PDA

View Full Version : Cannot remove Command service



ainslieglen
2006-03-08, 22:10
Hi, hopefully someone can help me out. I have run spybot and was unable to remove command service even after a reboot. Here is my HJT log file.

Logfile of HijackThis v1.99.1
Scan saved at 3:43:07 PM, on 08/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\winlog.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\John\Local Settings\Temp\Temporary Directory 2 for

hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F45385EA-1EF0-3BA3-83A1-8711B9B01F2F} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{904AA85A-2220-4632-B764-9220FE392812}: NameServer =

142.177.129.11 142.177.1.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: geedc - C:\WINDOWS\System32\geedc.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\SYSTEM32\ssqrs.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe

ainslieglen
2006-03-08, 22:44
[QUOTE=ainslieglen]Hi, hopefully someone can help me out. I have run spybot and was unable to remove command service even after a reboot. Here is my HJT log file.

oops. :mad: I was in selective startup. Here is the actual HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:40 PM, on 08/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\MsLX32.exe
C:\WINDOWS\msnsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\shost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\winlog.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\windows\winsysupd5.exe
C:\winsysban12.exe
C:\WINDOWS\SYSC00.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\red3y.exe
C:\WINDOWS\System32\NAMED.exe
C:\WINDOWS\System32\MS22.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\HTTP.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\BCMSMMSG.exe
C:\drrrp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\John\Local Settings\Temp\Temporary Directory 1 for

hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F45385EA-1EF0-3BA3-83A1-8711B9B01F2F} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd5.exe
O4 - HKLM\..\Run: [winsysban] C:\\winsysban12.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update

Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Services] C:\red3y.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAMED] C:\WINDOWS\System32\NAMED.exe
O4 - HKLM\..\Run: [MS22] C:\WINDOWS\System32\MS22.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HTTP] C:\WINDOWS\System32\HTTP.exe
O4 - HKLM\..\Run: [gJ^WPRNMTNVWaROsZN] C:\Program Files\Common Files\Sonic\Update

Manager\sgtray.txt:yartgs.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames11.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6

"USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\drrrp.exe
O4 - HKLM\..\Run: [gJ^WPRNMTNVWaROsZN\] C:\Program Files\Common Files\Sonic\Update

Manager\sgtray.txt:yartgs.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program

Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: geedc - C:\WINDOWS\System32\geedc.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\SYSTEM32\ssqrs.dll
O23 - Service: MsLX32 - Unknown owner - C:\WINDOWS\MsLX32.exe
O23 - Service: Msn Service (MSNSVC) - Unknown owner - C:\WINDOWS\msnsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware

Doctor\sdhelp.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH -

C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Windows Logon (winlog) - Unknown owner - C:\WINDOWS\winlog.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

LonnyRJones
2006-03-13, 07:50
Hi ainslieglen
Why arent you running an antivirus program ?

Its been a few days, unless your recieving help at another forum post back with a new log please.

But its needs to be extracted and in a folder of its own:
Your running Hijackthis from a temp and it still hasnt been unzipped, neither is a good idea.
Create a new folder, for instance C:\AntiSpyware
Download the exe from here to that new folder.
http://www.merijn.org/files/HijackThis.exe
This is necessary to ensure you have backups should anything go wrong
Make and post a new log

tashi
2006-03-18, 21:33
As the log requested has not been provided, this topic will be archived.

If you need it re-opened please send me a pm and provide a link to the thread.