i ran spybot and cmdService kept showing up with 2 items under it and it just wont go away



HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 5:56:20 PM, on 8/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\{D0A022BC-0897-1033-0908-040518050001}\Update.exe
C:\PROGRA~1\COMMON~1\kkzf\kkzfa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Hello and welcome to the forum. You have two suspicious items in your log that I can not identify on this end. Use one or more of these free online scans to find out what they are (unless you know) and post the results for me to view:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Here are the items:
C:\Program Files\Common Files\{D0A022BC-0897-1033-0908-040518050001}\Update.exe
C:\PROGRA~1\COMMON~1\kkzf\kkzfa.exe (C:\PROGRAM FILES\ )

Follow these instructions for the command.exe issue:
Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted !!.

http://downloads.subratam.org/Lon/ren-cmdservice.zip

Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run spybot check for and fix any problems found.

Thanks...pskelley
Safer Networking Forums

Running from C:\Documents and Settings\eridani\Desktop\ren-cmdservice
No Image Path Listed in Registry

-----------------
Deleting cmdservice key
cmdservice key deleted
..
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
Finised, Post this text then
Please Restart your PC
ren-cmdservice.bat edited 6-25-2006
-----------------

Scanned file: kkzfa.exe - Infected
kkzfa.exe - infected by Trojan-Downloader.Win32.TSUpdate.l

C:\Program Files\Common Files\{D0A022BC-0897-1033-0908-040518050001}\Update.exe <-- Clean

kaspersky missed something so when i used http://virusscan.jotti.org/ it showed up something different for the Update file


AntiVir Found Trojan/Starter.V.1
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Downloader.Generic2.JVQ
BitDefender Found Trojan.Starter.V
ClamAV Found Trojan.Starter-7
Dr.Web Found Trojan.Starter.65
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Starter.65

Ok and thanks for that information. I was fairly certain they both were bad. I do not see them in the bottom of the HJT log? You don't have them turned off like in a whitelist in HJT or MSConfig?

Once way or another they need to go. I will suggest the easiest way first.

Right click the taskbar and click on Task Manager. When Task Manager opens then choose the Processes tab. Highlite these two items and end process on them.

C:\Program Files\Common Files\{D0A022BC-0897-1033-0908-040518050001}\Update.exe
C:\PROGRA~1\COMMON~1\kkzf\kkzfa.exe

Then Navigate to those folders and delete them.

Post a new HJT log so I can make sure they are gone.

Thanks

Now when i run Spybot it shows SurfSidekick. idk whats goin on to this computer

Hijack This Log
Logfile of HijackThis v1.99.1
Scan saved at 4:06:46 PM, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsk26.dll
O4 - HKLM\..\Run: [win3210-794811716] C:\WINDOWS\win3210-794811716.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [win320816-7948117] C:\WINDOWS\win320816-7948117.exe
O4 - HKLM\..\Run: [sys0294811716-7] C:\WINDOWS\sys0294811716-7.exe
O4 - HKLM\..\Run: [ms04811716-794] C:\WINDOWS\ms04811716-794.exe
O4 - HKLM\..\Run: [ms0511716-7948] C:\WINDOWS\ms0511716-7948.exe
O4 - HKLM\..\Run: [win32096-79481171] C:\WINDOWS\win32096-79481171.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

OK, listen up. This computer it totally infected, and none of the junk was on there before. Someone has taken this computer to where it could get infected? I will not be able to sit here and wait for you to infect you computer to clean it for you. This infection that you have will attract others, keep it offline except when we are troubleshooting. If you are the only user, you need to think about where you went to get infected. If other people use the computer, you need to have a talk with them about their surfing habits.

Follow the directions exactly if you want the fix to work.

1) Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the file on your Desktop, and choose Extract All.
Click Next.
In the box to choose where to extract the files to:
Click Browse.
Click on the + sign next to My Computer
Click on Local Disk (C:) or whatever your primary drive is.
Click Make New Folder
Type in BFU
Click Next, and uncheck the Show Extracted Files box and then click Finish.
Download sidekickFix.bat (http://downloads.subratam.org/Lon/sidekickFix.bat) (rightclick on that link and choose save as)
Place sidekickFix.bat in your C:\BFU - folder. (Important!)
Close all browsers and explorer folders.
Double-click on sidekickFix.bat
Click Yes and follow the prompts, when prompted to restart the PC please do so.


2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsk26.dll
O4 - HKLM\..\Run: [win3210-794811716] C:\WINDOWS\win3210-794811716.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [win320816-7948117] C:\WINDOWS\win320816-7948117.exe
O4 - HKLM\..\Run: [sys0294811716-7] C:\WINDOWS\sys0294811716-7.exe
O4 - HKLM\..\Run: [ms04811716-794] C:\WINDOWS\ms04811716-794.exe
O4 - HKLM\..\Run: [ms0511716-7948] C:\WINDOWS\ms0511716-7948.exe
O4 - HKLM\..\Run: [win32096-79481171] C:\WINDOWS\win32096-79481171.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - AppInit_DLLs: repairs303169590.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\Duce6.exe <<< file

C:\WINDOWS\ms04811716-794.exe <<< file

C:\WINDOWS\ms0511716-7948.exe <<< file

C:\WINDOWS\sys0294811716-7.exe <<< file

C:\WINDOWS\win3210-794811716.exe <<< file

C:\WINDOWS\win320816-7948117.exe <<< file

C:\WINDOWS\win32096-79481171.exe <<< file

C:\Program Files\SurfSideKick 3\ <<< folder

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer >>> You don't even appear to have an antivirus program running on the computer. Download the FREE version of AVG, update it and run a complete system scan.
http://free.grisoft.com/freeweb.php

How have you been running this computer without Windows Security screaming at you?? Once you run AVG by Grisoft and remove anything it finds, then go to the Security Center in the Control Panel and make sure all three items are running.
1) Antivirus 2) Firewall 3) Auto Updates.

Post a new HJT log when you have finished the above instructions.

Looks as if everything is now fixed and spybot says there is nothing else infecting the computer. Thank you so much for your help.

Logfile of HijackThis v1.99.1
Scan saved at 5:40:54 PM, on 8/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Let me ask you, anyone who was on that computer when that infection came in would have had to have know it happened?

The log is clean, make sure you followed my advice, and everything is green for go in the Security Center. You need to get into this information I am posting and take advantage of the knowledge of these experts in the field.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing...tashi:) will close your topic in a day or so.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

Glad we could help.
:)