HKLM cmd srvce settings



Fermat
2005-12-01, 23:12
I'd appreciate any advice on this .....

For about the last 4 - 5 days, Spybot has complained of these 3 registry entries after every boot.
Despite me deleting them each time.

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mchInjDrv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mchInjDrv

When I looked at those keys with TuneUp Utilities before cleaning, they are "empty" entries.

I run XP SP2, fully patched. Tried switching off System Restore points after cleaning, then rebooting with Sys Restore still switched off, but they still came back.

I only use IE if absolutely forced to - Firefox is my browser of choice.

Should I be worried?

I've run a battery of malware and AV scan products and they've found nothing.
And Spybot Resident doesn't report anything suspicious (to me) when I boot.

In case it helps, here is a current Hijackthis.

Scan saved at 19:58:30, on 01/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_4.79_windows_intelx86.exe
C:\Program Files\HighjackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareGuard] C:\Program Files\SpywareGuard\sgmain.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\system32\oline.dll
O15 - Trusted Zone: http://*.aol.co.uk
O15 - Trusted Zone: *.castlecops.com
O15 - Trusted Zone: http://uk.mcafee.com
O15 - Trusted Zone: *.mcafee.com
O15 - Trusted Zone: http://ts.mcafeehelp.com
O15 - Trusted Zone: http://login.passport.net
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: ppctlcab -
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {047C3241-279D-438A-BC34-9AD1C1910FC0} (DrsDnld Control) - http://mathcentre.ac.uk/resources/tests/activex/DrsDnldProj1.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126006637318
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D095A842-4EDC-48DA-94B6-FCD01616F9EA}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Thanks for any advice you can give
Mike

LonnyRJones
2005-12-02, 06:04
Hi Mike

I assume it's just a remnant, not harmful.
Copy the contents of the code box below into a new notepad document (not wordpad). Click file> save as...> call it check.bat > file types *all files*> and save it to desktop. Don't run it yet.



rem Look under the Windows folder (all attributes, including hidden) for the files tied to the "Command Service" detection
dir %windir%\command.exe /a /s > files.txt
dir %windir%\asappsrv.dll /a /s >> files.txt
rem Ask the Service Control Manager whether either service is actually installed
sc query cmdservice >> files.txt
sc query mchInjDrv >> files.txt
start notepad files.txt


Run check.bat and post the log that will open please

Fermat
2005-12-02, 14:32
Thanks Lonny, that was quick.
I cleaned the keys with Spybot, then rebooted and ran your BAT file.
Here's the result.

Volume in drive C has no label.
Volume Serial Number is F06B-F20D
Volume in drive C has no label.
Volume Serial Number is F06B-F20D
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.


I've just looked at those keys again. They're different.
They all contain (from TuneUp registry editor)

Type = dword:00000001
ErrorControl=dword:00000000
Start=dword:00000004
ImagePath=\\??\\C:\\WINDOWS\\TEMP\\mc21.tmp
DeleteFlag=dword:00000001

Windows search (including system, hidden folders) doesn't find mc21.tmp


I haven't seen any apparent ill effects since Spybot started finding those entries about 5 days ago. And none of my resident anti malware/virus progs have complained about anything. (I keep them updated at least daily).

Mike
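
A defender-side way to read the values Mike lists above across every control set, as an added example for this thread (not Lonny's batch file or any product's code); the service name defaults to mchInjDrv from the thread, and the Temp-path and DeleteFlag checks are this example's own assumptions about what made the entry look odd:

```powershell
# Added example for this thread, not code from any poster or product.
# Lists a service key in every ControlSet00N hive and decodes the values
# Mike pasted (Type, Start, ImagePath, DeleteFlag), then flags what made
# this one look suspicious: a driver image under a Temp folder that no
# longer exists, and a DeleteFlag marking the key for removal.
param([string]$ServiceName = 'mchInjDrv')   # name from the thread; any service works

$typeNames  = @{ 1 = 'Kernel driver'; 2 = 'File system driver'; 16 = 'Own process'; 32 = 'Shared process' }
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

# CurrentControlSet is only a link; HKLM\SYSTEM\Select\Current says which real set it points at.
$current = 'ControlSet{0:D3}' -f (Get-ItemProperty 'HKLM:\SYSTEM\Select').Current

$rows = foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object PSChildName -match '^ControlSet\d+$') {
    $key = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\$ServiceName"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $p = Get-ItemProperty -LiteralPath $key

    # Driver ImagePaths are usually stored as \??\C:\... ; strip the NT prefix before checking the file.
    $image = [string]$p.ImagePath -replace '^\\\?\?\\', ''
    $type  = [int]$p.Type
    $start = [int]$p.Start

    [pscustomobject]@{
        ControlSet  = $cs.PSChildName + $(if ($cs.PSChildName -eq $current) { ' (current)' } else { '' })
        Type        = if ($typeNames.ContainsKey($type))   { $typeNames[$type] }   else { $type }
        Start       = if ($startNames.ContainsKey($start)) { $startNames[$start] } else { $start }
        ImagePath   = $image
        ImageExists = ($image -ne '') -and (Test-Path -LiteralPath $image)
        InTemp      = $image -match '\\Temp\\'
        # DeleteFlag=1 means the service was marked for deletion; the SCM drops the key once nothing holds it open.
        DeleteFlag  = [int]$p.DeleteFlag -eq 1
    }
}

if (-not $rows) { "No '$ServiceName' key in any control set." } else { $rows | Format-Table -AutoSize }
```

For the key in this thread the output would read Kernel driver / Disabled, ImageExists False, InTemp True, DeleteFlag True, which matches a disabled driver entry left behind for removal rather than a running service.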

LonnyRJones
2005-12-02, 14:50
Hi

I've just looked at those keys again. They're different.
They all contain (from TuneUp registry editor)
Elaborate on that please. Not sure I understand.

can you export this key for us ?
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\mchInjDrv

Fermat
2005-12-02, 16:51
Hi, never used Export before.
I've created the export .reg file. Let's see if I can attach it ....

No, the filetype is rejected. Do you know if it's possible to rename it to another type without destroying the contents?

I've managed to capture the Tuneup screen as a .bmp, but it's too big to attach.

I've typed the details into the attached .txt; when it's entered here all the formatting is lost.

is that any help?
Mike

LonnyRJones
2005-12-02, 16:59
Hi

If you're comfortable doing so, manually delete
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\mchInjDrv

Don't worry about the other control sets.

fowmow
2005-12-02, 17:04
Fermat,

You can export from regedit by simply changing which file type to save it as under the "Save as type" dropdown.

So, File > Export... change the "Save as type" drop down from "Registration Files (*.reg)" to whatever you prefer.

Fermat
2005-12-02, 18:11
Thanks Lonny.
Do you mean CurrentControlSet ?
I've no problem with deleting it.
Mike

Fermat
2005-12-02, 18:12
Thanks Fowmow. Obvious isn't it?
Mike

LonnyRJones
2005-12-03, 02:39
Yes CurrentControlSet

Did it delete with no problems or was there an error ? does it return after a few hours ?

Fermat
2005-12-04, 21:25
Deleted the key without any errors and it has not come back after about 10 hours continuous running.

I have 2 accounts on this m/c. My normal one which is set up as a LUA which is for everyday use, and an Admin account which I use for backups, software install/updates and similar.
Logging on and off each account - without booting - does not bring back the registry keys either.

I've looked back through the SD history logs. Last clean run was on 25/11 at 13:28. Next run was on 26/11 at 16:43, that found the 3 keys.

Between those two date/times I downloaded 2 sets of SD updates -
spybotsd.ini, english.zip, includes.zip, includesb.zip on 25/11; and includesb.zip on 26/11.
Is it possible that those mchinjdrv keys had been appearing on my machine for a long time, but only show up now after new searches were added to SD in one of those downloads?

Mike

bitman
2005-12-04, 21:59
Lonny:

Might want to look at this thread in the Spybot S&D forum. Looks like these keys may be included with some security apps, though I haven't confirmed this myself.
http://forums.spybot.info/showthread.php?t=730&highlight=mchinjdrv

Fermat:

What you're asking seems to match exactly with what others are seeing. These entries appeared along with recent updates and might be false positives if you have any of the software mentioned below.


I have these as well, haven't tried to Fix them yet...

EDIT: TrojanHunter, spysweeper, a2 all add this registry entry, probably more security apps also.
mchInjDrv (Mad code hook injection driver)
Malware can use it, but if you use any of the above security apps, then it's a false positive.

Fermat
2005-12-05, 11:36
Funny, my reply yesterday evening hasn't appeared here.

Yes, I have had a2 installed for a long time. (tried Trojanhunter but only after Spybot started reporting mchinjdrv).

Anyway, thanks a lot for your time and your help. I'm impressed. Definitely calls for a donation.

Mike

tashi
2005-12-11, 23:38
This topic will now be archived.
If you need the thread reopened please pm me. :)