
Thread: Need your expert help to Remove Command Service

  1. #11
    Junior Member
    Join Date
    Dec 2005
    Posts
    15

    Panda log #3

    Last one... thanks for your ongoing help!

    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@target[1].txt
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@target[3].txt
    Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[2].txt
    Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[2].txt
    Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@www.myaffiliateprogram[1].txt
    Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@xxxcounter[1].txt
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@z1.adserver[2].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt
    Possible Virus. Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\!update.exe
    Adware:Adware/Popper Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\99_app99.exe
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad.yieldmanager[1].txt
    Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ask[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@belnk[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@dist.belnk[2].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@xiti[1].txt
    Adware:Adware/eZula Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\GLF9FGLF9F.EXE
    Adware:Adware/eZula Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\ts_8_new.exe
    Adware:Adware/SurfAccuracy Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\uninstall.exe
    Adware:Adware/Favadd Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2NG56XKR\opmrket[1].exe
    Adware:Adware/eZula Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EJ6FMXUB\ts_8_new[1].exe
    Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Default User\Cookies\administrator@ask[2].txt
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Default User\Cookies\administrator@target[1].txt
    Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\LocalService\Cookies\system@banners.searchingbooth[1].txt
    Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt
    Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
    Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
    Potentially unwanted tool:Application/KillApp.A Not disinfected C:\hp\bin\Terminator.exe
    Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Program Files\Common Files\WinFixer 2005\FCrXML.dll
    Possible Virus. Not disinfected C:\Program Files\Common Files\WinFixer 2005\uwappchk.dll
    Virus:Trj/Andaid.A Disinfected C:\WINDOWS\Downloaded Program Files\eins004.exe
    Adware:Adware/2Z0o Not disinfected C:\WINDOWS\hejcdvy.exe
    Spyware:Cookie/Ask Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\administrator@ask[2].txt
    Spyware:Cookie/Target Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\administrator@target[1].txt
    Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\fran-hot.exe
    Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\sate.exe
    Adware:Adware/Mirar Not disinfected C:\WINDOWS\system32\WinNB57.dll
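
The helper's reply to this report is to ignore the cookies and list the executables by path. As an added example (not code from the thread or from Panda), the script below does that triage over a constructed sample of eight lines copied from the report above: it parses the "detection status path" format, separates tracking cookies and already-disinfected items from binaries still on disk, and groups the binaries by directory. All function and class names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: eight lines copied from the Panda scan report posted
# above. Each line is "<detection> <status> <path>", space separated, where
# status is "Not disinfected" or "Disinfected".
SAMPLE_REPORT = r"""
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@target[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt
Possible Virus. Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\!update.exe
Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\fran-hot.exe
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\sate.exe
Adware:Adware/Mirar Not disinfected C:\WINDOWS\system32\WinNB57.dll
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Virus:Trj/Andaid.A Disinfected C:\WINDOWS\Downloaded Program Files\eins004.exe
"""

# The detection name is matched lazily up to the first status word; the
# path starts at a drive letter so the spaces inside it are preserved.
LINE_RE = re.compile(
    r"^(?P<detection>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<path>[A-Za-z]:\\.*)$"
)


@dataclass(frozen=True)
class Finding:
    detection: str
    status: str
    path: str

    @property
    def is_cookie(self) -> bool:
        # Tracking cookies are plain text files the browser can clear itself.
        return "Cookie/" in self.detection and self.path.lower().endswith(".txt")

    @property
    def is_binary(self) -> bool:
        # Executable code left on disk is what actually needs removal.
        return self.path.lower().endswith((".exe", ".dll", ".sys", ".ocx"))


def parse_report(text: str) -> list[Finding]:
    """Parse scan report lines; raise on anything that does not fit the format."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        findings.append(Finding(m["detection"], m["status"], m["path"]))
    return findings


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Bucket findings the way a helper reads the report: cookies are noise,
    already-disinfected items need no action, binaries are the to-do list."""
    buckets = {"cookies": [], "binaries_to_remove": [], "already_disinfected": [], "other": []}
    for f in findings:
        if f.status == "Disinfected":
            buckets["already_disinfected"].append(f)
        elif f.is_cookie:
            buckets["cookies"].append(f)
        elif f.is_binary:
            buckets["binaries_to_remove"].append(f)
        else:
            buckets["other"].append(f)
    return buckets


def by_directory(findings: list[Finding]) -> dict[str, list[str]]:
    """Group file names under their directory so related droppers stand out."""
    grouped: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        directory, _, name = f.path.rpartition("\\")
        grouped[directory].append(name)
    return dict(grouped)


if __name__ == "__main__":
    buckets = triage(parse_report(SAMPLE_REPORT))
    print(f"{len(buckets['cookies'])} tracking cookies (ignore)")
    for directory, names in by_directory(buckets["binaries_to_remove"]).items():
        print(directory)
        for name in names:
            print("   ", name)
```

The "other" bucket catches anything that is neither a cookie nor an executable (a data file or an unknown extension) so that nothing silently drops out of the list; on a real report it is worth reading that bucket by hand.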

  2. #12
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Mostly cookies
    Manually delete these files and folders:
    C:\WINDOWS\SYSTEM32\WinNB57.dll
    C:\WINDOWS\hejcdvy.exe
    C:\WINDOWS\system32\fran-hot.exe
    C:\WINDOWS\system32\sate.exe
    C:\PROGRAM FILES\sf
    C:\PROGRAM FILES\COMMON FILES\VCClient
    C:\Program Files\Common Files\WinFixer 2005

    Run HijackThis, click Config > msie tools > Delete a file on reboot, paste this path and file into the file name box and click OK, then let your system be restarted:
    C:\WINDOWS\Downloaded Program Files\eins004.exe

    Download System Security Suite.
    http://www.igorshpak.net/
    Extract it from the zip file and run setup.exe
    after the install you can delete setup.exe and the downloaded zip file
    Start the program. Check all the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot; do so or the job doesn't get done.

  3. #13
    Junior Member
    Join Date
    Dec 2005
    Posts
    15

    In process, but can't delete some directories

    Thanks again...

    I've tried to manually delete the files & directories you mentioned, but I noticed that sf, VCClient and WinFixer 2005 directories remain even though the delete command seemed to work (no error return code). Perhaps this is normal?

    I'm running the HiJack This on reboot now...

  4. #14
    Junior Member
    Join Date
    Dec 2005
    Posts
    15

    Latest HiJack This log

    Ok, I've run all the recommendations - ran HiJack This w/MSIE tools to delete the eins file on reboot (that seemed to work - I can't find the file). Then I also successfully ran the system security tools and did the reboot.

    I'm posting the latest HiJack This log just in case there is anything else lingering...

    Logfile of HijackThis v1.99.1
    Scan saved at 7:14:11 AM, on 1/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\savedump.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\USB Storage RW\shwicon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\rundll32.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135354214109
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Thanks so much, I really appreciate all your help!

  5. #15
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    That log looks good, are there any problems now ?

    I'm not sure what you're saying about the folders;
    did they reappear after deletion?
    C:\PROGRAM FILES\sf
    C:\PROGRAM FILES\COMMON FILES\VCClient
    C:\Program Files\Common Files\WinFixer 2005

  6. #16
    Junior Member
    Join Date
    Dec 2005
    Posts
    15

    Still having problems

    I was finally able to delete the sf, VCClient, and WinFixer 2005 directories so that's taken care of.

    But I re-ran spybot and it still found Command Service again and couldn't fix the following registry keys:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    I went to the command line and typed "sc delete cmdservice" but I get the response:

    "The specified service does not exist as an installed service"

    I'm still getting some pop-ups so there's something still lingering out there....any ideas?

  7. #17
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Let's use a reg import to remove it.

    Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
    Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
    Code:
    REGEDIT4
     
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]
    Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

    Restart your PC.

    Popups are normal. Maybe a description will help though: when, where, and to where do they lead?

    Download and run BlackLight
    F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
    click > scan then > next, next again then exit
    There will be a new txt file near BlackLight. Post it please.
    !!Do not rename any files yet

  8. #18
    Junior Member
    Join Date
    Dec 2005
    Posts
    15

    BlackLight post

    OK, I ran the fixme.reg edit and it asked me if I wanted to add this information to the registry, I said YES, and then it said it was successfully added to the registry. I deleted the fixme.reg file and then rebooted.

    I actually re-ran Spybot and it still found the cmd service registry keys that are the issue (should that have happened?).

    Here's the post from BlackLight; there were more than 10,000 entries found, and 99% of them looked like this: C:\Program Files\Movicken\Cache\00006172_439f5f19_00007a12

    Here are the rest...

    01/09/06 23:13:20 [Info]: BlackLight Engine 1.0.30 initialized
    01/09/06 23:13:20 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    01/09/06 23:13:20 [Note]: 7019 4
    01/09/06 23:13:20 [Note]: 7005 0
    01/09/06 23:13:23 [Note]: 7006 0
    01/09/06 23:13:23 [Note]: 7011 1380
    01/09/06 23:13:23 [Note]: 7018 608
    01/09/06 23:13:23 [Info]: Hidden process: C:\WINDOWS\SYSTEM32\VXDCXPNT.EXE
    01/09/06 23:13:23 [Note]: 7018 1832
    01/09/06 23:13:23 [Info]: Hidden process: C:\PROGRAM FILES\MOVICKEN\SETPPROV.EXE
    01/09/06 23:13:23 [Note]: FSRAW library version 1.7.1014
    01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\ace.dll
    01/09/06 23:13:25 [Note]: 7002 0
    01/09/06 23:13:25 [Note]: 7003 1
    01/09/06 23:13:25 [Note]: 10002 3
    01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\AI_03-01-2006.log
    01/09/06 23:13:25 [Note]: 7002 0
    01/09/06 23:13:25 [Note]: 7003 1
    01/09/06 23:13:25 [Note]: 10002 3
    01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\AI_04-01-2006.log
    01/09/06 23:13:25 [Note]: 7002 0
    01/09/06 23:13:25 [Note]: 7003 1
    01/09/06 23:13:25 [Note]: 10002 3
    01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\AI_05-01-2006.log
    01/09/06 23:13:25 [Note]: 7002 0
    01/09/06 23:13:25 [Note]: 7003 1
    01/09/06 23:13:25 [Note]: 10002 3
    01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\AI_06-01-2006.log
    01/09/06 23:13:25 [Note]: 7002 0
    01/09/06 23:13:25 [Note]: 7003 1
    01/09/06 23:13:25 [Note]: 10002 3
    01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\AI_07-01-2006.log
    01/09/06 23:13:25 [Note]: 7002 0
    01/09/06 23:13:25 [Note]: 7003 1
    01/09/06 23:13:25 [Note]: 10002 3
    01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\AI_08-01-2006.log
    01/09/06 23:13:25 [Note]: 7002 0
    01/09/06 23:13:25 [Note]: 7003 1
    01/09/06 23:13:25 [Note]: 10002 3
    01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\AI_09-01-2006.log
    01/09/06 23:13:25 [Note]: 7002 0
    01/09/06 23:13:25 [Note]: 7003 1
    01/09/06 23:13:25 [Note]: 10002 3
    01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\Cache\00006172_439f5f19_00007a12
    01/09/06 23:13:25 [Note]: 7002 0
    01/09/06 23:13:25 [Note]: 7003 1
    01/09/06 23:13:25 [Note]: 10002 3
    01/09/06 23:17:43 [Info]: Hidden file: C:\Program Files\Movicken\data.bin
    01/09/06 23:17:43 [Note]: 7002 0
    01/09/06 23:17:43 [Note]: 7003 1
    01/09/06 23:17:43 [Note]: 10002 3
    01/09/06 23:17:43 [Info]: Hidden file: C:\PROGRAM FILES\MOVICKEN\SETPPROV.EXE
    01/09/06 23:17:43 [Note]: 7002 0
    01/09/06 23:17:43 [Note]: 7003 1
    01/09/06 23:17:43 [Note]: 10002 3
    01/09/06 23:17:43 [Info]: Hidden file: C:\Program Files\Movicken\shmmshta.exe
    01/09/06 23:17:43 [Note]: 7002 0
    01/09/06 23:17:43 [Note]: 7003 1
    01/09/06 23:17:43 [Note]: 10002 3
    01/09/06 23:17:43 [Info]: Hidden file: C:\Program Files\Movicken\WinGenerics.dll
    01/09/06 23:17:43 [Note]: 7002 0
    01/09/06 23:17:43 [Note]: 7003 1
    01/09/06 23:17:43 [Note]: 10002 3
    01/09/06 23:21:18 [Info]: Hidden file: C:\WINDOWS\system32\drivers\strfsvga.sys
    01/09/06 23:21:18 [Note]: 7002 0
    01/09/06 23:21:18 [Note]: 7003 1
    01/09/06 23:21:18 [Note]: 10002 1
    01/09/06 23:21:20 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\VXDCXPNT.EXE
    01/09/06 23:21:20 [Note]: 7002 0
    01/09/06 23:21:20 [Note]: 7003 1
    01/09/06 23:21:20 [Note]: 10002 1
    01/09/06 23:22:28 [Note]: 7007 0
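
The poster trimmed this log by hand because the hidden cache files ran to thousands of entries. As an added example (not code from the thread or from F-Secure), the script below does the same reduction mechanically over a constructed subset of the lines above: it parses the timestamped "[Level]: message" format, pulls out the "Hidden process" and "Hidden file" entries, collapses the files into per-directory counts, and lists the items worth acting on first (live hidden processes, hidden kernel drivers, and the on-disk images of the hidden processes). All function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the BlackLight log posted above. The bare
# numeric [Note] lines are engine diagnostics whose meaning the log does not
# document, so the parser skips them rather than guessing.
SAMPLE_LOG = r"""
01/09/06 23:13:20 [Info]: BlackLight Engine 1.0.30 initialized
01/09/06 23:13:20 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/09/06 23:13:20 [Note]: 7019 4
01/09/06 23:13:23 [Info]: Hidden process: C:\WINDOWS\SYSTEM32\VXDCXPNT.EXE
01/09/06 23:13:23 [Note]: 7018 1832
01/09/06 23:13:23 [Info]: Hidden process: C:\PROGRAM FILES\MOVICKEN\SETPPROV.EXE
01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\ace.dll
01/09/06 23:13:25 [Note]: 7002 0
01/09/06 23:13:25 [Info]: Hidden file: C:\Program Files\Movicken\Cache\00006172_439f5f19_00007a12
01/09/06 23:17:43 [Info]: Hidden file: C:\Program Files\Movicken\data.bin
01/09/06 23:17:43 [Info]: Hidden file: C:\PROGRAM FILES\MOVICKEN\SETPPROV.EXE
01/09/06 23:17:43 [Info]: Hidden file: C:\Program Files\Movicken\shmmshta.exe
01/09/06 23:21:18 [Info]: Hidden file: C:\WINDOWS\system32\drivers\strfsvga.sys
01/09/06 23:21:20 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\VXDCXPNT.EXE
01/09/06 23:22:28 [Note]: 7007 0
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\]: (?P<msg>.*)$"
)
HIDDEN_RE = re.compile(r"^Hidden (?P<kind>process|file): (?P<path>.+)$")


def parse_hidden(text: str) -> tuple[list[str], list[str]]:
    """Return (hidden_processes, hidden_files) in log order."""
    processes: list[str] = []
    files: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"not a BlackLight log line: {line!r}")
        h = HIDDEN_RE.match(m["msg"])
        if h is None:
            continue  # engine banner, OS line or numeric diagnostic
        (processes if h["kind"] == "process" else files).append(h["path"])
    return processes, files


def count_by_directory(paths: list[str]) -> dict[str, int]:
    """Collapse a long hidden-file list into per-directory counts. Paths are
    case-folded because NTFS names are case-insensitive and BlackLight mixes
    cases in its output."""
    counts: Counter = Counter()
    for p in paths:
        counts[p.rpartition("\\")[0].lower()] += 1
    return dict(counts)


def priority_items(processes: list[str], files: list[str]) -> dict[str, list[str]]:
    """The hidden items worth acting on first: live processes, kernel drivers
    (.sys, which is usually where the cloaking itself lives) and the on-disk
    images of the hidden processes."""
    running = {p.lower() for p in processes}
    return {
        "processes": list(processes),
        "drivers": [f for f in files if f.lower().endswith(".sys")],
        "process_images": [f for f in files if f.lower() in running],
    }


if __name__ == "__main__":
    procs, files = parse_hidden(SAMPLE_LOG)
    for directory, n in sorted(count_by_directory(files).items()):
        print(f"{n:6d}  {directory}")
    for kind, items in priority_items(procs, files).items():
        print(kind, items)
```

On the full log the Movicken\Cache directory would show a count in the thousands while the drivers entry would still be a single .sys file; the count table is what tells you which of the two matters.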

  9. #19
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Please download AproposFix from here:
    http://swandog46.geekstogo.com/aproposfix.exe
    Save it to your desktop but do NOT run it yet.
    Then please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
    When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

  10. #20
    Junior Member
    Join Date
    Dec 2005
    Posts
    15

    Latest Logs...

    Thanks for the advice...here's the latest HiJack This log....

    Logfile of HijackThis v1.99.1
    Scan saved at 1:21:13 AM, on 1/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\USB Storage RW\shwicon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RIS2PostReboot] C:\Program Files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1135354214109
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    And here is the log from aproposfix...(log.txt)
    Log of AproposFix v1

    ************

    Running from directory:
    C:\Documents and Settings\Administrator\Desktop\aproposfix

    ************

    Registry entries found:

    [HKEY_LOCAL_MACHINE\Software\CuXh9A34gN25]
    @="WgOwkRaABBABBCBaghbzoABBAQDBkWbRckgB2823s HGBr1w5s12B231t25uoC282"
    "Device"="\\\\.\\MSTNla"
    "DriverPath"="C:\\WINDOWS\\system32\\drivers\\strfsvga.sys"
    "DriverName"="ISAiWDM"
    "HideUninstallerName"="C:\\Program Files\\Movicken\\shmmshta.exe"
    "UninstallerPath"="C:\\WINDOWS\\system32\\jdbftpub.exe"
    "UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{2ACA4AFA-4203-4806-ADF4-674F2DB684CE}"
    "UninstallerParams"="/CTUN"
    "HDll"="C:\\WINDOWS\\system32\\cacntvol.dll"
    "ServerAddress"="adchannel.contextplus.net"
    "LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
    "PartnerId"="CP.IST2"
    "InstallationId"="{X7d3de78-e01b-2a93-8d6b-98036902eb43}"
    "PageFiltering"=dword:00000001
    "CrMnTmt"=dword:0036ee80

    ************

    Removing hidden service:
    Service ISAiWDM removed.

    Removing hidden folder:
    Deletion of folder Movicken succeeded!

    Deleting files:

    Deletion of file C:\WINDOWS\system32\drivers\strfsvga.sys succeeded!
    Deletion of file C:\WINDOWS\system32\vxdcxpnt.exe succeeded!
    Deletion of file C:\WINDOWS\system32\cacntvol.dll succeeded!
    Deletion of file C:\WINDOWS\system32\jdbftpub.exe succeeded!

    Backing up files:
    Done!

    Removing registry entries:

    REGEDIT4

    [-HKEY_CURRENT_USER\Software\CuXh9A34gN25]
    [-HKEY_LOCAL_MACHINE\Software\CuXh9A34gN25]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2ACA4AFA-4203-4806-ADF4-674F2DB684CE}]

    Done!

    Finished!
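
Two REGEDIT4 fragments appear in this thread: the fixme.reg deletion file from post #17 and the configuration key AproposFix dumped in the log above. As an added example (not code from the thread, from AproposFix or from any Microsoft tool), the parser below reads both forms, distinguishing "[-KEY]" deletion entries from "[KEY]" entries with values, unescaping string data, converting dword data to integers, and then pulling out the file paths, registry keys and hostnames the dumped key points at so every component it registered can be checked. It also emits a deletion-only .reg file of the kind used in post #17. The input is a constructed join of the two fragments, trimmed to the values of interest; all function names are this example's own.

```python
import re

# Constructed input: the two REGEDIT4 fragments from this thread joined into
# one text, the fixme.reg deletion file from post #17 and (trimmed to the
# values of interest) the hidden configuration key AproposFix dumped in post #20.
SAMPLE_REG = r'''REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]

[HKEY_LOCAL_MACHINE\Software\CuXh9A34gN25]
@="WgOwkRaABBABBCBaghbzoABBAQDBkWbRckgB2823s HGBr1w5s12B231t25uoC282"
"Device"="\\\\.\\MSTNla"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\strfsvga.sys"
"DriverName"="ISAiWDM"
"HideUninstallerName"="C:\\Program Files\\Movicken\\shmmshta.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\jdbftpub.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{2ACA4AFA-4203-4806-ADF4-674F2DB684CE}"
"HDll"="C:\\WINDOWS\\system32\\cacntvol.dll"
"ServerAddress"="adchannel.contextplus.net"
"PageFiltering"=dword:00000001
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
# Either the default value "@" or a quoted name; data is everything after "=".
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def _unescape(s: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str):
    """Return (keys_to_delete, {key: {value_name: value}}) for a REGEDIT4 file.
    Deletion entries are '[-KEY]'; dword data becomes int, strings are unescaped,
    other data types (hex:, hex(2): ...) are kept as raw text."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header")
    deletions: list[str] = []
    keys: dict[str, dict[str, object]] = {}
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            if km["delete"]:
                deletions.append(km["key"])
                current = None  # values may not follow a deletion entry
            else:
                current = km["key"]
                keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm is None or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = "@" if vm["name"] is None else _unescape(vm["name"])
        data = vm["data"]
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data
    return deletions, keys


def referenced_artifacts(keys) -> dict[str, list[str]]:
    """Pull the file paths, registry keys and hostnames a dumped key points at."""
    out = {"files": [], "registry_keys": [], "hosts": []}
    for values in keys.values():
        for value in values.values():
            if not isinstance(value, str):
                continue
            if WIN_PATH_RE.match(value):
                out["files"].append(value)
            elif value.upper().startswith("HKEY_"):
                out["registry_keys"].append(value)
            elif HOST_RE.match(value):
                out["hosts"].append(value)
    return out


def build_deletion_reg(keys_to_delete) -> str:
    """Emit the deletion-only REGEDIT4 file used in post #17 for a list of keys."""
    return "REGEDIT4\n\n" + "".join(f"[-{k}]\n" for k in keys_to_delete)


if __name__ == "__main__":
    deletions, keys = parse_reg(SAMPLE_REG)
    print("keys to delete:", deletions)
    for kind, items in referenced_artifacts(keys).items():
        print(kind, items)
```

The four file paths it extracts are exactly the four files AproposFix deleted, and the DriverName value is the hidden service it removed, which is the point of reading the key before deleting it. The deletion-file route also explains the earlier "sc delete cmdservice" failure: sc asks the Service Control Manager, which answers from the service database it built at boot, so a Services key written straight into the registry (or missing the values the SCM needs) is invisible to sc while a registry scanner such as Spybot still sees it; a .reg import removes the key directly.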
