cmdservice removal

W33bl

Hi, my Spybot S&D reported the cmdservice virus/trojan/adware.
How do I delete it? If you are willing to help me, you will have to teach me how to remove it step by step.
 
Logfile of HijackThis v1.99.1
Scan saved at 22:10:15, on 26-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inet20009\services.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F3 - REG:win.ini: run=C:\WINDOWS\inet20009\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
 
Hello

Start HijackThis and place a check next to these items, if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
F3 - REG:win.ini: run=C:\WINDOWS\inet20009\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
====================================
Hit Fix checked and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C:\WINDOWS\inet20009 < delete that folder
Post a fresh HijackThis log please, and be sure to mention any current problems.
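The checks behind that fix list, written out as an added example (my code, not something posted in the thread and not part of HijackThis): it reads a HijackThis 1.99 log and flags the same entries the helper picked out, namely a services.exe running from C:\WINDOWS\inet20009 rather than system32, the startup items that point at it, the orphaned BHO CLSID, the unknown Winlogon Notify DLL, and the Internet Explorer copies launched from the WFP dllcache directory. The sample log is a subset of the lines posted above; the list of stock XP Winlogon Notify packages is an assumed baseline to tune, and every rule is a heuristic, not a signature.

```python
"""Rule-based triage of a HijackThis 1.99 log (added example, not from the thread).

Flags: core Windows file names outside their real directories, items in odd
folders under C:\\WINDOWS, processes run from the WFP dllcache directory,
BHO CLSIDs with no file, and Winlogon Notify DLLs that are not stock XP.
"""
import re

# Where the genuine copies of core XP binaries live.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows"}
# Names worth impersonating; a services.exe outside system32 is not the SCM.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Notify packages on a stock XP SP2 install (assumed baseline; HijackThis
# normally hides these, so anything it lists under O20 deserves a look).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(?P<kind>F3|O20|O2|O4) - (?P<rest>.*)$")
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl))"?', re.I)
PROCESS_RE = re.compile(r"^[A-Za-z]:\\\S.*\.exe$", re.I)


def split_path(path):
    """Lower-cased (directory, file name) of a Windows path."""
    d, _, f = path.rpartition("\\")
    return d.lower(), f.lower()


def judge_path(path):
    """Reason a file location looks wrong, or None if it looks ordinary."""
    d, f = split_path(path)
    if f in SYSTEM_NAMES and d not in SYSTEM_DIRS:
        return f"system file name '{f}' outside its real location"
    if "\\dllcache\\" in d + "\\":
        return "runs from the WFP dllcache directory"
    if d.startswith("c:\\windows\\") and not d.startswith("c:\\windows\\system"):
        return "lives in a non-standard folder under C:\\WINDOWS"
    return None


def triage(log):
    """Return [(log line, reason, occurrences)] for lines worth fixing."""
    findings = {}

    def note(line, reason):
        if line in findings:
            findings[line][1] += 1      # same process listed several times
        else:
            findings[line] = [reason, 1]

    for line in log.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            kind, rest = m.group("kind"), m.group("rest")
            if kind == "O2" and "(no file)" in rest:
                note(line, "BHO CLSID with no file behind it")
                continue
            pm = PATH_RE.search(rest)
            if not pm:
                continue  # e.g. 'nwiz.exe /install': bare name, resolved via PATH
            reason = judge_path(pm.group("path"))
            if kind == "O20" and reason is None:
                pkg = rest.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
                if pkg not in KNOWN_NOTIFY:
                    reason = "Winlogon Notify package not in the stock XP set"
            if reason:
                note(line, reason)
        elif PROCESS_RE.match(line):
            reason = judge_path(line)
            if reason:
                note(line, reason)
    return [(l, r, n) for l, (r, n) in findings.items()]


# Subset of the log posted above, used as the sample input.
LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inet20009\services.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\Antispyware\HijackThis.exe

F3 - REG:win.ini: run=C:\WINDOWS\inet20009\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
"""

if __name__ == "__main__":
    for line, reason, n in triage(LOG):
        print(f"[x{n}] {reason}\n      {line}")
```

Run against the full log it reports the seven items the helper listed, plus the dllcache copies of IExplore.exe, which HijackThis cannot "fix" because they are processes rather than autostart entries; they vanish once the loader is gone, as the second log shows.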
 
Logfile of HijackThis v1.99.1
Scan saved at 13:14:10, on 27-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


No extra Internet Explorers! Yay! Thanks a lot for your help :bigthumb:
...but Spybot still detects the command service. Is this normal?

Also, I read on the internet that command service allows other viruses and infections to enter my PC easily, and they are entering easily! New viruses every day, boohoo...
 
Hi
Is it this detection Spybot is finding?
Command Service- mchInjDrv in HKLM-CurrentControlSet: http://forums.spybot.info/showthread.php?t=774

Get this free online scan and post its report.
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click Scan settings and place a check next to [x] Use extended database, etc. Click OK.
Then choose My Computer: scan all your hard drives and mapped disks.
When finished, click Save as text and post that in your reply.

Or Computer Associates eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx
Select all drives, scan, try to cure/repair; if it cannot, choose delete! If it cannot delete, tell us the file names and locations.
 
Hi, here's the log of Kaspersky, lots of viruses! :(

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 28, 2005 14:01:03
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/12/2005
Kaspersky Anti-Virus database records: 167972
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 82585
Number of viruses found: 41
Number of infected objects: 147
Number of suspicious objects: 0
Duration of the scan process: 4354 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Michiel\.housecall\Quarantine\C.tmp.bac_a01952 Infected: Trojan-Dropper.Win32.Small.zp
C:\Documents and Settings\Michiel\.housecall\Quarantine\child.dll.bac_a01952 Infected: Trojan-Downloader.Win32.Small.bug
C:\Documents and Settings\Michiel\.housecall\Quarantine\child[1].exe.bac_a01952 Infected: Trojan-Dropper.Win32.Small.ahg
C:\Documents and Settings\Michiel\.housecall\Quarantine\drsmartload[1].exe.bac_a01952 Infected: Trojan-Downloader.Win32.Adload.l
C:\Documents and Settings\Michiel\.housecall\Quarantine\E.tmp.bac_a01952 Infected: Trojan-Dropper.Win32.Small.ahg
C:\Documents and Settings\Michiel\.housecall\Quarantine\install[1].exe.bac_a01952 Infected: Trojan-Dropper.Win32.Agent.aed
C:\Documents and Settings\Michiel\.housecall\Quarantine\mng[1].exe.bac_a01952 Infected: Trojan-Proxy.Win32.Agent.hs
C:\Documents and Settings\Michiel\.housecall\Quarantine\paqpwk.exe.bac_a01952 Infected: Trojan-Downloader.Win32.Qoologic.at
C:\Documents and Settings\Michiel\.housecall\Quarantine\paradise.raw.bac_a01952 Infected: Packed.Win32.Klone.b
C:\Documents and Settings\Michiel\.housecall\Quarantine\paradise[1].raw.bac_a01952 Infected: Packed.Win32.Klone.b
C:\Documents and Settings\Michiel\.housecall\Quarantine\paytime.exe.bac_a01952 Infected: Trojan.Win32.StartPage.adi
C:\Documents and Settings\Michiel\.housecall\Quarantine\paytime[1].txt.bac_a01952 Infected: Trojan.Win32.StartPage.adi
C:\Documents and Settings\Michiel\.housecall\Quarantine\runsvc32[1].exe.bac_a01952 Infected: Trojan-Dropper.Win32.Small.zp
C:\Documents and Settings\Michiel\.housecall\Quarantine\spoolsrv32.exe.bac_a01952 Infected: not-a-virus:AdWare.Win32.FindSpy.e
C:\Documents and Settings\Michiel\.housecall\Quarantine\srpcsrv32.dll.bac_a01952 Infected: Trojan-Downloader.Win32.Agent.rm
C:\Documents and Settings\Michiel\.housecall\Quarantine\ssldr32.dll.bac_a01952 Infected: Trojan-Proxy.Win32.Agent.hs
C:\Documents and Settings\Michiel\.housecall\Quarantine\sywsvcs.exe.bac_a01952 Infected: Packed.Win32.Klone.b
C:\Documents and Settings\Michiel\.housecall\Quarantine\tool3.exe.bac_a01952 Infected: Packed.Win32.Klone.b
C:\Documents and Settings\Michiel\.housecall\Quarantine\tool3[1].txt.bac_a01952 Infected: Packed.Win32.Klone.b

C:\Documents and Settings\Michiel\.housecall\Quarantine\toolbar.exe.bac_a01952 Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\Michiel\.housecall\Quarantine\toolbar[1].txt.bac_a01952 Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\Michiel\.housecall\Quarantine\txfdb32.dll.bac_a01952 Infected: Trojan-Downloader.Win32.Agent.rm
C:\Documents and Settings\Michiel\.housecall\Quarantine\wugwp.dat.bac_a01952 Infected: Trojan-Downloader.Win32.Qoologic.at
C:\Documents and Settings\Michiel\Local Settings\Temp\B.tmp Infected: Trojan-Downloader.Win32.CWS.s
C:\Documents and Settings\Michiel\Local Settings\Temp\svchst.exe Infected: Trojan-Downloader.Win32.Small.caf
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\0ZTJUMNT\cr-se121[1].exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\0ZTJUMNT\cr-se121[1].exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\EDLYZE5G\211156[1].htm Infected: Trojan-Downloader.JS.IstBar.z
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\EDLYZE5G\prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\ETLUJ2DC\1[2].htm Infected: Exploit.HTML.Mht
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\H7RF1L0E\web[1].exe Infected: Trojan-Downloader.Win32.CWS.s
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\IPVGT4JE\get_40698_Trend.Micro.PC.Cillin.Internet.Security.2005.v12.1_crack[1].htm Infected: Trojan-Downloader.JS.IstBar.u
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\PCSJ95GT\10[1].exe Infected: Trojan-Downloader.Win32.Small.caf
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\QDQRUZ6N\ms1[1].txt Infected: Trojan-Downloader.Win32.Tiny.al
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\RBPFJP4S\drsmartloadb[1].exe Infected: Trojan-Downloader.Win32.Adload.l
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\RBPFJP4S\kl[1].txt Infected: Trojan-PSW.Win32.Agent.bu
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\S9EDQZ4J\hosts[1].txt Infected: Trojan.Win32.Qhost.el
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\S9EDQZ4J\xpladv470[1].wmf Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\SRFNAC5P\free[1].anr Infected: Trojan-Downloader.Win32.Ani.c
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\SRFNAC5P\tool2[1].txt Infected: not-virus:Hoax.Win32.Renos.aj
C:\Downloads\Crack.patches.keygens\cr-se121.exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Downloads\Crack.patches.keygens\cr-se121.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Downloads\Setups\cr-se121.exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Downloads\Setups\cr-se121.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Downloads\Setups\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Downloads\Setups\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Infected: Trojan-PSW.Win32.Agent.bu
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe Infected: Trojan-PSW.Win32.Agent.bu
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-PSW.Win32.Agent.bu
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003164.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003164.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003164.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003164.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003165.exe/WISE0015.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003165.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003165.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003166.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003166.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003166.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003166.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003180.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003180.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003180.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003180.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003181.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003181.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003181.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003181.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003182.exe/WISE0015.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003182.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003182.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003183.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003183.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003183.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003183.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0017.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0019.BIN/stream/data0007 Infected: not-a-virus:AdWare.Win32.ActivShopper.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0019.BIN/stream/data0008 Infected: not-a-virus:AdWare.Win32.ActivShopper.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0019.BIN/stream Infected: not-a-virus:AdWare.Win32.ActivShopper.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.ActivShopper.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe Infected: not-a-virus:AdWare.Win32.ActivShopper.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003185.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003185.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003185.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003185.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003186.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003186.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003186.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003186.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003187.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003187.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003187.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003187.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0023.BIN/data0002 Infected: not-a-virus:AdWare.Win32.WebRebates.r
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0023.BIN/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.p
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0023.BIN/data0004 Infected: not-a-virus:AdWare.Win32.WebRebates.p
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0023.BIN/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.p
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.WebRebates.p
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe Infected: not-a-virus:AdWare.Win32.WebRebates.p
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003322.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003327.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003330.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003340.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003342.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003351.exe Infected: not-virus:Hoax.Win32.Renos.aj
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003352.exe Infected: Trojan-Downloader.Win32.Adload.l
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003353.exe Infected: Trojan-Downloader.Win32.Adload.l
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003354.exe Infected: Trojan-Dropper.Win32.Agent.aed
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003367.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003370.exe Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003372.exe Infected: Trojan-Clicker.Win32.VB.kc
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003374.exe Infected: Trojan.Win32.StartPage.aw
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003384.exe Infected: Trojan-Downloader.Win32.Tiny.al
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003385.dll Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003386.cpl Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003393.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003396.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003408.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003410.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003419.dll Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003421.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003422.exe Infected: Trojan.Win32.StartPage.adi
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003423.exe Infected: not-a-virus:AdWare.Win32.FindSpy.e
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003424.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003425.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003426.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003427.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003428.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003435.dll Infected: Trojan-Downloader.Win32.Small.bug
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003441.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003443.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003455.dll Infected: not-a-virus:AdWare.Win32.Ihbo.gen
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003456.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003458.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003459.exe Infected: Trojan-Downloader.Win32.CWS.s
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003477.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\WINDOWS\kl.exe Infected: Trojan-PSW.Win32.Agent.bu
C:\WINDOWS\system32\ipsiean.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\WINDOWS\system32\jvvjfcd.exe Infected: Trojan.Win32.Pakes
C:\WINDOWS\system32\kmqkf.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\WINDOWS\system32\ssldr32.dll Infected: Trojan-Proxy.Win32.Agent.hs
C:\WINDOWS\tool2.exe Infected: not-virus:Hoax.Win32.Renos.aj

Scan process completed.

END OF PART II
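The scan report above lists every hit the same way, but the two halves of that list call for different actions: the copies under C:\System Volume Information\_restore{...}\RPnn\ are dormant restore-point snapshots that only go away when System Restore is purged, while the files in C:\WINDOWS and C:\WINDOWS\system32 are live and have to be deleted. The following Python is an added example, not code from this thread or from Kaspersky, that makes that split programmatically. SAMPLE_REPORT is a constructed excerpt in the scanner's line format; the bucket names and the family extraction are choices made for this example.

```python
"""Triage a Kaspersky-style online scanner report.

Added example for this thread; not code from the original post or from
Kaspersky.  Each hit line is '<path> Infected: <detection>'.  Hits under a
System Restore point (_restore{GUID}\\RPnn\\) are dormant copies removed by
purging the restore points; everything else is live and must be deleted.
SAMPLE_REPORT is a constructed excerpt in the same format as the thread.
"""
import re

# Constructed sample in the scanner's line format (paths as seen in the thread).
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003408.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003419.dll Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\WINDOWS\kl.exe Infected: Trojan-PSW.Win32.Agent.bu
C:\WINDOWS\system32\kmqkf.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\WINDOWS\tool2.exe Infected: not-a-virus:Hoax.Win32.Renos.aj

Scan process completed.
"""

HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)$")
# Restore-point copies live under \System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)


def parse_report(text):
    """Return [(path, detection)] for each hit line; header/footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def triage(hits):
    """Split hits into the buckets a responder handles differently.

    restore_point : dormant copies, removed by purging System Restore
    live          : active malware files to delete (or delete-on-reboot)
    live_pua      : live 'not-a-virus:' adware/hoax files, also to delete,
                    but a lower-severity class in the scanner's naming
    """
    out = {"restore_point": [], "live": [], "live_pua": []}
    for path, name in hits:
        if RESTORE_RE.search(path):
            out["restore_point"].append((path, name))
        elif name.lower().startswith("not-a-virus:"):
            out["live_pua"].append((path, name))
        else:
            out["live"].append((path, name))
    return out


def deletion_list(hits):
    """Live file paths, sorted, as a 'delete these files' reply would list them."""
    t = triage(hits)
    return sorted(path for path, _ in t["live"] + t["live_pua"])


def restore_points_to_purge(hits):
    """Restore-point IDs holding infected copies, e.g. ['RP46']."""
    rps = {RESTORE_RE.search(p).group("rp") for p, _ in triage(hits)["restore_point"]}
    return sorted(rps)


def families(hits):
    """Detection family per hit: the component after the platform, e.g. 'Delf'."""
    fams = set()
    for _, name in hits:
        parts = name.split(":")[-1].split(".")  # drop any 'not-a-virus:' prefix
        if len(parts) >= 3:
            fams.add(parts[2])
    return sorted(fams)


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    t = triage(hits)
    print(f"{len(t['restore_point'])} restore-point copies in {restore_points_to_purge(hits)}")
    print("delete:", *deletion_list(hits), sep="\n  ")
    print("families:", ", ".join(families(hits)))
```

Run it against a saved report with `parse_report(open("report.txt").read())`. The restore-point bucket is why the helper's reply below tells the user to purge System Restore only after the machine has been stable for a week: purging deletes every rollback point, clean and infected alike, so it is done last.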
 
Hi
Delete these files >
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
C:\Downloads\Setups\cr-se121.exe
C:\WINDOWS\kl.exe
C:\WINDOWS\system32\ipsiean.dll
C:\WINDOWS\system32\jvvjfcd.exe
C:\WINDOWS\system32\kmqkf.dll
C:\WINDOWS\system32\ssldr32.dll
C:\WINDOWS\tool2.exe
C:\Downloads\Crack.patches.keygens\ < delete the entire folder, and never use any cracks from anywhere again or you will most certainly get infected once more; we can and do get infected just looking for them, much less downloading them.
Even if you had scanned them with ten antivirus programs and found them to be safe, something
would eventually get in.


Download System Security Suite.
http://www.igorshpak.net/
If that site is unavailable use this link please
http://forums.subratam.org/index.php?act=Attach&type=post&id=25013
Extract it from the zip file and run setup.exe.
After the install you can delete setup.exe and the downloaded zip file.
Start the program, check all the boxes under the 'Items to Clear' tab (except perhaps cookies) and click
'Clear Selected Items'. You will be prompted to reboot; do so.

If the PC is stable after about a week, purge the old System Restore points:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then reboot. < Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
 
Thank you for replying.

C:\WINDOWS\system32\kmqkf.dll < file is in use, can't delete it
C:\WINDOWS\system32\ssldr32.dll < no such file

Could you help me with those problems?

Thanks!

Edit: I ran SpybotSD again, and it still shows Command Service, 2 entries.
I can't delete them; they are in use in memory.
 
Run HijackThis, click Config > Misc Tools > Delete a file on reboot.
Paste this file and path into the file name box:
C:\WINDOWS\system32\kmqkf.dll
Answer no to the prompt to reboot, paste in that other file even if it seems not to exist, and answer yes to the prompt to reboot the PC:
C:\WINDOWS\system32\ssldr32.dll
 
Hi, I did what you told me to do, but Spybot still shows Command Service.

SpybotSD log:

Command Service: System Service (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-26 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-23 Includes\Cookies.sbi (*)
2005-12-23 Includes\Dialer.sbi (*)
2005-12-23 Includes\Hijackers.sbi (*)
2005-12-23 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-12-23 Includes\Malware.sbi (*)
2005-12-23 Includes\PUPS.sbi (*)
2005-12-23 Includes\Revision.sbi (*)
2005-12-23 Includes\Security.sbi (*)
2005-12-23 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-23 Includes\Trojans.sbi (*)


Here's a new/fresh HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 16:30:49, on 28-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Xfire\Xfire.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
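The log above is where a service like cmdService would surface: HijackThis reports Run-key and Startup-folder autoruns as O4 lines and installed services as O23 lines, with the vendor string and binary path after the name. The Python below is an added example, not HijackThis code and not from any post in this thread, that parses those lines and builds review lists using three heuristics chosen for the example: services HijackThis shows as 'Unknown owner', entries it marks '(file missing)', and autoruns launched by a bare executable name (resolved through the search path rather than from a fixed directory). SAMPLE_LOG is a constructed subset of the log format shown above; benign entries such as RUNDLL32.EXE trip the bare-name rule too, so its output is a list to read, not a verdict.

```python
"""Extract persistence points from a HijackThis 1.99 log.

Added example for this thread; not HijackThis code and not from the original
post.  A log is a list of '<section> - <body>' lines; O4 holds autoruns and
O23 holds services.  The 'suspicious' rules below are heuristics chosen for
this example, not HijackThis's own.  SAMPLE_LOG is a constructed subset of
the log format seen in the thread.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 16:30:49, on 28-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

# Item lines: section code (R0..R3, F0..F3, N1..N4, O1..O24), ' - ', body.
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 registry autorun: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# O4 Startup-folder shortcut: Startup: name.lnk = target
STARTUP_RE = re.compile(r"^(?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# O23 service: Service: Display Name (ShortName) - Owner - path   (short name optional)
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(text):
    """Return [(section, body)] for every item line; headers and process lists are ignored."""
    items = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items


def section_counts(items):
    return Counter(sec for sec, _ in items)


def first_token(cmd):
    """The executable as the loader sees it: a quoted path, or the first whitespace-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def run_entries(items):
    """All O4 autoruns as dicts: hive, key, name, cmd, exe."""
    out = []
    for sec, body in items:
        if sec != "O4":
            continue
        m = RUN_RE.match(body) or STARTUP_RE.match(body)
        if m:
            d = m.groupdict()
            d.setdefault("key", "")          # Startup-folder entries have no Run key
            d["exe"] = first_token(d["cmd"])
            out.append(d)
    return out


def services(items):
    """All O23 services as dicts: display, short (may be None), owner, path."""
    return [SERVICE_RE.match(body).groupdict()
            for sec, body in items if sec == "O23" and SERVICE_RE.match(body)]


def bare_name_autoruns(items):
    """Autoruns whose executable has no directory, so it is found via the search path."""
    return [e["name"] for e in run_entries(items) if "\\" not in e["exe"]]


def unknown_owner_services(items):
    """Services with no vendor string in the binary's version resource."""
    return [s["display"] for s in services(items) if s["owner"] == "Unknown owner"]


def file_missing(items):
    """Entries that still point at a binary HijackThis could not find on disk."""
    return [f"{sec} - {body}" for sec, body in items if "(file missing)" in body]
```

Feed it a real log with `parse_hjt(open("hijackthis.log").read())` and read the three review lists together with the O23 table; a rogue service typically shows up either as an 'Unknown owner' O23 entry or as an O4 line whose target lives in an unusual directory, and a cleaned-up entry whose binary was already deleted shows up as '(file missing)'.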
 
Hi
Copy the contents of the quote box below into a new Notepad document (not WordPad).
Click File > Save As... > call it check.bat > file type *All Files* > and save it to the desktop.
(Echo %DATE% %TIME%
REM Stop the service from starting again, then remove its registry entry.
REM If it is currently running, Windows finishes the delete at the next reboot.
sc config "cmdService" start= disabled
sc delete "cmdService"
REM Query it again: "The specified service does not exist as an installed service" means the delete took.
sc query "cmdService"
)>logit.txt 2>&1
start notepad logit.txt
Run check.bat and post back with the text that will open.

Also: download and run BlackLight.
F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
Click Scan, then Next, Next again, then Exit.
There will be a new txt file near BlackLight. Post it please.
!!Do not rename any files yet
 
I've got a strange background, installed automatically.

When I right-click it and click 'Source' it shows this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!----
***** This file is automatically generated by Microsoft Windows *****
--------><HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY bgColor=#000000>
<DIV
style="BACKGROUND: url(file:///C:/Documents%20and%20Settings/Michiel/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp) no-repeat 50% 50%; LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 0px; HEIGHT: 768px"></DIV><IFRAME
id=0
style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 1px; HEIGHT: 767px"
name=DeskMovrW marginWidth=0 marginHeight=0
src="file:///C:/WINDOWS/Web/desktop.html" frameBorder=0 scrolling=no
subscribed_url="C:\WINDOWS\Web\desktop.html"
resizeable="粶&#55360;
ၩ"> </IFRAME>  </BODY></HTML>

When I delete the desktop.html it's still there.
Also I'm unable to click software in the 'tools-menu' (in Windows)
 
OK, we can deal with that; first follow the suggestions in my last post.

"Also I'm unable to click software in the 'tools-menu' (in Windows)"
Not sure what you mean, explain further please
 
Right.

"Also I'm unable to click software in the 'tools-menu' (in Windows)" means:

Also, I am unable to click on the 'Software' icon in the 'tools-menu' (I am not sure it is called 'tools-menu' in English; it's where you can access things like 'Software', 'Hardware', 'Graphics', 'Printers', etc.)

When I click on 'Software' I get the error: 'Value creation failed at line 521'

Results of F-Secure:
12/29/05 20:09:35 [Info]: BlackLight Engine 1.0.30 initialized
12/29/05 20:09:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/29/05 20:09:35 [Note]: 7019 4
12/29/05 20:09:35 [Note]: 7005 0
12/29/05 20:09:39 [Note]: 7006 0
12/29/05 20:09:39 [Note]: 7011 1632
12/29/05 20:09:39 [Note]: FSRAW library version 1.7.1014
12/29/05 20:11:23 [Note]: 7007 0
 
I only got a log located in the same directory as blbeta.exe.
The content of this log was the text I posted earlier.
Also: blbeta.exe didn't find any viruses or results.

Next step is to install all the software from the other forum page and follow the steps?
 
Results of ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 22:55:08, 29-12-2005
+ Report summary: 6271C80C

+ Scan results:

HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with a backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with a backup
HKU\S-1-5-21-484763869-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with a backup
HKU\S-1-5-21-484763869-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with a backup
HKU\S-1-5-21-484763869-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with a backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@com[2].txt -> Spyware.Cookie.Com : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@stat.onestat[1].txt -> Spyware.Cookie.Onestat : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with a backup
C:\Documents and Settings\Michiel\Cookies\michiel@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with a backup
C:\Documents and Settings\Michiel\Local Settings\Temp\B.tmp -> Downloader.CWS.r : Cleaned with a backup
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\O1EBS1U7\mm[2].js -> Spyware.Chitika : Cleaned with a backup
C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with a backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with a backup


::End of report

Schoongemaakt met backup means 'cleaned with backup'

Results of smitrem:
Smitrem did not make a log or anything, I think.
 