Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

removing command service

Started by js8386 , Sep 08 2006 06:56 PM

  • Please log in to reply

#16
loophole
Posted 12 September 2006 - 09:17 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
What the heck :whistling: Can you close it? Does it just keep running? It sounds like a streming video where you get the 30 second ad and then the video. Can you right click on it and select properties and see what it says or is it just audio
  • 0

Advertisements

#17
js8386
Posted 12 September 2006 - 09:31 PM

js8386

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
that is the thing. there is nothinig that i can see to click on. no programs open or anything liike that.
  • 0

#18
loophole
Posted 12 September 2006 - 09:53 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
So this is just an audio file then? Have you tried rebooting ( just trying to cover the bases from easiest)
  • 0

#19
js8386
Posted 13 September 2006 - 08:59 AM

js8386

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
yea i did reboot. and it comes back after a while. i found out what it is now though. it is a feed from some website called daily blabber. it is a celeb gossip site.
  • 0

#20
js8386
Posted 13 September 2006 - 09:04 AM

js8386

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
here is a silent runner log
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = (empty string)
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
  • 0

#21
js8386
Posted 13 September 2006 - 09:07 AM

js8386

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
and here is another combo fix log
Joe - 06-09-13 11:06:25.03
ComboFix 06.09.07 - Running from: C:\Documents and Settings\Joe\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-13 to 2006-09-13 ))))))))))))))))))))))))))))))))))


2006-09-08 18:21 138 --a------ C:\WINDOWS\file.bat
2006-09-08 18:11 1,233 --a------ C:\WINDOWS\system32\hms35111.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-13 10:05 -------- d-------- C:\Program Files\PokerStars
2006-09-12 18:34 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-10 22:49 -------- d-------- C:\Documents and Settings\Joe\Application Data\Azureus
2006-09-10 11:57 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-10 02:10 -------- d-------- C:\Program Files\Norton Internet Security
2006-09-10 02:03 -------- d-------- C:\Program Files\iTunes
2006-09-10 02:03 -------- d-------- C:\Program Files\Internet Explorer
2006-09-10 02:01 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-08 18:08 -------- d-------- C:\Program Files\Online Services
2006-09-08 18:06 -------- d-------- C:\Program Files\Common Files\Services
2006-09-08 18:06 -------- d-------- C:\Program Files\Common Files
2006-09-08 18:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-08 18:02 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-08 18:00 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-08-30 17:05 -------- d-------- C:\Program Files\PartyPoker.net
2006-08-28 20:24 -------- d-------- C:\Program Files\Warcraft III
2006-08-25 16:14 -------- d---s---- C:\Documents and Settings\Joe\Application Data\Microsoft
2006-08-20 17:39 -------- d-------- C:\Documents and Settings\Joe\Application Data\Lavasoft
2006-08-20 17:38 -------- d-------- C:\Program Files\Lavasoft
2006-08-20 16:51 -------- d-------- C:\Program Files\Yahoo!
2006-08-20 15:56 -------- d-------- C:\Documents and Settings\Joe\Application Data\SpamBlocker
2006-08-20 01:18 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-20 01:17 -------- d-------- C:\Program Files\QuickTime
2006-08-19 18:18 -------- d-------- C:\Program Files\Full Tilt Poker
2006-08-12 00:08 -------- d-------- C:\Program Files\PokerRoom.com
2006-08-10 18:47 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-08-10 16:20 -------- d-------- C:\Documents and Settings\Joe\Application Data\SpamBlockerUtility_Icons
2006-08-07 21:27 2829 --a------ C:\WINDOWS\War3Unin.pif
2006-08-07 21:27 139264 --a------ C:\WINDOWS\War3Unin.exe
2006-08-03 22:36 -------- d-------- C:\Program Files\PartyGaming
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-16 23:51 -------- d-------- C:\Program Files\LimeWire
2006-07-16 02:58 -------- d-------- C:\Program Files\TexasCalculatem


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Internet Explorer\\kyzexewiv.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Online Services\\howyv.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,d0,02,00,00,00,00,00,00,d0,02,00,00,66,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 09/13/2006 11:06:49.14
ComboFix.txt
ComboFix2.txt
  • 0

#22
loophole
Posted 13 September 2006 - 04:33 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

The silent runners log got cut off, but what I could see was fine. This is a strange one. I would rather have this log though

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Create a Startup List[/u]
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and past the StartupList from the notepad into your next post

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP