Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

removing command service


  • Please log in to reply

#16
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
What the heck :whistling: Can you close it? Does it just keep running? It sounds like a streming video where you get the 30 second ad and then the video. Can you right click on it and select properties and see what it says or is it just audio
  • 0

Advertisements


#17
js8386

js8386

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
that is the thing. there is nothinig that i can see to click on. no programs open or anything liike that.
  • 0

#18
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
So this is just an audio file then? Have you tried rebooting ( just trying to cover the bases from easiest)
  • 0

#19
js8386

js8386

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
yea i did reboot. and it comes back after a while. i found out what it is now though. it is a feed from some website called daily blabber. it is a celeb gossip site.
  • 0

#20
js8386

js8386

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
here is a silent runner log
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = (empty string)
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
  • 0

#21
js8386

js8386

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
and here is another combo fix log
Joe - 06-09-13 11:06:25.03
ComboFix 06.09.07 - Running from: C:\Documents and Settings\Joe\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-13 to 2006-09-13 ))))))))))))))))))))))))))))))))))


2006-09-08 18:21 138 --a------ C:\WINDOWS\file.bat
2006-09-08 18:11 1,233 --a------ C:\WINDOWS\system32\hms35111.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-13 10:05 -------- d-------- C:\Program Files\PokerStars
2006-09-12 18:34 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-10 22:49 -------- d-------- C:\Documents and Settings\Joe\Application Data\Azureus
2006-09-10 11:57 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-10 02:10 -------- d-------- C:\Program Files\Norton Internet Security
2006-09-10 02:03 -------- d-------- C:\Program Files\iTunes
2006-09-10 02:03 -------- d-------- C:\Program Files\Internet Explorer
2006-09-10 02:01 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-08 18:08 -------- d-------- C:\Program Files\Online Services
2006-09-08 18:06 -------- d-------- C:\Program Files\Common Files\Services
2006-09-08 18:06 -------- d-------- C:\Program Files\Common Files
2006-09-08 18:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-08 18:02 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-08 18:00 -------- d-------- C:\Program Files\Common Files\DESIGNER
2006-08-30 17:05 -------- d-------- C:\Program Files\PartyPoker.net
2006-08-28 20:24 -------- d-------- C:\Program Files\Warcraft III
2006-08-25 16:14 -------- d---s---- C:\Documents and Settings\Joe\Application Data\Microsoft
2006-08-20 17:39 -------- d-------- C:\Documents and Settings\Joe\Application Data\Lavasoft
2006-08-20 17:38 -------- d-------- C:\Program Files\Lavasoft
2006-08-20 16:51 -------- d-------- C:\Program Files\Yahoo!
2006-08-20 15:56 -------- d-------- C:\Documents and Settings\Joe\Application Data\SpamBlocker
2006-08-20 01:18 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-20 01:17 -------- d-------- C:\Program Files\QuickTime
2006-08-19 18:18 -------- d-------- C:\Program Files\Full Tilt Poker
2006-08-12 00:08 -------- d-------- C:\Program Files\PokerRoom.com
2006-08-10 18:47 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-08-10 16:20 -------- d-------- C:\Documents and Settings\Joe\Application Data\SpamBlockerUtility_Icons
2006-08-07 21:27 2829 --a------ C:\WINDOWS\War3Unin.pif
2006-08-07 21:27 139264 --a------ C:\WINDOWS\War3Unin.exe
2006-08-03 22:36 -------- d-------- C:\Program Files\PartyGaming
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-16 23:51 -------- d-------- C:\Program Files\LimeWire
2006-07-16 02:58 -------- d-------- C:\Program Files\TexasCalculatem


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Internet Explorer\\kyzexewiv.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Online Services\\howyv.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,d0,02,00,00,00,00,00,00,d0,02,00,00,66,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 09/13/2006 11:06:49.14
ComboFix.txt
ComboFix2.txt
  • 0

#22
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

The silent runners log got cut off, but what I could see was fine. This is a strange one. I would rather have this log though

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Create a Startup List[/u]
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and past the StartupList from the notepad into your next post

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP