Command Service Virus?

I unwittingly installed a virus on my computer. Norton AV was no help, but after following the instructions I found here I made massive head and no longer see any symptoms of the virus.

However, I am unable to remove two registry keys that Spybot S&D says poses a threat, they follow.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]

I looked at them using the 'Services' program under Administrative Tools and found it to point to...
C:\windows\U2lylFphyw\command.exe
however I was unable to find the folder U2lylFphyw (I was able to see other hidden folders).

I have attached the HJT log. The only thing that seems suspicious to me is the uhvjsul.dll = windows/system32/rundll.exe /uhvjsul.dll, mrpmvyf line, but I was unwilling to modify it before I had more inforation on it.

Any help is greatly appreciated and if anyone needs any other info from me please to let me know. Gratzi.

Hello and welcome to Techspot.

Download the Pocket Killbox from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

RUNXMLPL.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)

O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Kensington_MouseWorks\IE_KMW.DLL (file missing)

O4 - HKLM\..\Run: [Preload] C:\Windows\RUNXMLPL.exe

O4 - HKLM\..\Run: [uhvjsul.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf

O20 - Winlogon Notify: winjyg32 - winjyg32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Windows\RUNXMLPL.exe

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

This is the filepath you need to enter into killbox.

C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :wave: :wave:

This thread is for the use of JxSlick only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

I believe I fix

I followed your instructions with the following notes:

there was no process RUNXMLPL.exe running, however I did delete the C:\Windows\RUNXMLPL.exe file.


the file C:\WINDOWS\system32\uhvjsul.dll,mrpmvyf did not exist, however I did delete C:\WINDOWS\system32\uhvjsul.dll using killbox.

Upon restart I was still getting the
Command Service: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

warning in Spybot.

I then looked at the Service program found in the adminstrator settings and saw that this service was pointing to c:\windows\system32\uhvjsul\command.exe and used killbox to delete that file, however killbox said that this file did not exist at which point I used killbox to delete the folder, which appeared to be empty.

However I am still getting the same warning with Spybot. Also I will occaisonaly see a warning
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

(note difference between controlset001 and 002). Spybot will let me delete this registry key.

The only difference I see in my computer is that my wireless card seems to not work quite as well (it still seems to work fine, but I'm getting less networks than I normally do, may not have to do with my computer at all)

__________

I have now used the sc delete command to delete the Command Service service, and I am getting no more warnings from Spybot!!!!

My computer seems to be working fine. I did have a little trouble shutting down one time. It seemed like none of my processes would shut themselves down, I kept getting the "would you like to end this process now?" dialog box. But I have not experienced that again. My wireless seems to be working just fine.

The only "problem" now is that I have like three antivirus programs load on startup and I need to clean that up, its making the computer startup and shutdown hella slow. I figure since I paid for Norton AV I might as well use it. I also have Ewido Antispyware and AVG Free Antivirus running, as well as Spybot's Tea Timer and I think another background process from Spybot.

I've uploaded my HJT log just in case I missed anything. Thank you again for you're help. You're awesome and this whole site is awesome. Where's the tip bucket?