Cmd service malware problem



Chip82
2008-01-02, 03:17
Please help. I have run Spybot several times and it keeps coming up with the same problem, and it is not able to delete it. I have read up on it, and this seems to be the best way for me to get help.
Thank you in advance.
Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:18 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Sm9uZXM\command.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\QuickTime\qttask .exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol .exe
D:\WINDOWS\mrofinu11.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\QuickTime\qttask .exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\mrofinu11 .exe
D:\Program Files\DAEMON Tools\daemon .exe
D:\Program Files\Common Files\s?mbols\??rss.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\MagicDisc\MagicDisc.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe
D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe
D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe
D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe
D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe
D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe
D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe
D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=D:\WINDOWS\system32\ddccb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [40bc5fba] rundll32.exe "D:\WINDOWS\system32\mbrtfpay.dll",b
O4 - HKLM\..\Run: [runner1] D:\WINDOWS\mrofinu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Acae] "D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [Wpzrq] "D:\Program Files\Common Files\s?mbols\??rss.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1968] command /c del "D:\WINDOWS\system32\sqlite3.dll_old"
O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Kodak EasyShare software.lnk = D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim .exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\Sm9uZXM\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
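
An added example, not from the thread and not code from HijackThis or Spybot: a short Python pass over a subset of the log above that flags the kinds of entries that make it look bad. The rules are our own review heuristics, not verdicts: a "?" in a path (no Windows file name can contain one, so HijackThis printed it for a character it could not show), a space before the extension ("qttask .exe" is a different file from "qttask.exe" and hides next to it in the process list), a core Windows binary name living outside the Windows directory, an O23 service with an unknown owner, a win.ini load= entry, a Run value named by hex digits only, and a directory name that is Base64 of plain text (Sm9uZXM decodes to "Jones"; that is our observation, the thread does not say so). The sample lines are copied from the log above; the thresholds (8 hex digits, 6-character Base64 names) and the list of system binaries are assumptions.

```python
"""Flag suspicious entries in a HijackThis (HJT) log.

Added example, not part of the thread or of HijackThis itself. The
SAMPLE_LOG lines are copied from the log posted above; the heuristics
are ours and mark entries for a human to review, they are not verdicts.
"""
import base64
import re
import string
from collections import Counter
from typing import Optional

# Constructed sample: a subset of the log from the post above.
SAMPLE_LOG = [
    r"D:\WINDOWS\system32\csrss.exe",
    r"D:\WINDOWS\Sm9uZXM\command.exe",
    r"D:\Program Files\QuickTime\qttask.exe",
    r"D:\Program Files\QuickTime\qttask .exe",
    r"D:\Program Files\Common Files\s?mbols\??rss.exe",
    r"D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe",
    r"F3 - REG:win.ini: load=D:\WINDOWS\system32\ddccb.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask .exe" -atboottime',
    r'O4 - HKLM\..\Run: [40bc5fba] rundll32.exe "D:\WINDOWS\system32\mbrtfpay.dll",b',
    r'O4 - HKCU\..\Run: [Acae] "D:\PROGRA~1\COMMON~1\SKS~1\mshta.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Wpzrq] "D:\Program Files\Common Files\s?mbols\??rss.exe"',
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\Sm9uZXM\command.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe",
]

# A drive-letter path up to the first .exe/.dll; lazy so "qttask .exe" is kept whole.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
# Assumed list of core Windows binaries that should only live under the Windows directory.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "alg.exe", "rundll32.exe", "mshta.exe",
    "explorer.exe", "ctfmon.exe",
}
WINDOWS_DIR_RE = re.compile(r"^[A-Za-z]:\\windows(?:\\|$)", re.IGNORECASE)


def base64_word(name: str) -> Optional[str]:
    """Return the ASCII word a path component encodes in Base64, or None.

    Heuristic: only alphanumeric names of 6+ characters whose decoding is
    pure letters count, e.g. Sm9uZXM -> Jones. Ordinary directory names
    such as WINDOWS or system32 decode to non-letters and are rejected.
    """
    if not re.fullmatch(r"[A-Za-z0-9]{6,}", name) or len(name) % 4 == 1:
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except ValueError:
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text and all(c in string.ascii_letters for c in text) else None


def check_path(path: str):
    """Yield (indicator, evidence) pairs for one Windows path."""
    parts = path.split("\\")
    directory, basename = "\\".join(parts[:-1]), parts[-1]
    # '?' cannot occur in a Windows file name; HJT prints it for characters it cannot render.
    if "?" in path:
        yield "wildcard-in-path", path
    # "qttask .exe" is a different file from "qttask.exe" and mimics it in a process list.
    if re.search(r"\s\.\w+$", basename):
        yield "space-before-extension", basename
    for component in parts[1:-1]:          # skip the drive letter and the file name
        word = base64_word(component)
        if word:
            yield "base64-dirname", f"{component} -> {word}"
    # A binary named like a core Windows executable but living outside the Windows directory.
    if basename.lower() in SYSTEM_BINARIES and not WINDOWS_DIR_RE.match(directory):
        yield "system-binary-outside-windows", path


def analyze(lines):
    """Return (indicator, evidence, line) triples for every suspicious entry."""
    findings = []
    for line in lines:
        line = line.rstrip()
        for path in PATH_RE.findall(line):
            for indicator, evidence in check_path(path):
                findings.append((indicator, evidence, line))
        # F3 win.ini load=/run= is a legacy autostart that modern software does not use.
        if line.startswith("F3") and re.search(r"\b(?:load|run)=", line):
            findings.append(("win-ini-load", line.split("=", 1)[1], line))
        # Run values named by 8+ hex digits only (assumed threshold), e.g. [40bc5fba].
        m = re.match(r"O4 - .*?\[([0-9A-Fa-f]{8,})\]", line)
        if m:
            findings.append(("hex-run-name", m.group(1), line))
        if line.startswith("O23") and "Unknown owner" in line:
            findings.append(("unknown-service-owner", line, line))
    return findings


def summarize(findings) -> dict:
    """Count findings per indicator."""
    return dict(Counter(indicator for indicator, _, _ in findings))


if __name__ == "__main__":
    for indicator, evidence, _ in analyze(SAMPLE_LOG):
        print(f"{indicator:30} {evidence}")
    print(summarize(analyze(SAMPLE_LOG)))
```

Run it as a script to print the findings, or pass any HJT log's lines to analyze() for a fuller run. Entries it does not flag, such as the random DLL name in the [40bc5fba] entry or the long hex argument to [runner1], still need a human eye.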

ndmmxiaomayi
2008-01-03, 06:08
Hi Chip82. :)

Welcome to Safer Networking.

Your log looks quite bad. :sick:

Please follow all instructions carefully so that the malware doesn't regenerate.

Step 1

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please download the beta version of Combofix from Bleeping Computer (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe). Save it to your desktop.

If you can't download it, please try these 2 alternative sites:

Forospyware (http://www.forospyware.com/sUBs/Beta/ComboFix.exe)
Geeks to Go (http://subs.geekstogo.com/Beta/ComboFix.exe)

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Step 2

Please download and install CCleaner Slim (http://www.ccleaner.com/download/builds/downloading-slim).
Once installed, double click on the desktop shortcut created.
On the leftmost column, click on Tools.
On the middle column, click on Uninstall.
At the bottom right hand corner, click on the Save to text file... button.
By default, it saves this file as install.txt in C:\Program Files\CCleaner. You may want to save it to your desktop to find it easily. Click Save.
Close CCleaner.

In your next reply, please post:

Combofix log (C:\Combofix.txt)
A new HijackThis log
CCleaner install.txt

ndmmxiaomayi
2008-01-12, 17:04
Hi,

It's been more than a week. How's everything going?