Popups & Command Service

[pskelley]

Thanks, that got some of it, follow these instructions:

1) Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
• Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

2) Careful that you get the correct service:
Disable the Service
Click Start > Run and type services.msc
Scroll down to Command Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type (cmdService) and press OK.
OK any prompts, close HijackThis, and restart your computer.

3) Turn off TeaTimer, it will black changes we must make:
http://russelltexas.com/malware/teatimer.htm

4) Start > Control Panel > Add Remove programs and uninstall DeluxeCommunications if there. Please uninstall any other programs you know do not belong there, if you are unsure let me know and I will look.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {6DC25841-9CD6-E455-80FB-B6693F8CDCB3} - C:\WINDOWS\system32\dsozhfmd.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e48.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
(you can remove the next two restrictions if you wish)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(if you did not set the advanced option, you can remove it)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9uaWNhIEdyZWdvcnk\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

c:\nwnmff_e48.exe <<< delete the file

C:\\kybrdff_e48.exe <<< delete the file

C:\WINDOWS\TW9uaWNhIEdyZWdvcnk <<< delete that folder

C:\Program Files\DeluxeCommunications\ <<< delete that folder

Run ATF-Cleaner again, you can skip Prefetch this time, see this tutorial:
http://forums.security-central.us/showthread.php?t=1925

Follow the instruction in this link: http://www.virusvault.co.uk/fusionbb...ic.php?tid/33/
Thanks to John McKenna for the tutorial. Make sure you delete or at least quarantine everything located unless you know it is not bad.

Restart the computer and post the Report from SD fix, the results of the spyware scan and a new HJT log.

Thanks

[Darkgecko]

I ran SDFix, during the process I got alot of errors mentioning 'Find String' and the like. Here is the report for SDFix.


--

SDFix: Version 1.35
-------------------

Scan run on:
Sat 11/04/2006

Time:
08:46 PM


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Monica\Desktop\SDFix

Stage One...

Checking Services...

Name:
-----


Path:
----




Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\DRSMAR~1.EXE
C:\MC44A43.EXE
C:\MC44A44.EXE
C:\MC44A45.EXE
C:\MC44A46.EXE
C:\MC44A48.EXE
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\Prefetch\DRSMARTLOAD.EXE-113D05CC.pf

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------


Any files removed are saved to the SDFix\backups Folder

FINISHED
--



When I go to the Services window and right click on Command Service, the stop button isn't active, nor can I select stop from the right click menu. I changed the Startup Type to Disabled and am now rebooting to see if stop will be an option next time.

[Darkgecko]

Here is the HJT log after running SDFix.

Logfile of HijackThis v1.99.1
Scan saved at 9:18:46 PM, on 11/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {6DC25841-9CD6-E455-80FB-B6693F8CDCB3} - C:\WINDOWS\system32\dsozhfmd.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [grsb21ae] RUNDLL32.EXE w001f008.dll,n 006b21a80000000a001f008
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose /waitstart
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1160811155375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1160813055828
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

[pskelley]

Where are the results of the AVG Anti-Spyware scan:

Follow the instruction in this link:

http://www.virusvault.co.uk/fusionbb...ic.php?tid/33/

Thanks to John McKenna for the tutorial. Make sure you delete or at least quarantine everything located unless you know it is not bad.

I do not need to see a HJT log until after that scan is run.

Did you remove this folder: C:\Program Files\DeluxeCommunications\ <<< delete that folder

Please make sure you are following all directions. You appear to have new items in the log, you need to keep this computer offline until it is clean, this junk will attract more.

Thanks

[Darkgecko]

The Scan is still running actually, and that folder wouldn't let me delete it, and the uninstall from Add/Remove programs isn't working. I'll get you a report of the scan when it finishes

[Darkgecko]

The last line of Step 1 asked for a HJT log after running SDFix, but that paragraph is probably cookie cutter. I can remove that computer from the network so that it wont download anything new, but I had to download these programs.
The AVG Anti-Spyware has been running the scan for about 30 minutes now, so far it's found 55 infected objects. Once that is done, I will post that log, and a new HJT log.

[pskelley]

If you have to boot to safe mode and delete those files or folders, they all must go.
http://www.bleepingcomputer.com/tuto...utorial61.html

This is a badly infected computer as I mentioned, this junk is going to fight you to keep from being removed, but it must go.

The AVG Anti-Spyware has been running the scan for about 30 minutes now, so far it's found 55 infected objects. Once that is done, I will post that log, and a new HJT log.

Thanks, make sure you are deleting the junk it is finding.

[pskelley]

The last line of Step 1 asked for a HJT log after running SDFix

Thanks...that's my bad, that was in the canned fix for the SDFix, I should have asked you to hold the HJT log until you completed the fix.

[Darkgecko]

The AVG Scan has been running for over an hour now, so I might not get those reports to you until the morning. Thanks for the speedy responses, hopefully we'll get to the bottom of this

[pskelley]

OK...no problem. That scan can take an hour on a fairly clean computer.
Some other stuff showed up in the log that was not there before. If you will stay offline except when sending information or downloading, we can cut it off and kill it all. It may take a bit. If you need to you can PM me, just click on my name. I am EST (Clearwater, Fl) and will be down around 9PM until morning.

This one >>> O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
is what we ran SDFix for and it seems to have failed, you can try this:

Disable the offending Service
Click Start > Run and type services.msc
Scroll down to Network Monitor and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type (Network Monitor) and press OK.
OK any prompts, close HijackThis, and restart your computer.

Then look for that folder, it may have to been deleted in Safe Mode also:
C:\Program Files\Network Monitor <<< delete the folder if there

Thanks