Command



Ironhead
2007-02-13, 15:46
Hey guys! Thanks in advance for your assistance.
I've got a mess. No antivirus software since the motherboard had to be replaced and with my 14 yr. old playing online games the situation was bad. I've done the following:
Search and destroy
Ad-Aware SE
Hijackthis
and in safe mode reran search and destroy but the command pest is still there.
I will have antivirus by this afternoon (2/13/07).

I've noticed an improvement in the system speed but I'm sure there are things I still need to do.

What do you suggest?

Thanks!



Logfile of HijackThis v1.99.1
Scan saved at 9:06:20 AM, on 2/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Jeff\My Documents\Programs\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXI\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

Ironhead
2007-02-13, 19:46
OK - I've installed and run the AVG antivirus program and did another scan which has the command file still listed.


Logfile of HijackThis v1.99.1
Scan saved at 1:36:53 PM, on 2/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeff\My Documents\Programs\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXI\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

pskelley
2007-02-14, 23:46
Welcome to the forum, here is information about that junk: http://research.sunbelt-software.com/threatdisplay.aspx?name=Command%20Service&threatid=41607

Quote:
"OK - I've installed and run the AVG antivirus program and did another scan which has the command file still listed."

You have NOT installed AVG Anti-Virus 7.5, you have installed AVG Anti-Spyware and they do two different functions. You need to get the Anti-Virus program installed before you get infected.
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Stick with the free one; you can leave the AVG Anti-Spyware program onboard for now. The trial lasts for 30 days and by then you will need another program because the realtime protection stops at that point; I will have advice for you about the program before we finish.

Let's proceed like this to cover all bases:

1) Download AVG Anti-Virus 7.5 from here: http://free.grisoft.com/doc/2/lng/us/tpl/v5
Install, update and run a complete system scan.

2) Disable the Service
Click Start > Run and type services.msc
Scroll down to Command Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type (cmdService) and press OK.
OK any prompts, close HijackThis, and restart your computer.

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

5) AVG Anti-Spyware 7.5: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXI\command.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\T3duZXI\ <<< delete that folder if there.

8) Follow the instructions in this link to run AVG Anti-Spyware 7.5, make sure you delete or at least quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the scan results and a new HJT log. Add any comments you think will help.

Thanks

Ironhead
2007-02-17, 04:07
Logfile of HijackThis v1.99.1
Scan saved at 5:17:35 PM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Jeff\My Documents\Programs\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {D2359A1A-50A3-7371-DF4A-5D9090A16C9F} - C:\WINDOWS\system32\nnoawe.dll (file missing)
O2 - BHO: (no name) - {D23DC71E-04F4-7220-DF4A-5D9090A038CC} - C:\WINDOWS\system32\ngfmakmz.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [64 dart one move] C:\Documents and Settings\All Users\Application Data\encsign64dart\START ADMIN.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:58:30 PM 2/16/2007

+ Scan result:



C:\Program Files\Outerinfo\OiUninstaller.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056302.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0059332.dll -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0059333.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP78\A0059358.dll -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056303.exe -> Adware.ValueAd : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056280.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056281.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056282.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056283.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056284.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056285.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056286.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056287.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056288.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056289.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056290.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056291.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056292.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056293.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056294.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056295.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056296.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056297.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056298.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056299.exe -> Downloader.Agent : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056300.exe -> Downloader.Agent : No action taken.
:mozilla.122:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.13:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\q8n6nh35.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.21:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Wade\Cookies\wade@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.65:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.66:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.67:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.56:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.61:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.62:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.63:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.71:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.72:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.73:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.74:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.10:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\q8n6nh35.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.138:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.139:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.140:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.141:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.6:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\q8n6nh35.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.7:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\q8n6nh35.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.8:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\q8n6nh35.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.9:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\q8n6nh35.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Wade\Cookies\wade@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
:mozilla.21:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\q8n6nh35.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.70:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Wade\Cookies\wade@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.128:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.129:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.130:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.96:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.11:C:\Documents and Settings\Johanna\Application Data\Mozilla\Firefox\Profiles\q8n6nh35.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.75:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Wade\Cookies\wade@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@as-eu.falkag[2].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Johanna\Cookies\johanna@as-eu.falkag[2].txt -> TrackingCookie.Falkag : No action taken.
:mozilla.120:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.121:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.126:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.127:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Wade\Cookies\wade@ehg-hollywood.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Wade\Cookies\wade@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.102:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.97:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Wade\Cookies\wade@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.135:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.136:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.137:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.133:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.134:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.131:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.132:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.112:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Wade\Cookies\wade@anad.tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Wade\Cookies\wade@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Jeff\Cookies\jeff@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Wade\Cookies\wade@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.148:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.149:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.150:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.123:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.124:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.125:C:\Documents and Settings\Wade\Application Data\Mozilla\Firefox\Profiles\7hhbq6pp.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
C:\Documents and Settings\Johanna\Cookies\johanna@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP72\A0053933.exe -> Trojan.DelFiles.ax : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP73\A0054956.exe -> Trojan.DelFiles.ax : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP73\A0054985.exe -> Trojan.DelFiles.ax : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0059346.exe -> Trojan.DelFiles.ax : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0056301.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP77\A0059337.exe -> Trojan.Small : No action taken.
C:\WINDOWS\system32\wnscpsv.exe -> Trojan.Small : No action taken.


::Report end
Quote:
"C:\WINDOWS\T3duZXI\ <<< delete that folder if there"

This file did not appear. I was able to disable the Cmd Service.
The two "R0" lines did not appear on the scan list nor did the "O23 - Service" line,
so we're making progress. Some new ads are popping up despite the updates.
I suppose I can dump the AVG Control Center now that I have the right anti-virus program.
Thanks again!

pskelley
2007-02-17, 14:59
Jeff, all of the entries in the AVG Anti-Spyware scan say No action taken? Please read and follow all instructions carefully:

Quote:
"8) Follow the instructions in this link to run AVG Anti-Spyware 7.5, make sure you delete or at least quarantine anything it finds and save the scan report to post."
Run the program again according to the instructions, please edit out the C:\System Volume Information\_restore items as they are in your System Restore files, just DO NOT do a System Restore until we clean those, that would put the junk back on your computer.

You have other problems that DID NOT show in the first log, so you probably got the infections between sending the first log and sending this one. One infection is called LOP/C2Media and it is nasty. It usually comes bundled with junk called messengerplus (nothing to do with Microsoft's MSN or Windows Messenger) here's some information:
http://www.superadblocker.com/P/PROGRAM%20BOOK.EXE-3755.html

Follow the instructions carefully:
Please download NoLop to the Desktop from one of these links:
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16
http://www.spywareedge.net/nolop/NoLop.exe

Close any programs you have running since a reboot is required
Double click NoLop.exe to run it
Next, click the button labeled: Search and Destroy
<<your computer will now be scanned for infected files>>
When the scan finishes, if infected, you are prompted to reboot
Click OK

Now click: REBOOT
A Message should popup from NoLop. If not, double click the program again and it will finish.
Please Post the contents of C:\NoLop.log along with a new HijackThis log

Post the scan report from AVG Anti-Spyware reflecting everything deleted or at least quarantined, the C:\NoLop.log, and a new HJT log. Keep the computer online until we get it clean, you should also look for who downloaded LOP, it did not get there by itself!

Thanks

Ironhead
2007-02-18, 04:51
NoLop would not run due to this error message:

X 'mscomctl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

I downloaded from both sites...wouldn't run.

Here is the AVG7.5 report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:01:35 PM 2/17/2007

+ Scan result:



C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP78\A0059384.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{D2512354-3E02-4710-8BE5-78DDBEA3B7CF}\RP78\A0059383.exe -> Trojan.Small : No action taken.


::Report end
all actions selected -- deleted

hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 10:44:56 PM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Jeff\My Documents\Programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.bellsouth.net/cgi-bin/gx.cgi/AppLogic+mobmain?
O2 - BHO: (no name) - {D2359A1A-50A3-7371-DF4A-5D9090A16C9F} - C:\WINDOWS\system32\nnoawe.dll (file missing)
O2 - BHO: (no name) - {D23DC71E-04F4-7220-DF4A-5D9090A038CC} - C:\WINDOWS\system32\ngfmakmz.dll (file missing)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [64 dart one move] C:\Documents and Settings\All Users\Application Data\encsign64dart\START ADMIN.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

How do I determine who downloaded the lop junk? I may have had some unintentional help from my son trying to help with this problem while I was away from home for a few days.

I appreciate your advice and the machine is online ready for additional action.
Wade

pskelley
2007-02-18, 12:31
Oops Wade, sorry for calling you Jeff...lol

Quote:
"NoLop would not run due to this error message:
X 'mscomctl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid"
See the information in these links:
http://www.wilderssecurity.com/showthread.php?t=5826
http://www.wilderssecurity.com/showthread.php?t=5169

You need that file for many new programs, in fact I am surprised HJT ran without it.

Quote:
"How do I determine who downloaded the lop junk? I may have had some unintentional help from my son trying to help with this problem while I was away from home for a few days."

Wade, here is the junk showing on the computer, most of it is hidden:
O4 - HKLM\..\Run: [64 dart one move] C:\Documents and Settings\All Users\Application Data\encsign64dart\START ADMIN.exe
It is a real piece of trash and is messing up a computer. You can read here how it got there:
http://en.wikipedia.org/wiki/C2.LOP
If you wish to know when, navigate to that folder: encsign64dart, right click any file in it (should be four I believe) and click properties. You should get a date and time when it was installed. We can try to remove it manually, but the tool does a better job. I will give you instructions for the balance of the cleanup, you just make sure you have mscomctl.ocx installed before you proceed so NoLop will work.

1) AVG Anti-Spyware 7.5: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

2) Please download NoLop to the Desktop from one of these links:
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16

Close any programs you have running since a reboot is required
Double click NoLop.exe to run it
Next, click the button labeled: Search and Destroy
<<your computer will now be scanned for infected files>>
When the scan finishes, if infected, you are prompted to reboot
Click OK

Now click: REBOOT
A Message should popup from NoLop. If not, double click the program again and it will finish.
Please Post the contents of C:\NoLop.log along with a new HijackThis log

(hold those logs until you finish)

3) Make sure all files and folders are enabled.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {D2359A1A-50A3-7371-DF4A-5D9090A16C9F} - C:\WINDOWS\system32\nnoawe.dll (file missing)
O2 - BHO: (no name) - {D23DC71E-04F4-7220-DF4A-5D9090A038CC} - C:\WINDOWS\system32\ngfmakmz.dll (file missing)
O4 - HKLM\..\Run: [64 dart one move] C:\Documents and Settings\All Users\Application Data\encsign64dart\START ADMIN.exe
LOP

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Documents and Settings\All Users\Application Data\encsign64dart\ <<< delete that folder

6) Run ATF Cleaner
You can just clean the temp/tif stuff this time if you wish, see this tutorial:
http://forums.security-central.us/showthread.php?t=1925

Restart the computer and post C:\NoLop.log along with a new HijackThis log. Add your comments, how's the computer running now? Then finish up like this:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
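
As an added example (not part of this thread, HijackThis or NoLop), here is a small Python triage script that applies the same reading pskelley uses above to O2, O4 and O23 lines: BHOs with no name and no file, Run entries whose target sits in a user-writable Application Data folder, and services with an unknown owner or a missing binary. The sample lines are constructed from entries quoted in this thread, and the flagging rules are my own heuristics, not anything HijackThis itself applies.

```python
import re

# Constructed sample: HijackThis lines of the kinds quoted in this thread
# (the Lop autorun, the orphaned BHO and the cmdService entry), plus two
# legitimate AVG entries that should not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {D2359A1A-50A3-7371-DF4A-5D9090A16C9F} - C:\WINDOWS\system32\nnoawe.dll (file missing)
O4 - HKLM\..\Run: [64 dart one move] C:\Documents and Settings\All Users\Application Data\encsign64dart\START ADMIN.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T3duZXI\command.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Autorun targets under a user-writable profile location deserve a second look.
# This pattern is my own heuristic (assumption), not a HijackThis rule.
USER_WRITABLE = re.compile(r"\\(Application Data|Local Settings\\Temp)\\", re.IGNORECASE)


def parse_line(line):
    """Split one HijackThis line into its section tag (O2, O4, O23, R0 ...) and body."""
    m = re.match(r"^([OR]\d+)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else (None, line.strip())


def triage_hjt(log_text):
    """Return (reason, line) pairs for entries worth checking before fixing."""
    findings = []
    for raw in log_text.strip().splitlines():
        kind, body = parse_line(raw)
        missing = body.endswith("(file missing)")
        if kind == "O2":
            # A nameless BHO whose DLL is gone is usually leftover from a removed pest.
            if body.startswith("BHO: (no name)") and missing:
                findings.append(("orphaned-bho", raw))
        elif kind == "O4":
            # Run-key entry: [value name] target [arguments]
            m = re.match(r".*\\Run: \[(.*?)\] (.*)$", body)
            if m and USER_WRITABLE.search(m.group(2)):
                findings.append(("autorun-in-user-writable-dir", raw))
        elif kind == "O23":
            # Service: display name (short name) - owner - binary path
            m = re.match(r"Service: (.*?) - (.*?) - (.*)$", body)
            if m and (missing or m.group(2) == "Unknown owner"):
                findings.append(("service-unknown-owner-or-missing", raw))
    return findings


if __name__ == "__main__":
    for reason, line in triage_hjt(SAMPLE_LOG):
        print(f"{reason:34} {line}")
```

Flagged entries are candidates for a closer look (file dates, owner, signature), not an automatic "Fix Checked" list.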

Ironhead
2007-02-18, 17:32
NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Jeff\Desktop
[2/18/2007]
[10:26:18 AM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AA7423DE91CFDB02.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Encsign64dart
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Ansley\Application Data\Adobe
C:\Documents and Settings\Ansley\Application Data\Google
C:\Documents and Settings\Ansley\Application Data\Identities
C:\Documents and Settings\Ansley\Application Data\Macromedia
C:\Documents and Settings\Ansley\Application Data\Microsoft
C:\Documents and Settings\Ansley\Application Data\Xfire
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Jeff\Application Data\Adobe
C:\Documents and Settings\Jeff\Application Data\Avg7
C:\Documents and Settings\Jeff\Application Data\Google
C:\Documents and Settings\Jeff\Application Data\Identities
C:\Documents and Settings\Jeff\Application Data\Lavasoft
C:\Documents and Settings\Jeff\Application Data\Macromedia
C:\Documents and Settings\Jeff\Application Data\Microsoft
C:\Documents and Settings\Jeff\Application Data\Mozilla
C:\Documents and Settings\Jeff\Application Data\Xerox
C:\Documents and Settings\Johanna\Application Data\Adobe
C:\Documents and Settings\Johanna\Application Data\Google
C:\Documents and Settings\Johanna\Application Data\Identities
C:\Documents and Settings\Johanna\Application Data\Macromedia
C:\Documents and Settings\Johanna\Application Data\Microsoft
C:\Documents and Settings\Johanna\Application Data\Mozilla
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Google
C:\Documents and Settings\Localservice\Application Data\Imvu
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Wade\Application Data\Adobe
C:\Documents and Settings\Wade\Application Data\Avg7
C:\Documents and Settings\Wade\Application Data\Birdtraydumb
C:\Documents and Settings\Wade\Application Data\Google
C:\Documents and Settings\Wade\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Wade\Application Data\Identities
C:\Documents and Settings\Wade\Application Data\Image Zone Express
C:\Documents and Settings\Wade\Application Data\Macromedia
C:\Documents and Settings\Wade\Application Data\Microsoft
C:\Documents and Settings\Wade\Application Data\Mozilla
C:\Documents and Settings\Wade\Application Data\Sun
C:\Documents and Settings\Wade\Application Data\Teamspeak2
C:\Documents and Settings\Wade\Application Data\Xfire

Logfile of HijackThis v1.99.1
Scan saved at 11:23:15 AM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Jeff\My Documents\Programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

OK - added the file and NoLop and was doing fine until the Ensign64dart folder was deleted... one file (pollbodymulti) refused to be deleted: "in use by another user (?) or program", so I rebooted and then deleted it, no problem, and emptied the recycle bin and ran ATF again and now I'm posting the results.

I'll follow the system restore stuff in the instructions and keep my digits crossed. How are we looking?

BTW THANKS!

pskelley
2007-02-18, 17:53
Looks good from here, were you able to find out when those files were created?
This start page: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.bellsouth.net/cgi-bin...Logic+mobmain?
Looks like this now? R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

It's a sign in page for Bell South Web Email, did you make a change in it? You can remove that line if you wish with HJT, it is not malware.

You should be good to go at that point.

Thanks and safe surfing:bigthumb:

Ironhead
2007-02-18, 18:26
I don't recall changing it. When I opened IE no homepage was assigned but I use BS DSL and their webmail service (not impressed) so I make that my homepage. I think I'll just leave it alone unless I have problems/ads reshow.
I found when it was loaded... late at night, but specifically what it came with, I'm not sure... still under investigation. I will share the safe surfing links with Jr. and reduce his rights somewhat.

You Da Man!

#3 lives (race day tribute):bigthumb: