
Alcan, Matcash, and CommandService



Alarictric
2007-06-08, 20:55
Here is the HijackThis log and the log from the CA.com online scan.

I am doing this on a company computer. It is a small company and I am in no way trained to do this sort of thing, but I offered to help clean this computer because I have more computer knowledge than most people in the company. I am not getting paid any extra for it. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 2:26:45 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\rayiou.exe
C:\Program Files\Common Files\{C88D5B39-05D8-1033-0324-061114200001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [Spyware Sweeper] C:\Program Files\Spyware Sweeper\SpywareSweeper.exe
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\rayiou.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iWonPMSetup_12_1,0,2,5.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {D5EC5989-671B-476D-AC86-090793776FB1} (AuctionBlast Templates) - http://download.ispeedway.com/AuctionBlast/XAuctionBlast.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v46/wwspades/wwspades.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


From the CA.com online scan...

wmplayer.exe Win32/Alcan.K cannot delete C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Update.exe Win32/Matcash!generic cannot delete C:\Program Files\Common Files\{C88D5B39-05D8-1033-0324-061114200001}\
system.dll Win32/Matcash.K deleted C:\RECYCLER\S-1-5-18\Dc1\
Update.exe Win32/Matcash.L deleted C:\RECYCLER\S-1-5-18\Dc1\
system.dll Win32/Matcash.K deleted C:\RECYCLER\S-1-5-18\Dc2\
install.exe Win32/Matcash.L deleted C:\WINDOWS\system32\
a4.exe Win32/SillyDl.BAS deleted C:\WINDOWS\system32\micro1\
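As a defender-side aid for reading a log like the one above, here is an added Python example; it is not from the thread, HijackThis or CA. It parses a handful of the lines quoted in the post (the sample inputs below are constructed from that log), cross-references the HijackThis autorun entries with the CA scan results by file name, and flags the entries a responder would look at first: unresolved targets, an executable dropped straight into the all-users Startup folder, the Windows 9x-era RunServices key, a GUID-named folder under Common Files, and random-looking Run value names. The "random-looking name" check is a heuristic of my own, not a published rule, and only the O4/process/scan line shapes seen in this post are parsed.

```python
import re

# Constructed sample: a subset of the HijackThis log posted in the thread (paths as given there).
HJT_SAMPLE = r"""
Running processes:
C:\WINDOWS\rayiou.exe
C:\Program Files\Common Files\{C88D5B39-05D8-1033-0324-061114200001}\Update.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\rayiou.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: wmplayer.exe
"""

# Constructed sample: CA.com scan result lines from the same post ("<file> <detection> <action> <dir>").
CA_SAMPLE = r"""
wmplayer.exe Win32/Alcan.K cannot delete C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Update.exe Win32/Matcash!generic cannot delete C:\Program Files\Common Files\{C88D5B39-05D8-1033-0324-061114200001}\
install.exe Win32/Matcash.L deleted C:\WINDOWS\system32\
"""

# O4 registry Run entries: "O4 - HKLM\..\Run: [name] "target.exe" args" (only .exe targets are handled here).
O4_REG_RE = re.compile(r'^O4 - (?P<src>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] "?(?P<target>.*?\.exe)"?\s*(?P<args>.*)$', re.I)
# O4 Startup-folder entries: either "name.lnk = target" or a bare file sitting in the folder.
O4_STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.*?)(?: = (?P<target>.*))?$')
PROC_RE = re.compile(r'^[A-Z]:\\.*\.exe$', re.I)
CA_RE = re.compile(r'^(?P<file>\S+) (?P<det>\S+) (?P<action>cannot delete|deleted) (?P<dir>.*)$')
GUID_DIR_RE = re.compile(r'\\Common Files\\\{[0-9A-F-]{36}\}\\', re.I)


def parse_hijackthis(text):
    """Return process and autorun entries as dicts with source, name, target and the raw line."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := O4_REG_RE.match(line):
            entries.append({"source": m["src"], "name": m["name"], "target": m["target"], "line": line})
        elif m := O4_STARTUP_RE.match(line):
            # No " = " part means the listed file itself sits in the Startup folder.
            target = m["target"] if m["target"] else m["name"]
            entries.append({"source": "Global Startup", "name": m["name"], "target": target, "line": line})
        elif PROC_RE.match(line):
            entries.append({"source": "process", "name": line.rsplit("\\", 1)[-1], "target": line, "line": line})
    return entries


def parse_ca_scan(text):
    """Return scanner findings as dicts: file, det(ection), action, dir."""
    return [m.groupdict() for m in (CA_RE.match(l.strip()) for l in text.splitlines()) if m]


def looks_random(name):
    """Heuristic (my assumption, not a published rule): no a/e/i/o/u, contains a digit, 5+ chars."""
    return len(name) >= 5 and any(c.isdigit() for c in name) and not re.search(r"[aeiou]", name, re.I)


def triage(entries, findings):
    """Map each HijackThis line to the reasons it needs attention; lines with no reason are omitted."""
    detected = {}
    for f in findings:
        detected.setdefault(f["file"].lower(), []).append(f)
    report = {}
    for e in entries:
        target, base = e["target"], e["target"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if target == "?":
            reasons.append("shortcut target could not be resolved")
        elif e["source"].startswith("HK") and "\\" not in target:
            reasons.append("no path given: which file actually runs depends on the search order")
        if e["source"] == "Global Startup" and e["name"].lower().endswith(".exe"):
            reasons.append("executable placed directly in the all-users Startup folder")
        if e["source"].endswith("RunServices"):
            reasons.append("RunServices is a Windows 9x-era key; unusual on NT-based Windows such as XP")
        if GUID_DIR_RE.search(target):
            reasons.append("runs from a GUID-named folder under Common Files")
        if e["source"].startswith("HK") and looks_random(e["name"]):
            reasons.append(f"random-looking Run value name '{e['name']}'")
        for f in detected.get(base, []):
            reasons.append(f"scanner detected {f['det']} in {f['dir']} ({f['action']})")
        if reasons:
            report[e["line"]] = reasons
    return report


def summarize(hjt_text, ca_text):
    """Convenience wrapper: parse both logs and return the triage report."""
    return triage(parse_hijackthis(hjt_text), parse_ca_scan(ca_text))


if __name__ == "__main__":
    for line, reasons in summarize(HJT_SAMPLE, CA_SAMPLE).items():
        print(line)
        for r in reasons:
            print("   -", r)
```

On the sample, the report singles out the two files the scanner could not delete (wmplayer.exe in the Startup folder and Update.exe in the GUID folder), the two `p2pnetworking.exe` entries with no path, the `SfKg6w` value pointing at `rayiou.exe`, and the unresolved Digital Line Detect shortcut, while leaving the InstallShield, McAfee, ctfmon and Adobe entries alone. The "cannot delete" results lining up with live autorun entries is the practical point: the files were running at scan time, which is why the thread moves on to a tool that deals with them before Windows fully starts.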

Shaba
2007-06-09, 11:15
Hi Alarictric

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report

Alarictric
2007-06-11, 17:54
Pardon the slow response, but I was unable to work on it over the weekend.

I ran into a problem. After running combofix, I am now unable to boot the system. It no longer recognizes any installed hard disk drives. I'll see if I can find a boot disk I guess... any suggestions?

Shaba
2007-06-11, 18:34
Hi

I'll ask the combofix developer for help.

Shaba
2007-06-11, 18:56
Hi

I asked sUBs and he said that it's most likely not a combofix issue.

What type of disk do you have: PATA, SATA or SCSI?

Do you have a USB flash drive connected to the computer?

Alarictric
2007-06-11, 21:34
Once again, sorry for the slow replies. As I said, this isn't my real job and my other duties come first. I only get to work on this occasionally.

It's a standard Dell notebook, so I would imagine it's PATA? It's not my computer, though. No, there is no USB flash drive connected.

Thanks for any help you can give. Our "IT guy" is the president's son and only comes in about once a month and doesn't seem to take care of much.

Alarictric
2007-06-11, 22:41
I was able to save a log prior to the crash, unfortunately I did not get a chance to post it. Maybe it would have had some clues as to what happened if there was any connection between the crash and Combofix.

Shaba
2007-06-12, 10:00
Hi

Then you will need diagnostic software for that HD. What's the manufacturer of the FD?

Alarictric
2007-06-12, 13:54
I'm sorry... FD? I'm not sure what you mean.

Alarictric
2007-06-12, 13:56
There are no HDDs listed in BIOS either. I removed the HDD and reinstalled it to make sure that the connections were secure, but BIOS still will not recognize any drives.

Shaba
2007-06-12, 14:10
Hi

Sorry I meant HD.

What's the manufacturer of the HD?

Alarictric
2007-06-12, 14:45
Oh... haha. After a quick biopsy, I discovered that the HD is a Seagate Momentus 5400.2, Model# ST9408114A

Shaba
2007-06-12, 14:48
Hi

Then go here (http://www.seagate.com/www/en-us/support/downloads/seatools)
for diagnostic tools.

Alarictric
2007-06-12, 16:45
I ran Seagate's diagnostic tool, but unfortunately I didn't get any new information. During the Short test, all it said was "No hard disk found" or something along those lines.

Could the IDE controller have gone bad? The CD drive shows as "None" in the BIOS just like the HD does, however, the CD drive works (that's what I used to boot the Seagate utilities).


This turned into something completely different from viruses and adware, sorry. If you can recommend somewhere else I should go to ask questions, I can take my difficulties elsewhere. I appreciate any help you are able to provide, though.

Shaba
2007-06-12, 16:52
Hi

"Could the IDE controller have gone bad?"

Yes, it's possible.

Sure, I can recommend one, but you also have malware on your computer which needs to be removed after the HD works again.

Alarictric
2007-06-12, 16:59
I was trying to find an install file for fresh IDE drivers, but the only ones I could find were installable from Windows. I need something I can install through DOS.

I checked on an identical laptop in the Device Manager and the controller is "Intel 82801FB/FBM Ultra ATA Storage Controllers - 266F"

Shaba
2007-06-12, 18:36
Hi

You may ask for those via Seagate support.

Shaba
2007-06-19, 11:14
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.