
cmdservice and re-appearing cws problems



jenny_1260
2006-01-12, 12:44
Yes, I am a first-time poster. Believe me, until the past week, I didn't realize how horribly difficult life could be without anti-spyware software, and if I wasn't a member of these forums. (TY, spybot ppls!!)

I, like many people it seems, also have command service problems. According to avast! antivirus, I have a couple of trojans and viruses, like "banmanpro.exe" (which re-appears no matter how I delete it). According to spybot, I have CoolWebSearch problems (which, no matter how many times I delete, comes back up again!!), and at one point I had "Error Safe" as well. The one thing I can't remove, though, is the two registry Command Service entries:

Command Service: Settings (Registry key, fixing FAILED)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing FAILED)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, FIXED)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

The one that is fixed, like CWS, always comes back up again. CWShredder at first kept on finding/removing cws.Yexe or something like that, but now it doesn't find any CWS problems at all, although spybot does. Also, it would occasionally change my homepage (it's not serious at the moment due to my constant scanning and deleting, but I'm worried it might get worse).

I don't know if there are any more sneaky things in my computer just waiting to kill me for another few days, but please help me clean this thing!! It's not just command service I'm worried about... viruses, spyware, adware scares me in general, and the avast! popup warnings aren't helping me soothe my nerves either... Please help!!!

This is my HijackThis log. Is there anything else I need to provide?


Logfile of HijackThis v1.99.1
Scan saved at 5:42:21 PM, on 1/10/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\nvidGUIv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\inet20003\services.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\paytime.exe
C:\windows\banmanpro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\inet20003\mm4.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\System32\dllcache\IExplore.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [enewsletterpro] C:\windows\enewsletterpro.exe
O4 - HKLM\..\Run: [banmanpro] C:\windows\banmanpro.exe
O4 - HKLM\..\Run: [drsmartloadb] c:\\drsmartloadb.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128579388897
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Thank you SO much...

steamwiz
2006-01-12, 22:39
Hi

You have a very badly infected computer there...

First, before we get to the removal of entries in your log...

I see you have spysweeper ... so far this is the only program that I know of that will remove all traces of cmdService

update spysweeper, run it and post the log...

Ctrl-Alt-Del .. on the processes Tab ... under CPU what is the number for Winlogon

steam

jenny_1260
2006-01-13, 10:22
Yes, I do have spysweeper. Unfortunately, it happens to be a trial version :( so I can't update it. It is likely the trial version won't get rid of cmdservice, as this seems to be pretty new-ish. However, I ran spysweeper (as well as spybot, cwshredder, avast! a few more times while I was at it, :D ) anyway.

This is the updated log:

Logfile of HijackThis v1.99.1
Scan saved at 5:09:47 PM, on 1/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128579388897
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

winlogon.exe CPU shows "00" :confused:

Thanks

steamwiz
2006-01-13, 19:48
Hi

Well that certainly looks a lot better...

I'd still like to see the spysweeper log

There are 2 more programs which I would like you to run ...and post the logs

Download ewido security suite (http://www.ewido.net/en/download/), install, update and run it.

Please set up as :-

1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

3. From the main ewido screen, click on update in the left menu, then click the Start update button.

4. After the update finishes (the status bar at the bottom will display "Update successful")

5. You may need to manually update the definitions which you can get HERE (http://www.ewido.net/en/download/updates/)

6. Exit Ewido. DO NOT scan yet.

boot into safemode...and scan with Ewido

7. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

8. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

9. Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.

Important - You need to click "Save report" and Save it to your desktop, or you won't have a log

reboot...

---
Please download & run blacklight Rootkit diagnostic tool from :-

http://www.f-secure.com/blacklight/try.shtml

click I ACCEPT

click download > save it to your desktop

then ...

1. Double-click blbeta.exe

2. Accept the agreement > click next

3. click scan

4. A list of all items found will be displayed, or it will say "No hidden items found"

if anything is found do NOT elect to rename or clean anything, as legitimate entries could be found - click close

5. if you see "No hidden items found" click next then exit

On your desktop you will now see a log file, it will look something like this fsbl-20060105183235.log

6. open the log file and paste the contents into a post here...


So that's 3 logs I need to see ...

Spysweeper
Ewido
Blacklight

steam

jenny_1260
2006-01-15, 03:05
Spysweeper:

11:07 PM Sweeping memory for active software.
11:07 PM Memory sweep has completed.
11:08 PM Registry sweep completed.
11:08 PM Full sweep on all local drives initiated.
11:08 PM Now sweeping drive C:
Found Cookie: Goclick Cookie, version 1
Found Cookie: Passport Cookie, version 1
Found Cookie: Realmedia Cookie, version 1
Found Cookie: TribalFusion Cookie, version 1
11:23 PM Full Sweep has completed. Elapsed time 0 hours, 16 minutes, 38 seconds.
Files swept: 32,910
Software Located: 4
Spy Sweeper quarantined a cookie: Goclick Cookie
Spy Sweeper quarantined a cookie: Passport Cookie
Spy Sweeper quarantined a cookie: Realmedia Cookie
Spy Sweeper quarantined a cookie: TribalFusion Cookie

~~~~~~~~~~~

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:50:54 PM, 1/15/2006
+ Report-Checksum: F483E7A0

+ Scan result:

C:\WINDOWS\SYSTEM32\msctl32.dll -> Not-A-Virus.SpamTool.Win32.Mailbot.u : Ignored
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Ignored
C:\WINDOWS\inet20003\3.00.13.dll -> Spyware.Ihbo : Cleaned with backup
C:\WINDOWS\SYSTEM32\DRIVERS\i386p.sys -> Not-A-Virus.SpamTool.Win32.Mailbot.u : Cleaned with backup
C:\WINDOWS\SYSTEM32\p2p.exe -> Not-A-Virus.SpamTool.Win32.Mailbot.u : Cleaned with backup
C:\WINDOWS\ckhdro0l.exe -> Downloader.Small.cdz : Cleaned with backup
C:\Documents and Settings\kl\Local Settings\Temp\svchst.exe -> Downloader.PassAlert.m : Cleaned with backup
C:\Documents and Settings\kl\Cookies\kl@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\System Volume Information\_restore{F3549E2F-EFC1-4192-B420-03E1148A2264}\RP40\A0046112.sys -> Not-A-Virus.SpamTool.Win32.Mailbot.u : Cleaned with backup
C:\System Volume Information\_restore{F3549E2F-EFC1-4192-B420-03E1148A2264}\RP40\A0046121.DLL -> Spyware.Comet : Cleaned with backup
C:\System Volume Information\_restore{F3549E2F-EFC1-4192-B420-03E1148A2264}\RP40\A0046136.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{F3549E2F-EFC1-4192-B420-03E1148A2264}\RP40\A0046138.dll -> Spyware.SpywareNo : Cleaned with backup
C:\System Volume Information\_restore{F3549E2F-EFC1-4192-B420-03E1148A2264}\RP40\A0046139.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{F3549E2F-EFC1-4192-B420-03E1148A2264}\RP40\A0046140.exe -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{F3549E2F-EFC1-4192-B420-03E1148A2264}\RP41\A0050523.dll -> Spyware.Ihbo : Cleaned with backup
C:\System Volume Information\_restore{F3549E2F-EFC1-4192-B420-03E1148A2264}\RP41\A0052451.exe -> Hijacker.VB.kc : Cleaned with backup
C:\loader.exe -> Downloader.Small.cdz : Cleaned with backup
C:\drsmartloadb.exe -> Downloader.Adload.l : Cleaned with backup


::Report End

~~~~~~~~~~~~~~~

Blacklight:

01/15/06 14:56:18 [Info]: BlackLight Engine 1.0.30 initialized
01/15/06 14:56:18 [Info]: OS: 5.1 build 2600 ()
01/15/06 14:56:18 [Note]: 7019 4
01/15/06 14:56:18 [Note]: 7005 0
01/15/06 14:56:21 [Note]: 7006 0
01/15/06 14:56:22 [Note]: 7011 924
01/15/06 14:56:22 [Note]: FSRAW library version 1.7.1014
01/15/06 15:00:11 [Note]: 7007 0


~~~~~~~~~~~~~~~

Thanks!!

jenny_1260
2006-01-17, 03:20
bump... please help!

steamwiz
2006-01-19, 23:31
Hi

Sorry... I missed your post

Did you tell ewido to ignore this ?

C:\WINDOWS\SYSTEM32\msctl32.dll -> Not-A-Virus.SpamTool.Win32.Mailbot.u : Ignored

run ewido again and let it delete it...

post the new ewido log and a new hijackthis log

cheers

steam

tashi
2006-01-23, 18:23
Still with us jenny_1260? ;)

tashi
2006-01-24, 20:56
Hello, this topic will now be archived.
I hope you will return if you have not resolved the problem.
If you need the topic re-opened please pm me.

jenny_1260
2006-02-02, 06:47
Thanks Tashi for re-opening the thread. Sorry for taking so long to reply -our internet company were giving us a bit of trouble (all fixed... we switched companies, lol).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the new ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:23:46 PM, 2/2/2006
+ Report-Checksum: BE1E9383

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll -> Adware.SpySheriff : Cleaned without backup
C:\WINDOWS\SYSTEM32\msctl32.dll -> Not-A-Virus.SpamTool.Win32.Mailbot.u : Cleaned without backup
C:\Documents and Settings\kl\Cookies\kl@hypertracker[2].txt -> Spyware.Cookie.Hypertracker : Cleaned without backup


::Report End

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:26:51 PM, on 2/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128579388897
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINDOWS\nvidGUIv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks so much for your patience in helping me, steam... it's greatly appreciated. :):):)

jenny_1260
2006-02-03, 07:02
Bump... (I know you guys are really busy...!!!)

steamwiz
2006-02-05, 22:50
Hi jenny

My turn to apologise for the late reply... haven't been around for a few days... got mown down by a biological bug :eek:

Your logs are now clean... are your problems resolved ?

cheers

steam

jenny_1260
2006-02-07, 09:26
I'm pretty sure most of the problems (like the occasional popups) are gone. I will run spybot tomorrow and post again if it finds anything (or if it doesn't).

There is one slight problem I'm not sure if it is related to malware or not... but lately, I can't seem to change my desktop wallpaper to one of my own pictures using the "right-click" and "properties" way. When I click on "browse" and choose a picture I want to come up, and click "open", the browse screen closes but the picture doesn't come up on the list, so I can't select it and change it. To change my wallpaper, I have to open up the actual picture, and right-click and select "set as wallpaper" for the picture to come up on desktop. Is it a malware problem, or is it more likely some other thing wrong with the computer? It's not too much of a bother, but it'll be good if it can be fixed. :) Any ideas?

steamwiz
2006-02-07, 14:29
Hi Jenny

Download this zip file to your desktop, extract the batch file inside, also to your desktop, double click on the bat file and a text file will appear on your desktop.... post the contents of the text file in your next post.

http://www.help2go.com/modules.php?name=Forums&file=download&id=411

jenny_1260
2006-02-09, 09:25
I could've sworn I posted this before already, but I guess it didn't work, since I don't see it appearing on this thread!!:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The bat file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\WINDOWS\\System32\\service\\explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I ran spybot... it still found command service somewhere in here: ??? ??? ???

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks!!

steamwiz
2006-02-09, 12:41
Hi

Download the attached zip file (to your desktop)

Unzip to reveal a reg file...

Double click the reg file and allow it to merge with the registry...

Let me know if it solves your wallpaper problem...

---
See if you can find this file on your computer :-

C:\WINDOWS\System32\service\explorer.exe

You are only looking for an explorer.exe file in this location...

Do you have a "service" folder in system32 ?

If you find it, please do this :-

Please go here :-

http://virusscan.jotti.org/

Upload this file from your computer :-


C:\WINDOWS\System32\service\explorer.exe

copy & paste the above bold line into the "File to upload and scan" box...

or click the browse button and browse to the file on your computer...

Then click the submit button


Post back the results

cheers

steam
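Added example, not from the thread: a Python reader for the "Windows Registry Editor Version 5.00" export that the batch file produced above, which reports which Policies restrictions are switched on, decodes the NoDriveTypeAutoRun bitmask (documented bit layout), and lists anything started through Policies\Explorer\Run, flagging the explorer.exe-outside-C:\WINDOWS case that steamwiz asks about. The sample export is constructed from the values in the post; the "No*" naming rule for restriction policies is my assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the "Windows Registry Editor Version 5.00" export format
# of the batch-file output posted above (values taken from that post).
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoHTMLWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\WINDOWS\\System32\\service\\explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
AUTORUN_BITS = {  # NoDriveTypeAutoRun bit -> drive type whose AutoRun is disabled
    0x01: "unknown", 0x02: "no root dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "unknown (reserved)",
}


def parse_reg(text: str) -> dict:
    """Parse .reg export text into {key: {value_name: data}}; REG_SZ escapes are undone."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current = m["key"]
            keys.setdefault(current, {})
        elif current is not None and (m := DWORD_RE.match(line)):
            keys[current][m["name"]] = int(m["hex"], 16)
        elif current is not None and (m := STR_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash
            keys[current][m["name"]] = re.sub(r"\\(.)", r"\1", m["val"])
    return keys


@dataclass
class PolicyReport:
    restrictions: list = field(default_factory=list)          # enabled No* policies
    autorun_disabled_for: list = field(default_factory=list)  # decoded NoDriveTypeAutoRun
    run_entries: list = field(default_factory=list)           # started via Policies\Explorer\Run
    warnings: list = field(default_factory=list)


def audit_policies(text: str) -> PolicyReport:
    """Summarise the per-user Policies tree from a .reg export."""
    rep = PolicyReport()
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(POLICIES.lower()):
            continue
        sub = key[len(POLICIES):].lstrip("\\")
        if sub.lower() == "explorer\\run":
            # Anything here starts with the user's session; it is an autostart
            # location separate from the usual ...\CurrentVersion\Run key.
            for name, target in values.items():
                rep.run_entries.append(str(target))
                folder, _, exe = str(target).lower().rpartition("\\")
                if exe == "explorer.exe" and folder != r"c:\windows":
                    rep.warnings.append(f"Explorer\\Run value {name!r} starts an "
                                        f"explorer.exe outside C:\\WINDOWS: {target}")
            continue
        for name, data in values.items():
            if name == "NoDriveTypeAutoRun" and isinstance(data, int):
                rep.autorun_disabled_for = [d for bit, d in AUTORUN_BITS.items() if data & bit]
            elif name.startswith("No") and isinstance(data, int) and data != 0:
                rep.restrictions.append(f"{sub}\\{name}={data}")
    return rep


if __name__ == "__main__":
    rep = audit_policies(SAMPLE_REG)
    print("restrictions enabled:", rep.restrictions)
    print("AutoRun disabled for:", rep.autorun_disabled_for)
    print("Policies\\Explorer\\Run entries:", rep.run_entries)
    for w in rep.warnings:
        print("WARNING:", w)
```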

jenny_1260
2006-02-12, 01:55
Wallpaper problem perfectly solved, thanks :)

As for the explorer.exe file, though:

I can't visibly SEE the "service" folder when I am in the "system32" folder, but when I type "C:\WINDOWS\System32\service" on the URL address thing the folder does come up. Here, I can only visibly see 2 files: 1 is a notepad file, and the other is a SAM file. No explorer.exe in sight.

Then, I tried putting up "C:\WINDOWS\System32\service\explorer.exe" on the website you gave me anyway, and they can't find the file at all either. So I'm taking a guess it either exists somewhere else or is not there at all??

Thanks,
Jen

steamwiz
2006-02-12, 02:25
Hi

Don't worry about the cmd service keys, they are just orphans in the registry...

is everything else Ok ?

steam

jenny_1260
2006-02-14, 10:40
Yes, everything else seems to be perfectly fine.

Thanks so much!!
Jen

steamwiz
2006-02-14, 17:33
You're welcome :)

steam

tashi
2006-02-19, 01:42
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the topic.

Glad we could help, thank you steamwiz. :)