cmdService Registry keys



Wastegate
2006-03-14, 18:06
I think I have everything else cleaned out, but for the life of me, I cannot get these registry keys gone. Any help will be appreciated.

Spybot Report


--- Search result list ---
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService


Hijack This Report

Logfile of HijackThis v1.99.1
Scan saved at 11:57:34 AM, on 3/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: .elwisp.com
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .elwisp.com
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: 127.0.0.
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: om]
O1 - Hosts: .com]
O1 - Hosts: 127.0.0.
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: 127
O1 - Hosts: m
O1 - Hosts: 127
O1 - Hosts: 0.1 www.tbcode.com #[HJTH.Win32.IstBar.hg]
O1 - Hosts: om]
O1 - Hosts: .com]
O1 - Hosts: 127.0.0.
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: sexswap2.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: 127
O1 - Hosts: m
O1 - Hosts: 127
O1 - Hosts: 0.1 www.tbcode.com #[HJTH.Win32.IstBar.hg]
O1 - Hosts: om]
O1 - Hosts: .com]
O1 - Hosts: 127.0.0.
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: sing.gammae.com
O1 - Hosts: om #[AVG.Dialer.JT]
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: sexswap2.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: 127
O1 - Hosts: m
O1 - Hosts: 127
O1 - Hosts: 0.1 www.tbcode.com #[HJTH.Win32.IstBar.hg]
O1 - Hosts: om]
O1 - Hosts: .com]
O1 - Hosts: 127.0.0.
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: iz #[WMF-exploit]
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)

pskelley
2006-03-16, 02:01
Hello and welcome to the forum. You are far from being clean: you have at least a badly infected hosts file and a trojan running from your services; see this: http://castlecops.com/o23list-1226.html

Let's proceed like this and in the posted order:

1) Follow the directions to download Hoster from here: http://www.funkytoad.com/hoster.htm
then choose "Restore Microsoft's Original hosts file".

2) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/); it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


3) Disable the offending Service
Click Start < Run and type services.msc
Scroll down to Local Security Authority Subsystem Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type lsass and press OK.
OK any prompts, close HijackThis, and restart your computer.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(Once we remove these R lines, you can set any HomePage you wish)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

Check any 01 line that is there.

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
(should be gone)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders (reverse the process when finished):
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\scvhost.exe >>> file (look at the spelling, may be gone) the valid file: svchost.exe would be in the System32 folder

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any comments you have. Let me know how the computer is running now.

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe <<< your Java program is outdated and a security risk, see the information in this link:
http://forums.spybot.info/showthread.php?t=2559

Thanks...pskelley
Safer Networking Forums
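The O23 line pskelley singles out above (a service called lsass whose image is C:\WINDOWS\scvhost.exe, "Unknown owner", "file missing") shows the signals worth checking in every O23 entry. The following Python is an added example, not code from this thread, from HijackThis or from any of its authors: it parses a few constructed O23 lines in the HijackThis format and flags the same things a helper checks by eye, namely an owner of "Unknown owner", an image that is missing on disk, a file name within two edits of a core Windows binary (scvhost vs svchost), and a core Windows name whose image is not under system32. The lists of core binaries and service names are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample O23 lines modelled on the HijackThis entries quoted in this thread.
SAMPLE_O23 = [
    r"O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe",
    r"O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe",
    r"O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)",
]

# Core Windows binaries that malware commonly imitates by name (assumed list, not exhaustive;
# all of these live in %SystemRoot%\system32 on XP).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "spoolsv.exe"}
# Short service names that copy a core Windows component name (assumed list).
CORE_SERVICE_NAMES = {"lsass", "svchost", "services", "winlogon", "csrss", "smss"}

# O23 format: "O23 - Service: <display> (<short>) - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike file names such as scvhost vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_o23(line: str) -> Optional[Dict]:
    """Parse one O23 line and return its fields plus a list of findings (empty if clean)."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    directory, _, basename = path.rpartition("\\")
    basename = basename.lower()
    short = (m.group("short") or "").lower()
    findings: List[str] = []
    if m.group("owner").lower() == "unknown owner":
        findings.append("no publisher/owner recorded")
    if m.group("missing"):
        findings.append("image file missing on disk (service key left behind)")
    if basename not in CORE_BINARIES:
        for core in sorted(CORE_BINARIES):
            if levenshtein(basename, core) <= 2:
                findings.append(f"look-alike of {core}")
                break
    in_system32 = directory.lower().endswith("\\system32")
    if (basename in CORE_BINARIES or short in CORE_SERVICE_NAMES) and not in_system32:
        findings.append("core Windows name running outside system32")
    return {"display": m.group("display"), "short": short, "path": path, "findings": findings}


def triage(lines: List[str]) -> List[Dict]:
    """Return only the O23 entries that have at least one finding."""
    results = []
    for line in lines:
        entry = analyze_o23(line)
        if entry and entry["findings"]:
            results.append(entry)
    return results


if __name__ == "__main__":
    for entry in triage(SAMPLE_O23):
        print(f"{entry['display']} ({entry['short']}) -> {entry['path']}")
        for finding in entry["findings"]:
            print("   -", finding)
```

Run it as a script to print the flagged entries, or pass the O23 lines of a real log to triage() instead of SAMPLE_O23. The look-alike check is a heuristic: it catches a transposed or substituted letter in a system binary name but not a trojan that uses an unrelated name, so it supplements checking the publisher and path of every service rather than replacing it.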

Wastegate
2006-03-16, 15:52
The hosts file is not bad; it helps block ads and other crap websites.

http://www.mvps.org/winhelp2002/hosts.htm
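Whether a long hosts file is a blocklist or a hijack depends on where its entries point, which is the point of disagreement above. The following Python is an added example, not code from this thread or from the MVPS project: it parses a constructed hosts file and sorts each entry into a blocklist entry (a name mapped to loopback or 0.0.0.0), a redirect (a name mapped to some other address, which is how a hijacked file sends traffic to a server the user did not choose), or a loopback entry for a domain the machine needs to reach, such as an antivirus or Windows Update host, which silently blocks updates. The protected-suffix list and the sample entries are assumptions constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample hosts file: blocklist-style lines in the MVPS format the poster refers to,
# plus two hijack-style lines added for contrast. This is not the poster's actual file.
SAMPLE_HOSTS = """\
# start of MVPS-style blocklist (constructed)
127.0.0.1 localhost
127.0.0.1 www.internetpeace.com #[eTrust.Free Popup Killer]
127.0.0.1 clickcash.webpower.com #[IE-SpyAd]
0.0.0.0   he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
# hijack-style lines (constructed for contrast)
192.0.2.10 www.example-bank.test
127.0.0.1  update.antivirus-vendor.test
"""

# Domain suffixes the machine must be able to reach; mapping these to loopback blocks updates
# rather than ads. Assumed list: a real check would name the AV and OS update hosts in use.
PROTECTED_SUFFIXES = ("antivirus-vendor.test", "windowsupdate.com")


def is_protected(name: str) -> bool:
    """True if name is one of the protected domains or a host inside one of them."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify_hosts(text: str) -> Dict[str, List[str]]:
    """Sort hosts-file entries by what each mapping does, not by how many there are."""
    result: Dict[str, List[str]] = {
        "blocklist": [], "redirect": [], "blocks_protected": [], "malformed": []
    }
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the trailing comment a blocklist carries
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            result["malformed"].append(raw.strip())
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified  # 127.0.0.1, ::1 or 0.0.0.0
        for name in parts[1:]:
            name = name.lower()
            if name == "localhost":
                continue
            if not sinkhole:
                # A real address: the name now resolves to a server the user did not pick.
                result["redirect"].append(f"{name} -> {addr}")
            elif is_protected(name):
                result["blocks_protected"].append(name)
            else:
                result["blocklist"].append(name)
    return result


def hosts_verdict(text: str) -> str:
    """One-word summary: a pure blocklist is fine; a redirect or blocked update host is not."""
    r = classify_hosts(text)
    if r["redirect"] or r["blocks_protected"] or r["malformed"]:
        return "suspicious"
    return "blocklist"


if __name__ == "__main__":
    summary = classify_hosts(SAMPLE_HOSTS)
    for category, names in summary.items():
        print(f"{category}: {len(names)}")
        for n in names:
            print("   ", n)
    print("verdict:", hosts_verdict(SAMPLE_HOSTS))
```

Read the real file from %SystemRoot%\system32\drivers\etc\hosts and pass its contents to classify_hosts(). Thousands of blocklist entries produce no finding; a single redirect or a loopback entry for an update host does, which is the distinction a scanner's raw count of O1 lines does not make.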

pskelley
2006-03-16, 15:56
Fine...finish the balance of the instructions then.

Thanks.

Wastegate
2006-03-16, 16:56
Thank you so much; I've been trying to do this myself for days, reading other people's posts.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:19:48 AM, 3/16/2006
+ Report-Checksum: EDBDA731

+ Scan result:

HKU\S-1-5-21-3655164398-3215379558-3210885996-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE70731D-F28D-4D81-9D61-C8EE60378401} -> Adware.Virtumonde : Cleaned with backup
C:\HJT\backups\backup-20060313-143926-502.dll -> Adware.Virtumonde : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:53:36 AM, on 3/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\macromed\flash\GetFlash.exe
C:\HJT\HijackThis.exe

O1 - Hosts: .elwisp.com
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .elwisp.com
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: 127.0.0.
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: om]
O1 - Hosts: .com]
O1 - Hosts: 127.0.0.
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: 127
O1 - Hosts: m
O1 - Hosts: 127
O1 - Hosts: 0.1 www.tbcode.com #[HJTH.Win32.IstBar.hg]
O1 - Hosts: om]
O1 - Hosts: .com]
O1 - Hosts: 127.0.0.
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: sexswap2.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: 127
O1 - Hosts: m
O1 - Hosts: 127
O1 - Hosts: 0.1 www.tbcode.com #[HJTH.Win32.IstBar.hg]
O1 - Hosts: om]
O1 - Hosts: .com]
O1 - Hosts: 127.0.0.
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: sing.gammae.com
O1 - Hosts: om #[AVG.Dialer.JT]
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: cgi.sexswap.com
O1 - Hosts: sexswap2.com
O1 - Hosts: he.sidefind.com #[McAfee.Adware-ISTbar.dldr]
O1 - Hosts: 127
O1 - Hosts: m
O1 - Hosts: 127
O1 - Hosts: 0.1 www.tbcode.com #[HJTH.Win32.IstBar.hg]
O1 - Hosts: om]
O1 - Hosts: .com]
O1 - Hosts: 127.0.0.
O1 - Hosts: .com
O1 - Hosts: 1 www.albiondrugs.com
O1 - Hosts: ire.online-more.com #[Dialer.Win32.PlayGames.a]
O1 - Hosts: www.internetpeace.com #[eTrust.Free Popup Killer]
O1 - Hosts: .wegcash.com #[SunBelt.WegCash.com]
O1 - Hosts: .1 clickcash.webpower.com #[IE-SpyAd]
O1 - Hosts: .elwisp.com
O1 - Hosts: iz #[WMF-exploit]
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Wastegate
2006-03-16, 17:42
I spoke too soon. Those registry lines still show up in Spybot.

--- Search result list ---
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

pskelley
2006-03-16, 18:37
That appears to be a glitch in Spybot, do you have the 3/10/2006 detection updates?

Let's do this:
Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted!
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by double-clicking it and then double-click the
ren-cmdservice.bat file to run the program.
A text file will open when it is finished; please post it.
Then restart the PC, run Spybot, and check for and fix any problems found.


Your HJT log appears to be clean, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

PURGE SYSTEM RESTORE
When you are completely finished with the removal procedure and are satisfied that the threat has been removed follow these instructions:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

Let me know if that takes care of your problem, Thanks.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Wastegate
2006-03-16, 19:03
Looks like that failed too.


Running from C:\Documents and Settings\Compaq_Owner\Desktop\ren-cmdservice
No Image Path Listed in Registry

Original perms.

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\cmdservice:
Read NT AUTHORITY\INTERACTIVE
Full access BUILTIN\Administrators


-----------------
Adjusted permisions

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\cmdservice:
Full access BUILTIN\Administrators
Full access NT AUTHORITY\INTERACTIVE
Read BUILTIN\Users
Full access NT AUTHORITY\SYSTEM


-----------------
Deleting cmdservie key
[SWSC] DeleteService FAIL
Delete Network Monitor if present
[SWSC] DeleteService FAIL
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
A Backup made was made, bakhive
Finised, Post the logit.txt then restart your PC please
ren-cmdservice.bat edited 2-4-2006
-----------------

Wastegate
2006-03-16, 19:10
Sorry. Figured that "FAIL" in the log means it didn't work, but Spybot did not detect it.

Thank You so much for your time.

LonnyRJones
2006-03-20, 20:31
Wastegate
How's that PC acting now?

tashi
2006-03-25, 22:19
Due to lack of a response this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.