Command Service infection on another computer

davebihl

New member
When I ran Spybot today, it found a bunch of stuff, but it couldn't remove Command Service (3 instances). Here is the online scan log, HJT log, and Spybot log from safe mode.
 
Command Service infection on another computer

I had Command Service on another computer as well, but this is a different computer from the last infection.

Logfile of HijackThis v1.99.1
Scan saved at 10:01:57 PM, on 7/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\internat.exe
E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\olrlj.exe
F2 - REG:system.ini: UserInit=userinit.exe,yhypthl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39f4e304-b7b4-4692-988c-4c19fe944d3e} - C:\WINNT\system32\RICTUB.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Windows update config] svhost.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINNT\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Compiler Pack] DSDEV.EXE
O4 - HKLM\..\Run: [HPWNTOOLBOX] C:\Program Files\Hewlett-Packard\hp business inkjet 1200 series\Toolbox\HPWNTBX.exe "-i"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\NASDAK\OmniMouse Driver\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\xcbhjc.exe reg_run
O4 - HKLM\..\Run: [sys09131268872] C:\WINNT\sys09131268872.exe
O4 - HKLM\..\Run: [ms03268872131] C:\WINNT\ms03268872131.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Windows update config] svhost.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [Windows update config] svhost.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Creative Detector] "E:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Documents and Settings\David S. Bihl\Application Data\ROXIO\PhotoSuite4\Temp\ROXIO00000.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} -
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/assets/activexplayer/SMALStreaming.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137122281750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} - http://gpstool.globaladserver.com/v30/gpstool.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} -
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: RICTUB - RICTUB.dll (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Thanks.
 
Command Service infection on another computer

Oops...I guess I wasn't supposed to attach the log file. Here it is:

Incident Status Location

Spyware:Spyware/New.net Not disinfected C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL
Adware:Adware/Qoologic Not disinfected c:\winnt\system32\xcbhjc.exe
Adware:Adware/QoolAid Not disinfected C:\WINNT\system32\dmonwv.dll
Adware:Adware/Qoologic Not disinfected C:\WINNT\system32\ejbhakw.dll
Spyware:Spyware/New.net Not disinfected C:\Program Files\NewDotNet\newdotnet7_22.dll
Virus:Trj/Conhook.O Disinfected Operating system
Spyware:spyware/new.net Not disinfected c:\program files\newdotnet\newdotnet7_22.dll
Adware:adware/elitebar Not disinfected c:\winnt\downloaded program files\OSD149F.OSD
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\winnt\downloaded program files\UWA6P_0001_N822M1605NetInstaller.exe
Adware:adware/ieplugin Not disinfected c:\winnt\kwv2.dat
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\David S. Bihl\Application Data\Lycos
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/beginto Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Adware:Adware/Trymedia Not disinfected C:\Downloads\GoldMinerSetup-dm[1].exe
Adware:Adware/Qoologic Not disinfected C:\WINNT\SYSTEM32\daqku.dat
Virus:Trj/Dropper.UH Disinfected C:\WINNT\SYSTEM32\geedc.exe
Virus:Trj/Conhook.O Disinfected C:\WINNT\SYSTEM32\RICTUB.dll
Adware:Adware/WUpd Not disinfected C:\WINNT\Downloaded Program Files\DeskAdX.dll
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINNT\Downloaded Program Files\installer_MARKETING48x.exe[installer_MARKETING48.exe]
Virus:Trj/Agent.CAV Disinfected C:\WINNT\Downloaded Program Files\miniclipGameLoader.dll
Spyware:Spyware/Media-motor Not disinfected C:\WINNT\thiselt.exe
Adware:Adware/Qoologic Not disinfected C:\WINNT\unwn.exe
Adware:Adware/DigInk Not disinfected C:\WINNT\uni_ehhh.exe
Adware:Adware/DigInk Not disinfected C:\WINNT\unin101.exe
Adware:Adware/MediaTickets Not disinfected C:\WINNT\YOINSI.exe
Adware:Adware/ISearch Not disinfected C:\WINNT\idlemg.exe
Virus:Trj/Downloader.JHC Disinfected C:\WINNT\sys021268872132006.exe
Adware:Adware/ConsumerAlertSystem Not disinfected C:\WINNT\pf78.exe
Adware:Adware/DigInk Not disinfected C:\WINNT\Tagasuarus2.exe
Adware:Adware/CommAd Not disinfected C:\WINNT\RGF2aWQgUy4gQmlobA\l3IZuqk0oVb0kA5CvE.vbs
Spyware:Spyware/New.net Not disinfected C:\WINNT\NDNuninstall7_22.exe
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\David S. Bihl\Local Settings\Temp\iinstall.exe
Virus:Trj/Clicker.QE Not disinfected C:\Documents and Settings\David S. Bihl\Local Settings\Temp\webhclick.exe[svchostsys.exe]
Virus:Trj/Clicker.QE Not disinfected C:\Documents and Settings\David S. Bihl\Local Settings\Temp\webhclick.exe[sysstall.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\David S. Bihl\Local Settings\Temp\webhclick.exe[webhc1.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\David S. Bihl\Local Settings\Temp\webhclick.exe[webhc1.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\David S. Bihl\Local Settings\Temp\webhclick.exe[webhc1.exe][whSurvey.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\David S. Bihl\Local Settings\Temp\webhclick.exe[webhc1.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\David S. Bihl\Local Settings\Temp\webhclick.exe[webhc1.exe][whiehlpr.dll]
 
Welcome Dave

Unless you're receiving help elsewhere, continue here.


Go to Start > Run and type in
C:\WINNT\unwn.exe

Choose uninstall, then do the same for this file:

C:\WINNT\NDNuninstall7_22.exe
-----------------------------
Download Pocket Killbox to the desktop (version 2.0.0.648)
http://www.downloads.subratam.org/KillBox.exe
If you already have Killbox, ensure it is the latest version.
Start Killbox, place a tick next to [x] Delete on reboot, and press the ALL Files button.
Copy this whole list into the Windows clipboard, all the bolded below.

c:\winnt\system32\xcbhjc.exe
C:\WINNT\system32\dmonwv.dll
C:\WINNT\system32\ejbhakw.dll
c:\winnt\downloaded program files\OSD149F.OSD
c:\winnt\downloaded program files\UWA6P_0001_N822M1605NetInstaller.exe
c:\winnt\kwv2.dat
C:\Downloads\GoldMinerSetup-dm[1].exe
C:\WINNT\SYSTEM32\daqku.dat
C:\WINNT\SYSTEM32\geedc.exe
C:\WINNT\SYSTEM32\RICTUB.dll
C:\WINNT\Downloaded Program Files\DeskAdX.dll
C:\WINNT\Downloaded Program Files\installer_MARKETING48x.exe[installer_MARKETING48.exe]
C:\WINNT\Downloaded Program Files\miniclipGameLoader.dll
C:\WINNT\thiselt.exe
C:\WINNT\unwn.exe
C:\WINNT\uni_ehhh.exe
C:\WINNT\unin101.exe
C:\WINNT\YOINSI.exe
C:\WINNT\idlemg.exe
C:\WINNT\sys021268872132006.exe
C:\WINNT\pf78.exe
C:\WINNT\Tagasuarus2.exe
C:\WINNT\NDNuninstall7_22.exe



Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say NO to the prompt to restart the pc.
Still in Killbox go tools > delete temp files then exit
-----------------------------


Start HijackThis and place a check next to these items, if there:
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\olrlj.exe
F2 - REG:system.ini: UserInit=userinit.exe,yhypthl.exe
O2 - BHO: (no name) - {39f4e304-b7b4-4692-988c-4c19fe944d3e} - C:\WINNT\system32\RICTUB.dll (file missing)
O4 - HKLM\..\Run: [Windows update config] svhost.exe
O4 - HKLM\..\Run: [Microsoft Compiler Pack] DSDEV.EXE
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\xcbhjc.exe reg_run
O4 - HKLM\..\Run: [sys09131268872] C:\WINNT\sys09131268872.exe
O4 - HKLM\..\Run: [ms03268872131] C:\WINNT\ms03268872131.exe
O4 - HKLM\..\RunServices: [Windows update config] svhost.exe
O4 - HKCU\..\Run: [Windows update config] svhost.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll

O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.mmohsix.com

O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} - http://gpstool.globaladserver.com/v30/gpstool.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} -
O20 - Winlogon Notify: RICTUB - RICTUB.dll (file missing)
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh hijackthis log please, be sure to mention any current problems.
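The entries Lonny picked out above are not random: each one matches a recognisable pattern in a HijackThis log (an F2 Shell/UserInit value that launches an extra program, a path-less Run entry one letter away from a real system process name, a hook whose file is already gone, a wildcard Trusted Zone entry, an ActiveX download whose host sits under that trusted domain). As an added illustration, not part of this thread and not code from HijackThis or its author, the Python below parses lines in the v1.99 log format quoted in this thread and applies those same checks mechanically, so a defender can triage a log before reading it line by line. The sample log is constructed (shortened from the entries above), and the system-name list and the allowlist of normal path-less Run entries are assumptions chosen for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.99.1 log format, modelled on the
# entries quoted in this thread (a subset; not a real scan).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\olrlj.exe
F2 - REG:system.ini: UserInit=userinit.exe,yhypthl.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {39f4e304-b7b4-4692-988c-4c19fe944d3e} - C:\WINNT\system32\RICTUB.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Windows update config] svhost.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\xcbhjc.exe reg_run
O4 - HKLM\..\Run: [sys09131268872] C:\WINNT\sys09131268872.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} -
O20 - Winlogon Notify: RICTUB - RICTUB.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Assumption: a small hand-picked list of process names that malware file
# names often imitate, used for the one-character-edit lookalike check.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "explorer.exe"}
# Assumption: path-less Run entries that are normal on Windows 2000.
BARE_ALLOWLIST = {"internat.exe", "mobsync.exe"}
# Expected single value of the two system.ini keys HijackThis reports as F2.
F2_EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def run_target(rest):
    """Return the executable launched by an O4 line (quoted path, first .exe token, or first word)."""
    m = re.search(r"\]\s*(.*)$", rest)
    cmd = m.group(1).strip() if m else ""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text):
    """Parse HJT entries and return [{'section', 'line', 'reasons'}] for entries worth a second look."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    # O15 wildcard domains are collected first so O16 download hosts can be cross-referenced.
    trusted = {rest.split(":", 1)[1].strip().lstrip("*.").lower() for sec, rest, _ in entries if sec == "O15"}
    findings = []
    for sec, rest, line in entries:
        reasons = []
        if "(file missing)" in rest:
            reasons.append("hook references a file that no longer exists (orphaned entry)")
        if sec == "R3" and "missing" in rest:
            reasons.append("default URLSearchHook has been removed")
        if sec == "F2":
            key, _, value = rest.partition("=")
            key = key.rsplit(" ", 1)[-1].lower()
            expected = F2_EXPECTED.get(key)
            parts = [p.strip() for p in value.split(",") if p.strip()]
            extras = [p for p in parts if p.split("\\")[-1].lower() != expected]
            if expected and extras:
                reasons.append(f"{key} launches extra program(s): {', '.join(extras)}")
        if sec == "O4":
            target = run_target(rest)
            base = target.split("\\")[-1].lower()
            label = re.search(r"\[([^\]]*)\]", rest)
            if label and label.group(1).lower().endswith(".dll"):
                reasons.append("Run item is labelled as a system DLL")
            if "\\" not in target and base not in BARE_ALLOWLIST:
                reasons.append(f"path-less Run target '{base}' is resolved via the search order")
            if "\\" in target and target.rsplit("\\", 1)[0].lower() in {"c:\\winnt", "c:\\windows"}:
                reasons.append("executable sits directly in the Windows directory")
            for sysname in SYSTEM_NAMES:
                if base != sysname and edit_distance(base, sysname) == 1:
                    reasons.append(f"'{base}' is one edit away from system name '{sysname}'")
        if sec == "O15":
            reasons.append("wildcard domain added to the IE Trusted Zone (relaxed security settings)")
        if sec == "O16":
            m = re.search(r"(https?://\S+)$", rest)
            if not m:
                reasons.append("ActiveX entry with no download URL (orphaned)")
            else:
                host = (urlparse(m.group(1)).hostname or "").lower()
                if any(host == d or host.endswith("." + d) for d in trusted):
                    reasons.append(f"download host '{host}' falls under a Trusted Zone entry")
        if reasons:
            findings.append({"section": sec, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

Run against the constructed sample, the script flags exactly the eleven entries a helper would pick out (the R3, both F2 lines, the two orphaned RICTUB hooks, the three suspicious O4 entries, the O15 zone, and both odd O16 entries) and leaves the Adobe BHO, vptray, internat.exe, the Yahoo! game control and the Symantec service alone. The Trusted Zone cross-reference is the check most worth keeping: an ActiveX control served from a domain the machine has been told to trust is the combination that lets more of this kind of software install silently.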
 
This topic is closed.

If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.

Thank you Lonny
 