Topguns
2006-08-19, 21:41
Hi All,
I've been having trouble for the last 2 days with my computer with different things. Firstly, there were a couple of new exes like "Project.exe" and others that got downloaded on my system, and then many advertising windows keep popping up every few seconds, which is very annoying. I was able to destroy many things using Spybot, but every time I run a scan it shows me new things, and especially it couldn't destroy "Command Service" because it's in memory. I'm posting the HijackThis export below and really hoping that someone can please help me to remove this malware from my system.
Thanks a lot.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\PROGRA~1\CA\SHARED~1\CAM\bin\cam.exe
C:\WINDOWS\QXV0aG9yaXplZCBVc2Vy\command.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\Program Files\Fiberlink\Extend360\ServiceMgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CA\SharedComponents\DTS\bin\tngdoba.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\Program Files\CA\SharedComponents\DTS\bin\tngdta.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\download\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\System32\SCTOOL~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O15 - Trusted Zone: http://horizon.cf.capital.ge.com
O15 - Trusted Zone: http://horizon.dev.cf.capital.ge.com
O15 - Trusted Zone: http://horizon.staging.cf.capital.ge.com
O15 - Trusted Zone: http://siebel.cef.capital.ge.com
O15 - Trusted Zone: http://siebel.eef.capital.ge.com
O15 - Trusted Zone: http://siebel.qa.cef.capital.ge.com
O15 - Trusted Zone: http://siebel.qa.vfs.capital.ge.com
O15 - Trusted Zone: http://siebel.vfs.capital.ge.com
O16 - DPF: {09C16DD4-6673-11D6-B6E8-0010B5C03831} (ctlIr0640.uctlIr0640) - http://gecars.corporate.ge.com/gecars30/ctlIr0640.CAB
O16 - DPF: {A0A47404-9CC9-11D6-A934-0050DA7B9119} (ActiveBar.ActiveBar2) - http://gecars.corporate.ge.com/gecars30/Activebar2.CAB
O16 - DPF: {CE713B6C-89D5-11D6-B29E-00B0D069BD3D} (ctlIR0420.UctlIR0420) - http://gecars.corporate.ge.com/gecars30/ctlIR0420.CAB
O16 - DPF: {D8BE4A48-212E-4FCE-8CFA-BCA156E3F315} (Ctlir0667.uctlir667) - http://gecars.corporate.ge.com/gecars30/ctlir0667.CAB
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = comfin.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = comfin.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = comfin.ge.com
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\fplq0335e.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Unicenter Message Queuing Server (CA-MessageQueuing) - Computer Associates International, Inc. - C:\PROGRA~1\CA\SHARED~1\CAM\bin\cam.exe
O23 - Service: CA-License Client (CA_LIC_CLNT) - Unknown owner - C:\WINDOWS\Lic98Rmt.exe
O23 - Service: CA-License Server (CA_LIC_SRVR) - Unknown owner - C:\WINDOWS\Lic98RmtD.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QXV0aG9yaXplZCBVc2Vy\command.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\RapApp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: rtvscan - Unknown owner - C:\WINDOWS\System32\rtvscan.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: Extend360 Agent (ServiceMgr) - Fiberlink Communications Corp. - C:\Program Files\Fiberlink\Extend360\ServiceMgr.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: DTS Browser (TNG-DOBA) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\DTS\bin\tngdoba.exe
O23 - Service: DTS Metrics Gatherer (TNG-DTMG) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\DTS\bin\tngdtmg.exe
O23 - Service: DTS Agent (TNG-DTS) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\DTS\bin\tngdta.exe