PDA

View Full Version : Malware problems cmdservice, about blank..


cassie
2006-08-26, 21:41
I am having numerous issues incluing popups and browser hijacking. Thank you for your help with this. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:40:45 PM, on 8/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\virus removal\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\hpono.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,skvryiy.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {47C530EA-AE23-A8D2-5CE2-864A368BAFCA} - C:\WINDOWS\System32\rjvyfvnk.dll (file missing)
O2 - BHO: (no name) - {4C1D1F2C-D5E8-DA15-9D78-AF98BB11F498} - C:\WINDOWS\System32\hlmk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DellCleanup] c:\DELL\WINCLEAN.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DellSupportOobeCheck] C:\Program Files\Dell\Support\bin\OOBECheckStart.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qwcbob] C:\WINDOWS\System32\qfxjod.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mtjdp] C:\WINDOWS\System32\qfxjod.exe reg_run
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {F4430FE8-2638-42e5-B849-800749B94EED} - (no file)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O21 - SSODL: Client Update - {718E3423-5C07-422E-8D3C-6BEDB0089FD1} - C:\WINDOWS\System32\sceers.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: KpvZuez - {30F08721-9A5A-2D8B-9CB3-1B12620E4662} - C:\WINDOWS\System32\qj.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
cassie
2006-08-26, 21:42
Here is my Panda Activescan:

Incident Status Location

Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for kill2me.zip\Kill2Me.exe
Adware:Adware/WinTools Not disinfected C:\Documents and Settings\...\Local Settings\Temp\~385562.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Guest\Cookies\guest@kmpads[2].txt
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\...\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\LocalService\Cookies\system@go[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Owner\Cookies\owner@kmpads[2].txt
Adware:Adware/BraveSentry Not disinfected C:\Documents and Settings\...\Application Data\Install.dat
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\...\Local Settings\Temp\1BB.tmp
Virus:Trj/Downloader.AFZ Disinfected C:\Documents and Settings\...\Local Settings\Temp\27.exe\27.exe
Adware:Adware/Midaddle Not disinfected C:\Documents and Settings\...\Local Settings\Temp\addit_cs.exe[clicks.dll]
Adware:Adware/Midaddle Not disinfected C:\Documents and Settings\...\Local Settings\Temp\addit_cs.exe[Updater.exe]
Adware:Adware/Midaddle Not disinfected C:\Documents and Settings\...\Local Settings\Temp\addit_cs.exe[WildWinTracker.exe]
Adware:Adware/Midaddle Not disinfected C:\Documents and Settings\...\Local Settings\Temp\B5.exe
Adware:Adware/BroadcastPC Not disinfected C:\Documents and Settings\...\Local Settings\Temp\bpc_inst_1006.exe[bcpc.exe]
Adware:Adware/BroadcastPC Not disinfected C:\Documents and Settings\...\Local Settings\Temp\bpc_inst_1006.exe[bcpc_c.exe]
Adware:Adware/BroadcastPC Not disinfected C:\Documents and Settings\...\Local Settings\Temp\bpc_inst_1006.exe[bcre_inst.exe]
Adware:Adware/BroadcastPC Not disinfected C:\Documents and Settings\...\Local Settings\Temp\bpc_inst_1006.exe[bcre_inst.exe][bcre.exe]
Adware:Adware/StatBlaster Not disinfected C:\Documents and Settings\...\Local Settings\Temp\dYSf.exe
Adware:Adware/Midaddle Not disinfected C:\Documents and Settings\...\Local Settings\Temp\Eby.exe
Adware:Adware/Midaddle Not disinfected C:\Documents and Settings\...\Local Settings\Temp\FnMEa.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\...\Local Settings\Temp\i2E.tmp
Virus:Trj/Sinowal.BS Disinfected C:\Documents and Settings\...\Local Settings\Temp\msn.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\...\Local Settings\Temp\ojalanpk.exe
Virus:Trj/Multidropper.QW Disinfected C:\Documents and Settings\...\Local Settings\Temp\RAZR.exe
Adware:Adware/DelFinMedia Not disinfected C:\Documents and Settings\...\Local Settings\Temp\rm05040901.Stub.exe
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\...\Local Settings\Temp\s2s8.5.exe[ExtractDLL.dll]
Spyware:Spyware/Media-motor Not disinfected C:\Documents and Settings\...\Local Settings\Temp\s4po.4.exe[nodeipproc.dll]
Spyware:Spyware/SafeSurf Not disinfected C:\Documents and Settings\...\Local Settings\Temp\sjc..exe[ExtractDLL.dll]
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\...\Local Settings\Temp\Temporary Internet Files\Content.IE5\WT2N05YR\eliteunstall[1].exe
Adware:Adware/Midaddle Not disinfected C:\Documents and Settings\...\Local Settings\Temp\th.exe
Virus:Trj/Bhotcher.A Disinfected C:\Documents and Settings\...\Local Settings\Temp\WBCM_Installer.exe
Adware:Adware/DollarRevenue Not disinfected C:\kybrdfg_7.exe
Adware:Adware/SAHAgent Not disinfected C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060204213103.zip[WINDOWS/downloaded program files/SAHUninstall_.exe]
Adware:Adware/PurityScan Not disinfected C:\Program Files\CA\eTrust PestPatrol\core\Quarantine\20060219214609.zip[WINDOWS/system32/hlmk.dll]
Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Common Files\{30F08720-09D7-1033-0128-030816020001}\services.dll
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\WINDOWS\Downloaded Program Files\UERS_0001_N68M1801NetInstaller.exe
Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N68M2301NetInstaller.exe
Potentially unwanted tool:application/winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N822M1605NetInstaller.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard1.dat
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\alg.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\fast.dll
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\UHJlZmVycmVkIEN1c3RvbWVy\oJL5tApVwAp4KHhYwalSvqpV.vbs
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\WINDOWS\WinFix.exe
pskelley
2006-08-30, 14:09
Welcome to the forum, sorry for the wait, logs are many and volunteers are few. If you still need help, let's start like this.

1) You have multiple trojans on board and I suggest you stay offline as much as possible, they will attract more.

2) My scanner is saying this item is a problem: c:\DELL\WINCLEAN.EXE and the bad guys will use a valid name to throw us off. Use one or more of these free online scans to find out if it is bad and post the results for me to view.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

3) Thanks to sUBs and any others who helped with this fix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.

Make sure the computer has been restarted and post the information I requested above, the combofix log and a new HJT log. Include any comments you think will help.

Thanks
cassie
2006-08-31, 02:45
Thank you for pointing me in the right direction ;) , unfortunately, since my last post I have had hardware issues with the PC in question. Can you please close the thread and I will repost at a later time. Thanks again for the help;)
pskelley
2006-08-31, 12:50
I am sorry to hear of your hardware issues:( If you need help I can direct you to several free forums that deal with hardware issues, let me know. I will post this information, it will help in the future.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

tashi:) can close this topic when time permits.

Thanks...pskelley
Safer Networking Forums
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
tashi
2006-09-05, 00:54
This topic has been archived.

Good luck. :)