CmdService - check my logs

Blame
2006-08-27, 12:51
Dear community

Could someone check my logs and tell me what to delete, can't get rid of cmdservice
Logfile of HijackThis v1.99.1
Scan saved at 11:48:01, on 27/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\Common Files\{8484AEC9-0BF0-1033-1202-03051220002c}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\AntiSpyware\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [cna949a5] RUNDLL32.EXE w20a86d8.dll,n 003949a20000000a20a86d8
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.brdatahost.com
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int6.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://82.3.250.209/cab/OCXChecker_6110.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.msngamecentre.co.uk/online2/MSN_INTL_UK/chuzzle/popcaploader_v6.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe

Thanks

pskelley
2006-08-28, 14:06
Welcome to the forum. You have a nasty infection called the Alcan worm and it would be wise if you stay offline as much as possible until you are clean, this junk will attract others. Let me know what program is finding commnd.exe. If it is Spybot it is locating leftovers in the registry left by a poor removal by another program (possibly Ad-aware?), we will deal with that issue before we are finished. It is important that you follow these directions carefully.

Thanks to Metallica and any others who helped with this fix.

1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://download.ewido.net/ewido-signatures-full-current.exe)

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: )" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the "Scriptline to execute" field click the folder icon and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido text report that you saved and a new HijackThis log. Please add any comments you think will help.

Thanks

Blame
2006-08-30, 11:44
Thanks for the info, will try it and get back. Here is some background information.

I used LimeWire to download a file, and against my basic rule I unzipped the downloaded file - should have heeded my own advice. This resulted in pop-up ads galore, and bloody LimeWire would not shut down; it kept getting restarted by (I think) CmdService. I also think it used LimeWire and its port settings to download more rubbish. I had to delete LimeWire, stop the Internet connection, and then took the following steps.

1) Decided it would be a good time to remove old programs and ruthlessly went through and removed old games etc.

2) Used Windows Defender under its Tools section to check what services were running and removed a lot of historical items, e.g. Nokia phone connections etc. This also would help reduce run times when I used the tools below.

3) Ran Windows Defender (full scan), it identified a number of items and removed them.

4) Ran Ad-Aware from Lavasoft and removed some more items.

5) By far the best, ran Spybot and it removed a large number of items but could not get rid of cmdService. Tried rebooting as recommended and it still could not be deleted.

Spent the last few days reading through the forum logs and someone mentioned CCleaner, which I downloaded last night, and it removed CmdService.

However I am still getting pop-up ads and my gaming sessions keep getting minimised. So there appears to be some other infection. So will follow your instructions to resolve this malware, adware?

Will get back to you. Thanks

pskelley
2006-08-30, 12:21
Thanks for the feedback, here is a little information about Alcan, it does indeed spread via file sharing:

http://vil.nai.com/vil/content/v_133690.htm
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=Alcan+worm

http://pcpitstop.com/spycheck/p2p.asp
http://pcpitstop.com/spycheck/badtorrent.asp

Thanks

Blame
2006-08-31, 10:02
pskelley

Ran Ewido and other applications as directed, there still is a problem.

Once Ewido had completed its scan (2.5 hrs) it listed some 10,854 items. It informed me that it could not isolate a game.zip file and asked me if I wanted to quarantine it and its folder, which I said yes to.

When all steps were taken I rebooted the PC and went back in to run the HijackThis log. I noticed that the response times were very poor. Did Alt, Ctrl and Delete to check if any processes were running but none were running. Yet the PC was sluggish and it was doing something. I suspect something was being replicated.

Anyway did the HijackThis log, but also decided to try the Ewido quick registry scan and it found another item. Did a quick system scan and it found 5 items. So something is amiss.

Went back into safe mode and could not run Ewido, it failed to display its main menu. When I shut down the PC it ended the Ewido programme.

I did notice that someone at home downloaded LimeWire and I have deleted it again.

regards
********************************************************
Logfile of HijackThis v1.99.1
Scan saved at 06:24:43, on 31/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\wuauclt.exe
C:\AntiSpyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cna949a5] RUNDLL32.EXE w20a86d8.dll,n 003949a20000000a20a86d8
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.brdatahost.com
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int6.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://82.3.250.209/cab/OCXChecker_6110.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.msngamecentre.co.uk/online2/MSN_INTL_UK/chuzzle/popcaploader_v6.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe

pskelley
2006-08-31, 12:17
Looking over your feedback first, then I will continue with the cleanup. Show the user who thinks LimeWire is cool this information:
http://www3.ca.com/securityadvisor/pest/Pest.aspx?id=453088059
I would not have the junk on any computer I own.

"Once Ewido had completed its scan (2.5 hrs) it listed some 10,854 items"
Not only did you have a badly infected computer, it seems it is loaded up with junk also. I will have to assume a vast majority of those items are cookies that you do not need to store on the computer. I do need to see that ewido scan result??? You may edit out all cookies, just be sure you deleted them. You may also edit out any reference to System Restore or System Information, we will be cleaning that area before we are done. Post the balance of the ewido report even if you need to split it.

"It informed me that it could not isolate a game.zip file and asked me if I wanted to quarantine it and its folder which I said yes."
That is fine, if for some reason the file was valid and needed for a valid game you can restore it from quarantine. This happens rarely.

The PC is going to be a little sluggish until we get all of this junk off it. The stuff does not come off as easily as it gets on.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Spyware programs will block the changes we must make, turn them off until you are done:
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

First disable Ewido, as it might be trying to interfere...
Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'

4) You are running a rogue spyware product, see this list:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [cna949a5] RUNDLL32.EXE w20a86d8.dll,n 003949a20000000a20a86d8
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
rogue product
O15 - Trusted Zone: *.brdatahost.com
(above? if you know it is safe you can leave it)
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int6.exe
Dialer.Trafficadvance
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
7AdPower Dialer
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.msngamecentre.co.uk/onlin...ploader_v6.cab
ADW_POP.A

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\SpywareBot\ <<< delete that folder

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the ewido scan results missed earlier and a new HJT log. Include any comments you think will help.

Thanks
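As an added example (not part of this thread, and not a HijackThis feature or the helper's own tool), a small Python triage script that parses HijackThis v1.99 line items and applies the same checks the reply above makes by eye: a missing URLSearchHook, orphaned O3/O9 entries, O4 autostarts that run rundll32 with an unpathed DLL or launch a bare filename, random-looking Run value names, O15 Trusted Zone additions, and O16 DPF downloads served from a bare IP address, pointing at an .exe, or named as a dialer. The sample lines are constructed from entries quoted in this thread; a flagged entry is a candidate to check against a known-good list, not a verdict.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log: line items modelled on the HijackThis logs quoted
# in this thread. One benign Run entry and one benign DPF entry are included
# so the checks can be seen to leave legitimate entries alone.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cna949a5] RUNDLL32.EXE w20a86d8.dll,n 003949a20000000a20a86d8
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O15 - Trusted Zone: *.brdatahost.com
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int6.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt01.com/dialer/internazionale_ver11.CAB
"""

# "O4 - HKLM\..\Run: [name] command" style items; R/F/O sections share one layout.
ITEM_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O4"
    line: str    # the full log line
    reason: str  # why it deserves a look


def parse_items(log_text: str) -> list[tuple[str, str, str]]:
    """Return (kind, body, full_line) for every 'Rn/Fn/On - ...' line item."""
    items = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group("kind"), m.group("body"), line))
    return items


def looks_random(name: str) -> bool:
    """Value names such as 'cna949a5': letters and digits jumbled, no spaces."""
    s = name.lower()
    return (len(s) >= 6 and s.isalnum()
            and any(c.isdigit() for c in s) and any(c.isalpha() for c in s))


def triage(log_text: str) -> list[Finding]:
    """Apply the review checks to every item; one Finding per reason found."""
    findings: list[Finding] = []
    for kind, body, line in parse_items(log_text):
        reasons: list[str] = []
        if kind == "R3" and "is missing" in body:
            reasons.append("URLSearchHook entry is missing (leftover of a removed hook)")
        elif kind in ("O3", "O9") and ("(no file)" in body or "(file missing)" in body):
            reasons.append("entry points at a file that no longer exists (orphaned after a removal)")
        elif kind == "O4":
            m = O4_RE.match(body)
            if m:  # 'Global Startup:' items use a different layout and are skipped
                name, cmd = m.group("name"), m.group("cmd")
                if cmd.lower().startswith("rundll32") and "\\" not in cmd:
                    reasons.append("rundll32 loads a DLL given without a path")
                elif "\\" not in cmd:
                    reasons.append("autostart launches a bare filename rather than a full path")
                if looks_random(name):
                    reasons.append(f"random-looking value name '{name}'")
        elif kind == "O15":
            reasons.append("adds a site to the IE Trusted Zone; keep only if you know it is safe")
        elif kind == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            parts = urlsplit(url)
            path = parts.path.lower()
            if IPV4_RE.match(parts.hostname or ""):
                reasons.append("ActiveX download served from a bare IP address")
            if path.endswith(".exe"):
                reasons.append("DPF entry points straight at an .exe rather than a .cab")
            if "dialer" in path:
                reasons.append("download path names a dialer")
        findings.extend(Finding(kind, line, r) for r in reasons)
    return findings


def flagged_lines(findings: list[Finding]) -> list[str]:
    """Unique flagged log lines, in log order."""
    seen: list[str] = []
    for f in findings:
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```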

Blame
2006-09-01, 22:01
Here are the logs. Unable to find the SpywareBot file to delete as requested. Followed instructions and did all the rest.

Ewido scan too long, have shortened it, could not attach it.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:36:38 01/09/2006

+ Scan result:
.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virgin Radio 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\VirtFire 1.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\VirtGuard 2.02.04.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virticon Millennium 1.05.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtins Pocket Instrument 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtins Pocket Oscilloscope 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtins Pocket Signal Generator 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtins Pocket Spectrum Analyzer 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtins Sound Card Instrument 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtins Sound Card Oscilloscope 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtins Sound Card Signal Generator 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtins Sound Card Spectrum Analyzer 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtos Noise Wizard 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtua Fighter 2 demo .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtua Fighter PC demo .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtua Squad 2 demo .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtua Tennis demo .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtua Tennis rar.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\VirtuaDisk 1.5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\VirtuaRAID Manager 2.3.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\VirtuaReminder 1.060.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Administrator 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Album - Photo Album Software 3.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Album Maker Standard 1.31.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Art Gallery USA Vol.1 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Audio Cable 3.10.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Ball Fighter SE 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Battle Field 1 Desert Wars Demo 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Bingo and Random Number Generator 4.0.2223.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Body Guards 1.1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual C.R.O. 2.0.3.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual CD 8.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual CD Manager 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Cigarette 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Cover Creator 2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual DJ 3.4.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual DJ Studio 4.4.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual DVD Shelf 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Desk 1.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Desktop Toolbox 2.72.4.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Domain Name Services 2.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Drive Creator 2.0.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Drum 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Dumpster Diver Pro 2.0.23.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Earth - Bus Tracker 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Edit 1.25.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Encrypted Disk 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Engine Calculator 2.20.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Fader Master 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Fashion MakeUp 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Fashion Professional 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Figure Drawing Studio 2.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual FireworX Screensaver 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Flash Drive 2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual FlashCards 2.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Gallery Sandra Bullock v1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Grand Prix 2 1.5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Horse Racing Game 2.14.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Hymnal 2.01.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Image Printer 2000 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Impact 1.15.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Intelligence Matrix 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Juggler 3d Gold 2.5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Keyboard 1.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Keyboard Assistant 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Layout Artist 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Library 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Marbles 1.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Messenger 2.0.2.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Midi Controller 1.0.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Modem 1.5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Morse Key 2.5.39.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Music 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Music Jukebox 7.2.4.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Network Computing 3.3.7.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Null Modem 2.0.1 Build 5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Organizer 2.0.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Original CD Drive Emulator 2.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual PDF Printer 1.01.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Painter 5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Pool 3 demo 3.2.1.7.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Pool Windows 95 demo .zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Port Monitor 4.0x.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Print Engine Professional Edition 3.20.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Printer Driver for Windows 2000 1.0.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual RC Racing demo 3.2.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.



Part of the scan results. System is still replicating. Help

pskelley
2006-09-01, 22:19
Copy and paste your logs as in the pinned (sticky) instructions. Do not attach them. I need to see that HJT log.

Read all instructions before you start, you have optional things to think about.
Now let's talk about ewido. Look at the scan results, you have infected files here:
C:\Documents and Settings\Lobo\Complete\Virgin Radio 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
and on down through all of those scan results files.

You will have to do this, I have no tool that will do it for you. ewido can't as you can see.

The only thing I can think of is to go here and manually delete the infected files:
C:\Documents and Settings\ <<< Leave this alone
Lobo\ <<< this is probably yours, look to see what is in it.
Complete\ <<< same, you will probably be deleting all files in these folders
Virgin Radio 1.1.zip/ <<< I would delete this
Setup.exe <<< and this.

What it appears to me is that something has infected these files and ewido calls it: Worm.VB.dw
You will have to clean out the junk, once it is gone then you should be able to run ewido. If you believe this is an error that ewido is making and the files are not bad, then edit that stuff out of the log before posting it.
If you want to check files to make sure they are infected, here are free online tools:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

Once you get rid of that infected junk, then post the ewido scan results and HJT log, copy/pasted.

Thanks
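
The manual cleanup described in the reply above gets easier if the scan report is first summarised by folder. The following is an added example for this thread, not part of ewido or HijackThis; it assumes the report line format seen in the thread (`<path>[/<archive member>] -> <detection> : <status>.`) and uses a few lines copied from the posted report as constructed sample input.

```python
"""Summarise an ewido-style scan report so a manual cleanup can be planned.

Added example for this thread; it is not part of ewido or HijackThis.
It assumes the report line format seen in the thread:
    <on-disk path>[/<archive member>] -> <detection> : <status>.
A "/" inside the path separates a .zip on disk from the file inside it,
so the thing that has to be deleted is the part before the "/".
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Sample input: report lines copied from the thread plus the
# "Nothing found." line a clean run produces.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Lobo\Complete\Virtual Drum 1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virtual Modem 1.5.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
C:\Documents and Settings\Lobo\Complete\Virgin Radio 1.1.zip/Setup.exe -> Worm.VB.dw : Error during cleaning.
Nothing found.
"""

LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<status>.+?)\.?$")


class Finding(NamedTuple):
    container: str   # file that exists on disk (the .zip, or a plain file)
    member: str      # file inside the archive, or "" for a plain file
    detection: str   # scanner's detection name, e.g. Worm.VB.dw
    status: str      # what the scanner did, e.g. "Error during cleaning"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; headers, blanks and 'Nothing found.' give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # Windows paths use backslashes, so a forward slash only appears as the
    # archive/member separator the scanner inserts.
    container, _, member = path.partition("/")
    return Finding(container, member, m.group("detection").strip(),
                   m.group("status").strip().rstrip("."))


def folder_of(path: str) -> str:
    """Directory part of a Windows path."""
    return path.rsplit("\\", 1)[0]


def group_by_folder(report_text: str) -> Dict[str, List[Finding]]:
    """Map each folder to the findings inside it, in report order."""
    groups: Dict[str, List[Finding]] = defaultdict(list)
    for line in report_text.splitlines():
        finding = parse_line(line)
        if finding is not None:
            groups[folder_of(finding.container)].append(finding)
    return dict(groups)


def uncleaned_files(report_text: str) -> List[str]:
    """On-disk files the scanner reported but could not clean: these need manual removal."""
    return sorted({f.container
                   for findings in group_by_folder(report_text).values()
                   for f in findings
                   if f.status.lower().startswith("error")})


if __name__ == "__main__":
    for folder, findings in group_by_folder(SAMPLE_REPORT).items():
        names = sorted({f.detection for f in findings})
        print(f"{folder}: {len(findings)} finding(s), detections {names}")
    for path in uncleaned_files(SAMPLE_REPORT):
        print("needs manual removal:", path)
```

Run against the full pasted report, `group_by_folder` shows at a glance which folders hold the flagged archives (here a single folder under the user's profile), and `uncleaned_files` lists the on-disk archives the scanner gave up on, which is the list to work through by hand.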

Blame
2006-09-03, 12:23
Pskelley

Think the problem is solved, ran ewido a few times and it got rid of Worm.VB.dw. See attached logs. There is one problem left. When I start the PC it seems to be doing something and all actions are delayed and response is sluggish. Could it be the virus/adware checkers running on start up? As I write I have clicked on ewido to start but no response. It kicks in some 45 minutes later. Have looked in Defender under tools to see what autostart programs kick in but can't see anything. As I write ewido has come up and the PC seems faster (45 minutes). Any ideas?

***************************************************
Logfile of HijackThis v1.99.1
Scan saved at 11:14:37, on 03/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\AntiSpyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://82.3.250.209/cab/OCXChecker_6110.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe

********************************************************
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:45:54 03/09/2006

+ Scan result:



Nothing found.



::Report end

****************************************************

pskelley
2006-09-03, 14:32
Thanks for the feedback, the HJT log looks to be clean, as was ewido. Do you know what this is?
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http:///cab/OCXChecker_6110.cab
I just checked and it tracks back to this:
http://whois.domaintools.com/82.3.250.209
so it is probably not a problem.

During the trial, ewido gives you realtime protection and it might slow you a little, but it should be nothing like that. Let's look at a couple of possibilities.

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

2) Let's check for rootkit infections, download BlackLight from here:
https://europe.f-secure.com/blacklight/try.shtml
run the scan only and post it for me.

3) Any error messages at all?

Thanks
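
The O16 entry queried in the reply above is the kind of line worth pulling out of an HJT log automatically. The following is an added example for this thread, not part of HijackThis; it parses the O16 (DPF / ActiveX download) lines, assuming the format seen in the log above (`O16 - DPF: {CLSID} (Control name) - URL`, with the name sometimes absent), and attaches review notes for the cases the helper checked by hand: a download host that is a bare IP address, a host missing from the pasted line, and a control with no name. The sample lines are copied from the log in the thread.

```python
"""Triage the O16 (DPF / ActiveX download) lines of a HijackThis log.

Added example for this thread; it is not part of HijackThis and does not
decide whether a control is malicious. It lists each O16 entry with review
notes so a human knows which ones to look up first.
Line format assumed from the log in the thread:
    O16 - DPF: {CLSID} (Control name) - URL      (the "(name)" part may be absent)
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlparse

# Sample input: lines copied from the log above, plus one non-O16 line
# to show that other sections are ignored.
SAMPLE_LOG = r"""
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://82.3.250.209/cab/OCXChecker_6110.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,84/mcinsctl.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""

O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})"   # {CLSID}
    r"(?: \((?P<name>[^)]*)\))?"                   # optional "(Control name)"
    r" - (?P<url>\S+)$"                            # download URL
)


class DpfEntry(NamedTuple):
    clsid: str
    name: Optional[str]
    url: str
    notes: Tuple[str, ...]   # review notes; empty means nothing stood out


def url_notes(url: str) -> Tuple[str, ...]:
    """Review notes derived from the download URL alone."""
    host = urlparse(url).hostname or ""
    if not host:
        return ("URL has no host (redacted or malformed)",)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return ()            # ordinary domain name, nothing to note
    return ("host is a bare IP address, not a domain name",)


def parse_o16(line: str) -> Optional[DpfEntry]:
    """Parse one O16 line; any other HJT line returns None."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    notes = url_notes(m.group("url"))
    if name is None:
        notes += ("no control name recorded",)
    return DpfEntry(m.group("clsid"), name, m.group("url"), notes)


def scan(log_text: str) -> List[DpfEntry]:
    """All O16 entries in a log, in log order."""
    parsed = (parse_o16(line) for line in log_text.splitlines())
    return [e for e in parsed if e is not None]


def flagged(log_text: str) -> List[DpfEntry]:
    """Only the entries that carry at least one review note."""
    return [e for e in scan(log_text) if e.notes]


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        status = "; ".join(e.notes) if e.notes else "nothing stood out"
        print(f"{e.clsid} {e.name or '(no name)'} -> {e.url}\n    {status}")
```

A bare-IP host is only a prompt to look the address up, as the helper did with the whois link; the "no host" note covers lines like the one quoted in the reply, where the address was stripped when the log was pasted, so the entry cannot be checked from the post alone.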

Blame
2006-09-03, 21:54
Pskelley

Here is the log as requested from the HijackThis uninstaller

2Wire Gateway
ABBYY FineReader 5.0 Sprint Plus
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0.7
Beauty and the Beast Activity Centre
Broadcom Management Programs
Call of Duty
CCleaner (remove only)
Clue
CM 03-04
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Vision M
Dell Media Experience
Dell Solution Center
DirectX Media Runtime 5.1
Disney's Get Ready for School with Mickey
DivX
DivX Converter
DivX Player
DivX Web Player
EA SPORTS online 2005
ewido anti-spyware 4.0
Football Manager 2006
GameSpy Arcade
HijackThis 1.99.1
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Lexmark 5200 Series
Macromedia Flash Player 8
Macromedia Shockwave Player
Mega Bomberman
Microsoft Office Standard Edition 2003
Microsoft Office Visio Viewer 2003 (English)
Microsoft Office XP Professional with FrontPage
Microsoft Works 7.0
MSN Music Assistant
MSN Toolbar
MSXML 4.0 SP2 Parser and SDK
Native Instruments Sibelius Player
NBA LIVE 06
NBA LIVE 2005
PowerDVD 5.1
Princess Fashion Boutique II
Pro Evolution Soccer 5
QuickTime
rayman2
RealPlayer
Rugrats Go Wild
Rugrats(TM)
Scooby-Doo(TM), Showdown in Ghost Town(TM)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Shelly Club CD-ROM
Shrek 2 Activity Center
Sibelius 4
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
SpongeBob SquarePants - Battle for Bikini Bottom
SpongeBob SquarePants - The Movie
Spybot - Search & Destroy 1.4
Test For Success - English
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 University
The Sims Deluxe Edition
The Sims House Party
TrueMobile 1300 USB 2.0 WLAN
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Viewpoint Media Player
Westwood Shared Internet Components
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
Zoo Tycoon 2

**************************************************
Also ran BlackLight but it found no errors. Have checked Defender from Microsoft but it kicks in at 2:00 am.

pskelley
2006-09-03, 22:29
1) Decided it would be a good time to remove old programs and ruthlessly went through and removed old games etc.
Hard to believe you still have all that junk, another of the experts had this to say:

He did mention that he went through and deleted a ton of programs, maybe he didn't uninstall a few correctly and parts are still hanging on. Seems it is never as easy to get the stuff out as it is to get it in!!
I will mention this stuff as it occurs to me and you can do with it what you wish:

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Hackers use script to infect you and they use these old programs to do it. You want to keep Java (and all programs that can't be updated) current.
Uninstall those.
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06

Read this:
Viewpoint Media Player <<< installed by AOL without your knowledge
http://www.clickz.com/news/article.php/3561546
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
I would get that junk off your computer.

Have checked Defender from Microsoft but it kicks in at 2:00 am.
What are you saying here?

I suggest you take a hard look at what you have installed, if you don't know them or no longer use them, uninstall them.

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray
If the Java scheduler is not working, you might as well turn it off in MSConfig. The Sonic update manager also, both are started at every boot and they are sure not needed every time.

ewido is a trial, turn it off, you still get to keep the scanner with update and can start the program manually whenever you wish.

Since you pulled stuff from the hard drive, as referenced in your quote above, you should give this machine a good maintenance. Run System File Checker to make sure no System Files are missing or corrupt:
http://www.updatexp.com/scannow-sfc.html Run CHKDSK and Defrag: http://www.bsu.edu/ucs/article/0,1370,6327-1987-4756,00.html
http://www.geekgirls.com/windows_defrag.htm

Here are other ideas that may help the computer to run better:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html
http://www.techbuilder.org/recipes/59201471

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Try these suggestions and let me know how they help, we appear to have removed all of the malware, let me know and I will ask tashi:) to close the topic.

Thanks

Blame
2006-09-03, 22:35
Will follow your instructions (tomorrow) and get rid of stuff not needed. I think the problem is ewido. I switched my PC and then restarted it. Did Alt Ctrl Delete and saw ewido running. I ended it and the system was ok. Is there an automatic scan at start up option?

pskelley
2006-09-03, 22:47
Is there an automatic scan at start up option?
There may be during the trial, but the installation directions do not include that.
Disable it in services: O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
Once it is turned off you should only see it in the log if you choose to start it from All Programs. I run my scanner once a month or so. Since I block all cookies (but necessary ones for passwords, banking, etc.) ewido rarely finds anything. Having the realtime protection at the same time as Windows Defender is a bit much and could cause conflicts.

Thanks

tashi
2006-09-10, 21:53
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.