View Full Version : Command Service Problem
To anyone who can help:
After running Spybot scans numerous times I am left only with the tricky Command Service in Red (3 entries). I followed the protocol of running Spybot in Safe and Command Service was the only thing left. This trojan leads to all other kinds of malware/adware to be added every time I go online. Here are my logs below (HijackThis and Panda virus scan respectively). Let me know if I need to include anything else. Thank you in advance for any help you can provide.
John
Logfile of HijackThis v1.99.1
Scan saved at 1:35:11 AM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\{4CDC2AC8-07CC-1033-1006-030516020001}\Update.exe
C:\PROGRA~1\COMMON~1\mrzz\mrzzm.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\COMMON~1\mrzz\mrzza.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\aljpr.exe
F2 - REG:system.ini: UserInit=userinit.exe,lhptddg.exe
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [nnfznum.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nnfznum.dll,apdzneb
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mrzz] C:\PROGRA~1\COMMON~1\mrzz\mrzzm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Panda Virus Scan:
Incident Status Location
Adware:Adware/Sqwire Not disinfected c:\progra~1\common~1\mrzz\mrzzm.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fxgmxhod.dll
Adware:Adware/Sqwire Not disinfected C:\PROGRA~1\COMMON~1\mrzz\mrzza.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{4CDC2AC8-07CC-1033-1006-030516020001}\Services.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{4CDC2AC8-07CC-1033-1006-030516020001}\Update.exe
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\pjrljfq.dll
Adware:Adware/UltimateDefender Not disinfected C:\WINDOWS\system32\winccf32.dll
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\John McElwee\Application Data\Registry Cleaner
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt[.go.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\John McElwee\Cookies\john mcelwee@drivecleaner[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\John McElwee\Cookies\john mcelwee@hitbox[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\John McElwee\Cookies\john mcelwee@stats.drivecleaner[2].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\John McElwee\Cookies\john mcelwee@targetsaver[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\John McElwee\Cookies\john mcelwee@www.drivecleaner[1].txt
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\mrzz\mrzza.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\mrzz\mrzzm.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{3CDC2AC8-07CC-1033-1006-030516020001}\Activate.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{3CDC2AC8-07CC-1033-1006-030516020001}\MyToolBar.dll
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3CDC2AC8-07CC-1033-1006-030516020001}\Uninst.exe
Spyware:Cookie/2o7 Not disinfected C:\Program Files\NetSpy Protector\quarantie\5-4-2006-4-32-20-AM\c94b764b-999a-4c6f-b6e5-b3566267497a.bak
Adware:Adware/CommAd Not disinfected C:\WINDOWS\Sm9obiBNY0Vsd2Vl\mA6Cv21hsXpPxZp5.vbs
Adware:Adware/QoolAid Not disinfected C:\WINDOWS\system32\dmonwv.dll_tobedeleted
Possible Virus. Not disinfected C:\WINDOWS\system32\iifdawv.dll
Adware:Adware/PornMagPass Not disinfected C:\WINDOWS\system32\ishost.exe_tobedeleted
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\ixt0.dll_tobedeleted
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\jrblvccr.exe
Virus:Trj/DNSChanger.MN Disinfected C:\WINDOWS\Temp\win6A.tmp.exe
Sorry for the wait, please see:
If you have waited FOUR days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)
Since it has been a few days, I decided to run the Vundo scan and fix to see if I've been infected by that also. I was able to remove all except for this one: C:\WINDOWS\system32\pmnnm.dll. The file is listed below along with a new HijackThis log and Panda virus scan. Not sure how much it differs from the first one, but it was requested to repost this after running the Vundo fix.
VundoFix V6.2.4
Checking Java version...
Java version is 1.4.2.6
Java version is 1.5.0.2
Java version is 1.5.0.4
Java version is 1.5.0.6
Java version is 1.5.0.8
Scan started at 1:51:08 PM 10/16/2006
Listing files found while scanning....
C:\WINDOWS\system32\nnfznum.dll
C:\WINDOWS\system32\ulpqbed.dll
C:\WINDOWS\system32\vdnegvxv.dll
C:\WINDOWS\system32\winccf32.dll
C:\WINDOWS\system32\jrblvccr.exe
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\mnnmp.tmp
Beginning removal...
Attempting to delete C:\WINDOWS\system32\nnfznum.dll
C:\WINDOWS\system32\nnfznum.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\ulpqbed.dll
C:\WINDOWS\system32\ulpqbed.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\vdnegvxv.dll
C:\WINDOWS\system32\vdnegvxv.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\winccf32.dll
C:\WINDOWS\system32\winccf32.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\jrblvccr.exe
C:\WINDOWS\system32\jrblvccr.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\mnnmp.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnnmp.tmp
C:\WINDOWS\system32\mnnmp.tmp Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\nnfznum.dll
C:\WINDOWS\system32\nnfznum.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ulpqbed.dll
C:\WINDOWS\system32\ulpqbed.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vdnegvxv.dll
C:\WINDOWS\system32\vdnegvxv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\winccf32.dll
C:\WINDOWS\system32\winccf32.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.2.4
Checking Java version...
Java version is 1.4.2.6
Java version is 1.5.0.2
Java version is 1.5.0.4
Java version is 1.5.0.6
Java version is 1.5.0.8
Scan started at 2:16:02 PM 10/16/2006
Listing files found while scanning....
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini2
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnnmp.ini2
C:\WINDOWS\system32\mnnmp.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.2.4
Checking Java version...
Java version is 1.4.2.6
Java version is 1.5.0.2
Java version is 1.5.0.4
Java version is 1.5.0.6
Java version is 1.5.0.8
Scan started at 2:49:29 PM 10/16/2006
Listing files found while scanning....
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\mnnmp.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 3:18:51 PM, on 10/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\COMMON~1\mrzz\mrzzm.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\COMMON~1\mrzz\mrzza.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\aljpr.exe
F2 - REG:system.ini: UserInit=userinit.exe,lhptddg.exe
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [nnfznum.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nnfznum.dll,apdzneb
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [mrzz] C:\PROGRA~1\COMMON~1\mrzz\mrzzm.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Incident Status Location
Adware:Adware/Sqwire Not disinfected c:\progra~1\common~1\mrzz\mrzzm.exe
Adware:Adware/Sqwire Not disinfected C:\PROGRA~1\COMMON~1\mrzz\mrzza.exe
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\pjrljfq.dll
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\John McElwee\Application Data\Registry Cleaner
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt[.go.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt[.atwola.com/]
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\mrzz\mrzza.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\mrzz\mrzzm.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{3CDC2AC8-07CC-1033-1006-030516020001}\Activate.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{3CDC2AC8-07CC-1033-1006-030516020001}\MyToolBar.dll
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3CDC2AC8-07CC-1033-1006-030516020001}\Uninst.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{4CDC2AC8-07CC-1033-1006-030516020001}\services.dll
Spyware:Cookie/2o7 Not disinfected C:\Program Files\NetSpy Protector\quarantie\5-4-2006-4-32-20-AM\c94b764b-999a-4c6f-b6e5-b3566267497a.bak
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\jrblvccr.exe.bad
Adware:Adware/UltimateDefender Not disinfected C:\VundoFix Backups\winccf32.dll.bad
Adware:Adware/CommAd Not disinfected C:\WINDOWS\Sm9obiBNY0Vsd2Vl\mA6Cv21hsXpPxZp5.vbs
Adware:Adware/QoolAid Not disinfected C:\WINDOWS\system32\dmonwv.dll_tobedeleted
Adware:Adware/PornMagPass Not disinfected C:\WINDOWS\system32\ishost.exe_tobedeleted
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\ixt0.dll_tobedeleted
Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\pahoe.dat
LonnyRJones
2006-10-17, 17:07
Hello
Start Hijackthis and place a check next to these items If there.
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [nnfznum.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nnfznum.dll,apdzneb
O4 - HKCU\..\Run: [mrzz] C:\PROGRA~1\COMMON~1\mrzz\mrzzm.exe
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next:
Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
Thanks for the help. I ran Hijackthis and removed the four files mentioned in your response. After restart, I ran the combofix and saved the log which is posted below. It appears that it removed qoologic virus, but not sure what else it removed. As for the command service, I ran Spybot again and it is still detecting the Command Service infection (3 entries). Not sure why it is still there, but I am posting a Hijackthis log, along with new Panda virus scan, in addition to the combofix log.
Online Panda Virus Scan:
Incident Status Location
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\John McElwee\Application Data\Registry Cleaner
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt[.go.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt[.atwola.com/]
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\mrzz\mrzza.exe
Adware:Adware/Sqwire Not disinfected C:\Program Files\Common Files\mrzz\mrzzm.exe
Spyware:Cookie/2o7 Not disinfected C:\Program Files\NetSpy Protector\quarantie\5-4-2006-4-32-20-AM\c94b764b-999a-4c6f-b6e5-b3566267497a.bak
Adware:Adware/Qoologic Not disinfected C:\QooBox\cjemy.exe.qoo
Adware:Adware/Qoologic Not disinfected C:\QooBox\jcrlsw.exe.qoo
Adware:Adware/Qoologic Not disinfected C:\QooBox\lhptddg.exe.qoo
Adware:Adware/Qoologic Not disinfected C:\QooBox\pahoe.dat.qoo
Adware:Adware/Qoologic Not disinfected C:\QooBox\pjrljfq.dll.qoo
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\jrblvccr.exe.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vdnegvxv.dll.bad
Adware:Adware/UltimateDefender Not disinfected C:\VundoFix Backups\winccf32.dll.bad
Adware:Adware/CommAd Not disinfected C:\WINDOWS\Sm9obiBNY0Vsd2Vl\mA6Cv21hsXpPxZp5.vbs
Adware:Adware/QoolAid Not disinfected C:\WINDOWS\system32\dmonwv.dll_tobedeleted
Adware:Adware/PornMagPass Not disinfected C:\WINDOWS\system32\ishost.exe_tobedeleted
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\ixt0.dll_tobedeleted
Logfile of HijackThis v1.99.1
Scan saved at 10:22:05 PM, on 10/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17C91709-8792-C695-91E6-059065FCB2E2} - C:\WINDOWS\system32\ulpqbed.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\vdnegvxv.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - (no file)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Combofix Scan:
John McElwee - 06-10-17 20:31:06.09 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Program Files\Mozilla Firefox"
((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))
* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *
O4 - HKCU\...\Run C:\WINDOWS\system32\jcrlsw.exe
O4 - HKLM\...\Run C:\WINDOWS\system32\jcrlsw.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\aljpr.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\lhptddg.exe
* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *
C:\WINDOWS\system32\jcrlsw.exe
C:\WINDOWS\system32\pjrljfq.dll
C:\WINDOWS\system32\lhptddg.exe
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\cjemy.exe
C:\WINDOWS\iwysj.dll
C:\WINDOWS\system32\pahoe.dat
C:\WINDOWS\system32\aljpr.exe
* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *
06-10-07 23:44 127488 cjemy.exe.qoo
06-10-07 23:44 127488 jcrlsw.exe.qoo
06-10-17 20:07 127488 pahoe.dat.qoo
06-10-07 23:44 51712 pjrljfq.dll.qoo
06-10-07 23:44 28672 aljpr.exe.qoo
06-10-14 16:26 23552 lhptddg.exe.qoo
06-10-14 14:25 325 iwysj.dll.qoo
06-10-07 23:44 52 vbwepe.dat.qoo
DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{3CDC2AC8-07CC-1033-1006-030516020001}
C:\Program Files\Common Files\{4CDC2AC8-07CC-1033-1006-030516020001}
((((((((((((((((((((((((((((((( Files Created from 2006-09-17 to 2006-10-17 ))))))))))))))))))))))))))))))))))
2006-10-16 00:13 208,896 --a--c--- C:\WINDOWS\system32\nvudisp.exe
2006-10-11 01:14 76,560 --a--c--- C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-19 19:22 77,824 --a--c--- C:\WINDOWS\system32\MagicTuneUser.exe
2006-09-18 14:11 778,240 --a--c--- C:\WINDOWS\system32\divx_xx0c.dll
2006-09-18 14:11 778,240 --a--c--- C:\WINDOWS\system32\divx_xx07.dll
2006-09-18 14:11 761,856 --a--c--- C:\WINDOWS\system32\divx_xx11.dll
2006-09-18 14:11 620,180 --a--c--- C:\WINDOWS\system32\DivX.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-17 20:34 -------- d----c--- C:\Program Files\Symantec AntiVirus
2006-10-17 20:31 -------- d----c--- C:\Program Files\Common Files
2006-10-17 20:30 -------- d----c--- C:\Program Files\Mozilla Firefox
2006-10-16 20:35 -------- d----c--- C:\Program Files\Java
2006-10-16 15:40 -------- d----c--- C:\Program Files\SpywareGuard
2006-10-16 15:37 -------- d----c--- C:\Program Files\Microsoft IntelliPoint
2006-10-16 15:34 -------- d----c--- C:\Program Files\iTunes
2006-10-16 15:34 -------- d----c--- C:\Program Files\Internet Explorer
2006-10-16 15:33 -------- d----c--- C:\Program Files\Common Files\Symantec Shared
2006-10-16 15:33 -------- d----c--- C:\Program Files\Common Files\mrzz
2006-10-14 14:32 -------- d--h-c--- C:\Program Files\InstallShield Installation Information
2006-10-14 14:19 -------- d----c--- C:\Program Files\SpywareBlaster
2006-10-09 21:18 -------- d----c--- C:\Program Files\Lavasoft
2006-10-09 21:18 -------- d-------- C:\Documents and Settings\John McElwee\Application Data\Lavasoft
2006-10-07 14:28 -------- d----c--- C:\Program Files\AdwareAlert
2006-10-07 13:11 -------- d----c--- C:\Program Files\uTorrent
2006-10-03 02:05 -------- d----c--- C:\Program Files\DivX
2006-10-03 02:04 -------- d-------- C:\Documents and Settings\John McElwee\Application Data\DivX
2006-10-03 01:20 -------- d----c--- C:\Program Files\MUSICMATCH
2006-10-03 01:20 -------- d-------- C:\Documents and Settings\John McElwee\Application Data\Musicmatch
2006-10-03 01:08 -------- d----c--- C:\Program Files\ETS
2006-10-02 23:05 -------- d----c--- C:\Program Files\iPod
2006-10-02 23:04 -------- d----c--- C:\Program Files\QuickTime
2006-10-02 23:03 -------- d----c--- C:\Program Files\Apple Software Update
2006-09-20 23:22 -------- d----c--- C:\Program Files\WinASO
2006-09-15 16:39 208896 --a--c--- C:\WINDOWS\system32\nvusmb.exe
2006-09-15 16:39 208896 --a--c--- C:\WINDOWS\system32\NVUNINST.EXE
2006-09-15 16:39 208896 --a--c--- C:\WINDOWS\system32\nvumctl.exe
2006-09-15 16:39 208896 --a--c--- C:\WINDOWS\system32\nvuide.exe
2006-09-15 16:39 208896 --a--c--- C:\WINDOWS\system32\nvugart.exe
2006-09-15 16:39 208896 --a--c--- C:\WINDOWS\system32\nvuenet.exe
2006-09-15 16:39 208896 --a--c--- C:\WINDOWS\system32\nvuaudio.exe
2006-09-13 20:53 -------- d----c--- C:\Program Files\AIM
2006-09-13 20:52 -------- d----c--- C:\Program Files\aod
2006-09-13 01:01 1084416 --a--c--- C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a--c--- C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a--c--- C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a--c--- C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 -----c--- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-17 23:38 336271 --a------ C:\Documents and Settings\John McElwee\Application Data\com.kennettnet.PodUtil.plist
2006-08-17 22:05 -------- d-------- C:\Documents and Settings\John McElwee\Application Data\Allume Systems
2006-08-16 07:58 100352 --a--c--- C:\WINDOWS\system32\6to4svc.dll
2006-08-11 21:45 888832 --a--c--- C:\WINDOWS\system32\nvmobls.dll
2006-08-11 21:45 581632 --a--c--- C:\WINDOWS\system32\nvhwvid.dll
2006-08-11 21:45 5611520 --a--c--- C:\WINDOWS\system32\nvdisps.dll
2006-08-11 21:45 5251072 --a--c--- C:\WINDOWS\system32\nvdispsr.dll
2006-08-11 21:45 458752 --a--c--- C:\WINDOWS\system32\nvmccssr.dll
2006-08-11 21:45 45056 --a--c--- C:\WINDOWS\system32\nvmccsrs.dll
2006-08-11 21:45 3039232 --a--c--- C:\WINDOWS\system32\nvgames.dll
2006-08-11 21:45 2953216 --a--c--- C:\WINDOWS\system32\nvvitvsr.dll
2006-08-11 21:45 2928640 --a--c--- C:\WINDOWS\system32\nvgamesr.dll
2006-08-11 21:45 2904064 --a--c--- C:\WINDOWS\system32\nvvitvs.dll
2006-08-11 21:45 2859008 --a--c--- C:\WINDOWS\system32\nvmoblsr.dll
2006-08-11 21:45 229376 --a--c--- C:\WINDOWS\system32\nvmccs.dll
2006-08-11 21:45 188416 --a--c--- C:\WINDOWS\system32\nvmccss.dll
2006-08-11 21:45 1732608 --a--c--- C:\WINDOWS\system32\nvwssr.dll
2006-08-11 21:45 1236992 --a--c--- C:\WINDOWS\system32\nvwss.dll
2006-08-11 21:44 147456 --a--c--- C:\WINDOWS\system32\nvcolor.exe
2006-08-11 21:43 86016 --a--c--- C:\WINDOWS\system32\nvmctray.dll
2006-08-11 21:43 81920 --a--c--- C:\WINDOWS\system32\nvwddi.dll
2006-08-11 21:43 794624 --a--c--- C:\WINDOWS\system32\nvcplui.exe
2006-08-11 21:43 7630848 --a--c--- C:\WINDOWS\system32\nvcpl.dll
2006-08-11 21:43 466944 --a--c--- C:\WINDOWS\system32\nvshell.dll
2006-08-11 21:43 442368 --a--c--- C:\WINDOWS\system32\nvappbar.exe
2006-08-11 21:43 425984 --a--c--- C:\WINDOWS\system32\keystone.exe
2006-08-11 21:43 311296 --a--c--- C:\WINDOWS\system32\nvexpbar.dll
2006-08-11 21:43 286720 --a--c--- C:\WINDOWS\system32\nvnt4cpl.dll
2006-08-11 21:43 196608 --a--c--- C:\WINDOWS\system32\nvapi.dll
2006-08-11 21:43 1662976 --a--c--- C:\WINDOWS\system32\nvwdmcpl.dll
2006-08-11 21:43 1519616 --a--c--- C:\WINDOWS\system32\nwiz.exe
2006-08-11 21:43 1470464 --a--c--- C:\WINDOWS\system32\nview.dll
2006-08-11 21:43 1339392 --a--c--- C:\WINDOWS\system32\nvdspsch.exe
2006-08-11 21:43 1019904 --a--c--- C:\WINDOWS\system32\nvwimg.dll
2006-08-11 21:43 1011712 --a--c--- C:\WINDOWS\system32\nvcpluir.dll
2006-08-11 21:42 5636096 --a--c--- C:\WINDOWS\system32\nvoglnt.dll
2006-08-11 21:42 4496128 --a--c--- C:\WINDOWS\system32\nv4_disp.dll
2006-08-11 21:42 35840 --a--c--- C:\WINDOWS\system32\nvcodins.dll
2006-08-11 21:42 35840 --a--c--- C:\WINDOWS\system32\nvcod.dll
2006-08-11 21:42 155715 --a--c--- C:\WINDOWS\system32\nvsvc32.exe
2006-08-11 13:35 520192 --a--c--- C:\WINDOWS\system32\DivXsm.exe
2006-08-11 13:35 3596288 --a--c--- C:\WINDOWS\system32\qt-dx331.dll
2006-08-11 13:35 200704 --a--c--- C:\WINDOWS\system32\ssldivx.dll
2006-08-11 13:35 1044480 --a--c--- C:\WINDOWS\system32\libdivx.dll
2006-08-11 13:31 73728 --a--c--- C:\WINDOWS\system32\dpl100.dll
2006-08-11 13:31 593920 --a--c--- C:\WINDOWS\system32\dpuGUI11.dll
2006-08-11 13:31 57344 --a--c--- C:\WINDOWS\system32\dpv11.dll
2006-08-11 13:31 53248 --a--c--- C:\WINDOWS\system32\dpuGUI10.dll
2006-08-11 13:31 344064 --a--c--- C:\WINDOWS\system32\dpus11.dll
2006-08-11 13:31 294912 --a--c--- C:\WINDOWS\system32\dpu11.dll
2006-08-11 13:31 294912 --a--c--- C:\WINDOWS\system32\dpu10.dll
2006-08-11 13:31 196608 --a--c--- C:\WINDOWS\system32\dtu100.dll
2006-08-11 13:31 12288 --a--c--- C:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-11 13:31 118784 --a--c--- C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-07-27 09:24 679424 --a--c--- C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a--c--- C:\WINDOWS\system32\hlink.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"NVMixerTray"="\"C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NVMixerTray.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20061017-201303-541
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
backup-20061017-201303-677
O4 - HKCU\..\Run: [mrzz] C:\PROGRA~1\COMMON~1\mrzz\mrzzm.exe
backup-20061017-201303-898
O4 - HKLM\..\Run: [nnfznum.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nnfznum.dll,apdzneb
backup-20061017-201303-512
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
Completion time: 06-10-17 20:34:41.93
C:\ComboFix.txt ... 06-10-17 20:34
LonnyRJones
2006-10-18, 06:21
Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {17C91709-8792-C695-91E6-059065FCB2E2} - C:\WINDOWS\system32\ulpqbed.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\vdnegvxv.dll (file missing)
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - (no file)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
====================================
Hit fix checked and close Hijackthis.
C:\Program Files\Common Files\mrzz < delete folder
C:\Program Files\AdwareAlert < uninstall program then delete folder
C:\WINDOWS\system32\MagicTuneUser.exe submit this file here and let us know results
http://www.virustotal.com/flash/index_en.html
Since you had a desktop hijack i suggest you fallow the instructions here to
http://forums.spybot.info/showthread.php?t=4015
Ok, I followed the last directions and deleted those files and folders. I also checked the one file (C:\WINDOWS\system32\MagicTuneUser.exe) in the virus-total scanner and it came back as non-infected. This is the name of samsung's monitor image software that comes with their monitors (my LCD monitor is a samsung).
After doing this and seeing that Command Service was still detected by Spybot, I decided to follow the directions in the link at the end of the message, being cautious to follow the directions as closely as possible. Below are the logs for
1.C:\rapport.txt (Smitfraud fix)
2.AVG Anti Spyware log
3.HJT log after the above two.
Smitfaud Log:
SmitFraudFix v2.110
Scan done at 22:13:23.85, Wed 10/18/2006
Run from C:\Documents and Settings\John McElwee\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ot.ico Deleted
C:\DOCUME~1\JOHNMC~2\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
AVG Anti-Spyware Log:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:42:53 PM 10/18/2006
+ Scan result:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Ignored.
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP722\A0145143.dll -> Adware.Softomate : Ignored.
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP722\A0145145.dll -> Adware.Softomate : Ignored.
C:\WINDOWS\system32\dmonwv.dll_tobedeleted -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\QooBox\cjemy.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\jcrlsw.exe.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\pahoe.dat.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\QooBox\pjrljfq.dll.qoo -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP722\A0145146.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP722\A0145147.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP722\A0145149.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP712\A0140724.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP723\A0145274.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP723\A0145277.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP712\A0140723.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP722\A0145141.exe -> Downloader.Zlob.aop : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ishost.exe_tobedeleted -> Downloader.Zlob.aop : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP713\A0140791.exe -> Downloader.Zlob.apm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP712\A0140725.dll -> Not-A-Virus.Hoax.Win32.Renos.ds : Ignored.
C:\Program Files\NetSpy Protector\quarantie\3-4-2006-9-12-56-PM\5185cc3b-a1f8-44ed-8894-180ccf610680.bak -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\5-4-2006-4-32-20-AM\68e07e72-b3d1-4d78-92c2-bb0130012a30.bak -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\NetSpy Protector\quarantie\5-4-2006-4-32-20-AM\c94b764b-999a-4c6f-b6e5-b3566267497a.bak -> TrackingCookie.2o7 : Cleaned.
:mozilla.55:C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.78:C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.92:C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.93:C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.94:C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.95:C:\Documents and Settings\John McElwee\Application Data\Mozilla\Profiles\default\tdym7v3v.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\System Volume Information\_restore{E8281CBF-7BEE-4CC6-8432-853560C39413}\RP717\A0142716.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\VundoFix Backups\winccf32.dll.bad -> Trojan.Agent.vg : Cleaned with backup (quarantined).
::Report end
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:59:05 PM, on 10/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
In addition, I am attaching the top portion of my Spybot log to show that the Command Service is still present. I can send the whole log if necessary, but it is very long (73806 characters in total). Let me know if this is preferred or if the information provided is sufficient. Thank you.
--- Search result list ---
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
E.C.S. International.Downloader: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{6BF52A52-394A-11D3-B153-00C04F79FAA6}
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-10-07 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-10-13 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-10-13 Includes\DialerC.sbi (*)
2006-10-13 Includes\Hijackers.sbi (*)
2006-10-13 Includes\HijackersC.sbi (*)
2006-10-13 Includes\Keyloggers.sbi (*)
2006-10-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-10-13 Includes\MalwareC.sbi (*)
2006-10-13 Includes\PUPS.sbi (*)
2006-10-13 Includes\PUPSC.sbi (*)
2006-10-13 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-10-13 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-10-13 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-10-13 Includes\Trojans.sbi (*)
2006-10-13 Includes\TrojansC.sbi (*)
LonnyRJones
2006-10-19, 08:52
Usualy when command service shows repeatadly it is becouse of the method ad-aware
uses to remove it. It leave's a harmless registry key with modified permisions.
Please download and unzip Ren-cmdservice to your desktop.
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run SpyBot check for and fix any problems found.
When next you check for problems it wont or shouldnt be there.
alternate download
http://www.bleepingcomputer.com/files/lonny/ren-cmdservice.zip
Thanks for the help. I ran the tool from the first link (Ren-cmdservice) and it appears to have removed the registrey key. After running Spybot there are no problems found. I have posted the ren-cmd service text as requested and my last spyboy run log. Thanks again and I hopefully won't have to post here again with any problems.
REN-CMDSERVICE:
Running from C:\Documents and Settings\John McElwee\Desktop\ren-cmdservice\ren-cmdservice
No Image Path Listed in Registry
-----------------
Deleting cmdservice key
cmdservice key deleted
..
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
Finised, Post this text then
Please Restart your PC
ren-cmdservice.bat edited 6-25-2006
-----------------
SPYBOT LOG:
--- Search result list ---
Congratulations!: No immediate threats were found. ()
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-10-07 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-10-13 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-10-13 Includes\DialerC.sbi (*)
2006-10-13 Includes\Hijackers.sbi (*)
2006-10-13 Includes\HijackersC.sbi (*)
2006-10-13 Includes\Keyloggers.sbi (*)
2006-10-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-10-13 Includes\MalwareC.sbi (*)
2006-10-13 Includes\PUPS.sbi (*)
2006-10-13 Includes\PUPSC.sbi (*)
2006-10-13 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-10-13 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-10-13 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-10-13 Includes\Trojans.sbi (*)
2006-10-13 Includes\TrojansC.sbi (*)
LonnyRJones
2006-10-20, 05:30
Looks good
Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month
To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter. :)