tekkieman880
2006-10-27, 01:31
Hello all, I'd first like to say that it's a wonderful thing you guys do here.
That said...I'm in a bit of a pickle. My computer is severely screwed up right now, thanks to a download gone wrong, courtesy of my little sister. I've run Ewido (turned out over 1600 infections on first run, 30 on second run, 3 on third and successive runs), Ad-Aware (170 on first run, 0 on successive runs), and Spybot S & D (123 infections on first run). When I run Spybot, it fixes all but 2 files, both of which are Command Service files. I've read a couple posts here that have had the same problem, so I'm guessing you guys are the go-to dudes for getting it fixed. Currently, my computer runs fine for about five minutes before all sorts of crazy stuff (pop-ups and freezing) begins to happen. Any help you could give would be much appreciated.
--Tekkie
PS: If I'm doin' anything wrong here, let me know.
Logfile of HijackThis v1.99.1
Scan saved at 3:22:30 PM, on 10/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Dono\LOCALS~1\Temp\Rar$EX00.094\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R3 - URLSearchHook: (no name) - {6960C562-5EA1-7551-87DC-03B599B5DCC4} - C:\WINDOWS\system32\scjhc.dll (file missing)
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hxkuhye.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Dono\LOCALS~1\Temp\22630\gm.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161721458\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [rhbsnh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rhbsnh.dll,eqassoc
O4 - HKLM\..\Run: [ydhsdig.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ydhsdig.dll,urvzwib
O4 - HKLM\..\Run: [sys101082693326] C:\WINDOWS\sys101082693326.exe
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\Dono\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [ms046933261082] C:\WINDOWS\ms046933261082.exe
O4 - HKLM\..\Run: [ms059332610826] C:\WINDOWS\ms059332610826.exe
O4 - HKLM\..\Run: [gkofzdh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gkofzdh.dll,xtwsxbc
O4 - HKLM\..\Run: [{89-96-6C-CE-ZN}] c:\windows\system32\dwdsregt.exe SED001
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
O4 - HKLM\..\Run: [win32101082693326] C:\WINDOWS\win32101082693326.exe
O4 - HKLM\..\Run: [yjvbdvuA] C:\WINDOWS\yjvbdvuA.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels1118.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [bhxgx] C:\WINDOWS\system32\fsmnwt.exe reg_run
O4 - HKCU\..\Run: [PSCastor] "C:\Program Files\PSCastor\PSCastor.exe"
O4 - HKCU\..\Run: [Riaa] "C:\PROGRA~1\PPPATC~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [Apsnlqfw] C:\Documents and Settings\Dono\Application Data\?racle\w?nword.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Dono\Local Settings\Temp\TISED001.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159688689675
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159716204640
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: HHXZhXbabyj - {408896CF-EA22-3C65-6583-53CE69DA4E39} - C:\WINDOWS\system32\djjb.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RG9ub3ZhbiBKZXNrYQ\command.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yjvbdvu.exe
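As an added triage aid (example code written for this page, not part of the original post and not HijackThis itself), the script below applies the first-pass heuristics an analyst uses when reading a HijackThis v1.99 log: autostarts launched from a Temp directory, executables sitting directly in %WINDIR%, an extra program chained onto UserInit, a populated AppInit_DLLs value, orphaned entries whose target is gone, generic or randomised Run value names, rundll32 entries named after the DLL they load, and unknown-owner services outside system32 and Program Files. The sample lines are copied from the log above; the patterns, flag wording and the "generic name" list are this example's own assumptions.

```python
"""Triage heuristics for HijackThis v1.99 log lines.

Added example for this page; it is not part of the original post and not
HijackThis code. The patterns, the flag wording and the GENERIC_NAMES list
are this example's own assumptions about what an analyst looks for first.
"""
import re

# Sample input: lines copied from the log posted above, plus two benign
# entries (Java updater, Lexmark service) kept as controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hxkuhye.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\Dono\LOCALS~1\Temp\22630\gm.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
O4 - HKLM\..\Run: [rhbsnh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rhbsnh.dll,eqassoc
O4 - HKCU\..\Run: [Apsnlqfw] C:\Documents and Settings\Dono\Application Data\?racle\w?nword.exe
O4 - HKLM\..\Run: [yjvbdvuA] C:\WINDOWS\yjvbdvuA.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O21 - SSODL: HHXZhXbabyj - {408896CF-EA22-3C65-6583-53CE69DA4E39} - C:\WINDOWS\system32\djjb.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\yjvbdvu.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.I)
# An .exe sitting directly in %WINDIR% rather than in system32 or Program Files.
WINROOT_EXE_RE = re.compile(r"[A-Z]:\\WINDOWS\\[^\\]+\.exe", re.I)
# HijackThis prints '?' for characters it cannot display; inside a path
# component that usually means a look-alike directory or file name.
ODD_CHAR_RE = re.compile(r"\\[^\\ ]*\?[^\\ ]*")
GENERIC_NAMES = {"ms", "system", "systemtools", "loaddr", "win32"}  # assumption
RANDOM_NAME_RE = re.compile(r"(ms|sys|win32)\d{6,}")


def parse(line):
    """Split an HJT entry into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def flags_for(line):
    """Return the list of heuristic flags raised by one log line."""
    parsed = parse(line)
    if parsed is None:
        return []
    section, body = parsed
    flags = []
    if "(file missing)" in body or "(no file)" in body:
        flags.append("orphaned entry (target no longer on disk)")
    if TEMP_RE.search(body):
        flags.append("autostart from a Temp directory")
    if ODD_CHAR_RE.search(body):
        flags.append("non-displayable character in path component")
    if WINROOT_EXE_RE.search(body):
        flags.append("executable directly under %WINDIR%")
    if section == "F2" and "UserInit=" in body:
        # Everything after the first comma is chained onto the logon shell.
        extra = [p for p in body.split("UserInit=", 1)[1].split(",")[1:] if p.strip()]
        if extra:
            flags.append("extra UserInit executable: " + ",".join(extra))
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        flags.append("AppInit_DLLs set (DLL loaded into every user32 process)")
    if section == "O4":
        m = re.search(r"\[([^\]]+)\]", body)
        name = m.group(1) if m else ""
        low = name.lower()
        if low in GENERIC_NAMES or RANDOM_NAME_RE.fullmatch(low):
            flags.append(f"generic or randomised Run value name '{name}'")
        if "rundll32.exe" in body.lower() and low.endswith(".dll"):
            flags.append("rundll32 loading a DLL named after the Run value")
    if section == "O23" and "Unknown owner" in body and not re.search(
            r"\\(system32|Program Files)\\", body, re.I):
        flags.append("unknown-owner service outside system32/Program Files")
    return flags


def triage(log_text):
    """Return [(line, flags)] for every line that raised at least one flag."""
    results = []
    for line in log_text.splitlines():
        flags = flags_for(line)
        if flags:
            results.append((line.strip(), flags))
    return results


if __name__ == "__main__":
    for line, flags in triage(SAMPLE_LOG):
        print(line)
        for f in flags:
            print("    ->", f)
```

The output is a reading order, not a verdict: a flag means "look at this first", and a clean result means only that none of these patterns fired. Vendor services installed outside Program Files (the NVIDIA ForceWare entries in the log above, for instance) will be flagged as unknown-owner and have to be cleared by hand, while the two Command Service entries the poster mentions would surface through the O23 rule because the service runs from a directory directly under C:\WINDOWS with no owner.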