cmdservice removal



Mystic Dee
2006-11-01, 01:22
Hello all,

Thank you for being here. I have used this site for YEARS, as well as Spybot, to fix problems, and this time I find myself posting for HELP!!!! heheeh, man, this cmd is nasty. I have gotten rid of it in the registry etc. and got it down to 3 registry entries it will not let me delete! But below is the log from HijackThis, and your help is greatly appreciated! Sincerely, Denise :)

Logfile of HijackThis v1.99.1
Scan saved at 4:15:10 PM, on 10/31/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe
C:\HiJack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/30/checkin.php?cid=51493737&aid=30007&time=C:\DOCUME~1\princess\LOCALS~1\Temp\\abc123&fw=0&v=30&m=1&vm=0
F2 - REG:system.ini: UserInit=userinit.exe,movmyuv.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab

Mr_JAk3
2006-11-01, 12:21
Hi Mystic Dee and welcome to Safer Networking Forums :)

You got some infections there...

Was this the full HijackThis log and was it taken from the safe mode? If so, please let me know.

Before we can start the cleaning I need you to do something important.

Please download and install Windows XP Service Pack 1A -> Windows XP SP1a (http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx)
NOTE! Do NOT install Service Pack 2 yet. We'll have to get you cleaned first

Post a fresh HijackThis log from the normal mode when you're ready :bigthumb:
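As an added example (not part of the thread, and not a tool either poster used), the script below applies the checks a log reader makes by eye to the entry types that stand out in the first HijackThis log above: an extra binary appended to the winlogon UserInit value, a ShellNext URL pointing at a raw IP (a check-in beacon), an unnamed URLSearchHook DLL, wildcard domains added to the IE Trusted sites zone, and O16 ActiveX CABs registered without a friendly name. The sample lines are copied from that log; the `triage` function and `Finding` record are assumptions of this example, not HijackThis output formats beyond what the log itself shows.

```python
"""Triage a HijackThis 1.99 log for the persistence and trust changes
seen in the thread above.  Example code, not from the thread."""
import re
from dataclasses import dataclass

# Lines taken verbatim from the first log posted in the thread (only
# the entry types the checks below look at).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/30/checkin.php?cid=51493737&aid=30007&time=C:\DOCUME~1\princess\LOCALS~1\Temp\\abc123&fw=0&v=30&m=1&vm=0
F2 - REG:system.ini: UserInit=userinit.exe,movmyuv.exe
R3 - URLSearchHook: (no name) - {2FCF21B3-EC70-BBFB-2C25-BDCE1EEDEDB7} - C:\WINDOWS\System32\fvfrv.dll
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab
"""

# http://1.2.3.4/... or http://1.2.3.4:port/... (no hostname at all)
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")
# O16 body: {CLSID} [(friendly name)] - URL
DPF_ENTRY = re.compile(r"DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)")


@dataclass
class Finding:
    kind: str    # HijackThis section code (F2, R1, R3, O15, O16)
    detail: str  # the binary, DLL, domain or URL that was flagged
    why: str     # one-line reason a log reader would give


def triage(log_text: str) -> list:
    """Return the suspicious entries of a HijackThis log in file order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" - ")

        if kind == "F2" and "UserInit=" in rest:
            # winlogon runs every comma-separated program here at logon;
            # only userinit.exe (with or without its path) belongs.
            for exe in rest.split("UserInit=", 1)[1].split(","):
                exe = exe.strip()
                if exe and exe.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                    findings.append(Finding(kind, exe,
                        "extra binary launched by winlogon at every logon"))

        elif kind == "R1" and "ShellNext" in rest:
            url = rest.split("=", 1)[1].strip()
            if RAW_IP_URL.match(url):
                findings.append(Finding(kind, url,
                    "ShellNext points at a raw-IP URL (check-in beacon)"))

        elif kind == "R3" and rest.startswith("URLSearchHook: (no name)"):
            dll = rest.rsplit(" - ", 1)[1]
            findings.append(Finding(kind, dll,
                "unnamed URLSearchHook DLL intercepts address-bar searches"))

        elif kind == "O15" and rest.startswith("Trusted Zone:"):
            domain = rest.split(":", 1)[1].split("(")[0].strip()
            findings.append(Finding(kind, domain,
                "added to IE Trusted sites zone (relaxed ActiveX/script policy)"))

        elif kind == "O16":
            m = DPF_ENTRY.match(rest)
            if m and m.group(2) is None:
                findings.append(Finding(kind, m.group(3),
                    "ActiveX CAB registered with no friendly name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.detail}\n     -> {f.why}")
```

The named Trend Micro HouseCall entry passes, so the checks reflect what the helper reads from such a log rather than a blanket rule against every O16 line; a real triage still confirms each flagged file on disk before fixing the entry.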

Mystic Dee
2006-11-01, 22:06
Hello there, and thank you so much for your help and expertise in this! First let me say the PC in question is NOT mine but my son's. Every time I try to do anything on the net it chokes out the resources (CPU) and I cannot do anything. But I went to Windows and downloaded the SP1a pack and installed it, and below is an updated HijackThis. I took the liberty of already using HijackThis to remove certain things I knew to be trojans. And now comes your expertise: the CORE monster involved! It does not want to die no matter HOW hard I try to convince it it needs to walk INTO the Light; it won't go! Maybe you will teach me the sweet words to make it walk into the light, yes? :D: Thanks again for your time and knowledge. And please excuse my typonese, as when I type it is in the form of SEEK AND YE SHALL FIND!

NON-safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 2:04:26 PM, on 11/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R3 - URLSearchHook: (no name) - {2FCF21B3-EC70-BBFB-2C25-BDCE1EEDEDB7} - C:\WINDOWS\System32\fvfrv.dll
F2 - REG:system.ini: UserInit=userinit.exe,movmyuv.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/eliteview.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162404403069

Thank you very much ! Denise

Mystic Dee
2006-11-01, 22:07
PS it was hard. Had to try 3x as they kept locking up the install :-(

Mystic Dee
2006-11-01, 22:16
Sorry for the double post. I think it did that because I had timed out and it said I had to log in, and I logged in and hit post. Anyways, sorry, and also the first HijackThis was in NON-safe mode and yes, the full log :) sorry for so mo mode!
I am slow but sincere, as ermm my mother :D:

Mr_JAk3
2006-11-02, 12:02
Hi again :)

Ok, first some questions...

How many accounts do you have on the PC?
Which of these have administrative privileges?
Have you had any antivirus/firewall on the PC?
Have you set some entries to the IGNORE list?

If you have ignored entries, please unignore those and post a fresh HijackThis log.

Then:
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Mystic Dee
2006-11-02, 20:01
Hi, and thanks for all the help. This is going to sound weird, but when I started up in Safe Mode there was an admin account that neither I nor my son created.
His account was the admin and he had a second account for his GF. When you start the PC in Normal Mode those ARE the only 2 that appear, and in Safe Mode only his and the admin. The admin is also password protected, and being neither he nor I created it, we have no idea what the PW is. Is that a safeguard the trojans install to safeguard themselves? Also, he installed McAfee and I uninstalled it when this all happened. And your 3rd Q: should not be.

I tried to install the program you said and it would not let me. So I have decided to just re-partition and format and start from scratch. But I would like to ask: is there a program that is specifically made to kill this thing off, provided a person HAS done all the simple preventive things such as Windows Update etc.? Like Spybot found them and would kill them off 1 at a time, but then they would just come back. And CWShredder is a kill for CoolWebSearch, etc.
The problem is the PC will not let me do anything; it chokes it out and I just cannot do anything. And I am curious, did this monster create an ADMIN account, as neither I nor my son know where the thing came from?
Thank you so much for your time and expertise, and I would appreciate the answers, but it seems it is so embedded it will simply NOT let me do ANYTHING now, so reinstalling.

Sincerely Denise and thank you so much for your time !

Mr_JAk3
2006-11-02, 21:28
Hi again, the admin account is created there by default...

I'll respect your decision to do a clean install.

Please make sure that you know what to do before beginning the operation.

Here are a few links that will probably help.

When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Windows XP Clean install (http://windowsxp.mvps.org/XPClean.htm)

Then there are a couple of things you should do immediately after installing Windows and before surfing the net... Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).

These are good (free) firewalls:
- Kerio (http://www.sunbelt-software.com/Kerio.cfm)
- Sygate (http://www.majorgeeks.com/download.php?det=3356)
- Outpost (http://www.majorgeeks.com/download.php?det=1056)

These are good (free) antiviruses:
- Antivir (http://www.free-av.com)
- Avast (http://www.avast.com)
- AVG (http://free.grisoft.com)


Get all Windows updates installed!

Please ask me if you have any questions :)

Then here are a few things that you can do in order to make your fresh computer more secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use Ewido (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?

Mystic Dee
2006-11-05, 00:43
Thank you again for your time and knowledge. I felt a fresh install was in order, as it was not that new of an install and I had told my son to get updates etc.... BUT this time I got the updates and yes, I also put in the safeguards and talked to him about internet security and downloads etc.
Thank you again for your help, and I KNOW I will return again. I have used your site for many years, and Spybot to help with problems over the years, and it is a very valuable learning resource for me! Be safe and happy in all you do!
Sincerely Denise :D:

Mr_JAk3
2006-11-05, 12:21
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: