
Thread: Spybot is detecting Cmdservice

  1. #1
    Junior Member
    Join Date
    Apr 2006
    Posts
    5

    Spybot is detecting Cmdservice

    Hello,

    I've gotten nailed with the nastiest malware I've ever gotten. I've tried running every antivirus/malware removal program I've come across (in safe mode and normal), to no avail. It's shut down my Norton AntiVirus (although I can still do scans), and rendered me unable to do a System Restore (this may be due to some of the protective/removal programs I've run, although I'm not entirely sure).

    Here is a posting of my HJT log; I'd be indebted to you if you could look it over.

    Thank you for your time


    Logfile of HijackThis v1.99.1
    Scan saved at 10:28:09 PM, on 4/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Windows Defender\MsMpEng.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\Scope\app\bin\sfp.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Documents and Settings\Johnny\Desktop\Malware Removal\Hijack This\HijackThis.exe
    D:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=Explorer.exe, D:\WINDOWS\system32\dporm.exe
    F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,okvvwjw.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [InitPulsar] D:/Scope/app/bin/sfp.exe -s
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - D:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - D:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - D:\Program Files\allinpokerMPP\MPPoker.exe
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126253515984
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

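The entries that matter in the log above are the two F2 lines (something appended to the Winlogon Shell and Userinit values, which run at every logon), the O4 autostarts pointing at freshly named executables in system32 or at a bare file in the all-users Startup folder, and the O15 lines that put advertising hosts in IE's Trusted Zone. The following is an added example of that triage, not code from the original post or from HijackThis; the sample lines are copied from the logs in this thread, with legitimate Symantec and Messenger entries included so the rules can be seen letting them pass. The "clean XP defaults" it assumes are Shell=Explorer.exe and Userinit=<windir>\system32\userinit.exe and nothing else.

```python
"""Triage of HijackThis 1.99.1 log lines for the hijack classes seen in the logs above.

Added example (not part of the original post, not HijackThis code). It knows
about three entry types: F2 (Winlogon Shell/Userinit values), O4 (Run keys and
Startup folders) and O15 (IE Trusted Zone). Everything else is ignored.
"""
import re

# What a clean Windows XP install has in the Winlogon values HijackThis reports as F2.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$", re.IGNORECASE)

# Sample input: lines copied from the two logs in the thread, plus the benign
# Symantec and Messenger entries, so the rules can be seen passing legitimate software.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe, D:\WINDOWS\system32\dporm.exe",
    r"F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,okvvwjw.exe",
    r"O4 - HKLM\..\Run: [mwcfmc] D:\WINDOWS\system32\nfxnme.exe reg_run",
    r'O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Global Startup: fnjos.exe",
    r"O15 - Trusted Zone: http://click.getmirar.com (HKLM)",
    r"O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe",
]

SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
F2_RE = re.compile(r"^REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")
O4_RE = re.compile(r"^(?P<loc>.*?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O15_RE = re.compile(r"^Trusted Zone: (?P<site>\S+)")
SYSTEM32_EXE_RE = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)


def first_token(cmd):
    """The executable part of a Run command line: a quoted path, or the first whitespace-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_f2(body):
    """Shell may only be explorer.exe and Userinit only userinit.exe; anything extra runs at every logon."""
    m = F2_RE.match(body)
    if not m:
        return []
    key = m.group("key")
    parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
    if key == "Shell":
        extras = [p for p in parts if p.lower() != DEFAULT_SHELL]
    else:
        extras = [p for p in parts if not DEFAULT_USERINIT.match(p)]
    return [("F2", f"extra program in Winlogon {key}", p) for p in extras]


def check_o4(body):
    """Flag autostarts that are a bare file in the Startup folder or an executable dropped straight into system32."""
    m = O4_RE.match(body)
    if not m:
        return []
    loc, exe = m.group("loc"), first_token(m.group("cmd"))
    if loc.lower() == "global startup" and "\\" not in exe:
        return [("O4", "unknown file in all-users Startup folder", exe)]
    if SYSTEM32_EXE_RE.search(exe):
        return [("O4", "autostart runs an executable placed in system32", exe)]
    return []


def check_o15(body):
    """Any site in the IE Trusted Zone gets relaxed ActiveX/scripting settings; a clean XP box has none."""
    m = O15_RE.match(body)
    return [("O15", "site added to IE Trusted Zone", m.group("site"))] if m else []


CHECKS = {"F2": check_f2, "O4": check_o4, "O15": check_o15}


def triage(lines):
    """Return (section, reason, artifact) tuples for every line a checker objects to."""
    findings = []
    for line in lines:
        m = SECTION_RE.match(line.strip())
        if m and m.group("sec") in CHECKS:
            findings.extend(CHECKS[m.group("sec")](m.group("body")))
    return findings


if __name__ == "__main__":
    for sec, reason, artifact in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}: {artifact}")
```

Run against the sample it reports dporm.exe and okvvwjw.exe (F2), nfxnme.exe and fnjos.exe (O4) and click.getmirar.com (O15), and stays silent on ccApp.exe, msmsgs.exe and the SAVScan service. The system32 rule is deliberately broad: a Run entry for a file that lives directly in system32 is rare for legitimate software and cheap to eyeball, which is exactly the trade-off a log reviewer makes.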
  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Welcome to the forums, fadeinlight.

    Create and run this batch file,

    Copy the contents of the quote box below into a new Notepad document (not WordPad).
    Click File > Save As... > call it check.bat > file type *All Files* > and save it to the desktop.
    Start /min Hijackthis.exe /autolog
    Run check.bat and post back with the text that will open.

    And post the results of this free online scan:
    http://www.kaspersky.com/virusscanner
    Click Scan Settings and place a check next to "[x] use extended database", etc. Click OK.
    Then choose My Computer: scan all your hard drives and mapped disks.
    When finished, click Save as Text and post that in your reply.

  3. #3
    Junior Member
    Join Date
    Apr 2006
    Posts
    5


    Hi Lonny, thanks for the quick response!

    Logfile of HijackThis v1.99.1
    Scan saved at 5:59:18 PM, on 4/7/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Windows Defender\MsMpEng.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\WINDOWS\system32\nfxnme.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\dporm.exe
    D:\WINDOWS\system32\dporm.exe
    D:\WINDOWS\system32\dporm.exe
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\Scope\app\bin\sfp.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Documents and Settings\Johnny\Desktop\Malware Removal\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=Explorer.exe, D:\WINDOWS\system32\dporm.exe
    F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,okvvwjw.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [InitPulsar] D:/Scope/app/bin/sfp.exe -s
    O4 - HKLM\..\Run: [mwcfmc] D:\WINDOWS\system32\nfxnme.exe reg_run
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [itjgn] D:\WINDOWS\system32\nfxnme.exe reg_run
    O4 - Global Startup: fnjos.exe
    O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - D:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - D:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - D:\Program Files\allinpokerMPP\MPPoker.exe
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126253515984
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    Results of Kaspersky scan:

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Friday, April 07, 2006 8:03:54 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 8/04/2006
    Kaspersky Anti-Virus database records: 186900
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 111798
    Number of viruses found: 26
    Number of infected objects: 80
    Number of suspicious objects: 0
    Duration of the scan process: 01:02:43

    Infected Object Name / Virus Name / Last Action
    C:\Downloads\Software Install\Program Files\Inet Delivery\INTDEL.EXE Infected: Trojan.Win32.Delf.ff skipped
    C:\Downloads\Software Install\Program Files\Inet Delivery\INTDEL_2.exe Infected: Trojan.Win32.Delf.ff skipped
    C:\System Volume Information\_restore{0EC1744E-26E1-4BC4-BAE3-9CBCCF982A27}\RP68\A0010244.dll Infected: not-a-virus:AdWare.Win32.OWS skipped
    C:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040639.exe Infected: Trojan-Downloader.Win32.VB.zg skipped
    C:\w.exe Infected: Trojan-Downloader.Win32.Agent.aie skipped
    D:\Documents and Settings\Johnny\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\6E9E159E-A999-4735-89EF-1FE2E9\8680FFE4-4071-487E-9C94-8F4188 Infected: Trojan-Downloader.Win32.Agent.agw skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP242\A0040252.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP242\A0040253.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP242\A0040258.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP242\A0040261.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP242\A0040265.exe Infected: Trojan-Dropper.Win32.VB.kk skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040302.exe Infected: Trojan-Downloader.Win32.Adload.af skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040305.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040306.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040307.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040309.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040310.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040326.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040509.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040513.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040514.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040637.exe Infected: Exploit.HTML.ObjData skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040638.exe Infected: Exploit.HTML.ObjData skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041709.exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041709.exe Inno: infected - 1 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041709.exe CryptFF: infected - 1 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041710.dll Infected: Trojan-Clicker.Win32.Small.jf skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041711.dll Infected: Trojan-Clicker.Win32.Small.jf skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041712.exe Infected: Trojan-Downloader.Win32.Adload.af skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041713.exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041713.exe Inno: infected - 1 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041713.exe CryptFF: infected - 1 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041714.exe Infected: Trojan-Downloader.Win32.Small.cjg skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041716.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.p skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041716.exe NSIS: infected - 1 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041716.exe CryptFF: infected - 1 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041717.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041718.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041719.exe Infected: Trojan-Downloader.Win32.VB.sh skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041720.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041721.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041722.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041723.exe/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041723.exe NSIS: infected - 1 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041723.exe CryptFF: infected - 1 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041725.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041726.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP248\A0049210.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP248\A0049210.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP248\A0049210.exe NSIS: infected - 2 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049315.exe Infected: Exploit.HTML.ObjData skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049317.exe/data0001 Infected: Trojan-Clicker.Win32.Small.jf skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049317.exe NSIS: infected - 1 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049318.exe Infected: Exploit.HTML.ObjData skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049319.exe Infected: Trojan.Win32.VB.tg skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049320.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049321.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP260\A0049697.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP260\A0049697.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP260\A0049697.exe NSIS: infected - 2 skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP261\A0049936.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP261\A0049936.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
    D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP261\A0049936.exe NSIS: infected - 2 skipped
    D:\WINDOWS\country.exe Infected: Exploit.HTML.ObjData skipped
    D:\WINDOWS\pss\fnjos.exeCommon Startup Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
    D:\WINDOWS\system32\q3.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\WINDOWS\system32\q5.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\WINDOWS\system32\sdmqx.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
    D:\WINDOWS\system32\Setup94.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
    D:\WINDOWS\system32\Setup94.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
    D:\WINDOWS\system32\Setup94.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
    D:\WINDOWS\system32\Setup94.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
    D:\WINDOWS\system32\Setup94.exe NSIS: infected - 4 skipped
    D:\WINDOWS\system32\Win3.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
    D:\WINDOWS\system32\Win3.exe NSIS: infected - 1 skipped
    D:\WINDOWS\system32\z1.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
    D:\WINDOWS\system32\ѕystem32\logonui.exe Infected: Trojan-Downloader.Win32.PurityScan.w skipped
    D:\WINDOWS\uniq Infected: Exploit.HTML.ObjData skipped
    D:\WINDOWS\YazzleBundle-1119.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
    D:\WINDOWS\YazzleBundle-1119.exe NSIS: infected - 1 skipped

    Scan process completed.


    Didn't come up with any viruses in scans before I got this adware...did it download them?

    Regardless, thank you again for your time

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Download Brute Force Uninstaller.
    Unzip it to its own folder (c:\BFU). It must be unzipped and in the Root\BFU folder. Root equals the drive Windows is installed to,
    so in your case make the BFU folder on D:\.
    Right-click on this link and choose Save Target As, and save qooFix.bat to that BFU folder.
    http://downloads.subratam.org/Lon/qooFix.bat
    Run qooFix.bat. Close all browsers and Explorer folders.
    Choose option 1 (Qoolfix autofix) and follow the prompts.
    Patience; it will take about five minutes.
    After the PC has restarted:

    Delete these files and folder
    C:\w.exe
    D:\WINDOWS\country.exe
    D:\WINDOWS\pss\fnjos.exe
    D:\WINDOWS\system32\q3.exe
    D:\WINDOWS\system32\q5.exe
    D:\WINDOWS\system32\Setup94.exe
    D:\WINDOWS\system32\Win3.exe
    D:\WINDOWS\system32\z1.exe
    D:\WINDOWS\system32\ѕystem32\logonui.exe
    D:\WINDOWS\uniq
    D:\WINDOWS\YazzleBundle-1119.exe
    C:\Downloads\Software Install\Program Files\Inet Delivery
    ====================

    D:\WINDOWS\pss
    What else is in the PSS folder?

    D:\WINDOWS\system32\ѕystem32
    What else is in that second system32 folder?

    Once back at the forum make/post another hijackthis log.

  5. #5
    Junior Member
    Join Date
    Apr 2006
    Posts
    5


    Hello Lonny

    I was unable to locate this file:
    D:\WINDOWS\system32\?ystem32\logonui.exe

    The contents of the PSS folder are as follows:
    Adobe Gamma Loader.exe.lnkCommon Startup
    Adobe Gamma Loader.lnkCommon Startup
    Adobe Reader Speed Launch.lnkCommon Startup
    boot.ini.backup
    LimeWire On Startup.lnkStartup
    Microsoft Office.lnkCommon Startup
    System.ini.backup
    win.ini.backup

    The contents of D:\WINDOWS\system32\?ystem32:
    <empty folder> (I may have made this folder a long time ago while trying to change some settings, and forgotten to delete it)

    Results of the latest HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 1:48:39 AM, on 4/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Windows Defender\MsMpEng.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\Scope\app\bin\sfp.exe
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\Johnny\Desktop\Malware Removal\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [InitPulsar] D:/Scope/app/bin/sfp.exe -s
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - D:\Program Files\allinpokerMPP\MPPoker.exe
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126253515984
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Thank you so much for your help...this has really been bothering me

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Start HijackThis and place a check next to these items if there.
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    ====================================
    Hit fix checked and close Hijackthis.

    Update then check for and fix any problems found with Spybot

    Put in place a good hosts file
    http://www.mvps.org/winhelp2002/hosts.htm
    Replace it about once monthly to keep it updated


    To help avoid reinfection see "So how did I get infected in the first place?"
    http://forums.spybot.info/showthread.php?t=279

    Are there any problems or questions now ?
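    The O15 lines above are Internet Explorer zone-map entries that put a host into the Trusted sites zone, where it gets weaker security settings than ordinary Internet hosts. As an added example, not from this thread or from HijackThis or Spybot, the following script lists every zone-map entry from both hives (HijackThis shows the hive in parentheses, as in the "(HKLM)" above), reports the hosts mapped to zone 2 that are not on an allow list you pass in, and removes them only when run with -Remove. The registry layout it reads (Domains\<domain>\<host label>, one DWORD per scheme holding the zone number) is the standard one; the allow list and the -Remove switch are this script's own.

```powershell
# Added example (not from the thread, HijackThis or Spybot): list Internet
# Explorer zone-map entries and flag hosts in the Trusted sites zone (2) that
# are not on an allow list. Read-only unless -Remove is given. Run elevated so
# the HKLM half can be read and, with -Remove, written.
[CmdletBinding()]
param(
    # Hosts you deliberately trust; every other Trusted-zone host is reported.
    [string[]]$Allowed = @(),
    [switch]$Remove
)

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }

# Both hives hold a ZoneMap; HijackThis reports which one in parentheses.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneMapEntries {
    param([string]$Root)
    if (-not (Test-Path -Path $Root)) { return }
    # Layout: Domains\<domain>[\<host label>] with one DWORD value per scheme
    # (http, https or *) whose data is the zone number.
    foreach ($key in Get-ChildItem -Path $Root -Recurse) {
        $rel      = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
        $parts    = $rel -split '\\'
        $hostName = if ($parts.Count -ge 2) { $parts[1] + '.' + $parts[0] } else { $parts[0] }
        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Hive     = $Root.Split(':')[0]
                Host     = $hostName
                Scheme   = $scheme
                Zone     = $zone
                ZoneName = $zoneNames[$zone]
                Key      = $key.Name
            }
        }
    }
}

$entries  = foreach ($root in $roots) { Get-ZoneMapEntries -Root $root }
$suspects = @($entries | Where-Object { $_.Zone -eq 2 -and $Allowed -notcontains $_.Host })

if ($suspects.Count -eq 0) { Write-Host 'No unexpected Trusted-zone entries.'; return }
$suspects | Format-Table Hive, Host, Scheme, ZoneName, Key -AutoSize

if ($Remove) {
    foreach ($s in $suspects) {
        # Use the .NET registry API directly so a scheme named "*" is not
        # treated as a wildcard by Remove-ItemProperty.
        $hive = if ($s.Hive -eq 'HKLM') { [Microsoft.Win32.Registry]::LocalMachine }
                else                    { [Microsoft.Win32.Registry]::CurrentUser }
        $sub  = $s.Key -replace '^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\', ''
        $rk   = $hive.OpenSubKey($sub, $true)
        $rk.DeleteValue($s.Scheme)
        $empty = ($rk.ValueCount -eq 0 -and $rk.SubKeyCount -eq 0)
        $rk.Close()
        if ($empty) { $hive.DeleteSubKey($sub) }   # drop the now-empty host key
        Write-Host "Removed $($s.Scheme) entry for $($s.Host) from $($s.Hive)"
    }
}
```

    Run it first without -Remove to see what is there, for example `.\Get-TrustedZone.ps1 -Allowed 'update.microsoft.com'`; the three mirar hosts in the log above would show up as Trusted-zone entries from HKLM, which is what makes them worth removing.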

  7. #7
    Junior Member
    Join Date
    Apr 2006
    Posts
    5

    Default

    Hello Lonny

    Unfortunately, Spybot is still detecting Cmdservice :(. On a positive note, I've seen a boost in performance, and no unsolicited popups.

    Results of the latest HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 2:07:11 PM, on 4/8/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Windows Defender\MsMpEng.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    D:\WINDOWS\system32\Ati2evxx.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\Scope\app\bin\sfp.exe
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Documents and Settings\Johnny\Desktop\Malware Removal\Hijack This\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [InitPulsar] D:/Scope/app/bin/sfp.exe -s
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunServer] D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - D:\Program Files\allinpokerMPP\MPPoker.exe
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126253515984
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    Note: I found the D:\WINDOWS\system32\ѕystem32\logonui.exe file, and deleted it after again running BFU as per your instructions. It turned out that I'd left the "hide system files/folders etc." checkbox checked.

    Do you think I should reinstall Norton Antivirus? I noticed that they had adware Yazzle listed as a new threat on their main page. At the moment, the Auto-Protect feature is disabled.

    Also, I've noticed that my hard drives seem to be at work at times when it doesn't seem that they should be (as if they were reading a large file or something). Norton Auto-Protect was serving as a basic firewall for me--do you think I should install Zone Alarm?

    I've followed all of the instructions on the preventative measures link you posted (although I did have to change my settings temporarily so I could get Kaspersky to work).

    Thanks again for your help

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Cmdservice is only a leftover, the permissions on the key are probably messed up.

    Please download and unzip Ren-cmdservice to your desktop.
    It will only work correctly if the folder is placed on your desktop and extracted.
    http://downloads.subratam.org/Lon/ren-cmdservice.zip
    Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
    ren-cmdservice.bat file to run the program.
    A text will open when it is finished. Post it please.
    Then restart the PC, run SpyBot, check for and fix any problems found.
    In your next check it won't be there.

    Frankly I would can Norton's programs (uninstall, reboot) and install some other programs for an AV and firewall.
    Or uninstall, reboot and install again, hopefully that will repair it.
    There are several listed on the page I posted for you.

  9. #9
    Junior Member
    Join Date
    Apr 2006
    Posts
    5

    Default

    Lonny,

    Everything is as you said it would be

    Results of rencmdservice.bat:
    Running from D:\Documents and Settings\Johnny\Desktop\ren-cmdservice
    No Image Path Listed in Registry

    Original perms.

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\cmdservice:
    Read NT AUTHORITY\INTERACTIVE
    Full access BUILTIN\Administrators


    -----------------
    Adjusted permisions

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\cmdservice:
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\INTERACTIVE
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access NT AUTHORITY\SYSTEM


    -----------------
    Deleting cmdservie key
    [SWSC] DeleteService FAIL
    Delete Network Monitor if present
    [SWSC] DeleteService FAIL
    -----------------
    Commandline utilities (SWReg and SWSC)
    Written by Bobbi Flekman © 2005
    -----------------
    A Backup made was made, bakhive
    Finised, Post the logit.txt then restart your PC please
    ren-cmdservice.bat edited 2-4-2006
    -----------------


    Thank you so much for all of your help! I'm humbled by your knowledge. I'll be finished with bartending school in 3 weeks--if you ever find yourself in Vegas, send me an email at [Removed email address] (make sure you put your name in the subject). Drinks will be on me. Also, I'll be sending a donation as soon as humanly possible.

    Thanks again!
    Last edited by LonnyRJones; 2006-04-09 at 09:47. Reason: Removed email address
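    The exchange in posts #8 and #9 shows the typical shape of a leftover service entry: the Services key still exists, it has no ImagePath, the SCM's DeleteService call fails because nothing is actually registered, and the key's DACL (Read for INTERACTIVE, Full access for Administrators) is what was stopping the scanner from cleaning it. As an added example, and not the ren-cmdservice tool the thread used, the script below reports those same facts for any service name (key present, ImagePath and whether the file exists, whether the SCM knows the service, owner and ACL entries) and, only with -Fix, exports a backup, grants Administrators full control, asks the SCM to delete the service, and removes the key. The key path and the reg.exe/sc.exe calls are standard; the -Fix switch, the backup file name and the ImagePath parsing are this script's own.

```powershell
# Added example; not the ren-cmdservice tool from the thread. Inspect a leftover
# service key and, with -Fix, back it up, widen its DACL, delete the service and
# remove the key. Run from an elevated PowerShell and reboot afterwards.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$ServiceName,   # e.g. cmdservice
    [switch]$Fix
)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$regPath = "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName"    # reg.exe syntax
$backup  = Join-Path -Path $env:TEMP -ChildPath "$ServiceName-key-backup.reg"

# Pull the executable out of an ImagePath such as
#   "C:\Program Files\x\y.exe" -s    or    %SystemRoot%\system32\z.exe /k
function Resolve-ImageFile {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($expanded.StartsWith('"')) { return $expanded.Split('"')[1] }
    $m = [regex]::Match($expanded, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $expanded.Split(' ')[0]
}

function Get-ServiceKeyReport {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $key   = Get-Item -Path $Path
    $image = $key.GetValue('ImagePath')          # $null when the value is missing
    $file  = Resolve-ImageFile -ImagePath $image
    $acl   = $null
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { }   # DACL may deny read
    [pscustomobject]@{
        Key         = $key.Name
        ImagePath   = $image
        ImageFile   = $file
        ImageExists = if ($file) { Test-Path -LiteralPath $file } else { $false }
        KnownToScm  = [bool](Get-Service -Name $Name -ErrorAction SilentlyContinue)
        Owner       = if ($acl) { $acl.Owner } else { '(DACL not readable)' }
        Access      = if ($acl) { @($acl.Access | ForEach-Object {
                          '{0}: {1} ({2})' -f $_.IdentityReference, $_.RegistryRights, $_.AccessControlType }) }
                      else { @() }
    }
}

$report = Get-ServiceKeyReport -Path $keyPath -Name $ServiceName
if (-not $report) { Write-Host "No key for '$ServiceName' under Services; nothing to do."; return }
$report | Format-List
if (-not $Fix) { return }

# 1. Export the key before touching it (the thread's tool kept a "bakhive" too).
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed; not continuing without a backup" }
Write-Host "Key exported to $backup"

# 2. Grant Administrators full control, inherited by subkeys, so the delete
#    cannot fail on a tightened DACL. Set-Acl fails if we do not own the key;
#    take ownership first in regedit (Permissions, Advanced, Owner) in that case.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Ask the SCM first. DeleteService fails harmlessly when the SCM never
#    loaded the broken entry, which is what the posted log shows.
& sc.exe delete $ServiceName | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Host "sc delete returned $LASTEXITCODE; removing the key directly" }

# 4. Remove the key itself; a reboot brings the SCM's in-memory list in line.
if (Test-Path -Path $keyPath) { Remove-Item -Path $keyPath -Recurse -Force }
Write-Host 'Done. Restart the PC, then re-run the Spybot scan.'
```

    Run it once without -Fix and read the report: a key with no ImagePath, ImageExists false and KnownToScm false is a dead entry that only a scanner signature still notices, and the Access list tells you why earlier cleanup attempts failed. Keep the exported .reg file until a clean rescan confirms the removal.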

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Are there any current problems ?
