Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: cmdservice

  1. 2006-05-10, 16:01 #1
    _PuNiShEr_
    _PuNiShEr_ is offline
    Junior Member
    Join Date
    May 2006
    Posts
    11

    Default cmdservice

    Here is my hijackthis log

    Logfile of HijackThis v1.99.1
    Scan saved at 8:56:10 AM, on 5/10/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\RXJpYyBOaWNob2xzb24\command.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\TIREMOTE\wuser32.exe
    C:\WINNT\TIREMOTE\TIRemoteService.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\TIREMOTE\TIServiceMonitor.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Clow Valve Company
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\oyqpu.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,auwtfpe.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINNT\TIREMOTE\TIServiceMonitor.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O15 - Trusted Zone: http://www.realmofexcursion.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...sp?forceLoad=1
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/ed...fm?Release=rel
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129917352468
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/instal...sinstaller.cab
    O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} (RealPlayer G2 Control) - http://activex.microsoft.com/activex...n/nsmp2inf.cab
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.com/client/msnmusax3426.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLOW.McWane-VHD.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF3A20A1-7F2A-42DD-B0E5-7DB48AFC3061}: Domain = clow.McWane-VHD.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLOW.McWane-VHD.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clowvalve.com,clow.McWane-VHD.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLOW.McWane-VHD.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clowvalve.com,clow.McWane-VHD.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clowvalve.com,clow.McWane-VHD.com
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\RXJpYyBOaWNob2xzb24\command.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINNT\TIREMOTE\wuser32.exe
    O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Intuit, Inc. - C:\WINNT\TIREMOTE\TIRemoteService.exe

    Spybot finds cmdservice and can not be removed. Any help would be greatly appreciated.

    Thanks

    Eric
  2. 2006-05-10, 18:58 #2
    _PuNiShEr_
    _PuNiShEr_ is offline
    Junior Member
    Join Date
    May 2006
    Posts
    11

    Default

    Ive cleaned up some stuff and now everytime i open internet explorer i get a Microsoft Office XP Professional box that pops up and says please wait while Windows configures Microsoft Office XP Professional and then a message asking me to insert the Microsoft Office XP Professional CD so it and press continue.
  3. 2006-05-11, 02:08 #3
    pskelley
    pskelley is offline
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Hello Eric and welcome to the forum. If you still need help and are not receiving it elsewhere, You have markers for the Qoologic trojan along with other nasties. We will remove Qoologic first. I can tell you, if you do not follow the directions exactly as posted, the fix will not work.

    Download Brute Force Uninstaller to your C:\
    http://www.merijn.org/files/bfu.zip
    Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
    Download qoofix.bat: http://downloads.subratam.org/Lon/qooFix.bat
    (rightclick on this link and choose save as)
    Place qoofix.bat in your C:\BFU - folder. (Important!)
    Doubleclick qooFix.bat, Close all browsers and explorer folders.
    Choose option 1 (Qoolfix autofix) and follow the prompts.
    Please be patient, it will take about five minutes.
    After the PC has restarted please post another hijackthis log.

    We will have more to do.

    Thanks...pskelley
    Safer Networking Forums
  4. 2006-05-11, 04:00 #4
    _PuNiShEr_
    _PuNiShEr_ is offline
    Junior Member
    Join Date
    May 2006
    Posts
    11

    Default

    I did alot of stuff today trying to fix it i actually did do what you just said earlier i will post my new HJT log in the morning when i get to that computer im on a different computer now. Thanks for steping up and helping I really apreciated it.

    Eric
  5. 2006-05-11, 14:29 #5
    _PuNiShEr_
    _PuNiShEr_ is offline
    Junior Member
    Join Date
    May 2006
    Posts
    11

    Default

    Okay so far i have ran Look2Me-Destroyer.exe and Brute Force Uninstall. Here is my new HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:28:47 AM, on 5/11/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\RXJpYyBOaWNob2xzb24\command.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\TIREMOTE\wuser32.exe
    C:\WINNT\TIREMOTE\TIRemoteService.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\TIREMOTE\TIServiceMonitor.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\msiexec.exe
    C:\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Clow Valve Company
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINNT\TIREMOTE\TIServiceMonitor.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O15 - Trusted Zone: http://www.realmofexcursion.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...sp?forceLoad=1
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/ed...fm?Release=rel
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129917352468
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/instal...sinstaller.cab
    O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} (RealPlayer G2 Control) - http://activex.microsoft.com/activex...n/nsmp2inf.cab
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.com/client/msnmusax3426.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLOW.McWane-VHD.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF3A20A1-7F2A-42DD-B0E5-7DB48AFC3061}: Domain = clow.McWane-VHD.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLOW.McWane-VHD.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clowvalve.com,clow.McWane-VHD.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLOW.McWane-VHD.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clowvalve.com,clow.McWane-VHD.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clowvalve.com,clow.McWane-VHD.com
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\RXJpYyBOaWNob2xzb24\command.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINNT\TIREMOTE\wuser32.exe
    O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Intuit, Inc. - C:\WINNT\TIREMOTE\TIRemoteService.exe


    Thanks for the help in advance.

    Eric
  6. 2006-05-11, 14:58 #6
    pskelley
    pskelley is offline
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Hello Eric, I want you to know I appreciate your zeal, but some of these fixes can damage your computer and there was no evidence of Look2me in your HJT log. Good job with the Qoofix, that trojan appears to be gone, let's get rid of the rest of the junk.

    1) Turn off TeaTimer until you are done, it may block the fix we must make: http://russelltexas.com/malware/teatimer.htm

    2) This trojan: C:\WINNT\RXJpYyBOaWNob2xzb24\command.exe >>> Command Service (cmdService) X command.exe Adware is also running from your services. Let's try this:

    3) Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    4) Disable the offending Service
    Click Start > Run and type services.msc
    Scroll down to Command Service and right click on it.
    Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

    Delete the offending Service
    Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
    In the Delete window, type (cmdService) and press OK.
    OK any prompts, close HijackThis, and restart your computer.

    5) Close all programs but HJT and all browser windows, then click on "Fix Checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    (if you know this is safe, you can leave it, but that is a lot of access you are giving the site)
    O15 - Trusted Zone: http://www.realmofexcursion.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...sp?forceLoad=1
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/instal...sinstaller.cab
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\RXJpYyBOaWNob2xzb24\command.exe
    (service may be gone)

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    (this next item may have been removed when you used HJT, but we need to be sure, if it is there, delete that folder. If it will not let you, then do it in safe mode: http://www.bleepingcomputer.com/tuto...utorial61.html )

    C:\WINNT\RXJpYyBOaWNob2xzb24\command.exe <<< folder

    If you don't have a good cleaner, use this free one with these instructions:
    Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
    Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

    If all goes well, that should do it, post a fresh HJT log for a final look. Please add any comments you think will help.

    Thanks...Phil
  7. 2006-05-11, 15:04 #7
    _PuNiShEr_
    _PuNiShEr_ is offline
    Junior Member
    Join Date
    May 2006
    Posts
    11

    Default

    I can not stop it all those options are grayed out
  8. 2006-05-11, 15:05 #8
    _PuNiShEr_
    _PuNiShEr_ is offline
    Junior Member
    Join Date
    May 2006
    Posts
    11

    Default

    Quote Originally Posted by _PuNiShEr_
    I can not stop it all those options are grayed out
    Sorry im refering to your #4
  9. 2006-05-11, 15:14 #9
    pskelley
    pskelley is offline
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Please explain what you mean, what options are grayed out?? Are you saying that you can not disable that service?

    Since this is: Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    The service may be disabled different that WinXP. Continue with the balance of the instructions and watch for private messages. Once I find how to disable a service in 2M I will either post it or PM the information.

    Thanks
  10. 2006-05-11, 15:31 #10
    _PuNiShEr_
    _PuNiShEr_ is offline
    Junior Member
    Join Date
    May 2006
    Posts
    11

    Default

    After i did that command service is no longer listed so needing the stop option is no longer an issue. Thanks for the help heres my new HJT log hopes it clean...

    Logfile of HijackThis v1.99.1
    Scan saved at 8:29:33 AM, on 5/11/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\TIREMOTE\wuser32.exe
    C:\WINNT\TIREMOTE\TIRemoteService.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\TIREMOTE\TIServiceMonitor.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Clow Valve Company
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Track-It! Workstation Manager Service Monitor] C:\WINNT\TIREMOTE\TIServiceMonitor.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/ed...fm?Release=rel
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1129917352468
    O16 - DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} (RealPlayer G2 Control) - http://activex.microsoft.com/activex...n/nsmp2inf.cab
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.com/client/msnmusax3426.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CLOW.McWane-VHD.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF3A20A1-7F2A-42DD-B0E5-7DB48AFC3061}: Domain = clow.McWane-VHD.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CLOW.McWane-VHD.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = clowvalve.com,clow.McWane-VHD.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CLOW.McWane-VHD.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = clowvalve.com,clow.McWane-VHD.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = clowvalve.com,clow.McWane-VHD.com
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Track-It! Remote Control (TIRmtCtl) - Intuit Track-It! - C:\WINNT\TIREMOTE\wuser32.exe
    O23 - Service: Track-It! Workstation Manager (TIRmtSvc) - Intuit, Inc. - C:\WINNT\TIREMOTE\TIRemoteService.exe
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules