Please Help: Popups (cmdservice)

Panda ActiveScan, HJT, and blacklight reports

Hello illukka.

Here are the reports:

Incident Status Location

Adware:adware/secure32 Not disinfected C:\secure32.html
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\tool1.exe
Adware:adware/searchaid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\winsysupd1.dat
Adware:adware/savenow Not disinfected C:\PROGRAM FILES\VVSN
Adware:adware/maxifiles Not disinfected C:\PROGRAM FILES\COMMON FILES\InetGet
Adware:adware/cws.yexe Not disinfected C:\WINDOWS\inet20010
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@ad.yieldmanager[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@ads.pointroll[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@bravenet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@burstnet[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@c5.zedo[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@statcounter[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@yadro[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@zedo[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@ad.yieldmanager[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@ads.pointroll[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@bravenet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@burstnet[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@c5.zedo[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@stat.onestat[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@statcounter[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@yadro[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Vladimir\Cookies\vladimir@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Vladimir\Desktop\l2mfix\Process.exe
Virus:Trj/Goldun.EN Disinfected C:\WINDOWS\system32\avpe32.dll.ren
Virus:Trj/Goldun.EN Disinfected C:\WINDOWS\system32\qz.dll.ren
Spyware:Cookie/Screensavers Not disinfected C:\WINDOWS\Temp\Cookies\vladimir@i.screensavers[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\WINDOWS\Temp\Cookies\vladimir@rn11[2].txt
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\Temp\Cookies\vladimir@zedo[2].txt
Virus:Trj/Clicker.MU Disinfected C:\WINDOWS\tool3.exe
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs

Logfile of HijackThis v1.99.1
Scan saved at 9:58:07 PM, on 2/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\AntiSpyware\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Sit streight my dear ;-)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -trayboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - d:\Program Files\ICQLite\ICQLite.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128825914918
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe


02/15/06 21:09:50 [Info]: BlackLight Engine 1.0.30 initialized
02/15/06 21:09:50 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/15/06 21:09:50 [Note]: 7019 4
02/15/06 21:09:50 [Note]: 7005 0
02/15/06 21:09:54 [Note]: 7006 0
02/15/06 21:09:54 [Note]: 7011 720
02/15/06 21:09:55 [Note]: FSRAW library version 1.7.1014
02/15/06 21:10:48 [Note]: 7007 0

Thank you very much.

Regards
 
hi

I am not saying that BOClean is the holy grail, but take for instance the ones you had now: if you had BOClean, those would be yanked now..

these files need to be deleted
C:\secure32.html<<--file
C:\WINDOWS\tool1.exe<<--file
C:\WINDOWS\uninstall_nmon.vbs<<--file
C:\WINDOWS\winsysupd1.dat<<--file
C:\PROGRAM FILES\VVSN<<--folder
C:\PROGRAM FILES\COMMON FILES\InetGet<<--folder
C:\WINDOWS\inet20010<<--folder

I see no traces of a firewall or antivirus in your last log;
having both is essential.

Did you set these yourself, using Spybot for example?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
 
This topic will now be archived to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.
 