Author Topic: Command Service (and Other Spyware) Removal - Help Required  (Read 3318 times)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Command Service (and Other Spyware) Removal - Help Required
« Reply #20 on: July 11, 2006, 12:09:29 AM »
Let's keep digging
Download SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

If you find these files, can you send them to the recycle bin
Exact file names in the exact locations
They should be gone, but take a look
C:\WINDOWS\system32\sdclogon.dll
C:\WINDOWS\system32\wjploc.dll
C:\WINDOWS\system32\dround3d.dll

Could you also
Download:  Registry Search Tool from this link, it's a very small download
http://billsway.com/vbspage/
You will have to scroll down to see it

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK

145DF32C-0A6A-1033-0818-041025200001

Wait for the results and post them back here
« Last Edit: July 11, 2006, 12:36:28 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Wadinator

  • Newbie
  • *
  • Posts: 31
  • Karma: +0/-0
    • View Profile
Command Service (and Other Spyware) Removal - Help Required
« Reply #21 on: July 11, 2006, 07:13:44 AM »
Hi,

I found none of the three files you specified. I think that's good. Below are the SmitfraudFix and Registry Search log files.


SmitFraudFix v2.69

Scan done at  8:08:21.62, Tue 07/11/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\ryle.html"
"SubscribedURL"=""
"FriendlyName"=""
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\pojyxi.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


=================================================

Here are the results from the registry searching download.

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "145DF32C-0A6A-1033-0818-041025200001" 7/11/2006 8:03:16 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"b"="C:\\Program Files\\Common Files\\{145DF32C-0A6A-1033-0818-041025200001}\\Update.exe"

[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\{145DF32C-0A6A-1033-0818-041025200001}\\Update.exe"="Update"

[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003\Software\Classes\CLSID\{145DF32C-0A6A-1033-0818-041025200001}]

[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003_Classes\CLSID\{145DF32C-0A6A-1033-0818-041025200001}]

 =================================================

Offline guestolo

Command Service (and Other Spyware) Removal - Help Required
« Reply #22 on: July 11, 2006, 08:26:18 PM »
Can you try the following please

Delete fix.reg you saved earlier on desktop
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

 
Code:
REGEDIT4

[-HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003\Software\Classes\CLSID\{145DF32C-0A6A-1033-0818-041025200001}]

[-HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003_Classes\CLSID\{145DF32C-0A6A-1033-0818-041025200001}]


Double click on fix.reg and allow to merge to the registry at the prompt

Reboot back into safe mode, sign in with your normal user account

Find and delete these files if found
C:\Program Files\Common Files\ryle.html <-file
C:\Program Files\ComPlus Applications\pojyxi.html <-file, this one should be gone, but take a look

==Open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process.  A text file will appear onscreen, with results from the cleaning process
I'll need to see these later, by default they are also saved at C:\rapport.txt

Reboot back to Normal mode
Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Click the Customize Desktop button.
5. Click the Web tab in the Desktop Items window.
6. Make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

Post back the log from Smitfraudfix located here >> C:\rapport.txt
Post back one more fresh hijackthis log please

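As an added example (not code from this thread, from SmitfraudFix or from RegSrch.vbs), here is a Python script that parses REGEDIT4-style text like the Desktop Components section and the RegSrch results posted above, flags Active Desktop components whose Source is a local file, and writes a "[-KEY]" removal script of the same shape as the fix.reg above for the CLSID keys carrying the searched GUID. The sample input is constructed from the values posted in this thread.

```python
"""Added example (not code from this thread, SmitfraudFix or RegSrch.vbs).
Parses REGEDIT4-style text such as SmitfraudFix's 'Desktop Components'
section and RegSrch.vbs results, flags Active Desktop components that point
at a local file, and writes a '[-KEY]' removal script for the CLSID keys that
carry a given GUID, the same shape as the fix.reg posted in this thread."""
import re

# Constructed sample, modelled on the values posted earlier in this thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\ryle.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\{145DF32C-0A6A-1033-0818-041025200001}\\Update.exe"="Update"

[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003\Software\Classes\CLSID\{145DF32C-0A6A-1033-0818-041025200001}]

[HKEY_USERS\S-1-5-21-3960438994-4057883899-726034567-1003_Classes\CLSID\{145DF32C-0A6A-1033-0818-041025200001}]
'''

# The GUID searched for with RegSrch.vbs in this thread (without braces).
GUID = "145DF32C-0A6A-1033-0818-041025200001"

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')
COMPONENT_RE = re.compile(r'\\Desktop\\Components\\\d+$', re.IGNORECASE)


def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_export(text):
    """Return {key_path: {value_name: data}}. Keys without values are kept
    (empty dict): the CLSID keys in the RegSrch output are exactly that."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group('name'))] = unescape(m.group('data'))
    return keys


def suspicious_desktop_components(keys):
    """Active Desktop components whose Source is a local file rather than
    About:Home or a web URL; that is how the hijacked 'wallpaper' was planted."""
    flagged = []
    for key, values in keys.items():
        if not COMPONENT_RE.search(key):
            continue
        source = values.get("Source", "")
        if not source.lower().startswith(("about:", "http://", "https://")):
            flagged.append((key, source))
    return flagged


def keys_referencing(keys, guid):
    """Keys that mention guid in their path, a value name or value data
    (the same hits RegSrch.vbs lists)."""
    g = guid.lower()
    return [k for k, vals in keys.items()
            if g in k.lower()
            or any(g in n.lower() or g in d.lower() for n, d in vals.items())]


def removal_reg(keys, guid):
    """REGEDIT4 script that deletes only the CLSID keys carrying guid, using
    the '[-KEY]' form. MUICache and OpenSaveMRU hits are left alone: they
    record that the file was run or browsed, they do not load it."""
    marker = "\\clsid\\{" + guid.lower() + "}"
    targets = [k for k in keys_referencing(keys, guid) if marker in k.lower()]
    return "REGEDIT4\n\n" + "".join("[-%s]\n\n" % k for k in targets)


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for key, src in suspicious_desktop_components(parsed):
        print("Active Desktop component loading a local file:", key, "->", src)
    print(removal_reg(parsed, GUID))
```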


Offline Wadinator

Command Service (and Other Spyware) Removal - Help Required
« Reply #23 on: July 11, 2006, 09:05:10 PM »
After the reboot to safe mode, I DID NOT find either of the two files you specified.
When I ran SmitfraudFix, I did not get any messages about wininet.dll.
Around this time, Disk Cleanup started. I let it run.
SmitfraudFix did not prompt me to restart the system, but I did anyway since that was the next instruction.
There were no checkboxes checked on the web tab of Display Settings.

My system is running identically to the last time I explained. No taskbar. Slow startup. Other than that, it seems OK.

Here are the two log files you wanted.

===================================

SmitFraudFix v2.69

Scan done at 21:47:01.28, Tue 07/11/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

===================================
HJT log file
===================================

Logfile of HijackThis v1.99.1
Scan saved at 10:04:16 PM, on 7/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for all your help.

Oh yeah, one more thing, the background of my desktop changed back to the original default blue color.
« Last Edit: July 11, 2006, 09:07:56 PM by Wadinator »

Offline guestolo

Command Service (and Other Spyware) Removal - Help Required
« Reply #24 on: July 11, 2006, 09:08:38 PM »
Can you try a couple more things for me please
Then we can see if it's related to a legit program you have installed

1. Download this file - Combofix.exe and save it to desktop
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Also, download and save to desktop
F-Secure Blacklight (blbeta.exe)

    Double click to run blbeta.exe
    * Accept the user agreement.
    * Click Scan.
    * After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log". Please post that log.
« Last Edit: July 11, 2006, 09:21:26 PM by guestolo »



Offline Wadinator

Command Service (and Other Spyware) Removal - Help Required
« Reply #25 on: July 11, 2006, 09:19:53 PM »
Please post a new link to the second file. Your link is outdated apparently.

Thanks

I'll run the first app and get back to you in a few minutes.
« Last Edit: July 11, 2006, 09:21:35 PM by Wadinator »

Offline guestolo

Command Service (and Other Spyware) Removal - Help Required
« Reply #26 on: July 11, 2006, 09:22:03 PM »
Updated in last reply



Offline Wadinator

Command Service (and Other Spyware) Removal - Help Required
« Reply #27 on: July 11, 2006, 09:38:45 PM »
I downloaded the two apps. Here are the log files created.

================
ComboFix
================

Start Time= Tue 07/11/2006 22:21:54.23
Running from: C:\Documents and Settings\Owner\Desktop
 
QuickScan did not find any signs of infected files

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-11     22:20:00         2182          ( A.... )   "C:\Documents and Settings\Owner\Application Data\.googlewebacchosts"
2006-07-10     22:59:16                       ( .D... )   "C:\Program Files\Common Files\Java"
2006-07-10     12:46:02                       ( .D... )   "C:\Program Files\CleanUp!"
2006-07-10     11:54:58                       ( .D... )   "C:\Program Files\SymNetDrv"
2006-07-09     18:15:36        76800       ( A.... )   "C:\WINDOWS\system32\VundoFix.exe"
2006-07-06     23:58:22                       ( .D... )   "C:\Program Files\Common Files\??stem"
2006-07-06     23:58:22                       ( .D... )   "C:\Program Files\??crosoft.NET"
2006-07-06     23:58:22                       ( .D... )   "C:\Documents and Settings\Owner\Application Data\?racle"
2006-07-06     23:47:22         1063       ( A.... )   "C:\WINDOWS\system32\jxea7b22.sys"
2006-07-06     23:47:22         1063       ( A.... )   "C:\WINDOWS\system32\jxea7b22.sys"
2006-07-06     23:41:12                       ( .D... )   "C:\Program Files\ewido anti-spyware 4.0"
2006-07-06     22:24:52            2       ( A.... )   "C:\WINDOWS\system32\wnsintit.exe"
2006-07-06     21:07:00            0          ( A.... )   "C:\Documents and Settings\Owner\Application Data\internaldb41.dat"
2006-07-06     21:06:30                       ( .D... )   "C:\Program Files\PSHope"
2006-07-06     21:06:10         8464       ( A.... )   "C:\WINDOWS\system32\sporder.dll"
2006-07-01     22:17:04                       ( .D... )   "C:\Program Files\QuickTime"
2006-07-01     16:25:34                       ( .D... )   "C:\Program Files\MSBuild"
2006-06-29     10:07:36        61440       ( A.... )   "C:\WINDOWS\system32\BattyRun.dll"
2006-06-07     18:42:54                       ( .D... )   "C:\Program Files\Need2Find"
2006-06-07     11:15:24                       ( .D... )   "C:\Program Files\Common Files\xing shared"
2006-06-07     11:15:12       176167       ( A.... )   "C:\WINDOWS\system32\rmoc3260.dll"
2006-06-07     11:15:00         6656       ( A.... )   "C:\WINDOWS\system32\pndx5016.dll"
2006-06-07     11:15:00         5632       ( A.... )   "C:\WINDOWS\system32\pndx5032.dll"
2006-06-07     11:14:54       278528       ( A.... )   "C:\WINDOWS\system32\pncrt.dll"
2006-06-02     13:39:46       402736       ( ..... )   "C:\WINDOWS\system32\WgaLogon.dll"
2006-05-28     22:30:54                       ( .D... )   "C:\Program Files\WinRAR"
2006-05-20     22:12:18                       ( .D... )   "C:\Program Files\Derivator 2.4"
2006-05-11     17:07:22                       ( .D... )   "C:\Program Files\gdShutdown"
2006-05-03     02:56:58       127078       ( A.... )   "C:\WINDOWS\system32\javaws.exe"
2006-05-03     01:19:40        53346       ( A.... )   "C:\WINDOWS\system32\javaw.exe"
2006-05-03     01:19:30        49248       ( A.... )   "C:\WINDOWS\system32\java.exe"
2006-04-28     01:51:38        29968       ( A.... )   "C:\WINDOWS\system32\mdimon.dll"
2006-04-25     20:41:04      1190152       ( A.... )   "C:\WINDOWS\system32\FM20.DLL"
2006-04-25     20:41:04        32528       ( A.... )   "C:\WINDOWS\system32\FM20ENU.DLL"


((((((((((((((((((((((((((((((((((((((   Files Created - Last 30days   )))))))))))))))))))))))))))))))))))))))))))


2006-07-11   21:52   527,224,832      C:\hiberfil.sys
2006-07-10   23:01   53,346      C:\WINDOWS\system32\javaw.exe
2006-07-10   23:01   49,248      C:\WINDOWS\system32\java.exe
2006-07-10   23:01   127,078      C:\WINDOWS\system32\javaws.exe
2006-07-09   18:15   76,800      C:\WINDOWS\system32\VundoFix.exe
2006-07-06   22:01   2      C:\WINDOWS\system32\wnsintit.exe
2006-07-06   21:06   8,464      C:\WINDOWS\system32\sporder.dll
2006-07-06   21:06   1,063      C:\WINDOWS\system32\jxea7b22.sys
2006-07-01   16:29   29,968      C:\WINDOWS\system32\mdimon.dll
2006-06-30   20:24   163,840      C:\WINDOWS\system32\igfxres.dll
2006-06-29   10:07   61,440      C:\WINDOWS\system32\BattyRun.dll
2006-06-02   13:39   402,736      C:\WINDOWS\system32\WgaLogon.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,30,01,00,00,00,00,00,00,4d,03,00,00,44,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
 
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Tue 07/11/2006 22:28:24.67
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

================
F-Secure Blacklight
================

07/11/06 22:32:06 [Info]: BlackLight Engine 1.0.42 initialized
07/11/06 22:32:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/11/06 22:32:06 [Note]: 7019 4
07/11/06 22:32:06 [Note]: 7005 0
07/11/06 22:32:12 [Note]: 7006 0
07/11/06 22:32:12 [Note]: 7011 1808
07/11/06 22:32:12 [Note]: 7026 0
07/11/06 22:32:12 [Note]: 7026 0
07/11/06 22:32:26 [Note]: FSRAW library version 1.7.1019
07/11/06 22:38:05 [Note]: 7007 0
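Added example, not ComboFix's own code: a Python parser for Find3M report lines like the ones above. It flags names the log printed with "?" (not a legal Windows filename character, so the real name held something the log could not render, as with the "??crosoft.NET" and "?racle" folders in this report) and implausibly small binaries under system32 such as the 2-byte wnsintit.exe. The sample lines are constructed from this report, and the 1024-byte threshold is an assumption chosen for the example.

```python
"""Added example (not ComboFix's own code): parse Find3M report lines like the
ones in this thread and flag entries worth a second look."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the Find3M report posted in this thread.
SAMPLE_REPORT = r'''
2006-07-11     22:20:00         2182          ( A.... )   "C:\Documents and Settings\Owner\Application Data\.googlewebacchosts"
2006-07-10     22:59:16                       ( .D... )   "C:\Program Files\Common Files\Java"
2006-07-06     23:58:22                       ( .D... )   "C:\Program Files\Common Files\??stem"
2006-07-06     23:58:22                       ( .D... )   "C:\Program Files\??crosoft.NET"
2006-07-06     23:58:22                       ( .D... )   "C:\Documents and Settings\Owner\Application Data\?racle"
2006-07-06     23:47:22         1063       ( A.... )   "C:\WINDOWS\system32\jxea7b22.sys"
2006-07-06     22:24:52            2       ( A.... )   "C:\WINDOWS\system32\wnsintit.exe"
2006-07-06     21:06:10         8464       ( A.... )   "C:\WINDOWS\system32\sporder.dll"
2006-06-02     13:39:46       402736       ( ..... )   "C:\WINDOWS\system32\WgaLogon.dll"
'''

# date  time  [size]  ( attrs )  "path"; directories carry no size column
LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?P<size>\d+)?\s*\(\s*(?P<attr>[A-Z.]{5})\s*\)\s+"(?P<path>.+)"\s*$')

# Assumption for this example: a genuine program file under system32 is not this small.
TINY_BINARY_BYTES = 1024


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories, which Find3M prints without a size
    attr: str             # e.g. 'A....' (archive) or '.D...' (directory)
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attr

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_find3m(text: str) -> List[Entry]:
    """Turn report lines into Entry objects; banner and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size = int(m.group("size")) if m.group("size") else None
        entries.append(Entry(m.group("date"), m.group("time"), size,
                             m.group("attr"), m.group("path")))
    return entries


def find_oddities(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(reason, path) pairs for entries that deserve a closer look."""
    findings = []
    for e in entries:
        # '?' is not a legal Windows filename character, so a '?' in the logged
        # name means the real name held a character the log could not render;
        # that is consistent with the '??crosoft.NET' and '?racle' names above.
        if "?" in e.name:
            findings.append(("unrenderable character in name", e.path))
        in_system32 = "\\system32\\" in e.path.lower()
        if (not e.is_dir and in_system32 and e.size is not None
                and e.size < TINY_BINARY_BYTES
                and e.name.lower().endswith((".exe", ".dll", ".sys"))):
            findings.append(("implausibly small binary in system32", e.path))
    return findings


if __name__ == "__main__":
    for reason, path in find_oddities(parse_find3m(SAMPLE_REPORT)):
        print("%-40s %s" % (reason, path))
```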

Offline guestolo

Command Service (and Other Spyware) Removal - Help Required
« Reply #28 on: July 12, 2006, 06:46:33 PM »
Sorry for the delay, can you try running an uninstaller for me please

Follow the instructions at the below link
and run the OiUninstaller.exe
Be sure to reboot when done

Back in  Windows
Run Combofix again and post the new log from it please
Let's see what we're left with



Offline Wadinator

Command Service (and Other Spyware) Removal - Help Required
« Reply #29 on: July 12, 2006, 09:30:55 PM »
I ran the OIUninstaller. It rebooted at the end saying that some files would be deleted during reboot.

Once the computer rebooted, I still encountered the disappearing taskbar error. (It disappeared after about 5 seconds)

Then, I ran ComboFix again. Here is the log file it created.

Start Time= Wed 07/12/2006 22:19:29.39
Running from: C:\Documents and Settings\Owner\Desktop
 
QuickScan did not find any signs of infected files

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-12     22:14:08         2223          ( A.... )   "C:\Documents and Settings\Owner\Application Data\.googlewebacchosts"
2006-07-10     22:59:16                       ( .D... )   "C:\Program Files\Common Files\Java"
2006-07-10     12:46:02                       ( .D... )   "C:\Program Files\CleanUp!"
2006-07-10     11:54:58                       ( .D... )   "C:\Program Files\SymNetDrv"
2006-07-09     18:15:36        76800       ( A.... )   "C:\WINDOWS\system32\VundoFix.exe"
2006-07-06     23:58:22                       ( .D... )   "C:\Program Files\??crosoft.NET"
2006-07-06     23:58:22                       ( .D... )   "C:\Documents and Settings\Owner\Application Data\?racle"
2006-07-06     23:47:22         1063       ( A.... )   "C:\WINDOWS\system32\jxea7b22.sys"
2006-07-06     23:47:22         1063       ( A.... )   "C:\WINDOWS\system32\jxea7b22.sys"
2006-07-06     23:41:12                       ( .D... )   "C:\Program Files\ewido anti-spyware 4.0"
2006-07-06     21:07:00            0          ( A.... )   "C:\Documents and Settings\Owner\Application Data\internaldb41.dat"
2006-07-06     21:06:30                       ( .D... )   "C:\Program Files\PSHope"
2006-07-06     21:06:10         8464       ( A.... )   "C:\WINDOWS\system32\sporder.dll"
2006-07-01     22:17:04                       ( .D... )   "C:\Program Files\QuickTime"
2006-07-01     16:25:34                       ( .D... )   "C:\Program Files\MSBuild"
2006-06-29     10:07:36        61440       ( A.... )   "C:\WINDOWS\system32\BattyRun.dll"
2006-06-07     18:42:54                       ( .D... )   "C:\Program Files\Need2Find"
2006-06-07     11:15:24                       ( .D... )   "C:\Program Files\Common Files\xing shared"
2006-06-07     11:15:12       176167       ( A.... )   "C:\WINDOWS\system32\rmoc3260.dll"
2006-06-07     11:15:00         6656       ( A.... )   "C:\WINDOWS\system32\pndx5016.dll"
2006-06-07     11:15:00         5632       ( A.... )   "C:\WINDOWS\system32\pndx5032.dll"
2006-06-07     11:14:54       278528       ( A.... )   "C:\WINDOWS\system32\pncrt.dll"
2006-06-02     13:39:46       402736       ( ..... )   "C:\WINDOWS\system32\WgaLogon.dll"
2006-05-28     22:30:54                       ( .D... )   "C:\Program Files\WinRAR"
2006-05-20     22:12:18                       ( .D... )   "C:\Program Files\Derivator 2.4"
2006-05-03     02:56:58       127078       ( A.... )   "C:\WINDOWS\system32\javaws.exe"
2006-05-03     01:19:40        53346       ( A.... )   "C:\WINDOWS\system32\javaw.exe"
2006-05-03     01:19:30        49248       ( A.... )   "C:\WINDOWS\system32\java.exe"
2006-04-28     01:51:38        29968       ( A.... )   "C:\WINDOWS\system32\mdimon.dll"
2006-04-25     20:41:04      1190152       ( A.... )   "C:\WINDOWS\system32\FM20.DLL"
2006-04-25     20:41:04        32528       ( A.... )   "C:\WINDOWS\system32\FM20ENU.DLL"


((((((((((((((((((((((((((((((((((((((   Files Created - Last 30days   )))))))))))))))))))))))))))))))))))))))))))


2006-07-11   21:52   527,224,832      C:\hiberfil.sys
2006-07-10   23:01   53,346      C:\WINDOWS\system32\javaw.exe
2006-07-10   23:01   49,248      C:\WINDOWS\system32\java.exe
2006-07-10   23:01   127,078      C:\WINDOWS\system32\javaws.exe
2006-07-09   18:15   76,800      C:\WINDOWS\system32\VundoFix.exe
2006-07-06   21:06   8,464      C:\WINDOWS\system32\sporder.dll
2006-07-06   21:06   1,063      C:\WINDOWS\system32\jxea7b22.sys
2006-07-01   16:29   29,968      C:\WINDOWS\system32\mdimon.dll
2006-06-30   20:24   163,840      C:\WINDOWS\system32\igfxres.dll
2006-06-29   10:07   61,440      C:\WINDOWS\system32\BattyRun.dll
2006-06-02   13:39   402,736      C:\WINDOWS\system32\WgaLogon.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SunKistEM"="C:\\Program Files\\Digital Media Reader\\shwiconem.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,30,01,00,00,00,00,00,00,4d,03,00,00,44,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,44,03,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
 
 

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Wed 07/12/2006 22:25:59.12
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-07-12.221929.txt

guestolo
Command Service (and Other Spyware) Removal - Help Required
« Reply #30 on: July 12, 2006, 09:58:14 PM »
Make sure Windows is set to show hidden files and folders:
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Find and delete this file from another fix
C:\WINDOWS\system32\VundoFix.exe
and these folders
C:\Program Files\PSHope
C:\Program Files\Need2Find

I want you to find the next folders and send them to the recycle bin also
Leave them there for now
They are the folders with question marks in them; the ? marks will not actually be found, they are characters not recognized by Windows
They may actually appear as legit folder names
Remain in the Program Files folder and look for the next folder name
C:\Program Files\??crosoft.NET <--in the Exact location, may be named as a legit folder Microsoft.NET which is located in the Windows folder
Right click on the folder, it should have a creation date of 2006-07-06

and then navigate to this one
C:\Documents and Settings\Owner\Application Data\?racle
May be named Oracle
Creation date also
2006-07-06

Can you again go to either
http://virusscan.jotti.org/
or
http://www.virustotal.com/flash/index_en.html

Can you scan these files and post the results please
C:\WINDOWS\system32\jxea7b22.sys
C:\Documents and Settings\Owner\Application Data\internaldb41.dat
C:\WINDOWS\system32\BattyRun.dll

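The point of the post above is that the rogue folders borrow a legitimate name (Microsoft.NET, Oracle) but with leading characters Windows cannot display, and that they all share one creation date. As an added example that is not from this thread or from guestolo, the Python script below automates that triage: it flags folder names containing characters outside printable ASCII, works out which legitimate name each one mimics, and groups the hits by creation date. The sample paths, the Cyrillic stand-in characters and the function names are constructed for the example.

```python
import ntpath

# Legitimate folder names the look-alike folders in this thread imitated.
LEGIT_NAMES = ("Microsoft.NET", "Oracle")

def odd_chars(name):
    """Characters outside printable ASCII; XP-era Explorer showed them as '?'."""
    return [c for c in name if not 0x20 <= ord(c) < 0x7F]

def impersonates(name, legit_names=LEGIT_NAMES):
    """Legitimate name that `name` mimics (same length, differing only at odd chars), else None."""
    odd = set(odd_chars(name))
    for legit in legit_names:
        if len(legit) == len(name) and all(
                a == b or a in odd for a, b in zip(name, legit)):
            return legit
    return None

def triage(entries):
    """entries: (Windows path, 'YYYY-MM-DD' creation date) pairs. Flags every folder
    whose name has odd characters and notes which legitimate folder it resembles."""
    findings = []
    for path, created in entries:
        name = ntpath.basename(path)
        odd = odd_chars(name)
        if odd:
            findings.append({"path": path, "created": created,
                             "looks_like": impersonates(name),
                             "odd_chars": ["U+%04X" % ord(c) for c in odd]})
    return findings

def shared_creation_dates(findings):
    """Dates shared by several flagged folders; here all look-alikes were dated 2006-07-06."""
    counts = {}
    for f in findings:
        counts[f["created"]] = counts.get(f["created"], 0) + 1
    return sorted(d for d, n in counts.items() if n > 1)

# Constructed sample modelled on the thread; Cyrillic letters stand in for the '?' characters.
SAMPLE = [
    ("C:\\Program Files\\Microsoft.NET", "2005-08-15"),
    ("C:\\Program Files\\\u041c\u0456crosoft.NET", "2006-07-06"),
    ("C:\\Documents and Settings\\Owner\\Application Data\\\u041eracle", "2006-07-06"),
    ("C:\\Program Files\\Need2Find", "2006-06-07"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print("shared creation dates:", shared_creation_dates(triage(SAMPLE)))
```

On a live machine the same `triage` function can be fed `(entry.path, creation date)` pairs gathered with `os.scandir` over Program Files and the Application Data folders.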

Wadinator
Command Service (and Other Spyware) Removal - Help Required
« Reply #31 on: July 12, 2006, 10:03:36 PM »
Hi guestolo,

I found and removed the first three files/folders you told me to.
I also found the Microsoft.NET folder but its creation date was August 15, 2005. So I did not move it to the recycle bin.
The Oracle folder did have a creation date of 2006-07-06 so I deleted that one.

The online virus scan I did on the three files produced the following results:

1) jxea7b22.sys >> nothing found
2) internaldb41.dat >> This file brought up another page which said "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"
3) BattyRun.dll >> nothing found

Thanks for your help.
« Last Edit: July 12, 2006, 10:21:43 PM by Wadinator »

guestolo
Command Service (and Other Spyware) Removal - Help Required
« Reply #32 on: July 12, 2006, 10:30:36 PM »
I can't find any info on jxea7b22.sys
Can you send it to the recycle bin for now, we'll leave it there
Could you also send BattyRun.dll with it

Can you do the following
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as find.bat

Save this file on the desktop

Code:
REMOVED
Double click on find.bat, a text file called find.txt should open, can you copy>paste back here the whole contents please
« Last Edit: July 12, 2006, 10:57:15 PM by guestolo »


Wadinator
Command Service (and Other Spyware) Removal - Help Required
« Reply #33 on: July 12, 2006, 10:33:43 PM »
Did you misinterpret me when I said Nothing Found? I meant that the online scan said both of those files were clear. I did not mean that the files could not be found.

I'll do what you said anyway, just checking.

OK, here are the results of find.bat

 Volume in drive C has no label.
 Volume Serial Number is 145D-F32C

 Directory of C:\Program Files\Microsoft.NET
« Last Edit: July 12, 2006, 10:38:16 PM by Wadinator »

guestolo
Command Service (and Other Spyware) Removal - Help Required
« Reply #34 on: July 12, 2006, 10:37:30 PM »
Please do what I posted previously :)


Wadinator
Command Service (and Other Spyware) Removal - Help Required
« Reply #35 on: July 12, 2006, 10:41:48 PM »
It's Done. Look up. ^^^^^^^

guestolo
Command Service (and Other Spyware) Removal - Help Required
« Reply #36 on: July 12, 2006, 10:54:25 PM »
Sorry again :blink:

Can you do this one more time
Delete find.bat

And create a new one with the following entry in the code box below
Then post the results please

Code:
@echo off
cd C:\Program Files\??crosoft.NET
dir /s /a > C:\find.txt
notepad C:\find.txt
del /q C:\find.txt
« Last Edit: July 12, 2006, 10:55:09 PM by guestolo »


Wadinator
Command Service (and Other Spyware) Removal - Help Required
« Reply #37 on: July 12, 2006, 11:00:20 PM »
It's no problem. Here is the resulting text file.

Volume in drive C has no label.
 Volume Serial Number is 145D-F32C

 Directory of C:\Program Files\Microsoft.NET

08/19/2005  08:49 PM    <DIR>          .
08/19/2005  08:49 PM    <DIR>          ..
08/19/2005  09:23 PM    <DIR>          Primary Interop Assemblies
               0 File(s)              0 bytes

 Directory of C:\Program Files\Microsoft.NET\Primary Interop Assemblies

08/19/2005  09:23 PM    <DIR>          .
08/19/2005  09:23 PM    <DIR>          ..
03/19/2003  05:49 AM           110,592 adodb.dll
03/19/2003  05:53 AM         8,007,680 Microsoft.mshtml.dll
03/19/2003  05:50 AM            13,312 Microsoft.stdformat.dll
03/19/2003  05:50 AM             4,096 msdatasrc.dll
03/19/2003  05:50 AM            40,960 msddslmp.dll
03/19/2003  05:50 AM           143,360 msddsp.dll
03/19/2003  05:51 AM            16,384 stdole.dll
               7 File(s)      8,336,384 bytes

     Total Files Listed:
               7 File(s)      8,336,384 bytes
               5 Dir(s)  39,414,722,560 bytes free
« Last Edit: July 12, 2006, 11:01:00 PM by Wadinator »

guestolo
Command Service (and Other Spyware) Removal - Help Required
« Reply #38 on: July 12, 2006, 11:31:21 PM »
Leave the contents we removed in the recycle bin for now
Don't delete Microsoft.NET

If you find this file, send it to the recycle bin also
C:\WINDOWS\system32\ntmsdba.exe

Reboot the computer

Any luck with taskbar?

If not, can you do the following for me

Go to START>>RUN>>type in msconfig
Hit OK

Under the SERVICES tab Select "Hide All Microsoft Services"
Then Choose Disable ALL and select APPLY

Under the STARTUP tab select Disable ALL
APPLY and then CLOSE
Reboot the computer
Any luck with the taskbar?

I don't want you running like this for long, just let me know if the taskbar appears


Wadinator
Command Service (and Other Spyware) Removal - Help Required
« Reply #39 on: July 12, 2006, 11:35:12 PM »
Will do.

By the way, I do not see a file with the name ntmsdba.exe but I do have a .dll with the same name.