Google search redirected
#1 Wazoo (Member, 23 posts)
My Google searches are being redirected to different sites than selected. I have run the full range of tools with no success. I did check a couple of other posts on the same topic and it looks like HJT can fix the problem, but I could not readily identify the files that need to be deleted. I did see a file that is questionable, but I wanted to have someone here look before I deleted a file that might be needed to keep the system running.

Here is my HJT file. Any help is greatly appreciated.

Wazoo

Logfile of HijackThis v1.99.1
Scan saved at 1:55:23 PM, on 11/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\d2F6\command.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jucheck.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmogt.exe] C:\WINNT\system32\dmogt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.careerbuilder.com
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent...s/custappx3.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hobsonassoc....bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E067B82-B45D-482A-A973-7A04CD338159}: NameServer = 85.255.114.62,85.255.112.75
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
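The log above is the whole case: an O17 NameServer override pointing at two public addresses on a machine whose Domain is an intranet name, an O23 service of "Unknown owner" running from C:\WINNT\d2F6, and an O4 Run value named after its own executable. The following is an added example, not part of this thread and not HijackThis code, that parses O4/O17/O23 lines and flags exactly those three patterns. The Windows directory prefixes, the list of trusted system subfolders and the heuristics themselves are this example's assumptions; the sample lines are constructed from the log posted above.

```python
"""Triage a HijackThis log for the indicators this thread turned on (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the first log in the thread,
# plus the post-cleanup "(file missing)" form of the same service entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [dmogt.exe] C:\WINNT\system32\dmogt.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E067B82-B45D-482A-A973-7A04CD338159}: NameServer = 85.255.114.62,85.255.112.75
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe (file missing)
"""

# Assumptions of this example: where Windows lives and which folders under it
# legitimately host service binaries.
WINDIR_PREFIXES = ("c:\\winnt\\", "c:\\windows\\")
TRUSTED_WINDIR_SUBDIRS = {"system32", "system", "system32\\wbem"}

O4_RE = re.compile(r"^O4 - .*?\[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O17_DOMAIN_RE = re.compile(r"^O17 - .*: Domain = (?P<domain>\S+)$")
O17_NS_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str
    line: str
    detail: str


def _exe_path(cmd: str) -> str:
    """Return the executable part of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def _odd_windir_subfolder(path: str) -> bool:
    """True for C:\\WINNT\\<dir>\\x.exe where <dir> is not a known system folder."""
    low = path.lower()
    for prefix in WINDIR_PREFIXES:
        if low.startswith(prefix):
            rest = low[len(prefix):]
            parent = rest.rsplit("\\", 1)[0] if "\\" in rest else ""
            return bool(parent) and parent not in TRUSTED_WINDIR_SUBDIRS
    return False


def triage(log_text: str) -> list[Finding]:
    """Scan O4/O17/O23 lines and return the suspicious ones with a reason."""
    findings: list[Finding] = []
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # A Domain entry means the box expects its own (internal) resolvers.
    has_domain = any(O17_DOMAIN_RE.match(l) for l in lines)
    for line in lines:
        if m := O17_NS_RE.match(line):
            servers = [s.strip() for s in m["servers"].split(",")]
            public = [s for s in servers if not ipaddress.ip_address(s).is_private]
            if public:
                why = "public resolvers forced on an interface"
                if has_domain:
                    why += " of a domain-joined machine"
                findings.append(Finding("dns_hijack", line, f"{why}: {', '.join(public)}"))
        elif m := O23_RE.match(line):
            path = m["path"]
            if path.endswith("(file missing)"):
                findings.append(Finding("orphaned_service", line,
                                        "service key survives but its binary is gone; delete the service entry"))
            elif m["owner"] == "Unknown owner" and _odd_windir_subfolder(path):
                findings.append(Finding("rogue_service", line, f"service with no vendor name in {path}"))
        elif m := O4_RE.match(line):
            exe = _exe_path(m["cmd"]).rsplit("\\", 1)[-1]
            if m["label"].lower() == exe.lower():
                findings.append(Finding("autorun_named_as_file", line,
                                        f"Run value named after its own binary: {exe}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

Run against the sample it reports the NameServer override, the cmdService entry (both while the binary exists and as an orphan after it was deleted) and the dmogt.exe autorun; the legitimate Symantec service and the vptray autorun are left alone.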
#2 didom (Member 1K, 1,919 posts)
Click Start > Run, type CMD and tap Enter. Copy/paste the following into the command prompt:

sc stop cmdService

Hit Enter and copy/paste the following:

sc delete cmdService

At the command prompt: type exit.

Make sure all hidden files and folders are visible (instructions)

Navigate to:
C:\WINNT\d2F6 <--Delete folder if listed.

---------------------------------------------

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O4 - HKLM\..\Run: [dmogt.exe] C:\WINNT\system32\dmogt.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E067B82-B45D-482A-A973-7A04CD338159}: NameServer = 85.255.114.62,85.255.112.75
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe


Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

Edited by didom, 05 November 2005 - 07:41 AM.


#3 Wazoo (Topic Starter, 23 posts)
Thank you for getting back to me. I was out over the weekend so I did not get to the fix until today.

When I went to the command prompt and typed in sc stop cmdservice, I got a message that sc was not a recognized command. So I was not able to stop or delete the service. So, when I tried to delete the folder, it said one of the files was in use. Am I missing something with "sc stop cmdservice"?

I did run that fixwareout and deleted the files. The HJT log is provided below. It looks like things are better, but I got an internet wizard when I ran IE, so I am concerned that I am reinfecting until I can delete that folder.

Wazoo

#4 didom (Member 1K, 1,919 posts)
Try to disable and delete the service this way:

Click Start>Run, type services.msc into the Open: text box and click the Ok button.
  • In the Services window look for the Command Service (cmdService) service and double-click on it.
  • Click on the Stop button
  • In the Startup type dropdown box select Disabled
  • Click Apply button and then the Ok button.
  • Please run HijackThis and click Config -> Misc Tools -> Delete an NT service.
  • In the Delete window, type cmdService and press OK.
  • OK any prompts, close HijackThis, and restart your computer.
Make sure all hidden files and folders are visible (instructions)

Navigate to:
C:\WINNT\d2F6 <--Delete file if listed.

Then reboot your computer.

----------------------------------

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply.

#5 Wazoo (Topic Starter, 23 posts)
I am still having a problem stopping the command service. I was trying to fix the problem yesterday, and while I was working on it the entire office lost our internet connection. I am guessing this was just a coincidence, but we have never had a problem with our ISP connection before. Do you think the two things could be connected? I would still like to get rid of that folder, but not if there is a chance it will screw up my internet connection. It took almost two days to get it back.

Thank you,

Wazoo

#6 didom (Member 1K, 1,919 posts)
Hi wazoo,

That has to be a coincidence!! I am sure you won't screw up your internet connection when you delete that folder!

After you have done that, please run Panda ActiveScan and post the results from Panda and the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

Regards,

#7 Wazoo (Topic Starter, 23 posts)
Thank you for the response. I can access the command service, but the action functions are grayed out. Do you have any suggestion on how to stop the service?

#8 didom (Member 1K, 1,919 posts)
To stop the service:

Scan again with HijackThis and check the following item:

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Then reboot your computer.
  • Please run HijackThis and click Config -> Misc Tools -> Delete an NT service.
  • In the Delete window, type cmdService and press OK.
  • OK any prompts, close HijackThis, and restart your computer.
After you have done that, please run Panda ActiveScan and post the results from Panda and the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

#9 Wazoo (Topic Starter, 23 posts)
I was able to delete the folder and things appear to be okay. Thank you very much for your efforts. I have attached the latest HJT log. Please let me know if there is anything else that I need to do.

Wazoo

Logfile of HijackThis v1.99.1
Scan saved at 10:52:13 AM, on 11/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\waz\LOCALS~1\Temp\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.careerbuilder.com
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent...s/custappx3.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hobsonassoc....bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#10 didom (Member 1K, 1,919 posts)
Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with the contents of the logfile C:\fixwareout\report.txt and a new HijackThis log.
#11 Wazoo (Topic Starter, 23 posts)
I have completed the fixes and here are the logs.


Incident Status Location

Adware:adware/coupons No disinfected C:\WINNT\cpbrkpie.ocx
Adware:adware/sidesearch No disinfected C:\Documents and Settings\waz\Application Data\Lycos
Adware:adware/commad No disinfected Windows Registry
Virus:Trj/Mitglieder.BO No disinfected Archive Folders\Deleted Items\2332134.rar[dddd.exe]
Virus:Trj/Mitglieder.BO No disinfected Archive Folders\Deleted Items\543.rar[dddd.exe]
Adware:Adware/CommAd No disinfected C:\RECYCLER\S-1-5-21-335706114-155547560-1845911597-1003\Dc10\asappsrv.dll
Adware:Adware/CommAd No disinfected C:\RECYCLER\S-1-5-21-335706114-155547560-1845911597-1003\Dc10\command.exe
Adware:Adware/Findspy No disinfected C:\WINNT\system32\bndmod.exe
Adware:Adware/Dloader No disinfected C:\WINNT\system32\dgprpsetup.exe
Adware:Adware/Adultpage No disinfected C:\WINNT\system32\favme.exe
Adware:Adware/QuickWeb No disinfected C:\WINNT\system32\hlmicro.exe

Logfile of HijackThis v1.99.1
Scan saved at 5:31:55 PM, on 11/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\waz\LOCALS~1\Temp\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.careerbuilder.com
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - http://www.cabeagent...s/custappx3.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://hobsonassoc....bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = intra.zbitnoffgroup.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\d2F6\command.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#12 didom (Member 1K, 1,919 posts)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Please run Notepad and copy the following text into a new file:

rem Clear the read-only/system/hidden attributes, then remove the whole Recycler tree
rem (including the per-user S-1-5-21-... subfolders); Windows recreates it on demand.
attrib -r -s -h %systemdrive%\Recycler
rd /s /q %systemdrive%\Recycler

Save the file as recyclerem.bat and make sure the "Save as type" field says "All files".
Double-Click on the file recyclerem.bat, a small DOS type window should open and close immediately.

Step #2

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_cmdService]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these files and folders (if they are still there):
C:\WINNT\cpbrkpie.ocx <= this file
C:\WINNT\system32\favme.exe <= this file
C:\WINNT\system32\bndmod.exe <= this file
C:\WINNT\system32\hlmicro.exe <= this file
C:\WINNT\system32\dgprpsetup.exe <= this file

C:\Documents and Settings\waz\Application Data\Lycos <= this folder



Reboot your computer normally.

Step #5

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.

Step #6

Make sure all hidden files and folders are visible (see Step #3)

Please go to this site: http://virusscan.jotti.org/
On top you'll find "File to upload and scan".
Browse to the next file, submit it on that site and let it scan:

C:\Program Files\QuickTime\qttask.exe

Several scanning engines will be used to check the file for any threats. Please post the results of the scans back here.


Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
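The steps above sort the Panda ActiveScan hits by where they live, because that decides how each one is removed: registry data gets a HijackThis or .reg fix, the two hits inside the mail archive have to be deleted from the mail client, the RECYCLER leftovers go with the recyclerem.bat wipe, and the binaries under C:\WINNT are deleted in Safe Mode. The following is an added example, not part of this thread and not Panda's tooling, that does that sorting from the "Incident Status Location" lines and emits the cmd.exe lines for the file-system part. The status vocabulary it accepts, the Windows directory prefixes and the action names are this example's assumptions; the sample lines are constructed from the scan posted above. The account note for RECYCLER paths relies on RID 500 being the built-in Administrator account.

```python
"""Turn a Panda ActiveScan result listing into a remediation plan (added example)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample, taken from the scan posted earlier in the thread.
SAMPLE_SCAN = r"""
Incident Status Location

Adware:adware/coupons No disinfected C:\WINNT\cpbrkpie.ocx
Adware:adware/sidesearch No disinfected C:\Documents and Settings\waz\Application Data\Lycos
Adware:adware/commad No disinfected Windows Registry
Virus:Trj/Mitglieder.BO No disinfected Archive Folders\Deleted Items\2332134.rar[dddd.exe]
Adware:Adware/CommAd No disinfected C:\RECYCLER\S-1-5-21-335706114-155547560-1845911597-1003\Dc10\command.exe
Adware:Adware/Adultpage No disinfected C:\RECYCLER\S-1-5-21-331111937-1843285713-1505308654-500\Dc10.exe
Adware:Adware/Findspy No disinfected C:\WINNT\system32\bndmod.exe
"""

# Assumption: ActiveScan prints "<Category>:<name>  <status>  <location>", where the
# status is one of the disinfected/not-disinfected phrasings and the location may contain spaces.
LINE_RE = re.compile(
    r"^(?P<category>[A-Za-z]+):(?P<name>\S+)\s+"
    r"(?P<status>(?:No |Not )?[Dd]isinfected)\s+"
    r"(?P<location>.+?)\s*$"
)
WINDIR_PREFIXES = ("c:\\winnt\\", "c:\\windows\\")  # assumption: where Windows lives
RECYCLER_RE = re.compile(r"^c:\\recycler\\(?P<sid>s-1-5-21(?:-\d+){4})\\", re.IGNORECASE)


def classify(location: str) -> tuple[str, str]:
    """Map a scan location to (action, note) based on where the object lives."""
    low = location.lower()
    if low == "windows registry":
        return "registry_fix", "no file to delete; remove the keys/values with HijackThis or a .reg file"
    if "[" in location and location.endswith("]"):
        archive = location.split("[", 1)[0]
        return "mail_archive", f"inside {archive}; delete it from the mail client, not the file system"
    if m := RECYCLER_RE.match(location):
        rid = int(m["sid"].rsplit("-", 1)[1])
        who = "built-in Administrator" if rid == 500 else f"account with RID {rid}"
        return "empty_recycler", f"Recycle Bin of the {who}; wipe the RECYCLER tree"
    if low.startswith(WINDIR_PREFIXES):
        return "safe_mode_delete", "under the Windows directory; may be locked while running, delete in Safe Mode"
    return "delete", "user-profile item; delete with hidden files shown"


def plan(scan_text: str) -> dict[str, list[str]]:
    """Group every parsed hit by the action it needs (header and blank lines are skipped)."""
    actions: dict[str, list[str]] = defaultdict(list)
    for line in scan_text.splitlines():
        if m := LINE_RE.match(line.strip()):
            action, _ = classify(m["location"])
            actions[action].append(m["location"])
    return dict(actions)


def to_batch(scan_text: str) -> str:
    """Emit cmd.exe lines for the file-system part of the plan, meant to run in Safe Mode."""
    p = plan(scan_text)
    lines = ["@echo off"]
    for loc in p.get("safe_mode_delete", []) + p.get("delete", []):
        lines.append(f'attrib -r -s -h "{loc}"')
        # A trailing backslash makes "if exist" true only for directories.
        lines.append(f'if exist "{loc}\\" (rd /s /q "{loc}") else (del /f /q "{loc}")')
    if "empty_recycler" in p:
        lines.append(r"rd /s /q %systemdrive%\Recycler")
    return "\n".join(lines)


if __name__ == "__main__":
    for action, locations in plan(SAMPLE_SCAN).items():
        print(action)
        for loc in locations:
            print("   ", loc, "-", classify(loc)[1])
    print(to_batch(SAMPLE_SCAN))
```

The registry and mail-archive hits are deliberately left out of the batch output: a .reg merge and the mail client are the right tools there, and a file deletion would not reach them anyway.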

#13 Wazoo (Topic Starter, 23 posts)
I completed the steps from your email. The Panda ActiveScan log is provided below. virusscan.jotti.org came back with all showing nothing detected.

Incident Status Location

Adware:adware/coupons No disinfected Windows Registry
Virus:Trj/Mitglieder.BO No disinfected Archive Folders\Deleted Items\2332134.rar[dddd.exe]
Virus:Trj/Mitglieder.BO No disinfected Archive Folders\Deleted Items\543.rar[dddd.exe]
Adware:Adware/Adultpage No disinfected C:\RECYCLER\S-1-5-21-331111937-1843285713-1505308654-500\Dc10.exe
Adware:Adware/Findspy No disinfected C:\RECYCLER\S-1-5-21-331111937-1843285713-1505308654-500\Dc8.exe
Adware:Adware/Dloader No disinfected C:\RECYCLER\S-1-5-21-331111937-1843285713-1505308654-500\Dc9.exe
Adware:Adware/CommAd No disinfected C:\RECYCLER\S-1-5-21-335706114-155547560-1845911597-1003\Dc10\asappsrv.dll
Adware:Adware/CommAd No disinfected C:\RECYCLER\S-1-5-21-335706114-155547560-1845911597-1003\Dc10\command.exe
Adware:Adware/QuickWeb No disinfected C:\WINNT\system32\hlmicro.exe

#14 didom (Member 1K, 1,919 posts)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

You need to clean these items from your archived items:
2332134.rar[dddd.exe]
543.rar[dddd.exe]


Please look here for help:
http://www.uwb.edu/l...tml#Archivedpst

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #3

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these files and folders (if they are still there):
C:\WINNT\system32\hlmicro.exe <= this file

Double-Click on the file recyclerem.bat (you made before), a small DOS type window should open and close immediately.

Reboot your computer normally.

Step #5

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the Panda ActiveScan log. Start HijackThis and perform a new scan.


Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#15 Wazoo (Topic Starter, 23 posts)
I am able to access my archived files, but would you have any suggestions other than the standard Outlook to find those two files? I have also eliminated the other folder.

Wazoo