HERE'S my LOG - cmd infection, McAfee thingie

Started by babyoh, December 06, 2005, 03:40:49 PM


babyoh

 :rose: TWO THINGS:
1) according to spybot s&d, i've got this:
hkey_local_machine\system\ControlSet001\Services\cmdService
hkey_local_machine\system\CurrentControlSet\Services\cmdService
  --  spybot can't get rid of it, even when it loads at start-up... i googled it, and it does seem to be some nefarious adware.
:beg: ...i'm "clean" according to adaware se, ms anti-spyware beta 1, bazooka and symantec av.
:uhm:
2) a long time ago i bought and tried loading McAfee Firewall. it had a shoot-out with the pre-installed symantec apps on my computer.
so i "UNINSTALLED" McAfee -- it didn't want to go quietly, so i manually kept deleting, until norton stopped flashing me all the alerts.
:rose:
i noticed i have the following McAFEE stuff on my drive; is it safe to manually delete? -- it's not doing me any good, since i don't run the app.
C:\Documents and settings\All Users\Application Data  - McAfee.com FOLDER
C:\Documents and settings\Owner\Application Data - McAfee FOLDER
C:\Documents and settings\Owner\Application Data - McAfee.com Personal Firewall
C:\Documents and settings\Owner\Application Data\McAfee - McAfee Shared Components

HERE'S MY LOG:
Logfile of HijackThis v1.99.1
Scan saved at 7:21:59 AM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HIJACK THIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.computers.us.fujitsu.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\0ebmk1gj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://c%3a%5cprogram%20files%5cnetscape%5cnetscape%5csearchplugins%5csbweb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\0ebmk1gj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe

O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{7553038C-6FA9-4856-B81B-262434504804}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{7553038C-6FA9-4856-B81B-262434504804}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Die Hard

babyoh :)

1. cmdService is adware for sure.
I made an instruction on how to edit the registry here: http://www.landzdown.com/index.php?topic=3566.msg14803#msg14803
The keys you are about to remove are located at almost the same place in the registry.

Do not forget to backup, you can backup anywhere down the ladder and that key and all the subkeys will be saved.

Click the arrow, or "+", next to these:

+ hkey_local_machine
+system
+ControlSet001
+Services
cmdService

Right-click cmdService and "Delete"

Do the same thing with this:
+hkey_local_machine
+system
+CurrentControlSet
+Services
cmdService


If you hesitate the slightest, please come back for more assistance.

2. Regarding the McAfee folders, I do not think removing them should cause any problems. But it's not recommended to delete the folders of a program as a way to uninstall. There are registry keys left that could cause the system to malfunction.
In this case, when you have already rid yourself of McAfee, I would recommend that you download McAfee, unplug the internet cable, close down every single instance of Norton and install McAfee. Then use the uninstall feature in the control panel. After that, delete all remaining files and folders belonging to McAfee.

regards

Die Hard :)
I create and edit my posts in GS-NOTES

babyoh

thanks, die hard....    a couple things --

1) i use an app called ERUNT to back up the registry. i've never needed to restore the reg; is it ok for me to assume ERUNT is backing up fine, or is it better for me to do manually, like you explained?

2) do i have to be in "SAFE MODE" to edit the registry? i don't understand why sometimes that's necessary, and sometimes not.

3) should i turn off SYSTEM RESTORE before doing this? so the malware doesn't hide there?

THANKS AGAIN!  :rose:


Die Hard

babyoh :)

1. I have no experience of ERUNT, but if it promises to backup, I'm sure it will. As far as I know it is a program with a good reputation  :thumbsup:
Following my directions is a rather simple operation, too.

2. You do not need to be in safe mode. However, make sure you log in as an administrator, or with an account with those permissions.

3. It's not necessary to turn off System Restore, but since after this operation you seem to be squeaky clean, it could be a good idea to create a new restore point.

regards

Die Hard :)


babyoh

well, the good news is, my system seems to be clean.
** what's WEIRD, is that this DIDN'T EXIST --
+hkey_local_machine
+system
+CurrentControlSet
+Services
cmdService
:rose:
I let spybot delete this:
hkey_local_machine\system\ControlSet002\Services\cmdService
***
OH: even though i logged in as administrator, i had trouble deleting hkey_local_machine\system\ControlSet001\Services\cmdService
i had to reset the PERMISSIONS, and then i could delete it
(i had something like this happen before, where i could delete logged on as owner but NOT administrator. weird)
***
I've been infected with this CMD a few times. any way to block it from coming back? (i'm fairly well protected already, w/ spyware blaster, spybot immunize, proper firewall & browser settings; i don't use explorer, just FIREFOX & OPERA)

any way i can specifically block CMD? i've definitely gotten it twice recently, maybe even 3 times.
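The registry steps Die Hard gave above, together with the two wrinkles reported in this post (the key sat under ControlSet002 rather than CurrentControlSet, and the delete was refused until the key's permissions were reset), as an added PowerShell example. It is not code from either poster or from any of the tools mentioned. It goes one step beyond the thread by scanning every HKLM\SYSTEM\ControlSet* hive for the service key instead of the two named ones, and the backup folder location, the reg.exe export for the backup, and the ACL reset granting BUILTIN\Administrators full control are my assumptions about how to carry out the posted advice. Run from an elevated (Administrator) PowerShell prompt.

```powershell
# Added example (not from the thread). Back up each cmdService key, show which
# binary it points at, then delete it, resetting permissions if the delete is
# refused. Scans every HKLM\SYSTEM\ControlSet* hive because the key turned up
# under ControlSet002 rather than CurrentControlSet in the thread.
$ServiceName = 'cmdService'
$BackupDir   = Join-Path $env:USERPROFILE 'Desktop\regbackup'   # assumption: any writable folder works

# Return the provider path of Services\<Name> under each ControlSetNNN key.
# CurrentControlSet is a link to one of these, so it is covered implicitly.
function Find-ServiceKeys {
    param([string]$Name)
    Get-ChildItem -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM' |
        Where-Object { $_.PSChildName -like 'ControlSet*' } |
        ForEach-Object {
            $candidate = "$($_.PSPath)\Services\$Name"
            if (Test-Path -Path $candidate) { $candidate }
        }
}

# Export the key with reg.exe; the resulting .reg file restores it if needed
# (this is the "do not forget to backup" step from the thread).
function Backup-Key {
    param([string]$KeyPath)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $native = $KeyPath -replace '^.*Registry::', ''          # strip the PowerShell provider prefix
    $file   = Join-Path $BackupDir (($native -replace '[\\:]', '_') + '.reg')
    if (Test-Path $file) { Remove-Item $file -Force }
    & reg.exe export $native $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $native" }
    $file
}

# Print the owner and DACL of a key, to see why a delete might be refused.
function Show-KeyAccess {
    param([string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath
    Write-Host "  owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        Write-Host ('  {0,-5} {1,-35} {2}' -f $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights)
    }
}

# Grant BUILTIN\Administrators full control on the key (the "reset the
# permissions" step babyoh needed even while logged in as administrator).
function Grant-AdminFullControl {
    param([string]$KeyPath)
    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators', 'FullControl',
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

$found = @(Find-ServiceKeys -Name $ServiceName)
if ($found.Count -eq 0) {
    Write-Host "No $ServiceName key under any ControlSet; nothing to do."
}
foreach ($key in $found) {
    Write-Host "== $key"
    $props = Get-ItemProperty -Path $key
    Write-Host "  ImagePath: $($props.ImagePath)"       # the on-disk file to clean up afterwards
    $backup = Backup-Key -KeyPath $key
    Write-Host "  backed up to $backup"
    Show-KeyAccess -KeyPath $key
    try {
        Remove-Item -Path $key -Recurse -Force -ErrorAction Stop
        Write-Host "  deleted"
    } catch {
        Write-Warning "delete refused ($($_.Exception.Message)); granting Administrators full control and retrying"
        Grant-AdminFullControl -KeyPath $key
        Remove-Item -Path $key -Recurse -Force
        Write-Host "  deleted after permission reset"
    }
}
```

The ImagePath printed for each key is worth noting before the key goes: a service key only names the binary, so the file it points at is what a later reinfection would reload, and it is what to look for on disk (and in a fresh HijackThis log) if the key reappears.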



Die Hard

babyoh :)

Maybe an installation of MS AS could be a good idea. Its real time monitor is efficient and would probably alert you if anything is trying to break in.
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Die Hard :)

babyoh

 :rose:
sorry; i ALREADY have the microsoft anti-spyware beta 1 app TOO. i forgot to list it before.
it must not stop CMD... or else the darn thing is hiding somewhere on my drive, and re-infecting me every so often.

(thanks for your help, by the way) :thumbsup:

Die Hard

babyoh :)
Quote: sorry; i ALREADY have the microsoft anti-spyware beta 1 app TOO.

Of course you have, I should have seen it  :exorcize:
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

If it returns, please come back here. And maybe post a HJT log before you make any cleaning attempts. We might find the culprit. It could also be a drive-by installation on one of the regular pages you visit. Could be just any site hosted on a free server.

Die Hard :)