
Command Service And Smitfraud


3 replies to this topic

#1 jessicado

jessicado

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:28 PM

Posted 20 August 2007 - 03:27 PM

Hi--I hate to post a topic asking for help, but I have been trying forever to get rid of these two problems. I am not very computer literate, but I can usually search and find the solution to viruses online, but to no avail with these, so this is my last resort! I downloaded a file about 2 months ago and when it opened, it was the Command Service virus. Immediately whenever I got online (I use Firefox), ads would pop up through Internet Explorer. It was horrible--about an ad a minute or more sometimes. I tried to get rid of it using HijackThis, but to no avail. I tried to delete the Command file in my Add and Remove section, but it still didn't work. I revealed hidden files and went into the System32 folder and deleted the file that HijackThis showed, and still it was working. I tried following the directions on this website to delete it and installed a better firewall (Sygate), which at least now blocks the popups. When I ran Spybot, I was shown that I also had Smitfraud, which it couldn't delete. I tried directions I found online to delete that as well, but also with no success. Here is my HijackThis log...any help would be appreciated!!!

Logfile of HijackThis v1.99.1
Scan saved at 1:18:17 PM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jess n Cliff\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:28 AM

Posted 20 August 2007 - 06:29 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum jessicado :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT*
Do NOT run any other options until you are asked to do so!

Also post a new Hijackthis log please.

#3 jessicado

jessicado
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:08:28 PM

Posted 07 September 2007 - 01:31 PM

Hi--Thanks so much. Sorry it has taken so long to reply--right after I started this topic, we had a crisis and I had to leave the house for a few weeks. I hope you can still help! Here are the logs requested:


ComboFix 07-09-08 - "Jess n Cliff" 2007-09-07 11:20:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.205 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\JESSNC~1\APPLIC~1\PPPATC~1
C:\temp\tn3
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\wcpsvsu32.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
.

2007-09-07 11:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-08-20 11:50 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Talkback
2007-08-20 11:31 <DIR> d-------- C:\Program Files\Yahoo!
2007-08-20 11:30 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-08-20 11:22 1,294 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-20 11:21 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-20 11:21 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-20 11:21 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-18 22:05 <DIR> d-------- C:\DOCUME~1\JESSNC~1\.housecall6.6
2007-08-18 20:40 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-08-18 20:39 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-08-18 20:39 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-08-18 20:39 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-08-18 20:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-08-18 20:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-08-18 20:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-08-18 20:39 <DIR> d-------- C:\Program Files\Sygate
2007-08-18 20:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-11 14:13 <DIR> d-------- C:\Program Files\iTunes
2007-08-11 14:13 <DIR> d-------- C:\Program Files\iPod
2007-08-09 18:44 <DIR> d-------- C:\Rio600
2007-08-08 19:01 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-28 09:03 --------- d-------- C:\DOCUME~1\JESSNC~1\APPLIC~1\uTorrent
2007-08-18 20:16 --------- d-------- C:\Program Files\Enigma Software Group
2007-08-17 11:58 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-08-07 16:16 --------- d-------- C:\Program Files\MSN Messenger
2007-08-04 16:26 --------- d-------- C:\Program Files\NCH Swift Sound
2007-08-04 16:26 --------- d-------- C:\DOCUME~1\JESSNC~1\APPLIC~1\NCH Swift Sound
2007-08-01 20:25 --------- d-------- C:\DOCUME~1\JESSNC~1\APPLIC~1\dvdcss
2007-07-30 09:52 --------- d-------- C:\Program Files\QuickTime
2007-07-30 09:50 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-26 12:47 --------- d-------- C:\Program Files\MFInstall
2007-07-16 17:45 --------- d-------- C:\Program Files\Common Files\Ahead
2007-07-11 12:23 87608 --a------ C:\DOCUME~1\JESSNC~1\APPLIC~1\inst.exe
2007-07-11 12:23 47360 --a------ C:\DOCUME~1\JESSNC~1\APPLIC~1\pcouffin.sys
2007-07-11 12:23 --------- d-------- C:\Program Files\vso
2007-07-11 12:23 --------- d-------- C:\DOCUME~1\JESSNC~1\APPLIC~1\Vso
2007-07-11 12:21 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-07-10 17:59 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-10 17:25 --------- d-------- C:\Program Files\DVDFab HD Decrypter 3
2007-07-10 17:02 --------- d-------- C:\Program Files\FREE Hi-Q Recorder
2007-07-10 15:37 --------- d-------- C:\DOCUME~1\JESSNC~1\APPLIC~1\Azureus
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-02-22 23:00 9232 --a--c--- C:\DOCUME~1\JESSNC~1\mqdmmdfl.sys
2007-02-22 23:00 92064 --a--c--- C:\DOCUME~1\JESSNC~1\mqdmmdm.sys
2007-02-22 23:00 79328 --a--c--- C:\DOCUME~1\JESSNC~1\mqdmserd.sys
2007-02-22 23:00 66656 --a--c--- C:\DOCUME~1\JESSNC~1\mqdmbus.sys
2007-02-22 23:00 6208 --a--c--- C:\DOCUME~1\JESSNC~1\mqdmcmnt.sys
2007-02-22 23:00 5936 --a--c--- C:\DOCUME~1\JESSNC~1\mqdmwhnt.sys
2007-02-22 23:00 4048 --a--c--- C:\DOCUME~1\JESSNC~1\mqdmcr.sys
2007-02-22 23:00 25600 --a--c--- C:\DOCUME~1\JESSNC~1\usbsermptxp.sys
2007-02-22 23:00 22768 --a--c--- C:\DOCUME~1\JESSNC~1\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

R3 Dot4 HPH11;Dot4 HPH11;C:\WINDOWS\system32\DRIVERS\hphid411.sys
R3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11;C:\WINDOWS\system32\DRIVERS\hphipr11.sys
R3 Dot4Storage HPH11;Storage Class Driver for IEEE-1284.4 (HPH11);C:\WINDOWS\system32\Drivers\hphs2k11.sys
R3 Dot4Usb HPH11;Dot4Usb HPH11;C:\WINDOWS\system32\drivers\hphius11.sys
R3 Eplpdx02;Eplpdx02;\??\C:\WINDOWS\System32\Drivers\EPLPDX02.SYS
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\CBTNDIS5.SYS
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\drivers\MusCDriverV32.sys
S3 RioDrv;Rio600 driver;C:\WINDOWS\system32\Drivers\RioDrv.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys
S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;C:\WINDOWS\system32\DRIVERS\wind502u.sys

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 11:24:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-08 11:25:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 11:25
.
--- E O F ---


SmitFraudFix v2.221

Scan done at 11:27:33.14, Sat 09/08/2007
Run from C:\Documents and Settings\Jess n Cliff\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\Documents and Settings\Jess n Cliff


C:\Documents and Settings\Jess n Cliff\Application Data


Start Menu


C:\DOCUME~1\JESSNC~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.87.69.146
DNS Server Search Order: 68.87.85.98

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1ED6343D-F7E6-4DFF-B569-EFE6B236A41A}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1ED6343D-F7E6-4DFF-B569-EFE6B236A41A}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1ED6343D-F7E6-4DFF-B569-EFE6B236A41A}: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.69.146 68.87.85.98


Scanning for wininet.dll infection


End


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:24 AM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 1264 bytes



Thanks again! :thumbsup:
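The ComboFix log above lists several `.com` files deleted from System32 (cmd.com, netstat.com, ping.com, taskkill.com, tasklist.com, tracert.com). Because cmd.exe's default PATHEXT order tries `.COM` before `.EXE`, a same-named `.com` beside a real tool runs in its place when the tool is typed by name, so a deletions list like this one is worth checking for that pattern. The script below is an added example, not part of the original thread or of ComboFix: it parses the "Other Deletions" block (a constructed excerpt of the log quoted above) and flags `.com` files that shadow a standard command; the `SYSTEM_TOOLS` set is an assumed list and covers more tool names than the six on this page.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: an excerpt of the "Other Deletions" block from the ComboFix log above.
COMBOFIX_DELETIONS = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\JESSNC~1\APPLIC~1\PPPATC~1
C:\temp\tn3
C:\WINDOWS\b103.exe
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\wcpsvsu32.exe
C:\WINDOWS\wr.txt

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
"""

# Assumed list of command-line tools that ship as .exe in System32 on Windows XP.
# A same-named .com next to them wins resolution because PATHEXT tries .COM before .EXE.
SYSTEM_TOOLS = {"cmd", "netstat", "ping", "taskkill", "tasklist", "tracert",
                "regedit", "ipconfig", "net", "attrib", "reg"}


def parse_deletions(log_text):
    """Return the paths listed between the 'Other Deletions' banner and the next banner."""
    paths, in_block = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("((((") and line.endswith("))))"):
            in_block = "Other Deletions" in line   # a new banner opens or closes the block
            continue
        if in_block and re.match(r"^[A-Za-z]:\\", line):
            paths.append(line)
    return paths


def find_command_shadows(paths, tools=SYSTEM_TOOLS):
    """Flag .com files under a system32 directory whose stem is a standard command name."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        in_system32 = any(part.lower() == "system32" for part in wp.parts)
        if in_system32 and wp.suffix.lower() == ".com" and wp.stem.lower() in tools:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for path in find_command_shadows(parse_deletions(COMBOFIX_DELETIONS)):
        print("shadowed system command:", path)
```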

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:28 AM

Posted 07 September 2007 - 03:10 PM

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\Documents and Settings\JESSNC~1\Application Data\inst.exe

Restart your pc normally.


You've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

Restart your pc.
Post a new Hijackthis log.
Let me know how your pc is running now please.