TechSpot

Help with command service and outer info removal

By DarbyG
Mar 30, 2008
  1. I have been working on recovering a computer from malware, viruses, and adware. I currently am running McAfee antivirus and antispyware. McAfee kept hitting on command service but couldn't manage to get rid of it completely. Outer info and other hijackers would continue to take IE in just about every direction even after complete virus and spyware scans. Many items would return after a reboot and I know it's got something to do with the registry but I am not knowledgeable enough to attempt editing anything in there. I am attaching the most current log from hijackthis. The combofix log won't upload due to it being over 500KB. Looking for some help to finish cleaning this mess up. I am well away from my comfort level now. Any help would be greatly appreciated!
     
  2. DarbyG

    DarbyG TS Rookie Topic Starter

    latest combofix log

    I ran combofix again last night. Here is the latest version.
     
  3. jobeard

    jobeard TS Ambassador Posts: 9,348   +622

    this one doesn't look good

    O4 - HKCU\..\Run: [Jjcgww] "C:\Program Files\M?crosoft.NET\d?dplay.exe"

    delete these
    O4 - Global Startup: palstart.exe

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -

    popcaploader_v6.cab ?? unnecessary and you should strongly consider deleting
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/3ef815/games/files/663/popcaploader_v6.cab

    ViewpointService.exe
    see this
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good eye, Joe. Just a heads up for you: whenever you see distorted characters like that, it is tricky to delete, because when you tell the person to search for it the characters are normal, and it is almost always named after a legit program. The trick is that after removing the registry entry, when you search for the file in Windows Explorer it will be listed at the bottom. Everything will be in alphabetical order except the infected file (that is, as long as the victim hasn't changed the way files are displayed).

    Go to Start - control panel - add/remove programs and uninstall anything to do with
    PurityScan/Clickspring

    Palstart.exe is a Trojan/Backdoor.
    Safe Mode - Kill the process palstart.exe - remove palstart.exe from Windows startup using Hijackthis, then search for and delete the file

    I am also pretty sure I see Vundo on there -> "6cb45f98"="C:\WINDOWS\system32\hhjvlrtl.dll"

    So I would suggest to have them Download and run these three tools. Follow the instructions for using each tool on the download site for each tool.

    Tool1 Tool2 Tool3
     
  5. DarbyG

    DarbyG TS Rookie Topic Starter

    Cool. I'll try those tools also. I got the ones last night that jobeard mentioned but still had a systemerrorfixer popup soon thereafter. I looked in the popup controls in IE and found 'popupmgr' listed as an allowed program(?) Deleted it and any other exceptions listed. I'll work on it some more tonight after work and post my results.

    I also did another antivirus and antispyware scan last night. It found and removed combofix. Hopefully I'm not the only one finding that humorously ironic...
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    A lot of malware tools have the same characteristics as the malware itself. That is called a false positive.

    Open Internet Explorer

    click tools -> internet options.

    Click the Security tab
    Click on the Trusted sites icon.
    Click the sites button and remove all sites from the trusted zone by selecting
    them and clicking the remove button.
    Once done, click ok.(if you already did this great)

    Then, click the privacy tab and click the sites button. In the address bar type each offending site


    Click ok, then ok again and close IE. reboot your system.

    I would also recommend you use an alternative browser for day to day task:
    Two great ones are Firefox and Opera (easily found with Google).

    ---------------------------------------------------------------------------------------------------
    After the 3 tools please run a scan with Hijackthis and attach a fresh log
     
  7. DarbyG

    DarbyG TS Rookie Topic Starter

    there's still something there

    I've done everything listed except for using tool 3. Every time I tried to open tool 3 I would end up with 46 new windows open on my desktop. Tool 1 and 2 both ran fine. The line for Vundo doesn't match up with the latest HJT so I didn't do anything with it yet. Wanted to double check prior to deleting. The latest HJT log is included.
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

  9. DarbyG

    DarbyG TS Rookie Topic Starter

    re:

    The latest link for tool 3 worked but it didn't find anything. Ran it both in normal and safe mode with the same results. Up to date HJT file is attached. Still having something change setting for cookies and re-enabling IE add-ons (geedd.dll).

    After running tool 3, I tried to run HJT and I wasn't able to since something changed the permissions. It worked after reinstalling. When I tried to upload the file to Techspot this morning I had fake warning banner in the upload window. I've seen in other posts mentions of renaming HJT. Should I do that?

    Quote from Blind Dragon: "I am also pretty sure I see Vundo on there -> "6cb45f98"="C:\WINDOWS\system32\hhjvlrtl.dll"". I haven't deleted this line since the file name at the end keeps changing. Should I delete whatever is in the line that starts with "6cb45f98"?
     
  10. jobeard

    jobeard TS Ambassador Posts: 9,348   +622

    both of these need your attention
    O4 - HKLM\..\Run: [BM6f876c04] Rundll32.exe "C:\WINDOWS\system32\cnmovyeq.dll",s
    O4 - HKLM\..\Run: [6cb45f98] rundll32.exe "C:\WINDOWS\system32\glccgvpr.dll",b

    Blue Searchbar is Extremely Evasive -
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Hit Ctrl+Alt+Del and end process for PowerReg Scheduler V3.exe (if there)

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries (then close all windows except Hijackthis):

    O4 - HKLM\..\Run: [BM6f876c04] Rundll32.exe "C:\WINDOWS\system32\cnmovyeq.dll",s
    O4 - HKLM\..\Run: [6cb45f98] rundll32.exe "C:\WINDOWS\system32\glccgvpr.dll",b
    O4 - Startup: PowerReg Scheduler V3.exe
    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab


    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files:

    Files:
    C:\WINDOWS\system32\cnmovyeq.dll <-This file only
    C:\WINDOWS\system32\glccgvpr.dll <-This file only

    Search for files:
    While still in Windows Explorer click Search, select All files and folders, and make sure to check the three top boxes in the More advanced options section
    Then in the box type:
    PowerReg Scheduler V3.exe
    Then
    PowerReg Scheduler.exe

    Delete any instances found

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
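Added example, not part of the thread: a small Python triage script that applies to HijackThis-style log lines the two heuristics discussed above. The first is Blind Dragon's point in post 4 about look-alike characters in a path (the "M?crosoft.NET\d?dplay.exe" entry); the second is the pattern jobeard and Blind Dragon flag in posts 10 and 11, a Run key named with eight hex characters (sometimes prefixed "BM") that uses rundll32 to load an eight-letter random DLL from system32, which is why the [6cb45f98] entry comes back with a new filename after each reboot. It also flags O16 ActiveX downloads (DPF) served from hosts other than Microsoft's. The log lines embedded in the script are constructed to mimic the ones quoted in this thread, with a Cyrillic і standing in for the characters the forum rendered as "?"; the regexes, the "eight letters" threshold and the Microsoft allow-list are assumptions made for this example, not anything HijackThis itself does.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the
thread). Three heuristics, all assumptions made for this example:
  1. non-ASCII look-alike characters inside a file path,
  2. an O4 Run key with an 8-hex-digit name (optionally prefixed "BM") whose
     command is rundll32 loading an 8-letter random DLL from system32,
  3. an O16 DPF ActiveX download whose host is not a Microsoft one.
"""
import re
import unicodedata
from urllib.parse import urlparse

# Constructed sample, modelled on lines quoted in this thread. The Cyrillic
# letter і (U+0456) stands in for the characters the forum rendered as "?".
SAMPLE_LOG = [
    r'O4 - HKCU\..\Run: [Jjcgww] "C:\Program Files\Mіcrosoft.NET\dіdplay.exe"',
    r'O4 - HKLM\..\Run: [BM6f876c04] Rundll32.exe "C:\WINDOWS\system32\cnmovyeq.dll",s',
    r'O4 - HKLM\..\Run: [6cb45f98] rundll32.exe "C:\WINDOWS\system32\glccgvpr.dll",b',
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"',
    r'O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/3ef815/games/files/663/popcaploader_v6.cab',
    r'O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab',
    r'O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206900000000',
]

# Anything outside printable ASCII in a log line is suspicious: a Cyrillic і
# in "Mіcrosoft" looks right on screen but sorts to the end of an Explorer
# listing and never matches a search typed with a Latin i.
NON_ASCII = re.compile(r"[^\x20-\x7e]")

# O4 Run entry: hive, key name in [...], then the command line.
O4_RUN = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
# rundll32 loading a DLL from system32 whose name is eight random letters,
# called with a single-letter export (",b", ",s"), as in the thread.
RUNDLL_RANDOM = re.compile(
    r'(?i)^rundll32\.exe\s+"C:\\WINDOWS\\system32\\(?P<dll>[a-z]{8})\.dll",[a-z]$'
)
# Key name that is eight hex digits, optionally prefixed "BM".
HEX_KEY = re.compile(r"^(?:BM)?[0-9a-f]{8}$")
# O16 DPF entry: GUID, optional friendly name, then the download URL.
O16_DPF = re.compile(r"^O16 - DPF: \{[0-9A-F-]{36}\}(?: \([^)]*\))? - (?P<url>\S+)$")
TRUSTED_SUFFIXES = (".microsoft.com", ".windowsupdate.com")  # assumed allow-list


def triage(lines):
    """Return a list of (severity, line, reason) for lines matching a heuristic."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        odd = NON_ASCII.findall(line)
        if odd:
            names = sorted({unicodedata.name(c, "U+%04X" % ord(c)) for c in odd})
            findings.append(("high", line, "non-ASCII look-alike characters in path: " + ", ".join(names)))
            continue
        m = O4_RUN.match(line)
        if m:
            d = RUNDLL_RANDOM.match(m.group("cmd"))
            if d and HEX_KEY.match(m.group("key")):
                findings.append(("high", line,
                                 "hex-named Run key loading random DLL %s.dll via rundll32 (Vundo-style)" % d.group("dll")))
            continue
        m = O16_DPF.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if not host.endswith(TRUSTED_SUFFIXES):
                findings.append(("medium", line, "ActiveX control downloaded from third-party host " + host))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (severity.upper(), reason, line))
```

Run it against a saved HijackThis log with `triage(open("hijackthis.log", encoding="utf-8").read().splitlines())`; the interesting part for this thread is that the second heuristic keys on the shape of the entry rather than the DLL name, so it still fires after the file is renamed on the next reboot.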
     
  12. DarbyG

    DarbyG TS Rookie Topic Starter

    Okay, I got all that done. The line O4 - HKLM\..\Run: [6cb45f98]... keeps returning with a different file name. Is that an issue?

    Systemerrorfixer still keeps opening new windows. Now there is a SafeHardDrive doing the same.

    My cookie policy in IE keeps getting reset to 'accept all cookies' even though I keep resetting it to medium.

    New HJT file attached.
     
  13. kritius

    kritius TS Guru Posts: 2,084

    Download and Run ComboFix
    If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    EDIT: just saw you already had Combo, apologies
     
  14. DarbyG

    DarbyG TS Rookie Topic Starter

    I ran combofix today. Had to re-download it since my anti spyware deleted it the other day.

    Still having something hijack my browser. I updated it today to IE7. I have placed numerous sites in the restricted sites list. Now the window opens but won't load the site. It still however is opening new windows.

    Is there anything else I can do?

    There are 2 files that keep re-enabling themselves in IE under the manage add-ons list. They are 'geedd.dll and wimdrpb.dll'. Are these an issue?

    Latest combofix log is attached.
     
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here


    Download/install 'SuperAntiSpyware Home Edition Free Version' from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Once the updates have been installed, exit SuperAntiSpyware.

    Scan with SuperAntiSpyware
    • Start SuperAntiSpyware.
    • On the main screen click on 'Scan your computer'.
    • Check 'Perform Complete Scan', then click 'Next' to start the scan.
    • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it, then press 'Next'.
    • Click on 'Finish' when you're done.

      It's possible that the program will ask you to reboot in order to delete some files.

      Obtain the SuperAntiSpyware log as follows:
      Click on 'Preferences'.
      Click on the 'Statistics/Logs' tab.
      Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
      It will then open in your default text editor, such as Notepad.
      Attach the notepad file here on your next reply


    Attach both of these reports along with a fresh Hijackthis log afterwards
     
  16. DarbyG

    DarbyG TS Rookie Topic Starter

    Alright. Got all that done. The computer seemed to hang while it was rebooting from the SuperAntiSpyware scan so I ran it again. Both logs are included along with the HJT and SDFix report. It found a lot on the second run. Thanks for all your help so far!
     
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    SuperAntiSpyware appears to have done a great job and cleaned out a lot of nasties.

    However, I still see some things I don't like. So let's try one more alternative and then we can remove manually if we have to.

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    You know the drill: afterwards, post a fresh Hijackthis log
     
  18. DarbyG

    DarbyG TS Rookie Topic Starter

    Hopefully getting close...

    Files attached.
     
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O2 - BHO: (no name) - {2C14FBAF-3715-1F91-3022-3C71B5019FCA} - C:\WINDOWS\system32\ryhh.dll (file missing)
    O4 - HKLM\..\Run: [6cb45f98] rundll32.exe "C:\WINDOWS\system32\lejfyumm.dll",b
    O20 - Winlogon Notify: tuvssro - tuvssro.dll (file missing)


    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files:

    Files:
    C:\WINDOWS\system32\lejfyumm.dll <-This file only

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log



    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  20. DarbyG

    DarbyG TS Rookie Topic Starter

    Got all that done. When I searched for the C:\WINDOWS\system32\lejfyumm.dll file I couldn't find it after deleting it with HJT. Enclosed is the HJT file.

    I was unable to attach the log file from the Kaspersky scan due to the large file size. It was over 2MB.

    How should I go about getting that to you?
     
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Click on my name and select send an email to blind dragon, then attach it there.

    make sure the subject is DarbyG Kaspersky scan
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The user account kelsey is extremely cluttered and is the reason for the size of the Kaspersky log. Music, games, pictures, and a ton of temporary data, more than I think I have ever seen in an online scan. It also appears to be the source of your infections.

    Are you sure you followed the ATF Cleaner instructions properly? A lot of this should have been cleared out.

    In addition to running ATF Cleaner again and ensuring that the appropriate boxes are checked:


    Crap Cleaner
    • Download from HERE
    • Close all browsers.
    • Run the programme and make sure all the boxes are ticked under the Windows and Applications tabs. Also check all Advanced tabs (except for the Old Prefetch Data option, which should be unticked)
    • Click the run cleaner button. Do this several times


    Afterwards scan again with Kaspersky and see if you can attach the log here if not email it to me again
     
  23. DarbyG

    DarbyG TS Rookie Topic Starter

    I've done all the previous scanning with ATF and the other tools under the username Kathy. I figured it should get all the files on the computer. Do I need to redo the tools under the username Kelsey also?

    I'm emailing the kaspersky scan. I think it came out as 3 MB.
     
  24. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Do this top part for kathy and kelsey ;)

    Navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Clean out your Temporary Internet files. Proceed like this:

    For Internet Explorer 7

    * Click Start, click Control Panel, and then double-click Internet Options.
    * On the General tab, click Delete... under Browsing History.
    * Next to Temporary Internet Files, click Delete files, and then click OK.
    * Next to Cookies, click Delete cookies, and then click OK.
    * Next to History, click Delete history, and then click OK.
    * Click the Close button.
    * Click OK.

    For Mozilla 1.x and Up

    * Click Edit from the Mozilla menubar.
    * Click Preferences... from the Edit menu.
    * Expand the Advanced menu by clicking the plus sign.
    * Click Cache.
    * Click the Clear Cache button.

    For Opera

    * Click File from the Opera menubar.
    * Click Preferences... from the File menu.
    * Click the History and Cache menu.
    * Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
    * Click Ok to close the Preferences menu.

    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
    -----------------------------------------------------------------------------------------------------------

    Manually clear cache

    • Open an Explorer folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

    ---------------------------------------------------------------------------------------------------------


    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    -----------------------------------------------------------------------------------------------------

    Try kaspersky again
     
  25. DarbyG

    DarbyG TS Rookie Topic Starter

    I went ahead and reran all the tools that I had used previously again in the kelsey username (before I got your latest post.)

    The tools cleaned out a lot of the temp files so most of the temp folders were empty. When I went to the content.ie5 folder I was able to delete all but 1 of the temp folders under kathy and kelsey. It kept telling me the files were in use. I even tried deleting in safe mode, but kept getting the same warning.

    Fresh HJT and combofix logs are included.
     
Topic Status:
Not open for further replies.
