    basanp Posts: 6, Reputation: 1
    New Member
    #1

    Dec 1, 2005, 05:16 PM
    Computer with spyware & CPU @ 100%
    Hello,

    I really need some help here. I had some bad spyware and browsing through these forums I was able to clean some of it out (at least I hope). But I still have the problem that when I start up Windows XP I get messages from Symantec sending mass e-mails out and I don't know how to stop that. Most of them aren't able to send but they are constant pop-ups. Also, checking the CPU percentage it's at 100% and the PF usage is also high. Can someone please help? I have completed running ewido security and fixed and/or deleted whatever programs the earlier forums stated. I have also completed running CCleaner. Well here is my latest HijackThis info.

    THANKS!

    Paul

    Logfile of HijackThis v1.99.1
    Scan saved at 5:38:13 PM, on 12/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\htpatch.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\sywsvcs.exe
    C:\Program Files\WinTV\Ir.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\palmOne\Hotsync.exe
    C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Net Snippets - {67970B26-F57D-4455-8262-81C3AE3B8B5E} - C:\PROGRA~1\NETSNI~1\NetSnip.dll
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
    O4 - HKCU\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
    O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
    O8 - Extra context menu item: Add to Net Snippets - C:\PROGRA~1\NETSNI~1\Res\Clipper.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Snippets - {7130DF06-BBC1-4e16-83D4-1F875E65B695} - C:\PROGRA~1\NETSNI~1\NetSnip.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\aCaamon.dll (file missing)
    O20 - Winlogon Notify: Mixer - C:\WINDOWS\SYSTEM32\sndmix.dll
    O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
    O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\system32\epaiiicp.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    LTheobald Posts: 1,051, Reputation: 127
    Ultra Member
    #2

    Dec 2, 2005, 01:49 AM
    Did you run just CCleaner and nothing else? CCleaner is not even going to touch the spyware on your computer. All that does is remove some temporary files.

    There's 3 spyware tools in my signature - download and run all three. Ad-Aware and Spybot:S&D will run best in Safe Mode (reboot your PC, hold F8 as it boots, when prompted - choose Safe Mode). See if that helps.

    Your HijackThis log looks fine though.


    Also like to point out this site I found: http://hjt.iamnotageek.com/

    An automatic HijackThis parser. Tells you what's bad, what you can remove if you want to, what shouldn't be touched etc.
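As an added example (not part of any post in this thread, and not the parser linked above), here is a small Python 3 script that applies a few offline triage heuristics to HijackThis v1.99 entries of the kind shown in the log above. The sample lines are a subset copied from that log; the trusted-directory list assumes a default Windows XP install on C:, and the rules (a missing target file, a bare module name resolved via the search path, a core system process name loaded from outside the Windows directories, an autostart target outside Program Files or System32, and the same Run value registered under both HKLM and HKCU) are prompts to look closer, not verdicts. Entries that live in System32 pass these checks and need a different test, such as a hash lookup or a signature check, which this script does not do.

```python
"""Offline triage of HijackThis v1.99 log entries (added example, standard library only)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a subset of the entries from the log posted above,
# with the spaces the forum inserted into key names removed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - HKCU\..\Run: [bxproxy] C:\WINDOWS\bxproxy.exe
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\aCaamon.dll (file missing)
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\system32\epaiiicp.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Sections whose entries run code automatically at boot or logon.
AUTOSTART = {"F2", "F3", "O4", "O20", "O21", "O23"}
# Assumed default directories of a Windows XP install on C:; adjust for other layouts.
TRUSTED_DIRS = (r"c:\program files", r"c:\progra~1", r"c:\windows\system32")
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Core process names that only legitimately run from the Windows directories.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?:\s*\[(?P<name>[^\]]+)\]")
# A drive-qualified path up to the first loadable-module extension (quoted or not).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll|ocx|ocm|scr))', re.IGNORECASE)
# A bare module name with no directory, e.g. SOUNDMAN.EXE, resolved via the search path.
BARE_RE = re.compile(r"(?<![\\\w])([\w~-]+\.(?:exe|dll|ocx|ocm|scr))(?![\\\w])", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    entry: str
    reason: str


def parse_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    out = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out


def module_path(body: str) -> Optional[str]:
    """Extract the executable/DLL an entry loads, or None if the entry names no module."""
    m = PATH_RE.search(body) or BARE_RE.search(body)
    return m.group(1) if m else None


def in_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def triage(log_text: str) -> List[Finding]:
    """Apply review heuristics to autostart entries; findings are prompts to look closer."""
    findings: List[Finding] = []
    run_hives: Dict[Tuple[str, str], Set[str]] = {}
    for section, body in parse_entries(log_text):
        if section not in AUTOSTART:
            continue
        entry = f"{section} - {body}"
        if "(file missing)" in body:
            findings.append(Finding(section, entry, "dangling entry: target file missing"))
            continue
        path = module_path(body)
        if path is None:
            continue
        base = path.rsplit("\\", 1)[-1].lower()
        parent = path.lower().rsplit("\\", 1)[0]
        if "\\" not in path:
            findings.append(Finding(section, entry, f"bare module name {path}: loaded via search path"))
        elif base in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
            findings.append(Finding(section, entry, f"system process name {base} outside the Windows directories"))
        elif not in_trusted_dir(path):
            findings.append(Finding(section, entry, "autostart target outside Program Files / System32"))
        m = RUN_RE.match(body) if section == "O4" else None
        if m:
            run_hives.setdefault((m.group("name").lower(), path.lower()), set()).add(m.group("hive"))
    # A Run value present under both hives is unusual for legitimately installed software.
    for (name, path), hives in run_hives.items():
        if {"HKLM", "HKCU"} <= hives:
            findings.append(Finding("O4", f"[{name}] {path}", "same Run value registered under both HKLM and HKCU"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.entry}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; each finding carries the original entry line so it can be matched against the checkboxes in HijackThis.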
    fredg Posts: 4,926, Reputation: 674
    Ultra Member
    #3

    Dec 2, 2005, 04:23 AM
    Spyware
    Hi,
    LT has already given you some very good suggestions.
    I would like to add trying SpyWare Blaster 3.4

    http://www.javacoolsoftware.com/sbdownload.html

    After you get rid of the spyware, this free program can be updated regularly with anti-spyware definitions, and keeps spyware/advertising programs from getting into the computer in the first place. It blocks them, by integrating with the Restricted Zone with your browser automatically.
    I haven't had any spyware since using this great program.
    Best of luck.
    basanp Posts: 6, Reputation: 1
    New Member
    #4

    Dec 3, 2005, 03:21 PM
    Ok, so I used adaware and spybot both under safe mode. I first ran adaware then spybot. When I ran spybot it found a few infections. 2 of them spybot could not fix. It asked if it can run during the next time the computer is turned on. I clicked yes and still those 2 infections could not be removed. They are:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    When I started Windows XP it worked okay for about a minute. Then symantec started scanning messages non stop.

    I also ran ewido security once again under safemode and I still have symantec scanning for e-mails that are trying to send. Is there anything else that I can try?
    fredg Posts: 4,926, Reputation: 674
    Ultra Member
    #5

    Dec 4, 2005, 05:14 AM
    Remove
    Hi,
    Did you try Editing the Registry to remove:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    You can manually delete these from the Registry. If you don't know how, please post back.
    basanp Posts: 6, Reputation: 1
    New Member
    #6

    Dec 4, 2005, 12:52 PM
    Hi Fredg, :o

    I don't know how to manually delete it.
    basanp Posts: 6, Reputation: 1
    New Member
    #7

    Dec 6, 2005, 02:32 PM
    I tried deleting both of the registry files in Safe Mode however, I get an Error Deleting Key message saying: Cannot delete cmdService: Error while deleting key. Any more ideas?? :(
    Thanks!
    Curlyben Posts: 18,514, Reputation: 1860
    BossMan
    #8

    Dec 6, 2005, 02:36 PM
    OK Try Trend Housecall, run a FULL scan and complete ALL the recommendations that they give.
    This should resolve your issues.
    basanp Posts: 6, Reputation: 1
    New Member
    #9

    Dec 6, 2005, 09:19 PM
    I tried many times to use HouseCall but after it runs for a while the website keeps closing unexpectedly. I am even running the site in Safe mode with networking capabilities. I don’t think it’s the website because I ran HouseCall on my laptop and it worked fine. Again I tried to delete those two files from the registry manually but cannot do so. :confused:
    rkim291968 Posts: 261, Reputation: 34
    Full Member
    #10

    Dec 7, 2005, 01:56 AM
    Some spy/adwares are impossible to get rid of and it isn't worth tracking down all these freeware and going through various procedures. How much time did you already spend on this vs what would it take to save your files and re-install your OS? I find it a lot less aggravating to re-install OS once in a while, rather than trying to outwit the spyware industry (they do this for a living!).
    fredg Posts: 4,926, Reputation: 674
    Ultra Member
    #11

    Dec 7, 2005, 05:44 AM
    Edit Registry
    Hi,
    Even in Safe Mode, as you said, you cannot delete these registry entries, so do it manually.
    With XP, shut down your computer, then turn it back on. This will save a good Registry. BE CAREFUL in editing the Registry, your computer might not start again. If it doesn't, then you can start up your computer, pressing the F8 key, then select "Last known good configuration", and it will reset your registry for you.
    To edit the Registry,
    Go to Start/Run , then type in REGEDIT , and click on OK.
    This brings up the Registry. Start clicking on the + signs, on the left of the entries you want to find. Keep clicking on the + signs to the left, until you eventually come to the part at the end of the path.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService.
    Again, click on the + sign to the left of HKEY_LOCAL_MACHINE.
    Then, click on the + sign to the left of SYSTEM. Keep going until you come to the cmdService.
    Then, Left click on the folder, and Right click on Delete. Tell the pop-up YES, and then move on to the next pathway you mentioned.
    When finished, click on File at the top, then Exit.
    Re-boot the computer, and hopefully all will be well.
    basanp Posts: 6, Reputation: 1
    New Member
    #12

    Dec 7, 2005, 05:59 AM
    Hi Fredg, I tried deleting both of the registry files manually in Safe Mode however, I get an Error Deleting Key message saying: Cannot delete cmdService: Error while deleting key. There was another post saying to try HouseCall but tried many times to use it however after it runs for a while the website keeps closing unexpectedly. I am also running the site in Safe mode with networking capabilities. I don’t think it’s the website because I ran HouseCall on my laptop and it worked fine. Again I tried to delete those two files from the registry manually but cannot do so. There was another post saying to reimage the computer... would that be my last option?

    Thanks for your help so far!
    fredg Posts: 4,926, Reputation: 674
    Ultra Member
    #13

    Dec 7, 2005, 06:12 AM
    Cannot delete
    Hi,
    Try this when you edit the registry for these two values:

    Right Click that entry and Select "Properties">> Click "Stop">> Go up and Change the "Startup Type" to "Disabled"

    Now Click Start>> Run>> Copy&Paste the command below into the Open box, and Click OK!

    sc delete cmdService

    This should delete the cmdservice.
    Best of luck.
    LTheobald Posts: 1,051, Reputation: 127
    Ultra Member
    #14

    Dec 7, 2005, 06:17 AM
    Try the following to remove those registry entries:

    1. Open Notepad.
    2. Enter the following:
      Code:
      REGEDIT4
      
      [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]
      [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]

    Delete the spaces that the forum enters in these reg links so there's no spaces between the square brackets. Why the forum does that I don't know.
    3. Save the file as "fixme.reg". The filename doesn't matter as long as it's saved with a .reg extension.
    4. Double click on this new file to make the changes (press yes when prompted).


    If this doesn't work, it could be worth trying the following:
    • Click on Start >> Run
    • Type in "msconfig" and press enter (no need for the quotes).
    • Check the Services tab for cmdservice. If it's there disable it. Might also be worth checking the startup tab as well to make sure there's nothing there that shouldn't be there.



    This CmdService doesn't seem to cause the problems you have described but I guess we should get it out the way first anyway. More info on CMDService
