Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

BenjaminD83

3 Posts

173

December 14th, 2005 15:00

Hijack Log - Plz help me remove command.exe

Here is my log. When I boot my computer I get a toolbar on the leftside of my screen. I've used Spybot - Search and Destroy in advanced mode and Lavasoft Adware with no luck permanatly removing the program. Would it almost be easier to reload Windows? But I'm unsure if this will repair my registry problem. I'm almost to the frustration of reformating my hard drive. Thank you for reading over my information. Log as follows:
 
 
Logfile of HijackThis v1.99.1
Scan saved at 11:29:34 AM, on 12/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\QmVuamFtaW4gRHVidWlzc29u\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {B40F4B03-E6D0-E8C0-9ADA-16288BAD4CB8} - backorif.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134162675862
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CE36446-9C01-4F53-98FB-2E09FEC1F4F9}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B315233-B39C-4EDE-B677-5C43EAF3C750}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{720A857C-D4F5-42B7-95DF-EDC97BCF4B88}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{81BAD0E8-24CC-4E3F-A3A7-129ABF3F18B2}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{C316C8F6-4294-4020-9160-97F0E7E816C1}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A729A2-1E09-43EC-8339-6EBF5C3C1784}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9FC339A-EEA5-40F6-85C0-108D69D2F270}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CE36446-9C01-4F53-98FB-2E09FEC1F4F9}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CE36446-9C01-4F53-98FB-2E09FEC1F4F9}: NameServer = 85.255.114.42,85.255.112.77
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmVuamFtaW4gRHVidWlzc29u\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
 

RKinner

2 Intern

 • 

5.9K Posts

December 15th, 2005 23:00


You have a DNS hijack so first run HijackTHis and check/Fix Checked these:
R3 - URLSearchHook: (no name) - {B40F4B03-E6D0-E8C0-9ADA-16288BAD4CB8} - backorif.dll (file missing)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CE36446-9C01-4F53-98FB-2E09FEC1F4F9}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B315233-B39C-4EDE-B677-5C43EAF3C750}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{720A857C-D4F5-42B7-95DF-EDC97BCF4B88}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{81BAD0E8-24CC-4E3F-A3A7-129ABF3F18B2}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{C316C8F6-4294-4020-9160-97F0E7E816C1}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A729A2-1E09-43EC-8339-6EBF5C3C1784}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9FC339A-EEA5-40F6-85C0-108D69D2F270}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CE36446-9C01-4F53-98FB-2E09FEC1F4F9}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CE36446-9C01-4F53-98FB-2E09FEC1F4F9}: NameServer = 85.255.114.42,85.255.112.77
 
Now Start, Run, cmd, OK to bring up a black cmd screen.  Type:
ipconfig /release
ipconfig /renew
This should set your DNS back to the ISP's usual DNS.  Type:
ipconfig /all
and verify that the DNS server listed in the output is NOT 85.255.114.42 or 85.255.112.77. 
Now type:
services.msc
which should bring up the services window.  Look in the right pane for Command Service (cmdService)
and double click on it.  Press the Stop button then checnge the Startup Type to Disabled.  OK

 
Download the Hoster from:
Unpack to your desktop and run it.  If you have green print at the top then just press Restore Original Hosts then OK. 
IF you have red print then press make Hosts Writeable first.  After you Restore Original Hosts  then press Make Host Read Only.
 
Get DelDomain.inf from:
 
http://www.mvps.org/winhelp2002/DelDomains.inf  and then right click on it and Install. 
 

Download and install ccleaner.exe from http://www.ccleaner.com. Don't let
 
Get and run Smitrem from http://noahdfear.geekstogo.com/ per the instructions on the page.


it clean anything yet. 
 
Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option.
Run HijackThis and just do a Scan only. Check  then Fix Checked the following (if any remain):
 
R3 - URLSearchHook: (no name) - {B40F4B03-E6D0-E8C0-9ADA-16288BAD4CB8} - backorif.dll (file missing)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CE36446-9C01-4F53-98FB-2E09FEC1F4F9}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B315233-B39C-4EDE-B677-5C43EAF3C750}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{720A857C-D4F5-42B7-95DF-EDC97BCF4B88}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{81BAD0E8-24CC-4E3F-A3A7-129ABF3F18B2}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{C316C8F6-4294-4020-9160-97F0E7E816C1}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A729A2-1E09-43EC-8339-6EBF5C3C1784}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9FC339A-EEA5-40F6-85C0-108D69D2F270}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CE36446-9C01-4F53-98FB-2E09FEC1F4F9}: NameServer = 85.255.114.42,85.255.112.77
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CE36446-9C01-4F53-98FB-2E09FEC1F4F9}: NameServer = 85.255.114.42,85.255.112.77
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmVuamFtaW4gRHVidWlzc29u\command.exe
 
Run ccleaner.exe, uncheck everything on the first page except the two entries
with Temporary and then Run Cleaner.


Reboot into regular mode

Run another HijackThis log and post it as a reply. Let's
see how we did.
Ron

Was this post helpful?

View All

No Events found!

Top