command.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Psycho_Sam, Aug 10, 2006.

  1. Psycho_Sam

    Psycho_Sam Private E-2

    I seem to have got a trojan on the computer running under the alias command.exe. I have run the steps in the Read & Run Me and Spybot S&D said it fixed the problems. However it still says it has detected it on startup, so it doesn't seem to have removed it completely.

    Here is my Hijack This log. I hope you can help me :)
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

    Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial: was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    After doing ALL of the above, if you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    In your next post, please make sure you attach the following logs and that you have run these scans in the following order:
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • CounterSpy - ONLY IF you were not able to run Windows Defender
    • Bitdefender (Step 6)
    • Panda Scan (Step 6)
    • HijackThis
     
  3. Psycho_Sam

    Psycho_Sam Private E-2

    It won't let me run GetRunKey.bat or ShowNew.bat; it says "C:\WINDOWS\System32\regedit is not a valid Win32 application".
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Skip this step for now, we will address it later, proceed with the other steps.
     
  5. Psycho_Sam

    Psycho_Sam Private E-2

    Ok here are the bitdefender, panda and hijack log files.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    IGN Download Manager
    (If you're familiar with this you can ignore it through this fix.)

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    DLM.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {A94C890F-E09F-4449-A1AE-00ED20F213A4} - C:\Program Files\MSN\hozemod.dll (file missing)

    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [vpyd782b] RUNDLL32.EXE w031fb3a.dll,n 002d78290000000a031fb3a
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\kfdhela3.dll (file missing)
    O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\IGETWH32.DLL (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\outlook Delete this whole folder if it exists!

    C:\Program Files\IGN Delete this whole folder if it exists!

    w031fb3a.dll Search for this file and delete if found!

    Next, run CCleaner to clean up cookies and temp files.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

    • Disable and Re-enable System Restore
    • Turn OFF System Restore to flush any bad Restore Points.
    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility, which will create a fresh restore point.

    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now and if possible try to run GetRunKeys and ShowNew.
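The fix list above is a typical HijackThis triage: orphaned registrations marked "(file missing)", browser search/start pages reset to about:blank or emptied, and a Run key that launches a bare DLL through rundll32 under an auto-generated-looking value name. The following is an added example, not a tool from this thread or from the HijackThis project, that encodes those patterns as rules and runs them over the log lines quoted in the post (plus two constructed benign entries, ctfmon and crypt32chain, to show what is not flagged). The thresholds in `looks_generated` are this example's own choices.

```python
"""Rule-based triage of HijackThis (HJT) log lines.

Added example for this thread, not a tool from the original posts. The
rules encode the kinds of entries the helper singled out for fixing:
registrations marked "(file missing)" (O2 BHOs, O20 Winlogon Notify),
browser settings emptied or reset to about:blank (R0/R1), and Run-key
entries (O4) that launch a bare DLL through rundll32 or carry an
auto-generated-looking value name. The sample log reuses lines from the
post plus two constructed benign entries to show what is not flagged.
"""
from __future__ import annotations

import re

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {A94C890F-E09F-4449-A1AE-00ED20F213A4} - C:\Program Files\MSN\hozemod.dll (file missing)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [vpyd782b] RUNDLL32.EXE w031fb3a.dll,n 002d78290000000a031fb3a
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\kfdhela3.dll (file missing)
O4 - HKLM\..\Run: [CTFMON] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
"""

# O4 - <hive\..\Run>: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# R0/R1 - <registry key>,<value name> = <data>   (data may be empty)
BROWSER_RE = re.compile(r"^R[01] - (?P<key>.+?) = ?(?P<value>.*)$")


def looks_generated(name: str, cmd: str) -> bool:
    """Heuristic (this example's own): an alphanumeric value name mixing at
    least two digits and two letters that does not also appear in the
    command it launches, e.g. vpyd782b."""
    if not name.isalnum():
        return False
    digits = sum(ch.isdigit() for ch in name)
    letters = sum(ch.isalpha() for ch in name)
    return digits >= 2 and letters >= 2 and name.lower() not in cmd.lower()


def triage_line(line: str) -> list[str]:
    """Return the rule names a single HJT line trips (empty list if clean)."""
    line = line.strip()
    reasons: list[str] = []
    if not line:
        return reasons
    if line.endswith("(file missing)"):
        reasons.append("orphaned registration: target file missing")
    m = BROWSER_RE.match(line)
    if m:
        value = m.group("value").strip()
        if value == "" or value.lower() == "about:blank":
            reasons.append("browser setting emptied or reset to about:blank")
    m = RUN_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        tokens = cmd.split()
        if tokens and tokens[0].lower() in ("rundll32", "rundll32.exe"):
            # rundll32 takes "<dll>,<entrypoint>"; a DLL with no directory
            # component is located via the loader search path.
            dll = tokens[1].split(",")[0] if len(tokens) > 1 else ""
            if "\\" not in dll:
                reasons.append("rundll32 loading a bare DLL name via the search path")
        if looks_generated(name, cmd):
            reasons.append("auto-generated-looking Run value name")
    return reasons


def triage_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every line of an HJT log that tripped a rule."""
    flagged = []
    for line in text.strip().splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for hit, why in triage_log(SAMPLE_LOG):
        print(hit)
        for reason in why:
            print("   ->", reason)
```

The rules are deliberately narrow: the `[outlook]` entry under C:\Program Files\outlook, the `MSConfig /auto` Run value and the `ProxyOverride = 127.0.0.1` line were all put on the fix list by the helper but trip none of these rules, which is the usual state of affairs with HJT logs; the script shortens the read, it does not replace the judgement call.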
     
  7. Psycho_Sam

    Psycho_Sam Private E-2

    Ok I have followed all those steps. I am getting 'Update.exe - Unable to Locate Component' "This application has failed to start because services.dll was not found. Re-installing this application may fix this problem" on startup. I think this must be to do with the virus?

    Everything else seems to work ok now. Getrunkeys and ShowNew still give the same error. Here is the HiJack This log.
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we do anything else, I need you to do a search for the below file. Be sure the viewing of hidden files and folders is enabled.

    Search for the file regedit.com and delete if found. Also, manually look in the following locations and see if you can locate it.

    • C:\WINDOWS
    • C:\WINDOWS\System32
    It may or may not exist, let me know what you find out.
     
  9. Psycho_Sam

    Psycho_Sam Private E-2

    Ah ha yes I found it in the system32 folder. I can now run GetRunKeys and ShowNew :)
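Why a file called regedit.com in System32 broke two batch files that only ever asked for `regedit`: cmd.exe resolves a bare command name by walking the PATH directories in order and, inside each directory, trying the name with each extension from PATHEXT in order. The default PATHEXT begins `.COM;.EXE;...`, so regedit.com in the same directory is chosen ahead of regedit.exe, and whatever is in that planted file is what runs. The script below is an added example, not a tool from this thread or from MajorGeeks, that simulates that search order over a constructed directory listing shaped like the infected machine and reports every executable whose bare name would resolve to something other than its .exe. The PATH and listing are assumptions for the demonstration, not data from the poster's system.

```python
"""Simulate cmd.exe command resolution to show how a dropped regedit.com
pre-empts regedit.exe.

Added example for this thread, not a tool from the original posts. cmd.exe
searches each PATH directory in order and, inside a directory, tries the
bare name with every PATHEXT extension in order. The default PATHEXT lists
.COM before .EXE, so a regedit.com placed beside regedit.exe wins whenever
a batch file or prompt runs plain "regedit". The PATH and directory
listing below are constructed to mirror the thread, not taken from the
victim machine.
"""
from __future__ import annotations

# Default PATHEXT order on Windows XP/2003; only the .COM-before-.EXE
# ordering matters for this demonstration.
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH")

# Constructed listing: a regedit.com sitting next to the legitimate
# regedit.exe in System32, plus a few normal executables.
PATH_DIRS = [r"C:\WINDOWS\system32", r"C:\WINDOWS"]
LISTING = {
    r"C:\WINDOWS\system32": {"regedit.exe", "regedit.com", "cmd.exe", "notepad.exe"},
    r"C:\WINDOWS": {"regedit.exe", "explorer.exe", "notepad.exe"},
}


def _index(listing: dict[str, set[str]]) -> dict[str, dict[str, str]]:
    """Map each directory to {lower-cased name: name as stored} so lookups
    are case-insensitive like the Windows file system."""
    return {d: {f.lower(): f for f in files} for d, files in listing.items()}


def resolve_command(name: str, path_dirs: list[str], listing: dict[str, set[str]],
                    pathext: tuple[str, ...] = DEFAULT_PATHEXT) -> str | None:
    """Return the file cmd.exe would run for the command `name`, or None.

    A name that already carries an extension is matched literally; otherwise
    the PATHEXT extensions are appended in order. PATH order outranks
    PATHEXT order, exactly as in cmd.exe.
    """
    idx = _index(listing)
    candidates = [name] if "." in name else [name + ext for ext in pathext]
    for d in path_dirs:
        files = idx.get(d, {})
        for cand in candidates:
            hit = files.get(cand.lower())
            if hit is not None:
                return d.rstrip("\\") + "\\" + hit
    return None


def find_extension_shadowing(path_dirs: list[str], listing: dict[str, set[str]],
                             pathext: tuple[str, ...] = DEFAULT_PATHEXT) -> dict[str, str]:
    """Find .exe stems whose bare name resolves to a non-.exe file.

    Returns {stem: resolved_path}. An .exe that is merely outranked by the
    same .exe in an earlier PATH directory is normal and not reported; a
    stem that resolves to a .com/.bat/.cmd is the regedit.com pattern.
    """
    stems = {f[:-4].lower() for files in listing.values()
             for f in files if f.lower().endswith(".exe")}
    shadowed = {}
    for stem in sorted(stems):
        target = resolve_command(stem, path_dirs, listing, pathext)
        if target is not None and not target.lower().endswith(".exe"):
            shadowed[stem] = target
    return shadowed


if __name__ == "__main__":
    print("regedit     ->", resolve_command("regedit", PATH_DIRS, LISTING))
    print("regedit.exe ->", resolve_command("regedit.exe", PATH_DIRS, LISTING))
    for stem, target in find_extension_shadowing(PATH_DIRS, LISTING).items():
        print(f"shadowed: {stem} resolves to {target}")
```

The same check against a live machine is just a directory listing of each PATH entry fed into `find_extension_shadowing`; the point of the simulation is that spelling out `regedit.exe` sidesteps the planted file, which is why the helper's search-and-delete for regedit.com, rather than any change to the batch files, was the right fix.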
     
  10. Psycho_Sam

    Psycho_Sam Private E-2

    I also got an icon problem since the virus: now, instead of icons having transparent backgrounds, they have white ones. Is there a way to get them back to normal? It won't let me do it in Display.
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach the GetRunKey and ShowNew logs. Yeah, we can remove those backgrounds, first let's address all of your problems.
     
  12. Psycho_Sam

    Psycho_Sam Private E-2

    Here you go :)
     


  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the "Delete on Reboot" option. Copy & paste each of the file names listed below into the box one by one, making sure Delete on Reboot is checked for each entry. Click the Red X for each entry, but DO NOT allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you complete this post let me know how things are running.
     
  14. Psycho_Sam

    Psycho_Sam Private E-2

    Ok followed those orders. Nothing has gone wrong yet :) Whats next :D
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Right-click on your Desktop and select Properties. Go to the Desktop tab and click on the button "Customize". Once you're in here, click on the "Web" tab. Once in here, uncheck anything listed.

    If that does not work then exit that and go back to the "Appearance" Tab and click the "effects" button. Now uncheck the box "Show shadows under menus".

    Let me know if this works.
     
  16. Psycho_Sam

    Psycho_Sam Private E-2

    Ok thanks my icons are now working normally :D

    Thanks for all your help!
     
  17. Psycho_Sam

    Psycho_Sam Private E-2

    Still seem to have some problems :S Downloads seem to take ages to start up and PC seems to be running slightly slower than normal. It might be me being paranoid but I am not sure.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  19. Psycho_Sam

    Psycho_Sam Private E-2

    Spybot came up with a few things which I deleted. Here is my latest HJT log if you be so kind just to see if anything suspicious is running.
     


  20. Psycho_Sam

    Psycho_Sam Private E-2

    *EDIT*

    I just remembered I am also getting 'Update.exe - Unable to Locate Component' "This application has failed to start because services.dll was not found. Re-installing this application may fix this problem" on startup. This never happened before my infection.
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Did you run SS as requested? Did you save the log? I didn't request Spybot to be run, only SS as a precaution.

    If you ran SS and saved the log please attach it to your next post.
     
  22. Psycho_Sam

    Psycho_Sam Private E-2

    Firstly, the link in the post you referred me to does not link to the downloader. However, I found Spy Sweeper and installed it.

    I started the sweep, left it for two hours, and it had still not scanned a single file. I tried to stop the scan and close the program but all it does is crash my computer. The program seems to be a dud :S
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I just noticed that, we are working on it trying to figure out what's wrong with the link.

    You can go ahead and uninstall Spy Sweeper and fix the below items with HJT. Once you complete this, run CCleaner once more. Then reboot and let me know how things are running.

    O2 - BHO: (no name) - {A94C890F-E09F-4449-A1AE-00ED20F213A4} - C:\Program Files\MSN\hozemod.dll (file missing)

    O4 - HKCU\..\RunOnce: [SpySweeperUninstallSurvey] http://products.webroot.com/disp0201.php?pc=64021&rc=4971&ps=T&oc=33&mjv=5&mnv=0 &bld=1287&cd=&dcc=&drc=&mo=&sid=&lang=en&loc=GBR&opi=2&omj=5&omn=1&rsc=
     
  24. Psycho_Sam

    Psycho_Sam Private E-2

    Ok done that but I am still getting the same error on startup.
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Once you complete my last let me know if you still get the error.
     
  27. Psycho_Sam

    Psycho_Sam Private E-2

    Nothing happened
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Nothing happened as in you're not getting the error still, or nothing happened as in it didn't work?
     
  29. Psycho_Sam

    Psycho_Sam Private E-2

    It didn't work
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a fresh GetRunKey log.
     
