Darn Trojans Don't play Nice

Discussion in 'Malware Help (A Specialist Will Reply)' started by drexx21, Nov 28, 2006.

  1. drexx21

    drexx21 Private E-2

    I was infected by 3 Trojans that caused multiple problems on my PC.
    I followed the Read and Run Me First stuff
    and I got a lot of those nasty buggers out.
    BitDefender did not work, but the others seemed to do well.

    My system still runs pretty slow, but I think this has to do with all the crap in the start-up menu.
    Beyond that there still seems to be stuff that I don't think is right.
    "Stuff" is not a logical computer term, but it encompasses the relative feeling that the computer is just not running as well as it used to.

    My icons, for instance, still show the opaque box around the letters. I have searched this problem and have gone into
    My Computer/Properties/Advanced/Performance Settings etc.,
    but it did not fix the problem. (I attached a picture.)
    Interesting point: while in safe mode I was able to fix the problem, but when I boot normally the opaque icons problem is still there. But when I create a new user those icons are fine.

    Is there still something crazy going on???
    Please give any help you can.

    Thank you
    Dan
    "inviter of Trojans"
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You have some nasty stuff installed including a rootkit.

    Download, install, and run a scan with Prevx1 and allow it to fix what it finds. Attach any logs you can from it.


    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT
     
  3. drexx21

    drexx21 Private E-2

    chaslang,

    ok,
    I downloaded Prevx1 and it ran. It found STUB_MM3.EXE but that was it.
    I copied the log file from the Prevx log file. It's huge.

    And then I ran the other programs and attached the logs.

    I thought Prevx might find more bad stuff based on your post.
    Did I do something wrong?
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! I guess they just are not as good as they advertise. Did you get updates before scanning?

    Run this tool, about:Buster, using the instructions on the download page. Attach the log when finished. Then continue on to the next steps.


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Let's continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,supmkos.exe
    O2 - BHO: (no name) - {754515CD-5059-4133-B6D5-3757DD84D6C0} - (no file)
    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Dan.DANNO\Application Data\Dxcuknwrd.dll
    C:\165.exe
    C:\dxva.log
    C:\mpnaaq7.exe
    C:\yz02.exe
    C:\WINDOWS\stub_mm3.exe
    C:\WINDOWS\cfg32p.dll
    C:\WINDOWS\system32\supmkos.exe
    C:\WINDOWS\system32\lzx32.sys
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Common Files\{7941CCA4-05D8-1033-0602-051222200001}

    Also delete all files and subfolders in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Dan.DANNO\Local Settings\Temp

    Now run this procedure: Using Sophos Anti-Rootkit

    Now attach the below new logs and tell me how the above steps went.

    1. sarscan.log from Sophos
    2. GetRunKey
    3. ShowNew
    4. HJT
    Make sure you tell me how things are working now!
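
The Userinit hijack in the F2 line and Killbox's Delete on Reboot step, as an added PowerShell example that is not part of the thread or of HijackThis/Killbox. It assumes a current Windows with PowerShell 5 or later running elevated; the function names are mine, and the file paths in the usage lines are the ones listed in the post above, used only as sample input. It lists anything Winlogon will run from Userinit besides the stock userinit.exe, queues files for deletion at the next boot through MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which is the mechanism behind the PendingFileRenameOperations prompt Killbox warns about, and prints the resulting queue so you can check it before rebooting.

```powershell
# Added example (not from the thread, HijackThis or Killbox). Run elevated on PowerShell 5+.
$Winlogon      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SessionMgr    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$StockUserinit = Join-Path $env:windir 'system32\userinit.exe'

function Get-UserinitExtras {
    # Winlogon runs every comma-separated entry of Userinit at logon, so an appended
    # supmkos.exe (the F2 line in the HJT log) is started in the user's session.
    # Returns the entries that are not the stock userinit.exe; an empty result is clean.
    $raw = (Get-ItemProperty -Path $Winlogon -Name Userinit).Userinit
    $raw -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -and $_ -ne $StockUserinit }   # -ne is case-insensitive
}

function Repair-Userinit {
    # What HJT's "Fix" does for the F2 line: restore the stock value, trailing comma included.
    Set-ItemProperty -Path $Winlogon -Name Userinit -Value "$StockUserinit,"
}

# MoveFileEx with a null destination and MOVEFILE_DELAY_UNTIL_REBOOT records the delete in
# PendingFileRenameOperations; Session Manager carries it out at the next boot, before any
# user-mode process (or anything hooking user-mode processes) is running.
$Kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Add-DeleteOnReboot {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "not present, skipped: $p"; continue }
        $ok = $Kernel32::MoveFileEx($p, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
        if (-not $ok) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "MoveFileEx failed for $p (Win32 error $err)"
        }
    }
}

function Get-PendingFileRenameOperations {
    # REG_MULTI_SZ of (source, destination) pairs; an empty destination means delete.
    $v = (Get-ItemProperty -Path $SessionMgr -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    for ($i = 0; $i -lt $v.Count; $i += 2) {
        [pscustomobject]@{
            Source      = $v[$i] -replace '^\\\?\?\\', ''
            Destination = if ($v[$i + 1]) { $v[$i + 1] -replace '^\\\?\?\\', '' } else { '<delete>' }
        }
    }
}

# Usage (paths from the thread, as sample input):
Get-UserinitExtras
Add-DeleteOnReboot -Path 'C:\WINDOWS\system32\supmkos.exe', 'C:\WINDOWS\system32\lzx32.sys', 'C:\165.exe'
Get-PendingFileRenameOperations | Format-Table -AutoSize
```

Two caveats. Test-Path goes through the normal file-system calls, so a kernel rootkit that hides its files makes them look absent; if a scanner reported a path that Test-Path cannot see, queue it anyway by dropping that check. And a stale entry in PendingFileRenameOperations for a file that no longer exists is harmless, so leaving the queue in place until the reboot is fine.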
     
  5. drexx21

    drexx21 Private E-2

    Prevx was up to date and it found 165.exe and mpnaaq7.exe.

    There was no way for me to update About:Buster; the only option is Run.
    That is, until it ends and there are some tabs, but I couldn't find an update button. Did I miss something?
    Anyway, I ran About:Buster and it found nothing.

    Removed Runtime 5.0 Update 6 and reinstalled the current version.

    Completed this.

    Completed the fixme.reg.

    Ran Killbox and completed the directions.
    I received no message and the PC rebooted itself.

    There were no files in C:\Program Files\Common Files\{7941CCA4-05D8-1033-0602-051222200001}

    Then I deleted the files in C:\Documents and Settings\Dan.DANNO\Local Settings\Temp.


    Ran the anti-rootkit and attached the logs.

    How are things working?
    The icon problem still persists.
    The PC is slow on start-up, but this could be because of all the new antivirus/spyware programs we are using.
    Should I uninstall them when I am done using them?

    Having a lot of hang-ups: when I click and drag something it's slow to respond and has many after-images. Image attached (multiple1.jpg).
    When I click on a button (one that normally only needs to be clicked once), sometimes it does not respond right away.

    I have put together a 2nd fresh PC to help me flush out problems.
    (I know enough about PCs to be a danger to myself.)
    Compare processes in Windows Task Manager:
    problem PC has 44 processes running and 489 MB committed
    newly built PC has 22 processes running and 188 MB committed

    Of course the new build has only Norton Antivirus on it.


    I babble; I will shut up now.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I had a typo in the last one so I'm going to repost a corrected one below to rerun.

    Right now I want you to just uninstall Prevx because I want to get one more scan from CounterSpy. I'm concerned because it keeps finding things. I will ask you to run it again later in the below procedure.

    Let's see if this improves after we finish all cleaning.

    Every PC is different and what you have running is mostly a result of what you have installed or what came with the PC. Most people run lots of things they will never need and never use just because it came with the PC or because it got set up that way when they installed some application (i.e., qttask.exe for QuickTime, which I'm removing below).

    The below items are all running on your problem PC! Are they also installed and running on the other PC??????
    You cannot compare apples to oranges. If both PCs are the same PC requiring the same drivers and if they both have the exact same software installed, then you can compare the process list.

    Why were you running this C:\Program Files\nbpro\nbpro.exe when you got your HJT log?


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run a new scan with CounterSpy and save another log.

    Now reboot and continue


    Now attach the below new logs and tell me how the above steps went.

    1. CounterSpy
    2. GetRunKey
    3. ShowNew
    4. HJT
    Make sure you tell me how things are working now!
     
  7. drexx21

    drexx21 Private E-2

    OK, still have the icon problem, but I created a new user, Dannoo, and the problem does not carry over to the new user; it stays with Dan.

    I uninstalled Prevx and ran CounterSpy.
    Attached log.

    I built both PCs so any programs are ones I added, unless it was added unknowingly with another program.

    Can I stop any of these, or will it stop the program from running?
    For instance acrotray.exe: if I stop that, will Acrobat still work?
    Don't know what Share-to-Web is; it must have come when I loaded the drivers for the HP printer.
    Running processes:
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe e.exe


    Got rid of them.
    Cool, I could never get qttask to go away.

    Did the regedit.

    Finished the logs and attached them.

    After I was done the first start-up took a long time,
    but that could be from the changes, and from stuff that still needs to be cleaned up, plus CounterSpy trying to download updates (takes a lot of processor).

    But this is an assumption on my part,
    and you know what they say about assuming.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's up to you, whether you need the features. Why did you install them to begin with? For example, cdac11ba.exe is a process belonging to Macrovision SafeCast copy-protection software. This piece of software allows manufacturers to protect their products from illegal duplication. What game or software did you install that requires this?

    Why did you install FarStone if you don't need it?
    Why did you install all the HP printer or scanner photo imaging software if you don't need it?

    These are not malware issues. You have to research what the processes are actually used for and whether they are needed by you. Everyone uses their PC differently and wants different features. We cannot decide what you need or do not need in this area.


    You can uninstall the CounterSpy trial now.


    Download the Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    CMDSERVICE

    Press 'OK'

    The search will run for a while then alert you when it is finished.

    Press 'OK' and copy the contents of the WordPad window and post in this thread.
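
What regsrch.vbs does, as an added PowerShell example rather than the thread's own tool: a case-insensitive search of key names, value names and value data under a set of hives. Keys that cannot be opened are skipped instead of aborting the run, which matters here because keys the malware has locked down are exactly the ones being hunted. It assumes PowerShell 5 or later; the function name and the default hive list are mine, not from the page.

```powershell
function Find-RegistryString {
    param(
        [Parameter(Mandatory)][string]$Pattern,                          # regex, matched case-insensitively
        [string[]]$Root = @('HKLM:\SYSTEM', 'HKLM:\SOFTWARE', 'HKCU:\')  # assumed default, not from the thread
    )
    foreach ($r in $Root) {
        # Keys we cannot open (access denied, as with the locked LEGACY_* keys) are skipped, not fatal.
        Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = '<key name>'; Data = $key.PSChildName }
            }
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $text = $data -join ' '      # REG_MULTI_SZ and REG_BINARY become one searchable string
                if ($name -match $Pattern -or $text -match $Pattern) {
                    [pscustomobject]@{
                        Key   = $key.Name
                        Value = if ($name) { $name } else { '(Default)' }
                        Data  = $text
                    }
                }
            }
        }
    }
}

# Usage: the same search the post above asks for
Find-RegistryString -Pattern 'CMDSERVICE' | Format-Table -AutoSize
```

Expect hits to show up more than once under HKLM\SYSTEM: CurrentControlSet is a link to one of the ControlSet00N keys, so the same key appears under both names. A search like this runs in user mode through the normal registry API, so a kernel-mode rootkit that filters registry enumeration can hide keys from it, which is why the thread also runs dedicated rootkit scanners.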
     
  9. drexx21

    drexx21 Private E-2

    OK, I ran regsrch.vbs.
    Attached is the log.

    I have also rebooted the PC with all but two of the previously stated start-ups and it seems to have helped in the speed area. (I had forgotten that one of your first instructions was to do a normal start-up, so everything that I had ever disabled through msconfig was running again.)

    Unfortunately the icon issue is still there.
    What do you think is up with that?


    One good thing has come from the Trojans: I have gained
    a little more knowledge about the inside workings of my PC.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure. It is not caused by any current malware problem, but it is possible that some particular registry setting was corrupted at some point.

    The CMDSERVICE item in your registry is still there. The below may or may not work. We may need a special step to remove it.

    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now run the RegSrch procedure again and attach a new log. If those lines still appear, I will give you another method to remove them.
     
  11. drexx21

    drexx21 Private E-2

    Am I supposed to copy REGEDIT4 as well?
    because I copied all the bold text.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, that is what you were supposed to do. If you left out REGEDIT4, you would have received an error message when you tried to add it to the registry. It did not work. We will have to use the other method, which requires taking ownership of the registry keys. The malware is blocking you from deleting the keys because it changed the ownership so that you are not allowed to touch them.


    Please download and install Registrar Lite Make sure you select a Majorgeeks download link and not the Authors!

    Run Registrar Lite navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).


    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE


    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixWLK.reg REGISTRY PATCH that you previously downloaded.
    • Tell me the results. Any error messages? Or do you get a success message?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, right click on it and select Delete. Let me know if you have to do this and if you get any error messages at this point.
    Then reboot your PC!

    Now repeat the search using RegSrch and attach a new log.

    If this does not work, we may need to repeat taking ownership but at a higher level up the registry key tree structure.
     
  13. drexx21

    drexx21 Private E-2

    Downloaded Registrar Lite
    and followed the directions. Ran fixWLK.reg again and then checked Reglite.

    They are still there and I receive an access denied when I try to manually remove them.
    I guess we have to move up the tree??
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's give it a try! Make sure you follow these steps very carefully. Notice the difference in the steps from last time.


    Run Registrar Lite navigate to each of the following keys (one at a time) and take ownership of them (I explained how to do that further down).


    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixWLK.reg REGISTRY PATCH that you previously downloaded.
    • Tell me the results. Any error messages? Or do you get a success message?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the BELOW keys and check to see if they were deleted.
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
    • If any of the keys still exist, right click on it and select Delete. Let me know if you have to do this and if you get any error messages at this point.
    Then reboot your PC!

    Now repeat the search using RegSrch and attach a new log.
     
  15. drexx21

    drexx21 Private E-2

    OK,
    I have followed your instructions.
    Took ownership of
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

    Ran fixWLK.reg
    REGEDIT4
    I get a successful message.
    In Reglite I search for the three problems and they are still there.
    I attempt to delete them and I receive an error: access denied.

    Still no go.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't use RegSrch like you just did. Search only for CMDSERVICE as instructed in message number 8.

    When you try to take ownership of each key in Registrar Lite, what message do you receive?

    Download the current version of ShowNew.

    Please attach new logs from GetRunKey, ShowNew, and HJT.
     
  17. drexx21

    drexx21 Private E-2

    When I used Reglite to take ownership, each time it said
    user dan has successfully taken ownership of HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
    user dan has successfully taken ownership of
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002
    user dan has successfully taken ownership of
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet

    Then I ran fixWLK.reg and I receive
    Information in c:\documents and settings\dan.DANNO
    desktop\fixWLK.reg has been successfully entered into the registry

    Then I pasted HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE into the address bar of Registrar Lite and hit the Enter key, and it is still there. I try to delete it and I receive an access denied.

    RegSrch log attached: dec4souttmp154128.tmp.txt
    The zip has the other logs.
    Oh, and in msconfig start-up I turned off everything but nvcpl and ctfmon.
    This made the start-up faster. I guess I can get rid of them for good later if they are not necessary.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything!

    Paste the below into the address bar of Registrar Lite:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001

    Then click Security and select Edit Permissions

    In the part of the form labeled Group or user names:, what names do you see in that box?

    When you select your user name ( dan ) from the list (assuming it is still in the list), tell me what you see in the lower part of the form labeled Permissions for dan

    I want to know what is checked and unchecked in the Allow and Deny columns.
    Code:
     
                                           Allow          Deny
    Read
    Full Control
    Special Permissions
    
    Do the same at the next level higher: HKEY_LOCAL_MACHINE\SYSTEM
     
  19. drexx21

    drexx21 Private E-2

    sorry here they are
     

    Attached Files:

  20. drexx21

    drexx21 Private E-2

    i have pictures of what you asked for.

    controlset001.jpg shows all five group or user names (I didn't know there were that many) for
    HKEY_LOCAL_MACHINE\SYSTEM


    system.jpg shows all five group or user names for HKEY_LOCAL_MACHINE\SYSTEM
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And when you are logged in trying to fix this, what user account name is used and what user group are you a member of.
     
  22. drexx21

    drexx21 Private E-2

    Right now there is only one user when I am logged off.
    Dan is the only user that can be signed into. The only time this is different is when I am in safe mode, where there are Administrator and Dan.

    When I open My Computer and navigate to Documents and Settings this is what I see:
    C:\Documents and Settings
    +administrator
    +All Users.WINDOWS
    +Dan.DANNO
    +Default user.WINDOWS
    +Localservice
    +Localservice.NT AUTHORITY
    +NetworkService
    +Networkservice.NT AUTHORITY

    Dan is set up to be an administrator.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall Windows Defender and SpywareGuard and then try the previous fixes. If they still do not work, keep Windows Defender and Spyware Guard uninstalled and run thru the below procedure.

    Please download and unzip Ren-cmdservice to your desktop.
    It will only work correctly if the folder is placed on your desktop and extracted.

    http://downloads.subratam.org/Lon/ren-cmdservice.zip

    Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
    ren-cmdservice.bat file to run the program.

    A text will open when it is finished, Please attach it here.

    Then reboot your PC and run Spybot; check for and fix any problems found. Save a log from Spybot and attach it here too.
     
  24. drexx21

    drexx21 Private E-2

    sorry but Uninstall Windows Defender and SpywareGuard.
    don't see them anywhere in add remove programs. am i missing something?
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! No you don't have them installed. I forgot to edit that text out of the message. The message was a boilerplate I had saved and used in other threads at some point. I normally edit it to replace Windows Defender and SpywareGuard with whatever protection software programs are still installed. Just ignore that sentence and continue.

    I really think this is still related to a permissions issue in the registry and I'm not sure why it is not allowing the keys to be deleted after it allows you to take ownership. We may have to Edit Permissions and add a new Group/user name Everyone and give it full permission for the problem keys and then see if we can remove them. But first let's see the results from the steps in message # 23.
     
    Last edited: Dec 6, 2006
  26. drexx21

    drexx21 Private E-2

    Sorry, I was painting someone's house.

    So I ran Spybot and it came up clean, but I can't remember how to get its log.

    I also ran ren-cmdservice and I attached the log.

    But the stuff is still there when I ran Reglite.
     

    Attached Files:

    • tmp.txt (148 bytes)
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! You can come do mine next. ;)

    Let's try something slightly different. After this I may be out of ideas.

    • Click Start, Run and enter regedit and click OK.
    • Navigate to HKEY_LOCAL_MACHINE\SYSTEM
    • Right click on HKEY_LOCAL_MACHINE\SYSTEM and select Permissions
    • In the next window to open click the Add button
    • In the next window to open type Everyone and click OK
    • Now you will be back on the Security tab of the Permissions for SYSTEM window. Under the Group or user names area there should now be an Everyone entry. Select Everyone if not already selected (it should be selected by default)
    • Now in the lower form a title of Permissions for Everyone should appear. In the Allow column select the Full Control check box. This will cause checks to appear in both the Full Control box and the Read box.
    • Click the Apply button and then click OK
    • Now you should be back to the HKEY_LOCAL_MACHINE\SYSTEM registry key.
    • Now navigate one at a time to each of the below keys and right click on them and select Delete. Tell me later what happens and if you get any error messages tell me exactly what they say and for which key(s).
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE
      • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
    • After deleting each key, now click the View menu selection at the top and then select Refresh.
    • Now navigate back to each key (one at a time)! Are they gone?
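
The ownership, permissions and delete steps from messages #12, #14, #18 and #27, as one added PowerShell script that is not from the thread or from Registrar Lite. It assumes PowerShell 5 or later in an elevated session; the function names are mine, and the three LEGACY_CMDSERVICE paths are the ones from the posts above. It first dumps the owner and the Allow/Deny entries of each key (what message #18 asks the poster to read off the dialog), then takes ownership with only WRITE_OWNER access, which works for an administrator even when the DACL grants nothing, grants Administrators Full Control, strips every explicit Deny entry (a Deny wins over any Allow, which is why taking ownership alone left the poster with access denied), repeats that for each subkey, and finally deletes the tree. It deliberately grants Administrators rather than Everyone, and only on the problem keys rather than all of HKLM\SYSTEM.

```powershell
# Added example (not from the thread or Registrar Lite). PowerShell 5+, elevated.
$Hklm    = [Microsoft.Win32.Registry]::LocalMachine
$Admins  = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')   # BUILTIN\Administrators
$Targets = @(
    'SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE',
    'SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE',
    'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE'
)

function Resolve-Sid([System.Security.Principal.IdentityReference]$Id) {
    try { $Id.Translate([System.Security.Principal.NTAccount]).Value } catch { $Id.Value }   # orphaned SID: show raw
}

function Show-KeyAcl {
    # Owner plus Allow/Deny entries, the information message #18 asks for.
    param([string]$SubKey)
    try {
        $k = $Hklm.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                              [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    } catch { Write-Warning "HKLM\$SubKey`: $($_.Exception.Message)"; return }
    if (-not $k) { Write-Warning "HKLM\$SubKey not found"; return }
    $acl = $k.GetAccessControl()
    "HKLM\$SubKey  owner=$(Resolve-Sid $acl.GetOwner([System.Security.Principal.SecurityIdentifier]))  inheritanceBlocked=$($acl.AreAccessRulesProtected)"
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        '  {0,-5} {1,-35} {2}' -f $ace.AccessControlType, (Resolve-Sid $ace.IdentityReference), $ace.RegistryRights
    }
    $k.Close()
}

function Unlock-Key {
    param([string]$SubKey)
    # 1. Open with WRITE_OWNER only. A fresh RegistrySecurity with just the owner set persists only the
    #    owner section, so no READ_CONTROL is required, and .NET enables SeTakeOwnershipPrivilege for the
    #    call: an administrator can take ownership even when the DACL grants them nothing at all.
    $k = $Hklm.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                          [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if (-not $k) { return }
    $sec = [System.Security.AccessControl.RegistrySecurity]::new()
    $sec.SetOwner($Admins)
    $k.SetAccessControl($sec)
    $k.Close()

    # 2. The owner implicitly holds READ_CONTROL and WRITE_DAC: drop explicit Deny ACEs and add Full Control.
    $k = $Hklm.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                          [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
                          [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $sec = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    foreach ($ace in $sec.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Deny') { [void]$sec.RemoveAccessRuleSpecific($ace) }
    }
    $sec.AddAccessRule([System.Security.AccessControl.RegistryAccessRule]::new(
        $Admins, 'FullControl', 'ContainerInherit', 'None', 'Allow'))
    $k.SetAccessControl($sec)
    $k.Close()

    # 3. LEGACY_* keys carry subkeys (0000, Control) that can be locked the same way; unlock them too.
    $k = $Hklm.OpenSubKey($SubKey)
    foreach ($child in $k.GetSubKeyNames()) { Unlock-Key "$SubKey\$child" }
    $k.Close()
}

function Remove-LockedKey {
    # Message #27's delete step, after unlocking the key and its children.
    param([string]$SubKey)
    try {
        Unlock-Key $SubKey
        $parent = Split-Path -Path $SubKey -Parent
        $leaf   = Split-Path -Path $SubKey -Leaf
        # Parent opened read-only: RegDeleteKey needs DELETE on the target, not write access on Enum\Root.
        # ReadWriteSubTree only marks the handle so .NET allows DeleteSubKeyTree on it.
        $pk = $Hklm.OpenSubKey($parent, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                               [System.Security.AccessControl.RegistryRights]::ReadKey)
        $pk.DeleteSubKeyTree($leaf, $false)
        $pk.Close()
        [pscustomobject]@{ Key = "HKLM\$SubKey"; Deleted = (-not $Hklm.OpenSubKey($SubKey)); Error = $null }
    } catch {
        [pscustomobject]@{ Key = "HKLM\$SubKey"; Deleted = $false; Error = $_.Exception.Message }
    }
}

# Usage: inspect first, then unlock and delete
$Targets | ForEach-Object { Show-KeyAcl $_ }
$Targets | ForEach-Object { Remove-LockedKey $_ } | Format-Table -AutoSize
```

Three things to keep in mind when reading the results. CurrentControlSet is a link to one of the ControlSet00N keys, so the third target is usually gone by the time the script reaches it. A LEGACY_<name> key under Enum\Root is created by the kernel for a legacy driver or service of that name and is recreated at boot while that service is still registered, so its removal is only final once the service entry and its driver file are gone too. And if every step here reports success yet the key persists or reappears on the next read, something below the registry API is interfering, which is what the rootkit scanners in the thread are for.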
     
