a little help please...

Liam-M · #1 (**permalink**) 17-06-2006, 01:59 PM

Hello all,
My first post here, and I'll get down to it. Was browsing the net yesterday using forefox, had to leave in a rush, and when I came back a few hours later there was many pop-ups which i got rid of, it took far longer than it should have, then it froze.
Anyway, when I restarted, the desktop backround and the mouse cursor were the only things visible, pressing ctrl+alt+delete brought up task manager, and there seemed to be no out of place processes running, but it was going really slow, the CPU usage was constanly at 100%.
The only way to access it is by starting in safe mode and logging in as administrator. In this mode I have already run spyware doctor, ewido, ad-aware SE and smitfraudfix. Spybot SD will not work as it needs an internet connection to work initially and I can only start in safe mode so...no go for that. After running all these, quite a few infections were found and removed but the problem still occurs, all I get is desktop image and mouse cursor.
Then I used HJT and removed everthing dodgy looking (have been using it for a few months now, I know I should have posted a log then but i stupidly didnt). Here is a HJT log i just done, hope someone can help:

Logfile of HijackThis v1.99.1
Scan saved at 13:50:57, on 17/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Hijckthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SU B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Hijckthis\HijackThis.exe /startupscan
O4 - Global Startup: 54 Mbps Wireless Configuration Utility.lnk = ?
O20 - Winlogon Notify: MCD - C:\WINDOWS\system32\m664lgjq16oe.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VG9ueSBCdXJucw\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Regards,
Liam

Neal · #2 (**permalink**) 17-06-2006, 11:33 PM

Welcome to DAL,

Was your HJT log done from safe mode? Can you post one from normal mode? In the mean time...

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find Command Service.

Click once on the service to highlight it.

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

Run HijackThis -> config -> misc tools -> delete an NT service
In the box, type or copy/paste : cmdService or command service
then ok.

Reboot

Please download Look2Me-Remover.exe by Atribune to your desktop.

Close all windows before continuing.
Double-click Look2Me-Remover.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new...b/MSWINSCK.OCX

I really need to see an ewido scan log. Thanks.

Open Hijackthis.

Click the "Open the Misc Tools" section Button.

Click the "Open Uninstall Manager" Button.

Click the "Save list..." Button.

Save it to your desktop. Copy and paste the contents into your reply.

Liam-M · #3 (**permalink**) 18-06-2006, 09:22 AM

Hello Neal,
Was about to start about how I cant get HJT running in normal mode etc but that Look2Me has done the trick! Thanks ever so much, don't have to format my laptop now, phew.

Thanks,
Liam

Neal · #4 (**permalink**) 18-06-2006, 09:26 PM

I would post a new hijackthis log just in case there is more to do.