# Command.exe virus help!



## Groff (Feb 18, 2008)

My sister has been complaining forever that her desktop has been running slow, and I finally got a chance to look at it yesterday...

After a virus scan (that she ALWAYS cancels when she turns it on) I cleansed the machine of *328* viruses... Yeah, you heard me right... Mostly trojans.

And did an Ad-Aware and Spybot S&D sweep, got rid of everything except a pesky command.exe that is practically hijacking the computer. It prevents Firefox from opening, forcing you to use IE (which she never used) and proceeds to pop up "Internet speed monitor" and pop-ups about removing DLL errors (which are caused by command.exe). Plus about every 5 minutes AVG picks up a trojan that command.exe is trying to inject. It's really troublesome. Spybot S&D sees it, but cannot remove it, and I can't shut it down... What should I do?

Perhaps a Safe Mode scan? Are there any programs/tools to remove this?


----------



## Carrion (Feb 18, 2008)

Is it in your startup?


----------



## Chris (Feb 18, 2008)

Post up a hijackthis log, pronto.


----------



## Groff (Feb 18, 2008)

Carrion said:


> Is it in your startup?



No, I checked, unless I missed it, but I didn't see it.



Chris said:


> Post up a hijackthis log, pronto.



Will do when I get home.

EDIT: I forgot to also mention that every few seconds a "Windows notification" pops up at the bottom right of the screen saying "*insert program name here* is corrupted! Run CHKDSK"

...But the programs work fine...


----------



## BigM555 (Feb 18, 2008)

I had a similar issue a couple of years ago with a file that would be renamed to a specific .dll at every start up. I was finally able to get around it by finding the source and renaming it but no matter what I did I could not delete the file.

It bothered me enough that I finally wiped the whole machine clean, reformatted the drive and started from scratch. Hopefully you won't have to go that far (and I really didn't either...but not being able to delete a suspect file made me paranoid).

Good luck mate.

PS - It was this episode that also drove me to linux for the vast majority of my home computing. I've barely looked back since.

_*BigM555 loathes the fact that he must use MS windows at work and for university._


----------



## Groff (Feb 18, 2008)

BigM555 said:


> I had a similar issue a couple of years ago with a file that would be renamed to a specific .dll at every start up. I was finally able to get around it by finding the source and renaming it but no matter what I did I could not delete the file.
> 
> It bothered me enough that I finally wiped the whole machine clean, reformatted the drive and started from scratch. Hopefully you won't have to go that far (and I really didn't either...but not being able to delete a suspect file made me paranoid).
> 
> ...



The computer has been wiped twice, and honestly, for being a PIII machine from 1999, when it's clean, it runs VERY fast and smooth. But as soon as my sister gets a hold of it, it just goes downhill from there.

In all the years I've had my own computer (about 4 now, 3 with my lappy, and 1 with my new desktop) I've only encountered ONE problem, and that was the Blaster worm, which I fixed with no issues. In the year I've had my desktop, the total files Ad-Aware has removed is 25. On my sister's computer? (It's been a year since I last wiped it) 875... I don't know WHAT she does to these damn things... But I've never had ad problems nor has my browser ever been hijacked.

Stupid things happen to stupid people I guess... I mean seriously... 300+ viruses in one scan?! I'm afraid to do a scan on her new laptop...


----------



## D-EJ915 (Feb 18, 2008)

Does she need Windows? Doesn't sound like she gives a shit about her computer, so maybe Linux or BSD would be better since you can't really break it by downloading trojans and stuff


----------



## HamBungler (Feb 18, 2008)

I'm pretty sure I had a similar virus back in October, which if you can go into the registry and delete it yourself, you should be able to get rid of it, but this is highly risky if you don't know what you're doing. I'd google it up on some IT sites and see if there are any programs you can get to destroy the virus.


----------



## Chris (Feb 18, 2008)

D-EJ915 said:


> Does she need Windows? Doesn't sound like she gives a shit about her computer, so maybe Linux or BSD would be better since you can't really break it by downloading trojans and stuff



That's not entirely true, you know.


----------



## Xaios (Feb 18, 2008)

I've had this computer for 3 and a half years. My virus protection is adequate, but meager. I don't even have a software firewall...


Never had a virus. Hell, thing still runs just fine.


----------



## Regor (Feb 18, 2008)

Check out Virus, Spyware, Internet Protection | Security Response - Symantec Corp

It gives great information about manually removing viruses. It's what I go to when I have a 'pesky' virus that slips through.


----------



## Groff (Feb 18, 2008)

D-EJ915 said:


> Does she need Windows? Doesn't sound like she gives a shit about her computer, so maybe Linux or BSD would be better since you can't really break it by downloading trojans and stuff



We're talking about someone who picked up over 300 viruses on her computer. Do you think she is even remotely capable of learning a new OS?

Don't know when I'll get the HijackThis log up, latest will be Thursday. Busy with school etc...


----------



## BigM555 (Feb 19, 2008)

TheMissing said:


> The computer has been wiped twice, and honestly, for being a PIII machine from 1999, when It's clean, it runs VERY fast and smooth. But as soon as my sister gets a hold of it, it just goes downhill from there.
> 
> In all the years i've had my own computer (About 4 now, 3 with my lappy, and 1 with my new desktop) I've only encountered ONE problem, and that was the blaster worm, which I fixed with no issues. In the year i've had my Desktop, the total files ad-aware has removed is 25, on my sisters computer? (It's been a year since I last wiped it) 875... I don't know WHAT she does to these damn things... But i've never had ad problems nor has my browser ever been hijacked.
> 
> Stupid things happen to stupid people I guess... I mean seriously... 300+ viruses in one scan?! I'm afraid to do a scan on her new laptop...



I hear ya man! Some people just shouldn't own PCs. I fix a fair number of them for friends and family. Like you, I've only ever really had that one problem, but it was enough to put me over the edge and explore Linux (and I love it....honestly Vista and "trusted computing" had a lot to do with it too). I've been running Windows PCs since Win98 and while I've had my fair share of blue screens, crashes, etc. I've never run up against the "re-install every six months" like some people have. My machines generally run pretty damn well and don't take a lot of maintenance. God knows what some people get into.

I've got a daughter in the house and she's always able to gather up a pile of adware warnings between scans. Kids!


----------



## El Caco (Feb 19, 2008)

TheMissing said:


> We're talking about someone who picked up over 300 viruses on her computer. Do you think she is even remotely capable of learning a new OS?
> 
> Don't know when i'll get the hijackthis log up, latest will be thursday. Busy with school etc...



I doubt she picked them all up herself; she probably got one trojan that opened the door for the others. If she had run the scan regularly, I doubt it would have been so bad.


----------



## Groff (Feb 21, 2008)

Chris said:


> Post up a hijackthis log, pronto.



Here it is. I'm forced to use IE >.< because it will not let me open Firefox (says it's already running and that I need to shut it down first, but it's not in my running programs list...)

-------


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\katie\Desktop\HiJackThis_v2.exe

O1 - Hosts: 75.126.25.138 Lookmaze- Pay-Per-Click Search Engine Marketing Network
O2 - BHO: (no name) - {03770B87-7AC8-4862-9970-5BB7D5A59773} - C:\WINDOWS\system32\werweg.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\System32\rI7Yl6qv.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll
O2 - BHO: (no name) - {8C5D82E9-9D36-4158-B074-20A87B4928E4} - C:\WINDOWS\system32\reginix86d.dll (file missing)
O2 - BHO: (no name) - {9841B06E-5D9A-4005-A064-CE028CEEC2C0} - C:\WINDOWS\system32\werwef.dll (file missing)
O2 - BHO: (no name) - {B426F491-094C-43D4-8F16-ED4AE190032D} - C:\WINDOWS\system32\driverm.dll (file missing)
O2 - BHO: H - {DA42BBFB-8F4D-4e94-8B0C-D7E0211BF116} - eddd11.dll (file missing)
O2 - BHO: (no name) - {e5968481-83e1-456c-b59b-9d86f8c0ab0f} - C:\WINDOWS\System32\isrcat.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\IEXPLORE.exe
O4 - HKCU\..\Policies\Explorer\Run: [{28573A4A-0359-1033-0912-001122020001}] "C:\Program Files\Common Files\{28573A4A-0359-1033-0912-001122020001}\Update.exe" te-110-12-0000213
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] c:\progra~1\mozill~1\plugins\GetFlash.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] c:\progra~1\mozill~1\plugins\GetFlash.exe -p (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.spamblockerutility.com/installs/spamblockerutility/programs/spamblockerutility.cab
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: c:\windows\system32\nnnnklj.dll
O20 - Winlogon Notify: isrcat - isrcat.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\a2F0aWU\command.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
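
The log format above (section tag, description, CLSID, path) lends itself to a first-pass triage before anyone posts a reply. What follows is an added example, not HijackThis's own code and not something posted in the thread; the lines it reads are copied from the log above, and the rules are this editor's own heuristics (orphaned "file missing" entries, nameless BHOs, policy Run keys, MIME filter hijacks, AppInit_DLLs, services with no vendor string, and directory names that are base64 of a plain word, which the cmdService path turns out to be).

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Lines copied from the HijackThis log in the post above (a mix of benign and suspect entries).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8C5D82E9-9D36-4158-B074-20A87B4928E4} - C:\WINDOWS\system32\reginix86d.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\IEXPLORE.exe
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - AppInit_DLLs: c:\windows\system32\nnnnklj.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\a2F0aWU\command.exe (file missing)
"""

# A Windows path up to the first module/file extension seen in these logs.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cab|htm)", re.IGNORECASE)


def decodes_as_word(component: str) -> Optional[str]:
    """Return the decoded text if a directory name is base64 of a plain word.

    Heuristic (this editor's, not HijackThis's): legitimate folders such as
    WINDOWS or system32 decode to control or non-ASCII bytes, whereas the
    a2F0aWU folder in the log decodes to 'katie', the user's own account name.
    """
    if len(component) < 6 or not re.fullmatch(r"[A-Za-z0-9+/]+", component):
        return None
    padded = component + "=" * (-len(component) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    return text if len(text) >= 4 and text.isalpha() else None


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) pairs for log lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        section = line.split(" - ", 1)[0]  # O2, O4, O18, O20, O23 ...
        if "(file missing)" in line:
            reasons.append("orphaned entry: registry still points at a deleted file")
        if section == "O2" and "(no name)" in line:
            reasons.append("nameless BHO: legitimate add-ons normally register a name")
        if section == "O4" and r"Policies\Explorer\Run" in line:
            reasons.append("policy Run key: rarely used by legitimate software")
        if section == "O18":
            reasons.append("MIME filter hijack: the DLL sees every text/html page")
        if section == "O20" and "AppInit_DLLs:" in line and line.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs: DLL loaded into every GUI process")
        if section == "O23" and "Unknown owner" in line:
            reasons.append("service with no vendor string")
        match = PATH_RE.search(line)
        if match:
            for part in match.group(0).split("\\")[1:-1]:  # directories only
                word = decodes_as_word(part)
                if word:
                    reasons.append(f"directory {part!r} is base64 for {word!r}")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Entries that collect no reason (the Adobe BHO, the AVG Run key and the AVG service) are not printed, so the output is the short list a helper would actually comment on.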


----------



## Stitch (Feb 21, 2008)

What is hijackthis?


----------



## D-EJ915 (Feb 21, 2008)

Stitch said:


> What is hijackthis?


it's a utility that helps you determine what is borking your windows


----------



## Groff (Feb 21, 2008)

D-EJ915 said:


> it's a utility that helps you determine what is borking your windows



And I literally discovered what it was about 5 minutes before Chris asked me to post a hijackthis log.


----------



## Groff (Feb 23, 2008)

Can anyone make sense of the Hijackthis log I posted?


----------



## Groff (Mar 1, 2008)

again


----------



## MrJack (Mar 1, 2008)

1. You seem to either not have a firewall or it's just not enabled
2. You should use Ad-Aware to get rid of some trojans and other pesky things you have, like Win32.Kolweb.m, AdWare.Win32.Agent.db, AdWare.Win32.AdBand.b, Kolweb.Y, Infostealer.Banker.D. Also the AdWare stuff is apparently detected by Kaspersky anti-virus.

More details can be found here by pasting the log into the box.


----------



## Groff (Mar 1, 2008)

Yeah, the only firewall that she had was the Windows one, nothing separate (it slowed the computer to a CRAWL) but she only used it for AOL, so I didn't think it'd be a problem. I tried running Ad-Aware, and it's clean, but Spybot S&D is picking up a few things it can't get rid of, same with AVG.


----------



## MrJack (Mar 1, 2008)

You could try CounterSpy and get some info on Kolweb.
Concerning the command.exe, you could try to do a repair install and see if it replaces the command.exe that's causing trouble.


----------



## Battousai (Mar 4, 2008)

The ViewpointService.exe at the end looks a bit fishy... I searched it and it says it shows ads when you use the internet... Also..

I realised you use Spybot S&D as a spyware detector, and AVG as your antivirus.. I find them both to be mediocre at what they do.. and for a person like your sister who seems like the person that clicks on anything that pops up on her screen (same as my mother), I would suggest something better... You could try getting an antivirus called NOD32 which I find is the best I've had so far. Ever since I installed it I've had ZERO problems with viruses and trojans.. and for extra protection.. maybe NoAdware?

S&D always gave me a lot of bullshit on spyware I have on the system but never fully removed them.. so therefore I hate it


----------



## El Caco (Mar 5, 2008)

+1 for the recommendation of Nod32. Nod32 also has the advantage of being very light on resources which sounds like something you need.

You need to get rid of the nasties that you have first. Some of them will need to be removed in safe mode; you should research the links that you have been provided with here, print out the instructions and follow them.

A firewall is a must. The Windows one is useless and if memory serves me correctly it only monitors traffic in one direction, and even then it's not great.

I've never been a fan of AVG but recently it seems to score pretty well in tests. For a free antivirus I prefer Avast, but no free one will be as secure as Nod32.

For the best free protection I recommend you download all of the following:

Antivirus: Avast, or continue to use AVG (do not use more than one antivirus)
Firewall: Comodo Firewall (Comodo Free Firewall Software Download)
Antimalware: Comodo BOClean (Comodo BO Clean Anti Malware)
Spyware Guard: SpywareGuard
Spyware Blaster: SpywareBlaster

You can also use Ad-Aware and Spybot for backup scans, but in my experience they don't do much, and on a slow system activating Spybot's TeaTimer can slow you right down and can cause conflicts with other security software.


----------



## Groff (Mar 5, 2008)

s7eve said:


> +1 for the recommendation of Nod32. Nod32 also has the advantage of being very light on resources which sounds like something you need.
> 
> You need to get rid of the nasties that you have first. Some of them will need to be removed in safe mode; you should research the links that you have been provided with here, print out the instructions and follow them.
> 
> ...



You know, I tried booting it into safe mode, but it locks up.


----------



## El Caco (Mar 6, 2008)

That's beyond my limited knowledge, but there are people here who should know what to do, like Chris, and I'm not sure if it's Techno or Zimbloth who is right up on Windows; I think it's one of them. If it was me I'd start with Trend Micro HouseCall (Free Online Virus and Spyware Scan - Trend Micro USA) and if that failed to help, or at least fix it so you could get into safe mode, I would try the Ultimate Boot CD (Ultimate Boot CD - Overview).


----------



## Battousai (Mar 8, 2008)

I'd say back up all the important information you have and format the whole drive and reinstall Windows... then before you put back the backed up data just scan it to remove any threats...


----------



## Blexican (Mar 17, 2008)

This might help. I had to use it a few weeks ago on my buddy's mom's computer to get rid of the SecurePCCleaner trojan.zlob virus...

SmitFraudFix


----------



## Chris (Mar 17, 2008)

Battousai said:


> I'd say back up all the important information you have and format the whole drive and reinstall Windows... then before you put back the backed up data just scan it to remove any threats...



This is definitely your best bet. 

All of those free AV programs just don't work as well as the commercial ones do in my experience. At work we use Checkpoint's Integrity Flex client for a firewall and Symantec AV. At home, though I can use the work licenses, I go with McAfee's AV/OAS. It's the best I've ever used, and the fact that it does realtime on-access scanning of everything without even the slightest noticeable performance hit is pretty fantastic.

In either case, any time you have more than 2-3 different types of infections, chances are they're covering up other shit as well. The risk involved with doing ANYTHING even remotely personal on your machine after getting worms is just way too great. Put it this way - would you log in to say, your online banking, on that machine? I know I sure wouldn't. 

Back up the essentials and blow the OS away. Reinstall the apps and scan, scan, scan the backup before you even consider moving it back to the OS drive. Don't just rely on the software - take a look through the directory structure yourself and look at what's there. These things tend to stick out if you actually look around, and I'd wager that nobody ever saves a Word document called W32.Spoon.Doom on their machine.

Edit: Also, it sounds like the end user is prone to clicking bait-links. I don't like Firefox, but in this case absolutely make sure that it and NoScript are installed and that they never, ever use an IE-based browser again.


----------



## Chris (Mar 17, 2008)

> O2 - BHO: (no name) - {8C5D82E9-9D36-4158-B074-20A87B4928E4} - C:\WINDOWS\system32\reginix86d.dll (file missing)
> O2 - BHO: (no name) - {9841B06E-5D9A-4005-A064-CE028CEEC2C0} - C:\WINDOWS\system32\werwef.dll (file missing)
> O2 - BHO: (no name) - {B426F491-094C-43D4-8F16-ED4AE190032D} - C:\WINDOWS\system32\driverm.dll (file missing)



All of those are no good, nuke 'em. I'll take a look at the rest of the log tomorrow (midnight here, zzzz).

Edit: Only if you really must keep using the OS. But man, if she doesn't let you format it, tell her to never log in to any sort of financial (banking/credit card/etc) website again. She's an identity thief's wet dream.


----------



## ibznorange (Mar 17, 2008)

I'm with Battousai hardcore man


----------



## Groff (Mar 17, 2008)

I'd put some form of Linux on it (as it's free) but I'm not sure how easy it would be to find proper drivers for some of the hardware, plus I don't think she could learn a new OS.

I told her not to do anything that wasn't printing her projects or anything on the desktop, but she still uses her laptop. I'm kinda afraid of what's on her laptop...

What sucks is that I'd like to re-format it, but I don't have an XP CD anymore. The first time I ever put XP on it, it was a pirate copy, then when I re-formatted it last summer I used the XP CD that came with my laptop that I no longer used. And I have no clue where either CD is...


----------



## MF_Kitten (Mar 18, 2008)

I've only had viruses on my PC... I had a virus that made all sorts of fake shortcuts and ".exe" files all over my computer, like "age of empires 2 keygen" and shit like that

no problems on my mac though


----------



## Groff (Mar 18, 2008)

MF_Kitten said:


> I've only had viruses on my PC... I had a virus that made all sorts of fake shortcuts and ".exe" files all over my computer, like "age of empires 2 keygen" and shit like that
> 
> no problems on my mac though



Like your Mac, I've NEVER had any problems with viruses on any PC I've owned that was used by only me. 5 years running, 2 PCs, no issues.

My friend's Mac... She's had nothing but headaches.

A computer is only as reliable as the person using it. It's just that a lot of these people are dumb shits.

And I never understood the whole "Blue screen of death" stigma. Sure I've seen it... But the first time was because my RAM was bad, and the second time was because I yoinked a piece of hardware out of my laptop that was in use, not a problem with Windows.


----------



## MF_Kitten (Mar 18, 2008)

I had no problems with my PC either, except for viruses once (getting rid of Norton Antivirus, the worst virus of them all, and getting a proper antivirus fixed that), and then having the OS just crap out on me once. I reformatted, and it was as good as new! I used to get a stutter all the time, like when playing games, watching movies, basically if anything moved, it would stutter shortly once a minute or so... after a reformat, that was all gone

Anyways, my mom is using my PC now, I'm all Macintosh now


----------

