PDA

View Full Version : cmdservice removal



hucky
2008-02-28, 18:04
Hello everyone, and thanks for being here - I'd appreciate any kind of help.

using S&D I've discovered, as probably many before me have, that a nasty CommandService is in my computer and has no intention to leave. S&D, as other programs, couldn't remove it, so you are my hope before formatting.

I can't say that I know my way with computers that well, so explaining what seems to be obvious might be needed in my case. However - I did read the Sticky and hopefully I have the info you need in order to help me.

This is the Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 28, 2008 4:43:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/02/2008
Kaspersky Anti-Virus database records: 585361
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 81002
Number of viruses found: 4
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 01:57:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_YUVAL.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_YUVAL.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\FM_log.txt Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/ /20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip/message.dat.bat Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/ /20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/ /20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip/document.msg.exe Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/ /20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 4 skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF1E2C.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF1E42.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF3102.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF311A.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF388E.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DFED08.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DFF835.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~WRC0512.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~WRS0005.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\KG8TYDX6\TF29X5Z8\Offline\0x00000001_R Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\KG8TYDX6\TF29X5Z8\Offline\0x00000003_R Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\KG8TYDX6\TF29X5Z8\Offline\HashFile.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\quarantine\A0059649.exe.Vir Infected: Trojan-Dropper.Win32.Agent.abo skipped
C:\quarantine\kl.exe.Vir Infected: Trojan-Dropper.Win32.Agent.abo skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6D9120EF-2D0A-4289-9B58-91B31A79094D}\RP1097\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\ yuvcheck's documents\programs\DivXPro502GAINBundle.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
F:\ yuvcheck's documents\programs\DivXPro502GAINBundle.exe Vise: infected - 1 skipped
F:\ yuvcheck's documents\programs\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
F:\ yuvcheck's documents\programs\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
F:\ yuvcheck's documents\programs\DivXPro511Adware.exe NSIS: infected - 2 skipped
F:\ yuvcheck's documents\דנה\Dana Yoeli cv.doc Object is locked skipped
F:\ yuvcheck's documents\דנה\~WRL1578.tmp Object is locked skipped
F:\ yuvcheck's documents\דנה\~WRL3212.tmp Object is locked skipped
F:\ yuvcheck's documents\דנה\לכל המעונייןדנה.doc Object is locked skipped
F:\ yuvcheck's documents\דנה\מסמך ללירון.doc Object is locked skipped
F:\outlook\Outlook2.pst/Personal Folders/ /18 Feb 2005 14:07 from Smith Barney:****SPAM(7.3)**** Smith Barn/18 Feb 2005 13:52 from Smith Barney:Smith Barney - urgent securi.html Infected: Trojan-Spy.HTML.Smitfraud.c skipped
F:\outlook\Outlook2.pst Mail MS Mail: infected - 1 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


and this is the hjt report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:47:24, on 28/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteAccess/ie/bridge-c356.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC36A87D-F258-4434-A2B1-7C2553F62F6F}: NameServer = 192.117.235.235 62.219.186.7
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

--
End of file - 6230 bytes



Thank you in advance for any suggestion that yuou might have, regarding the cmdservice I got, or any other viruses That might be causing my very very okd computer to work so slowly lately.


Huck

pskelley
2008-02-29, 13:56
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

1) You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

C:\PROGRAM FILES~1\Grisoft\AVG7\
C:\Program Files\Network Associates\
(uninstall one of those)

2) You are storing infected email here:
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/o d/20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip/message.dat.bat ------> Email-Worm.Win32.Warezov.fb
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/o d/20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip ------> Email-Worm.Win32.Warezov.fb
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/o d/20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip/document.msg.exe ------> Email-Worm.Win32.Warezov.fb
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/o d/20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip ------> Email-Worm.Win32.Warezov.fb
and here:
F:\outlook\Outlook2.pst/Personal Folders/o d/18 Feb 2005 14:07 from Smith Barney:****SPAM(7.3)**** Smith Barn/18 Feb 2005 13:52 from Smith Barney:Smith Barney - urgent securi.html ------> Trojan-Spy.HTML.Smitfraud.c
(Remove those from your computer)

3) C:\quarantine\ <<< delete that folder and contents

Delete the files in red
F:\ yuvcheck's documents\programs\DivXPro502GAINBundle.exe
F:\ yuvcheck's documents\programs\DivXPro511Adware.exe

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Start > Control Panel > Add Remove Programs and uninstall RXToolBar, Need2Find if there.

7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...ridge-c356.cab G
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab G
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

8) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\windows\adtech2005.exe <<< delete that file

C:\Program Files\RXToolBar\ <<< delete that folder and contents

9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart, post a new HJT log and some feedback.

Thanks

hucky
2008-02-29, 16:18
First of all - Thank you so much for helping me out, I really appreciate it.

Now, I've tried to do everything, but some things didn't go too well:

1. The anti-virus program: I unintalled the AVG, but then I got a warning that I have no anti-virus running at all. I tried to re-install the mc'affee, but it was no go, then I tried to uninstall it completely, but couldn't. I am happy with having the AVG, so if you can explain how to remove the mc'affee all toghether that could be great.

6. I didn't have RXToolBar on the list. I did find the need2find, but couldn't remove it.

8. I didn't find the programs adtech2005 or RXToolBar.

9. The link for downloading atf-cleaner was broken, so I searched it and downloaded the latest version, I hope it is OK.

here is the new HJT report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:33, on 29/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC36A87D-F258-4434-A2B1-7C2553F62F6F}: NameServer = 192.117.235.235 62.219.186.7
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

--
End of file - 4825 bytes




Again - I can't thank you enough!

Hucky

hucky
2008-02-29, 16:25
Sorry - The HJT report I posted was before restarting.

This is the one after restart:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:20:00, on 29/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

--
End of file - 4405 bytes



sorry and thanks alot, again

Huck

pskelley
2008-02-29, 16:35
If I get this right, you are saying you wish to run AVG by Grisoft and wish to remove the other antivirus programs.

You have looked in Add Remove programs for an uninstaller and none is there.

You also have Symantec left from some point:
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
See this: http://basconotw.mvps.org/SymRem.htm


and McAfee:
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
Try this: http://www.majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

That will leave you with no antivirus protection, here is the link to AVG Free:
http://free.grisoft.com/doc/download-free-anti-virus/us/frt/0

I run AVG Free myself, as soon as you have those other antivirus programs removed and AVG Free installed and running, post a new HJT log and let me know how the computer is running. It looks like you killed the junk that was running.

Sorry about the problem with ATF-Cleaner, as long as you got it, that is fine.

Thanks

hucky
2008-03-01, 11:33
Hey,

Thanks again. I've done as told - but S&D still finds cmdservice and can't remove it.

Also, I don't know if it has any relevance, but lately, I have been having troubles with Firefox, which I am using: The pages look "pixeld" - The pictures are bigger and blurry and such, and it is working very slowly. Do you know the reason?

Here is the new HJT report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:05, on 01/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC36A87D-F258-4434-A2B1-7C2553F62F6F}: NameServer = 192.117.235.235 62.219.186.7
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

--
End of file - 5355 bytes

Thanks again for all the help - You are a life saver!

Huck

pskelley
2008-03-01, 12:49
Thanks for returning your HJT log, give this a try for the "cmdservice" issue:

delcmdservice (by Marckie),
Please download delcmdservice (by Marckie), http://users.telenet.be/marcvn/tools/delcmdservice.zip
and save it to your Desktop.
Unzip the content to your Desktop (a folder named delcmdservice)
Double-click on the delcmdservice folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.

Is this your IP location? http://whois.domaintools.com/192.117.235.235

The HJT log looks good:bigthumb: run a new Kaspersky online scan using these settings:
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. <<< I do not need to see a clean scan, only if there are questions you can not answer.

Also, I don't know if it has any relevance, but lately, I have been having troubles with Firefox, ETC
Do you have the same issues with Internet Explorer? It may be you will need to uninstall and reinstall Firefox? Do you have the newest version?
http://www.mozilla.com/en-US/firefox/

Unfortunately the trash hackers send out and the hackers care little about your system and changes that might occur when they infect you. Have you looked at Desktop Properties?
http://www.optimizingpc.com/install/desktopandscreen.html
http://www.google.com/search?hl=en&q=setting+desktop+properties+in+XP&btnG=Google+Search

I will post this information for you now so you can benefit from it.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

hucky
2008-03-02, 12:13
You are great!!!
Thanks for all the help, all the badstuff are gone (almost - details ahead) and the computer is working fine.

S&D cleared everything, including the cmdservice, and all is well, except that kaspersky still finds the email worm I got. When you first told me about it, I deleted it from my outlook, not from the pst file. Sholud I do something different?

Here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 02, 2008 1:31:10 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/03/2008
Kaspersky Anti-Virus database records: 545417
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 77231
Number of viruses found: 1
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:48:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\cert8.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\history.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\key3.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\parent.lock Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\search.sqlite Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\Working\database_3600_8EA1_8E_6827\dfsr.db Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\Working\database_3600_8EA1_8E_6827\fsr.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\Working\database_3600_8EA1_8E_6827\fsrtmp.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\Working\database_3600_8EA1_8E_6827\tmp.edb Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/ /20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip/message.dat.bat Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/ /20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/ /20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip/document.msg.exe Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/ /20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip Infected: Email-Worm.Win32.Warezov.fb skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 4 skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Live Contacts\yuval.avivi@gmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012008030120080302\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF5141.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DF516B.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6D9120EF-2D0A-4289-9B58-91B31A79094D}\RP1106\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D4877110-444D-4887-8FF6-6CBB70226980}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.




Thanks for everything, and thanks for the useful tips. I hope that I'll be able to keep my com clean.

Huck.

pskelley
2008-03-02, 14:17
Thanks for the feedback and you are right, the infected email are still there. First, let me show you what you have infecting your email folders:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Email-Worm.Win32.Warezov.fb&threatid=91424
This is a nasty item and I have no knowledge of Outlook, but it may still be able to send itself to others in your address book and infect them.
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/ <<< you may want to consider deleting everything in those personal folders

Looks like they came to you from:
20 Oct 2006 03:03 from george
20 Oct 2006 02:40 from james

Does not mean they sent them, they probably had no idea they were infected, but the junk has been on your computer for a while. Hold on to Kaspersky Online Scan as a backup to your resident. While it does not do anything, it will sure find anything being missed.

I also need to point out that I see both AVG and NA running in this HJT log: Scan saved at 11:21:05, on 01/03/2008

C:\PROGRA~1\Grisoft\AVG7\

C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

As long as this is occuring, it is a good possibility neither antivirus progam can function properly. If you want NA gone, try that tool again and then check the HJT log to make sure it has been removed.

Safe surfing...Phil:bigthumb: