
Thread: cmdservice removal

  1. #1
    Junior Member (Join Date: Feb 2008; Posts: 5)

    cmdservice removal

    Hello everyone, and thanks for being here - I'd appreciate any kind of help.

    Using S&D I've discovered, as probably many before me have, that a nasty CommandService is in my computer and has no intention to leave. S&D, like other programs, couldn't remove it, so you are my hope before formatting.

    I can't say that I know my way around computers that well, so explaining what seems to be obvious might be needed in my case. However - I did read the Sticky and hopefully I have the info you need in order to help me.

    This is the Kaspersky report:


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, February 28, 2008 4:43:52 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 28/02/2008
    Kaspersky Anti-Virus database records: 585361
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 81002
    Number of viruses found: 4
    Number of infected objects: 14
    Number of suspicious objects: 0
    Duration of the scan process: 01:57:01

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_YUVAL.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_YUVAL.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\FM_log.txt Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
    C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip/message.dat.bat Infected: Email-Worm.Win32.Warezov.fb skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip Infected: Email-Worm.Win32.Warezov.fb skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip/document.msg.exe Infected: Email-Worm.Win32.Warezov.fb skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip Infected: Email-Worm.Win32.Warezov.fb skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 4 skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DF1E2C.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DF1E42.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DF3102.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DF311A.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DF388E.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DFED08.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DFF835.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~WRC0512.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~WRS0005.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\KG8TYDX6\TF29X5Z8\Offline\0x00000001_R Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\KG8TYDX6\TF29X5Z8\Offline\0x00000003_R Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\KG8TYDX6\TF29X5Z8\Offline\HashFile.dat Object is locked skipped
    C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
    C:\quarantine\A0059649.exe.Vir Infected: Trojan-Dropper.Win32.Agent.abo skipped
    C:\quarantine\kl.exe.Vir Infected: Trojan-Dropper.Win32.Agent.abo skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{6D9120EF-2D0A-4289-9B58-91B31A79094D}\RP1097\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    F:\ yuvcheck's documents\programs\DivXPro502GAINBundle.exe/Gain_Trickler.exe Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    F:\ yuvcheck's documents\programs\DivXPro502GAINBundle.exe Vise: infected - 1 skipped
    F:\ yuvcheck's documents\programs\DivXPro511Adware.exe/stream/data0019 Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    F:\ yuvcheck's documents\programs\DivXPro511Adware.exe/stream Infected: not-a-virus:AdWare.Win32.Gator.3202 skipped
    F:\ yuvcheck's documents\programs\DivXPro511Adware.exe NSIS: infected - 2 skipped
    F:\ yuvcheck's documents\דנה\Dana Yoeli cv.doc Object is locked skipped
    F:\ yuvcheck's documents\דנה\~WRL1578.tmp Object is locked skipped
    F:\ yuvcheck's documents\דנה\~WRL3212.tmp Object is locked skipped
    F:\ yuvcheck's documents\דנה\לכל המעונייןדנה.doc Object is locked skipped
    F:\ yuvcheck's documents\דנה\מסמך ללירון.doc Object is locked skipped
    F:\outlook\Outlook2.pst/Personal Folders/פריטים שנמחקו/18 Feb 2005 14:07 from Smith Barney:****SPAM(7.3)**** Smith Barn/18 Feb 2005 13:52 from Smith Barney:Smith Barney - urgent securi.html Infected: Trojan-Spy.HTML.Smitfraud.c skipped
    F:\outlook\Outlook2.pst Mail MS Mail: infected - 1 skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.


    And this is the HJT report:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:47:24, on 28/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\WINDOWS\system32\GSICON.EXE
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...ridge-c356.cab
    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FC36A87D-F258-4434-A2B1-7C2553F62F6F}: NameServer = 192.117.235.235 62.219.186.7
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

    --
    End of file - 6230 bytes



    Thank you in advance for any suggestion that you might have, regarding the cmdservice I got, or any other viruses that might be causing my very very old computer to work so slowly lately.


    Huck

  2. #2
    pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    1) You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
    http://service1.symantec.com/SUPPORT...00031316555206
    "Microsoft recommends that you have only one anti-virus program installed on your computer."
    http://www.washingtonpost.com/wp-dyn...120300087.html
    http://www.smartcomputing.com/editor...8s07/38s07.asp

    C:\PROGRAM FILES~1\Grisoft\AVG7\
    C:\Program Files\Network Associates\
    (uninstall one of those)

    2) You are storing infected email here:
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip/message.dat.bat ------> Email-Worm.Win32.Warezov.fb
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip ------> Email-Worm.Win32.Warezov.fb
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip/document.msg.exe ------> Email-Worm.Win32.Warezov.fb
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip ------> Email-Worm.Win32.Warezov.fb
    and here:
    F:\outlook\Outlook2.pst/Personal Folders/פריטים שנמחקו/18 Feb 2005 14:07 from Smith Barney:****SPAM(7.3)**** Smith Barn/18 Feb 2005 13:52 from Smith Barney:Smith Barney - urgent securi.html ------> Trojan-Spy.HTML.Smitfraud.c
    (Remove those from your computer)

    3) C:\quarantine\ <<< delete that folder and contents

    Delete the files in red
    F:\ yuvcheck's documents\programs\DivXPro502GAINBundle.exe
    F:\ yuvcheck's documents\programs\DivXPro511Adware.exe

    4) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    5) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    6) Start > Control Panel > Add Remove Programs and uninstall RXToolBar and Need2Find if there.

    7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
    O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
    O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...ridge-c356.cab G
    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab G
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Filter hijack: text/html - (no CLSID) - (no file)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    8) Right click Start > Explore and navigate to these files/folders and delete them if there.

    C:\windows\adtech2005.exe <<< delete that file

    C:\Program Files\RXToolBar\ <<< delete that folder and contents

    9) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart, post a new HJT log and some feedback.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
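The lines the helper picks out in step 7 follow recognisable patterns in an HJT log: add-ons and services whose file is missing, a Run entry launching from the root of the Windows folder, a context-menu item and ActiveX downloads pointing at outside sites, and a text/html filter with no file behind it. As an added example (not code from the thread or from HijackThis), here is a small Python triage that applies those patterns to entry lines copied from the logs above and diffs the before/after logs to confirm what "Fix Checked" actually removed; the trusted-host set is an assumption.

```python
"""Triage HijackThis v2 log entries with the patterns the helper applied in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed excerpt: R/O lines copied from the first HJT log posted in the thread.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
"""

# Constructed excerpt: the same entries as they appear in the post-restart log (post #4).
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
"""

# Host of the online scanner the user was asked to run (O16). An assumption for this
# example, not an HJT setting: ActiveX downloads from any other host get reviewed.
TRUSTED_DPF_HOSTS = {"www.kaspersky.com"}

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    entry: str
    reason: str


def parse_entries(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for R/O lines; headers and the process list are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _url_host(body: str) -> Optional[str]:
    m = re.search(r"https?://\S+", body)
    return urlparse(m.group(0)).hostname if m else None


def triage(log: str) -> List[Finding]:
    """Flag entries matching the patterns the helper selected for 'Fix Checked'."""
    findings = []
    for section, body in parse_entries(log):
        reason = None
        orphaned = "(file missing)" in body or "(no file)" in body
        if section == "O2" and orphaned:
            reason = "BHO still registered but its DLL is gone"
        elif section == "O4":
            # A Run entry launching an executable straight from the Windows folder root
            # (not a subfolder such as system32) is unusual for legitimate software.
            m = re.search(r'\[[^\]]+\]\s*"?([A-Za-z]:\\[^"]+)', body)
            if m and re.fullmatch(r"[A-Za-z]:\\windows\\[^\\]+", m.group(1), re.IGNORECASE):
                reason = "Run entry executes from the root of the Windows folder"
        elif section == "O8":
            host = _url_host(body)
            if host:
                reason = f"context menu item points to an external site ({host})"
        elif section == "O16":
            host = _url_host(body)
            if host and host not in TRUSTED_DPF_HOSTS:
                reason = f"ActiveX download from an unreviewed host ({host})"
        elif section == "O18" and orphaned:
            reason = "text/html filter registered with no CLSID and no file"
        elif section == "O23" and orphaned:
            reason = "service points to a missing binary"
        if reason:
            findings.append(Finding(section, f"{section} - {body}", reason))
    return findings


def removed_entries(before: str, after: str) -> List[str]:
    """Entries in the earlier log that are absent from the later one: what the fix removed."""
    after_set = {f"{s} - {b}" for s, b in parse_entries(after)}
    return [f"{s} - {b}" for s, b in parse_entries(before) if f"{s} - {b}" not in after_set]
```

Run over the thread's own logs, the diff shows the O18 filter-hijack line surviving the fix, which is exactly the kind of leftover that asking for a fresh log after the restart is meant to catch.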

  3. #3
    Junior Member (Join Date: Feb 2008; Posts: 5)

    Thanks!

    First of all - Thank you so much for helping me out, I really appreciate it.

    Now, I've tried to do everything, but some things didn't go too well:

    1. The anti-virus program: I uninstalled the AVG, but then I got a warning that I have no anti-virus running at all. I tried to re-install the McAfee, but it was no go, then I tried to uninstall it completely, but couldn't. I am happy with having the AVG, so if you can explain how to remove the McAfee altogether that would be great.

    6. I didn't have RXToolBar on the list. I did find the need2find, but couldn't remove it.

    8. I didn't find the programs adtech2005 or RXToolBar.

    9. The link for downloading ATF-Cleaner was broken, so I searched for it and downloaded the latest version; I hope it is OK.

    Here is the new HJT report:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:13:33, on 29/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\WINDOWS\system32\GSICON.EXE
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FC36A87D-F258-4434-A2B1-7C2553F62F6F}: NameServer = 192.117.235.235 62.219.186.7
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

    --
    End of file - 4825 bytes




    Again - I can't thank you enough!

    Hucky

  4. #4
    Junior Member (Join Date: Feb 2008; Posts: 5)

    Oops - my Bad

    Sorry - the HJT report I posted was from before restarting.

    This is the one after restart:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:20:00, on 29/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\WINDOWS\system32\GSICON.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Network Associates\Common Framework\McTray.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

    --
    End of file - 4405 bytes



    Sorry, and thanks a lot again

    Huck

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    If I get this right, you are saying you wish to run AVG by Grisoft and wish to remove the other antivirus programs.

    You have looked in Add Remove programs for an uninstaller and none is there.

    You also have Symantec left from some point:
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    See this: http://basconotw.mvps.org/SymRem.htm


    and McAfee:
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    Try this: http://www.majorgeeks.com/McAfee_Con...ool_d5420.html

    That will leave you with no antivirus protection, here is the link to AVG Free:
    http://free.grisoft.com/doc/download...virus/us/frt/0

    I run AVG Free myself, as soon as you have those other antivirus programs removed and AVG Free installed and running, post a new HJT log and let me know how the computer is running. It looks like you killed the junk that was running.

    Sorry about the problem with ATF-Cleaner, as long as you got it, that is fine.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    Feb 2008
    Posts
    5

    Default back again

    Hey,

    Thanks again. I've done as told - but S&D still finds cmdservice and can't remove it.

    Also, I don't know if it has any relevance, but lately I have been having trouble with Firefox, which I am using: the pages look "pixelated" (the pictures are bigger and blurry and such), and it is working very slowly. Do you know the reason?

    Here is the new HJT report:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:21:05, on 01/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\WINDOWS\system32\GSICON.EXE
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FC36A87D-F258-4434-A2B1-7C2553F62F6F}: NameServer = 192.117.235.235 62.219.186.7
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

    --
    End of file - 5355 bytes

    Thanks again for all the help - You are a life saver!

    Huck

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your HJT log, give this a try for the "cmdservice" issue:

    delcmdservice (by Marckie),
    Please download delcmdservice (by Marckie), http://users.telenet.be/marcvn/tools/delcmdservice.zip
    and save it to your Desktop.
    Unzip the content to your Desktop (a folder named delcmdservice)
    Double-click on the delcmdservice folder
    Double-click on delreg.bat to launch the tool
    When the tool has finished, please reboot your computer.

    Is this your IP location? http://whois.domaintools.com/192.117.235.235

    The HJT log looks good. Run a new Kaspersky online scan using these settings:
    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * The program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here. <<< I do not need to see a clean scan, only if there are questions you cannot answer.
    Also, I don't know if it has any relevance, but lately, I have been having troubles with Firefox, ETC
    Do you have the same issues with Internet Explorer? It may be you will need to uninstall and reinstall Firefox? Do you have the newest version?
    http://www.mozilla.com/en-US/firefox/

    Unfortunately, the hackers who send out this trash care little about your system and the changes that might occur when they infect you. Have you looked at Desktop Properties?
    http://www.optimizingpc.com/install/...andscreen.html
    http://www.google.com/search?hl=en&q...=Google+Search

    I will post this information for you now so you can benefit from it.

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Junior Member
    Join Date
    Feb 2008
    Posts
    5

    Default Thanks so much!!!!

    You are great!!!
    Thanks for all the help, all the bad stuff is gone (almost - details ahead) and the computer is working fine.

    S&D cleared everything, including the cmdservice, and all is well, except that Kaspersky still finds the email worm I got. When you first told me about it, I deleted it from my Outlook, not from the pst file. Should I do something different?

    Here is the log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, March 02, 2008 1:31:10 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 1/03/2008
    Kaspersky Anti-Virus database records: 545417
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 77231
    Number of viruses found: 1
    Number of infected objects: 5
    Number of suspicious objects: 0
    Duration of the scan process: 01:48:42

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\cert8.db Object is locked skipped
    C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\formhistory.dat Object is locked skipped
    C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\history.dat Object is locked skipped
    C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\key3.db Object is locked skipped
    C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\parent.lock Object is locked skipped
    C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
    C:\Documents and Settings\user\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt Object is locked skipped
    C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\pending.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\Working\database_3600_8EA1_8E_6827\dfsr.db Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\Working\database_3600_8EA1_8E_6827\fsr.log Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\Working\database_3600_8EA1_8E_6827\fsrtmp.log Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Messenger\yuval.avivi@gmail.com\SharingMetadata\Working\database_3600_8EA1_8E_6827\tmp.edb Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip/message.dat.bat Infected: Email-Worm.Win32.Warezov.fb skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 03:03 from george:MCAFEE E-MAIL SCAN ALERT!~MAIL TRA/message.zip Infected: Email-Worm.Win32.Warezov.fb skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip/document.msg.exe Infected: Email-Worm.Win32.Warezov.fb skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/פריטים שנמחקו/20 Oct 2006 02:40 from james:MCAFEE E-MAIL SCAN ALERT!~SERVER RE/document.zip Infected: Email-Worm.Win32.Warezov.fb skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 4 skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows Live Contacts\yuval.avivi@gmail.com\real\members.stg Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\xq4v2nlt.default\XUL.mfl Object is locked skipped
    C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012008030120080302\index.dat Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DF5141.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temp\~DF516B.tmp Object is locked skipped
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{6D9120EF-2D0A-4289-9B58-91B31A79094D}\RP1106\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{D4877110-444D-4887-8FF6-6CBB70226980}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.




    Thanks for everything, and thanks for the useful tips. I hope that I'll be able to keep my computer clean.

    Huck.

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for the feedback, and you are right, the infected emails are still there. First, let me show you what you have infecting your email folders:
    http://research.sunbelt-software.com...threatid=91424
    This is a nasty item and I have no knowledge of Outlook, but it may still be able to send itself to others in your address book and infect them.
    C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst/Personal Folders/ <<< you may want to consider deleting everything in those personal folders

    Looks like they came to you from:
    20 Oct 2006 03:03 from george
    20 Oct 2006 02:40 from james

    Does not mean they sent them, they probably had no idea they were infected, but the junk has been on your computer for a while. Hold on to Kaspersky Online Scan as a backup to your resident. While it does not do anything, it will sure find anything being missed.

    I also need to point out that I see both AVG and NA running in this HJT log: Scan saved at 11:21:05, on 01/03/2008

    C:\PROGRA~1\Grisoft\AVG7\

    C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

    As long as this is occurring, it is a good possibility that neither antivirus program can function properly. If you want NA gone, try that tool again and then check the HJT log to make sure it has been removed.

    Safe surfing...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
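The check pskelley does by eye above (spot Symantec, McAfee and AVG remnants in the O4 and O23 lines of an HJT log and notice when more than one antivirus is present) as an added Python example; this is not a tool from this thread, the vendor keyword table and function names are my own assumptions, and the sample lines are copied from the logs posted above.

```python
import re
from collections import defaultdict

# Constructed sample: six lines taken from the HijackThis v2.0.2 logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""

# Assumed vendor keyword table: case-insensitive substrings that identify an antivirus
# product's files, services or publisher strings in an HJT line.
AV_VENDORS = {
    "Symantec": ("symantec", "liveupdate"),
    "McAfee": ("mcafee", "network associates"),
    "AVG": ("grisoft", "avg7"),
}

# O4 autostart lines come in two shapes: registry Run/RunOnce keys and Global Startup .lnk files.
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# O23 service lines: "O23 - Service: <display name> - <owner> - <path>[ (file missing)]"
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
MISSING = " (file missing)"


def parse_hjt(text):
    """Turn O4 (autostart) and O23 (service) lines into dicts; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            entries.append({"kind": "autostart", "name": m.group("name"),
                            "path": m.group("cmd"), "file_missing": False})
            continue
        m = O23_SVC.match(line)
        if m:
            path = m.group("path")
            missing = path.endswith(MISSING)
            entries.append({"kind": "service", "name": m.group("name"),
                            "owner": m.group("owner"),
                            "path": path[:-len(MISSING)] if missing else path,
                            "file_missing": missing})
    return entries


def vendor_of(entry):
    """Return the antivirus vendor an entry belongs to, or None for unrelated software."""
    haystack = " ".join((entry["path"], entry.get("owner", ""), entry["name"])).lower()
    for vendor, needles in AV_VENDORS.items():
        if any(n in haystack for n in needles):
            return vendor
    return None


def audit_hjt(text):
    """Summarise antivirus remnants: which vendors are present, which service binaries are
    missing (a leftover registration, not a working product), and whether more than one
    antivirus is installed at once, which is the situation pskelley warns about."""
    by_vendor = defaultdict(list)
    missing = []
    for e in parse_hjt(text):
        v = vendor_of(e)
        if v:
            by_vendor[v].append(f"{e['kind']}: {e['name']}")
        if e["file_missing"]:
            missing.append(e["name"])
    return {"vendors": dict(by_vendor), "missing": missing, "conflict": len(by_vendor) > 1}


if __name__ == "__main__":
    report = audit_hjt(SAMPLE_HJT)
    for vendor, items in report["vendors"].items():
        print(f"{vendor}: {', '.join(items)}")
    print("services whose file is missing:", report["missing"])
    print("more than one antivirus present:", report["conflict"])
```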
