Thanks, that got some of it, follow these instructions:
1) Download SDFix and save it to your Desktop.
Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
- Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
2) Careful that you get the correct service:
Disable the Service
Click Start > Run and type services.msc
Scroll down to Command Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type (cmdService) and press OK.
OK any prompts, close HijackThis, and restart your computer.
3) Turn off TeaTimer, it will black changes we must make:
http://russelltexas.com/malware/teatimer.htm
4) Start > Control Panel > Add Remove programs and uninstall DeluxeCommunications if there. Please uninstall any other programs you know do not belong there, if you are unsure let me know and I will look.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {6DC25841-9CD6-E455-80FB-B6693F8CDCB3} - C:\WINDOWS\system32\dsozhfmd.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e48.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
(you can remove the next two restrictions if you wish)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(if you did not set the advanced option, you can remove it)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TW9uaWNhIEdyZWdvcnk\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
c:\nwnmff_e48.exe <<< delete the file
C:\\kybrdff_e48.exe <<< delete the file
C:\WINDOWS\TW9uaWNhIEdyZWdvcnk <<< delete that folder
C:\Program Files\DeluxeCommunications\ <<< delete that folder
Run ATF-Cleaner again, you can skip Prefetch this time, see this tutorial:
http://forums.security-central.us/showthread.php?t=1925
Follow the instruction in this link: http://www.virusvault.co.uk/fusionbb...ic.php?tid/33/
Thanks to John McKenna for the tutorial. Make sure you delete or at least quarantine everything located unless you know it is not bad.
Restart the computer and post the Report from SD fix, the results of the spyware scan and a new HJT log.
Thanks