I'm struggling with multiple problems, but command service seems to be the most troublesome. Can't get through the Kaspersky scan without computer crashing. below is the last copy of the HJT log though. Will try again to run Kaspersky.

Any help is greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:59:14 AM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\SmVhbm5pZSBNY0NhcnJvbGw\command.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ZPOINT32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\CURITY~1\regedit.exe
C:\Program Files\??crosoft\l?gonui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeannie McCarroll\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www1.sympatico.ca"); (C:\Documents and Settings\JEANNIE MCCARROLL\Application Data\Mozilla\Profiles\default\4uy5kckx.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JEANNIE MCCARROLL\Application Data\Mozilla\Profiles\default\4uy5kckx.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0BC009F5-2F6A-459D-BBEC-8CB48765F4DC} - (no file)
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\system32\atgban.dll
O2 - BHO: 0 - {2F137B32-C598-4205-BBA0-C6215CB03242} - C:\Program Files\Common Files\zytila.dll
O2 - BHO: (no name) - {45908BBA-ECB4-4B09-B341-14B50ACD93FE} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6E349CB1-5821-0ED8-5316-5F00BFC2DB97} - C:\WINDOWS\system32\yqeepn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91223DE9-F8E6-4FFD-8889-BE6784C18696} - C:\WINDOWS\system32\opnljih.dll
O2 - BHO: (no name) - {EFC170B0-40F3-4F23-A59F-5B50E54A7D7C} - C:\WINDOWS\system32\mlljk.dll (file missing)
O4 - HKLM\..\Run: [REGRUN] C:\WINDOWS\system32\lc32.exe
O4 - HKLM\..\Run: [Windows TM] SVPHOST.exe
O4 - HKLM\..\Run: [Acecad.Wtxpload] C:\WINDOWS\Acecad\Wtxpload.exe Acecad
O4 - HKLM\..\Run: [ZPOINT32] C:\WINDOWS\system32\ZPOINT32.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\atgban.dll" DllStart
O4 - HKLM\..\Run: [35704244] rundll32.exe "C:\WINDOWS\system32\jnldgktb.dll",b
O4 - HKLM\..\Run: [BM364371d8] Rundll32.exe "C:\WINDOWS\system32\pfsagprt.dll",s
O4 - HKLM\..\RunServices: [Windows TM] SVPHOST.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6266] command /c del "C:\Documents and Settings\Jeannie McCarroll\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1457] cmd /c del "C:\Documents and Settings\Jeannie McCarroll\Start Menu\Programs\Outerinfo\Terms.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5006] command /c del "C:\Documents and Settings\Jeannie McCarroll\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC721] cmd /c del "C:\Documents and Settings\Jeannie McCarroll\Start Menu\Programs\Outerinfo\Uninstall.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6141] command /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2361] cmd /c del "C:\Program Files\Outerinfo\FF\install.rdf"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9868] command /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9606] cmd /c del "C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5197] command /c del "C:\WINDOWS\b128.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2085] cmd /c del "C:\WINDOWS\b128.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4754] command /c del "C:\WINDOWS\system32\fsscgpow.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7416] command /c del "C:\WINDOWS\system32\mlljk.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4172] cmd /c del "C:\WINDOWS\system32\mlljk.dll"
O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
O4 - HKCU\..\Run: [Windows TM] SVPHOST.exe
O4 - HKCU\..\Run: [Aaou] "C:\PROGRA~1\CURITY~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Emox] "C:\Program Files\??crosoft\l?gonui.exe"
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Jeannie McCarroll\Application Data\Microsoft\Windows\gvujll.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows TM] SVPHOST.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Windows TM] SVPHOST.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows TM] SVPHOST.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Windows TM] SVPHOST.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://ca8l.hpwis.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: opnljih - C:\WINDOWS\SYSTEM32\opnljih.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\
O20 - Winlogon Notify: tuvvtqo - C:\WINDOWS\
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmVhbm5pZSBNY0NhcnJvbGw\command.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\system32\Wintab32.exe

--
End of file - 11358 bytes

Hello Skafaze

Welcome to Safer Networking.

Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Let me tell ya straight up, this is one of the most heavily infected computers that I have come across in some time, your infected with the Vundo Trojan, also a trojan downloader that is installing more of this garbage when your online, misc malware, worms and also a Rootkit that may be difficult to remove. Even if this stuff can be cleaned I would tend to never trust this computer again to do any online transactions. I have been at this for a long time and sometimes I scratch my head wondering what people use there computers for to get so infected. If this was my computer I would not hesitate to reformat the drive and install a clean copy of windows, but this is your call, if you want to proceed with the cleaning we can try to remove this stuff, if you do I strongly urge you that outside from posting here that you stay off the internet as one of your infections will be out looking for more garbage to download and install.

Let me know what you want to do ???

Thanks ken545, your findings are not a total surprise based on what's been happening with it lately.

I'm as confused as you as to where this stuff is coming from, but I'm also not the only one using it. I think I'll take your advice and do the reformat after I've salvaged my essential documents. Reformat will ensure future "safe" usage for transactions? Can you suggest future defenses against reinfection once the format is done? Eg. most effective software, browser defense etc.

Skafaze,

When there are multiple people using one computer, God only knows what they download. The trojan downloader looks for other malware while your on the net . The Rootkit is sometimes real difficult to remove as it hides files all over your system.

A reformat and a clean install of windows would be a good idea but I will leave this thread open for you for a week or so in case you change your mind.

We do not help with reformats on this forum, can you do it yourself ? if not I can link you to some free windows support sites that can assist you, let me know?



How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.12 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.


Glad we could help

Safe Surfn
Ken

Thanks for the help Ken. I think I'm good to go through the formatting, but will check out the links you provided before. If anything seems too difficult, I'll check back with you about trying the clean up first.

The first one on my list would be my first choice, a lot of knowledgeable windows experts in that forum.

Windows Tech Support Forums

Windows Helpnet (http://www.windowsbbs.com/) <-- Excellent XP Forum
PcPitStop (http://pcpitstop.com/) <-- You can take your system in for a checkup here.
Windows Support (http://forums.whatthetech.com/Microsoft_Windows_f119.html)



Good Luck,
Ken

Reformat seems to have worked. Thanks for the help.

Thats great, thanks for getting back to me. Make sure you install some or all of the free programs that I listed in a previous reply to help stop this garbage from getting back into your system.

Ken:)