Cannot Delete Adware



owfsasha1
2008-06-12, 19:09
I recently acquired adware and downloaded Spybot-S&D to find and delete the file that is causing this. It ran through all the files, destroyed a ton of them and then said:

"Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restart. May Spybot-S&D run on your next system startup?"

I said yes, restarted my computer, and it took 30 minutes to search through all of the files again. After this, it had the same exact message. The file is called "Command Service". Please help?

md usa spybot fan
2008-06-12, 19:35
owfsasha1:

Please post a log of the actual detection(s) you are getting. To do that:
1. Run another scan.
2. When the scan completes, right click on the results list, select "Copy results to clipboard".
3. Then paste (Ctrl+V) those results to a new post in this thread.
Thanks

owfsasha1
2008-06-12, 19:36
Command Service: System Service (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

CoolWWWSearch: [SBI $21C4E0C1] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{17DA0C9E-4A27-4AC5-BB75-5D24B8CDB972}

CoolWWWSearch: [SBI $856E2E0D] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CF021F40-3E14-23A5-CBA2-717765721306}

CoolWWWSearch: [SBI $05AABB3F] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}

CoolWWWSearch: [SBI $53B1EFC5] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880}

CoolWWWSearch: [SBI $B9E15D79] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}

CoolWWWSearch: [SBI $8A4A2DFC] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2D38A51A-23C9-48A1-A33C-48675AA2B494}

CoolWWWSearch: [SBI $7FD71731] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}

CoolWWWSearch: [SBI $997CFB38] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{17DA0C9E-4A27-4ac5-BB75-5D24B8CDB972}

CoolWWWSearch.008k: [SBI $4BF722AC] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD9BC004-8331-4457-B830-4759FF704C22}

CoolWWWSearch.008k: [SBI $B9F681B7] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{587DBF2D-9145-4c9e-92C2-1F953DA73773}

CoolWWWSearch.008k: [SBI $7935A70E] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FD9BC004-8331-4457-B830-4759FF704C22}

CoolWWWSearch.Aff.Iedll: [SBI $450485B1] Executable (File, fixed)
C:\WINDOWS\iedll.exe

CoolWWWSearch.Aff.Iedll: [SBI $8C04C923] Executable (File, fixed)
C:\WINDOWS\loader.exe

CoolWWWSearch.Aff.Winshow: [SBI $21A0F4E7] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2DDF680-9905-4DEE-8C64-0A5DE7FE133C}

CoolWWWSearch.Aff.Winshow: [SBI $EDDBEA88] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}

CoolWWWSearch.Aff.Winshow: [SBI $049CBFB9] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2E9CAFF6-30C7-4208-8807-E79D4EC6F806}

CoolWWWSearch.Aff.Winshow: [SBI $D5551A55] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E2DDF680-9905-4dee-8C64-0A5DE7FE133C}

CoolWWWSearch.BlowSearch: [SBI $2F81B0E2] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{79369D5C-2903-4B7A-ADE2-D5E0DEE14D24}

CoolWWWSearch.Bootconf: [SBI $805EA7D4] Executable (File, fixed)
C:\WINDOWS\msupdate.exe

CoolWWWSearch.Dreplace: [SBI $07DD1156] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{086AE192-23A6-48D6-96EC-715F53797E85}

CoolWWWSearch.Dreplace: [SBI $EE9A4467] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{086AE192-23A6-48D6-96EC-715F53797E85}

CoolWWWSearch.Gonnasearch: [SBI $503651AA] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{799A370D-5993-4887-9DF7-0A4756A77D00}

CoolWWWSearch.Gonnasearch: [SBI $10F83C44] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A55581DC-2CDB-4089-8878-71A080B22342}

CoolWWWSearch.Gonnasearch: [SBI $640CC338] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E7AFFF2A-1B57-49C7-BF6B-E5123394C970}

CoolWWWSearch.Gonnasearch: [SBI $F8BC1ACA] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{150FA160-130D-451F-B863-B655061432BA}

CoolWWWSearch.Leftovers: [SBI $54B61FCC] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00110011-4B0B-44D5-9718-90C88817369B}

CoolWWWSearch.Leftovers: [SBI $D28FD146] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2}

CoolWWWSearch.Leftovers: [SBI $D0C96F1F] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1}

CoolWWWSearch.Leftovers: [SBI $3BC88477] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2}

CoolWWWSearch.Leftovers: [SBI $BDF14AFD] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00110011-4B0B-44D5-9718-90C88817369B}

CoolWWWSearch.SmartSearch: [SBI $D0FDF930] Executable (File, fixed)
C:\WINDOWS\notepad32.exe

CoolWWWSearch.Svcinit: [SBI $222D2525] Executable (File, fixed)
C:\WINDOWS\mssys.exe

CoolWWWSearch.WCADW: [SBI $EBBDAA3B] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B847676D-72AC-4393-BFFF-43A1EB979352}

CoolWWWSearch.WinRes: [SBI $252DB9D3] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2D38A51A-23C9-48a1-A33C-48675AA2B494}

CoolWWWSearch.WinSearch: [SBI $BAFE8D4B] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}

CoolWWWSearch.Yexe: [SBI $E7391681] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5321E378-FFAD-4999-8C62-03CA8155F0B3}

ToolbarCC: [SBI $E20BEABD] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB1}

Command Service: [SBI $C53578BD] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: [SBI $F0D8CEEE] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

DeepDive: [SBI $633C4225] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}

DeepDive: [SBI $8AF8A653] Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}

DeepDive: [SBI $C63F022C] Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}

Smitfraud-C.gp: [SBI $7D81C16D] Executable (File, fixed)
C:\WINDOWS\x.exe

Smitfraud-C.gp: [SBI $29222CE9] Web page (File, fixed)
C:\WINDOWS\default.htm

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $FD4267D3] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Microsoft.WindowsSecurityCenter.TaskManager: [SBI $B2E55F62] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr

ClientMan: [SBI $7157E101] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

ClientMan: [SBI $439564A3] Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

CoolWWWSearch.GonnaSearch: [SBI $11FB4FFB] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{150FA160-130D-451F-B863-B655061432BA}

CoolWWWSearch.GonnaSearch: [SBI $8D4B9609] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7AFFF2A-1B57-49C7-BF6B-E5123394C970}

Smitfraud-C.: [SBI $13E62E68] Executable (File, fixed)
C:\WINDOWS\users32.exe

Smitfraud-C.: [SBI $6CA15C70] Executable (File, fixed)
C:\WINDOWS\winmgnt.exe

Smitfraud-C.: [SBI $B10DB83E] Library (File, fixed)
C:\WINDOWS\avpcc.dll

Smitfraud-C.: [SBI $CDB2E61E] Executable (File, fixed)
C:\WINDOWS\window.exe

Smitfraud-C.: [SBI $2F25FB5A] Executable (File, fixed)
C:\WINDOWS\systemcritical.exe

Smitfraud-C.: [SBI $C1D3236A] Executable (File, fixed)
C:\WINDOWS\clrssn.exe

Smitfraud-C.: [SBI $3814E202] Executable (File, fixed)
C:\WINDOWS\systeem.exe

Smitfraud-C.: [SBI $18599D31] Library (File, fixed)
C:\WINDOWS\xxxvideo.hta

Smitfraud-C.: [SBI $F6F1FE46] Executable (File, fixed)
C:\WINDOWS\waol.exe

Smitfraud-C.: [SBI $4801815D] Executable (File, fixed)
C:\WINDOWS\y.exe

Smitfraud-C.: [SBI $31B4405F] Executable (File, fixed)
C:\WINDOWS\accesss.exe

Smitfraud-C.: [SBI $9D6DEEA6] Executable (File, fixed)
C:\WINDOWS\olehelp.exe

Smitfraud-C.: [SBI $68E08DD7] Executable (File, fixed)
C:\WINDOWS\win32e.exe

Smitfraud-C.: [SBI $D1D74B75] Executable (File, fixed)
C:\WINDOWS\win64.exe

Smitfraud-C.: [SBI $33A479D9] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-507921405-706699826-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E3EEBBE8-9CAB-4C76-B26A-747E25EBB4C6}

Smitfraud-C.: [SBI $4A940688] Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}

Smitfraud-C.: [SBI $9E628A33] Library (File, fixed)
C:\WINDOWS\cpan.dll

Smitfraud-C.: [SBI $DF8A3C1C] Library (File, fixed)
C:\WINDOWS\mtwirl32.dll

Smitfraud-C.: [SBI $434EE262] Library (File, fixed)
C:\WINDOWS\winajbm.dll

Smitfraud-C.: [SBI $7D9C464E] Library (File, fixed)
C:\WINDOWS\xplugin.dll

Smitfraud-C.CoreService: [SBI $9C656B9A] Data (File, fixed)
C:\WINDOWS\system32\drivers\core.cache.dsk

Win32.Small.ny: [SBI $4746BC1E] Executable (File, fixed)
C:\WINDOWS\iexplorer.exe

Virtumonde.dll: [SBI $4DB0E149] Library (File, fixed)
C:\WINDOWS\system32\qoMeEUKD.dll_old


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-06-12 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-06-03 Includes\Adware.sbi (*)
2008-06-10 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-10 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-04 Includes\Hijackers.sbi (*)
2008-06-03 Includes\HijackersC.sbi (*)
2008-06-03 Includes\Keyloggers.sbi (*)
2008-06-10 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-06-03 Includes\Malware.sbi (*)
2008-06-11 Includes\MalwareC.sbi (*)
2008-06-03 Includes\PUPS.sbi (*)
2008-06-10 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-10 Includes\Security.sbi (*)
2008-06-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-03 Includes\Spyware.sbi (*)
2008-06-03 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-06-11 Includes\Trojans.sbi (*)
2008-06-11 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
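As an added example (not part of this thread or of Spybot-S&D itself), a small Python parser for the "Copy results to clipboard" format pasted above; the log inside it is a constructed sample built from entries in that paste. It pulls out the detections marked "fixing failed" and shows that they are one service key, cmdService, seen under CurrentControlSet (which is a link to one of the ControlSet00N keys) as well as ControlSet001 and ControlSet002, so the service is only gone once none of those still lists it.

```python
import re

# Constructed sample in the layout of a Spybot-S&D 1.5 "Copy results to clipboard" paste.
SAMPLE_LOG = """\
Command Service: System Service (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\cmdService

CoolWWWSearch.Aff.Iedll: [SBI $450485B1] Executable (File, fixed)
C:\\WINDOWS\\iedll.exe

Command Service: [SBI $C53578BD] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\cmdService

Command Service: [SBI $F0D8CEEE] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\cmdService

--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---
"""

# "<family>: [SBI $<id>] <kind> (<type>, <status>)"; the SBI tag is optional.
HEADER_RE = re.compile(
    r"^(?P<family>[^:]+): (?:\[SBI \$(?P<sbi>[0-9A-F]{8})\] )?"
    r"(?P<kind>.+?) \((?P<type>[^,]+), (?P<status>[^)]+)\)$"
)
SERVICE_KEY_RE = re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)$", re.I)

def parse_results(text):
    """One dict per detection: the header fields plus the location line under it."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append({**m.groupdict(), "location": lines[i + 1].strip()})
            i += 2
        else:
            i += 1  # blank separator, version footer, or an unrecognised line
    return entries

def unresolved(entries):
    """Locations of detections whose status is not 'fixed', grouped by family."""
    failed = {}
    for e in entries:
        if e["status"] != "fixed":
            failed.setdefault(e["family"], []).append(e["location"])
    return failed

def service_keys(locations):
    """Sorted (control set, service) pairs. CurrentControlSet is a link to one of the
    ControlSet00N keys, so a live service is listed under several names at once."""
    return sorted(m.groups() for m in map(SERVICE_KEY_RE.search, locations) if m)
```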

md usa spybot fan
2008-06-12, 19:55
owfsasha1:

There is one thing that you can try to get rid of the "Command Service" detection that Spybot-S&D is having difficulty removing:
Try running Spybot in Safe mode.
Reboot your system in Safe mode and run Spybot-S&D.
If Spybot still fails to correct the problem consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288).
After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum, making sure to post the logs produced from the above instructions.