Command Service -- Need Help!



tiredgrump
2006-03-26, 23:17
Hopefully, I have it right this time. Can you help me remove this malware and its related nasties?

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:14:00 PM, on 3/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\msput.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://broadband.zoomtown.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {04AA3AE8-56F9-AE74-F27A-619E8F7622E7} - C:\WINDOWS\yxmsvemo.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\System32\w9seq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk.disabled
O4 - Global Startup: MA111 Configuration Utility.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124231536144
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124244409033
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\System32\w9seq.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Microsoft Startup Manager. (Microsoft Startup Manager) - Unknown owner - C:\WINDOWS\msput.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

pskelley
2006-03-27, 02:57
Hello and welcome to the forum. You do have some nasties that need to go; this one: http://www.sophos.com/virusinfo/analyses/w32sdbotbay.html is running from Programs and Services. You need to review the information so you can understand how it got on your computer and what you need to do to fix the damage it has caused.
C:\WINDOWS\msput.exe >>>
When first run W32/Sdbot-BAY copies itself to <Windows>\msput.exe.
The file msput.exe is registered as a new system driver service named "Microsoft Startup Manager", with a display name of "Microsoft Startup Manager." and a startup type of automatic, so that it is started automatically during system startup.

1) Follow the directions in the posted order. Some items may have been removed by earlier scans; do not be concerned, just do not miss any.

2) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/); it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


3) Disable the offending Service
Click Start > Run and type services.msc
Scroll down to Microsoft Startup Manager and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

4) Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type Microsoft Startup Manager and press OK.
OK any prompts, close HijackThis, and restart your computer.


5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {04AA3AE8-56F9-AE74-F27A-619E8F7622E7} - C:\WINDOWS\yxmsvemo.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\System32\w9seq.dll
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\System32\w9seq.dll
O23 - Service: Microsoft Startup Manager. (Microsoft Startup Manager) - Unknown owner - C:\WINDOWS\msput.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Enable hidden files & folders. Reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\msput.exe >>> file

C:\WINDOWS\yxmsvemo.dll >>> file

C:\WINDOWS\System32\w9seq.dll >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

7) If you don't have a good cleaner, use this free one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and your comments, tell me how the computer is running now.

Thanks...pskelley
Safer Networking Forums
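The triage above singles out a service with "Unknown owner" whose binary sits directly in C:\WINDOWS, a BHO registered as "(no name)", and a text/html MIME filter. As an added example that is not part of the original post and is not a feature of HijackThis itself, the Python script below applies those same heuristics to HijackThis v1.99 O2, O18 and O23 lines. The sample input is a handful of lines copied from the log above plus two clean entries for contrast; the scoring, the reason strings and the "Windows root" test are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines in HijackThis v1.99 format taken from the log posted
# in this thread, plus two known-good vendor entries (Adobe, McAfee) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {04AA3AE8-56F9-AE74-F27A-619E8F7622E7} - C:\WINDOWS\yxmsvemo.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yvakt Class - {DAAC59E5-093D-4D24-A105-55BFE4ACDE14} - C:\WINDOWS\System32\w9seq.dll
O18 - Filter: text/html - {CEA53356-C414-4331-A35E-AA4CE9D8DFA2} - C:\WINDOWS\System32\w9seq.dll
O23 - Service: Microsoft Startup Manager. (Microsoft Startup Manager) - Unknown owner - C:\WINDOWS\msput.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

# Line shapes as HijackThis 1.99 prints them: "O23 - Service: <display> (<name>) - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# Matches a file directly under <drive>:\WINDOWS, not in System32 or deeper (assumption: weak signal on its own).
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per independent reason; the ranking below is this example's heuristic.
        return len(self.reasons)


def in_windows_root(path: str) -> bool:
    return bool(WINDOWS_ROOT_RE.match(path.strip()))


def check_service(m) -> list:
    display, name, owner, path = m["display"], m["name"], m["owner"], m["path"]
    reasons = []
    if owner.lower() == "unknown owner":
        reasons.append("no vendor recorded for the service binary")
    if in_windows_root(path):
        reasons.append("binary sits directly in the Windows directory rather than System32 or Program Files")
    if display != name and display.rstrip(".,;:!") == name:
        reasons.append("display name differs from the service name only by trailing punctuation")
    if display.lower().startswith("microsoft") and owner.lower() == "unknown owner":
        reasons.append("claims a Microsoft name without Microsoft as vendor")
    return reasons


def check_bho(m) -> list:
    reasons = []
    if m["name"] == "(no name)":
        reasons.append("BHO registered without a name")
    if in_windows_root(m["path"]):
        reasons.append("DLL sits directly in the Windows directory")
    return reasons


def check_filter(m) -> list:
    if m["mime"].lower() == "text/html":
        return ["MIME filter on text/html sees every page loaded; rarely installed by legitimate software"]
    return []


def triage(log_text: str) -> list:
    """Return suspicious O2/O18/O23 entries, highest score first (stable for ties)."""
    findings = []
    checks = (("O23", O23_RE, check_service), ("O2", O2_RE, check_bho), ("O18", O18_RE, check_filter))
    for line in log_text.splitlines():
        line = line.strip()
        for section, regex, checker in checks:
            m = regex.match(line)
            if m:
                reasons = checker(m)
                if reasons:
                    findings.append(Finding(section, m["path"], reasons))
                break
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.path} (score {f.score})")
        for r in f.reasons:
            print("   -", r)
```

Note what the ranking does with the AOL "WAN Miniport" service: it also lives in C:\WINDOWS, so it collects one point, but a named vendor and a display name that matches its service name keep it well below msput.exe. That is the reason the script scores independent reasons instead of treating any single heuristic as a verdict.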

tiredgrump
2006-03-27, 05:50
Thanks PSKelley! Per your instructions, here are my ewido scan results and the latest HJT log. Please advise as to next steps.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:41:44 PM, 3/26/2006
+ Report-Checksum: E09C4E2D

+ Scan result:

[348] C:\WINDOWS\System32\w9seq.dll -> Adware.Suggestor : Ignored
C:\Documents and Settings\Rachel\Cookies\rachel@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Ignored
C:\Documents and Settings\Rachel\Cookies\rachel@axa.addcontrol[1].txt -> TrackingCookie.Addcontrol : Ignored
C:\Documents and Settings\Rachel\Cookies\rachel@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Ignored
C:\Documents and Settings\Rachel\Cookies\rachel@com[2].txt -> TrackingCookie.Com : Ignored
C:\Documents and Settings\Rachel\Local Settings\Temporary Internet Files\Content.IE5\C5KR6HWP\visfx500[1].exe -> Dropper.Agent.aie : Ignored
C:\krw1dn.exe -> Downloader.Agent.afi : Ignored
C:\WINDOWS\system32\slk8x2peu.exe -> Adware.Suggestor : Ignored
C:\WINDOWS\system32\w9seq.dll -> Adware.Suggestor : Ignored
C:\WINDOWS\Temp\F0E13.tmp/slk8x2peu.exe -> Adware.Suggestor : Ignored
C:\ZICORN001.exe -> Adware.ZenoSearch : Ignored
[1728] C:\WINDOWS\msput.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@e-2dj6wjkokoajoco.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@e-2dj6wjkyspc5ebo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@e-2dj6wjlowlcjshp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@e-2dj6wjnyqgdjihq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@efashionsolutions.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@meetupcom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@polo.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Rachel\Local Settings\Temp\Cookies\rachel@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Rachel\Local Settings\Temp\Cookies\rachel@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Rachel\Local Settings\Temp\Cookies\rachel@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Rachel\Local Settings\Temp\Cookies\rachel@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\msput.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\pyzgynjc.dll -> Adware.BookedSpace : Cleaned with backup
C:\WINDOWS\system32\faotvpap7.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\Temp\F0E13.tmp/faotvpap7.exe -> Trojan.Runner.h : Error during cleaning
C:\WINDOWS\Temp\i1B.tmp -> Adware.SurfSide : Cleaned with backup
C:\WINDOWS\yxmsvemo.dll -> Adware.BookedSpace : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 10:42:59 PM, on 3/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Program Files\HijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://broadband.zoomtown.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk.disabled
O4 - Global Startup: MA111 Configuration Utility.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124231536144
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124244409033
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

pskelley
2006-03-27, 15:59
Hello Rachel? Thanks for promptly returning this information. Looking at your ewido scan report:
ewido anti-malware - Scan report
+ Created on: 9:41:44 PM, 3/26/2006

I see you ignored a lot of nasties in the beginning, and there is one bad one:
C:\WINDOWS\Temp\F0E13.tmp/faotvpap7.exe -> Trojan.Runner.h : Error during cleaning
that ewido could not clean, and it could be that is because of something you ignored? Since it is easier to run the scan again instead of trying to do it manually, that is what I suggest. I would also like you to run it in safe mode, as ewido cleans better with the junk not running:
http://www.bleepingcomputer.com/tutorials/tutorial61.html
Then post a new ewido scan result so I can make sure it cleaned it all.

The HJT log is clean, so I will not need to see it again unless I request it. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Recap: I want to make sure you ran CCleaner as it should have cleaned this folder during the process: C:\WINDOWS\Temp\
Post the new ewido scan results and let me have some feedback, how is the computer running?

Thanks...Phil
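Phil's reading of the report turns on three things: entries marked "Ignored", the one marked "Error during cleaning", and the fact that the failed file sits inside a .tmp container under C:\WINDOWS\Temp. The Python below is an added example, not part of this thread and not an ewido feature: it parses the report's "path -> detection : action" lines over a constructed subset of the report posted above and lists what still needs attention. Two interpretations are this example's assumptions, not something ewido documents on this page: that a leading "[pid]" marks a file that was loaded in a running process (which is why a safe-mode rerun helps), and that a forward slash in a path marks a member inside an archive or temp container.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the ewido report posted in this thread (eight lines).
SAMPLE_REPORT = r"""
[348] C:\WINDOWS\System32\w9seq.dll -> Adware.Suggestor : Ignored
C:\Documents and Settings\Rachel\Cookies\rachel@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Ignored
C:\krw1dn.exe -> Downloader.Agent.afi : Ignored
C:\WINDOWS\Temp\F0E13.tmp/slk8x2peu.exe -> Adware.Suggestor : Ignored
[1728] C:\WINDOWS\msput.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\Documents and Settings\Rachel\Cookies\rachel@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\WINDOWS\Temp\F0E13.tmp/faotvpap7.exe -> Trojan.Runner.h : Error during cleaning
C:\WINDOWS\yxmsvemo.dll -> Adware.BookedSpace : Cleaned with backup
"""

# "[pid] path -> Detection.Name : Action" with the pid prefix optional.
EWIDO_LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\] )?(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+)$"
)


@dataclass
class Detection:
    path: str
    detection: str
    action: str
    pid: Optional[int]  # assumption: set when the file was mapped into a running process

    @property
    def in_container(self) -> bool:
        # Assumption: ewido separates container and member with a forward slash.
        return "/" in self.path

    @property
    def is_cookie(self) -> bool:
        return self.detection.startswith("TrackingCookie.")

    @property
    def container(self) -> Optional[str]:
        return self.path.split("/", 1)[0] if self.in_container else None


def parse_report(text: str) -> list:
    items = []
    for line in text.splitlines():
        m = EWIDO_LINE_RE.match(line.strip())
        if m:
            pid = int(m["pid"]) if m["pid"] else None
            items.append(Detection(m["path"], m["detection"].strip(), m["action"].strip(), pid))
    return items


def summarize(items: list) -> Counter:
    """Count of detections per action, e.g. how many were Ignored versus Cleaned."""
    return Counter(i.action for i in items)


def follow_up(items: list) -> list:
    """Detections that still need attention after the run: anything ignored that is
    more than a tracking cookie, plus anything ewido reported an error on."""
    return [i for i in items
            if (i.action == "Ignored" and not i.is_cookie) or i.action.startswith("Error")]


def loaded_in_process(items: list) -> list:
    """Files that were live in a process at scan time; candidates for a safe-mode rerun."""
    return [i for i in items if i.pid is not None]


def container_parents(items: list) -> set:
    """Temp or archive containers that hold flagged members; deleting the container clears them."""
    return {i.container for i in items if i.in_container}


if __name__ == "__main__":
    items = parse_report(SAMPLE_REPORT)
    print("Actions:", dict(summarize(items)))
    print("Needs follow-up:")
    for i in follow_up(items):
        print(f"  {i.path} ({i.detection}, {i.action})")
    print("Loaded in a process:", [(i.pid, i.path) for i in loaded_in_process(items)])
    print("Containers to remove:", container_parents(items))
```

On the constructed sample the follow-up list contains the three non-cookie "Ignored" entries and the one cleaning error, and the only container reported is C:\WINDOWS\Temp\F0E13.tmp, which is the folder the recap above asks to have CCleaner empty.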

tiredgrump
2006-03-29, 04:41
Hello Phil --

Per your instruction, I ran ewido again (this time in safe mode), and I also ran CCleaner again. Here is the ewido scan result log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:25:52 PM, 3/28/2006
+ Report-Checksum: 4CE074F3

+ Scan result:

C:\krw1dn.exe -> Downloader.Agent.afi : Cleaned with backup
C:\Program Files\HijackThis\hijackthis\backups\backup-20060326-215416-985.dll -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\slk8x2peu.exe -> Adware.Suggestor : Cleaned with backup
C:\ZICORN001.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

Please let me know what next steps, if any, to take. Thank you very much!

-- Dave (Rachel's dad)

pskelley
2006-03-29, 05:10
Hi Dave, I expected to see the items that were ignored in the last ewido log removed in this one? Is it possible the log was run more than once? It appears it is clean as was the HJT log. If all is running well, then you are good to go.

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing...Phil:bigthumb:


tiredgrump
2006-03-29, 06:02
Hi Phil --

I don't know why the ewido log didn't show the entries I had previously ignored -- I did not run it a second time after your last post.

In any event, I just now completed a re-boot (in normal mode) and ran a Spybot Search & Destroy. Much to my chagrin, the Command Service malware is still showing up. What should I do? Thanks very much.

-- Dave

pskelley
2006-03-29, 06:09
OK Dave and thanks for that information. I understand this is just a glitch, make sure Spybot is updated.
Our own LonnyRJones has created a tool to take care of it:

Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted!

http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by double-clicking it, and then double-click the ren-cmdservice.bat file to run the program.
A text file will open when it is finished; post it please.
Then restart the PC, run Spybot, and check for and fix any problems found.

Thanks...Phil

tiredgrump
2006-03-29, 06:46
Phil --

Here is the ren-cmdservice text file:

Running from C:\Documents and Settings\Rachel\Desktop\ren-cmdservice\ren-cmdservice
No Image Path Listed in Registry

Original perms.

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\cmdservice:
Read NT AUTHORITY\INTERACTIVE
Full access BUILTIN\Administrators


-----------------
Adjusted permisions

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\cmdservice:
Full access BUILTIN\Administrators
Full access NT AUTHORITY\INTERACTIVE
Read BUILTIN\Users
Full access NT AUTHORITY\SYSTEM


-----------------
Deleting cmdservie key
[SWSC] DeleteService FAIL
Delete Network Monitor if present
[SWSC] DeleteService FAIL
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
A Backup made was made, bakhive
Finised, Post the logit.txt then restart your PC please
ren-cmdservice.bat edited 2-4-2006
-----------------

Please let me know what next steps, if any, I should take. Thanks again.

-- Dave

pskelley
2006-03-29, 13:23
Hi Dave, that's it. Review the security information posted in the links. If you do not own ewido, turn it off in services and make sure it is not running and wasting resources. You can still update and run it manually when you wish and it will still do the job; you just lose the realtime protection once the trial is over. And you should follow the instructions to clean the System Restore files.

Thanks...Phil:)

tiredgrump
2006-03-30, 05:39
Hey Phil --

YOU ROCK!!!!
I just ran Spybot Search & Destroy (after following your last set of instructions), and it brought up several collateral maladies that had appeared before -- but NOT "Command Service". Spybot then fixed these problems. I re-booted and ran Spybot again. . . and EUREKA! It came up clean.

Just two final questions:
1. If I decide not to purchase the full version of ewido, is there any reason why I wouldn't want to uninstall it using Windows' "Add/Remove Programs" tool in the Control Panel? Would it hurt anything to uninstall it?

2. How can I thank you in a meaningful way, other than by just saying "thank you." You have no idea of the euphoria you have caused.

THANK YOU!!!

-- Dave

pskelley
2006-03-30, 15:42
Thanks Dave, but alas I can't take credit for another person's work. I always try to remember to give the credit to folks such as Lonny who give us the tools without which our jobs would be much harder. To answer your questions to the best of my ability:

1) ewido: I also use ewido and I do not own the program. If you have the disk space, you get free updates for as long as you like and it will continue to do the job; you just do not get the realtime protection. You would need to disable it in services, and you do not want to see it in the log anywhere unless you are scanning. It will then just use a little disk space and be there in case you need a good scan. Your option.

2) Just by saying "thank you" and caring enough to do it, you have given me what I work for. Tell Rachel to be careful online; it is a cyber jungle out there.

tashi will be along to close you in a day or so.

Thanks...Phil

tiredgrump
2006-03-30, 15:59
Hey Phil --

Thanks again for your help, your magic bullets, and your answers. Rachel is thrilled to get her laptop back, and my wife is happy that I'm not spending all my evenings trying to de-worm it.

It's people like you that make life a lot better for people like me.

The laptop is running perfectly now. No sign of the nasties.

Thanks again. If I can ever return the kindness, let me know.

-- Dave

LonnyRJones
2006-04-04, 08:24
I'm glad we could help.
Since the problems are solved, I'm going to close the topic now. This keeps others with similar problems from posting their logs/questions here; they should start a new topic.
If you should need to post another log for the same PC, let me, pskelley or Tashi know.