Unable to remove CmdService



ro360
2006-04-06, 11:10
I am really frustrated with the virus or spyware on my laptop. I am unable to surf the web. I believe my browser has been hijacked. After running several different Anti Virus programs I have not had complete success. After a reboot I can access the internet for a short moment and then, to no avail, I lose access. The viruses that are apparently still on my machine are two occurrences of CmdService in my registry. I have no idea how to remove them and anything else that isn't apparent. Tools that I have used are Spyware Nuke XT, HaxFix, Spybot, Ad-AwareSE, WinsockxpFix, Windows Defender, SpywareGuard. Any help will be greatly appreciated. I have attached a copy of my HijackThis file and Spybot file according to the instructions on this forum.

Logfile of HijackThis v1.99.1
Scan saved at 2:57:26 AM, on 4/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$RETSDATA\Binn\sqlservr.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spyware Nuker\swnxt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\AntiSpyWare\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.elivert.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ePrint 3.0 Service] C:\PROGRA~1\LEADTE~1\LEADTO~1.0\bin\EPRINT3.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: PUFLITE - http://rooseveltelivert.point2agent.com/Photo/Control/PUFLITE.CAB
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://inagag073/projectserver/objects/pjclient.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124162350221
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://inagag073/projectserver/objects/1033/pjcintl.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_24.cab
O20 - Winlogon Notify: accies98 - C:\WINDOWS\SYSTEM32\accies98.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mmx4xt - C:\WINDOWS\SYSTEM32\mmx4xt.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\mbuni11.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: EPrint III Service - Unknown owner - C:\Program Files\LEAD Technologies, Inc\LEADTOOLS ePrint 3.0\Bin\LPSVS03N.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\rthlpsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
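Added example, not part of the original thread: a small Python triage script that parses a handful of lines constructed from the HijackThis log above and applies three heuristics a helper typically applies by eye. It flags registry entries whose DLL is reported "(file missing)" (safe to fix, since nothing is loaded), O20 Winlogon Notify subkeys outside an assumed allowlist of names that ship with Windows XP or common display drivers, and O2 BHOs whose DLL sits under C:\WINDOWS\ rather than under a vendor's Program Files directory. The allowlist and the rules are assumptions made for this example, not HijackThis's own logic; anything flagged is a candidate for review, not a verdict.

```python
"""Triage a HijackThis-style log for a few common red flags.

Example code written for this thread; the rules are illustrative heuristics.
"""
import re
from dataclasses import dataclass

# ASSUMED allowlist of Winlogon Notify subkeys that ship with Windows XP or
# come from common display drivers. Review anything not on it; do not treat
# the list as authoritative.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "igfxcui", "ScCertProp",
    "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# Constructed sample input: a subset of the lines from the log posted above.
SAMPLE_LOG = [
    r"O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll",
    r"O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O20 - Winlogon Notify: accies98 - C:\WINDOWS\SYSTEM32\accies98.dll",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O20 - Winlogon Notify: mmx4xt - C:\WINDOWS\SYSTEM32\mmx4xt.dll",
    r"O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\mbuni11.dll (file missing)",
]

# Every HijackThis line starts with its section code ("O2", "O20", "R0", ...).
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<rest>.*)$")


@dataclass
class Finding:
    rule: str   # which heuristic fired
    name: str   # the entry's label (BHO name or Notify subkey)
    path: str   # the DLL path as printed in the log


def parse_line(line):
    """Split an O2 or O20 line into (kind, label, path); None for other kinds."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind not in ("O2", "O20"):
        return None
    # Both kinds read "<prefix>: <label> - ... - <path>": the label is the first
    # " - " segment after the colon, the path is the last one.
    after_colon = rest.split(":", 1)[1]
    label = after_colon.split(" - ", 1)[0].strip()
    path = after_colon.rsplit(" - ", 1)[-1].strip()
    return kind, label, path


def triage(lines):
    """Return the findings for a list of log lines, in log order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, label, path = parsed
        lower = path.lower()
        # Rule 1: the registry still references a DLL that is gone.
        if lower.endswith("(file missing)"):
            findings.append(Finding("dangling-reference", label, path))
            continue
        # Rule 2: a Winlogon Notify package we have no known origin for.
        if kind == "O20" and label not in KNOWN_NOTIFY:
            findings.append(Finding("unknown-winlogon-notify", label, path))
        # Rule 3: a browser helper object living in the Windows directory.
        if kind == "O2" and lower.startswith("c:\\windows\\"):
            findings.append(Finding("bho-in-windows-dir", label, path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:25} {f.name:20} {f.path}")
```

Run against the constructed lines, the script flags the Acrobat-named BHO in C:\WINDOWS\system\, the accies98 and mmx4xt Notify entries, and the dangling Unimodem entry, and leaves the SpywareGuard and Spybot helpers and igfxcui alone, which matches the items the helper later singled out in this thread.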

Rawe
2006-04-10, 15:00
Hello and sorry for the delay. Can you please post back with a fresh HijackThis log so that we can get started. :)

ro360
2006-04-10, 16:09
Hello Rawe,
Thanks so much for responding. Here is the latest HJT log I just took minutes ago.

Rawe
2006-04-10, 16:22
Hello again,

Let's get started. :) Your log doesn't look too bad..

==

Please download Haxfix.exe (http://users.telenet.be/marcvn/tools/haxfix.exe):
Save it to your desktop.
Double-click on haxfix.exe to install haxfix. (standard installation path is C:\Program Files\haxfix)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish".
A red "dos window" (dos box) will open.
Select option 1. Make logfile by typing 1 and then pressing Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open.
Copy the contents of that logfile and paste it into this thread. :bigthumb:

ro360
2006-04-10, 16:56
Hello Rawe,
I hope you are right that this isn't that bad. I have attached a copy of the haxfix log to this post.

Rawe
2006-04-10, 17:01
Hello again,
Please open the following folder: C:\Program Files\Haxfix\
Double-click on Fix.bat.
Close all other open windows since this step requires a reboot.
Select option 3. Run manu fix by typing 3 and then pressing Enter.

This message will appear:

echo Insert the haxdoorkey,
and then press Enter:
Type the following: mmx4
When this is a valid choice, the key will be added to delete.
There is the possibility to add a new key: Yes (type Y) or No (type N).
Followed by this message:

Haxdoorkey mmx4 added to delete.

Do you want to add a new haxdoorkey?

Press Y for YES or N for NO and then press Enter:
Type N for No and press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of the logfile together with a fresh HijackThis log. :bigthumb:

ro360
2006-04-10, 17:49
Hello Rawe,
I reran the HaxFix exe as you requested. I must admit I can see a difference already. My Zone Alarm now comes up. Although something keeps trying to change my Internet Explorer current user default page from <none> to about:blank. Here are my logs.

Rawe
2006-04-10, 18:03
Ok then, let's continue :)

Please print these instructions out, or write them down, as you can't read them during the fix.

Please run a scan with HijackThis and check the following objects for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O20 - Winlogon Notify: accies98 - C:\WINDOWS\SYSTEM32\accies98.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\mbuni11.dll (file missing)

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

==

Next:
Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on "Delete File on Reboot"
Navigate to this file - C:\WINDOWS\SYSTEM32\accies98.dll
Double-click on that file.
HJT asks you if you want to reboot, now. Click "Yes".

==

Finally:

Please download Look2Me-Destroyer (http://www.atribune.org/ccount/click.php?id=7) to your desktop.

Before continuing with the fix there is something you must do:

Click Start -> Run and type in: services.msc
Check that the following services are running and that their startup is set to automatic:
Seclogon, or Secondary logon service
Next your machine needs to be offline, manually disconnect the network cable if necessary.
Your antivirus, and every other security software MUST be disabled.

Now continue:

Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Re-launch your security software's protections.
Re-connect back to the internet.
Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log. :bigthumb:
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

ro360
2006-04-10, 19:52
I tried to find the file accies98.dll and was unable to find it. Although I proceeded with the rest of your instructions. During the entire process I had stopped all access to the network and internet. The last step in your instructions was to give my system access again. Once I did that I noticed the same problem I had before, that is I can't even open an Internet Explorer window. I also noticed the problem with my IE being changed is still occurring. I have attached the two files that you requested.

Rawe
2006-04-10, 20:26
Go ahead and delete Haxfix & Look2Me-Destroyer. :)

Then let's continue.

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/ (http://www.ewido.net/en/download/)

Please read Ewido Setup Instructions (http://rstones12.geekstogo.com/ewidosetup.htm)
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

Once in Safe Mode, run a scan with HijackThis and check the following objects for removal if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: Acrobat IE Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE083} - C:\WINDOWS\system\ctldlg32.dll
O20 - Winlogon Notify: accies98 - C:\WINDOWS\SYSTEM32\accies98.dll

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

==

Please run a scan with Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
Close Ewido Anti-Malware.
==

Navigate to, and delete the following files (if present):

C:\WINDOWS\system\ctldlg32.dll
C:\WINDOWS\SYSTEM32\accies98.dll

Empty recycle bin.

==

Now, please reboot back into Normal mode, open the Report.txt file and copy & paste its content to this thread along with a fresh HijackThis log. :bigthumb:

ro360
2006-04-11, 04:13
Hello Rawe,
I did everything you asked. Great instructions. Very well detailed I might add. The two files that you asked me to find and delete were not there.
C:\WINDOWS\system\ctldlg32.dll
C:\WINDOWS\SYSTEM32\accies98.dll

Upon rebooting into normal mode after doing all the instructions there was another attempt to change IE to "about:blank" But it should show that in my new HJT log. I have attached both logs that you asked for to this post. Thanks again.

ro360
2006-04-11, 04:38
Hello Rawe,
One more thing I forgot to mention. There was another file called acciesX2 that I saw in the C:\Windows\system32\ . I didn't know if that was related to the other file that you wanted me to remove.

Rawe
2006-04-11, 09:29
Well, it's starting to look a lot better now :bigthumb:

Please download the Killbox by Option^Explicit (http://www.downloads.subratam.org/KillBox.zip).

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\acciesX2.sys


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try Killbox again.

==

Updating Java and Clearing Cache

Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:

http://www.java.com/en/download/manual.jsp (http://www.java.com/en/download/manual.jsp)

After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked

Downloaded Applets
Downloaded Applications
Other Files

Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.


==

Then finally:

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. ;)

ro360
2006-04-11, 18:31
I followed all the steps once again. As for the message you were looking for "PendingFileRenameOperations" I didn't see it. I have attached a copy of the active scan report. Oh yeah it took a long time to run that scan. Thanks.

Rawe
2006-04-11, 19:11
Ok, let's continue :)

Looks a lot better at this point.

==

Read the following info on Spyware Nuker (do a search with your browser):

http://www.spywarewarrior.com/rogue_anti-spyware.htm

It is not a recommended Anti-malware scanner. I strongly recommend uninstalling it through Add/Remove programs. After that, delete the following folders:

C:\Program Files\Spyware Nuker
C:\WINDOWS\uniq
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon

Then fix this entry within HijackThis:

O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h

==

Please download
ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==

Run Killbox again:
Please double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\keyboard41.dat
C:\WINDOWS\Um9vc2V2ZWx0IEVsaXZlcnQg\oA6SwZpZtqUXKHpPurt5wBk0.vbs


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try Killbox again.

==

Finally, post back with a fresh HijackThis log. :bigthumb:

ro360
2006-04-11, 22:01
The steps this time around were a little more difficult. Let me begin.

1) I could not find Spyware Nuker in my Add/Remove programs list. So I used the uninstall utility that came with the product. I know it is usually recommended to do it the way you described but I couldn't find anything to remove except for a Startup program that also came along with it which I removed by the Add/Remove programs process.
2) After doing so I looked for the "C:\Program Files\Spyware Nuker" folder and this no longer existed.
3) I did remove "C:\WINDOWS\uniq"
4) I could not find the path "C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NetMon" so I just didn't do anything about this.
5) After running Hijack again I was unable to find "O4 - HKLM\..\Run: [SWN2] C:\Program Files\Spyware Nuker\swnxt.exe /h"
6) The rest of the steps went smoothly from there.

I have attached the HJT log.

Thanks.

Rawe
2006-04-12, 07:34
Well, that's looking great. Please fix this entry within HijackThis:

O20 - Winlogon Notify: accies98 - accies98.dll (file missing)

How's the PC running now? :)

ro360
2006-04-12, 07:55
Hello Rawe,
I must admit you are really good at this. My system is running a whole lot better. But, I wanted to make sure this system was completely clean. I am glad you guys are out here to help us. This site is really great. I am really glad I found this site. Any good antispyware and/or firewall you would recommend? I am currently using Zone Alarm for my firewall. I have McAfee for virus protection. I am considering paying for the upgrade but I really want to know what is the best combination out there. Thanks. I have attached my HJT log.

Rawe
2006-04-12, 14:53
Yep, looks clean to me! ;)

==

Please read here how to clear old restore points and create a new one (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx).

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definitely a must have. Two good free versions are Sygate (http://www.sygate.com/) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp).
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/). And also see TonyKlein's good advice;
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html) (My favourite)

ro360
2006-04-12, 16:41
I attempted to run Spybot Search & Destroy and it found 2 Command Service, I guess malware, that it is trying to remove but is unable to. It continues to tell me that it will try upon rebooting but is unsuccessful. What do you think? Everything seems to be working great. Although that was one of the original problems I had recognized.

Rawe
2006-04-12, 16:54
Could you post your SpyBot log? :)

ro360
2006-04-12, 17:22
I have attached a copy of the log. Thanks.

Rawe
2006-04-12, 20:49
Let's try this.

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixcmd.reg to your desktop.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]

Now double-click on the Fixcmd.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

==

Run SpyBot and let me know if it still detects those entries. :)

ro360
2006-04-13, 19:46
Hello Rawe,
I tried the fix that you requested but didn't see any success. It implemented the change to the registry but when I try to rerun Spybot again, same problem. It seems to think the two Cmd Services that I am trying to delete are being used. What do you recommend from here?

Regards,

Rawe
2006-04-13, 22:34
This should take care of the bugger..

Please download delcmdservice (http://users.telenet.be/marcvn/tools/delcmdservice.zip) (by Marckie), and save it to your Desktop.

Unzip the content to your Desktop (a folder named delcmdservice)
Double-click on the delcmdservice folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.
Try SpyBot again. :)

ro360
2006-04-14, 07:35
Hello Rawe,
I truly appreciate all the help that you offered me in getting my system up and running. That last step did the trick. You truly did a great job. I am truly impressed with the service that you are offering many people out there who are struggling with these different viruses and spyware out there. Thanks again for the future tips. And I will take the time to put a comment in to the link that you gave me about Malware Complaints. :bigthumb:

Rawe
2006-04-14, 12:29
Since this issue is now resolved, this Topic has been archived. Should you need it reopened for any reason, please PM a Staff member with its address and request. This only applies to the Original poster. Glad we were able to help. :)