2 lingering Command Service entries to remove



habsolutely
2006-04-18, 00:58
Hi, brand new to this site, thankfully it exists! Somehow got this Command Service spyware crap on my system, and now I've got these nagging popups. Ran Spybot and Ad-Aware several times, but neither will remove the Command Service for whatever reason, so I'm really hoping someone can help me. Thanks! Below is a log from HijackThis. Thanks again to anyone that can help me get rid of this problem!

Logfile of HijackThis v1.99.1
Scan saved at 4:57:27 PM, on 4/17/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\JFaxMailNTHelper.exe
C:\windows\mousepad11.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [JFaxMailNTHelper] C:\WINDOWS\JFaxMailNTHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname11.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\DU50AA~1.BUL\LOCALS~1\Temp\83.tmp
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/bridge-c10.cab?9cafc83d74bf72550829a4a72edc1eb426f273ce9eae780cc0a8a70990bebe7ca57e753481048c1ec8d4025b8a961dbd586749925f110a2e4d392c622e:e0fb714c33977432bf309a90768cf64e
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Bulmer.ca
O17 - HKLM\Software\..\Telephony: DomainName = Bulmer.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Bulmer.ca
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Rawe
2006-04-18, 19:14
Hello and welcome.. Let's get started. :)

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/ (http://www.ewido.net/en/download/)

Please read Ewido Setup Instructions (http://rstones12.geekstogo.com/ewidosetup.htm)
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

4. Once in Safe Mode, Run Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.

==

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
In the Scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the Complete script execution box to pop up and hit OK.
Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido log that you saved along with a fresh HijackThis log. :bigthumb:

habsolutely
2006-04-18, 20:03
Thanks for the reply and the detailed instructions, very helpful, and everything went as it was supposed to from the instructions.

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:02:24 PM, on 4/18/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\JFaxMailNTHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tsn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [JFaxMailNTHelper] C:\WINDOWS\JFaxMailNTHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Bulmer.ca
O17 - HKLM\Software\..\Telephony: DomainName = Bulmer.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Bulmer.ca
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


And here are the contents of the Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:47:49 AM, 4/18/06
+ Report-Checksum: B15B7B0D

+ Scan result:

[604] C:\WINDOWS\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\Documents and Settings\All Users\Cookies\du@e-2dj6wgkocpdjigo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\!update.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\71.tmp -> Backdoor.Rbot.adf : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\7A.tmp -> Downloader.Agent.afl : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\83.tmp -> Logger.Small.ak : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\Cookies\du@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\i44.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temporary Internet Files\Content.IE5\KTQJ0PEF\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup
C:\Documents and Settings\du.BULMER\My Documents\ѕystem32\rundll32.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\kl1.exe -> Trojan.Sinowal.i : Cleaned with backup
C:\ms1.exe -> Downloader.Tiny.bz : Cleaned with backup
C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : Cleaned with backup
C:\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\drsmartload95a.exe -> Downloader.Adload.ai : Cleaned with backup
C:\WINDOWS\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\WINDOWS\system32\shell386.exe -> Not-A-Virus.Hoax.Win32.Renos.cm : Cleaned with backup
C:\WINDOWS\system32\winapi32.dll -> Not-A-Virus.Hoax.Win32.Renos.ck : Cleaned with backup
C:\WINDOWS\system32\winbrume.dll -> Adware.BHO : Cleaned with backup
C:\WINDOWS\system32\winsrv32.exe -> Not-A-Virus.Hoax.Win32.Renos.cl : Cleaned with backup


::Report End


FYI, I still have those annoying icons on the taskbar beside the clock... but I suppose there is still more stuff you're going to get me to do...

Again, many thanks!

Rawe
2006-04-18, 20:07
Ok.. Go ahead and remove Ewido as well as BFU. :)

Create a folder on your desktop called Sysclean.

Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.

Go to http://www.trendmicro.com/download/pattern.asp and download the Official Pattern Release for windows to your desktop.

This file will be called lptXXX.zip (XXX represents the version number)

Unzip lptXXX.zip and you'll get a file named lpt$vpn.XXX.

Move lpt$vpn.XXX to the Sysclean folder you created on your desktop.

Turn off the antivirus installed on your system, because it can interfere with the Sysclean scan.

Open the Sysclean folder and double-click sysclean.com.
Check: "Automatically clean or delete detected files."
Click "Scan".
When the scan is finished, select: "View log".

Copy and paste this log in your next reply. :bigthumb:

habsolutely
2006-04-18, 21:38
Hi again, everything seemed to work correctly again as detailed in your instructions. Here is the new log as requested:



/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2006-04-18, 13:09:03, Auto-clean mode specified.
2006-04-18, 13:09:03, Running scanner "C:\Documents and Settings\du.BULMER\Desktop\Sysclean\TSC.BIN"...
2006-04-18, 13:09:36, Scanner "C:\Documents and Settings\du.BULMER\Desktop\Sysclean\TSC.BIN" has finished running.
2006-04-18, 13:09:36, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Tue Apr 18 2006 13:09:04

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\du.BULMER\Desktop\Sysclean\tsc.ptn" (version 730) [success]

Complete time : Tue Apr 18 2006 13:09:36
Execute pattern count(3033), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-04-18, 13:10:07, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612": Access is denied.
2006-04-18, 13:13:43, An error was detected on "C:\Documents and Settings\du\*.*": Access is denied.
2006-04-18, 13:13:43, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\NTUSER.DAT": Access is denied.
2006-04-18, 13:13:43, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\ntuser.dat.LOG": Access is denied.
2006-04-18, 13:13:48, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Application Data\Microsoft\Outlook\outcmd.dat": Access is denied.
2006-04-18, 13:15:25, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-04-18, 13:15:25, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-04-18, 13:15:26, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Local Settings\Temp\JETA6BF.tmp": Access is denied.
2006-04-18, 13:15:26, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Local Settings\Temp\~DF1CC0.tmp": Access is denied.
2006-04-18, 13:15:26, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Local Settings\Temp\~DF8C6.tmp": Access is denied.
2006-04-18, 13:15:36, An error was detected on "C:\Documents and Settings\du.BULMER\My Documents\?ystem32\*.*": The filename, directory name, or volume label syntax is incorrect.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-04-18, 13:17:55, An error was detected on "C:\Program Files\Common Files\A?pPatch\*.*": The filename, directory name, or volume label syntax is incorrect.
2006-04-18, 13:20:13, Could not set file for reading on "C:\Program Files\palmOne\UsselmD\HotSync.Log": Access is denied.
2006-04-18, 13:21:02, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\ACRORD32.EXE-1CE22EA3.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\ANALYST.EXE-2C01E0F2.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\AU_.EXE-1E1402DE.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\EWIDO-SETUP.EXE-2AAA7D62.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\EWIDOCTRL.EXE-074330EC.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\EXCEL.EXE-1734EECA.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-02121B1A.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\HELPSVC.EXE-1C192440.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-2AE24617.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\HKCMD.EXE-0F06AE14.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-2D97EBE6.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\IGFXSRVC.EXE-1D88F978.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-201490BB.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\JUSCHED.EXE-2A1A87DD.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGON.SCR-24ADF392.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\MMCOMP~1.EXE-22A4A7BD.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\MMDIAG.EXE-1F73FCD1.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIEXEC.EXE-330626DC.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-2F2D61E1.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\NTVDM.EXE-0A81AB7B.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\OUTLOOK.EXE-1D3BEDBF.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\PHOTOED.EXE-21D745D3.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\PROFILE.EXE-3AB46D33.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\PROFILEUPDATE.EXE-15712223.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\REGSVR32.EXE-396DEA2C.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-3C500167.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-4532DDE6.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-6E8D4657.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\SECURITYSUITE.EXE-2054E35A.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1702AD5F.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.COM-064F0EA1.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-2F2DA3DE.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.BIN-1DF4E05F.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\UNINSTALL.EXE-22A06B0F.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-0BDC03E6.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\VPC32.EXE-00144898.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\WINWORD.EXE-23347E4F.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIAPSRV.EXE-02740A4B.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf": Access is denied.
2006-04-18, 13:23:24, An error occurred while scanning file "C:\WINDOWS\SoftwareDistribution\EventCache\{26815A75-DE4A-431C-BE9C-6D70B936F5CF}.bin": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\DEFAULT": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SOFTWARE": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SYSTEM": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2006-04-18, 13:24:52, An error occurred while scanning file "C:\WINDOWS\Temp\~RMS1232.TMP": Access is denied.
2006-04-18, 13:24:52, An error occurred while scanning file "C:\WINDOWS\Temp\~RMS123C.TMP": Access is denied.
2006-04-18, 13:24:58, Running scanner "C:\Documents and Settings\du.BULMER\Desktop\Sysclean\VSCANTM.BIN"...
2006-04-18, 13:36:40, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/18/2006 13:24:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 355 (114018 Patterns) (2006/04/18) (335500)
Command Line: C:\Documents and Settings\du.BULMER\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\du.BULMER\Desktop\Sysclean

37706 files have been read.
37706 files have been checked.
32138 files have been scanned.
73088 files have been scanned. (including files in archived)
2 files containing viruses.
Found 7 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/18/2006 13:36:39
---------*---------*---------*---------*---------*---------*---------*---------*
2006-04-18, 13:36:40, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/18/2006 13:24:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 355 (114018 Patterns) (2006/04/18) (335500)
Command Line: C:\Documents and Settings\du.BULMER\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\du.BULMER\Desktop\Sysclean

Success Clean [ JAVA_BYTEVER.S]( 1) from C:\Documents and Settings\du.BULMER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-13470a7f.zip,(NewURLClassLoader.class)
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\du.BULMER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-1ab62644-43a3aba2.zip,(Parser.class)
37706 files have been read.
37706 files have been checked.
32138 files have been scanned.
73088 files have been scanned. (including files in archived)
2 files containing viruses.
Found 7 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/18/2006 13:36:39 11 minutes 37 seconds (697.02 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-04-18, 13:36:40, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/18/2006 13:24:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 355 (114018 Patterns) (2006/04/18) (335500)
Command Line: C:\Documents and Settings\du.BULMER\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\du.BULMER\Desktop\Sysclean

37706 files have been read.
37706 files have been checked.
32138 files have been scanned.
73088 files have been scanned. (including files in archived)
2 files containing viruses.
Found 7 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/18/2006 13:36:39 11 minutes 37 seconds (697.02 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-04-18, 13:36:40, Scanner "C:\Documents and Settings\du.BULMER\Desktop\Sysclean\VSCANTM.BIN" has finished running.

habsolutely
2006-04-19, 03:29
Should also tell you that the same popups and items on the taskbar still exist same as before.......you likely know that!

Rawe
2006-04-19, 14:50
This step should remove those cmdService findings.. :)

Go ahead and delete Sysclean.

==

Please download delcmdservice (http://users.telenet.be/marcvn/tools/delcmdservice.zip) (by Marckie), and save it to your Desktop.

Unzip the content to your Desktop (a folder named delcmdservice)
Double-click on the delcmdservice folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.

==

Next:

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :bigthumb:

habsolutely
2006-04-19, 17:00
OK, below is that report..........and those same popups and items on the taskbar are still there too...just so you know! Thanks again!


Incident Status Location

Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\osaupd.exe
Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\wupdmgr.exe
Adware:adware/azesearch Not disinfected C:\WINDOWS\SYSTEM32\azebar.xml
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\du.BULMER\Local Settings\Temporary Internet Files\Ssk.log
Potentially unwanted tool:application/adwaresheriff Not disinfected C:\Documents and Settings\du.BULMER\Desktop\Adware Reviews.url
Adware:adware/adwaresheriff Not disinfected C:\WINDOWS\osaupd.exe
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@247realmedia[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@mediaplex[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@www.advnt01[1].txt
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@247realmedia[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@mediaplex[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@www.advnt01[1].txt
Virus:Trj/Sinowal.K Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
Adware:Adware/AzeSearch Not disinfected C:\Program Files\Hijack this\backups\backup-20060417-172256-280.inf
Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\osaupd.exe
Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\rfscanax.dll
Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\wupdmgr.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\ZHU\tJo.vbs
Virus:W32/Sober.G.worm Disinfected Personal Folders\Deleted Items\hey dude!\photo.zip[p-zipped_file_data .pif]
Virus:W32/Mydoom.A.worm Disinfected Personal Folders\Deleted Items\Undeliverable: hello\hello\data.zip[data.scr]
Virus:W32/Sobig.C Disinfected Personal Folders\Deleted Items\Re: 45443-343556\documents.pif
Virus:W32/Lentin.K Disinfected Personal Folders\Deleted Items\Let's Dance and forget pains\dance.scr
Virus:W32/Lentin.K Disinfected Personal Folders\Deleted Items\The Hotmail Hack\hotmail_hack.exe

Rawe
2006-04-19, 17:46
Yes, I know. I need this log please..

==

Please download SmitfraudFix by S!Ri (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

habsolutely
2006-04-19, 17:51
Sure thing, here is that report...

SmitFraudFix v2.33b

Scan done at 9:53:10.99, 04/19/06
Run from C:\Documents and Settings\du.BULMER\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» M:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\osaupd.exe FOUND !
C:\WINDOWS\wupdmgr.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\du.BULMER\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DU50AA~1.BUL\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\secure32.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Rawe
2006-04-19, 18:22
This should take care of those issues you're having. :)

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode
5) Choose your usual account.

==

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. :bigthumb:
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

habsolutely
2006-04-19, 18:39
Sure thing, below is that log........also when I restarted to normal windows, my background is now changed to a solid blue? Not sure what's up with that?

SmitFraudFix v2.33b

Scan done at 10:37:54.69, 04/19/06
Run from C:\Documents and Settings\du.BULMER\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\osaupd.exe Deleted
C:\Program Files\secure32.html Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

Rawe
2006-04-19, 18:49
You should be able to change your background normally.. If not, let me know. We should be able to fix that too :)

habsolutely
2006-04-19, 18:50
OK, and again, should have let you know that popups and crap on the toolbar still remain as well...

Rawe
2006-04-19, 19:01
Clean out temporary files:
Click Start -> Run and type in: cleanmgr
Click "Ok".
Let it scan your system.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only ones checked.
Click "OK" to remove them.
Click "Yes" to confirm the deletion.


==

Go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

==

Post back with a fresh HijackThis log please..

habsolutely
2006-04-19, 19:06
Last thing you told me in above post, item was not present......

Here is the newest Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:07:39 AM, on 4/19/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\JFaxMailNTHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Profile\ProFile.exe
F:\Profile\ProfileUpdate.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hijack this\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [JFaxMailNTHelper] C:\WINDOWS\JFaxMailNTHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Bulmer.ca
O17 - HKLM\Software\..\Telephony: DomainName = Bulmer.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Bulmer.ca
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Rawe
2006-04-19, 19:26
First, please hit CTRL - ALT - DEL.

On the Task Manager, please end the following processes on the Processes- tab.

C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe

==

Next, please navigate to, and delete these files & folder if present:

C:\WINDOWS\SYSTEM32\azebar.xml
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\WINDOWS\rfscanax.dll
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\ZHU\

==

Now, run a scan with HijackThis and make sure to check the following object for removal, then close other open windows except for HijackThis and hit FIX CHECKED:

O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)

==

Ok. Can you now list all the problems you have at the moment, as detailed as possible, please. :)

habsolutely
2006-04-19, 20:06

Gotta say amazing help....everything seems to be gone, no stuff on the taskbar anymore, no more popups it looks like, at least not yet! And no more links on my desktop to adware website.....all looks like it's cleaned up.

FYI a couple things from instructions above, couldn't stop those processes, they kept being deleted then reappearing, so I stopped the process tree on the second file and both disappeared, which then let me delete the wupdmgr.exe file.

I did not have the ibm00001.dll file, but did have one ibm00002.dll, left that alone...

Does this mean I'm cured?

Rawe
2006-04-19, 20:08
Please delete ibm00002.dll and empty recycle bin...

Glad I was able to help :)

==

Please read here how to clear old restore points and create a new one (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx).

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware;

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definitely a must have. Two good free versions are Sygate (http://www.sygate.com/) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp).
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/). And also see TonyKlein's good advice;
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html) (My favourite)

habsolutely
2006-04-19, 21:24
Thanks a bunch again.....I've added the Spyware Blaster program now too, hopefully that will help down the road if I get into trouble again.

Seriously hoping I don't have to return to the site, but just great to know there's people out there that can help without taking the computer to the "doctor"......again, many thanks!!

habsolutely
2006-04-19, 21:35
Actually, when I run Spybot now, it still shows that I have 3 Command Service entries still present in the registry........looks like I still need help!

habsolutely
2006-04-19, 21:52
Should also add though that popups are NOT present and nothing on taskbar either........are these just stray things that need to be manually deleted from the registry?

Rawe
2006-04-20, 15:16
Ok.. Please try delreg.bat again.. I know we ran it earlier but maybe something else was interfering at that time

Please download delcmdservice (http://users.telenet.be/marcvn/tools/delcmdservice.zip) (by Marckie), and save it to your Desktop.

Unzip the content to your Desktop (a folder named delcmdservice)
Double-click on the delcmdservice folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.

Any better now?

habsolutely
2006-04-20, 16:46
Tried that and still nothing, those entries still exist in the registry....but they appear to be inactive or damaged or something. I searched the registry where they are and tried to manually delete them, but I couldn't, said I could not delete them....?

Below is the partial results from spybot as to where exactly those registry entries are. And in the folder below the cmdservice in the registry tree is a zip folder that can't even be accessed manually.


--- Search result list ---
Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService

Rawe
2006-04-20, 18:34
Try to fix 'em with SpyBot ?

Let's try a normal regedit for removal.

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixcmd.reg to your desktop.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService]

Now double-click on the Fixcmd.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

==

Now, if that didn't work, please try this.. Click Start -> Run and type in: sc delete cmdService

Hit ok.

==

Scan with SpyBot again.. Still there?
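Fixcmd.reg above names the three control sets by hand. As an added example (not code from this thread), the Python below derives the control-set names from the values Windows keeps under HKLM\SYSTEM\Select instead, pulls the service name out of Spybot's "Search result list", and writes the same kind of REGEDIT4 deletion file, also covering the Enum\Root\LEGACY_ node that Mosaic1's script targets later in the thread. The Select values and Spybot lines are constructed sample input; nothing here touches a live registry.

```python
"""Build a REGEDIT4 removal file for a leftover service key in every control set.

Added example for this thread, not code posted by any participant.
The registry values and the Spybot report below are constructed stand-ins.
"""
import re

# Constructed stand-in for HKLM\SYSTEM\Select: Current and Default point at
# ControlSet001, LastKnownGood at ControlSet003, and Failed = 0 means that
# no failed control set has been recorded.
SAMPLE_SELECT = {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 3}

# Constructed copy of the kind of lines Spybot printed in this thread.
SAMPLE_SPYBOT = """\
--- Search result list ---
Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\cmdService
"""

# One Spybot result line: a service key under CurrentControlSet or ControlSetNNN.
SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\(?P<name>[^\\\s]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def service_names_from_spybot(report):
    """Return the distinct service names Spybot flagged as 'Registry key' findings."""
    names = []
    for m in SERVICE_KEY_RE.finditer(report):
        if m.group("name").lower() not in (n.lower() for n in names):
            names.append(m.group("name"))
    return names


def control_sets(select):
    """Distinct ControlSetNNN names referenced by HKLM\\SYSTEM\\Select.

    CurrentControlSet is only a link to ControlSet{Current}, so the real set
    behind it is what gets listed; a slot whose value is 0 is unused.
    """
    seen = []
    for slot in ("Current", "Default", "Failed", "LastKnownGood"):
        n = int(select.get(slot, 0))
        if n <= 0:
            continue
        name = "ControlSet%03d" % n
        if name not in seen:
            seen.append(name)
    return seen


def removal_keys(service, select):
    """Keys to delete for one service in every control set.

    Besides Services\\<name>, Windows keeps an Enum\\Root\\LEGACY_<NAME> node for
    a non-PnP service. That node is normally writable only by SYSTEM, which is
    why a plain regedit merge run as an ordinary administrator can report that
    the key cannot be deleted, the symptom seen in this thread.
    """
    keys = []
    for cs in control_sets(select):
        keys.append("HKEY_LOCAL_MACHINE\\SYSTEM\\%s\\Services\\%s" % (cs, service))
        keys.append("HKEY_LOCAL_MACHINE\\SYSTEM\\%s\\Enum\\Root\\LEGACY_%s"
                    % (cs, service.upper()))
    return keys


def regedit4_removal(service, select):
    """Text of a REGEDIT4 file; a leading '-' inside the brackets deletes the key."""
    lines = ["REGEDIT4", ""]
    for key in removal_keys(service, select):
        lines.append("[-%s]" % key)
        lines.append("")
    return "\r\n".join(lines)  # .reg files are CRLF text


if __name__ == "__main__":
    for name in service_names_from_spybot(SAMPLE_SPYBOT):
        print(regedit4_removal(name, SAMPLE_SELECT))
```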

habsolutely
2006-04-20, 18:54
Still there after doing both things. First thing worked, ran spybot, still there, spybot won't remove.

Did second thing, ran spybot, still there, and spybot won't remove!

Rawe
2006-04-20, 20:43
Well.. That is interesting.

We could try this. Download Regseeker here: http://www.snapfiles.com/get/regseeker.html

Unzip it, open the folder, double-click Regseeker.exe.

Click to 'Find in Registry'.

Check this box under a section named Keys: HKEY_LOCAL_MACHINE

Check all the boxes under a section named Search Options.

On the lower left-hand corner, check the box for Backup Before Deletion.

In the 'Search For' bar, type in: cmdService

There should be about three hits. Right-click each of them, and hit Delete Selected Items.

Close Regseeker, reboot and try running SpyBot again. Any better?

habsolutely
2006-04-20, 21:24
You're going to love this......ran that utility, seemed to work fine, and actually appeared to delete the entries. Restarted machine, ran Spybot, and they are still there, Spybot will not remove them either....

Rawe
2006-04-21, 06:37
Wait.. Can you post a new SpyBot log? It might just be that Regseeker did remove them and now SpyBot shows their backups.

habsolutely
2006-04-21, 18:23
Sure, look at the stuff below...

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-03-28 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-04-14 Includes\Cookies.sbi (*)
2006-04-14 Includes\Dialer.sbi (*)
2006-04-14 Includes\Hijackers.sbi (*)
2006-04-14 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-04-14 Includes\Malware.sbi (*)
2006-04-14 Includes\PUPS.sbi (*)
2006-04-14 Includes\Revision.sbi (*)
2006-04-14 Includes\Security.sbi (*)
2006-04-14 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-04-14 Includes\Trojans.sbi (*)

Mosaic1
2006-04-21, 19:18
I hope you don't mind my adding something here.

What does this mean please?
And in the folder below the cmdservice in the registry tree is a zip folder that can't even be accessed manually

A Zip folder in the registry? This is very odd. What is the name of the key you are talking about please?


May I ask you to try something else for this? Although I am not sure it is going to work.


Go to Start >run and type services.msc
Press enter
When the services console opens, scroll to the Task Scheduler entry and be sure it is running. If not double click on the entry and then start the service. If it is disabled, enable it and then start it. Close the services console.

Copy the contents of the quote box to notepad.
Name the file Delete cmdservice System priv.vbs
Save as Type: All files
Wait until the minute on the clock in systray turns over
Double click on Delete cmdservice System priv.vbs
Wait a minute or so and a black command window will open and run quickly
A file named results.txt will open
Post the contents of results.txt into your next reply here.



'Deletes the cmdservice Service Registry Entries

'Written by Mosaic1
'Use at your own risk

'Wait until the minute on the clock in systray turns over
'Double click on Delete cmdservice System priv.vbs
'Wait a minute or so and a black command window will open and run quickly
'A file named results.txt will open
'Post the contents of results.txt into your Forum post.

'How it works: the script writes a batch file (r.bat) that runs REG DELETE
'against the LEGACY_cmdservice enum key and the cmdservice service key in
'every control set named under HKLM\SYSTEM\Select, then schedules r.bat with
'AT for the next minute. AT runs the batch file as the SYSTEM account, which
'is where the "System priv" in the file name comes from.

Dim Future, NewD, Short, Location, batty, present, fpath, F, DT
Dim Current, Failed, Default, LKG, Place, R, ImagePath, slash

Set fso = WScript.CreateObject("Scripting.FileSystemObject")
Set Wshshell = WScript.CreateObject("WScript.Shell")

On Error Resume Next

'ImagePath is the program the service points at; note whether the file
'and its folder are still on disk so that can be reported at the end
ImagePath = Wshshell.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ImagePath")

If fso.FileExists(ImagePath) Then present = True
slash = InStrRev(ImagePath, "\")
fpath = Mid(ImagePath, 1, slash - 1)
F = fpath
If fso.FolderExists(fpath) Then fpath = True

'Key paths for each control set: CurrentControlSet is used as is, the
'others are ControlSet00N where N is the value stored under HKLM\SYSTEM\Select
Current = "HKLM\System\CurrentControlSet" & "\Enum\Root\LEGACY_cmdservice"

Default = Wshshell.RegRead("HKLM\SYSTEM\Select\Default")
Default = "HKLM\SYSTEM\ControlSet00" & Default & "\Enum\Root\LEGACY_cmdservice"

Failed = Wshshell.RegRead("HKLM\SYSTEM\Select\Failed")
Failed = "HKLM\SYSTEM\ControlSet00" & Failed & "\Enum\Root\LEGACY_cmdservice"

Err.Clear
LKG = Wshshell.RegRead("HKLM\SYSTEM\Select\LastKnownGood")
LKG = "HKLM\SYSTEM\ControlSet00" & LKG & "\Enum\Root\LEGACY_cmdservice"

Set batty = fso.CreateTextFile("r.bat", False)

Set Location = fso.GetFile("r.bat")
Short = Location.ShortPath   '8.3 path, so AT gets no spaces to trip over
Place = fso.GetParentFolderName(Short) & "\results.txt"
R = fso.GetParentFolderName(Short) & "\r.bat"

DT = Now

batty.WriteLine "Echo " & DT & " >>" & Place
'"Echo." writes a blank line; a bare "Echo" writes "ECHO is on." instead
batty.WriteLine "Echo. >>" & Place

'Each block deletes the LEGACY_ enum key first, then the service key itself.
'2>&1 sends REG's error text into results.txt along with the normal output.
batty.WriteLine "Echo Working on HKLM\Select ,Current >>" & Place
batty.WriteLine "Echo Deleting " & Current & " >>" & Place
batty.WriteLine "Reg delete " & Current & " /f >>" & Place & " 2>&1"
Current = Replace(Current, "Enum\Root\LEGACY_cmdservice", "Services\cmdservice")
batty.WriteLine "Echo. >>" & Place
batty.WriteLine "Echo Deleting " & Current & " >>" & Place
batty.WriteLine "Reg delete " & Current & " /f >>" & Place & " 2>&1"
batty.WriteLine "Echo ~~~~~~~~~~ >>" & Place

batty.WriteLine "Echo Working on HKLM\Select ,Default >>" & Place
batty.WriteLine "Echo Deleting " & Default & " >>" & Place
batty.WriteLine "Reg delete " & Default & " /f >>" & Place & " 2>&1"
Default = Replace(Default, "Enum\Root\LEGACY_cmdservice", "Services\cmdservice")
batty.WriteLine "Echo. >>" & Place
batty.WriteLine "Echo Deleting " & Default & " >>" & Place
batty.WriteLine "Reg delete " & Default & " /f >>" & Place & " 2>&1"
batty.WriteLine "Echo ~~~~~~~~~~ >>" & Place

batty.WriteLine "Echo Working on HKLM\Select ,Failed >>" & Place
batty.WriteLine "Echo Deleting " & Failed & " >>" & Place
batty.WriteLine "Reg delete " & Failed & " /f >>" & Place & " 2>&1"
Failed = Replace(Failed, "Enum\Root\LEGACY_cmdservice", "Services\cmdservice")
batty.WriteLine "Echo. >>" & Place
batty.WriteLine "Echo Deleting " & Failed & " >>" & Place
batty.WriteLine "Reg delete " & Failed & " /f >>" & Place & " 2>&1"
batty.WriteLine "Echo ~~~~~~~~~~ >>" & Place

batty.WriteLine "Echo Working on HKLM\Select ,LastKnownGood >>" & Place
batty.WriteLine "Echo Deleting " & LKG & " >>" & Place
batty.WriteLine "Reg delete " & LKG & " /f >>" & Place & " 2>&1"
LKG = Replace(LKG, "Enum\Root\LEGACY_cmdservice", "Services\cmdservice")
batty.WriteLine "Echo. >>" & Place
batty.WriteLine "Echo Deleting " & LKG & " >>" & Place
batty.WriteLine "Reg delete " & LKG & " /f >>" & Place & " 2>&1"
batty.WriteLine "Echo ~~~~~~~~~~ >>" & Place

If present = True Then batty.WriteLine "echo ImagePath File found here: " & ImagePath & " >>" & Place
If present <> True Then batty.WriteLine "echo ImagePath File not found: " & ImagePath & " >>" & Place

If fpath = True Then batty.WriteLine "echo ImagePath Folder found here: " & F & " >>" & Place
If fpath <> True Then batty.WriteLine "echo ImagePath Folder not found: " & F & " >>" & Place

batty.WriteLine "Echo. >>" & Place

batty.WriteLine "Start Notepad " & Place
batty.WriteLine "del " & R   'the batch file removes itself when done

batty.Close

'Schedule r.bat for one minute from now. AT takes the time in the clock's
'long time format, hence the advice to start just after the minute turns over.
NewD = DateAdd("n", 1, Now)
Future = FormatDateTime(NewD, 3)

'0 = run the cmd window hidden
Wshshell.Run "Cmd.exe /c At " & Chr(34) & Future & Chr(34) & " /Interactive " & Short, 0 'Set the task

Set fso = Nothing
Set Wshshell = Nothing
Set Location = Nothing

MsgBox "Wait for the command box to run and close" & vbCrLf & "This will take a minute."




If you get a warning about a malicious script running please allow this to run. It is not malicious.


*** NOTE: This script only works on Windows XP. It is not for Win2k or 9x.


Then since it did come back after a reboot, please restart the computer and see if the entries are permanently gone again.

habsolutely
2006-04-21, 21:22
Your first question, what I mean is when I manually find the cmdService entries in the registry (regedit), in the folder that is beneath all 3 cmdService entries, there is a folder named "Zip" that I can not access....not sure what that's all about? (i.e. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService\zip)

TaskScheduler was running when I did the services.msc

Restarted the machine after doing everything you said, and the 3 cmdService entries still exist as before...with that "Zip" folder beneath the "cmdservice" folder in the registry tree


Here's the contents of that txt file:

4/21/06 1:13:29 PM
ECHO is on.
Working on HKLM\Select ,Current
Deleting HKLM\System\CurrentControlSet\Enum\Root\LEGACY_cmdservice

Error: The system was unable to find the specified registry key or value
ECHO is on.
Deleting HKLM\System\CurrentControlSet\Services\cmdservice

Error: Access is denied.
~~~~~~~~~~
Working on HKLM\Select ,Default
Deleting HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_cmdservice

Error: The system was unable to find the specified registry key or value
ECHO is on.
Deleting HKLM\SYSTEM\ControlSet001\Services\cmdservice

Error: Access is denied.
~~~~~~~~~~
Working on HKLM\Select ,Failed
Deleting HKLM\SYSTEM\ControlSet000\Enum\Root\LEGACY_cmdservice

Error: The system was unable to find the specified registry key or value
ECHO is on.
Deleting HKLM\SYSTEM\ControlSet000\Services\cmdservice

Error: The system was unable to find the specified registry key or value
~~~~~~~~~~
Working on HKLM\Select ,LastKnownGood
Deleting HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_cmdservice

Error: The system was unable to find the specified registry key or value
ECHO is on.
Deleting HKLM\SYSTEM\ControlSet003\Services\cmdservice

Error: Access is denied.
~~~~~~~~~~
ImagePath File not found:
ImagePath Folder not found:
ECHO is on.

Mosaic1
2006-04-22, 18:44
Can you go into the registry and find that subkey named zip please? Right click on it and choose export.

Save as type Registry Hive Files if it will allow it. Then send the hiv file to me please at this address:

Katie_3232ATHotmail.com

Change the At to @ for the address to work.

habsolutely
2006-04-22, 18:48
When I try to save it, it says "the selected branch does not exist. Make sure that the correct path is given"

Mosaic1
2006-04-22, 19:08
That's because you don't have access to it. And therefore it is a permissions issue. You cannot remove the parent if the child is protected. It's the child and so is the reason you can't do much here.

What happens when you right click on zip it and click permissions?


Can you highlight Administrators on the list and then look at the box labeled
Permissions for administrators?

See the boxes in that list?

Can you place a checkmark in Allow Full control? If so, do that and then click apply. Let me know. Then you should be able to delete the key if that worked.

habsolutely
2006-04-22, 19:33
This is just too bizarre.....when I right click on the "zip" and pick permissions, it says you do not have permission to view the current permission settings for zip but you can make permission changes.......so I click OK, and there are no permissions set for this folder, so I click "add" and then save, but it will not allow me to save it, says unable to save permissions, access denied....that's weird as I have full access rights on the network. So I log in as "administrator" on our network, and same thing, won't let me add any permissions to this folder...

habsolutely
2006-04-22, 19:44
Actually did some more messing around, changed some settings on the parent directory (cmdservice), and then was able to add myself as a user for the zip folder as a permission..........deleted the zip folder and then the parent cmdservice folder in all 3 instances in the registry.........just running spybot again to make sure it's gone, will post results when spybot has finished....

habsolutely
2006-04-22, 19:50
Sweet......spybot says no immediate threats!

Thanks a bunch guys, really appreciate all the help!

Mosaic1
2006-04-22, 19:54
This has been happening more often. I feel that the subkey must be involved in these other instances as well. I have been in my own registry creating keys and subkeys with altered permissions. I had no users set at one point for the subkey and then added a user. I changed child permissions inheritance... and on and on.

Do you remember what you did to the parent key?

Adding a user and allowing full access?


I can do all kinds of things, but unless I know what this thing is really doing, it's all guesses. Thanks.

habsolutely
2006-04-22, 19:58
Yup, right click then permissions, highlighted my profile in the list, hit advanced, another box pops up, used permissions tab, highlight my profile again, hit edit, select full control, select OK, applied and saved and I was good to go....
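
An added PowerShell example, not Mosaic1's script and not from this thread: it walks the same control sets the script takes from HKLM\SYSTEM\Select, reports whether the service key and its LEGACY_ enum key exist in each, and tries to open every subkey of the service key so a child that locks out the administrator (the "zip" key here) gets flagged. The $ServiceName parameter and the -Repair switch are assumptions of this example; -Repair applies the fix described above, Full Control for Administrators on the parent key, and deletes nothing.

```powershell
# Added example (not Mosaic1's script and not from the thread): audit the
# service key in every control set named under HKLM\SYSTEM\Select and flag
# subkeys an administrator cannot open, the "zip" pattern seen above.
# $ServiceName and the -Repair switch are assumptions of this example.
param(
    [string]$ServiceName = 'cmdService',
    [switch]$Repair
)

$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
# Select stores control-set numbers; CurrentControlSet is only a link to the
# numbered key for Current, so the numbered keys cover everything. 0 = none.
$sets = 'Current', 'Default', 'Failed', 'LastKnownGood' |
    ForEach-Object { 'ControlSet{0:D3}' -f [int]$select.$_ } |
    Sort-Object -Unique

foreach ($cs in $sets) {
    $svcPath = "SYSTEM\$cs\Services\$ServiceName"
    foreach ($k in "HKLM:\$svcPath", "HKLM:\SYSTEM\$cs\Enum\Root\LEGACY_$ServiceName") {
        if (Test-Path -LiteralPath $k) { "$k : present" } else { "$k : not present" }
    }
    if (-not (Test-Path -LiteralPath "HKLM:\$svcPath")) { continue }

    # Open each child through the .NET API: a DACL that locks the caller out
    # surfaces as an exception instead of a silently empty listing.
    $parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($svcPath)
    foreach ($child in $parent.GetSubKeyNames()) {
        try {
            $parent.OpenSubKey($child).Close()
            "  subkey $child : readable"
        } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
            "  subkey $child : ACCESS DENIED (a protected child blocks deleting the parent)"
        }
    }
    $parent.Close()

    if ($Repair) {
        # Same fix the thread arrived at: give Administrators Full Control on the
        # parent, inherited by its children, so the child ACL becomes editable.
        $acl  = Get-Acl -Path "HKLM:\$svcPath"
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
            -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
        Set-Acl -Path "HKLM:\$svcPath" -AclObject $acl
        "  granted Administrators Full Control on HKLM:\$svcPath"
    }
}
```

Run it from an elevated PowerShell without -Repair first; once the ACL is fixed, removing the key (for example with Remove-Item -Recurse) is a separate step that this script deliberately leaves to you.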

Mosaic1
2006-04-22, 20:11
Ok thanks.

habsolutely
2006-04-22, 21:26
no problem........thank you!

LonnyRJones
2006-04-27, 14:18
I'm glad we could help

Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.
If you should need to post another log for the same PC let me or Tashi know.