I've been running serveral spyware removal programs such as Ad-aware, Kaspersky, A-squared, Ewido, and Spybot. Spybot found something called Command Service but it can't be removed. Unfortunately I also used Hijackthis to delete a few entries that I believed to be troublesome:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
O2 - BHO: (no name) - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - (no file)
O4 - HKLM\..\Run: [zbXb] E:\WINDOWS\system32\ekuxpv3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfg_8.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "E:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [ad8rIU3s] E:\WINDOWS\system32\cvn0.exe
O23 - Service: DDTL - Sysinternals - www.sysinternals.com - E:\DOCUME~1\MR5E03~1.SPO\LOCALS~1\Temp\DDTL.exe

Anyway, here are the logs of Kaspersky online and Hijackthis that I just ran.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, August 09, 2006 2:44:40 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/08/2006
Kaspersky Anti-Virus database records: 213490
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 53413
Number of viruses found: 2
Number of infected objects: 7 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:39:59

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0194_pdm_eventcritlog.rpt Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0194_pdm_eventlog.rpt Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0196_File_Monitoring_eventlog.rpt Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\019a_Web_Monitoring_eventlog.rpt Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
E:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
E:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\Mr.Spock\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\Mr.Spock\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\Mr.Spock\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\Mr.Spock\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Mr.Spock\Local Settings\History\History.IE5\MSHist012006080920060810\index.dat Object is locked skipped
E:\Documents and Settings\Mr.Spock\Local Settings\Temporary Internet Files\Content.IE5\DC4NGMBJ\popup[1].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
E:\Documents and Settings\Mr.Spock\Local Settings\Temporary Internet Files\Content.IE5\DC4NGMBJ\popup[2].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
E:\Documents and Settings\Mr.Spock\Local Settings\Temporary Internet Files\Content.IE5\DC4NGMBJ\popup[3].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
E:\Documents and Settings\Mr.Spock\Local Settings\Temporary Internet Files\Content.IE5\DC4NGMBJ\popup[4].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
E:\Documents and Settings\Mr.Spock\Local Settings\Temporary Internet Files\Content.IE5\FYHC0Q0T\popup[1].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
E:\Documents and Settings\Mr.Spock\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Mr.Spock\Local Settings\Temporary Internet Files\Content.IE5\VP79QHBV\popup[1].htm Infected: Trojan-Clicker.HTML.Agent.a skipped
E:\Documents and Settings\Mr.Spock\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\Mr.Spock\ntuser.dat.LOG Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
E:\Program Files\Valve\Steam\Steam.log Object is locked skipped
E:\Program Files\Valve\Steam\SteamApps\winui.gcf Object is locked skipped
E:\Program Files\Valve\Steam\SteamLogs\SteamStats.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
E:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
E:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
E:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
E:\WINDOWS\Internet Logs\MRSPOCK.ldb Object is locked skipped
E:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
E:\WINDOWS\SchedLgU.Txt Object is locked skipped
E:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
E:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
E:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
E:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\default Object is locked skipped
E:\WINDOWS\system32\config\default.LOG Object is locked skipped
E:\WINDOWS\system32\config\SAM Object is locked skipped
E:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
E:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\SECURITY Object is locked skipped
E:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
E:\WINDOWS\system32\config\software Object is locked skipped
E:\WINDOWS\system32\config\software.LOG Object is locked skipped
E:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
E:\WINDOWS\system32\config\system Object is locked skipped
E:\WINDOWS\system32\config\system.LOG Object is locked skipped
E:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
E:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
E:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
E:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
E:\WINDOWS\system32\ekuxpv3.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
E:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
E:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
E:\WINDOWS\Temp\ZLT0585c.TMP Object is locked skipped
E:\WINDOWS\Temp\ZLT0585f.TMP Object is locked skipped
E:\WINDOWS\Temp\~DFDE12.tmp Object is locked skipped
E:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 3:18:13 AM, on 8/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\AGEIA Technologies\TrayIcon.exe
E:\WINDOWS\system32\devldr32.exe
E:\WINDOWS\system32\RunDLL32.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\Valve\Steam\Steam.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\spyware stuff\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anandtech.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] E:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kav] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Steam] E:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - Winlogon Notify: klogon - E:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Welcome to the forum, I see nothing in the HJT log that looks like malware. Would you please post a new HJT log and as much information about your problem as you think will help. Is Spybot the program that is finding this problem, where is Spybot saying it is located? Do you have the most recent version of Spybot on board.

If your issues have been resolved, I would appreciate a quick post to let us know so we can close the topic.

Thanks...pskelley
Safer Networking Forums

hey :)

Yes, Spybot is updated and still detects six entries for "command service". Command service is difficult to remove. Spybot tells me that it's in memory and can be deleted on system reboot. This never works however. I also ran the trial version of Spyware Doctor and it found several things, such as Network Monitor, LinkMaker Hijacker, I-Search Desktop Search Toolbar, Targetsavers, 2nd-thought.com, Pop Marketing, and eXact Advertising. I don't seem to be getting popups at the moment though :confused:

Here are the locations for command service that spybot found:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\services\cmdService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdService

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\services\cmdService\\SYSTEM\CurrentControlSet\Services\mchlnjDrv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdService\\SYSTEM\CurrentControlSet\Services\mchlnjDrv

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdService\\SYSTEM\CurrentControlSet\Services\mchlnjDrv

And here is a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:24:14 AM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINDOWS\System32\alg.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\AGEIA Technologies\TrayIcon.exe
E:\WINDOWS\system32\RunDLL32.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\WINDOWS\system32\devldr32.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\WinFast\WFTVFM\WFWIZ.exe
E:\Program Files\Valve\Steam\Steam.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\WINDOWS\system32\wuauclt.exe
E:\spyware stuff\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anandtech.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] E:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kav] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WinFast Schedule] E:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKCU\..\Run: [Steam] E:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - Winlogon Notify: klogon - E:\WINDOWS\system32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thank you for taking the time to assist me, hope to hear from you soon! :bigthumb:

First let's take care of the command.exe problem. I understand other programs, perhaps Ad-aware, leave the registry entires when they remove the program and Spybot can not remove them.

1) Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted !!.

http://downloads.subratam.org/Lon/ren-cmdservice.zip

Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run spybot check for and fix any problems found.

2) I have absolutely no faith in Spyware Doctor. It is no longer on the official Rouge spyware list: http://www.spywarewarrior.com/rogue_anti-spyware.htm but it is on mine. I have seen it time and again find false positives to sell the product. That's about all I will say.

3) The HJT log looks to be clean of malware, the only issue I see is an out of date Java program: http://forums.spybot.info/showpost.php?p=12880&postcount=2

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Let us know if that took care of the command.exe issue and tashi:) will close your topic.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Running from E:\Documents and Settings\Mr.Spock\Desktop\ren-cmdservice
No Image Path Listed in Registry

-----------------
Deleting cmdservice key
cmdservice key deleted
..
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
Finised, Post this text then
Please Restart your PC
ren-cmdservice.bat edited 6-25-2006
-----------------

I ran Spybot and command service finally seems to be gone :D: . There's one other thing I've been wondering about though. Whenever I open Internet explorer or run a program Kaspersky displays a message along the lines of "Running process E:\Windows\Explorer.EXE: detected new variant of riskware Invader". Is this anything I need to be worried about or just a false positive?

I will need the exact message "word for word". Take a look here:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=define+riskware
Kaspersky's definition of "riskware" and yours might differ. Without knowing exactly what Kaspersky is calling riskware, I can't give you an answer.

Thanks...Phil

I see what you mean. I checked KAV's logs and it was just detecting things like Adobe Acrobat and Java. Thank you so much for your help! I think everything's ok now :D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

Glad we could help. :)