So i have searched the forums extensively regarding command service, and each case was dealt with basically in a different manner. I have gotten myself up to speed, and spent about 4-6 hours today running various tools. I have read the sticky at the top, and did a Trend Micro scan, albeit did not seem to find an option to create a log. I seem to be totally clean minus cmdservice. Also, I was still seeing sysc00.exe under Startup in regedit, and unchecked it obviously, but was unable to locate it in order to delete it.

Here are the various tools I have used and ran today, preferably in Safe Mode:

SmitFraudFix (safemode)
Look2me Destroyer.(safemode)
AboutBuster.(safemode)
CWShredder. (safemode)
SmartKiller(safemode)
Next run (safemode)
AdAware(safemode)

Spybot several times (safemode) + startup

ewido anti-spyware (in safemode)
AVG anti-virus

And finally, my HJT with no word wrap and no progs running in its own dir

(Running an Acer laptop)



Logfile of HijackThis v1.99.1
Scan saved at 8:38:44 PM, on 8/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\SMSC\Seticon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\GraviSense\GraviSense.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\sklrr7ycysnl.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\Taylor\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,bhvuovx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6A173197-E094-402F-A156-9F07598B2E7C} - \
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {D24C104C-8704-433C-8FEF-CB62C6BFE04F} - \
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [GraviSense] C:\Acer\GraviSense\GraviSense.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: Media Center - C:\WINDOWS\system32\kxrnel32.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\ip50_32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\system32\sklrr7ycysnl.exe
O23 - Service: System Internal AntiVirus (SVSAV) - Unknown owner - C:\WINDOWS\system32\svsnt.exe (file missing)
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\nlkfev7srpl.exe (file missing)

bump to the top

here we go up up up


Sticky topic,
If you have waited FOUR days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836) Please don't bump - tashi

Hi dritzz

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.


In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.