Hi all,

I've been infected for about a week now, with no success at my clean up attempts.

Ad-aware finds nothing, Panda finds about 20-25 things every time it scans, and Spybot S&D is convinced I have cmd.Service.

Here are some log files. Please help!

Thanks in advance,

Richard

Logfile of HijackThis v1.99.1
Scan saved at 4:14:58 PM, on 17/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VBTUCopy\VBTUCopy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ima kadoozie\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe

Incident Status Location

Adware:adware/commad Disinfected HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CMDSERVICE
Spyware:Cookie/2o7 Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@2o7[1].txt
Spyware:Cookie/YieldManager Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@adopt.hbmediapro[2].txt
Spyware:Cookie/Falkag Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@as-eu.falkag[1].txt
Spyware:Cookie/nCase Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@banners.searchingbooth[1].txt
Spyware:Cookie/Bluestreak Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@bluestreak[2].txt
Spyware:Cookie/Enhance Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@c.enhance[1].txt
Spyware:Cookie/Doubleclick Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@doubleclick[2].txt
Spyware:Cookie/Screensavers Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@i.screensavers[2].txt
Spyware:Cookie/Mediaplex Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@mediaplex[1].txt
Spyware:Cookie/Overture Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@perf.overture[1].txt
Spyware:Cookie/RealMedia Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@realmedia[1].txt
Spyware:Cookie/WUpd Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@revenue[2].txt
Spyware:Cookie/Searchportal Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@searchportal.information[2].txt
Spyware:Cookie/Server.iad.Liveperson Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@server.iad.liveperson[1].txt
Spyware:Cookie/DriveCleaner Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@stats1.reliablestats[2].txt
Spyware:Cookie/WebtrendsLive Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@statse.webtrendslive[2].txt
Spyware:Cookie/Mammamediasolutions Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@targetnet[2].txt
Spyware:Cookie/Zedo Disinfected C:\Documents and Settings\ima kadoozie\Cookies\ima kadoozie@zedo[2].txt
Adware:Adware/Gmter Disinfected C:\Documents and Settings\ima kadoozie\Local Settings\Temporary Internet Files\Content.IE5\HDBQ6UAU\popup[1].htm

Sorry, just saw the recent post and decided to try it out... here's the result, with the latest hijackthis log file below that:

ima kadoozie - 06-10-18 14:37:45.01 Service Pack 2
ComboFix 06.10.16 - Running from: "D:\Program Files\Mozilla Firefox"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\ima kadoozie\Application Data\Dxcknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3C279AC1-0898-4105-1206-050111080002}
C:\Program Files\Common Files\{9C279AC1-0898-4105-1206-050111080002}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\TSKS~1
C:\QooBox\Purity\Program Files\Common Files\TSKS~1\d?xplore_exe.vir
C:\QooBox\Purity\WINDOWS\CROSOF~1
C:\QooBox\Purity\WINDOWS\CROSOF~1\w?nspool.exe
C:\QooBox\Purity\WINDOWS\system32\STEM32~1
C:\QooBox\Purity\WINDOWS\system32\STEM32~1\??stem32


((((((((((((((((((((((((((((((( Files Created from 2006-09-18 to 2006-10-18 ))))))))))))))))))))))))))))))))))


2006-10-15 12:42 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2006-10-15 12:24 126,976 --a------ C:\WINDOWS\system32\npckdsm.dll
2006-10-15 09:28 2 --a------ C:\WINDOWS\system32\wcpsvcc.exe
2006-10-15 09:27 1,259 --a------ C:\WINDOWS\system32\qhsd53bf.sys
2006-10-11 12:51 298,496 --a------ C:\WINDOWS\uninst.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-18 14:38 -------- d-------- C:\Program Files\Common Files
2006-10-17 16:21 -------- d-------- C:\Program Files\iTunes
2006-10-17 16:21 -------- d-------- C:\Program Files\Internet Explorer
2006-10-17 15:40 -------- d-------- C:\Program Files\MSN Messenger
2006-10-15 13:11 -------- d-------- C:\Program Files\VBTUCopy
2006-10-15 13:11 -------- d-------- C:\Program Files\QuickTime
2006-10-15 13:10 -------- d-------- C:\Program Files\Common Files\wrwm
2006-10-15 09:36 -------- d-------- C:\Program Files\Online Services
2006-10-15 09:23 -------- d-------- C:\Program Files\Windows NT
2006-10-13 17:45 -------- d-------- C:\Program Files\Apple Software Update
2006-10-04 17:59 -------- d-------- C:\Documents and Settings\ima kadoozie\Application Data\uTorrent
2006-09-22 08:12 -------- d-------- C:\Documents and Settings\ima kadoozie\Application Data\Lavasoft
2006-09-15 17:21 53248 --a------ C:\WINDOWS\uninst108.exe
2006-09-15 15:07 -------- d-------- C:\Documents and Settings\ima kadoozie\Application Data\Adobe
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-07 12:58 -------- d-------- C:\Documents and Settings\ima kadoozie\Application Data\4Team
2006-09-07 12:04 -------- d---s---- C:\Documents and Settings\ima kadoozie\Application Data\Microsoft
2006-09-07 12:02 38434 --a------ C:\Documents and Settings\ima kadoozie\Application Data\Comma Separated Values (Windows).ADR
2006-09-07 11:45 -------- d-------- C:\Program Files\Common Files\System
2006-08-29 16:38 2508 --a------ C:\Documents and Settings\ima kadoozie\Application Data\$_hpcst$.hpc
2006-08-29 16:37 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 05:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-04 19:19 879 --a------ C:\Documents and Settings\ima kadoozie\Application Data\AdobeDLM.log
2006-08-04 19:19 0 --a------ C:\Documents and Settings\ima kadoozie\Application Data\dm.ini
2006-08-03 18:40 0 -rahs---- C:\MSDOS.SYS
2006-08-03 18:40 0 -rahs---- C:\IO.SYS
2006-08-03 18:40 0 --a------ C:\CONFIG.SYS
2006-08-03 18:40 0 --a------ C:\AUTOEXEC.BAT
2006-08-03 14:27 62 --ahs---- C:\Documents and Settings\ima kadoozie\Application Data\desktop.ini
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"WinPatrol"="D:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Easy-PrintToolBox"="C:\\Program Files\\Canon\\Easy-PrintToolBox\\BJPSMAIN.EXE /logon"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"VBTUCopy"="C:\\Program Files\\VBTUCopy\\VBTUCopy.exe /a /f"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Windows NT\\kyzeves.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Internet Explorer\\howysyqul.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,84,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRecentDocsMenu"=hex:01,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoRecentDocsHistory"=hex:01,00,00,00
"NoRecentDocsNetHood"=hex:01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-10-18 14:39:24.34
C:\ComboFix.txt ... 06-10-18 14:39

Logfile of HijackThis v1.99.1
Scan saved at 2:41:00 PM, on 18/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VBTUCopy\VBTUCopy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\ima kadoozie\Desktop\HijackThis.exe

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinPatrol] D:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VBTUCopy] C:\Program Files\VBTUCopy\VBTUCopy.exe /a /f
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe

Hi imakadoozie

Usualy when command service shows repeatadly it is becouse of the method ad-aware
uses to remove it. It leave's a harmless registry key with modified permisions.
Please download and unzip Ren-cmdservice to your desktop.
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run SpyBot check for and fix any problems found.
When next you check for problems it wont or shouldnt be there.
alternate download
http://www.bleepingcomputer.com/files/lonny/ren-cmdservice.zip


Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


Windows Registry Editor Version 5.00
;
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
;

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Restart your PC.

delete these if they exist >
C:\Program Files\Internet Explorer\howysyqul.html
C:\Program Files\Windows NT\kyzeves.html
---------------------------------
submit each of these files and report back
http://www.virustotal.com/flash/index_en.html
C:\WINDOWS\system32\asprouni.exe
C:\WINDOWS\system32\npckdsm.dll
C:\WINDOWS\system32\wcpsvcc.exe
C:\WINDOWS\system32\qhsd53bf.sys
C:\WINDOWS\uninst.exe
---------------------------------
C:\Program Files\Common Files\wrwm < what are the contents ?

Due to lack of responses this thread is closed
If you still need assistance a new log will be needed, send me or Tashi a PM (personal message) and we will re-open it.