2 lingering Command Service entries to remove

habsolutely

Hi, brand new to this site, thankfully it exists! Somehow got this Command Service spyware crap on my system, and now I've got these nagging popups. Ran Spybot and Ad-Aware several times, but neither will remove the Command Service for whatever reason, so I'm really hoping someone can help me. Thanks! Below is a log from HijackThis. Thanks again to anyone that can help me get rid of this problem!

Logfile of HijackThis v1.99.1
Scan saved at 4:57:27 PM, on 4/17/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\JFaxMailNTHelper.exe
C:\windows\mousepad11.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [JFaxMailNTHelper] C:\WINDOWS\JFaxMailNTHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname11.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: C:\DOCUME~1\DU50AA~1.BUL\LOCALS~1\Temp\83.tmp
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zan...2e4d392c622e:e0fb714c33977432bf309a90768cf64e
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Bulmer.ca
O17 - HKLM\Software\..\Telephony: DomainName = Bulmer.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Bulmer.ca
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
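An added example, not part of this thread and not code from HijackThis or any other tool named in it: a small Python triage script that reads lines in the HijackThis log format and flags the persistence entries a helper checks first (autostarts running from Temp or the Windows root, .tmp files, nameless or orphaned BHOs, ActiveX packages from unknown hosts, and Winlogon Notify DLLs that are not expected). The sample lines are copied from the log above; the list of trusted ActiveX download hosts and the set of expected Winlogon Notify subkeys are my assumptions, not anything the page states.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis log posted above
# (the selection is mine; the lines are the page's own).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: C:\DOCUME~1\DU50AA~1.BUL\LOCALS~1\Temp\83.tmp
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
"""

# Assumptions of this example, not facts from the thread: hosts an XP SP2 box is
# expected to pull ActiveX packages from, and Winlogon Notify subkeys expected on
# such a box with the Intel graphics and Norton software seen in the log.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "windowsupdate.com")
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon", "igfxcui", "NavLogon"}

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
# First drive-letter path in a command line, quoted or not, ending in a runnable extension.
IMAGE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|com|scr|bat|cmd|dll|tmp))', re.I)
NUMBERED_RE = re.compile(r"^[a-z]+\d{2,}\.(?:exe|dll)$", re.I)


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every entry that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons: List[str] = []
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m:
                hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
                if name is None and hive.endswith("Run"):
                    reasons.append("Run value with no name")
                if name is not None and name.lower() == "shell":
                    reasons.append("Run value named 'Shell' (mimics the Winlogon Shell value)")
                img = IMAGE_RE.match(cmd)
                if img:
                    low = img.group("path").lower()
                    parent, base = low.rsplit("\\", 1)
                    if base.endswith(".tmp"):
                        reasons.append("autostart points at a .tmp file")
                    if "\\temp\\" in low:
                        reasons.append("autostart runs from a Temp directory")
                    if parent in ("c:\\windows", "c:\\winnt"):
                        reasons.append("binary sits directly in the Windows directory (review)")
                    if NUMBERED_RE.match(base):
                        reasons.append("numbered, random-looking filename")
        elif line.startswith("O2 - BHO:"):
            if "(file missing)" in line:
                reasons.append("BHO registration outlives its DLL (orphan entry)")
            if "(no name)" in line and "c:\\windows\\" in line.lower():
                reasons.append("nameless BHO loaded from the Windows directory")
        elif line.startswith("O16 - DPF:"):
            host = urlparse(line.rsplit(" - ", 1)[-1]).hostname or ""
            if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS):
                reasons.append(f"ActiveX package downloaded from untrusted host '{host}'")
        elif line.startswith("O20 - Winlogon Notify:"):
            subkey = line.split(": ", 1)[1].split(" - ", 1)[0]
            if subkey not in KNOWN_NOTIFY:
                reasons.append(f"unexpected Winlogon Notify subkey '{subkey}' (DLL loads inside winlogon.exe)")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for r in why:
            print("    ->", r)
```

Run as-is it prints each flagged line with its reasons. The rule that flags anything executing straight from C:\WINDOWS is deliberately noisy (the full log above also has JFaxMailNTHelper.exe there), so treat those hits as entries to look up rather than entries to remove. The O20 rule is the one that matters most: a Winlogon Notify DLL is loaded by winlogon.exe itself, so an unexpected one is a foothold in a SYSTEM process, not just another tray icon.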
 
Hello and welcome.. Lets get started. :)

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

2. Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

4. Once in Safe Mode, run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.

==

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • In the Scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the Complete script execution box to pop up and hit OK.
  • Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido log that you saved along with a fresh HijackThis log.
 
Thanks for the reply and the detailed instructions, very helpful, and everything went as it was supposed to from the instructions.

Here is the new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 12:02:24 PM, on 4/18/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\JFaxMailNTHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tsn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [JFaxMailNTHelper] C:\WINDOWS\JFaxMailNTHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Bulmer.ca
O17 - HKLM\Software\..\Telephony: DomainName = Bulmer.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Bulmer.ca
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


And here is the contents of the Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:47:49 AM, 4/18/06
+ Report-Checksum: B15B7B0D

+ Scan result:

[604] C:\WINDOWS\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\Documents and Settings\All Users\Cookies\du@e-2dj6wgkocpdjigo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\du.BULMER\Cookies\du@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\!update.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\71.tmp -> Backdoor.Rbot.adf : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\7A.tmp -> Downloader.Agent.afl : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\83.tmp -> Logger.Small.ak : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\Cookies\du@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temp\i44.tmp -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\du.BULMER\Local Settings\Temporary Internet Files\Content.IE5\KTQJ0PEF\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup
C:\Documents and Settings\du.BULMER\My Documents\ѕystem32\rundll32.exe -> Downloader.PurityScan.w : Cleaned with backup
C:\kl1.exe -> Trojan.Sinowal.i : Cleaned with backup
C:\ms1.exe -> Downloader.Tiny.bz : Cleaned with backup
C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : Cleaned with backup
C:\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\drsmartload95a.exe -> Downloader.Adload.ai : Cleaned with backup
C:\WINDOWS\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\WINDOWS\system32\shell386.exe -> Not-A-Virus.Hoax.Win32.Renos.cm : Cleaned with backup
C:\WINDOWS\system32\winapi32.dll -> Not-A-Virus.Hoax.Win32.Renos.ck : Cleaned with backup
C:\WINDOWS\system32\winbrume.dll -> Adware.BHO : Cleaned with backup
C:\WINDOWS\system32\winsrv32.exe -> Not-A-Virus.Hoax.Win32.Renos.cl : Cleaned with backup


::Report End


FYI, I still have those annoying icons on the taskbar beside the clock... but I suppose there is still more stuff you're going to get me to do...

Again, many thanks!
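An added example (mine, not the helper's instructions and not code from any tool in this thread): comparing the two HijackThis logs posted so far to separate what the Ewido run actually removed from what merely lost its file on disk. The sample inputs are lines copied from the first and second logs above; entries are keyed on their CLSID where one is present, so a path that was only rewritten in 8.3 form (the Spybot SDHelper line) is not reported as a change.

```python
import re
from typing import Dict, List

# Constructed sample inputs: lines copied from the first and second HijackThis
# logs in this thread (selection mine, lines the page's own).
BEFORE = r"""
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard11.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad11.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname11.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: C:\DOCUME~1\DU50AA~1.BUL\LOCALS~1\Temp\83.tmp
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

AFTER = r"""
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

TRACKED = ("O2 ", "O4 ", "O16 ", "O20 ", "O23 ")
MISSING = " (file missing)"
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def entries(log_text: str) -> Dict[str, str]:
    """Key each tracked entry on its CLSID if it has one, otherwise on the text
    minus the '(file missing)' marker, so a rewritten path or a deleted DLL does
    not make one registration look like two different entries."""
    out: Dict[str, str] = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith(TRACKED):
            continue
        m = GUID_RE.search(line)
        out[m.group(0) if m else line.replace(MISSING, "")] = line
    return out


def compare(before_text: str, after_text: str) -> Dict[str, List[str]]:
    """Bucket entries into removed, added, went_missing (file deleted since the
    first log, registration still present) and still_orphan (already missing)."""
    before, after = entries(before_text), entries(after_text)
    report: Dict[str, List[str]] = {"removed": [], "added": [], "went_missing": [], "still_orphan": []}
    for key, line in before.items():
        if key not in after:
            report["removed"].append(line)
    for key, line in after.items():
        if key not in before:
            report["added"].append(line)
        elif MISSING in line:
            bucket = "still_orphan" if MISSING in before[key] else "went_missing"
            report[bucket].append(line)
    return report


if __name__ == "__main__":
    for bucket, lines in compare(BEFORE, AFTER).items():
        print(f"== {bucket} ({len(lines)})")
        for line in lines:
            print("  ", line)
```

The went_missing and still_orphan buckets are the point of the comparison: Ewido's report above shows winbrume.dll cleaned from disk, yet the second log still lists its BHO CLSID with (file missing), because a file scanner deletes the DLL and leaves the registry registration behind. Entries like that are removed by ticking them in HijackThis and pressing Fix checked, not by running another scan.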
 
OK. Go ahead and remove Ewido as well as BFU. :)

Create a folder on your desktop called Sysclean.

Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.

Go to http://www.trendmicro.com/download/pattern.asp and download the Official Pattern Release for windows to your desktop.

This file will be called lptXXX.zip (XXX represents the version number)

Unzip lptXXX.zip and you'll get a file lpt$vpn.XXX.

Move the lpt$vpn.XXX to that Sysclean-folder you created on your desktop.

Turn off the antivirus installed on your system, because it can interfere with the Sysclean scan.

Open the Sysclean folder and double-click sysclean.com.
Check: "Automatically clean or delete detected files."
Click "Scan".
When the scan is finished, select: "View log".

Copy and paste this log in your next reply.
 
Hi again, everything seemed to work correctly again as detailed in your instructions. Here is the new log as requested:



/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2006-04-18, 13:09:03, Auto-clean mode specified.
2006-04-18, 13:09:03, Running scanner "C:\Documents and Settings\du.BULMER\Desktop\Sysclean\TSC.BIN"...
2006-04-18, 13:09:36, Scanner "C:\Documents and Settings\du.BULMER\Desktop\Sysclean\TSC.BIN" has finished running.
2006-04-18, 13:09:36, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Tue Apr 18 2006 13:09:04

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\du.BULMER\Desktop\Sysclean\tsc.ptn" (version 730) [success]

Complete time : Tue Apr 18 2006 13:09:36
Execute pattern count(3033), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-04-18, 13:10:07, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612": Access is denied.
2006-04-18, 13:13:43, An error was detected on "C:\Documents and Settings\du\*.*": Access is denied.
2006-04-18, 13:13:43, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\NTUSER.DAT": Access is denied.
2006-04-18, 13:13:43, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\ntuser.dat.LOG": Access is denied.
2006-04-18, 13:13:48, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Application Data\Microsoft\Outlook\outcmd.dat": Access is denied.
2006-04-18, 13:15:25, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-04-18, 13:15:25, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-04-18, 13:15:26, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Local Settings\Temp\JETA6BF.tmp": Access is denied.
2006-04-18, 13:15:26, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Local Settings\Temp\~DF1CC0.tmp": Access is denied.
2006-04-18, 13:15:26, An error occurred while scanning file "C:\Documents and Settings\du.BULMER\Local Settings\Temp\~DF8C6.tmp": Access is denied.
2006-04-18, 13:15:36, An error was detected on "C:\Documents and Settings\du.BULMER\My Documents\?ystem32\*.*": The filename, directory name, or volume label syntax is incorrect.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-04-18, 13:15:38, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-04-18, 13:17:55, An error was detected on "C:\Program Files\Common Files\A?pPatch\*.*": The filename, directory name, or volume label syntax is incorrect.
2006-04-18, 13:20:13, Could not set file for reading on "C:\Program Files\palmOne\UsselmD\HotSync.Log": Access is denied.
2006-04-18, 13:21:02, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\ACRORD32.EXE-1CE22EA3.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\ANALYST.EXE-2C01E0F2.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\AU_.EXE-1E1402DE.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\EWIDO-SETUP.EXE-2AAA7D62.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\EWIDOCTRL.EXE-074330EC.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\EXCEL.EXE-1734EECA.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-02121B1A.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\HELPSVC.EXE-1C192440.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-2AE24617.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\HKCMD.EXE-0F06AE14.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-2D97EBE6.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\IGFXSRVC.EXE-1D88F978.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-201490BB.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\JUSCHED.EXE-2A1A87DD.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGON.SCR-24ADF392.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\MMCOMP~1.EXE-22A4A7BD.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\MMDIAG.EXE-1F73FCD1.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIEXEC.EXE-330626DC.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-2F2D61E1.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\NTVDM.EXE-0A81AB7B.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\OUTLOOK.EXE-1D3BEDBF.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\PHOTOED.EXE-21D745D3.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\PROFILE.EXE-3AB46D33.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\PROFILEUPDATE.EXE-15712223.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\REGSVR32.EXE-396DEA2C.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-3C500167.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-4532DDE6.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-6E8D4657.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\SECURITYSUITE.EXE-2054E35A.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1702AD5F.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.COM-064F0EA1.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-2F2DA3DE.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.BIN-1DF4E05F.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\UNINSTALL.EXE-22A06B0F.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\UPDATE.EXE-0BDC03E6.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\VPC32.EXE-00144898.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\WINWORD.EXE-23347E4F.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIAPSRV.EXE-02740A4B.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf": Access is denied.
2006-04-18, 13:23:06, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf": Access is denied.
2006-04-18, 13:23:24, An error occurred while scanning file "C:\WINDOWS\SoftwareDistribution\EventCache\{26815A75-DE4A-431C-BE9C-6D70B936F5CF}.bin": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\DEFAULT": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SOFTWARE": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\SYSTEM": Access is denied.
2006-04-18, 13:24:26, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2006-04-18, 13:24:52, An error occurred while scanning file "C:\WINDOWS\Temp\~RMS1232.TMP": Access is denied.
2006-04-18, 13:24:52, An error occurred while scanning file "C:\WINDOWS\Temp\~RMS123C.TMP": Access is denied.
2006-04-18, 13:24:58, Running scanner "C:\Documents and Settings\du.BULMER\Desktop\Sysclean\VSCANTM.BIN"...
2006-04-18, 13:36:40, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/18/2006 13:24:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 355 (114018 Patterns) (2006/04/18) (335500)
Command Line: C:\Documents and Settings\du.BULMER\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\du.BULMER\Desktop\Sysclean

37706 files have been read.
37706 files have been checked.
32138 files have been scanned.
73088 files have been scanned. (including files in archived)
2 files containing viruses.
Found 7 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/18/2006 13:36:39
---------*---------*---------*---------*---------*---------*---------*---------*
2006-04-18, 13:36:40, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/18/2006 13:24:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 355 (114018 Patterns) (2006/04/18) (335500)
Command Line: C:\Documents and Settings\du.BULMER\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\du.BULMER\Desktop\Sysclean

Success Clean [ JAVA_BYTEVER.S]( 1) from C:\Documents and Settings\du.BULMER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-13470a7f.zip,(NewURLClassLoader.class)
Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\du.BULMER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-1ab62644-43a3aba2.zip,(Parser.class)
37706 files have been read.
37706 files have been checked.
32138 files have been scanned.
73088 files have been scanned. (including files in archived)
2 files containing viruses.
Found 7 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/18/2006 13:36:39 11 minutes 37 seconds (697.02 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-04-18, 13:36:40, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/18/2006 13:24:58
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 355 (114018 Patterns) (2006/04/18) (335500)
Command Line: C:\Documents and Settings\du.BULMER\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\du.BULMER\Desktop\Sysclean

37706 files have been read.
37706 files have been checked.
32138 files have been scanned.
73088 files have been scanned. (including files in archived)
2 files containing viruses.
Found 7 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/18/2006 13:36:39 11 minutes 37 seconds (697.02 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-04-18, 13:36:40, Scanner "C:\Documents and Settings\du.BULMER\Desktop\Sysclean\VSCANTM.BIN" has finished running.
 
This step should remove those cmdService findings.. :)

Go ahead and delete Sysclean.

==

Please download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer.

==

Next:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :bigthumb:
 
OK, below is that report..........and those same popups and items on the taskbar are still there too...just so you know! Thanks again!


Incident Status Location

Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\osaupd.exe
Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\wupdmgr.exe
Adware:adware/azesearch Not disinfected C:\WINDOWS\SYSTEM32\azebar.xml
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\du.BULMER\Local Settings\Temporary Internet Files\Ssk.log
Potentially unwanted tool:application/adwaresheriff Not disinfected C:\Documents and Settings\du.BULMER\Desktop\Adware Reviews.url
Adware:adware/adwaresheriff Not disinfected C:\WINDOWS\osaupd.exe
Adware:adware/commad Not disinfected Windows Registry
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@247realmedia[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@mediaplex[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@www.advnt01[1].txt
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@247realmedia[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@mediaplex[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\du.BULMER\Cookies\du@www.advnt01[1].txt
Virus:Trj/Sinowal.K Disinfected C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
Adware:Adware/AzeSearch Not disinfected C:\Program Files\Hijack this\backups\backup-20060417-172256-280.inf
Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\osaupd.exe
Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\rfscanax.dll
Adware:Adware/AdwareSheriff Not disinfected C:\WINDOWS\wupdmgr.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\ZHU\tJo.vbs
Virus:W32/Sober.G.worm Disinfected Personal Folders\Deleted Items\hey dude!\photo.zip[p-zipped_file_data .pif]
Virus:W32/Mydoom.A.worm Disinfected Personal Folders\Deleted Items\Undeliverable: hello\hello\data.zip[data.scr]
Virus:W32/Sobig.C Disinfected Personal Folders\Deleted Items\Re: 45443-343556\documents.pif
Virus:W32/Lentin.K Disinfected Personal Folders\Deleted Items\Let's Dance and forget pains\dance.scr
Virus:W32/Lentin.K Disinfected Personal Folders\Deleted Items\The Hotmail Hack\hotmail_hack.exe
 
Yes, I know. I need this log please..

==

Please download SmitfraudFix by S!Ri
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 
Sure thing, here is that report...

SmitFraudFix v2.33b

Scan done at 9:53:10.99, 04/19/06
Run from C:\Documents and Settings\du.BULMER\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» M:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\osaupd.exe FOUND !
C:\WINDOWS\wupdmgr.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\du.BULMER\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DU50AA~1.BUL\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\secure32.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
This should take care of those issues you're having. :)

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode
5) Choose your usual account.


==

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. :bigthumb:
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
 
Sure thing, below is that log........also when I restarted to normal windows, my background is now changed to a solid blue? Not sure what's up with that?

SmitFraudFix v2.33b

Scan done at 10:37:54.69, 04/19/06
Run from C:\Documents and Settings\du.BULMER\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\osaupd.exe Deleted
C:\Program Files\secure32.html Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End
 
You should be able to change your background normally.. If not, let me know. We should be able to fix that too :)
 
Clean out temporary files:
  • Click Start -> Run and type in: cleanmgr
  • Click "Ok".
  • Let it scan your system.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only ones checked.
  • Click "OK" to remove them.
  • Click "Yes" to confirm the deletion.

==

Go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

==

Post back with a fresh HijackThis log please..
 
The last thing you told me in the above post, that item was not present......

Here is the newest Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:07:39 AM, on 4/19/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\JFaxMailNTHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Profile\ProFile.exe
F:\Profile\ProfileUpdate.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hijack this\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [JFaxMailNTHelper] C:\WINDOWS\JFaxMailNTHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Bulmer.ca
O17 - HKLM\Software\..\Telephony: DomainName = Bulmer.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Bulmer.ca
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
 
First, please hit CTRL - ALT - DEL.

On the Task Manager, please end the following processes on the Processes- tab.

C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe

==

Next, please navigate to, and delete these files & folder if present:

C:\WINDOWS\SYSTEM32\azebar.xml
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\WINDOWS\rfscanax.dll
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\ZHU\

==

Now, run a scan with HijackThis and make sure to check the following object for removal, then close other open windows except for HijackThis and hit FIX CHECKED:

O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)

==

Ok. Can you now list all the problems you have at the moment, as detailed as possible, please. :)
 
Rawe said:
First, please hit CTRL - ALT - DEL.

On the Task Manager, please end the following processes on the Processes- tab.

C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe

==

Next, please navigate to, and delete these files & folder if present:

C:\WINDOWS\SYSTEM32\azebar.xml
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\WINDOWS\rfscanax.dll
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\ZHU\

==

Now, run a scan with HijackThis and make sure to check the following object for removal, then close other open windows except for HijackThis and hit FIX CHECKED:

O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)

==

Ok. Can you now list all the problems you have at the moment, as detailed as possible, please. :)


Gotta say amazing help....everything seems to be gone, no stuff on the taskbar anymore, no more popups it looks like, at least not yet! And no more links on my desktop to adware website.....all looks like it's cleaned up.

FYI a couple things from instructions above, couldn't stop those processes, they kept being deleted then reappearing, so I stopped the process tree on the second file and both disappeared, which then let me delete the wupdmgr.exe file.

I did not have the ibm00001.dll file, but did have one ibm00002.dll, left that alone...

Does this mean I'm cured?
 
Please delete ibm00002.dll and empty recycle bin...

Glad I was able to help :)

==

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)
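The HOSTS-file tip above works because the resolver consults that file before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The following is an added example, not code from the thread or from the MVPS project: it parses HOSTS-file syntax and reports which names a given file blackholes. The sample content and every `.test` hostname in it are constructed for illustration, not entries from the real MVPS file.

```python
"""Parse HOSTS-file text and report which hostnames it blackholes.

Added example. The sample below is constructed; the ad-site names are
placeholders under the reserved .test TLD, not real MVPS entries.
"""
import ipaddress

# Constructed sample in HOSTS syntax: address, whitespace, one or more
# hostnames, optional '#' comment to end of line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example-adnetwork.test        # constructed blackhole entry
127.0.0.1  tracker.example.test counter.example.test
0.0.0.0    banners.example.test              # some block lists use 0.0.0.0 instead
192.0.2.10 intranet.example.test             # a normal, non-blocking entry
not-an-ip  broken.example.test               # malformed line, skipped
"""


def parse_hosts(text):
    """Return {hostname (lowercase): address string} from HOSTS-file text.

    Comments and blank lines are dropped; a line whose first field is not a
    valid IP address is skipped; the first definition of a duplicated name
    is kept.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address, ignore the line
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_blackholed(hostname, mapping):
    """True if HOSTS maps the name to an address that never leaves this host.

    Loopback (127.0.0.1, ::1) and the unspecified address (0.0.0.0) both
    count; any other mapping is a real redirect, not a block.
    """
    addr = mapping.get(hostname.lower())
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def blackholed_names(mapping):
    """Sorted list of blocked names, excluding the obligatory localhost line."""
    return sorted(
        name for name in mapping
        if name != "localhost" and is_blackholed(name, mapping)
    )


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in blackholed_names(hosts):
        print("blocked:", name)
    print("intranet blocked?", is_blackholed("intranet.example.test", hosts))
```

Pointing the same parser at a real `C:\WINDOWS\system32\drivers\etc\hosts` shows at a glance what a replacement HOSTS file actually blocks, and whether any entry redirects a name to an outside address rather than to the local machine, which is the one thing a legitimate block list never does.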
 
Thanks a bunch again.....I've added the Spyware Blaster program now too, hopefully that will help down the road if I get into trouble again.

Seriously hoping I don't have to return to the site, but just great to know there's people out there that can help without taking the computer to the "doctor"......again, many thanks!!
 