Can't get Spybot to remove Command Service

[Itoao]

Ok Here is the new log:
I am thinking about going to the Malware University in your signature. I am an A+ Certified Tech and this would be great info to have so I can help others and help myslef.
Logfile of HijackThis v1.99.1
Scan saved at 3:18:35 AM, on 1/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

[Mr_JAk3]

Looks good

Nice to hear that you're interested in the university

Please post the Qoofix logfile too. (Qoofix Logfile inside the C:\Qoofix folder)

[Itoao]

Sorry forgot that log file.
Qoofix v1.04 by http://www.malwarebytes.org
Scan started on [1/6/2007] at [3:11:41 AM]
-------------------------------------------------------------
Terminated module: lgvrlly.dll found in Qoofix.exe (2660)
Terminated module: lgvrlly.dll found in wscntfy.exe (672)
Terminated module: lgvrlly.dll found in fyvrud.exe (1144)
Terminated module: lgvrlly.dll found in explorer.exe (1176)
Terminated module: lgvrlly.dll found in vimvu.exe (1204)
Terminated module: lgvrlly.dll found in vimvu.exe (1296)
Terminated module: lgvrlly.dll found in vimvu.exe (1336)
Terminated module: lgvrlly.dll found in smax4pnp.exe (1848)
Terminated module: lgvrlly.dll found in realplay.exe (1688)
Terminated module: lgvrlly.dll found in IntelMEM.exe (1364)
Terminated module: lgvrlly.dll found in igfxpers.exe (172)
Terminated module: lgvrlly.dll found in hkcmd.exe (160)
Terminated module: lgvrlly.dll found in hpztsb09.exe (1200)
Terminated module: lgvrlly.dll found in hpwuSchd.exe (1604)
Terminated module: lgvrlly.dll found in hpcmpmgr.exe (304)
Terminated module: lgvrlly.dll found in DVDLauncher.exe (368)
Terminated module: lgvrlly.dll found in wuauclt.exe (760)
-------------------------------------------------------------
C:\WINDOWS\system32\fyvrud.exe will be deleted on reboot!
C:\WINDOWS\system32\hetyfjn.exe will be deleted on reboot!
C:\WINDOWS\system32\lgvrlly.dll will be deleted on reboot!
C:\WINDOWS\system32\lwkug.dat will be deleted on reboot!
C:\WINDOWS\system32\vimvu.exe will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xgisb.exe will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [1/6/2007] at [3:14:42 AM]

Note: Some registry keys may have been removed.

[Mr_JAk3]

Ok good

You don't seem to a firewall running, you must install one firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.

These are good (free) firewalls:

• Sunbelt-Kerio
• ZoneAlarm
• Sygate
• Outpost

You don't have an antivirus on your computer, you must install one antivirus. Otherwise you'll get infected again.

These are good (free) antiviruses:

• AVG
• Antivir
• Avast

Since you were very infected, it is best to run a one more scanner.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (if available otherwise Standard)
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

[Itoao]

Kapersky Scan
Saturday, January 06, 2007 11:47:50 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/01/2007
Kaspersky Anti-Virus database records: 256394
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 62349
Number of viruses found 5
Number of infected objects 12 / 0
Number of suspicious objects 2
Duration of the scan process 00:38:51

Infected Object Name Virus Name Last Action
C:\!KillBox\gcij1cu.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\!KillBox\jdkfjdskfjkdsjf.bat Infected: Trojan.BAT.DelFiles.be skipped
C:\!KillBox\srvwbbpaon.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ew skipped
C:\!KillBox\srvwbbpaon.exe NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos.zip/stub_sca4.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\removal tools Dont Touch!\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\removal tools Dont Touch!\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\removal tools Dont Touch!\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Stephanie Johnson\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Stephanie Johnson\jdkfjdskfjkdsjf.bat Infected: Trojan.BAT.DelFiles.be skipped
C:\Documents and Settings\Stephanie Johnson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Stephanie Johnson\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\RECYCLER\S-1-5-21-3775689361-1539287093-405260182-1006\Dc1\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{DD4931E7-276D-4552-87C6-4980F63CBFE3}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

[Mr_JAk3]

Hi again, it is looking clean now

Now you can clean AVG's Quarantine:

• Open AVG Anti-Spyware
• Click Infections
• Click Quarantine tab
• Click Select all
• Click Remove finally
• Close the program

You can remove the tools we used.
You may delete the following backup folders:
C:\!KillBox
C:\QooBox

Then you should update your Java to the latest version (6.0)

• Start
• Control Panel
• Add/Remove Programs
• Delete the old Java, J2SE Runtime Environment 5.0 Update 6
• Download the latest version of Java Runtime Environment (JRE) 6.0.
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement."
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Install it

Now you can make your hidden files hidden again.

• Go to My Computer
• Select the Tools menu and click Folder Options
• Click the View tab.
• Checkmark the "Display the contents of system folders"
• Under the Hidden files and folders select "Show hidden files and folders"
• Check "Hide protected operating system files"
• Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

• Clear your system restore
  This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  
• Use ATF Cleaner
  Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  
• Use Ad-Aware
  Download and install Ad-Aware. Update it and scan your computer regularly with it.
  
• Use AVG Anti-Spyware
  Update it and scan your computer regularly with it.
  
• Use Spybot S&D
  Download and install Spybot S&D. Update it and scan your computer regularly with it.
  
• Install SpywareBlaster
  SpywareBlaster will prevent spyware from being installed.
  
• Install MVPS Hosts file
  This prevents your computer from connecting to harmful sites.
  
• Use Firefox browser
  Firefox is faster, safer and better browser than Internet Explorer.
  
• Keep your systen up-to-date
  Visit Windows Update regularly.
  
• Keep your antivirus and firewall up-to-date
  Scan your computer regularly with your antivirus.
  
• Read this article by TonyKlein
  So how did I get infected in the first place?
  
• Stand Up and Be Counted !
  The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Stay clean and be safe

[Itoao]

I have followed your directions. I really appreciate all your help. I will be looking into the University.

[Mr_JAk3]

That's great news and you're very welcome

Welcome to the University

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help