You're welcome.
The reason that and some other entries weren't present in
Safe Mode is that you were not signed into your own account.
I think you missed this part of the directions:
Restart into Safe mode:
BUT when the welcome screen appears, Press CTRL + ALT +DEL twice to bring up
a logon. Log on to your Profile!
--------------
Let's see if you can fix these in regular windows mode.
Run HijackThis. Select the following items and press the "Fix checked" button:
O4 - HKCU\..\Run: [Windows Security Service] wowvp.exe
O4 - HKCU\..\Run: [IRC Client] updated.exe
O4 - HKCU\..\RunServices: [Windows Security Service] wowvp.exe
---------------
The batch file I had you create and run made a new folder:
C:\outtahere
Can you go there, open it, and tell me if it contains any files please? It very well may not.
---------------------------------
The command service entries are just leftovers. But we can get rid of those too.
Go to Start > Run and type services.msc
Press enter
When the Services console opens, scroll to the Task Scheduler entry and make sure it is running. If it is not, double-click the entry and start the service. If it is disabled, enable it and then start it. Close the Services console.
Copy the contents of the code box to notepad.
Name the file Delete cmdservice System priv.vbs
Save as Type: All files
Wait until the minute on the clock in systray turns over
Double click on Delete cmdservice System priv.vbs
Wait a minute or so and a black command window will open and run quickly
A file named results.txt will open
Post the contents of results.txt into your next reply here.
Code:
'Deletes the cmdservice Service Registry Entries
'Written by Mosaic1
'Use at your own risk
'Wait until the minute on the clock in systray turns over
'Double click on Delete cmdservice System priv.vbs
'Wait a minute or so and a black command window will open and run quickly
' A file named results.txt will open
'Post the contents of results.txt into your Forum post.
'
' Overview: the script does not delete anything itself. It writes a temporary
' batch file (r.bat) containing "reg delete ... /f" commands for the cmdservice
' keys, schedules that batch file with the "at" command one minute ahead, and
' the batch file logs its output to results.txt, opens it in Notepad and then
' deletes itself.
' The batch is run through the at scheduler rather than directly; presumably this
' is to get the scheduler's SYSTEM account, as the suggested file name implies.
' NOTE(review): r.bat sits in a user-writable folder until the scheduled job
' runs it; run the script from a folder only you can write to.
Dim Future, NewD ,Short,Location ,batty, present, fpath ,F , DT
Dim Current, Failed, Default, LKG , Place , R ,ImagePath ,slash
set fso = Wscript.CreateObject("Scripting.FilesystemObject")
Set Wshshell = Wscript.CreateObject("Wscript.shell")
' From here on run-time errors are ignored and execution continues with the
' next statement, so a failed registry read or file operation is silent.
On Error Resume next
' Path of the service's executable as recorded in the registry.
' NOTE(review): this value was written by the program being removed; treat it as untrusted.
ImagePath = Wshshell.RegRead("HKLM\SYSTEM\CurrentControlSet\Services\cmdService\ImagePath")
' present = True only if the value is exactly the path of an existing file.
' NOTE(review): if the value carries quotes or arguments this check will report "not found" - confirm.
If fso.FileExists(ImagePath) then present = True
' Split off the folder part of ImagePath (everything before the last backslash).
slash = InstrRev(ImagePath,"\")
fpath = Mid(ImagePath, 1,Slash -1)
' F keeps the folder path text; fpath is reused below as a True/False flag.
F = fpath
If fso.FolderExists(fpAth) then fpath = true
' The value read from Select\Current is overwritten on the next line;
' the CurrentControlSet alias is used for the current control set instead.
Current = Wshshell.RegRead("HKLM\SYSTEM\Select\Current")
Current = "HKLM\System\CurrentControlSet" & "\Enum\Root\LEGACY_cmdservice"
' Each Select value is appended to "ControlSet00" to name a control set
' (e.g. 1 gives ControlSet001).
' NOTE(review): a value of 0 would give ControlSet000, which presumably does not
' exist; reg delete would then just log an error for that key - confirm.
Default = Wshshell.RegRead("HKLM\SYSTEM\Select\Default")
Default = "HKLM\SYSTEM\ControlSet00" & Default & "\Enum\Root\LEGACY_cmdservice"
On error Resume Next
Failed = Wshshell.RegRead("HKLM\SYSTEM\Select\Failed")
Failed = "HKLM\SYSTEM\ControlSet00" & Failed & "\Enum\Root\LEGACY_cmdservice"
Err.clear
LKG = Wshshell.RegRead("HKLM\SYSTEM\Select\LastKnownGood")
LKG = "HKLM\SYSTEM\ControlSet00" & LKG & "\Enum\Root\LEGACY_cmdservice"
' r.bat is created in the current directory. The second argument (false) means
' an existing r.bat is not overwritten: the call fails instead, and because
' errors are suppressed the remaining writes would then silently do nothing.
Set batty = Fso.CreateTextFile("r.bat", false)
Set Location = fso.GetFile("r.bat")
' The 8.3 short path is used for every path written into the batch file and the
' at command; presumably so that unquoted paths contain no spaces.
Short = Location.ShortPath
Place = fso.GetParentFolderName(Short) & "\results.txt"
R = fso.GetParentFolderName(Short) & "\r.bat"
DT = Now
' --- Batch file contents: every command appends its output to results.txt ---
' NOTE(review): the redirection is written "2<&1"; the usual spelling for sending
' error output to the same file is "2>&1" - verify errors do reach results.txt.
Batty.Writeline "Echo " & DT & " >>" & Place
Batty.Writeline "Echo >>" & Place
' Current control set: first the Enum\Root\LEGACY_cmdservice key, then the
' Services\cmdservice key (the same variable is rewritten with Replace).
Batty.Writeline "Echo Working on HKLM\Select ,Current >>" & Place
Batty. Writeline "Echo Deleting" & Chr(32) & Current & " >>" & Place
Batty. Writeline "Reg delete" & Chr(32) & Current & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Current = Replace(Current,"Enum\Root\LEGACY_cmdservice" ,"Services\cmdservice")
Batty.Writeline "Echo >>" & Place
Batty. Writeline "Echo Deleting" & Chr(32) & Current & " >>" & Place
Batty. Writeline "Reg delete" & Chr(32) & Current & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Batty.Writeline "Echo ~~~~~~~~~~ >>" & Place
' Default control set: same two keys.
Batty.Writeline " Echo Working on HKLM\Select ,Default>>" & Place
Batty.Writeline "Echo Deleting" & Chr(32) & Default & ">>" & Place
Batty.WriteLine "Reg delete" & Chr(32) & Default & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Default = Replace(Default,"Enum\Root\LEGACY_cmdservice" ,"Services\cmdservice")
Batty.Writeline "Echo >>" & Place
Batty.Writeline "Echo Deleting" & Chr(32) & Default & ">>" & Place
Batty.WriteLine "Reg delete" & Chr(32) & Default & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Batty.Writeline "Echo ~~~~~~~~~~ >>" & Place
' Failed control set: same two keys.
Batty.Writeline "Echo Working on HKLM\Select ,Failed >>" & Place
Batty.Writeline "Echo Deleting" & Chr(32) & Failed & ">>" & Place
Batty.Writeline "Reg delete" & Chr(32) & Failed & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Failed = Replace(Failed,"Enum\Root\LEGACY_cmdservice" ,"Services\cmdservice")
Batty.Writeline "Echo >>" & Place
Batty.Writeline "Echo Deleting" & Chr(32) & Failed & ">>" & Place
Batty.Writeline "Reg delete" & Chr(32) & Failed & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Batty.Writeline "Echo ~~~~~~~~~~ >>" & Place
' Last-known-good control set: same two keys.
Batty.Writeline "Echo Working on HKLM\Select ,LastKnownGood >>" & Place
Batty.Writeline "Echo Deleting " & Chr(32) & LKG & ">>" & Place
Batty.Writeline "Reg delete" & Chr(32) & LKG & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
LKG = Replace(LKG,"Enum\Root\LEGACY_cmdservice" ,"Services\cmdservice")
Batty.Writeline "Echo >>" & Place
Batty.Writeline "Echo Deleting " & Chr(32) & LKG & ">>" & Place
Batty.Writeline "Reg delete" & Chr(32) & LKG & Chr(32) & "/f >>" & Place & Chr(32) & "2<&1"
Batty.Writeline "Echo ~~~~~~~~~~ >>" & Place
' Report whether the service's file and folder still exist on disk. The script
' only reports them; it does not delete the file or the folder.
' NOTE(review): ImagePath and F are written into the batch file unquoted and
' unescaped. They come from the registry key of the program being removed, so
' any character that is special to cmd.exe would be interpreted when the batch
' runs under the scheduler. Inspect the value before running, or escape it.
If present = True then Batty.WriteLine "echo ImagePath File found here: " & ImagePath & ">>" & Place
If present <> True then Batty.WriteLine "echo ImagePath File not found: " & ImagePath & ">>" & Place
Batty.Writeline
If fpath = True then Batty.WriteLine "echo ImagePath Folder found here: " & F & ">>" & Place
If fpath <> True then Batty.WriteLine "echo ImagePath Folder not found: " & F & ">>" & Place
Batty.Writeline "Echo >>" & Place
' Last two batch lines: show the log to the user, then remove r.bat itself.
Batty.WriteLine "Start Notepad" & Chr(32) & Place
Batty.WriteLine "del " & R
Batty.Close
' Schedule r.bat for one minute from now. FormatDateTime(...,3) produces the time
' in the system's long-time format.
' NOTE(review): assumes "at" accepts that locale-dependent format - confirm on
' non-default regional settings.
NewD = DateAdd("n" , 1, Now)
Future = FormatDateTime(NewD,3)
' NOTE(review): vbhidden is not declared in this script and does not appear to be
' a built-in constant; if undefined it evaluates to Empty, which would act as
' window style 0 (hidden) - confirm.
Wshshell.run "Cmd.exe /c" & "At" & Chr(32) & Chr(34) & Future & Chr(34) & Chr(32) & "/Interactive" & Chr(32) & Short ,vbhidden 'Set the task
' Release the objects and tell the user to wait for the scheduled job.
Set fso = nothing
Set Wshshell = nothing
Set Location = nothing
MsgBox "Wait for the command box to run and close" & vbcrlf & "This will take a minute."
*** NOTE: This script only works on Windows XP. It is not for Win2k or 9x.
After we get you cleaned up, you need to update your Windows to Service Pack 2.