
Thread: 2 lingering Command Service entries to remove

  1. #11 Rawe (Security Expert-Emeritus, Finland; joined Mar 2006; 393 posts)

    This should take care of those issues you're having.

    ==

    Please print these instructions out, or write them down, as you can't read them during the fix.

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode
    5) Choose your usual account.


    ==

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non-infected computer will remove your Desktop background.
    Hi there, stranger!

    Proud Member of ASAP since 2005.

  2. #12 Junior Member (joined Apr 2006; 24 posts)

    Sure thing, below is that log... Also, when I restarted to normal Windows, my background is now changed to a solid blue? Not sure what's up with that?

    SmitFraudFix v2.33b

    Scan done at 10:37:54.69, 04/19/06
    Run from C:\Documents and Settings\du.BULMER\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\osaupd.exe Deleted
    C:\Program Files\secure32.html Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» End

  3. #13 Rawe (Security Expert-Emeritus, Finland; joined Mar 2006; 393 posts)

    You should be able to change your background normally. If not, let me know; we should be able to fix that too.

  4. #14 Junior Member (joined Apr 2006; 24 posts)

    OK, and again, I should have let you know that popups and crap on the toolbar still remain as well...

  5. #15 Rawe (Security Expert-Emeritus, Finland; joined Mar 2006; 393 posts)

    Clean out temporary files:
    • Click Start -> Run and type in: cleanmgr
    • Click "Ok".
    • Let it scan your system.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only ones checked.
    • Click "OK" to remove them.
    • Click "Yes" to confirm the deletion.


    ==

    Go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

    ==

    Post back with a fresh HijackThis log please.

  6. #16 Junior Member (joined Apr 2006; 24 posts)

    The last thing you told me in the above post, the item was not present...

    Here is the newest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:07:39 AM, on 4/19/06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\JFaxMailNTHelper.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\palmOne\HOTSYNC.EXE
    C:\WINDOWS\wupdmgr.exe
    C:\WINDOWS\osaupd.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    F:\Profile\ProFile.exe
    F:\Profile\ProfileUpdate.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Hijack this\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
    O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
    O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [JFaxMailNTHelper] C:\WINDOWS\JFaxMailNTHelper.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: OUTLOOK.EXE.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Bulmer.ca
    O17 - HKLM\Software\..\Telephony: DomainName = Bulmer.ca
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Bulmer.ca
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

  7. #17 Rawe (Security Expert-Emeritus, Finland; joined Mar 2006; 393 posts)

    First, please hit CTRL - ALT - DEL.

    In the Task Manager, please end the following processes on the Processes tab.

    C:\WINDOWS\wupdmgr.exe
    C:\WINDOWS\osaupd.exe

    ==

    Next, please navigate to, and delete these files & folder if present:

    C:\WINDOWS\SYSTEM32\azebar.xml
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
    C:\WINDOWS\rfscanax.dll
    C:\WINDOWS\wupdmgr.exe
    C:\WINDOWS\ZHU\

    ==

    Now, run a scan with HijackThis and make sure to check the following object for removal, then close other open windows except for HijackThis and hit FIX CHECKED:

    O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)

    ==

    Ok. Can you now list all the problems you have at the moment, as detailed as possible, please.
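
    The triage Rawe applied to the log above (two executables running straight out of C:\WINDOWS, and a nameless O2 BHO whose DLL is reported missing) can be written down as a small check over HijackThis-style log lines. This is an added Python example, not code from the thread or from HijackThis itself; the sample log is constructed to mirror the lines posted above, and the "exe directly in the Windows root" rule is a heuristic of mine, not a rule the tool ships with.

```python
import re

# Constructed sample modelled on the log posted in the thread (not a verbatim copy).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Program Files\NavNT\vptray.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

# Heuristic (mine, not a HijackThis rule): an .exe sitting directly in the Windows
# folder rather than in a subfolder such as system32 is unusual for legitimate software.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)

def parse_running_processes(log):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, in_section = [], False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
        elif in_section and not line.strip():
            break
        elif in_section:
            procs.append(line.strip())
    return procs

def parse_entries(log):
    """Return (section, body) pairs for lines such as 'O2 - BHO: ...'."""
    pairs = [re.match(r"^(O\d+) - (.*)$", line.strip()) for line in log.splitlines()]
    return [(m.group(1), m.group(2)) for m in pairs if m]

def triage(log):
    """Flag (1) .exe files running out of the Windows root and (2) O2 BHO entries
    with no name or a missing DLL, the two things Rawe singled out in the thread."""
    findings = [("exe-in-windows-root", p) for p in parse_running_processes(log)
                if WINDOWS_ROOT.match(p)]
    for section, body in parse_entries(log):
        if section == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append(("suspicious-bho", body))
    return findings
```

Calling triage(SAMPLE_LOG) returns the two C:\WINDOWS executables and the winbrume.dll BHO; a hit is a prompt to look closer, not proof of infection on its own.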

  8. #18 Junior Member (joined Apr 2006; 24 posts)

    Quote Originally Posted by Rawe
    First, please hit CTRL - ALT - DEL.

    In the Task Manager, please end the following processes on the Processes tab.

    C:\WINDOWS\wupdmgr.exe
    C:\WINDOWS\osaupd.exe

    ==

    Next, please navigate to, and delete these files & folder if present:

    C:\WINDOWS\SYSTEM32\azebar.xml
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
    C:\WINDOWS\rfscanax.dll
    C:\WINDOWS\wupdmgr.exe
    C:\WINDOWS\ZHU\

    ==

    Now, run a scan with HijackThis and make sure to check the following object for removal, then close other open windows except for HijackThis and hit FIX CHECKED:

    O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)

    ==

    Ok. Can you now list all the problems you have at the moment, as detailed as possible, please.

    Gotta say, amazing help... everything seems to be gone: no stuff on the taskbar anymore, no more popups it looks like, at least not yet! And no more links on my desktop to the adware website... all looks like it's cleaned up.

    FYI, a couple of things from the instructions above: I couldn't stop those processes, they kept being deleted then reappearing, so I stopped the process tree on the second file and both disappeared, which then let me delete the wupdmgr.exe file.

    I did not have the ibm00001.dll file, but did have one ibm00002.dll, left that alone...

    Does this mean I'm cured?

  9. #19 Rawe (Security Expert-Emeritus, Finland; joined Mar 2006; 393 posts)

    Please delete ibm00002.dll and empty recycle bin...

    Glad I was able to help

    ==

    Please read here how to clear old restore points and create a new one.

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Here are some tips for the future to prevent spyware:

    Detect and Remove Programs:
    • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
    Prevention Programs:
    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    Other necessary Programs:
    • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
    • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
    • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
    And also see TonyKlein's good advice:
    So how did I get infected in the first place? (My favourite)

  10. #20 Junior Member (joined Apr 2006; 24 posts)

    Thanks a bunch again... I've added the SpywareBlaster program now too; hopefully that will help down the road if I get into trouble again.

    Seriously hoping I don't have to return to the site, but it's just great to know there are people out there who can help without taking the computer to the "doctor"... again, many thanks!!
