I need help!- Spybot found Command Service!

Status
Not open for further replies.

nikoanime

I am new at trying to get rid of useless crap from my computer and I need help. I noticed a lot of pop-ups (which I believe is due to Command Service). I also have the problem of Firefox working but Internet Explorer not. Please help me!

Someone needs to help me from absolute beginning. Thanks a bunch and I look forward to assistance!
 
Microtrend antivirus might find it... Ad-Aware 2007... Firefox was a big pain for me, so I got rid of it and stuck with Yahoo and Google.
 
Hello and welcome to Techspot.

Go and read this thread HERE and post a HJT log as an attachment into this thread.

Regards Howard :wave: :wave:

This thread is for the use of nikoanime only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
HJT Log

I hope this is right..
After I ran HJ, I had 2 Internet Explorer pop-ups (IE still isn't working though).
They were trying to get to:
h.t.t.p://65.243.103.60/go//?cmp=nm_ff_dz_ron&uid=d57c0eac76e411dcadf8f68089faffff&nid=dz&guid=b1231730be8045d3a060ecc37ecde653&affid=68089&lid=http>
Also my desktop picture was taken away and now I'm left with the Active Desktop Recovery.
I really appreciate your help!!
 
Have you tried rolling back your computer... START.. PROGRAMS.. ACCESSORIES.. SYSTEM TOOLS... If a virus hasn't wiped out your save points, go to the date before the problem started... I am a trial and error person... just like you... let me know what happens.
 
?

From what I understood and have read throughout the forums, I'm supposed to wait for a response from howard_hopkinso with his advice on what to do since he welcomed me to TechSpot. I'm just confused now..
 
I don't understand why you would have to wait, you don't need permission to roll back your PC... now I'm confused... let me know what happens... have you gone to Windows Update and looked at how to uninstall and reinstall the Explorer?... you have to wait?... keep me posted... this is getting interesting.. ok?
 
Your system is infected with a variety of malware.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

 
I agree that you should exhaust all options before clean or format.. but.. I got infected with AVG was installed and ended up formatting... am I the only person that's tried microtrend... 30 days free, I used it before I purchased my firewall and antivirus program...

Oops.. I just noticed something.... it's trendmicro not microtrend... sorry... disabled vet had a plate in me head and I transpose things.. I do apologize...
 
mobbish, once you have started the HijackThis process and Howard has begun viewing your logs, you should continue until completion.

But I sometimes look at the logs, not for the malware, but to see what else is running. So far, with no exceptions, users have way too many programs and apps starting at boot and running in the background. This also will affect performance. Things like TCSServer.exe don't need to start at boot. If they do, they will continue running in the background.

Another example is SMAgent.exe: it shouldn't be on startup, and so on. So what I do is suggest the hijack log process be completed so that the system is clean, and offer to help streamline the system for the user 'after' the malware is gone.
 
Hi Bobbye.

This thread was actually started by nikoanime. It is nikoanime that has the malware problem and not mobbish. ;)

Regards Howard :)

 
I understood that, Howard. But mobbish was wanting nikoanime to try some various things. My only intention was to suggest nikoanime finish with your help before trying other things.
 
Here goes nothing...

My computer already seems to be running quicker than it was. When I scanned with Panda, it did not find anything. I may have to rerun AVG Anti Spyware because when I wrote my notes for what to do while in Safe Mode, I only wrote AVG, so I didn't run AVG Anti Spyware until I was out of Safe Mode. Please let me know if I need to go back into Safe Mode for this. Thank you for all of your help!

If for some odd reason all of these steps and your help don't work, I will have to try to "Roll Back" my computer as suggested by mobbish. The only problem with this option is that one of my friend's computers had Command Center virus on it and it didn't start acting up until months after it was already on his computer. He took it somewhere and they were able to pinpoint the exact day and time it was put onto his system. Without me knowing when this virus was put onto my computer, I could spend days upon days trying to guess when to roll back to.

Mobbish, if you are still reading this thread, I wasn't trying to be rude when posting back to you and I am sorry if I seemed so. I just took it into consideration that you also are new to these forums and howard_hopkinso is pretty much from what I saw from other posts (before posting my own problem) one of the specific people who are part of TechSpot that are to help people like me. I just wanted to wait for his help first.
 
Don't worry about the AVG Antispyware, it's fine.

We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Delete all files in AVG Antispyware quarantine.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://download.microsoft.com/download/0/a/9/0a9587bc-2dc5-420e-89e0-f74d8b75b128/setup.exe

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: (no name) - {F2D99483-3BC2-4737-955B-E7F761C36FCD} - C:\WINDOWS\system32\vturs.dll (file missing)

Click on the fix checked button.

Close HJT.

Go HERE, download and install the latest version of Java.

Once it's installed, go to add remove programmes in your control panel and uninstall all previous versions of Java, except version 6 update 3. Close Control panel.


Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\WINDOWS\system32\srutv.bak2
C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\B86DDD8C09.sys
C:\WINDOWS\RUxMRU5LVUlQRVI\loUglocMpo5klpK.vbs
Folder::
C:\Qoobox
C:\Vundofix backups
C:\WINDOWS\RUxMRU5LVUlQRVI
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2D99483-3BC2-4737-955B-E7F761C36FCD}]


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

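A pre-flight check for the copy/paste step in the post above, as an added example that is not part of the original thread and not ComboFix's own code. It tests only the constraints the post states (File:: on the first line, no blank line above it, no space in front of it, nothing from outside the box); the function name, messages and section list are assumptions made for illustration.

```python
# Constructed input: the CFScript body exactly as it appears in the post above.
GOOD = r"""File::
C:\WINDOWS\system32\srutv.bak2
C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\B86DDD8C09.sys
C:\WINDOWS\RUxMRU5LVUlQRVI\loUglocMpo5klpK.vbs
Folder::
C:\Qoobox
C:\Vundofix backups
C:\WINDOWS\RUxMRU5LVUlQRVI
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2D99483-3BC2-4737-955B-E7F761C36FCD}]
"""

# Only the section headers used in the post; other headers are out of scope here.
SECTIONS = ("File::", "Folder::", "Registry::")

def check_cfscript(text):
    """Return (sections, problems) for the text about to be saved as CFScript.txt."""
    problems, sections, current = [], {}, None
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    first = lines[0]
    if first != "File::":
        if first.strip() == "":
            problems.append("blank line above File::")
        elif first != first.lstrip():
            problems.append("space in front of the first line")
        else:
            problems.append("first line is %r, expected 'File::'" % first)
    for ln in lines:
        entry = ln.strip()
        if not entry:
            continue
        if entry in SECTIONS:          # a header starts a new section
            current = entry
            sections.setdefault(current, [])
        elif current is None:          # text pasted from outside the code box
            problems.append("text outside the code box: %r" % entry)
        else:
            sections[current].append(entry)
    return sections, problems

if __name__ == "__main__":
    cases = [("as posted", GOOD), ("blank first line", "\n" + GOOD),
             ("leading space", " " + GOOD), ("label copied", "Code:\n" + GOOD)]
    for label, text in cases:
        print(label, "->", check_cfscript(text)[1] or "OK")
```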
 
I do not have Spybot in my system tray. I opened up the program and have always had it running in advanced mode. I checked tools and looked in the list and there is not a check mark next to Resident. Spybot was showing up in the list of tea times or whatever?

Also, deleted the AVG Anti Spy's quarantined list.

I am working on the rest of the list of things to do that you gave to me, just wanted to inform you of this part. I will reply again with the required information as soon as I can!
 
Fixed the files in HJT. (all 3 were present)

While trying to install the update for Java, I am receiving the error: The installer cannot proceed with the current Internet Connection settings. Visit the website for more information. Is it safe to skip this part for now or should I delete previous versions of the Java and try to get a fresh install for the updated version?
 
All clean.

Try this for your Java problem.

Go to your control panel and double click on the Java icon. Click the update tab, followed by the update button. Once the updates have downloaded and installed, close Java.

Now, go to add remove programs and uninstall all previous versions of Java, except for version 6 update 3.

If you're not having any further problems, please do the following.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Thanks a bunch and sorry for the delayed reply! I was sick for a few days and didn't want anything to do with the computer.

I am currently working on trying to get the Java update to work, it looks like I need to do something else since the update won't start automatically even through the Control Panel.

I still do have the problem with only Firefox working and Internet Explorer not. Could this be because of the Java not being updated?
 
Sorry to hear you've not been well, hope you're better now.

Perhaps the easiest way to deal with your Java problem is to uninstall all versions of Java from add remove programmes and reboot your system.

Then, download and install the latest version from HERE.

Regards Howard :)

 
Now I'm absolutely stumped. I removed all Java from add/remove, restarted my computer and clicked on the link you provided for me to install the new Java and I still am getting the error that the installer cannot proceed with the current Internet Connection settings.
 
I think this is caused by the proxy server you are using.

Run HJT and have it fix the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = (null)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

Click the fix checked button, close HJT and reboot your system.

Now try downloading and installing Java. Once installed, you might want to reset your proxy settings back to what they were.

Regards Howard :)

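The HJT entries picked out in this thread fall into two kinds: O2 Browser Helper Object lines whose file is "(no file)" or "(file missing)", and R1 lines holding the Internet Settings proxy values. The sketch below, an added example that is not part of the original thread and not HijackThis code, parses those two line shapes and lists them for review; the function names and finding labels are assumptions, and the last sample line is made up for contrast.

```python
import re

# Constructed sample log: the first four lines are entries quoted in this thread;
# the last line is a made-up healthy BHO added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = (null)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {F2D99483-3BC2-4737-955B-E7F761C36FCD} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
PROXY_VALUES = {"ProxyServer", "ProxyOverride"}
MISSING = "(file missing)"

def parse_line(line):
    """Parse one HJT log line into a dict, or return None if not recognised."""
    m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section.startswith("R"):
        # Shape: <registry key>,<value name> = <data>
        left, _, data = body.partition(" = ")
        key, _, value = left.rpartition(",")
        return {"kind": "registry", "key": key, "value": value, "data": data}
    if section == "O2":
        b = BHO_RE.match(body)
        if b:
            name, clsid, target = b.groups()
            missing = target == "(no file)" or target.endswith(MISSING)
            path = None if target == "(no file)" else target.replace(MISSING, "").strip()
            return {"kind": "bho", "name": name, "clsid": clsid,
                    "path": path, "missing": missing}
    return None

def triage(log_text):
    """Return (label, detail) pairs for entries of the kinds fixed in the thread."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e["kind"] == "bho" and e["missing"]:
            findings.append(("orphaned-bho", e["clsid"]))
        elif e["kind"] == "registry" and e["value"] in PROXY_VALUES:
            findings.append(("proxy-setting", e["value"] + "=" + e["data"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```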
 