
WinFixer/ISearch and Start > Run > CMD Issue (HJT log)

Discussion in 'Malware and Virus Removal Archive' started by Bubba, 2007/06/19.

Thread Status:
Not open for further replies.
  1. 2007/06/21
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0
    The hidden files option was already checked; I'll do a search for it and see what comes up.
     
  2. 2007/06/21
    Bubba

    Sorry, but the procedure didn't yield results and I couldn't find those two folders by using search or searching Windows and System32 myself.
     

  4. 2007/06/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Click here << (link removed ..... noahdfear) to download delcom.exe
    Save it to the desktop, then double click to extract delcom.bat
    Double click the delcom.bat file to run. Post the contents of log1.txt, which will open when it completes.
     
    Last edited: 2007/06/21
  5. 2007/06/21
    Bubba

  6. 2007/06/21
    Bubba

    Here it tis.

    cmd.com found

    deleting cmd.com

    cmd.com not deleted

    Sm9obiBNYXRoZXdz found

    Volume in drive C has no label.
    Volume Serial Number is 4480-3596

    Directory of C:\WINDOWS\Sm9obiBNYXRoZXdz

    08/05/2006 07:55 PM <DIR> .
    08/05/2006 07:55 PM <DIR> ..
    07/29/2005 04:24 PM 472 mA6Cv21hsrlCtrxW.vbs
    1 File(s) 472 bytes

    Total Files Listed:
    1 File(s) 472 bytes
    2 Dir(s) 1,606,516,736 bytes free
     
  7. 2007/06/21
    noahdfear

    Download the Killbox from here and save it to the desktop.
    Copy the bolded blue list below by highlighting and pressing Ctrl+C


    C:\WINDOWS\system32\cmd.com
    C:\WINDOWS\Sm9obiBNYXRoZXdz\mA6Cv21hsrlCtrxW.vbs


    Double-click the KillBox icon on your desktop to open it
    Select the box Delete on Reboot
    Then click the All Files button.
    Click File and choose Paste from Clipboard.
    Click the red x [Delete File] button.
    Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

    If the computer does not reboot on its own, restart it yourself.

    Note: it may just be a glitch in my own system, but when testing this myself with the above filepaths, the list would not paste using the above method (and it should). If the list will not paste into killbox for you as outlined, paste just one filepath directly into the Killbox address box, process by clicking the red x button and restart, then repeat with the second filepath after reboot.

    When done, delete the log1.txt file on the desktop and run the delcom.bat file again, then post the log.
     
  8. 2007/06/21
    Bubba

  9. 2007/06/21
    Bubba

    Here's the log, I even did the sm9ob file twice.

    cmd.com not found
    Sm9obiBNYXRoZXdz found

    Volume in drive C has no label.
    Volume Serial Number is 4480-3596

    Directory of C:\WINDOWS\Sm9obiBNYXRoZXdz

    06/21/2007 09:15 PM <DIR> .
    06/21/2007 09:15 PM <DIR> ..
    0 File(s) 0 bytes

    Total Files Listed:
    0 File(s) 0 bytes
    2 Dir(s) 1,604,993,024 bytes free
    
     
  10. 2007/06/21
    noahdfear

    Doing good :)

    cmd from Run should work now. Open a command prompt and type (make sure you include the spaces). You can also copy then right click>paste in the command window.

    cd c:\windows

    then hit enter
    the path should show as C:\Windows>
    now type

    attrib -a -s -r -h Sm9obiBNYXRoZXdz

    hit enter
    then type

    rmdir Sm9obiBNYXRoZXdz

    hit enter
    delete log1.txt and run delcom.bat again, then post the log
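    The two things delcom.bat checked for in this thread (a system32\cmd.com and the C:\WINDOWS\Sm9obiBNYXRoZXdz folder) modelled as an added Python example; this is not part of the original thread or of noahdfear's tool. It shows why a cmd.com beside cmd.exe is what "cmd" at Start > Run actually launched (the default PATHEXT searches .COM before .EXE) and flags folder names that are well-formed base64 decoding to readable text, as the thread's folder name does. The directory listings are constructed, and the base64 test is a heuristic, not proof of infection.

```python
"""Model the two artifacts from the thread: a .com shadowing cmd.exe via
PATHEXT order, and a base64-named folder under the Windows directory."""
import base64
import os
import re

# Default PATHEXT on Windows XP: .COM is tried before .EXE, so a
# system32\cmd.com wins over cmd.exe when "cmd" is typed at Start > Run.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"


def resolve_command(name, entries, pathext=DEFAULT_PATHEXT):
    """Return the file Windows would pick for `name` from a directory
    listing `entries`, following PATHEXT order; None if nothing matches."""
    lower = {e.lower(): e for e in entries}
    for ext in pathext.split(";"):
        cand = (name + ext).lower()
        if cand in lower:
            return lower[cand]
    return None


def shadowed_exes(entries, pathext=DEFAULT_PATHEXT):
    """List (exe, winner) pairs where an .exe loses to a same-named file
    with an extension earlier in PATHEXT, e.g. ("cmd.exe", "cmd.com")."""
    hits = []
    for e in entries:
        stem, ext = os.path.splitext(e)
        if ext.lower() != ".exe":
            continue
        winner = resolve_command(stem, entries, pathext)
        if winner and winner.lower() != e.lower():
            hits.append((e, winner))
    return hits


# Heuristic: folder names of 12+ base64-alphabet characters, length % 4 == 0.
B64_NAME = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def base64_named(dirnames):
    """Return (name, decoded) for names that decode cleanly to printable
    ASCII; most ordinary folder names fail the decode step and are skipped."""
    out = []
    for d in dirnames:
        if len(d) % 4 or not B64_NAME.match(d):
            continue
        try:
            text = base64.b64decode(d, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append((d, text))
    return out


# Constructed sample listings modelled on the thread (not a real scan).
SYSTEM32 = ["cmd.exe", "cmd.com", "notepad.exe", "attrib.exe"]
WINDIR = ["system32", "Fonts", "Sm9obiBNYXRoZXdz", "Temp", "ServicePackFiles"]

if __name__ == "__main__":
    print(shadowed_exes(SYSTEM32))
    print(base64_named(WINDIR))
```

    On a live system the same two functions can be fed os.listdir() of the System32 and Windows folders; a hit from shadowed_exes is the condition that made "cmd" from the Run box misbehave here.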
     
  11. 2007/06/21
    Bubba

    Looks like things are finally working. Here's the log.

    cmd.com not found
    Sm9obiBNYXRoZXdz not found

    
     
  12. 2007/06/21
    Bubba

    A funny thing happened on the way to the forum (if you remember that silly movie). This all started because I couldn't get my music downloader (Limewire) to work. Just for kicks, I tried to see if it was working (it wasn't still). I went to the Windows firewall in my control panel and turned it off. My Limewire perked up and began working again. Knowing that having the firewall off is not a good thing, I turned it back on. Guess what, my Limewire is still working. I rebooted to see if that would somehow cause the firewall problem again but it didn't. My music downloader is working fine now and so is my cmd from the run box. I'm very happy and glad that this is over, I was beginning to feel like a performing seal.:D
     
  13. 2007/06/21
    noahdfear

    That's great!

    You can remove the tools we used (batches, logs, dss.exe, etc) and delete the folders C:\Deckards System Scanner and C:\!KillBox. Uninstall MoveOnBoot if you want as well.
    Please update Spybot and run a full scan. Fix all it finds and preselects.
    Create a new HijackThis log when done and post it. Let us know if you're having any other problems.
     
  14. 2007/06/21
    Bubba

    Thanks for all the hard work in helping me.:)
     
  15. 2007/06/22
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Whew! That's WONDERFUL news, Bubba! Your patience is outstanding! I'm glad you're back up and running!

    Dave, you are awesome! :cool:

    BTW, Bubba, please remember...
    Thought you might have missed Dave's suggestion in your excitement. :)
     
    Last edited: 2007/06/22
  16. 2007/06/22
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    argh!
    That is probably one of the biggest sources of malware propagation. Limewire network is very infested with spreading malware.
     
  17. 2007/06/22
    Bubba

    I looked to see some of the sites that the site you googled but it didn't seem to give up anything. I'll try again later.

    -----------------------------------------------------------------------------------------------

    Mailman, no, I didn't overlook it, just taking a breather. This has been several days of working on these problems and sometimes fairly late at night. I will do the update and post a hijack log, arf arf, flap flap.:D
     
    Last edited: 2007/06/22
  18. 2007/06/22
    Bubba

    I updated the spybot, fixed everything and here is the Hijack log.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:42:18 PM, on 6/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SiteAdvisor\6066\SAService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\john\My Documents\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigblueheaven.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138381294296
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://63.241.168.237/ecwplugins/ncs.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/accommodations/surround/MSSurVid.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {E596DF5F-4239-4D40-8367-EBADF0165917} - http://privacyprotector.com/.freeware/cab/installprivacyprotector.cab
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
     
    Last edited: 2007/06/22
  19. 2007/06/22
    noahdfear

    Looks good, Bubba. :) Just a few more things I recommend you do.

    1. Using Add/Remove Programs in the Control Panel, remove all Java and/or JRE installations. Reboot when done. Navigate to C:\Program Files\Java and delete all files and folders within the Java folder. Then go to Sun Java and click the Get the JDK download link next to the picture of the kid (lady?) in the tree at the top of the page. Accept the license agreement then click the Windows Online Installation Link in the first section, labeled Windows Platform - Java(TM) SE Development Kit 6 Update 1. Note that it may try to install the Google Desktop, which you should have the option to opt out of if you wish.

    2. Open Spybot. Click Mode on the menu and select Advanced. Click Yes to the prompt. In the left pane, click Immunize. If prompted that 0 (zero) products are blocked, click OK, then click the green plus sign labeled immunize in the upper left corner. Check the box below labeled Enable permanent blocking of bad addresses in Internet Explorer. Now click the Tools button in the left pane. Click Resident. Check the box labeled Resident "SD Helper" (Internet Explorer bad download blocker) active. Close Spybot.

    3. Download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Check for updates occasionally and install them when applicable.

    4. I highly recommend you install a third party firewall. You will find many different recommendations on this BBS for free firewall alternatives, but I still prefer and recommend Zone Alarm Free (basic Zone Alarm protection).

    If you have any questions, or need help with anything, don't hesitate to ask. ;)
     
  20. 2007/06/22
    Bubba

    Wow, that's an armload full. And here I was thinking I was through.:eek:
     
  21. 2007/06/22
    Bubba

    First of all, I placed all the music that was in my Limewire library into a special folder and uninstalled Limewire. As far as the other things that were recommended including Zone Alarm, they have all been done. A big Thanks to everyone involved for all the help.
     