Author Topic: Command Service (and Other Spyware) Removal - Help Required  (Read 3295 times)

Offline guestolo

« Reply #40 on: July 12, 2006, 11:42:03 PM »
the .dll is a legit file, we can leave it alone
In addition, can you ensure that a program such as Stardock doesn't have an option such as hide taskbar enabled

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Wadinator

« Reply #41 on: July 12, 2006, 11:47:12 PM »
Yipee!!!!!! Aw Great, you made me wake up everyone. Yes, the taskbar is back. (Hopefully for good)
Would you like a list of the services I disabled?
No, Stardock has no hide taskbar settings. Nevermind, I think it does. (Just checked their website)
I'll restart with ObjectDock service and startup features enabled to see if I can get it back. OK?
« Last Edit: July 12, 2006, 11:51:24 PM by Wadinator »

Offline guestolo

« Reply #42 on: July 12, 2006, 11:50:50 PM »
Quote
Would you like a list of the services I disabled?
Sure, or could it have been a startup entry?

Quote
No, Stardock has no hide taskbar settings. Nevermind, I think it does. (Just checked their website)
I'll restart with ObjectDock service and startup features enabled to see if I can get it back. OK?
EDIT>>That would be your next move, by process of elimination find out which startup entry or Service is the cause of the problem
« Last Edit: July 12, 2006, 11:53:26 PM by guestolo »


Offline Wadinator

« Reply #43 on: July 13, 2006, 12:01:27 AM »
Hey questolo, you were right (as usual)

I found it. It turns out there IS in fact a setting in ObjectDock that reads "Show Windows Taskbar". I have no idea how that got unchecked.

You have been a tremendous help. I appreciate the time you put in to helping me. You and the other people on this forum really do a great job. Thank you for all your continued assistance. I could have never cleared this up without you.

Could you leave this thread open for a while? In case that was not the last problem. I'll test everything the next few days and if everything works, I'll add even more thanks to the above paragraph.

Offline guestolo

« Reply #44 on: July 13, 2006, 12:10:10 AM »
I'm off to bed anyways
Make sure you don't empty the contents of the recycle bin yet

The PSHope and Need2Find folders you removed you can definitely live without, they are NOT legit
Same with BattyRun.dll

I want to make sure you can live without the  Oracle folder and jxea7b22.sys file

Ensure to reenable all Services and startup entries related to Anti-Virus as soon as possible

We did clear you of some malware, so that's a good thing
I have some other recommendations later, for now goodnight :)

Let me know how things are running as soon as you can.
By tomorrow evening, or soon after, post one last hijackthis log when you post back
« Last Edit: July 13, 2006, 12:12:01 AM by guestolo »


Offline Wadinator

« Reply #45 on: July 13, 2006, 05:50:10 PM »
Hi questolo,

Things are running OK. I do have 2 minor concerns however.
1) Windows Security Center brings up a popup (speech bubble style) near my taskbar every time I reboot. It says that my computer may be at risk because Norton AV is disabled. However, when I open NAV, I find everything is up to date and enabled. See picture below.
[attachment=935:attachment]
2) Secondly, before I got infected, I used a program called Windows Blinds ( perhaps you've heard of it ) to change the appearance of my pc. Now, the skins will still load, but they do not do so automatically like they did before. I've looked around for any settings that may have caused this but I can't find anything. Since everything in the startup tab in MSCONFIG is enabled, I assume the startup app that loaded the skins is now disabled and no longer on the list.

I have deleted the 3 things you specified above permanently. Have you found anything about the Oracle folder and jxea7b22.sys file?

You said you had a few more recommendations. I would love to hear them, considering how well your previous advice has worked.

Here is an updated HijackThis log you requested.


Logfile of HijackThis v1.99.1
Scan saved at 6:49:32 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Mavis Beacon Teaches Typing 11.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 11\MiniMavis.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
« Last Edit: July 13, 2006, 06:45:15 PM by Wadinator »
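A helper reviewing a HijackThis log like the one above makes the same pass every time: pull out the O4 autostarts and O23 services, note anything marked "(file missing)", and look twice at AppInit_DLLs and proxy settings. The script below is an added example written for this page; it is not part of HijackThis and not code from any post in the thread. It parses a constructed sample made of lines copied from the posted log plus one hypothetical O4 entry (invented name and path under the user profile) and lists the entries that deserve a second look. The flags are heuristics, not verdicts: in the posted log the AppInit_DLLs entry lives under the Google program folder and the helper raised no concern about it, so a flag means "check", not "remove".

```python
"""Parse HijackThis 1.99 log entries into records and flag the ones a
reviewer would look at first.  Added example for this thread; it is not
part of HijackThis or of any post above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the log posted in this thread, plus
# one hypothetical O4 entry (name and path invented) that autostarts from a
# user profile directory, to exercise the flagging logic.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:49:32 PM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - HKCU\..\Run: [HypotheticalEntry] C:\Documents and Settings\Owner\Application Data\Hypothetical\run.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First Windows path in an entry, up to a binary/driver extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx|cpl|scr)\b', re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")          # O4 - ...Run: [Name]
LNK_NAME_RE = re.compile(r"Startup: (?P<name>.+?)\.lnk")   # O4 - Startup: Name.lnk
SERVICE_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# Locations an autostart or service binary should not normally live in on XP.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


@dataclass
class Entry:
    code: str                     # HijackThis section, e.g. O4, O23
    body: str                     # text after "O4 - "
    name: Optional[str] = None    # Run-key value name, .lnk name or service display name
    vendor: Optional[str] = None  # company name HijackThis prints for O23 entries
    path: Optional[str] = None    # first file path found in the entry


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for an 'Oxx - ...' line, or None for header/process lines."""
    m = ENTRY_RE.match(line.rstrip())
    if not m:
        return None
    entry = Entry(code=m.group("code"), body=m.group("body"))
    pm = PATH_RE.search(entry.body)
    if pm:
        entry.path = pm.group(0)
    if entry.code == "O4":
        nm = RUN_NAME_RE.search(entry.body) or LNK_NAME_RE.search(entry.body)
        entry.name = nm.group("name") if nm else None
    elif entry.code == "O23":
        sm = SERVICE_RE.match(entry.body)
        if sm:
            entry.name, entry.vendor = sm.group("display"), sm.group("vendor")
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def flag(entry: Entry) -> List[str]:
    """Reasons a reviewer should look at this entry (empty list = unremarkable)."""
    reasons = []
    if "(file missing)" in entry.body:
        reasons.append("points at a file that no longer exists (stale or half-removed component)")
    if entry.code == "O20":
        reasons.append("AppInit_DLLs: loaded into every process that loads user32.dll, verify the DLL")
    if entry.code == "R1" and "AutoConfigURL" in entry.body:
        reasons.append("proxy auto-config URL set: confirm which installed program owns it")
    if entry.code in ("O4", "O23"):
        if entry.path is None:
            reasons.append("autostart without a recognisable file path")
        elif any(d in entry.path.lower() for d in USER_WRITABLE):
            reasons.append("autostart runs from a user-writable profile or temp directory")
    # HijackThis prints "Unknown owner" when the service binary has no company name.
    if entry.code == "O23" and entry.vendor == "Unknown owner":
        reasons.append("service binary carries no company name")
    return reasons


def review(text: str) -> List[Tuple[str, List[str]]]:
    """(entry text, reasons) for every entry that gets at least one flag."""
    out = []
    for e in parse_log(text):
        reasons = flag(e)
        if reasons:
            out.append((f"{e.code} - {e.body}", reasons))
    return out


if __name__ == "__main__":
    for line, reasons in review(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run as-is it prints the four flagged sample entries; to use it on a real log, read the saved hijackthis.log file into a string and pass it to review(). The flags pick what to research, and the O4/O23 vendor and path fields are what you would then search for or compare against the program's own install folder.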

Offline Wadinator

« Reply #46 on: July 13, 2006, 08:33:46 PM »
Don't worry about the WindowBlinds issue. I got it fixed. The NAV thing is really weird though. If you have any ideas, please share.

Why am I only able to edit once or twice? That is the only reason I posted again.
« Last Edit: July 13, 2006, 08:35:07 PM by Wadinator »

Offline guestolo

« Reply #47 on: July 14, 2006, 11:55:53 PM »
Have you made sure that Norton's Auto protect is enabled?
You can also re-enable Script Blocking if disabled

If that's not the problem, let me know, I have other options


Offline Wadinator

« Reply #48 on: July 15, 2006, 10:31:58 AM »
Hi questolo,

Yeah, I'm sure Auto-Protect and Script Blocking are enabled. I don't know what's wrong. Even when I use all default settings ( everything enabled ), I still get the strange error. Should I just assume it is working and tell Windows not to warn me about NAV being disabled?

Offline guestolo

« Reply #49 on: July 15, 2006, 08:43:56 PM »
Quote
Should I just assume it is working and tell Windows not to warn me about NAV being disabled?

Yes, just to double check
Go into Security Center in Control panel and ensure it states that AntiVirus is enabled

Then you can tell it the next time it pops up
Click the balloon >>Recommended Solutions then put a check mark at "I have an anti-virus program that i will monitor myself....."


Offline Wadinator

« Reply #50 on: July 15, 2006, 09:51:56 PM »
Hi questolo,
I've double and triple checked. I'll just tell Windows not to worry about it.

Quote
I have some other recommendations later, for now goodnight
Ok, so what are they? Please...

Quote
I want to make sure you can live without the Oracle folder and jxea7b22.sys file
What did you find out?

Hey cool, I'm a Journeyman.
« Last Edit: July 15, 2006, 09:57:41 PM by Wadinator »

Offline guestolo

« Reply #51 on: July 16, 2006, 12:00:49 AM »
If everything is running better
We should flush all your restore points
Go to START>>RUN
Type in
msconfig
Click OK
Click the "Launch System Restore" button
On the left hand side click on "System Restore Settings"
Put a check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, go back and take the check out of "Turn off System Restore"
This will re-enable the System Restore feature and create a new restore point

Protect yourself against Future Attacks
*Install  SpywareBlaster 3.5.1 by JavaCool  
    *Will block bad ActiveX Controls
    *Block Malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

*Keep up to date on Windows updates (High Priorities)
This is the most important step in keeping your system secure
Make sure you check for updates at least once a month and/or set to Autoupdate
                   
*Make sure your Anti-Virus software is always kept up to date and actively running in the background

*Keep your Firewall protection enabled
A Firewall is also very important
This provides a line of defense against someone who might try to access your computer without your permission

Update and do scans with your Anti-Spyware programs on a regular basis
In addition, open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Immunize after every update

About the folder and file I couldn't find info on
They both had creation dates about the same time as your problems
To be safe, try the following
Open the MyDocuments folder>>Right click an empty spot and select NEW>>Folder
Name the new folder>>Backup
Go into the recycle bin and restore both folder and file

Then navigate to both the following
C:\Documents and Settings\Owner\Application Data\?racle (Oracle)
Right click on Oracle and select CUT then PASTE it to the Backup folder you created
Don't select Copy, we actually want to remove them from their original locations
Do the same for
C:\WINDOWS\system32\jxea7b22.sys

Keep them in the backup folder for a couple of weeks, if you have no problems with any programs
Chances are they were/are bad and you can delete the Backup folder
Stay safe :)

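The cut-and-paste into a Backup folder described above is a quarantine: the item leaves its original location so it can no longer be loaded from there, but nothing is lost if a program turns out to need it. Below is an added example, not from the thread or from any tool it mentions, that does the same thing in Python with two refinements a practitioner wants: a manifest recording each item's original path and SHA-256 (so it can be put back exactly, or the hash looked up later), and a restore step that refuses to return a file whose hash changed while it was held. demo() builds a throwaway sandbox with hypothetical file and folder names; nothing touches a real system32 or profile directory.

```python
"""Quarantine suspect files by moving (not copying) them into a holding
folder with a manifest of where they came from and their SHA-256, so they
can be restored if a program breaks or deleted once the box stays clean.
Added example for this thread; not from any post above.  Paths in demo()
are constructed and hypothetical."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(backup_dir: Path) -> List[Dict]:
    p = Path(backup_dir) / MANIFEST
    return json.loads(p.read_text()) if p.exists() else []


def save_manifest(backup_dir: Path, records: List[Dict]) -> None:
    (Path(backup_dir) / MANIFEST).write_text(json.dumps(records, indent=2))


def quarantine(targets, backup_dir) -> List[Dict]:
    """Move each target (file or folder) into backup_dir and record it."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    records = load_manifest(backup_dir)
    for target in targets:
        src = Path(target)
        if not src.exists():
            raise FileNotFoundError(src)
        rec_id = len(records)
        stored_as = f"{rec_id:03d}_{src.name}"        # numbered to avoid name clashes
        records.append({
            "id": rec_id,
            "original": str(src.resolve()),
            "stored_as": stored_as,
            "is_dir": src.is_dir(),
            "sha256": None if src.is_dir() else sha256_of(src),  # hash before it moves
            "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%S"),
            "restored": False,
        })
        # shutil.move is the cut-and-paste: the original location is emptied.
        shutil.move(str(src), str(backup_dir / stored_as))
    save_manifest(backup_dir, records)
    return records


def restore(backup_dir, rec_id: int) -> str:
    """Put one quarantined item back where it came from, verifying its hash first."""
    backup_dir = Path(backup_dir)
    records = load_manifest(backup_dir)
    rec = next(r for r in records if r["id"] == rec_id)
    if rec["restored"]:
        raise ValueError(f"record {rec_id} already restored")
    stored = backup_dir / rec["stored_as"]
    if rec["sha256"] is not None and sha256_of(stored) != rec["sha256"]:
        raise ValueError("quarantined file changed while held; not restoring")
    dest = Path(rec["original"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(stored), str(dest))
    rec["restored"] = True
    save_manifest(backup_dir, records)
    return str(dest)


def demo() -> Dict:
    """Constructed sandbox run: two hypothetical suspects, quarantine both, restore one."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    suspect_file = root / "system32" / "hypothetical.sys"      # hypothetical name
    suspect_file.parent.mkdir()
    suspect_file.write_bytes(b"MZ" + b"\x00" * 62)             # constructed content
    suspect_dir = root / "Application Data" / "HypotheticalFolder"
    suspect_dir.mkdir(parents=True)
    (suspect_dir / "settings.dat").write_text("constructed sample")
    backup = root / "Backup"

    records = quarantine([suspect_file, suspect_dir], backup)
    gone = not suspect_file.exists() and not suspect_dir.exists()
    restored_to = Path(restore(backup, records[0]["id"]))
    return {
        "gone_after_quarantine": gone,
        "stored_names": [r["stored_as"] for r in records],
        "restored_ok": restored_to.exists() and sha256_of(restored_to) == records[0]["sha256"],
        "still_held": [r["stored_as"] for r in load_manifest(backup) if not r["restored"]],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what makes the holding period useful: after a couple of weeks with no breakage you delete the Backup folder as the post says, but if something does break you restore by id rather than guessing where the file lived, and the recorded hash lets you check the file against a scanner's database without putting it back first.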


Offline Wadinator

« Reply #52 on: July 16, 2006, 11:19:11 AM »
questolo,

I'll delete all the restore points and try your advice with the folders. You have been a tremendous help. I sincerely thank you for your help and patience.

Offline guestolo

« Reply #53 on: July 16, 2006, 02:36:09 PM »
You're welcome, optionally, I leave this up to you
These entries in your log
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

Not malicious, but here's some info
You can disable these from running on startup to save on system resources

Quote
Name:   [TkBellExe]Application Scheduler installed along with RealOne_Player Once installed it runs independently of RealOne To disable tkbell.exe in the new version (1) Start RealOne Player (2) Tools - Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK

Quote
Name:   [bigfix]Can automatically download and read technical support information provided by computer and software manufacturers and other technical support experts (published in the form of Fixlet® Messages) and can automatically check your computer for bugs configuration conflicts and security holes. Should only be started manually as it's a resource hog

If you decide to fix both or either
After doing the above instructions to disable Realone Player updater

With all other windows closed have Hijackthis fix checked both those entries

Reboot the computer

If you have no other problems I'll lock this topic shortly, take care
