Tricky one for you - of course with a donation reward.
Join Date: May 2005
Posts: 44
Reputation:
Solved Threads: 0
Gidday guys!
Been a while since I've been to DaniWeb, but again I need you blokes more than ever!
I'm running XP Prof with SP2. I've been running it about 8 months now hassle free, as basic internet security measures from you guys' advice have lounged me well.
Same old story, my sister has clicked a link she got through MSN saying "omg look at my new picture". Needless to say I got infected something cruel, and no matter what my futile efforts involve, I can't seem to rid myself of the spyware. -BUT-, I honestly don't think the spyware is causing my problem.
Basically right now, I'm in Safe Mode with Networking. My internet works, evidently everything that CAN work in Safe Mode with Networking, is working.
My problem is trying to boot normally. I get to my logon screen, go to logon, the Windows ding-down-ding-doong plays, and my computer reboots. Now the weird thing is, if I don't try to log on, it seems that about the time it'd normally take me to log on, my computer reboots! It's like it's timed.
If it's any help to you, I've HijackThis, AVG 7.5 Prof', Spyware Doctor, Ad-Aware, Spybot, CCleaner, ZoneAlarm etc all now installed. I can run all except AVG 7.5, as I bought the CD yet can't install it in Safe Mode.
My findings tell me I'm constantly infected with "Command Services" (cmdservices), but it doesn't seem to be doing any damage. At one point during my infection, I could run my computer with no hassles, which lasted about 10 minutes before I booted MSN (Windows Live Messenger), at which point my computer made its loading sound and restarted.
I got a few phone calls from a few mates telling me I just gave them a link to a photo. Seems everyone on my contact list got it. Thankfully none that I know personally clicked it, though I do feel terrible for those that did. The associated spyware/virus is drsmartload, which loads first when I open Windows Live Messenger, then immediately followed by goll.exe (which I couldn't find any information on, seems to be a randomly named process). I know this because I've Process Explorer by SysInternals running constantly in the hope to catch out whatever it is screwing me over.
Now the reason I don't think it's a virus/spyware hammering my computer is because when I press F8 at the boot screen to obviously get some extra startup options, I -enabled- the "disabled reboot on system failure" (or something similar) option, and now instead of instant-rebooting in normal mode, I get a blue screen of death.
Any information you need I will gladly hand over, and of course like last time I'll be decent-donating upon immediate fix of my problem.
Thanks guys, and let me assure you sister-related computer problems won't happen again, though I can guarantee something else will.
Let me know what you need.
Yours hopefully,
Kiel
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
drsmartload is a spyware and ad delivery trojan, and naturally that one does not aim to give you a BSOD. Cmdservices is a pest. You may have a virus which is designed to do that, or it is unintentional from a bad bit of hacker code. Anyway run HT in safe mode from its own folder with nothing else running [apps or windows], and send the log....
Last edited by gerbil; Oct 23rd, 2006 at 9:52 am.
Join Date: May 2005
Posts: 44
Reputation:
Solved Threads: 0
Heya gerbil, and thanks for your reply mate!
Here's the HJT log!
Logfile of HijackThis v1.99.1
Scan saved at 8:52:12 PM, on 10/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\HJT\HijackThis.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &eBay Search - res://C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13F15250-BC91-4D7E-9E5D-471D49E60DFF}: Domain = wa.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5EDE0E-D293-460A-BD2D-23C5DF92BBD8}: Domain = wa.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS1\Services\Tcpip\..\{13F15250-BC91-4D7E-9E5D-471D49E60DFF}: Domain = wa.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\..\{13F15250-BC91-4D7E-9E5D-471D49E60DFF}: Domain = wa.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\..\{13F15250-BC91-4D7E-9E5D-471D49E60DFF}: Domain = wa.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - D:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Edit: Just noticed I still had ZoneAlarm running...is it okay like this? I'm not overly-confident in shutting it down. But if I must, I must.
Join Date: May 2005
Posts: 44
Reputation:
Solved Threads: 0
Oh, and excuse the double post, but I've lost my Windows XP CD (not lost, I know exactly where it is, it's just not accessible), so I'm wondering, do I need that EXACT CD or will any other XP CD work as a Restore/Recovery feature on my machine?
That is, of course, as an extreme last resort.
Anyone analyze my HJT log?
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Kiel, I am prompted by the history of the affair, your subsequent fault and actions, plus the appearance of the F2 key about userinit.exe in the log to suggest this: As explained in the M$ article [http://support.microsoft.com/kb/892893] the trojan could have inserted a .exe and changed this key's data to point to it....
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
name:- Userinit
data:- C:\WINDOWS\system32\userinit.exe,
::: this is what the data should be, if there is a different .exe there then while in Safe Mode regedit it to userinit.exe, [and you must include that comma!]
Reboot.
Adaware or one of your other scans may have deleted the actual dud .exe, and so this key points to nothing. I doubt if userinit.exe is bad or corrupt, so just change the key data.
But you got into safe mode via the login screen already...!! so I may be contradicting my own thinking.......wondering...you have not passworded the default computer Administration account, have you? I'm not suggesting that you do...
Anyway, just search for userinit.exe in the registry, or that key, and report what you find. I could be way wrong....cos without that file running you should not be able to get in.... but you will not hurt anything by looking.
NOTE. Do NOT fix that F2 entry in the HT log.... u have to have it.
Last edited by gerbil; Oct 24th, 2006 at 3:55 am. Reason: add to my confusion.
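The Userinit check described in the reply above, written out as an added example (not part of any post in this thread). It assumes Windows is installed in C:\WINDOWS, as in that reply; the function names are made up for the illustration, and the sample input is the F2 line from the HijackThis log posted earlier in the thread.

```python
import ntpath
import re

# Value the reply gives for the Winlogon "Userinit" data.
# Assumption: Windows lives in C:\WINDOWS, as on the machine in this thread.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# HijackThis reports the Userinit value on an F2 line.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<data>.*)$",
                         re.IGNORECASE)

# The F2 line copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
"""


def split_userinit(data):
    """Split Userinit data into its comma-separated program entries."""
    entries = []
    for part in data.split(","):
        part = part.strip().strip('"')
        if part:
            entries.append(part)
    return entries


def normalise(path):
    """Compare Windows paths case-insensitively, whatever OS runs this."""
    return ntpath.normcase(ntpath.normpath(path))


def review_userinit(data, expected=EXPECTED_USERINIT):
    """Return (finding, value) pairs for one Userinit value; [] means it matches."""
    findings = []
    # The reply stresses that the trailing comma must be present.
    if not data.rstrip().endswith(","):
        findings.append(("missing-trailing-comma", data))
    entries = split_userinit(data)
    want = normalise(expected)
    if want not in [normalise(e) for e in entries]:
        findings.append(("expected-entry-absent", expected))
    # Anything listed besides the expected program is started at every logon,
    # so each extra entry is reported for manual review.
    for entry in entries:
        if normalise(entry) != want:
            findings.append(("unexpected-entry", entry))
    return findings


def review_hjt_log(text):
    """Find the F2 UserInit line in a HijackThis log and review its data."""
    for line in text.splitlines():
        match = F2_USERINIT.match(line.strip())
        if match:
            return review_userinit(match.group("data"))
    return []  # no F2 UserInit line in this log, nothing to review


if __name__ == "__main__":
    for finding, value in review_hjt_log(SAMPLE_LOG):
        print(finding, value)
```

A finding here only means the value differs from the one quoted in the reply; whether the extra entry is wanted (for example a second Windows install on another drive) still has to be checked by hand.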
Join Date: May 2005
Posts: 44
Reputation:
Solved Threads: 0
Thanks for your effort mate!
Unfortunately, everything seems to be correct in the registry key, it's pointing to C:\Windows\System32\userinit.exe, so I'm assuming it's fine.
What's next!
Edit: Oh, and for your info', the BSoD states the following:
DRIVER_IRQL_NOT_LESS_OR_EQUAL
***STOP 0x000000D1 (0x00000000, 0x00000002, 0x00000000, 0x00000000)
Last edited by Kiel; Oct 24th, 2006 at 7:18 am.
Hi, this is from the site I'm linking,
==================
0x000000D1: DRIVER_IRQL_NOT_LESS_OR_EQUAL
(Click to consult the online Win XP Resource Kit article.)
The system attempted to access pageable memory using a kernel process IRQL that was too high. The most typical cause is a bad device driver (one that uses improper addresses). It can also be caused by faulty or mismatched RAM, or a damaged pagefile.
===================
Scroll way down near the bottom of the list for your BSOD error.
http://www.aumha.org/win5/kbestop.php
Last edited by caperjack; Oct 24th, 2006 at 6:04 pm.
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
The product key is not coded into the XP CD, but is a unique code and when used with M$ activation creates a code specific to the major hardware models and serial numbers in your pc. So any genuine Microsoft CD will do, just make sure to use your product code.
Do you still have cmdservices? Spybot should detect it and disclose its keys. If so, get delcmdservice from here:-
http://users.telenet.be/marcvn/tools/delcmdservice.zip
Unzip it, onto your desktop will do nicely, and dclick on the delcmdservice folder, dclick on delreg.bat to start it. When the tool finishes reboot your computer.
The Driver irql not less than or equal error implies that a driver with a high irql was unable to over-ride a driver operation with a lower irql => conflict. This can come from a RAM error [swap sticks to check it, or run a memtest] or other hardware problems such as overheating on a graphics card..... or driver conflicts. The code STOP 0x000000D1 (0x00000000, 0x00000002, 0x00000000, 0x00000000) does not help me much more than that...
You can check your drivers at the windows update catalog :-
http://update.microsoft.com/microsof....aspx?ln=en-us
...and of course at your manufacturer's sites.
Btw, your log is clean.. if u suspect something lingering go to f-secure at http://www.f-secure.com/blacklight/ and download their trial blacklight tool, or to www.sysinternals.com and run RKR [follow their instructions to a T!!], or do the pandaonlinescan from here:-
http://www.pandasoftware.com/products/activescan?
Keep in touch....
Last edited by gerbil; Oct 24th, 2006 at 10:26 pm. Reason: added urls.