Spyware.AproposMedia

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Command Service (or if not found look for cmdService) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Command Service

If that does not work try entering the short name: cmdService

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Windows Overlay Components ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Windows Overlay Components

Now exit HJT but do not reboot if told it need to do so. We will do that later after restarting HJT to fix other problems. We will also double check in HJT to fix the above.

Did you want the below two R1 lines set to about:blank? If not, add them to the list for HJT to fix.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2hhcnVjaw\command.exe (file missing) <--- may be gone already
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\kvvbhay.exe (file missing) <--- may be gone already


After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete (if found):
C:\Program Files\AutoUpdate <--- the whole folder
C:\WINDOWS\Q2hhcnVjaw <--- the whole folder
C:\WINDOWS\kvvbhay.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.


.

 

You're log is clean!

I would recommend getting rid of Windows Messenger as it can be a source or pops.
You can use this to do that: Disable/Remove Windows Messenger

Also you should now check out the below:

How to Protect yourself from malware!

 

You should have already had MS Antispyware installed and run! It is part of the READ & RUN ME which you said you ran.

The more tools you run the more stuff you can find. Quite often, the additional things found like this are either dormant or harmless. As long as they were fixed, there is nothing to worry about.

 

OK! So is everything running OK now?

 

That's just a tracking cookie! You will get them on many sites including Majorgeeks. Most tracking cookies are not problems. They are just used to determine which advertisements on each web page to show you. They will keep coming back each time you do any surfing anywhere.

 

A friend of mine (PhilliePhan) has pointed out that it may be worth running the below procedure to be sure we have gotten all of AproposMedia. Run the steps in the below link. Make sure they are run from safe mode boot.

AproposMedia Fix

 

You're welcome! Your clean. Just make sure you complete the steps in How to Protect yourself from malware! as I mentioned before. You need a real firewall which is covered there too.