CmdService. . .for a change



dadawa
2006-05-07, 21:29
This laptop comes up clean in all scans. (Or does it?) Except for those three pesky cmdservice registry keys that just won't go away. Suggestions?

Logfile of HijackThis v1.99.1
Scan saved at 12:16:34 PM, on 5/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\LogMeIn\ragui.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\starz\starzd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\ms036100549195.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SMBOLS~1\regsvr32.exe
C:\Program Files\??stem32\??erinit.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [starzd] "C:\Program Files\Real\RealPlayer\starz\starzd.exe" 86400000
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [ms036100549195] C:\WINDOWS\ms036100549195.exe
O4 - HKLM\..\Run: [wda08222.dll] RUNDLL32.EXE wda08222.dll,I2 0008247a0da08222
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Uuse] "C:\WINDOWS\SMBOLS~1\regsvr32.exe" -vt yazr
O4 - HKCU\..\Run: [Ncdsn] C:\Program Files\??stem32\??erinit.exe
O4 - HKCU\..\Run: [fkqi] C:\PROGRA~1\COMMON~1\fkqi\fkqim.exe
O4 - HKCU\..\Run: [icxhc] C:\WINDOWS\System32\nomobe.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = ?
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.napster.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/296b70ce676e8c8f0b02/netzip/RdxIE601.cab
O16 - DPF: {5CAD44F7-50E5-4761-84A9-7C84F8EC2158} (Napster inforeader control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\l00u0ad9ed0.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

LonnyRJones
2006-05-10, 18:14
Welcome dadawa

Put HijackThis in a folder such as C:\antispyware, run it again, save a log and post it; the formatting is all messed up in your first one.
Sample of how it should look: http://forums.spybot.info/showpost.php?p=24434&postcount=12

dadawa
2006-05-11, 06:02
Thanks for your reply. I hope this log is more legible. I have attached it as a .txt. I'm pulling it off the PC and sending on a Mac, so formatting gets messed up when I paste.

LonnyRJones
2006-05-11, 08:24
Thanks

Download and run Look2Me-Destroyer: http://www.atribune.org/content/view/28/
After the PC is restarted, post its log.


Start HijackThis and place a check next to these items, if there:
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ms036100549195] C:\WINDOWS\ms036100549195.exe
O4 - HKLM\..\Run: [wda08222.dll] RUNDLL32.EXE wda08222.dll,I2 0008247a0da08222
O4 - HKCU\..\Run: [Uuse] "C:\WINDOWS\SMBOLS~1\regsvr32.exe" -vt yazr
O4 - HKCU\..\Run: [Ncdsn] C:\Program Files\??stem32\??erinit.exe
O4 - HKCU\..\Run: [fkqi] C:\PROGRA~1\COMMON~1\fkqi\fkqim.exe
O4 - HKCU\..\Run: [icxhc] C:\WINDOWS\System32\nomobe.exe reg_run
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\l00u0ad9ed0.dll (file missing)
====================================
Hit Fix checked and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copy the contents of the quote box below into a new Notepad document (not WordPad).
Click File > Save As... > call it check.bat > file type *All Files* > and save it to the desktop.



Chcp 1251
REM /U writes the listing as Unicode, so folder names with non-Latin letters are kept intact in log.txt
REM /AD lists directories only; /B gives bare names without headers or sizes
cmd /U /C dir /B /AD %windir% >log.txt
cmd /U /C echo.___________________________________ >>log.txt
cmd /U /C dir /B /AD "%ProgramFiles%" >>log.txt
cmd /U /C echo.___________________________________ >>log.txt
cmd /U /C dir /B /AD "%CommonProgramFiles%" >>log.txt
cmd /U /C echo.___________________________________ >>log.txt
cmd /U /C dir /B /AD "%userprofile%\MYDOCU~1" >>log.txt
exit


Run check.bat and post back the log.txt


Post a fresh hijackthis log please, be sure to mention any current problems.

dadawa
2006-05-12, 08:31
log attached.

dadawa
2006-05-12, 09:02
files attached

LonnyRJones
2006-05-12, 10:12
Manually delete these folders:
c:\program files\common files\fkqi
c:\windows\fkqi
c:\program files\ѕуstem32
c:\program files\Yazzle Snowball Wars

Replace your hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly to keep it updated

Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted.
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text file will open when it is finished. Post it please.
Then restart the PC, run SpyBot, and check for and fix any problems found.
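The folder list from check.bat exists to expose names like the one above: a "ѕуstem32" spelled with Cyrillic letters, which renders like the real System32 but is a different path. The check below is an added example (mine, not the thread's or the tools' own code) that runs the same idea over HijackThis O4 lines: it flags path components containing non-ASCII look-alike characters and flags System32-only binaries such as regsvr32.exe launched from some other folder. It assumes SystemRoot is C:\WINDOWS, a small illustrative confusables table, and constructed sample lines.

```python
"""Added check (not from the thread): flag HijackThis O4 entries whose path uses
look-alike non-ASCII names or launches a System32-only binary from elsewhere."""
import re
import unicodedata

SYSTEM32 = r"c:\windows\system32"  # assumed SystemRoot, as on the thread's machine
# Binaries that should only launch from System32 (illustrative set, an assumption).
SYSTEM32_ONLY = {"regsvr32.exe", "userinit.exe", "rundll32.exe"}
# Cyrillic letters that render like Latin ones; illustrative, not a complete table.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y",
               "х": "x", "ѕ": "s", "і": "i", "ј": "j"}
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|bat|cmd))"?(?:\s|$)', re.I)

def fold(s):
    """Map confusable characters to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(c, c) for c in s)

def check_path(path):
    """Return human-readable findings for one executable path (empty if clean)."""
    findings = []
    parts = path.split("\\")
    for part in parts:
        odd = [unicodedata.name(c, "U+%04X" % ord(c)) for c in part if ord(c) > 127]
        if odd:
            findings.append("'%s' contains %s; reads as '%s'" % (part, ", ".join(odd), fold(part)))
    exe, parent = parts[-1].lower(), "\\".join(parts[:-1]).lower()
    if fold(exe) in SYSTEM32_ONLY and parent != SYSTEM32:
        findings.append("%s launched from '%s', not System32" % (exe, parent))
    return findings

def scan_o4(lines):
    """Return {entry name: findings} for the O4 lines that have something to flag."""
    report = {}
    for line in lines:
        m = O4_RE.match(line.strip())
        p = PATH_RE.match(m.group("target")) if m else None
        findings = check_path(p.group("path")) if p else []
        if findings:
            report[m.group("name")] = findings
    return report

# Constructed sample modelled on the thread's log; the Cyrillic folder name is the one
# the thread names, the file placed beside it is made up for the demo.
SAMPLE = [
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r'O4 - HKCU\..\Run: [Uuse] "C:\WINDOWS\SYMBOLS\regsvr32.exe" -vt yazr',
    r"O4 - HKCU\..\Run: [Ncdsn] C:\Program Files\ѕуstem32\userinit.exe",
]
```

Calling scan_o4(SAMPLE) reports only Uuse and Ncdsn; the two stock Toshiba and AVG entries come back clean.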

dadawa
2006-05-12, 17:02
file attached

dadawa
2006-05-12, 17:20
This time, Spybot was able to remove the three CmdService Registry keys. Life is good.

Many thanks.

LonnyRJones
2006-05-13, 03:29
Great

C:\WINDOWS\SYMBOLS\regsvr32.exe - delete that file at only that location.
Are there any other files in that folder?
Don't delete it unless it is empty.

dadawa
2006-05-13, 19:14
I didn't find anything in the symbols file.

Regsvr32.exe is present at several other locations on the hard drive, but I did not delete any of those copies.

LonnyRJones
2006-05-13, 19:38
You can delete the symbols folder.
You're good to go :)
Surf safe

tashi
2006-05-18, 01:07
As the problem appears to be resolved this topic will be archived.

If you need it re-opened please send me a pm and provide a link to the thread.