View Full Version : Cmdservice and lots of pop ups
Im not really into this all. But after visiting a wrong site and clicking a wrong file I got totally infected by all kind of crap (pop-ups an even more pop ups).
Spy-bot does find the infected files, but cant delete them. Adaware has the same problem. So I installed hijackthis and made a log:
Logfile of HijackThis v1.99.1
Scan saved at 22:52:40, on 12-5-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\HP_Eigenaar\Mijn documenten\Downloads\BitLord\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\defender19a.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\HP_EIG~1\LOCALS~1\Temp\Tijdelijke map 1 voor hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Documents and Settings\HP_Eigenaar\Mijn documenten\Downloads\BitLord\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard19.exe
O4 - HKLM\..\Run: [newname] C:\\newname19.exe
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Zoeken - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Woord vertalen in het Nederlands - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\g4jo0e13eh.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
I hope someone can help me. Thanks in advance.
pskelley
2006-05-13, 02:34
Hello and welcome to the forum. You have a Look2me infection and some other junk. Follow these directions and we will see how does.
1) You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe as we will have no backups. That is why you received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder, I prefer C:\HJT\HijackThis.exe. If you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
2) See this: http://castlecops.com/startuplist-5306.html >>> C:\WINDOWS\ALCMTR.EXE I will schedule removal, if you don't wish it removed, pass over the instructions, it is optional.
Thanks to Atribune and any others who helped with this fix
3) Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
(please hold the logs until the end of the instructions)
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
More info:
If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isnt you can use sc.exe to start it
start>run sc start schedule press enter.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [keyboard] C:\\keyboard19.exe
O4 - HKLM\..\Run: [newname] C:\\newname19.exe
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\g4jo0e13eh.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\\keyboard19.exe >>> file
C:\\newname19.exe >>> file
C:\\defender19a.exe >>> file
C:\WINDOWS\ALCMTR.EXE >>> file
C:\Program Files\Network Monitor\ >>> folder
C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.
Restart the computer and post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. Please include any information you think I should have and any comments you think will help.
Thanks...pskelley
Safer Networking Forums
Thank you for the help.
Comments in advance:
- I placed HijackThis in a folder of his own (C;//Program Files/Hijack, and I tried more), but he keeps saying that the folder is temporarely.
- I did the entire checklist, Look2Me scan completed without problems, but I couldnt get it an automatic restart after that.
- This file wasnt there at all: O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\g4jo0e13eh.dll
- Except from the above part everything went fine, so thanks again, because at the moment for the first time in a few weeks I can see an forum page without having pop-ups every minute.
HJ log file
Logfile of HijackThis v1.99.1
Scan saved at 11:06:32, on 13-5-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\HP_Eigenaar\Mijn documenten\Downloads\BitLord\daemon.exe
C:\WINDOWS\THVjYXMgTG9lZmZlbg\command.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\webHancer\Programs\whsurvey.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\WINDOWS\System32\alg.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Documents and Settings\HP_Eigenaar\Mijn documenten\Downloads\BitLord\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Zoeken - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Woord vertalen in het Nederlands - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\THVjYXMgTG9lZmZlbg\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Look2Me-Destroyer File:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 13-5-2006 10:44:08
Infected! C:\WINDOWS\system32\r48slel71hq.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019753.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019807.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019818.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019824.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019952.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019958.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0020045.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0020046.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0021050.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022054.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022057.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022073.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022074.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022087.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022096.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022097.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022106.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022107.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP142\A0022119.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP142\A0022120.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP143\A0022129.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP143\A0022131.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP144\A0022145.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP144\A0022146.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP145\A0022157.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP145\A0022158.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022170.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022171.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022178.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022179.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022197.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022287.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022288.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022296.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022306.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022314.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022319.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022322.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022327.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022331.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022338.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022340.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022347.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022352.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022405.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022439.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022453.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP149\A0022489.dll
Infected! C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP149\A0022496.dll
Infected! C:\WINDOWS\system32\g6jo0g13e6.dll
Infected! C:\WINDOWS\system32\h60qlgd5160.dll
Infected! C:\WINDOWS\system32\kddit.dll
Infected! C:\WINDOWS\system32\lbfax13n.dll
Infected! C:\WINDOWS\system32\meprivs.dll
Infected! C:\WINDOWS\system32\mycories.dll
Infected! C:\WINDOWS\system32\nzrspl.dll
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\r48slel71hq.dll
C:\WINDOWS\system32\r48slel71hq.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019753.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019753.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019807.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019807.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019818.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019818.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019824.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019824.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019952.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019952.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019958.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0019958.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0020045.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0020045.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0020046.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0020046.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0021050.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0021050.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022054.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022054.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022057.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022057.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022073.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022073.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022074.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP140\A0022074.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022087.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022087.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022096.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022096.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022097.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022097.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022106.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022106.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022107.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP141\A0022107.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP142\A0022119.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP142\A0022119.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP142\A0022120.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP142\A0022120.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP143\A0022129.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP143\A0022129.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP143\A0022131.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP143\A0022131.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP144\A0022145.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP144\A0022145.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP144\A0022146.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP144\A0022146.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP145\A0022157.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP145\A0022157.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP145\A0022158.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP145\A0022158.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022170.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022170.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022171.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022171.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022178.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022178.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022179.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022179.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022197.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP146\A0022197.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022287.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022287.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022288.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022288.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022296.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022296.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022306.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022306.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022314.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022314.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022319.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022319.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022322.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022322.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022327.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022327.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022331.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022331.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022338.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022338.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022340.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022340.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022347.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022347.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022352.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022352.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022405.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022405.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022439.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022439.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022453.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP147\A0022453.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP149\A0022489.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP149\A0022489.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP149\A0022496.dll
C:\System Volume Information\_restore{89F3906E-EC2B-460B-AE11-2F9FAB20AC86}\RP149\A0022496.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\g6jo0g13e6.dll
C:\WINDOWS\system32\g6jo0g13e6.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\h60qlgd5160.dll
C:\WINDOWS\system32\h60qlgd5160.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\kddit.dll
C:\WINDOWS\system32\kddit.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\lbfax13n.dll
C:\WINDOWS\system32\lbfax13n.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\meprivs.dll
C:\WINDOWS\system32\meprivs.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\mycories.dll
C:\WINDOWS\system32\mycories.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\nzrspl.dll
C:\WINDOWS\system32\nzrspl.dll could not be deleted!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnceEx
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FACE09F4-A641-4EBD-AEA1-09E183AACB41}"
HKCR\Clsid\{FACE09F4-A641-4EBD-AEA1-09E183AACB41}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0C0F22C8-8BA1-479F-A226-64DC9342E5A1}"
HKCR\Clsid\{0C0F22C8-8BA1-479F-A226-64DC9342E5A1}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4455DC91-3BBE-4D0C-96FF-D32E6E5646DE}"
HKCR\Clsid\{4455DC91-3BBE-4D0C-96FF-D32E6E5646DE}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{42CB14E2-6710-4B64-91D7-BEE5E82A24BD}"
HKCR\Clsid\{42CB14E2-6710-4B64-91D7-BEE5E82A24BD}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
pskelley
2006-05-13, 13:59
I am looking over your information and your comments and will respond. First I need to say that while you did remove the Loom2me infection, you have become infected with more junk, see this:
C:\WINDOWS\THVjYXMgTG9lZmZlbg\command.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com and this:
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
While your computer is infected and in a weakened state you must keep it offline as much as possible or we will not be able to clean it up...thanks.
I will only comment where on is required:
I placed HijackThis in a folder of his own (C;//Program Files/Hijack, and I tried more), but he keeps saying that the folder is temporarely.
Here is where it is now: C:\HijackThis.exe (no folder) Return to C:\ and point your mouse at a blank area and right click it, then choose NEW > Folder. In the box type HJT. Then drag the HJT.exe into that folder (you can also cut and paste) then it will be like this: C:\HJT\HijackThis.exe which is perfect.
I hope you did not install this Webhancer junk on purpose? Make sure you complete one instruction before starting another and complete them in the numbered order.
(DO NOT use System Restore for any reason, it is badly infected and we will clean it before we are done)
1) Follow the instruction in this link, because Webhancer has hijacked your LSP/Winsock, we can not remove it with HJT. Read and follow these instructions:
http://www.webhancer.com/support/index.asp?s=30
2) We need to remove the bad service like this:
A) Disable the offending Service
Click Start > Run and type services.msc
Scroll down to Command Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
B) Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type (cmdService) and press OK.
OK any prompts, close HijackThis, and restart your computer.
C) Open HJT then click the "Open the Misc Tools section" then click "Open process manager" look on that list for: C:\WINDOWS\THVjYXMgTG9lZmZlbg\command.exe If it is there, highlite it and click the Kill process button.
3) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/) it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)
Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(I left the Google startpage, you can set and Home Page you wish in Internet Explorer. If you need help doing this let me know)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
(webhancer should be gone, but just in case, I am including it)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\THVjYXMgTG9lZmZlbg\command.exe
(should be gone)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
RIGHT Click on Start then click on Explore. Locate and delete these items:
(these should be gone also, but double check)
C:\Program Files\webHancer\ <<< folder
C:\WINDOWS\THVjYXMgTG9lZmZlbg\ <<< folder
Empty the recycle bin and restart the computer. Post the ewido scan results and a new HijackThis log.
Thanks...
I really appreciate all the help you are giving me, tho I dont really understand all the steps you gave the first time, I did them all 1 by 1.
But before Im going to follow all the other steps I have to confess something. I dont know if it was smart, but I did a few scans (Adaware and Spy-bot) and they deleted a bunch of stuff. Only Spybot finds 3 more Command Service entries and 1 entry of Coolwwwsearch.
I made a Hijacklog, again, and hopefully I didnt screw things up. If you think its smart just to do the steps you gave me in the last post, just say so, and I will comply.
Again thanks for the help.
Hijacklog:
Logfile of HijackThis v1.99.1
Scan saved at 18:09:17, on 13-5-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\HP_Eigenaar\Mijn documenten\Downloads\BitLord\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\HP_Eigenaar\Mijn documenten\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=NL_NL&c=Q305&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Documents and Settings\HP_Eigenaar\Mijn documenten\Downloads\BitLord\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Zoeken - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Woord vertalen in het Nederlands - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Verbindingshelp - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
pskelley
2006-05-13, 18:39
If you wanted to do this yourself, there was no reason to post here, and we could have used the time to help others, having said that, this HJT log is clean of malware. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
(if you used ewido, since I saw no scan report as requested)
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
This is important >>> System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
But before Im going to follow all the other steps I have to confess something. I dont know if it was smart, but I did a few scans (Adaware and Spy-bot) and they deleted a bunch of stuff. Only Spybot finds 3 more Command Service entries and 1 entry of Coolwwwsearch.Yes, you should have followed my directions exactly. You have done no harm running the programs, but as I look at the prograss I gauge it according to what I am doing on this end. When you run programs I have not assed for, I am here assuming the changes are occuring becuase of my instructions. Two people can not drive the same car, you know what will soon happen.
You need to make sure those programs Spybot and Ad-aware are updated and configured like this: http://tomcoyote.org/aawsb.php
Then run Spybot again and if you still get the Command Service issues, try this:
Please download and unzip Ren-cmdservice to your Desktop.
It will only work correctly if the folder is placed on your Desktop and extracted !!.http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run spybot check for and fix any problems found.
The CWS item should be removed by a updated Spybot. No need to post again if this takes care of all issues.
tashi will close you in a couple of days.
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Yes, you should have followed my directions exactly. You have done no harm running the programs, but as I look at the prograss I gauge it according to what I am doing on this end. When you run programs I have not assed for, I am here assuming the changes are occuring becuase of my instructions. Two people can not drive the same car, you know what will soon happen.
Please, dont get me wrong. After you gave me those first instructions I followed them exactly. But while I was waiting for a response I thought it would be harmless to do a few extra scans. With that, the old Hijack log I gave you was kinda useless and because of that, so was your second instruction. My apologies for that, and for the extra time you spended.
But, in the end, without your help I coulnt have done it, so thank you for the last time. Next time, Ill let you drive the car...
Greetings
LonnyRJones
2006-05-14, 14:53
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.