PDA

View Full Version : Command Service / Adware_CommandDesktop / cmdService



clifft20
2006-07-20, 14:15
Hi,

A 'friend' has a laptop that he's managed to get infected to the eyeballs. I have managed to get rid of nearly all the bad stuff now (I think) but am still stuff on one (?) last problem.
I've been searching t'internet and you guys seem to be the only ones that have been able to get rid of this particular pest.

details:
Toshiba Satellite A30
XP Home sp1
3 user accounts + admin (I have run most scans from a new admin account I created)
All scans have been in normal and safe mode
I've now read that I shouldn't apply updates but had attempted to but couldn't - Microsoft comments were to ensure Autoupdates, BITS, and Event log services were running (they were not, but it still didnt work in normal or safe when they were)

At startup I get error message that it can't find w00597f2.dll

So far I have run spybot 1.4 and that finds but cant del:
"Command Service"
HKLM\SYSTEM\ControlSet004\Services\cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService

Housecall shows one event of "Adware_CommandDesktop" which it can't del (plus a number of vulnerabilities)

Ewido 4.0 finds nothing now.

I appreciate I may have muddied the water somewhat as I have thrown a number of different antibad apps at this laptop to get rid of all the other stuff. I have included the obligatory HJT log in the vein hope that you guys can show me the light and make me look good in front of my mate...

Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 11:09:04, on 20/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\tris\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/time/reg/anytime/choice2.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {510FA18B-54BC-4041-8BC2-D5FD4D4CC8EF} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [CPLDBL10] "C:\Program Files\EzButton\CPLDBL10.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [w00597f2.dll] "RUNDLL32.EXE" w00597f2.dll,I2 0002d517000597f2
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [47E25341] C:\WINDOWS\System32\hlsqzkgij.exe
O4 - HKLM\..\Run: [rkfvtm] C:\WINDOWS\System32\stbeto.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\ADHelper.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/time/reg/anytime/choice2.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/sites/winantivirus.com/main/pages/scanner/files/WinAntiVirusPro2006ScannerInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48A9A87C-7BA3-49A1-83A6-CA44E6922B85}: NameServer = 212.159.13.50,212.159.13.49
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msmgs.exe (file missing)

Obviously, all assistance is greatly appreciated - if you have the time could you also give an indication of where I went wrong also as I think it would be a valuable thread for a) me to see how I can improve and b) other people to not waste your time with the basics

kind regards

clifft20
2006-07-20, 14:30
also, adaware 1.6 doesnt show anything anymore either

pskelley
2006-07-24, 03:08
Hello and welcome to the forum. Learning to evaluate a HJT log is a complex and long learning experience. I am in my 6th year and there is something new to learn everyday. I can point you at several free schools if you want to learn more, we are very outnumbered and can use all of the help we can get.

This item so you know one of the trojans at work, there are others I can't even identify.
O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msmgs.exe (file missing) <<< that file is not missing, a Google of the file:
http://www.liutilities.com/products/wintaskspro/processlibrary/msmgs/
These hackers can call their junk what they want, we have to learn to identify and remove it.

Let's give this a try and see if it works.

1) You are running HJT.exe from a .zip file in a Temporary Directory. This is unsafe as we will have no backups. That is why you received this message when you used HJT: http://russelltexas.com/malware/images/unsafefolder.gif
Please use the information in the following link to place HJT in a permanent, safe folder, I prefer C:\HJT\HijackThis.exe. If you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
do this before you proceed

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) We must stop the item from running by disabling it, then we will try to delete it. I don't know what will happen without a name, if HJT won't delete it for us, we will need to manually delete the file.

Disable the offending Service
Click Start > Run and type services.msc
Scroll down to Windows web messenger and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type Windows web messenger and press OK.
OK any prompts, close HijackThis, and restart your computer.
(don't know if that will work but give it a try. and let me know)

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {510FA18B-54BC-4041-8BC2-D5FD4D4CC8EF} - (no file)
O4 - HKLM\..\Run: [w00597f2.dll] "RUNDLL32.EXE" w00597f2.dll,I2 0002d517000597f2
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [47E25341] C:\WINDOWS\System32\hlsqzkgij.exe
O4 - HKLM\..\Run: [rkfvtm] C:\WINDOWS\System32\stbeto.exe reg_run
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
(rouge spyware program)
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://locator1.cdn.imagesrvr.com/si...nerInstall.cab
O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msmgs.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\System32\hlsqzkgij.exe <<< delete this file

C:\WINDOWS\System32\stbeto.exe <<< delete this file

C:\Program Files\SpywareBot\ <<< delete this folder

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log along with your comments. How is the computer running now?

I will see how we did as soon as possible after you post. We may have issues with SpySweeper or ewido blocking the fix, we will see. I do want to know if you own either of those programs so I will know how to advise you.

As soon as you have the HJT log posted, then update ewido and run a complete system scan, remove what it finds unless you know it is not bad. Post the ewido scan results as soon as you have them.

If Command Service is still an issue, we will address that once the rest of the malware is gone.

Thanks...pskelley
Safer Networking Forums

clifft20
2006-07-26, 00:07
sorry for slow reply (away from pc 4 a cpl days)
to run through instructions:

1 through 4 - done ok

5 - all checked and fixed except: O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msmgs.exe. It was not present

6 - 2 files, 1 folder were not present

7 - done ok
######################
restarted and ran HJT:

Logfile of HijackThis v1.99.1
Scan saved at 21:06:18, on 25/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\EzButton\CPLDBL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Audible\Bin\ADHelper.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/time/reg/anytime/choice2.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [CeEPOWER] "C:\Program Files\TOSHIBA\Power Management\CePMTray.exe"
O4 - HKLM\..\Run: [CPLDBL10] "C:\Program Files\EzButton\CPLDBL10.EXE"
O4 - HKLM\..\Run: [CeEKEY] "C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe"
O4 - HKLM\..\Run: [TPNF] "C:\Program Files\TOSHIBA\TouchPad\TPTray.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\ADHelper.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/time/reg/anytime/choice2.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48A9A87C-7BA3-49A1-83A6-CA44E6922B85}: NameServer = 212.159.13.50,212.159.13.49
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
#########################
updated and ran ewido:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:35:55 25/07/2006

+ Scan result:



C:\WINDOWS\aa6cncte.exe -> Adware.Sahat : Cleaned with backup (quarantined).


::Report end
#############
ran spybot and found command service again
###############

I've only got trial copies of SpySweeper or ewido. iv been reluctant to buy them as a) it's not my pc b) every app i've tried seems to find different problems and it feels like the once you buy one you'll start a spiral of having to buy them all.

whats next, boss?

pskelley
2006-07-26, 00:36
Good work, the HJT log is clean:bigthumb: how is the computer running? If all is well, tashi:) will close your topic in a day or so.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

ewido and SpySweeper are both good programs, but I personally find freeware programs do a good job. I can see no reason to keep SpySweeper, though I do suggest the free scanner with ewido can be updated and used for as long as you like. One way or another, there is no reason for you to have them running in services (023) they both use a load of resources. My suggestion is disable ewido and keep it, and uninstall SpySweeper.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

clifft20
2006-07-26, 00:57
what's the deal with spybot still finding command service? is it still there?

pskelley
2006-07-26, 01:18
Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted !!.
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run spybot check for and fix any problems found.

clifft20
2006-07-26, 01:32
Running from C:\Documents and Settings\tris\Desktop\ren-cmdservice\ren-cmdservice
No Image Path Listed in Registry

-----------------
Deleting cmdservice key
cmdservice key deleted
..
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
Finised, Post this text then
Please Restart your PC
ren-cmdservice.bat edited 6-25-2006
-----------------

clifft20
2006-07-26, 01:38
thanks for the note sjc. will take a look.

looking at the log that pskelley's batch file has produced, this also appears to have done the trick.

Am doing as ordered now and rebooting so watching this space...

clifft20
2006-07-26, 13:41
The man's (?) a genius!

Thanks pskelley for all your help. I now have one clean machine (and a happy friend)

moe than happy for tashi to close.

I will look through the other links you have included here also to try and get a bit of learning done.

thanks again!:angel:

LonnyRJones
2006-07-31, 00:25
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let one of us know via a PM (personal message).