View Full Version : Unable to remove Command Service
Hi,
I have run a full scan with Norton Anti Virus 2004 and AVG Free Edition which found nothing, then rebooted into Safe Mode and run a Spybot scan which was unable to remove Command Service. Here is HiJack log taken after I rebooted back into normal Windows: -
Logfile of HijackThis v1.99.1
Scan saved at 13:13:32, on 27/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [Windows Recylinder Check] sluqxnugsv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb049AXGB_ZNxdm414YYCA
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Any help is greatly appreciated.
pskelley
2006-07-28, 02:56
Hello and welcome to the forum, review this information: http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
Update and run a complete sustem scan with the one you keep. Post for me the complete name and pathway of anything found that can not be removed.
Is Spybot the only program finding Command Service? Could you copy and paste the information about Command Service Spybot is locating.
Post a new HJT log.
Thanks...pskelley
Safer Networking Forums
Thanks for your prompt reply.
OK, I've removed AVG Free Anti Virus from my machine and I've updated Norton Anti Virus 2004 to the latest definitions and run a full system scan, but still nothing. Rebooting into Safe Mode and running Spybot it has again found Command Service: -
Settings - > HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService (which it says it has fixed after I select "Fix selected problems" but it keeps re-appearing in subsequent scans)
Settings -> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService (which Spybot is unable to fix)
Settings -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (which Spybot is unable to fix)
I have run a full system scan with AdAware and eWido Antispyware and both found problems and removed them, but I can't remember if Command Service was one of them.
Here is the new HJT log: -
Logfile of HijackThis v1.99.1
Scan saved at 13:50:10, on 28/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [Windows Recylinder Check] sluqxnugsv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb049AXGB_ZNxdm414YYCA
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks in advance.
pskelley
2006-07-28, 15:42
Thanks for returning that information, we do have other problems, like this one:
O4 - HKLM\..\RunServices: [Windows Recylinder Check] sluqxnugsv.exe
Read about it: http://www.sophos.com/security/analyses/w32rbotegj.html
so you will know what it have done to your computer.
The following registry entries are created to run zwdomsgemw.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Recylinder Check
zwdomsgemw.exe
I see a little more junk also. We will try to take care of all problems at once and clean a little also. Let's see what happens.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Windows Defender will block the changes we must make, turn it off until you are done:
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
4) Same applies to SpybotSD TeaTimer, use these instructions:
http://russelltexas.com/malware/teatimer.htm
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(with the file missing this item is not working or not working right, if you use it, reinstall it when we are done)
O3 - Toolbar: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O4 - HKLM\..\RunServices: [Windows Recylinder Check] sluqxnugsv.exe
W32/Rbot <<< BAD
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...B_ZNxdm414YYCA
O9 - Extra button: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: Morpheus Toolbar - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - C:\Program Files\Morpheus Toolbar\morpheustoolbar.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
sluqxnugsv.exe <<< file (search for that file and delete it, it may be gone but you must be sure!!)
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
8) Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted !!.
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run spybot check for and fix any problems found.
Post a new HJT log, let me know if that took care of all issues.
Thanks...Phil
Once that is done, update ewido and run a complete system scan, post those results as soon as you have them.
The post from ren-cmdservice: -
Running from C:\Documents and Settings\ziggy\Desktop\ren-cmdservice\ren-cmdservice
No Image Path Listed in Registry
-----------------
Deleting cmdservice key
cmdservice key deleted
..
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
Finised, Post this text then
Please Restart your PC
ren-cmdservice.bat edited 6-25-2006
-----------------
Restarted PC and then ran Spybot and it found the following problem: -
Windows Security Center.AntiVirusDisableNotify
Settings - > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
which I haven't fixed as I'm not sure whether it is legitimate or not.
Here is the new HJT log: -
Logfile of HijackThis v1.99.1
Scan saved at 11:45:37, on 31/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/broadband
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/broadband
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks for your help.
Please see below the report from ewido AntiSpyware. I successfully quarantined the item in question.
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 13:08:07 31/07/2006
+ Scan result:
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP312\A0109858.exe/toolbar.dll -> Adware.Softomate : No action taken.
::Report end
Please see below two further reports from ewido that I had previously to give you some background information: -
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 14:56:11 26/07/2006
+ Scan result:
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP307\A0108757.exe -> Adware.ClickSpring : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP307\A0108756.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP291\A0074293.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP293\A0074445.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP300\A0091150.dll -> Adware.Softomate : No action taken.
C:\WINDOWS\zornnn.exe/toolbar.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP301\A0091397.dll -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP293\A0075471.exe/mmx0wn3.exe -> Adware.Virtumonde : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP293\A0075476.exe -> Adware.Virtumonde : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108788.dll -> Adware.Virtumonde : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108803.exe -> Adware.Virtumonde : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108805.exe/mmx0wn3.exe -> Adware.Virtumonde : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP290\snapshot\MFEX-13.DAT -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP290\snapshot\MFEX-14.DAT -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP290\snapshot\MFEX-15.DAT -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP300\A0091164.exe -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP301\A0091400.dll -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP301\A0091401.DLL -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP301\A0091402.exe -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP304\A0105500.exe/whAgent.exe -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108790.exe -> Downloader.Adload.ce : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP293\A0075471.exe/drsmartload408a.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP293\A0075473.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108791.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108796.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108797.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108798.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108802.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108804.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108805.exe/drsmartload408a.exe -> Downloader.Adload.ch : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP290\A0068194.exe -> Downloader.PurityScan.cm : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108793.exe -> Downloader.VB.afn : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108794.exe -> Downloader.VB.afn : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108795.exe -> Downloader.VB.afn : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108799.exe -> Downloader.VB.afn : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108800.exe -> Downloader.VB.afn : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108801.exe -> Downloader.VB.afn : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@112.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@112.2o7[3].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@122.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@opodo.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@thomascook.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@adopt.euroclick[3].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@sales.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@stats1.reliablestats[3].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@server3.web-stat[2].txt -> TrackingCookie.Web-stat : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@server3.web-stat[3].txt -> TrackingCookie.Web-stat : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\ziggy\Cookies\ziggy@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP296\A0078521.exe -> Trojan.VB.abv : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP296\A0079508.exe -> Trojan.VB.abv : No action taken.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP296\A0079510.exe -> Trojan.VB.abv : No action taken.
::Report end
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 14:57:45 26/07/2006
+ Scan result:
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP307\A0108757.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP307\A0108756.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP291\A0074293.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP293\A0074445.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP300\A0091150.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\zornnn.exe/toolbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP301\A0091397.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP293\A0075471.exe/mmx0wn3.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP293\A0075476.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108788.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108803.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108805.exe/mmx0wn3.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP290\snapshot\MFEX-13.DAT -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP290\snapshot\MFEX-14.DAT -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP290\snapshot\MFEX-15.DAT -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP300\A0091164.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP301\A0091400.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP301\A0091401.DLL -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP301\A0091402.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP304\A0105500.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108790.exe -> Downloader.Adload.ce : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP293\A0075471.exe/drsmartload408a.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP293\A0075473.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108791.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108796.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108797.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108798.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108802.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108804.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108805.exe/drsmartload408a.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP290\A0068194.exe -> Downloader.PurityScan.cm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108793.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108794.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108795.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108799.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108800.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP309\A0108801.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\Documents and Settings\ziggy\Cookies\ziggy@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@112.2o7[3].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@opodo.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@thomascook.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@adopt.euroclick[3].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@stats1.reliablestats[3].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@server3.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@server3.web-stat[3].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\ziggy\Cookies\ziggy@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\ziggy\Local Settings\Temp\Cookies\ziggy@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP296\A0078521.exe -> Trojan.VB.abv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP296\A0079508.exe -> Trojan.VB.abv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E5AFDB1E-03D1-475D-8C1E-9A550FA363CC}\RP296\A0079510.exe -> Trojan.VB.abv : Cleaned with backup (quarantined).
::Report end
pskelley
2006-07-31, 16:52
For this one: Windows Security Center.AntiVirusDisableNotify
Review these faqs: http://www.safer-networking.org/en/faq/46.html
Your HJT log is clean of malware, the one item ewido found is in System Restore and my closing instructions will clean out those files.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually. If you keep the scaner, which I would, make sure you clean out that quarantine folder.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Safe surfing...tashi:) will close your topic in a day or so.
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Thanks for the info.
I ran SpyBot again and this time it found AstaKiller: -
Application data folder
C:\Program Files\Cowabanga
Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Cowabanga
which it says it has now fixed as well as the Windows Security Center, which again it has fixed.
I have also done the System Restore clean up.
I still think something is wrong with the laptop though, as it still boots into windows saying "Windows - Virtual Memory Minimum Too Low" and takes about 5 minutes to login correctly. If you look in Task Manager memory usage (PF Usage) is at the top of graph at 650MB and the system runs really, really slow! I also get a Symantec Email Proxy message saying that Symantec Email Proxy cannot scan your email messages because your network is not properly configured (1003,13). Also explorer.exe crashes every 5 minutes resulting in the taskbar dissapearaing and any Windows Explorer/My Computer windows with it as well.
HELP!!!!
pskelley
2006-08-01, 14:50
I think you have problems other than malware, try registering and posting here:
http://forums.tomcoyote.org/index.php?showforum=83
Give them as much information as possible about your problem.
You might also run a diagnostic here and you can register and post for help understanding the report:
Diagnostic: http://www.pcpitstop.com/
Results: http://pcpitstop.invisionzone.com/index.php?showforum=6
I also get a Symantec Email Proxy message saying that Symantec Email Proxy cannot scan your email messages because your network is not properly configured (1003,13).
I would contact Symantec tech support for help with this: http://www.symantec.com/techsupp/
Here is some information about Virtual Memory issues:
http://www.aumha.org/win5/a/xpvm.php
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=Virtual+Memory+Minimum+Too+Low
A couple of forums where you can ask questions about it:
http://pressf1.pcworld.co.nz/archive/index.php/t-48709.html
http://forum.theispguide.com/isp-ftopic1887.html
Post a report from this tool if any FILES show
https://europe.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.
Thanks
This topic has been archived.
If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.