
Thread: Help me clean up this machine

  1. #1
    Member (Join Date: Jan 2006, Posts: 41)

    Help me clean up this machine

    Logfile of HijackThis v1.99.1
    Scan saved at 7:46:32 PM, on 1/17/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\DL\hijack\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\msbk32.dll,DllRun
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex...edia/Swdir.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c32.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
    O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://seaz.fnismls.com/Paragon/Code...temChecker.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

  2. #2
    Member (Join Date: Jan 2006, Posts: 41)

    .......btt

  3. #3
    Member (Join Date: Jan 2006, Posts: 41)

    I am posting a new log because the last one was in safe mode.


    Logfile of HijackThis v1.99.1
    Scan saved at 8:54:01 AM, on 1/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\w?nspool.exe
    C:\Program Files\wate\ansb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\DL\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{6753C728-2AB8-2D4D-EAEA-5230FBA2DBBB} - (no file)
    R3 - URLSearchHook: (no name) - {1253C75E-2AC9-2331-EA98-2330F6ABDBCC} - C:\WINDOWS\system32\yhnhm.dll
    F3 - REG:win.ini: load=????
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {1253C75E-2AC9-2331-EA98-2330F6ABDBCC} - C:\WINDOWS\system32\yhnhm.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\msbk32.dll,DllRun
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [Woywy] C:\WINDOWS\system32\w?nspool.exe
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [freexstyle] lockbr.exe
    O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"
    O4 - HKCU\..\Run: [ltdxml] C:\WINDOWS\system32\ltdxml.exe
    O4 - HKCU\..\Run: [Acuc] "C:\Program Files\wate\ansb.exe" -vt ndrv
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinksap.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rjdsregs.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.fnismls.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex...edia/Swdir.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c32.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
    O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://seaz.fnismls.com/Paragon/Code...temChecker.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

  4. #4
    Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hi BooBoo

    What version of SpyBot is it you have and when was it last updated ?

    Is the trial of spysweeper expired ?

    Why do we not see any signs of an antivirus program ?

    Start HijackThis and place a check next to these items, if they are there.
    Close all browser windows and shut down all other programs that show in the taskbar (even folders).
    R3 - URLSearchHook: (no name) - _{6753C728-2AB8-2D4D-EAEA-5230FBA2DBBB} - (no file)
    R3 - URLSearchHook: (no name) - {1253C75E-2AC9-2331-EA98-2330F6ABDBCC} - C:\WINDOWS\system32\yhnhm.dll
    F3 - REG:win.ini: load=????
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {1253C75E-2AC9-2331-EA98-2330F6ABDBCC} - C:\WINDOWS\system32\yhnhm.dll
    O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll (file missing)
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\msbk32.dll,DllRun
    O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd.exe
    O4 - HKCU\..\Run: [Woywy] C:\WINDOWS\system32\w?nspool.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [freexstyle] lockbr.exe
    O4 - HKCU\..\Run: [EQTraffic] "C:\Program Files\EQTraffic\EQTraffic.exe"
    O4 - HKCU\..\Run: [ltdxml] C:\WINDOWS\system32\ltdxml.exe
    O4 - HKCU\..\Run: [Acuc] "C:\Program Files\wate\ansb.exe" -vt ndrv
    O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinksap.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\rjdsregs.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.fnismls.com
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c32.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    ====================================
    Hit 'Fix checked' and close HijackThis.
    Restart the PC.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Post a fresh hijackthis log please, be sure to mention any current problems.

    Also, an uninstall list:
    Start HiJackThis
    Press 'Config'
    Press 'Misc Tools'
    Press 'Open Uninstall Manager'
    Press 'Save List'
    Save the log to a convenient location
    Copy the log and post its contents in this thread
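As an added example (not from this thread, and not HijackThis's own code), here is a small Python triage script that encodes the kinds of entries the helper picked out above as rules: orphaned "(file missing)" / "(no file)" entries, unnamed URLSearchHooks and BHOs, a win.ini load= value that cannot be read, Run entries whose executable has an unprintable character or no path, Startup shortcuts pointing into system32, RunDLL32 loading a DLL from the Windows root, Trusted Zone additions, and ActiveX downloads from the ad networks named in the log. It runs those rules over a handful of lines copied from the logs in this thread. The host list and the rules are assumptions chosen to fit this log, and they are a reviewer's aid rather than a verdict: a loader with a quoted full path, like the ansb.exe entry in post #3, passes every rule here, which is why the helper's list is still built by hand.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag, e.g. "O4"
    reason: str   # why the entry deserves a second look
    line: str     # the original log line, stripped


# Ad-network and search-hijacker domains seen in this thread's O15/O16 entries.
# Assumption: an illustrative list for this log, not an authoritative blocklist.
FLAGGED_HOSTS = ("mirarsearch.com", "getmirar.com", "elitemediagroup.net", "zangocash.com")

_ENTRY = re.compile(r"^\s*([RFO]\d+)\s+-\s+(.*?)\s*$")


def parse_entry(line):
    """Split 'O4 - <body>' into ('O4', '<body>'); return None for non-entry lines."""
    m = _ENTRY.match(line)
    return (m.group(1), m.group(2)) if m else None


def _on_flagged_host(body):
    # Use the URL host when there is one, otherwise the bare '*.domain' text of an O15 line.
    m = re.search(r"https?://([^/\s)]+)", body)
    target = m.group(1).lower() if m else body.lower()
    return any(target.endswith(h) for h in FLAGGED_HOSTS)


def _first_token(cmd):
    # Executable part of a command line, honouring a quoted path that contains spaces.
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def check_entry(section, body):
    """Return a reason string if the entry matches a triage rule, else None."""
    if "(file missing)" in body or "(no file)" in body:
        return "orphaned entry: the referenced file no longer exists"
    if section == "R3" and "(no name)" in body:
        return "unnamed URLSearchHook"
    if section == "O2" and "(no name)" in body:
        return "unnamed Browser Helper Object"
    if section == "F3" and re.search(r"load=\?+", body):
        return "win.ini load= is set to an unreadable value"
    if section == "O4":
        # Run keys look like '[name] command'; Startup-folder entries like 'x.lnk = command'.
        cmd = (body.split("]", 1)[-1] if "]" in body else body.split("=", 1)[-1]).strip()
        exe = _first_token(cmd)
        if exe.lower().startswith("rundll32"):
            dll = cmd[cmd.find(exe) + len(exe):].strip().split(",")[0].strip('"')
            if re.match(r"(?i)^[a-z]:\\windows\\[^\\]+\.dll$", dll):
                return "RunDLL32 loading a DLL from the Windows root directory"
            return None
        if "?" in exe:
            return "executable name contains an unprintable character (lookalike of a system name)"
        if "\\" not in exe:
            return "bare executable name with no path"
        if body.startswith("Startup:") and re.search(r"(?i)\\system32\\[^\\]+\.exe$", exe):
            return "Startup shortcut launching an executable from system32"
        return None
    if section == "O15":
        known = " for a known ad/hijacker host" if _on_flagged_host(body) else ""
        return "Trusted Zone entry" + known
    if section == "O16":
        if _on_flagged_host(body):
            return "ActiveX download (DPF) from a known ad/hijacker host"
        if re.match(r"DPF: \{[^}]+\} -", body):
            return "unnamed ActiveX download (DPF)"
    return None


def triage(lines):
    """Apply check_entry to every HJT entry line; return the list of Findings."""
    findings = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed:
            reason = check_entry(*parsed)
            if reason:
                findings.append(Finding(parsed[0], reason, raw.strip()))
    return findings


# Constructed sample: lines copied from the logs in this thread, plus two known-good
# entries (F2 UserInit, iTunesHelper) and a Microsoft O16 entry that the rules must leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{6753C728-2AB8-2D4D-EAEA-5230FBA2DBBB} - (no file)
R3 - URLSearchHook: (no name) - {1253C75E-2AC9-2331-EA98-2330F6ABDBCC} - C:\WINDOWS\system32\yhnhm.dll
F3 - REG:win.ini: load=????
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {1253C75E-2AC9-2331-EA98-2330F6ABDBCC} - C:\WINDOWS\system32\yhnhm.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\msbk32.dll,DllRun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Woywy] C:\WINDOWS\system32\w?nspool.exe
O4 - HKCU\..\Run: [freexstyle] lockbr.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinksap.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c32.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.section:<4}{f.reason}\n      {f.line}")
```

Running it on the sample prints twelve findings and stays silent on the UserInit, iTunesHelper and Windows Genuine Advantage lines. Each rule is deliberately narrow (a whole-path string match or a single structural oddity) so a reviewer can see exactly why a line was flagged and decide for themselves, which is the same judgement the helper applies when choosing which entries to have HijackThis fix.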

  5. #5
    Member (Join Date: Jan 2006, Posts: 41)

    What version of SpyBot is it you have and when was it last updated ?
    V1.4 updated 1-13-2006


    Is the trial of spysweeper expired ?
    Spysweeper is uninstalled


    Why do we not see any signs of an antivirus program ?
    I was using AVG AntiVirus but it has mysteriously disappeared.



    After Rebooting, Spybot automatically started and found the following.

    Advertising.com
    Avenue A Inc
    BFast
    CommandService
    Coremetrics
    Doubleclick
    Fastclick
    HitBox
    Linksynergy
    MediaPlex
    Valueclick

    It cleaned all except CommandService:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Before doing what you asked, the machine would get lots of popups and Internet Explorer would change its home page to a site; I can't remember the name as it is not doing it right now. I think it was called something like "lookforithere". Also, when I typed Google.com in the address bar, I was directed to MSN.com.


    Logfile of HijackThis v1.99.1
    Scan saved at 9:33:52 AM, on 1/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DL\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex...edia/Swdir.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
    O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://seaz.fnismls.com/Paragon/Code...temChecker.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

  6. #6
    Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Go to Start > Run and type in
    sc delete cmdService
    Check for and fix any problems with SpyBot twice; the second time, command shouldn't be there.

    I need that uninstall list.
    Zango is one that should definitely be uninstalled.

    Re-download and install AVG antivirus and do a full system scan; if it has problems with any files, do a scan while in safe mode.

    If Spysweeper is uninstalled, have HijackThis fix
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

  7. #7
    Member (Join Date: Jan 2006, Posts: 41)

    Go to Start > Run and type in
    sc delete cmdService
    Check for and fix any problems with SpyBot twice; the second time, command shouldn't be there.
    This did not work. I got the error:

    [SC] OpenService FAILED 1060:
    The specified service does not exist as an installed service.

    Spybot finds it every time and can't get rid of it.

    BTW, I updated Spybot to the 1/20/2006 updates.


    I need that uninstall list.
    Zango is one that should definitely be uninstalled.
    Ad-Aware SE Personal
    Adobe Acrobat 5.0
    AOL Instant Messenger
    a-squared Personal 1.6.1
    Avery LabelPro 3.0
    AVG Free Edition
    C-Media WDM Audio Driver
    Crown Print Monitor+
    elitemediagroup
    ewido anti-malware
    Form Viewer
    Google Toolbar for Internet Explorer
    HijackThis 1.99.1
    Informatik Docview 10.0
    iPod for Windows 2005-09-23
    iTunes
    Jasc Paint Shop Photo Album
    KONICA MINOLTA magicolor 2300 DL Printer Driver Software
    Label Printer Version 3.1
    magicolor 2300 DL
    MediaGateway
    MediaTickets by OIN
    Microsoft .NET Framework 1.1
    Microsoft Data Access Components KB870669
    Microsoft Office 2000 Professional
    Microsoft Publisher 98
    Microsoft Windows Journal Viewer
    MSN Messenger 7.0
    Nero - Burning Rom
    Net Nanny 5
    Network Monitor
    Network Play System (Patching)
    PaperPort 9.0
    PCI Audio Driver
    Photodex Presenter
    Professional Real Estate 2001
    Quicklinks
    QuickScan 3.0
    QuickTime
    QuickTime 3.0
    Real Estate Transaction Viewer
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB912919)
    Spybot - Search & Destroy 1.4
    The Sims House Party
    The Sims Livin' Large
    The Sims Unleashed
    The Sims Vacation
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB910437)
    Windows Backup Utility
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Installer 3.1 (KB893803)
    Windows XP Application Compatibility Update[Q319580]
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    Windows XP Hotfix (SP1) [See Q309521 for more information]
    Windows XP Service Pack 2
    WinZip
    XEROX DocuMate 510
    Yazzle Sudoku by OIN
    Zango Toolbar



    Re-download and install AVG antivirus and do a full system scan; if it has problems with any files, do a scan while in safe mode.
    Done, no problems found.

    If Spysweeper is uninstalled, have HijackThis fix
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    Done



    Here is another HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:21:42 PM, on 1/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\DL\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex...edia/Swdir.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploa...loadClient.cab
    O16 - DPF: {B3A37929-7FF7-4CBE-9579-AC1EF83080DF} (SystemChecker.CheckerCtrl) - http://seaz.fnismls.com/Paragon/Code...temChecker.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1477633B-377D-454F-95CA-AE8C95C1392D}: NameServer = 192.168.2.1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Uninstall these programs via Windows Control Panel Add/Remove Programs:

    elitemediagroup
    MediaTickets by OIN
    Network Monitor
    Yazzle Sudoku by OIN
    Zango Toolbar
    Quicklinks
    QuickScan 3.0

    SpyBot still detects cmdservice after checking for and fixing once?
    Are you familiar with regedit?

  9. #9
    Member
    Join Date
    Jan 2006
    Posts
    41

    Default

    Uninstall these programs via Windows Control Panel Add/Remove Programs:

    elitemediagroup
    MediaTickets by OIN
    Network Monitor
    Yazzle Sudoku by OIN
    Zango Toolbar
    Quicklinks
    QuickScan 3.0
    All of these uninstalled except for the Network Monitor; it gave me an error and said it could not be deleted.


    SpyBot still detects cmdservice after checking for and fixing once?
    Are you familiar with regedit?
    Yes, should I just go in and delete these two entries?

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Yes, if you're comfortable with it:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

    Let me know if you have to change permissions on them before they can be deleted. To do so in regedit, once at the cmdservice key, right-click > Permissions > place a check next to [x] Full Control, click Apply, then OK.
    Don't get carried away and try finding cmdservice in other areas of the registry, please.

    Delete these files and folders if present:
    C:\Program Files\Zango Programs
    C:\Program Files\Common Files\VCClient
    C:\Program Files\wate
    C:\Program Files\EQTraffic
    C:\Program Files\Network Monitor
    C:\Program Files\Yazzle Sudoku
    C:\Program Files\Zango Toolbar
    C:\Program Files\Quicklinks
    C:\WINDOWS\msbk32.dll
    C:\windows\winsysupd.exe
    C:\WINDOWS\system32\yhnhm.dll
    C:\WINDOWS\system32\ltdxml.exe
    C:\WINDOWS\system32\rwinksap.exe
    C:\WINDOWS\system32\rjdsregs.exe

    Can you tell me what this program is?
    Network Play System (Patching)
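    The audit below is an added example, not part of the thread or its helper's instructions: it checks which of the files, folders and cmdService keys listed in the post above are still present and shows what the service key points to, so each deletion can be verified rather than done blind. It assumes PowerShell 2.0 or later running elevated on the affected machine and only reads, never deletes.

```powershell
# Added example (not from the thread): audit the artifacts named in post #10 before removing anything.
# Assumes PowerShell 2.0+ in an elevated prompt; read-only, nothing is changed.
$paths = @(
    'C:\Program Files\Zango Programs',
    'C:\Program Files\Common Files\VCClient',
    'C:\Program Files\wate',
    'C:\Program Files\EQTraffic',
    'C:\Program Files\Network Monitor',
    'C:\Program Files\Yazzle Sudoku',
    'C:\Program Files\Zango Toolbar',
    'C:\Program Files\Quicklinks',
    'C:\WINDOWS\msbk32.dll',
    'C:\windows\winsysupd.exe',
    'C:\WINDOWS\system32\yhnhm.dll',
    'C:\WINDOWS\system32\ltdxml.exe',
    'C:\WINDOWS\system32\rwinksap.exe',
    'C:\WINDOWS\system32\rjdsregs.exe'
)

# Files and folders: report which still exist so the removal list can be checked off.
foreach ($p in $paths) {
    $state = if (Test-Path -LiteralPath $p) { 'PRESENT' } else { 'absent ' }
    "{0}  {1}" -f $state, $p
}

# Service keys: show what cmdService launches (ImagePath) and its start type before the key
# is deleted, so the deletion can be matched against what the HijackThis log reported.
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\cmdService',
    'HKLM:\SYSTEM\ControlSet001\Services\cmdService'
)
foreach ($k in $serviceKeys) {
    if (Test-Path -LiteralPath $k) {
        $props = Get-ItemProperty -LiteralPath $k
        "PRESENT  {0}" -f $k
        "         ImagePath = {0}" -f $props.ImagePath
        "         Start     = {0}" -f $props.Start
    } else {
        "absent   {0}" -f $k
    }
}

# The O4 Run entries from the log (cfgmgr52 loading msbk32.dll, winsysupd): list them so they
# can be confirmed gone after the files are removed and the machine is rebooted.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object -Property cfgmgr52, winsysupd
```

    Re-run it after the cleanup and reboot; every line should read "absent" and both Run properties should be empty.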
