Can anyone read Hijackthis and tell me what to get rid of or fix

By smazz
Feb 9, 2006
Topic Status:
Not open for further replies.
  1. Did a virus and spyware scan. I ran them in normal and in safe mode. They all found plenty of infections or problems. But I still have annoying pop ups, about 1 every couple of minutes. I never had this problem until about 2 weeks ago. I use SlimBrowser or IE, and I still get the pop ups in SlimBrowser.
    But they pop up as IE browser. I also get weird pop ups that just look like small picture animated advertisements. I did a system restore. Here is the log from HijackThis. I am new to this site, hello to all. When I ran Trojan Remover it tells me the winlogon notify file is locked and it cannot clean it. Line 20 on HijackThis: I fixed it, restarted, and it comes back as a new dll file.

    Thank You, Sal

    Logfile of HijackThis v1.99.1
    Scan saved at 4:40:10 PM, on 2/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Weather Watcher\ww.exe
    C:\SABRE\Apps\ATS\SSSClnt.EXE
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\wspan\swgw\FilterAgent.exe
    C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Documents and Settings\Linda M\My Documents\downsave\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmailb.netzero.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmailb.netzero.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www-secure.symantec.com/cus...r_consumer.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
    O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
    O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
    O4 - Global Startup: Ashampoo Magic Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
    O8 - Extra context menu item: Html To Image - C:\Program Files\Html To Image\menu.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: PopStop - {20988EDF-4CB5-4083-9829-262BBFD0CD52} - E:\programs reinstall\PopStop\PopStop.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://*.worldspan.com
    O15 - Trusted Zone: http://*.wspan.com
    O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/D...Information.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} (TMinReq Class) - https://my.sabre.com/jars/TMinReqX.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1132339616323
    O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.82.downloads.esta...166250OneCC.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-euro...ivex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/...nfo/webscan.cab
    O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
    O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go10f.wspan.com/secure/DLLs/WSFileIO2.cab
    O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go10f.wspan.com/secure/DLLs/WSBrowserConfig.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
    O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
    O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\ir0ul5d91.dll
    O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  2. Smell the Glove

    Smell the Glove Newcomer, in training Posts: 35

    Wow, your PC is a mess! I don't know where to even start. Hopefully Howard might be able to help?

    Sorry. :(
  3. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

  4. smazz

    smazz Newcomer, in training Topic Starter Posts: 17

    everything ok

    I was looking at some ideas on how to fix the pop ups. I found that I had the look2me malware. I downloaded the fix l2me.exe and it worked fine. It fixed it and then I had to remove line 20 from HijackThis. That was the problem, it was in the winlogon. Every time I fixed it, it would return as a different dll file on line 20. After I ran the fix and then ran HijackThis, it was able to delete line 20.
    Thanks
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    That's excellent news. However, there are still a few more things you need to fix in your HJT log.

    Follow the above instructions, then post a fresh HJT log.

    Regards Howard :)
  6. smazz

    smazz Newcomer, in training Topic Starter Posts: 17

    repost HJT after instructions

    Here is a repost. I ran a lot of trojan, anti virus, spyware, malware, and it did remove a lot. Now I do the ewido, trojan remover and AVG. Everything is OK, no problems found. Here is HJT. Can you let me know if any of these lines can be fixed?
    Thanks

    Logfile of HijackThis v1.99.1
    Scan saved at 9:00:57 PM, on 2/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Weather Watcher\ww.exe
    C:\SABRE\Apps\ATS\SSSClnt.EXE
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\System32\svchost.exe
    C:\wspan\swgw\FilterAgent.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\SlimBrowser\sbrowser.exe
    C:\Documents and Settings\Linda M\My Documents\downsave\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmailb.netzero.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmailb.netzero.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www-secure.symantec.com/custserv/cs_register_consumer.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
    O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.EXE
    O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Worldspan Filter Agent.lnk = C:\wspan\swgw\FilterAgent.exe
    O4 - Global Startup: Ashampoo Magic Defrag.lnk = C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragCtrl.exe
    O8 - Extra context menu item: Html To Image - C:\Program Files\Html To Image\menu.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: PopStop - {20988EDF-4CB5-4083-9829-262BBFD0CD52} - E:\programs reinstall\PopStop\PopStop.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
    O15 - Trusted Zone: http://*.worldspan.com
    O15 - Trusted Zone: http://*.wspan.com
    O16 - DPF: {03DF0933-6E10-4D32-9835-B9A815622831} (WSSystemInfo Class) - https://gopublic.wspan.com/secure/DLLs/WSSystemInformation.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} (TMinReq Class) - https://my.sabre.com/jars/TMinReqX.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132339616323
    O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.69.25.47.82.downloads.esta...9.25.47.82_58102&=&req=1136841166250OneCC.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {7B72C3FC-34B5-4504-B4BE-EB38971A0888} (WSFileIO Class 3) - http://go.worldspan.com/Dlls/WSFileIO3.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37600.cab
    O16 - DPF: {8D33B6F0-1E74-419C-BBEF-D00E976A3A5D} (WSFileIO Class 2) - https://go10f.wspan.com/secure/DLLs/WSFileIO2.cab
    O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go10f.wspan.com/secure/DLLs/WSBrowserConfig.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O16 - DPF: {D4233B6D-88A0-11D3-BC29-400011500032} (WspGoCal Class) - https://gopublic.wspan.com/scripts/us/bin/WSCAL.CAB
    O16 - DPF: {F2C74EB6-1E7C-44A1-8EBA-CEDB52D47108} - https://gopublic.wspan.com/Secure/Dlls/WSClient.cab
    O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magic Defrag\bin\aDefragService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  7. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Boot into safe mode. See how HERE

    Turn off system restore (XP/ME only). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open, and have HJT fix the following, by placing a tick in the little box next to (if there).

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmailb.netzero.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmailb.netzero.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www-secure.symantec.com/cus...r_consumer.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O9 - Extra button: PopStop - {20988EDF-4CB5-4083-9829-262BBFD0CD52} - E:\programs reinstall\PopStop\PopStop.dll (file missing)
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

    O15 - Trusted Zone: http://*.worldspan.com
    O15 - Trusted Zone: http://*.wspan.com

    Fix all O16 DPF entries.

    Now click on the fix checked button.

    Close HJT.

    Reboot into normal mode, and turn system restore back on.

    Regards Howard :)
  8. smazz

    smazz Newcomer, in training Topic Starter Posts: 17

    know anything about CMDSERVICE

    Hi,
    Just fixed all the lines in HJT in safe mode, turned off restore. I turned restore back on and went into normal mode. I forgot to tell you: when I ran Spybot and ewido malware later, it found 3 entries; 2 could not be fixed. I even ran them in safe mode; everything is clean and good. The 2 problems were CMDSERVICE, which was in:
    HKEY_LOCAL_MACHINE/system/current controlset/services/cmdservice


    HKEY_LOCAL_MACHINE/system/controlset1/services/cmdservice



    and the one it repaired :

    HKEY_LOCAL_MACHINE/system/controlset3/services/cmdservice

    Every time I run Spybot or any other malware, adware, it will find the 3 and only repair the one. Maybe it is not so important; if you know anything about this, let me know. I know you must be busy answering a lot of members, so if it's not that important you will not have to reply. Thanks for all the help. The important thing was getting rid of the popups. I will always run all the spyware programs, adware, malware and anti virus once a week. Hopefully I will not need any more help. But if I do, I know who to turn to.

    Thanks,Sal
  9. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    It seems that the detection could be a false positive.

    Take a look HERE for further info.

    Regards Howard :)
  10. smazz

    smazz Newcomer, in training Topic Starter Posts: 17

    It looks like it really isn't anything, I read the threads. Seems to be a small problem for a lot of people. I am sure someone will come up with a fix, just so everyone will feel better after running Spybot; it will remove cmdservice from the registry.

    Thanks
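
Added example, not part of the original thread: a small Python script that parses two HijackThis logs, lists the entries that disappeared or appeared between scans, and flags an O20 Winlogon Notify key that is still present but now points at a different DLL, which is the behaviour described for line 20 above. The excerpts are shortened from the logs posted in this thread; `RESCAN` and its DLL name `example_new.dll` are constructed, and all function names are hypothetical.

```python
import re

# HijackThis entry lines: "<code> - <text>", e.g. "O20 - Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^\s*([FNOR]\d{1,2})\s+-\s+(.*\S)\s*$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")

def parse_entries(log_text):
    """Return {code: set of entry texts}; header and process lines are skipped."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries

def diff_logs(before, after):
    """Return (removed, added) as sorted lists of (code, text) tuples."""
    b, a = parse_entries(before), parse_entries(after)
    removed = sorted((c, t) for c in b for t in b[c] - a.get(c, set()))
    added = sorted((c, t) for c in a for t in a[c] - b.get(c, set()))
    return removed, added

def notify_dlls(log_text):
    """Map each Winlogon Notify key name to its DLL path (lower-cased)."""
    out = {}
    for text in parse_entries(log_text).get("O20", ()):
        m = NOTIFY_RE.match(text)
        if m:
            out[m.group(1)] = m.group(2).lower()
    return out

def respawned_notify(before, after):
    """Notify keys present in both scans whose DLL changed between them."""
    b, a = notify_dlls(before), notify_dlls(after)
    return {k: (b[k], a[k]) for k in b.keys() & a.keys() if b[k] != a[k]}

# Excerpt of the first log in the thread (2/6/2006).
FIRST_SCAN = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\ir0ul5d91.dll
"""

# Excerpt of the second log in the thread (2/11/2006), after the cleanup.
SECOND_SCAN = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
"""

# Constructed: a rescan taken after "fixing" O20 without removing the malware.
RESCAN = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\example_new.dll
"""

if __name__ == "__main__":
    removed, added = diff_logs(FIRST_SCAN, SECOND_SCAN)
    for code, text in removed:
        print("removed:", code, "-", text)
    for code, text in added:
        print("added:  ", code, "-", text)
    for key, (old, new) in respawned_notify(FIRST_SCAN, RESCAN).items():
        print("notify key %r re-registered: %s -> %s" % (key, old, new))
```

A Notify key that survives a fix with a new DLL path means the component that writes the key is still running, so the registry entry alone is not the thing to remove.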