View Full Version : Command Service /Network Monitor
kobayashimaru1979
2006-02-16, 15:59
Hi there, thankyou very much for helping with this problem. I'm afraid this is all new to me (though very interesting!).
My computer runs Windows 2000, and recently it started getting loads of pop ups. I've used Spybot for the last year or so, so I just ran that.
It detected something called Network Monitor and something called Command Service, but couldn't get rid of them.
I also had problems with SurfSidekick, but I managed to get rid of that using the Symantec website.
I saw lots of similar threads on this forum, and installed HJT and l2mefix. Nothing seems to have worked though, so I guess my problems are slightly different from the others.
Here's the HJT log, I hope that's what you need, otherwise let me know.
Thanks again
K
Logfile of HijackThis v1.99.1
Scan saved at 1:13:06 PM, on 2/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\VGlt\command.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\nav32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\windows\winsysban9.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Tim\Local Settings\Temp\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames9.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140046040188
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\fpj6031se.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe
pskelley
2006-02-17, 18:20
Hello and welcome to the forum. Tim:scratch: where did you get this mess? Cleanup is going to be tough, you should read about these trojans so you can see the damage done to your system so you can repair what is needed and perhaps learn to prevent this from happening again. Here are what I can identity:
http://sophos.com/virusinfo/analyses/trojstartpani.html
http://sophos.com/virusinfo/analyses/trojclickercd.html
I also see this: C:\WINNT\nav32.exe: http://www.symantec.com/avcenter/venc/data/w32.atendo@mm.html if you wish to look at that item before removeal do so here and post the results for me:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
This: hXXp://searchbar.findthewebsiteyouneed.com
points to CoolWebSearch so we will run CWShredder first. Please proceed in the posted order following all directions carefully.
1) You are running HJT from a Temporary folder, this is not safe as we will have no backups if needed: C:\Documents and Settings\Tim\Local Settings\Temp\HijackThis.exe Move HJT here: C:\HJT\HijackThis.exe. If you need more instruction, use these: http://russelltexas.com/malware/createhjtfolder.htm
Please do this before proceeding further.
2) Download CWShredder from here: http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/CWShredder.shtml Once you have the program, please update it then choose FIX not scan. Allow the program to remove anything it locates, stay in this same thread and post that information for me.
3) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.
4) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/) it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)
Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")
5) Start > Control Panel . Add Remove Programs and uninstall: Network Monitor if there.
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findth
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames9.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\fpj6031se.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINNT\VGlt\ >>> folder (will probably be C:\Windows\VGlt\
C:\WINNT\nav32.exe >>> file (will probably be C:\Windows\nav32.exe)
C:\windows\gimmygames9.exe >>> file
C:\windows\winsysban9.exe >>> file
C:\windows\winsysupd9.exe >>> file
C:\Program Files\Network Monitor\ >>> folder
C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
If you don't have a good cleaner, use this one with these instuctions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.
Restart the computer and post the ewido scan results, a new HJT log, any information I requested above and your feedback. We will have more to do.
Thanks...pskelley
Safer Networking Forums
kobayashimaru1979
2006-02-17, 23:00
Hi pskelly, thank you very much for taking the time to look at my problem. The computr it's on is quite old, and the problem seems to have got worse. I tried getting the downloads you suggested, but the computer basically locks up after looking at the internet for a few minutes. Maybe because so many pop ups are opening? I can't open anything, and have to keep rebooting just to open a web page.
Anyway, I've got all my documents and things backed up on a USB stick, so I thought I would just reformat the harddrive? I haven't done it yet though, so I'll wait to hear from you.
On another note, I'm fascinated by all this business. Where should I look to find out more? Is there any kind of tutorial to look at spyware and stuff?
Thanks very much again, really appreciated.
pskelley
2006-02-18, 00:17
You are certainly welcome but it seems I have done nothing yet. You must be aware by now the computer is fairly infected. All of the tools I gave you will run on Windows2000. The choice to reformat is of course yours and we do need to try to run some of the tools and later when some of the junk is removed we may be able to run others. The order I posted the instructions is is the best way to do a good cleaning and removal of malware and clutter that builds up in time. We can adjust the order if you wish.
Please execute instruction number one to get HJT in a safe place to stores the backups if we should need them.
See if you can download and run ewido, it will clean out a lot of trash. in Add Remove programs..
Now finish 6, which is HJT down to the cleaner. Then instead of downloading the cleaner right now, run cleanmgr.
I believe it is the same on 2000 as XP: Start > Run > type "cleanmgr" without the quotes then OK. allow the program to run and delete what it finds.
If you can run ewido, post the ewido scan report, and a new HJT log. If you can not download and run ewido now, post just the new HJT log. Post exactly what you have been able to do, and any changes in the performance of the computer.
I will supply any information you want about HJT when we either have you clean or you opt for another method. Don't let me forget.
Thanks...Phil
kobayashimaru1979
2006-02-18, 13:04
Hi there, I had a very productive morning, marred only when I became engrossed in what Ewido was doing and allowed my breakfast to burn :mad:
I managed to download CWShredder this morning before the computer went mappit (Scot's word meaning crazy), and I already had Ewido, so I tried to do the things you said. I couldn't download Ad-Ware.
As soon as I started the computer, Ewido popped up with a few problems, so I allowed it to fix those.
Then I ran CWShredder, but it couldn't detect any problems. I updated and ran spybot, and, interestingly, it detected 9 entries for coolwwwsearch. Spybot requested to reboot after the fix, so I did that.
On rebooting, something called VCClient kept popping up, and Norton kept blocking it as it tried to update.
I ran Ewido, but it seemed to close before I could save the report. I assumed that this was ok, and carried on.
When I tried to remove Network Monitor using Add/Remove, it gave me an error message saying an error had occured, and Network Monitor had not been removed.
Then I ran HJT, selected the things you mentioned before, and fixed them. HJT requested a reboot, so I did this.
After I rebooted, Ewido warnings kept popping up, and I figured that the only way this could happen was if the Ewido scan had not been completed before. I ran Ewido again, much more successfully, and it fixed nearly 300 things, and gave me the report.
I ran HJT again, and the log I've included is this one. I noticed that
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe
is still there.
I then went through explorer and deleted the files and folders you mentioned. I could not find
C:\Windows\Prefetch\ >>>
Then I ran cleanmgr.
The computer seems calmer, the HDD isn't being acessed all the time. I haven't connected it to the web yet, not sure if I should just yet. (I'm writing all this on another computer).
Thanks
Dillon
kobayashimaru1979
2006-02-18, 13:05
Logfile of HijackThis v1.99.1
Scan saved at 10:16:19 AM, on 2/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140046040188
O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\hymon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe (file missing)
kobayashimaru1979
2006-02-18, 13:07
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:10:14 AM, 2/18/2006
+ Report-Checksum: D51FC0D3
+ Scan result:
C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll -> Dialer.BT.a : Ignored
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator -> Adware.UCmore : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1177238915-688789844-1060284298-1000\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1177238915-688789844-1060284298-1000\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1177238915-688789844-1060284298-1000\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1177238915-688789844-1060284298-1000\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1177238915-688789844-1060284298-1000\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
[1108] C:\WINNT\system32\mqsystem.dll -> Adware.Look2Me : Error during cleaning
[936] C:\WINNT\system32\mqsystem.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Default User\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\system@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\HGEKVLGU\ucmoreiex[1].exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\HGEKVLGU\ucmoreiex[1].exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\NFV83A8U\ucmoreiex[1].exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\NFV83A8U\ucmoreiex[1].exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\NFV83A8U\winsysban8[1].exe -> Hijacker.VB.lg : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\PQ672I4H\winsysban8[1].exe -> Hijacker.VB.lg : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\PQ672I4H\winsysupd8[1].exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\X4Q9AQOY\winsysupd8[1].exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup
C:\Documents and Settings\Tim\Local Settings\Temp\i5.tmp -> Adware.SurfSide : Cleaned with backup
C:\gimmygames.exe -> Downloader.VB.wd : Cleaned with backup
C:\install.exe -> Dropper.Agent.aed : Cleaned with backup
C:\Installer.exe -> Adware.Look2Me : Cleaned with backup
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\Program Files\Common Files\VCClient\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
C:\Program Files\Lycos\IEagent\CSBIINST.DLL -> Adware.ClearSearch : Cleaned with backup
C:\Program Files\SurfSideKick 3 -> Adware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Adware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Adware.SurfSide : Cleaned with backup
C:\Program Files\TheSearchAccelerator -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\INSTALL.LOG -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\IUCmore.dll -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\logo.ico -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\TBlogin.users.ucmore.com.4.5.40.0 -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\toolbar.cfg -> Adware.UCmore : Cleaned with backup
C:\Program Files\TheSearchAccelerator\UNWISE.EXE -> Adware.UCmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00000254.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\RECYCLER\NPROTECT\00000334.dll -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00000335.dll -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00000401.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000402.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000403.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000404.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000405.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000406.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000407.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000408.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000409.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000414.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00000416.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000417.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000418.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000419.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000420.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000421.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000422.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000428.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000429.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000430.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000431.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000433.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000434.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000435.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000436.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000437.TXT -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\NPROTECT\00000438.TXT -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\NPROTECT\00000439.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00000443.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000444.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000445.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000446.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000447.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000448.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000449.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000450.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000451.TXT -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\NPROTECT\00000452.TXT -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\NPROTECT\00000453.TXT -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\NPROTECT\00000454.TXT -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\NPROTECT\00000461.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00000463.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000464.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000465.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000466.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000467.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000471.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000472.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000473.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000476.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00000477.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00000481.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000482.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000483.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000484.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000485.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000486.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000487.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000488.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000489.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000610.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00000615.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000616.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000617.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000622.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000623.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000624.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00000676.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000677.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000678.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000708.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00000735.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000744.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000745.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000746.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000747.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000748.TXT ->
kobayashimaru1979
2006-02-18, 13:08
TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000749.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000750.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000751.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000752.TXT -> TrackingCookie.Valuead : Cleaned with backup
C:\RECYCLER\NPROTECT\00000753.TXT -> TrackingCookie.Valuead : Cleaned with backup
C:\RECYCLER\NPROTECT\00000754.TXT -> TrackingCookie.Valuead : Cleaned with backup
C:\RECYCLER\NPROTECT\00000755.TXT -> TrackingCookie.Valuead : Cleaned with backup
C:\RECYCLER\NPROTECT\00000756.TXT -> TrackingCookie.Valuead : Cleaned with backup
C:\RECYCLER\NPROTECT\00000761.TXT -> TrackingCookie.Liveperson : Cleaned with backup
C:\RECYCLER\NPROTECT\00000762.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00000767.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000768.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000769.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\NPROTECT\00000783.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000784.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000785.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000791.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000792.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000793.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000794.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000795.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000797.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00000801.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000802.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000803.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000842.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000843.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000844.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000845.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000846.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000847.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000849.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000850.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000851.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000852.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000855.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000856.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000857.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000858.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000859.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000860.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000863.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000864.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000865.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000899.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00001051.EXE/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00001051.EXE/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00001155.EXE/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00001155.EXE/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00001157.EXE -> Hijacker.VB.lg : Cleaned with backup
C:\RECYCLER\NPROTECT\00001264.EXE -> Hijacker.VB.lg : Cleaned with backup
C:\RECYCLER\NPROTECT\00001265.EXE -> Hijacker.StartPage.ahg : Cleaned with backup
C:\RECYCLER\NPROTECT\00001368.EXE -> Hijacker.StartPage.ahg : Cleaned with backup
C:\RECYCLER\NPROTECT\00001492.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001493.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001494.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001495.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001496.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001497.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001498.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001499.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001500.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001501.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001502.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001503.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001504.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001518.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001522.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001523.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001524.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001525.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001526.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001527.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001531.TXT -> TrackingCookie.Burstnet : Cleaned with backup
C:\RECYCLER\NPROTECT\00001533.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001534.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001535.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001536.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001539.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001540.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001541.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001542.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001546.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001547.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001548.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001551.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00001552.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00001553.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00001555.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001556.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001557.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001567.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\NPROTECT\00001571.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001572.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001573.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001574.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001575.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001576.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001577.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001578.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001579.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001580.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001581.TXT -> TrackingCookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00001582.TXT -> TrackingCookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00001586.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001587.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001588.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001589.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00001715.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\RECYCLER\NPROTECT\00001737.EXE/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00001737.EXE/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\NPROTECT\00001782.EXE -> Adware.SurfSide : Cleaned with backup
C:\RECYCLER\NPROTECT\00001793.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00001796.TXT -> TrackingCookie.Liveperson : Cleaned with backup
C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\windows\winsysban8.exe -> Hijacker.VB.lg : Cleaned with backup
C:\windows\winsysupd8.exe -> Hijacker.StartPage.ahg : Cleaned with backup
C:\WINNT\system32\repairs302972994.dll -> Adware.SurfSide : Cleaned with backup
C:\WINNT\system32\wuauclt.dll -> Downloader.Qoologic.at : Cleaned with backup
::Report End
pskelley
2006-02-18, 14:19
OK:bigthumb: you have made some progress, I first want to apologize as I work so many XP machines, and I knew this was 2000. There is no Prefetch folder on this system. Let me look over the logs you have provided and I will have a better idea of your progress.
I won't comment on each thing you mention unless I think you did not handle the situation correctly, so far you are doing great. I do suggest you keep this computer offline as much as possible, this junk does and has attracted more junk.
I will tell you we have our work cut out for us, this item: O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\hymon.dll was not in the the first log, and I can't identify it. Probably Look2me adware and hard to remove. I am very concerned about this item and will ask you to run a tool to hopefully remove it first.
ewido anti-malware - Scan report Created on: 10:10:14 AM, 2/18/2006
C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll -> Dialer.BT.a : Ignored
I believe this item is bad and should be removed. Email Yahoo tech support and ask about it if you are not sure.
[1108] C:\WINNT\system32\mqsystem.dll -> Adware.Look2Me : Error during <<< the infection that showed up in the new log. ewido can't remove it.
C:\RECYCLER\NPROTECT\ <<< Norton's version of the recycle bin that they add. You need to locate the bin highlited in red and delete the contents of the folder.
You will probably need these instructions: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Lot's of nasty cookies, I will give you this information now to help you control these and you can apply it once you are clean:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
The instructions start here When you have completed any above instructions.
1) Please download Look2Me-Destroyer.exe to your desktop.
http://www.atribune.org/public-beta/Look2Me-Destroyer.exe
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. <<< we will do this later
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
2) We need to disable the bad services, this instruction is for XP but it should be much the safe for your OS. Once Disabled we can remove it later.
A) Disable the offending Service
Click Start < Run and type services.msc.
Scroll down to Command Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
B) Disable the offending Service
Click Start < Run and type services.msc.
Scroll down to windows virus scanner and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
3) Use this information to enter safe mode: http://www.computerhope.com/issues/chsafe.htm#02 Make sure you are looking at the info for your Operating System.
Once you are in Safe Mode, start ewido and choose scanner then complete system scan. Allow ewido to delete anything it finds unless you are sure it is not bad. Save that scan report I must see it.
4) Stay in safe mode and Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\hymon.dll (may be gone)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe (file missing)
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner -C:\WINNT\nav32.exe (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Program Files\Common Files\VCClient\ >>> folder
(remember these may be listed as C:\Windows\) (was this an install of 2000 over another operating system?)
C:\WINNT\system32\hymon.dll >>> file (may be gone)
C:\WINNT\VGlt\ >>> folder
C:\WINNT\nav32.exe >>> file
Restart the computer and post the contents of C:\Look2Me-Destroyer.txt, the ewido scan results, a new HJT log, answers to any questions I asked and your feedback, let me know how the computer is running and how you are doing.
Thanks...Phil
kobayashimaru1979
2006-02-18, 16:52
Hi, thanks for getting back to me so fast.
This thing is ok, I think;
C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll -> Dialer.BT.
BT stands for British Telecom, and their Anytime Signup offer was my old dial up connection. I can certainly delete it though, should I just use explorer?
I deleted the contents of the NPROTECT folder.
Dowloaded and ran Look2Me-Destroyer.exe as you said, and I'll post the txt file.
Went into safe mode, no problems, and ran Ewido. Only found about 60 things this time, as opposed to 300 before. I'll post the report.
When I ran HJT, a few things were missing from the report, so i couldn't fix them. These were:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe (file missing)
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner -C:\WINNT\nav32.exe (file missing)
When I went to delete the folders using explorer, these folders were not present:
C:\WINNT\system32\hymon.dll >>> file (may be gone)
C:\WINNT\VGlt\ >>> folder
C:\WINNT\nav32.exe >>> file
The computer seems to be running much better, seems much more stable.
Are we winning?!
Thanks
Dillon
kobayashimaru1979
2006-02-18, 16:53
Logfile of HijackThis v1.99.1
Scan saved at 2:32:31 PM, on 2/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
O1 - Hosts: MZ@ !L!This program cannot be run in DOS mode.
O1 - Hosts: $A䎮A䎮A䎮A䏮t䎮H䎮A䎮{䎮RichA䎮PELH6hJ %Xrd.text2gh `.dataI*n@vvvvvvjvvvwsst
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140046040188
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
kobayashimaru1979
2006-02-18, 16:54
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 2:12:05 PM, 2/18/2006
+ Report-Checksum: 19D8D9B4
+ Scan result:
C:\Documents and Settings\Tim\Cookies\tim@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Tim\Cookies\tim@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll -> Dialer.BT.a : Cleaned with backup
C:\RECYCLER\NPROTECT\00000012.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000013.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000014.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000015.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00000016.TXT -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\NPROTECT\00000017.TXT -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\NPROTECT\00000018.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\NPROTECT\00000019.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000020.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000021.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000022.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000023.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000024.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\NPROTECT\00000033.DLL -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00000034.DLL -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00000035.dll -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00000036.dll -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1277.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1278.TXT -> TrackingCookie.Adrevolver : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1279.TXT -> TrackingCookie.Addynamix : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1280.TXT -> TrackingCookie.Com : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1281.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1282.TXT -> TrackingCookie.Findwhat : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1283.TXT -> TrackingCookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1284.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1285.TXT -> TrackingCookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1286.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1287.TXT -> TrackingCookie.Adrevolver : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1288.TXT -> TrackingCookie.Falkag : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1289.TXT -> TrackingCookie.Burstnet : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1290.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1291.TXT -> TrackingCookie.Clickbank : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1292.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1293.TXT -> TrackingCookie.Findwhat : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1294.TXT -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1295.TXT -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1296.TXT -> TrackingCookie.Paypopup : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1297.TXT -> TrackingCookie.Valuead : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1298.TXT -> TrackingCookie.Liveperson : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1299.TXT -> TrackingCookie.Starware : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1300.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1301.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1302.TXT -> TrackingCookie.Trafic : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1303.EXE -> Downloader.VB.wd : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1304.exe -> Dropper.Agent.aed : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1305.EXE -> Adware.Look2Me : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1306.EXE -> Downloader.Small.buy : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1307.exe -> Dropper.Small.qn : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1308.DLL -> Adware.ClearSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1309.exe -> Adware.SurfSide : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1310.dll -> Adware.SurfSide : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1312.dll -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1317.EXE -> Downloader.TSUpdate.o : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1318.EXE/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1318.EXE/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1319.EXE -> Hijacker.VB.lg : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1320.EXE -> Hijacker.StartPage.ahg : Cleaned with backup
C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1321.DLL -> Adware.SurfSide : Cleaned with backup
::Report End
kobayashimaru1979
2006-02-18, 16:55
Look2Me-Destroyer V1.0.6
Scanning for infected files.....
Scan started at 2/18/2006 1:25:03 PM
Infected! C:\WINNT\system32\j8j60i1se8.dll
Infected! C:\RECYCLER\NPROTECT\00000000.dll
Infected! C:\WINNT\system32\g422lefo1h2c.dll
Infected! C:\WINNT\system32\j8j60i1se8.dll
Infected! C:\WINNT\system32\moafd.dll
Infected! C:\WINNT\system32\mqsystem.dll
Attempting to delete infected files...
Attempting to delete: C:\WINNT\system32\j8j60i1se8.dll
C:\WINNT\system32\j8j60i1se8.dll Deleted successfully!
Attempting to delete: C:\RECYCLER\NPROTECT\00000000.dll
C:\RECYCLER\NPROTECT\00000000.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\g422lefo1h2c.dll
C:\WINNT\system32\g422lefo1h2c.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\j8j60i1se8.dll
C:\WINNT\system32\j8j60i1se8.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\moafd.dll
C:\WINNT\system32\moafd.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\mqsystem.dll
C:\WINNT\system32\mqsystem.dll Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0206D230-F139-489A-A96E-39F50539ACD3}"
HKCR\Clsid\{0206D230-F139-489A-A96E-39F50539ACD3}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
pskelley
2006-02-18, 17:23
Dillon, we are malware warriors fighting evil, of course we are winning. You may leave the Yahoo item alone if you believe it is safe, or delete it as you wish. I don't see that issue as the souce of the problem you had.
ewido anti-malware - Scan report Created on: 2:12:05 PM, 2/18/2006
You still have junk here: C:\RECYCLER\NPROTECT\ <<< delete the contents of that folder in red
C:\RECYCLER\ <<< this would be the Recycler for Windows, delete the contents of the folder in red. You may need to have hidded files and folder showing to do this for either, if it gives you a problem, move to safe mode and do it there.
ewido actually only displayed a few cookies on the system, I gave you information easlier to control those. The rest of the ewido scan report is junk that had been removed and you are storing it in trash bins...
Logfile of HijackThis v1.99.1 Scan saved at 2:32:31 PM, on 2/18/2006
Some kind of wierd results in your hosts file? I would like you to download this program: http://www.funkytoad.com/hoster.htm when you have it then use option #4 (four) to restore your original Hosts file.
Looks like they updated a little, the correct button is "Restore Microsoft's Original Hosts file.
The balance of the log looks great, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
I would also like to get this done if you did not do it yet:
If you don't have a good cleaner, use this one with these instuctions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.
Earlier programs we could not run, some computers just won't run every program, but I feel the ones I asked for are important in the overall routine of keeping junk off the computer. You will find this information in the messages from the experts I posted. What I would like you to do is, being careful of where you go until you have reviewed that information, run for 24 hours, then post a fresh HJT log along with any comments you have. I have a little more information for you and you should be good to go.
Thanks...Phil
kobayashimaru1979
2006-02-18, 18:57
Thanks for all this, I think this is all so fascinating. I think I'm starting to see what needs doing, and unusual results and things.
I have to leave what you asked for until tomorrow, I won't be able to do anymore until tomorrow night. I'll let you know how I get on, and then post you the HJT logs 24 hours after that.
Thanks again, this has been very helpful.
Dillon
kobayashimaru1979
2006-02-21, 21:41
Hi there.
No real problems with the computer over the last 24hours, no more pop ups when surfing, everything seems much smoother than it was.
I tried to empty C:\RECYCLER, but I could not delete this folder:
S-1-5-21-1177238915-688789844-1060284298-1000
The error message syas their is a sharing violation. I tried it in Safe Mode as well, with the same result.
I ran a SpyBot search, and it still detected:
Command Service (6 entries)
CoolWWWSearch (1 entry)
Network Monitor (6 entries)
UCmore (4 entries)
Web-Nexus (3 entries)
I didn't fix them, I thought I would ask you first.
Ran Ewido, nothing detected.
Ran HJT, and here is the log.
Hope all's well, thanks again for the help.
Dillon
kobayashimaru1979
2006-02-21, 21:42
Logfile of HijackThis v1.99.1
Scan saved at 6:19:31 PM, on 2/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140046040188
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
kobayashimaru1979
2006-02-21, 21:43
Oh, I forgot to mention that I installed and ran CCleaner, it cleaned up heaps of rubbish.
Dillon
pskelley
2006-02-21, 23:55
OK Dillon, glad to here you are running better, let's see what we can do with the rest of this junk:
I tried to empty C:\RECYCLER, but I could not delete this folder:
S-1-5-21-1177238915-688789844-1060284298-1000Don't fret about that one, as long as it is in C:\RECYCLER bin it is not on your computer.
I ran a SpyBot search, and it still detected:
Command Service (6 entries)
CoolWWWSearch (1 entry)
Network Monitor (6 entries)
UCmore (4 entries)
Web-Nexus (3 entries)Spybot puts a backup in the Recovery, I think you will find the Command item is a false positive, make sure you have the latest updates, but you can delete all of that junk. After a few days open the Recovery area and delete it from there.
Your HJT log is clean:bigthumb: you have worked hard to get it that way and here is some information to help you keep it like that. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
CCleaner is yours to keep, they update a lot so check it about once a month or so, ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Safe surfing...Phil:)
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.
kobayashimaru1979
2006-02-22, 00:05
Well, thanks very much for your help, I'm really pleased everything's worked. I'll do the last bits you said.
It's really opened my eyes to what goes on on the web, and i'll keep monitoring the forum to see what's going on.
Thanks again
Dillon
LonnyRJones
2006-02-24, 12:18
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.