Thread: Command Service /Network Monitor

  1. #1
    Junior Member
    Join Date
    Feb 2006
    Posts
    21

    Command Service /Network Monitor

    Hi there, thank you very much for helping with this problem. I'm afraid this is all new to me (though very interesting!).
    My computer runs Windows 2000, and recently it started getting loads of pop ups. I've used Spybot for the last year or so, so I just ran that.
    It detected something called Network Monitor and something called Command Service, but couldn't get rid of them.

    I also had problems with SurfSidekick, but I managed to get rid of that using the Symantec website.

    I saw lots of similar threads on this forum, and installed HJT and l2mefix. Nothing seems to have worked though, so I guess my problems are slightly different from the others.
    Here's the HJT log, I hope that's what you need, otherwise let me know.
    Thanks again
    K

    Logfile of HijackThis v1.99.1
    Scan saved at 1:13:06 PM, on 2/16/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\VGlt\command.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\nav32.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\windows\winsysban9.exe
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Tim\Local Settings\Temp\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
    O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames9.exe
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140046040188
    O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\fpj6031se.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Hello and welcome to the forum. Tim, where did you get this mess? Cleanup is going to be tough, you should read about these trojans so you can see the damage done to your system so you can repair what is needed and perhaps learn to prevent this from happening again. Here is what I can identify:
    http://sophos.com/virusinfo/analyses/trojstartpani.html
    http://sophos.com/virusinfo/analyses/trojclickercd.html

    I also see this: C:\WINNT\nav32.exe: http://www.symantec.com/avcenter/ven...atendo@mm.html if you wish to look at that item before removal do so here and post the results for me:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/flash/index_en.html

    This: hXXp://searchbar.findthewebsiteyouneed.com
    points to CoolWebSearch so we will run CWShredder first. Please proceed in the posted order following all directions carefully.

    1) You are running HJT from a Temporary folder, this is not safe as we will have no backups if needed: C:\Documents and Settings\Tim\Local Settings\Temp\HijackThis.exe Move HJT here: C:\HJT\HijackThis.exe. If you need more instruction, use these: http://russelltexas.com/malware/createhjtfolder.htm
    Please do this before proceeding further.

    2) Download CWShredder from here: http://www.softpedia.com/get/Interne...Shredder.shtml Once you have the program, please update it then choose FIX not scan. Allow the program to remove anything it locates, stay in this same thread and post that information for me.

    3) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
    The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

    4) ewido scan:
    Please download Ewido Security Suite it is a trial version of the program.
    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will now go to the main screen
    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Then click on Start Update
    The update will start and a progress bar will show the updates being installed.
    If you are having problems with the updater, you can use this link to manually update Ewido.
    Ewido manual updates

    Once the updates are installed do the following:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.**
      • You will need to step through the process of cleaning files one-by-one.
      • If ewido detects a file you KNOW to be legitimate, select none as the action.
      • DO NOT select "Perform action on all infections"
      • If you are unsure of any entry found select none for now.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop.
    Now close ewido security suite.
    **(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


    5) Start > Control Panel . Add Remove Programs and uninstall: Network Monitor if there.

    6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findth
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
    O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
    O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames9.exe
    O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\fpj6031se.dll (file missing)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Enable hidden files&folders..reverse the process when finished.
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\WINNT\VGlt\ >>> folder (will probably be C:\Windows\VGlt\)

    C:\WINNT\nav32.exe >>> file (will probably be C:\Windows\nav32.exe)

    C:\windows\gimmygames9.exe >>> file

    C:\windows\winsysban9.exe >>> file

    C:\windows\winsysupd9.exe >>> file

    C:\Program Files\Network Monitor\ >>> folder

    C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
    Prefetch info: http://www.windowsnetworking.com/art...efetch-XP.html

    If you don't have a good cleaner, use this one with these instructions:
    Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
    Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

    Restart the computer and post the ewido scan results, a new HJT log, any information I requested above and your feedback. We will have more to do.

    Thanks...pskelley
    Safer Networking Forums
    Last edited by pskelley; 2006-02-17 at 18:23.

  3. #3
    Junior Member
    Join Date
    Feb 2006
    Posts
    21

    Hi pskelley, thank you very much for taking the time to look at my problem. The computer it's on is quite old, and the problem seems to have got worse. I tried getting the downloads you suggested, but the computer basically locks up after looking at the internet for a few minutes. Maybe because so many pop ups are opening? I can't open anything, and have to keep rebooting just to open a web page.
    Anyway, I've got all my documents and things backed up on a USB stick, so I thought I would just reformat the harddrive? I haven't done it yet though, so I'll wait to hear from you.
    On another note, I'm fascinated by all this business. Where should I look to find out more? Is there any kind of tutorial to look at spyware and stuff?
    Thanks very much again, really appreciated.

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    You are certainly welcome but it seems I have done nothing yet. You must be aware by now the computer is fairly infected. All of the tools I gave you will run on Windows2000. The choice to reformat is of course yours and we do need to try to run some of the tools and later when some of the junk is removed we may be able to run others. The order I posted the instructions is the best way to do a good cleaning and removal of malware and clutter that builds up in time. We can adjust the order if you wish.

    Please execute instruction number one to get HJT in a safe place to store the backups if we should need them.

    See if you can download and run ewido, it will clean out a lot of trash. in Add Remove programs..

    Now finish 6, which is HJT down to the cleaner. Then instead of downloading the cleaner right now, run cleanmgr.
    I believe it is the same on 2000 as XP: Start > Run > type "cleanmgr" without the quotes then OK. allow the program to run and delete what it finds.

    If you can run ewido, post the ewido scan report, and a new HJT log. If you can not download and run ewido now, post just the new HJT log. Post exactly what you have been able to do, and any changes in the performance of the computer.

    I will supply any information you want about HJT when we either have you clean or you opt for another method. Don't let me forget.

    Thanks...Phil

  5. #5
    Junior Member
    Join Date
    Feb 2006
    Posts
    21

    Hi there, I had a very productive morning, marred only when I became engrossed in what Ewido was doing and allowed my breakfast to burn

    I managed to download CWShredder this morning before the computer went mappit (Scot's word meaning crazy), and I already had Ewido, so I tried to do the things you said. I couldn't download Ad-Ware.

    As soon as I started the computer, Ewido popped up with a few problems, so I allowed it to fix those.

    Then I ran CWShredder, but it couldn't detect any problems. I updated and ran spybot, and, interestingly, it detected 9 entries for coolwwwsearch. Spybot requested to reboot after the fix, so I did that.

    On rebooting, something called VCClient kept popping up, and Norton kept blocking it as it tried to update.

    I ran Ewido, but it seemed to close before I could save the report. I assumed that this was ok, and carried on.

    When I tried to remove Network Monitor using Add/Remove, it gave me an error message saying an error had occurred, and Network Monitor had not been removed.

    Then I ran HJT, selected the things you mentioned before, and fixed them. HJT requested a reboot, so I did this.

    After I rebooted, Ewido warnings kept popping up, and I figured that the only way this could happen was if the Ewido scan had not been completed before. I ran Ewido again, much more successfully, and it fixed nearly 300 things, and gave me the report.
    I ran HJT again, and the log I've included is this one. I noticed that
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe
    is still there.

    I then went through explorer and deleted the files and folders you mentioned. I could not find
    C:\Windows\Prefetch\ >>>

    Then I ran cleanmgr.
    The computer seems calmer, the HDD isn't being accessed all the time. I haven't connected it to the web yet, not sure if I should just yet. (I'm writing all this on another computer).

    Thanks
    Dillon

  6. #6
    Junior Member
    Join Date
    Feb 2006
    Posts
    21

    Logfile of HijackThis v1.99.1
    Scan saved at 10:16:19 AM, on 2/18/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140046040188
    O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\hymon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe (file missing)
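
One way to compare the two HijackThis logs in this thread (posts #1 and #6), as an added example that is not part of the original posts: the log excerpts are copied from the logs above, and the function names are made up for this example. An entry that survives but gains "(file missing)" means the file was deleted while its service or startup registration is still in place; entries that appear only in the second log are new persistence points to review.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread (not the full logs).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd9.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban9.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames9.exe
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\fpj6031se.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\hymon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe (file missing)
O23 - Service: windows virus scanner (windows antivirus) - Unknown owner - C:\WINNT\nav32.exe (file missing)
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O23 - Service: ...".
# Header lines and the "Running processes" paths do not match and are skipped.
LINE_RE = re.compile(r"^\s*(?P<section>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")
MISSING = " (file missing)"
UNKNOWN = " - Unknown owner - "


def parse_hjt(text):
    """Return {(section, body): file_missing} for every entry line in a log."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        missing = body.endswith(MISSING)
        if missing:
            # Strip the marker so the same entry compares equal across logs.
            body = body[: -len(MISSING)]
        entries[(m.group("section"), body)] = missing
    return entries


def compare_logs(before_text, after_text):
    """Classify entries by how they changed between two logs."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {
        # Gone from the second log: the fix removed the registration.
        "removed": sorted(k for k in before if k not in after),
        # Only in the second log: appeared between the two scans.
        "added": sorted(k for k in after if k not in before),
        # Still registered, but the file it points to no longer exists.
        "orphaned": sorted(
            k for k in after if k in before and after[k] and not before[k]
        ),
        "unchanged": sorted(
            k for k in after if k in before and after[k] == before[k]
        ),
    }


def unknown_owner_services(entries):
    """List O23 services whose owner HijackThis reports as unknown."""
    found = []
    for (section, body), missing in entries.items():
        if section != "O23" or UNKNOWN not in body:
            continue
        name, path = body.split(UNKNOWN, 1)
        found.append((name[len("Service: "):], path, missing))
    return sorted(found)


if __name__ == "__main__":
    result = compare_logs(LOG_BEFORE, LOG_AFTER)
    for label, keys in result.items():
        print(f"{label} ({len(keys)}):")
        for section, body in keys:
            print(f"  {section} - {body}")
    print("Unknown-owner services still registered:")
    for name, path, missing in unknown_owner_services(parse_hjt(LOG_AFTER)):
        print(f"  {name}: {path}" + (" [file missing]" if missing else ""))
```
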

  7. #7
    Junior Member
    Join Date
    Feb 2006
    Posts
    21

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 10:10:14 AM, 2/18/2006
    + Report-Checksum: D51FC0D3

    + Scan result:

    C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll -> Dialer.BT.a : Ignored
    HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
    HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
    HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Adware.SurfSide : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator -> Adware.UCmore : Cleaned with backup
    HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
    HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
    HKU\S-1-5-21-1177238915-688789844-1060284298-1000\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup
    HKU\S-1-5-21-1177238915-688789844-1060284298-1000\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup
    HKU\S-1-5-21-1177238915-688789844-1060284298-1000\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup
    HKU\S-1-5-21-1177238915-688789844-1060284298-1000\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
    HKU\S-1-5-21-1177238915-688789844-1060284298-1000\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
    [1108] C:\WINNT\system32\mqsystem.dll -> Adware.Look2Me : Error during cleaning
    [936] C:\WINNT\system32\mqsystem.dll -> Adware.Look2Me : Error during cleaning
    C:\Documents and Settings\Default User\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Default User\Cookies\system@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
    C:\Documents and Settings\Default User\Cookies\system@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Default User\Cookies\system@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\Default User\Cookies\system@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\Default User\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
    C:\Documents and Settings\Default User\Cookies\system@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Default User\Cookies\system@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\HGEKVLGU\ucmoreiex[1].exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\HGEKVLGU\ucmoreiex[1].exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\NFV83A8U\ucmoreiex[1].exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\NFV83A8U\ucmoreiex[1].exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\NFV83A8U\winsysban8[1].exe -> Hijacker.VB.lg : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\PQ672I4H\winsysban8[1].exe -> Hijacker.VB.lg : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\PQ672I4H\winsysupd8[1].exe -> Hijacker.StartPage.ahg : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\X4Q9AQOY\winsysupd8[1].exe -> Hijacker.StartPage.ahg : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup
    C:\Documents and Settings\Tim\Local Settings\Temp\i5.tmp -> Adware.SurfSide : Cleaned with backup
    C:\gimmygames.exe -> Downloader.VB.wd : Cleaned with backup
    C:\install.exe -> Dropper.Agent.aed : Cleaned with backup
    C:\Installer.exe -> Adware.Look2Me : Cleaned with backup
    C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
    C:\Program Files\Common Files\VCClient\SS1001.exe -> Dropper.Small.qn : Cleaned with backup
    C:\Program Files\Lycos\IEagent\CSBIINST.DLL -> Adware.ClearSearch : Cleaned with backup
    C:\Program Files\SurfSideKick 3 -> Adware.SurfSide : Cleaned with backup
    C:\Program Files\SurfSideKick 3\Ssk.exe -> Adware.SurfSide : Cleaned with backup
    C:\Program Files\SurfSideKick 3\SskCore.dll -> Adware.SurfSide : Cleaned with backup
    C:\Program Files\TheSearchAccelerator -> Adware.UCmore : Cleaned with backup
    C:\Program Files\TheSearchAccelerator\INSTALL.LOG -> Adware.UCmore : Cleaned with backup
    C:\Program Files\TheSearchAccelerator\IUCmore.dll -> Adware.UCmore : Cleaned with backup
    C:\Program Files\TheSearchAccelerator\logo.ico -> Adware.UCmore : Cleaned with backup
    C:\Program Files\TheSearchAccelerator\TBlogin.users.ucmore.com.4.5.40.0 -> Adware.UCmore : Cleaned with backup
    C:\Program Files\TheSearchAccelerator\toolbar.cfg -> Adware.UCmore : Cleaned with backup
    C:\Program Files\TheSearchAccelerator\UNWISE.EXE -> Adware.UCmore : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000254.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000334.dll -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000335.dll -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000401.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000402.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000403.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000404.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000405.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000406.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000407.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000408.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000409.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000414.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000416.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000417.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000418.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000419.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000420.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000421.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000422.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000428.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000429.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000430.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000431.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000433.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000434.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000435.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000436.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000437.TXT -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000438.TXT -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000439.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000443.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000444.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000445.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000446.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000447.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000448.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000449.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000450.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000451.TXT -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000452.TXT -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000453.TXT -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000454.TXT -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000461.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000463.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000464.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000465.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000466.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000467.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000471.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000472.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000473.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000476.TXT -> TrackingCookie.Overture : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000477.TXT -> TrackingCookie.Overture : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000481.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000482.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000483.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000484.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000485.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000486.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000487.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000488.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000489.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000610.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000615.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000616.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000617.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000622.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000623.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000624.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000676.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000677.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000678.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000708.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000735.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000744.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000745.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000746.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000747.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000748.TXT ->

  8. #8
    Junior Member
    Join Date
    Feb 2006
    Posts
    21

    Default

    TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000749.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000750.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000751.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000752.TXT -> TrackingCookie.Valuead : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000753.TXT -> TrackingCookie.Valuead : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000754.TXT -> TrackingCookie.Valuead : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000755.TXT -> TrackingCookie.Valuead : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000756.TXT -> TrackingCookie.Valuead : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000761.TXT -> TrackingCookie.Liveperson : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000762.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000767.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000768.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000769.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000783.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000784.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000785.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000791.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000792.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000793.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000794.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000795.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000797.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000801.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000802.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000803.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000842.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000843.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000844.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000845.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000846.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000847.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000849.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000850.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000851.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000852.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000855.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000856.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000857.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000858.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000859.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000860.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000863.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000864.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000865.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000899.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001051.EXE/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001051.EXE/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001155.EXE/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001155.EXE/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001157.EXE -> Hijacker.VB.lg : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001264.EXE -> Hijacker.VB.lg : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001265.EXE -> Hijacker.StartPage.ahg : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001368.EXE -> Hijacker.StartPage.ahg : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001492.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001493.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001494.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001495.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001496.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001497.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001498.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001499.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001500.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001501.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001502.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001503.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001504.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001518.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001522.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001523.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001524.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001525.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001526.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001527.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001531.TXT -> TrackingCookie.Burstnet : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001533.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001534.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001535.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001536.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001539.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001540.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001541.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001542.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001546.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001547.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001548.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001551.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001552.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001553.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001555.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001556.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001557.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001567.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001571.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001572.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001573.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001574.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001575.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001576.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001577.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001578.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001579.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001580.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001581.TXT -> TrackingCookie.2o7 : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001582.TXT -> TrackingCookie.2o7 : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001586.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001587.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001588.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001589.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001715.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001737.EXE/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001737.EXE/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001782.EXE -> Adware.SurfSide : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001793.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00001796.TXT -> TrackingCookie.Liveperson : Cleaned with backup
    C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
    C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\windows\winsysban8.exe -> Hijacker.VB.lg : Cleaned with backup
    C:\windows\winsysupd8.exe -> Hijacker.StartPage.ahg : Cleaned with backup
    C:\WINNT\system32\repairs302972994.dll -> Adware.SurfSide : Cleaned with backup
    C:\WINNT\system32\wuauclt.dll -> Downloader.Qoologic.at : Cleaned with backup


    ::Report End

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    OK you have made some progress, I first want to apologize as I work so many XP machines, and I knew this was 2000. There is no Prefetch folder on this system. Let me look over the logs you have provided and I will have a better idea of your progress.

    I won't comment on each thing you mention unless I think you did not handle the situation correctly, so far you are doing great. I do suggest you keep this computer offline as much as possible, this junk does and has attracted more junk.

    I will tell you we have our work cut out for us, this item: O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\hymon.dll was not in the first log, and I can't identify it. Probably Look2me adware and hard to remove. I am very concerned about this item and will ask you to run a tool to hopefully remove it first.

    ewido anti-malware - Scan report Created on: 10:10:14 AM, 2/18/2006

    C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll -> Dialer.BT.a : Ignored
    I believe this item is bad and should be removed. Email Yahoo tech support and ask about it if you are not sure.

    [1108] C:\WINNT\system32\mqsystem.dll -> Adware.Look2Me : Error during <<< the infection that showed up in the new log. ewido can't remove it.

    C:\RECYCLER\NPROTECT\ <<< Norton's version of the recycle bin that they add. You need to locate the bin highlighted in red and delete the contents of the folder.
    You will probably need these instructions: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Lots of nasty cookies, I will give you this information now to help you control these and you can apply it once you are clean:
    http://www.mvps.org/winhelp2002/cookies.htm
    http://www.microsoft.com/windows/ie/...cy/config.mspx

    The instructions start here when you have completed any above instructions.

    1) Please download Look2Me-Destroyer.exe to your desktop.
    http://www.atribune.org/public-beta/...-Destroyer.exe
    Close all windows before continuing.
    Double-click Look2Me-Destroyer.exe to run it.
    Put a check next to Run this program as a task.
    You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    Once it's done scanning, click the Remove L2M button.
    You will receive a Done Scanning message, click OK.
    When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    Your computer will then shutdown.
    Turn your computer back on.
    Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. <<< we will do this later
    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new...b/MSWINSCK.OCX

    2) We need to disable the bad services, this instruction is for XP but it should be much the same for your OS. Once Disabled we can remove it later.

    A) Disable the offending Service
    Click Start < Run and type services.msc.
    Scroll down to Command Service and right click on it.
    Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

    B) Disable the offending Service
    Click Start < Run and type services.msc.
    Scroll down to windows virus scanner and right click on it.
    Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

    3) Use this information to enter safe mode: http://www.computerhope.com/issues/chsafe.htm#02 Make sure you are looking at the info for your Operating System.
    Once you are in Safe Mode, start ewido and choose scanner then complete system scan. Allow ewido to delete anything it finds unless you are sure it is not bad. Save that scan report I must see it.

    4) Stay in safe mode and Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll (file missing
    O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
    O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
    O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\hymon.dll (may be gone)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe (file missing)
    O23 - Service: windows virus scanner (windows antivirus) - Unknown owner -C:\WINNT\nav32.exe (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Enable hidden files&folders..reverse the process when finished.
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\Program Files\Common Files\VCClient\ >>> folder

    (remember these may be listed as C:\Windows\) (was this an install of 2000 over another operating system?)

    C:\WINNT\system32\hymon.dll >>> file (may be gone)

    C:\WINNT\VGlt\ >>> folder

    C:\WINNT\nav32.exe >>> file

    Restart the computer and post the contents of C:\Look2Me-Destroyer.txt, the ewido scan results, a new HJT log, answers to any questions I asked and your feedback, let me know how the computer is running and how you are doing.

    Thanks...Phil
    Last edited by pskelley; 2006-02-18 at 14:22.
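
Added example, not part of the original thread: the reply above reads the ewido report by picking out the entries that were not cleaned ("Ignored", "Error during") from the many cleaned tracking cookies. This Python sketch does the same triage over sample lines copied from the thread; the function names, and the reading of the bracketed number as a process id, are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: report lines quoted in this thread, including the entry
# that was cut in half where the report was split across two posts.
SAMPLE_REPORT = r"""
ewido anti-malware - Scan report
[1108] C:\WINNT\system32\mqsystem.dll -> Adware.Look2Me : Error during
C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll -> Dialer.BT.a : Ignored
C:\Documents and Settings\Tim\Cookies\tim@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00000749.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00001715.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\ucmoreiex.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
C:\ucmoreiex.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
C:\WINNT\system32\wuauclt.dll -> Downloader.Qoologic.at : Cleaned with backup
C:\RECYCLER\NPROTECT\00000748.TXT ->
::Report End
"""

# "[pid] path -> Detection.Name : Action"; the "[pid]" prefix is optional.
LINE_RE = re.compile(
    r"^\s*(?:\[(?P<pid>\d+)\]\s+)?"
    r"(?P<path>[A-Za-z]:\\.*?)\s+->\s+"
    r"(?P<detection>\S+)\s+:\s+(?P<action>.+?)\s*$"
)


@dataclass(frozen=True)
class Finding:
    pid: Optional[int]       # assumed: process the module was loaded in
    container: str           # file on disk
    member: Optional[str]    # entry inside an installer/archive, if any
    detection: str
    action: str

    @property
    def category(self) -> str:
        return self.detection.split(".", 1)[0]

    @property
    def cleaned(self) -> bool:
        return self.action.lower().startswith("cleaned")


def parse_report(text):
    """Return (findings, malformed); malformed holds entries that cannot be parsed."""
    findings, malformed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if "->" not in line:
            continue  # header, blank line or "::Report End"
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)  # e.g. an entry truncated by a post-length limit
            continue
        # Windows paths never contain "/", so it separates container from member.
        container, _, member = m["path"].partition("/")
        findings.append(Finding(
            pid=int(m["pid"]) if m["pid"] else None,
            container=container,
            member=member or None,
            detection=m["detection"],
            action=m["action"],
        ))
    return findings, malformed


def triage(findings):
    """Summarise what still needs attention after the scanner's own cleanup."""
    return {
        # Anything the scanner ignored or failed on needs manual follow-up.
        "unresolved": [f for f in findings if not f.cleaned],
        # Modules seen inside a running process at scan time.
        "loaded": [f for f in findings if f.pid is not None],
        "by_category": Counter(f.category for f in findings),
        # Archive members share one file on disk, so each container counts once.
        "non_cookie_files": sorted({f.container.lower() for f in findings
                                    if f.category != "TrackingCookie"}),
    }


if __name__ == "__main__":
    found, bad = parse_report(SAMPLE_REPORT)
    summary = triage(found)
    for f in summary["unresolved"]:
        print(f"FOLLOW UP: {f.container} ({f.detection}) -> {f.action}")
    print("By category:", dict(summary["by_category"]))
    print("Unparsed entries:", bad)
```
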

  10. #10
    Junior Member
    Join Date
    Feb 2006
    Posts
    21

    Default

    Hi, thanks for getting back to me so fast.

    This thing is ok, I think;
    C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll -> Dialer.BT.
    BT stands for British Telecom, and their Anytime Signup offer was my old dial up connection. I can certainly delete it though, should I just use explorer?

    I deleted the contents of the NPROTECT folder.

    Downloaded and ran Look2Me-Destroyer.exe as you said, and I'll post the txt file.

    Went into safe mode, no problems, and ran Ewido. Only found about 60 things this time, as opposed to 300 before. I'll post the report.

    When I ran HJT, a few things were missing from the report, so I couldn't fix them. These were:

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\VGlt\command.exe (file missing)
    O23 - Service: windows virus scanner (windows antivirus) - Unknown owner -C:\WINNT\nav32.exe (file missing)

    When I went to delete the folders using explorer, these folders were not present:

    C:\WINNT\system32\hymon.dll >>> file (may be gone)

    C:\WINNT\VGlt\ >>> folder

    C:\WINNT\nav32.exe >>> file

    The computer seems to be running much better, seems much more stable.
    Are we winning?!
    Thanks
    Dillon
