
Thread: Command Service /Network Monitor

  1. #11
    Junior Member
    Join Date
    Feb 2006
    Posts
    21


    Logfile of HijackThis v1.99.1
    Scan saved at 2:32:31 PM, on 2/18/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
    O1 - Hosts: MZ@ !L!This program cannot be run in DOS mode.
    O1 - Hosts: $A䎮A䎮A䎮A䏮t䎮H䎮A䎮{䎮RichA䎮PELH6  hJ %Xrd.text2gh `.dataI*n@vvvvvvjvvv wss t
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140046040188
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  2. #12
    Junior Member
    Join Date
    Feb 2006
    Posts
    21


    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 2:12:05 PM, 2/18/2006
    + Report-Checksum: 19D8D9B4

    + Scan result:

    C:\Documents and Settings\Tim\Cookies\tim@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Tim\Cookies\tim@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
    C:\Program Files\Internet Explorer\BT Yahoo! Anytime SignUp\btwebcontrol.dll -> Dialer.BT.a : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000012.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000013.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000014.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000015.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000016.TXT -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000017.TXT -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000018.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000019.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000020.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000021.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000022.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000023.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000024.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000033.DLL -> Adware.Look2Me : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000034.DLL -> Adware.Look2Me : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000035.dll -> Adware.Look2Me : Cleaned with backup
    C:\RECYCLER\NPROTECT\00000036.dll -> Adware.Look2Me : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1277.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1278.TXT -> TrackingCookie.Adrevolver : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1279.TXT -> TrackingCookie.Addynamix : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1280.TXT -> TrackingCookie.Com : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1281.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1282.TXT -> TrackingCookie.Findwhat : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1283.TXT -> TrackingCookie.2o7 : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1284.TXT -> TrackingCookie.Overture : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1285.TXT -> TrackingCookie.2o7 : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1286.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1287.TXT -> TrackingCookie.Adrevolver : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1288.TXT -> TrackingCookie.Falkag : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1289.TXT -> TrackingCookie.Burstnet : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1290.TXT -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1291.TXT -> TrackingCookie.Clickbank : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1292.TXT -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1293.TXT -> TrackingCookie.Findwhat : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1294.TXT -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1295.TXT -> TrackingCookie.Overture : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1296.TXT -> TrackingCookie.Paypopup : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1297.TXT -> TrackingCookie.Valuead : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1298.TXT -> TrackingCookie.Liveperson : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1299.TXT -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1300.TXT -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1301.TXT -> TrackingCookie.Tacoda : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1302.TXT -> TrackingCookie.Trafic : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1303.EXE -> Downloader.VB.wd : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1304.exe -> Dropper.Agent.aed : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1305.EXE -> Adware.Look2Me : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1306.EXE -> Downloader.Small.buy : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1307.exe -> Dropper.Small.qn : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1308.DLL -> Adware.ClearSearch : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1309.exe -> Adware.SurfSide : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1310.dll -> Adware.SurfSide : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1312.dll -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1317.EXE -> Downloader.TSUpdate.o : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1318.EXE/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1318.EXE/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1319.EXE -> Hijacker.VB.lg : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1320.EXE -> Hijacker.StartPage.ahg : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1177238915-688789844-1060284298-1000\Dc1321.DLL -> Adware.SurfSide : Cleaned with backup


    ::Report End

  3. #13
    Junior Member
    Join Date
    Feb 2006
    Posts
    21


    Look2Me-Destroyer V1.0.6

    Scanning for infected files.....
    Scan started at 2/18/2006 1:25:03 PM

    Infected! C:\WINNT\system32\j8j60i1se8.dll
    Infected! C:\RECYCLER\NPROTECT\00000000.dll
    Infected! C:\WINNT\system32\g422lefo1h2c.dll
    Infected! C:\WINNT\system32\j8j60i1se8.dll
    Infected! C:\WINNT\system32\moafd.dll
    Infected! C:\WINNT\system32\mqsystem.dll

    Attempting to delete infected files...

    Attempting to delete: C:\WINNT\system32\j8j60i1se8.dll
    C:\WINNT\system32\j8j60i1se8.dll Deleted successfully!

    Attempting to delete: C:\RECYCLER\NPROTECT\00000000.dll
    C:\RECYCLER\NPROTECT\00000000.dll Deleted successfully!

    Attempting to delete: C:\WINNT\system32\g422lefo1h2c.dll
    C:\WINNT\system32\g422lefo1h2c.dll Deleted successfully!

    Attempting to delete: C:\WINNT\system32\j8j60i1se8.dll
    C:\WINNT\system32\j8j60i1se8.dll Deleted successfully!

    Attempting to delete: C:\WINNT\system32\moafd.dll
    C:\WINNT\system32\moafd.dll Deleted successfully!

    Attempting to delete: C:\WINNT\system32\mqsystem.dll
    C:\WINNT\system32\mqsystem.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0206D230-F139-489A-A96E-39F50539ACD3}"
    HKCR\Clsid\{0206D230-F139-489A-A96E-39F50539ACD3}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

  4. #14
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Dillon, we are malware warriors fighting evil, of course we are winning. You may leave the Yahoo item alone if you believe it is safe, or delete it as you wish. I don't see that issue as the source of the problem you had.

    ewido anti-malware - Scan report Created on: 2:12:05 PM, 2/18/2006

    You still have junk here: C:\RECYCLER\NPROTECT\ <<< delete the contents of that folder in red

    C:\RECYCLER\ <<< this would be the Recycler for Windows, delete the contents of the folder in red. You may need to have hidden files and folders showing to do this for either; if it gives you a problem, move to safe mode and do it there.
    ewido actually only displayed a few cookies on the system, I gave you information earlier to control those. The rest of the ewido scan report is junk that had been removed and you are storing it in trash bins...

    Logfile of HijackThis v1.99.1 Scan saved at 2:32:31 PM, on 2/18/2006

    Some kind of weird results in your hosts file? I would like you to download this program: http://www.funkytoad.com/hoster.htm when you have it then use option #4 (four) to restore your original Hosts file.

    Looks like they updated a little, the correct button is "Restore Microsoft's Original Hosts file".

    The balance of the log looks great, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://boards.cexx.org/viewtopic.php?t=957
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    I would also like to get this done if you did not do it yet:
    If you don't have a good cleaner, use this one with these instructions:
    Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
    Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

    Earlier programs we could not run, some computers just won't run every program, but I feel the ones I asked for are important in the overall routine of keeping junk off the computer. You will find this information in the messages from the experts I posted. What I would like you to do is, being careful of where you go until you have reviewed that information, run for 24 hours, then post a fresh HJT log along with any comments you have. I have a little more information for you and you should be good to go.

    Thanks...Phil
    Last edited by pskelley; 2006-02-18 at 16:27.
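The first HijackThis log in this thread lists O1 Hosts entries that begin with an MZ header and the DOS stub text, which means the hosts file had been overwritten with an executable rather than with hostname mappings; that is what prompts the hosts-file restore above. The script below is an added example, not part of the thread and not code from HijackThis, Spybot, ewido or Hoster: it splits HijackThis-style lines into section/detail records and flags O1 entries that cannot be hosts-file text (PE markers, non-text characters, or a line that is not "address hostname"). The sample log is constructed for illustration with placeholder hosts and URLs, and all function names are the example's own.

```python
"""Triage helper for HijackThis-style logs: flags O1 Hosts entries that are
not plausible hosts-file text (added example; assumptions labelled below)."""
import re
from typing import Optional

# Constructed sample log: three O1 lines shaped like the ones in the thread
# (an MZ header line, a line of non-text bytes stood in for by CJK-range
# characters, and one ordinary mapping) plus two non-O1 lines for contrast.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.example.invalid/
O1 - Hosts: MZ@ !L!This program cannot be run in DOS mode.
O1 - Hosts: $A\u43aeA\u43aeRichA\u43aePELH6  hJ %Xrd.text2gh `.dataI*n@vvvv
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"""

# HijackThis lines look like "<section> - <detail>", e.g. "O1 - Hosts: ...".
HJT_LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2})\s+-\s+(?P<detail>.+)$")

# A plausible hosts entry: an IPv4 address or an IPv6 address (must contain a
# colon), one or more host names, optional trailing comment; or a comment line.
HOSTS_ENTRY_RE = re.compile(
    r"^\s*(?:#.*|(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]*)"
    r"\s+[A-Za-z0-9.\-]+(?:\s+[A-Za-z0-9.\-]+)*\s*(?:#.*)?)$"
)


def parse_hjt_log(text: str) -> list[tuple[str, str]]:
    """Return (section, detail) pairs for every line that looks like an HJT item."""
    records = []
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if m:
            records.append((m.group("section"), m.group("detail")))
    return records


def classify_hosts_entry(entry: str) -> Optional[str]:
    """Return a reason string if the entry is not hosts-file text, else None.

    Checks run from most to least specific: a PE/DOS-stub marker means the
    hosts file is actually a binary; any control or non-ASCII character means
    non-text content; anything else must at least parse as an address line.
    """
    if entry.startswith("MZ") or "cannot be run in DOS mode" in entry:
        return "pe-executable"
    if any(ord(c) < 32 or ord(c) > 126 for c in entry):
        return "non-text"
    if not HOSTS_ENTRY_RE.match(entry):
        return "malformed"
    return None


def triage(text: str) -> list[dict]:
    """Collect suspicious O1 Hosts entries from an HJT log as finding dicts."""
    findings = []
    for section, detail in parse_hjt_log(text):
        if section != "O1":
            continue
        entry = detail.removeprefix("Hosts:").strip()
        reason = classify_hosts_entry(entry)
        if reason:
            findings.append({"section": section, "entry": entry, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['reason']}: {f['entry'][:40]!r}")
```

Run against the constructed sample it reports the MZ line as "pe-executable" and the garbage line as "non-text", while the ordinary 127.0.0.1 mapping passes. A real hosts file that has been replaced by a binary will not be repaired by editing it as text, which is why the advice above is to restore the default file outright.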

  5. #15
    Junior Member
    Join Date
    Feb 2006
    Posts
    21


    Thanks for all this, I think this is all so fascinating. I think I'm starting to see what needs doing, and unusual results and things.
    I have to leave what you asked for until tomorrow, I won't be able to do anymore until tomorrow night. I'll let you know how I get on, and then post you the HJT logs 24 hours after that.
    Thanks again, this has been very helpful.
    Dillon

  6. #16
    Junior Member
    Join Date
    Feb 2006
    Posts
    21


    Hi there.

    No real problems with the computer over the last 24 hours, no more pop ups when surfing, everything seems much smoother than it was.

    I tried to empty C:\RECYCLER, but I could not delete this folder:
    S-1-5-21-1177238915-688789844-1060284298-1000
    The error message says there is a sharing violation. I tried it in Safe Mode as well, with the same result.

    I ran a SpyBot search, and it still detected:
    Command Service (6 entries)
    CoolWWWSearch (1 entry)
    Network Monitor (6 entries)
    UCmore (4 entries)
    Web-Nexus (3 entries)

    I didn't fix them, I thought I would ask you first.

    Ran Ewido, nothing detected.

    Ran HJT, and here is the log.

    Hope all's well, thanks again for the help.
    Dillon

  7. #17
    Junior Member
    Join Date
    Feb 2006
    Posts
    21


    Logfile of HijackThis v1.99.1
    Scan saved at 6:19:31 PM, on 2/21/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1140046040188
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

  8. #18
    Junior Member
    Join Date
    Feb 2006
    Posts
    21


    Oh, I forgot to mention that I installed and ran CCleaner, it cleaned up heaps of rubbish.

    Dillon

  9. #19
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    OK Dillon, glad to hear you are running better, let's see what we can do with the rest of this junk:
    I tried to empty C:\RECYCLER, but I could not delete this folder:
    S-1-5-21-1177238915-688789844-1060284298-1000
    Don't fret about that one, as long as it is in C:\RECYCLER bin it is not on your computer.
    I ran a SpyBot search, and it still detected:
    Command Service (6 entries)
    CoolWWWSearch (1 entry)
    Network Monitor (6 entries)
    UCmore (4 entries)
    Web-Nexus (3 entries)
    Spybot puts a backup in the Recovery, I think you will find the Command item is a false positive, make sure you have the latest updates, but you can delete all of that junk. After a few days open the Recovery area and delete it from there.

    Your HJT log is clean you have worked hard to get it that way and here is some information to help you keep it like that. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://boards.cexx.org/viewtopic.php?t=957
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    CCleaner is yours to keep, they update a lot so check it about once a month or so, ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

    System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    Safe surfing...Phil

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher, If you are reading it in English...thank a soldier.

  10. #20
    Junior Member
    Join Date
    Feb 2006
    Posts
    21


    Well, thanks very much for your help, I'm really pleased everything's worked. I'll do the last bits you said.
    It's really opened my eyes to what goes on on the web, and I'll keep monitoring the forum to see what's going on.
    Thanks again
    Dillon
