anything abnormal.....


s_beckerle

Logfile of HijackThis v1.99.1
Scan saved at 4:59:34 AM, on 12/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
C:\Program Files\1114_Fiberlink\Fgrd.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINNT\system32\taskmgr.exe
D:\firefox.exe
D:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\ctfmon.exe
D:\Documents and Settings\CXUser.BKLOSTERMAN\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - D:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=082405 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [4F6S34O] wmnpmon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STOPzilla] D:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKCU\..\Run: [ruqm] C:\PROGRA~1\COMMON~1\ruqm\ruqmm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon] C:\WINNT\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124703362344
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: FGR Service - Fiberlink Communications Corporation - C:\Program Files\1114_Fiberlink\Fgrd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
 
Hi and Welcome to TF

Yup....bad guys present.

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and that it's installed in its own folder on the root drive. (C:\HJT)

Download and install Cleanup but DO NOT run it yet!

Download, install, and update Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O4 - HKLM\..\Run: [4F6S34O] wmnpmon.exe
O4 - HKCU\..\Run: [ruqm] C:\PROGRA~1\COMMON~1\ruqm\ruqmm.exe


C:\PROGRA~1\COMMON~1\ruqm <--delete that folder

wmnpmon.exe <--locate and delete that file

Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Reboot back to normal mode...

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
    • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
    • Click on see report. Then click Save report

Please post that log in your next reply along with the Ewido log and a new hijackthis log.

*Note* I also need the following info...

Please visit this website - http://virusscan.jotti.org/
Submit these file(s) for a comprehensive scan & then post the results back here

C:\WINNT\ctfmon.exe
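The two O4 entries singled out above ([4F6S34O] wmnpmon.exe and [ruqm] ruqmm.exe) stand out from the rest of the Run list for reasons a defender can encode. The script below is an added example, not part of the original thread or of HijackThis: it parses O4 Run lines in HijackThis format and flags entries on three heuristics (a jumbled letters-and-digits value name, an executable given with no path, a short value name that matches its own parent folder). The sample lines are constructed from the log posted in this thread, and the KNOWN_SYSTEM_BINARIES allowlist is an illustrative assumption, not an authoritative list of Windows binaries.

```python
"""Triage HijackThis O4 (autostart) lines with a few defender heuristics.

Added example for this thread; not code from HijackThis or the original posts.
The sample log is constructed from entries quoted in the thread, and the
allowlist below is an illustrative assumption rather than an authoritative list.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the O4 lines quoted in the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe
O4 - HKLM\\..\\Run: [4F6S34O] wmnpmon.exe
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [Symantec NetDriver Monitor] C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [ruqm] C:\\PROGRA~1\\COMMON~1\\ruqm\\ruqmm.exe
O4 - HKCU\\..\\Run: [ctfmon] C:\\WINNT\\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
"""

# Illustrative allowlist (assumption): OS binaries that legitimately appear
# without a path because Windows resolves them from the system directory.
KNOWN_SYSTEM_BINARIES = {"mobsync.exe", "ctfmon.exe"}

# "O4 - HKLM\..\Run: [value name] command line"
RUN_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First .exe in the command, with or without surrounding quotes; arguments follow it.
EXE_IN_CMD = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)
# Value names made only of capitals and digits, e.g. 4F6S34O.
RANDOM_NAME = re.compile(r"^[A-Z0-9]{5,}$")


def parse_run_entries(log_text):
    """Yield (hive, value_name, exe_path) for every O4 Run line in the log."""
    for line in log_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        exe = EXE_IN_CMD.match(m["cmd"])
        yield m["hive"], m["name"], exe["exe"] if exe else m["cmd"]


def suspicious_reasons(name, exe_path):
    """Return the heuristic reasons an autostart entry deserves a closer look."""
    reasons = []
    path = PureWindowsPath(exe_path)
    # 1. Letters and digits jumbled together, as in [4F6S34O].
    if RANDOM_NAME.match(name) and any(c.isdigit() for c in name) and any(c.isalpha() for c in name):
        reasons.append("random-looking value name")
    # 2. Bare file name: Windows has to search for it, and it is not a known OS binary.
    if len(path.parts) == 1 and path.name.lower() not in KNOWN_SYSTEM_BINARIES:
        reasons.append("executable given without a path")
    # 3. A short value name that is also its own folder (ruqm\ruqmm.exe) is typical of adware droppers.
    if len(path.parts) > 1 and len(name) <= 5 and path.parent.name.lower() == name.lower():
        reasons.append("value name matches its own parent folder")
    return reasons


def triage(log_text):
    """Map each flagged value name to its reasons; entries with no reasons are omitted."""
    flagged = {}
    for _hive, name, exe in parse_run_entries(log_text):
        reasons = suspicious_reasons(name, exe)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"[{name}]: {'; '.join(reasons)}")
```

Run against the sample, it reports only [4F6S34O] and [ruqm], the same two entries the helper asked to fix. The allowlist matters: mobsync.exe is also listed without a path, but it is a legitimate Windows component, so a bare-name rule without an allowlist would produce a false positive there. Short 8.3 paths (PROGRA~1, SYMNET~1) are deliberately not treated as a signal on their own, since Symantec's own entry uses them.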
 
PANDA...
Incident Status Location

Adware:adware/sqwire Not disinfected C:\PROGRAM FILES\COMMON FILES\tsa
Adware:adware/dealhelper Not disinfected C:\WINNT\SYSTEM32\Newmsrdk
Adware:adware/cws Not disinfected D:\Documents and Settings\CXUser.BKLOSTERMAN\Favorites\Fun & Games
Adware:adware/savenow Not disinfected Windows Registry
Spyware:Spyware/Apropos Not disinfected D:\Yahoo!\YPSR\Quarantine\ppq4D.tmp\ace.dll
Spyware:Spyware/Apropos Not disinfected D:\Yahoo!\YPSR\Quarantine\ppq4D.tmp\CxtPls.exe
Spyware:Spyware/Apropos Not disinfected D:\Yahoo!\YPSR\Quarantine\ppq4D.tmp\plg0\cxtpls.dll
Spyware:Spyware/Apropos Not disinfected D:\Yahoo!\YPSR\Quarantine\ppq4D.tmp\WinGenerics.dll


EWIDO...
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:44:35 AM, 1/3/2006
+ Report-Checksum: CE5F680D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Rotue -> Spyware.InternetOptimizer : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\S4PLUGIN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq103.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq104.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1F.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq30.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB8.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBA.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBB.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBC.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBD.tmp -> Spyware.Cookie.Revenue : Cleaned with backup
C:\WINNT\Downloaded Program Files\UWFX5_0001_N57M2112NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.b : Cleaned with backup
D:\bklosterman\Local Settings\Temporary Internet Files\Content.IE5\9RHOD2MN\weather[1].htm -> Spyware.BookedSpace : Cleaned with backup
D:\bklosterman\Local Settings\Temporary Internet Files\Content.IE5\CTIZ81IJ\today_aries[1].htm -> Spyware.BookedSpace : Cleaned with backup
D:\bklosterman\Local Settings\Temporary Internet Files\Content.IE5\DH4H3JVQ\plusone_aries[1].htm -> Spyware.BookedSpace : Cleaned with backup
D:\bklosterman\Local Settings\Temporary Internet Files\Content.IE5\OXQNK1Q7\jobs[1].htm -> Spyware.BookedSpace : Cleaned with backup
D:\bklosterman\Local Settings\Temporary Internet Files\Content.IE5\RYVV6EYH\index[1].htm -> Spyware.BookedSpace : Cleaned with backup
D:\Documents and Settings\CXUser.BKLOSTERMAN\Desktop\backups\backup-20051115-011810-478.dll -> Spyware.MySearch : Cleaned with backup
D:\Documents and Settings\CXUser.BKLOSTERMAN\My Documents\hijackthis\backup files\backup-20050608-055145-350.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
D:\plugins\NPMySrch.dll -> Spyware.MyWebSearch : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq11A.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq11D.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq11E.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq11F.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq120.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq121.tmp -> Spyware.Cookie.Burstnet : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq122.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq123.tmp -> Spyware.Cookie.Clickagents : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq125.tmp -> Spyware.Cookie.Com : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq126.tmp -> Spyware.Cookie.Pro-market : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq127.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq129.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq12A.tmp -> Spyware.Cookie.Findwhat : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq12C.tmp -> Spyware.Cookie.Linksynergy : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq12E.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq12F.tmp -> Spyware.Cookie.Qksrv : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq130.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq132.tmp -> Spyware.Cookie.Realtracker : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq133.tmp -> Spyware.Cookie.Revenue : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq135.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq136.tmp -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq137.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq138.tmp -> Spyware.Cookie.Tradedoubler : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq13A.tmp -> Spyware.Cookie.Tribalfusion : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq13B.tmp -> Spyware.Cookie.Valueclick : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq13C.tmp -> Spyware.Cookie.Webtrendslive : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq13E.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq9C.tmp -> Spyware.AproposMedia : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppq9E.tmp\AutoUpdate.exe -> Downloader.Apropo.g : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppqAF.tmp -> Spyware.AproposMedia : Cleaned with backup
D:\Yahoo!\YPSR\Quarantine\ppqB0.tmp -> Downloader.Apropo.g : Cleaned with backup


::Report End

HIJACK.....
Logfile of HijackThis v1.99.1
Scan saved at 3:15:29 AM, on 1/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\1114_Fiberlink\Fgrd.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\STOPzilla!\STOPzilla.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\taskmgr.exe
D:\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\CXUser.BKLOSTERMAN\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - D:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=082405 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STOPzilla] D:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon] C:\WINNT\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124703362344
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FGR Service - Fiberlink Communications Corporation - C:\Program Files\1114_Fiberlink\Fgrd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe
 
Now what........and by the way....that panda one...took forever....but thank you for all your help so far.....what's the next move
 
Open the Yahoo program and empty the Quarantine folder.

Delete these folders.

C:\PROGRAM FILES\COMMON FILES\tsa

C:\WINNT\SYSTEM32\Newmsrdk

D:\Documents and Settings\CXUser.BKLOSTERMAN\Favorites\Fun & Games

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.


Question:

Are these entries related to your ISP provider??

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
 

The noam and cemexnet are company names of some sort.....this was a company laptop....my ISP I'm not 100% sure of due to me being at work on my personal laptop going through their broadband.....but noam and cemexnet are, I'm guessing, either the person before me who ran this laptop, or the company. Also I'm not sure how to empty the quarantine folder from yahoo.....where is it located?
 
New HIJACK.....
Logfile of HijackThis v1.99.1
Scan saved at 5:17:59 AM, on 1/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\Program Files\Common Files\STOPzilla!\SZServer.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\SYSTEM32\DWRCS.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\1114_Fiberlink\Fgrd.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\CCM\CcmExec.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\msiexec.exe
D:\firefox.exe
C:\WINNT\system32\taskmgr.exe
D:\Documents and Settings\CXUser.BKLOSTERMAN\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - D:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - D:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Picasa Media Detector] D:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=082405 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STOPzilla] D:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon] C:\WINNT\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124703362344
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = noam.cemexnet.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: STOPzilla - C:\WINNT\SYSTEM32\IS3WLHandler.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FGR Service - Fiberlink Communications Corporation - C:\Program Files\1114_Fiberlink\Fgrd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe

APROPOSFIX....I don't think this came out right.....
Log of AproposFix v1

************

Running from directory:
D:\Documents and Settings\CXUser.BKLOSTERMAN\Desktop\aproposfix

************

Registry entries found:
 
Doesn't look like you did it right. Do it again...make sure you're in "Safe Mode" when it's run and shut down all other programs and windows. The tool removes a rootkit infection.

No clue about Yahoo...as it's junk and I've never used it. Just delete all files in this folder...D:\Yahoo!\YPSR\Quarantine
 
Log of AproposFix v1

************

Running from directory:
D:\Documents and Settings\CXUser.BKLOSTERMAN\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\C6PW3AHEgTmD]
@="l4t\\6wtFGGFGGHGfliwt8xFGGFVIGpbggmG7D78x1MLGw6\\Ax67G2w4w0vH7D7"
"Device"="\\\\.\\MSPdate"
"DriverPath"="C:\\WINNT\\system32\\drivers\\ndpdlc.sys"
"DriverName"="Spairda"
"HideUninstallerName"="C:\\Program Files\\Intpoint\\drwmshta.exe"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="WB.OLD"
"InstallationId"="{X71bd0a4-9009-5dc0-05e9-f5ce159f84d5}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Intpoint\\dtccalui.exe"
"AutoUpdater"="C:\\WINNT\\system32\\srvicore.exe"
"Version"="2.0.131"
"LastAURestoreMsgTS"="2006:01:03-09:50:36:655"
"CrMnTmt"=dword:0036ee80

************

Removing hidden service:
Service Spairda removed.

Removing hidden folder:
Deletion of folder Intpoint succeeded!

Deleting files:
 