PDA

View Full Version : HiJackThis Log Help (Torpig & Spybot Freeze)



DEWbEATZ
2006-05-05, 10:25
I went through the tutorial Tashi gave me so here is my hijackthis log. I'm an newb at this type of stuff so any help is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 12:20:24 AM, on 5/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\DEWbEATZ\Desktop\BiTTorrent Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [62028833.exe] C:\WINDOWS\System32\62028833.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~2\wcescomm.exe"
O4 - HKCU\..\Run: [62028833.exe] C:\Documents and Settings\DEWbEATZ\Local Settings\Application Data\62028833.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/31da42815c2ee6edfe17/netzip/RdxIE601.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\jeiebclj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

DEWbEATZ
2006-05-06, 21:05
???bump???

pskelley
2006-05-11, 00:07
Hello and welcome to the forum. You have a bunch of nasties here, if you are still waiting for help and not being helped elsewhere. follow these directions.

1) You have called the HJT folder BiTTorrent Files and I can live with that if you do not intend to store anything other than HJT related in that folder. If you do, then move HJT to here: C:\HJT\HijackThis.exe

2) Looks like this log was created while in safe mode. That being the case I need to see all logs in Normal Mode with everything enabled in MSConfig unless I request otherwise.

3) If you still need help, post a new HJT log and I will respond as soon as possible after that with directions.
Thanks...pskelley
Safer Networking Forums

DEWbEATZ
2006-05-12, 17:15
Logfile of HijackThis v1.99.1
Scan saved at 7:13:56 AM, on 5/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\MICROS~2\wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [62028833.exe] C:\WINDOWS\System32\62028833.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\System32\winmuse.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~2\wcescomm.exe"
O4 - HKCU\..\Run: [62028833.exe] C:\Documents and Settings\DEWbEATZ\Local Settings\Application Data\62028833.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/31da42815c2ee6edfe17/netzip/RdxIE601.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\jeiebclj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

pskelley
2006-05-12, 19:31
Thanks for returning a new HJT log, here is what I see.

1) C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe See these links:
http://www.clickz.com/news/article.php/3561546
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
I suggest you use Add Remove programs to uninstall that junk.

2) None of those R1/R0 lines look healthy to me, I suggest you remove the clutter and set whatever homepage you want in IE. If you need instructions for doing this, let me know.

3) Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK. (you will want to reverse that when you are finished with this repair)

4) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/) it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)
(do Not run it yet)

4) Restart the computer in safe mode: http://www.bleepingcomputer.com/tutorials/tutorial61.html

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O4 - HKLM\..\Run: [62028833.exe] C:\WINDOWS\System32\62028833.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\System32\winmuse.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [62028833.exe] C:\Documents and Settings\DEWbEATZ\Local Settings\Application Data\62028833.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/31da4281...p/RdxIE601.cab
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\jeiebclj.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\System32\62028833.exe >>> File

C:\WINDOWS\System32\jeiebclj.dll >>> file

C:\WINDOWS\System32\0mcamcap.exe >>> file

C:\WINDOWS\SYSTEM32\xptptt.dll >>> file (this looks like Haxdoor and may be a real problem)

C:\WINDOWS\System32\winmuse.exe >>> file

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe >>> file

C:\Documents and Settings\DEWbEATZ\Local Settings\Application Data\62028833.exe >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

6) Open the ewido program and follow these directions:

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
[/list]Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


Restart your computer to Normal Mode and post the ewido scan results, a new HJT log and any comments you think will help.


Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

Thanks and we will no doubt have more to do. I was not aware this was there and it can be tough to remove. It was not showing in safe mode. You want to view this information as this one has severely compromised your security.
http://www.symantec.com/avcenter/venc/data/backdoor.haxdoor.d.html

DEWbEATZ
2006-05-13, 00:04
Here is the ewido and hijackthis log. After I did ewido in safe mode and made a svae log, I restarted and ewido had found more (or the same) issures on startup. I selected "none" for fixing problems, should I have "cleaned". Thanks for you help again. I just recieved a phone call from Road Runner/Time Warner (my isp), so I got to get rid of this asap.

Logfile of HijackThis v1.99.1
Scan saved at 2:03:57 PM, on 5/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~2\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~2\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_15.dll
O21 - SSODL: BfgdnqzIOjP - {14AAB72C-BE00-1D86-2940-9A1853EB5E68} - C:\WINDOWS\System32\bnaen.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:57:12 PM, 5/12/2006
+ Report-Checksum: 9B1F44F8

+ Scan result:

[1392] C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00010.dll -> Trojan.Sinowal.m : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Application Data\62028833.exe -> Downloader.Small.csn : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temp\010N83A070\216.tmp -> Trojan.Sinowal.n : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temp\010N83A070\2480.tmp -> Dropper.Agent.ail : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temp\czlqtdsa.exe -> Dropper.Agent.ail : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temp\rsysinit.exe -> Trojan.ExitWin.z : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temp\wqpzidss.exe -> Hijacker.Small.cc : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\A5832LE5\dlteqco[1].txt -> Hijacker.StartPage.adi : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\A5832LE5\lgonvkw[1].txt -> Hijacker.Small.kr : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\A5832LE5\runfile[1].exe -> Hijacker.Small.cc : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\CH4PANK1\ckflieqxm[1].txt -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\CH4PANK1\ponvgqnxql[1].txt -> Trojan.Sinowal.n : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\E3YR2HIJ\jemhgfdcb[1].txt -> Adware.BHO : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\E3YR2HIJ\loader[1].exe -> Downloader.Agent.akj : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\K507SNCV\3338[1].exe -> Dropper.Agent.ail : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\K507SNCV\krab02[1].exe -> Dropper.Agent.ol : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\MR4N2NU5\ksemkwvucn[1].txt -> Proxy.Small.bo : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\Z84SFXAF\mazedlwi[1].txt -> Downloader.Small.csn : Ignored
C:\Documents and Settings\DEWbEATZ\My Documents\Downloads\gozilla.exe -> Adware.EZula : Ignored
C:\kl1.exe -> Trojan.Sinowal.n : Ignored
C:\Program Files\aobeghl.exe -> Hijacker.StartPage.adi : Ignored
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.dll -> Trojan.Sinowal.m : Ignored
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00010.dll -> Trojan.Sinowal.m : Ignored
C:\Program Files\hgalrufn.exe -> Hijacker.StartPage.adi : Ignored
C:\Program Files\Internet Explorer\loader.exe -> Downloader.Agent.akj : Ignored
C:\Program Files\paytime.exe -> Hijacker.StartPage.adi : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp -> TrackingCookie.Advertising : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp -> TrackingCookie.Bfast : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp -> TrackingCookie.Bluestreak : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp -> TrackingCookie.Serving-sys : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp -> TrackingCookie.Coremetrics : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp -> TrackingCookie.Falkag : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Realtracker : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> TrackingCookie.Serving-sys : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp -> TrackingCookie.Tribalfusion : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> TrackingCookie.Statcounter : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> TrackingCookie.Targetnet : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp -> TrackingCookie.Casalemedia : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp -> TrackingCookie.Cj : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp -> TrackingCookie.Qksrv : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp -> TrackingCookie.Advertising : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp -> TrackingCookie.Sextracker : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp -> TrackingCookie.Sextracker : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> TrackingCookie.Tradedoubler : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> TrackingCookie.Trafficmp : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp -> TrackingCookie.Valueclick : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2A.tmp -> TrackingCookie.Webtrendslive : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp/clientax.dll -> Adware.180Solutions : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp/clientax.dll -> Adware.180Solutions : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp -> Adware.BargainBuddy : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq30.tmp -> TrackingCookie.Zedo : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> TrackingCookie.Ru4 : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> TrackingCookie.Revenue : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp -> Downloader.Dyfuca.ei : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> TrackingCookie.2o7 : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp -> TrackingCookie.Advertising : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D.tmp -> TrackingCookie.Atdmt : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3F.tmp -> TrackingCookie.Burstnet : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp -> TrackingCookie.Casalemedia : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq41.tmp -> TrackingCookie.Bridgetrack : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp -> TrackingCookie.Com : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq43.tmp -> TrackingCookie.Doubleclick : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq44.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq45.tmp -> TrackingCookie.Falkag : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq46.tmp -> TrackingCookie.Fastclick : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq47.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq48.tmp -> TrackingCookie.Linksynergy : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4A.tmp -> TrackingCookie.Mediaplex : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4B.tmp -> TrackingCookie.Questionmarket : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> TrackingCookie.Advertising : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp -> TrackingCookie.Sexlist : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F.tmp -> TrackingCookie.Statcounter : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> TrackingCookie.Revenue : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq50.tmp -> TrackingCookie.Trafficmp : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51.tmp -> TrackingCookie.Tribalfusion : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp -> TrackingCookie.Webtrendslive : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq54.tmp -> TrackingCookie.Adserver : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> TrackingCookie.Zedo : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> Adware.180Solutions : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5A.tmp\sais.exe -> Adware.180Solutions : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp -> TrackingCookie.Centrport : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq65.tmp -> TrackingCookie.Ru4 : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6B.tmp -> TrackingCookie.Hitslink : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6D.tmp -> TrackingCookie.Internetfuel : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F.tmp -> TrackingCookie.Mediaplex : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.Findwhat : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq72.tmp -> Adware.BargainBuddy : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73.tmp -> Adware.BargainBuddy : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq74.tmp -> TrackingCookie.Qksrv : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75.tmp -> TrackingCookie.Questionmarket : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq76.tmp -> Downloader.Dyfuca.ei : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq77.tmp -> Downloader.Dyfuca : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq78.tmp -> TrackingCookie.Tradedoubler : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7A.tmp\ysb.dll -> Downloader.IstBar.ms : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7B.tmp -> TrackingCookie.Valueclick : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq87.tmp -> TrackingCookie.Adserver : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq89.tmp -> TrackingCookie.Bfast : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9.tmp -> TrackingCookie.Burstnet : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq91.tmp -> TrackingCookie.Commission-junction : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq94.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq96.tmp -> TrackingCookie.Hitslink : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9A.tmp -> TrackingCookie.Valueclick : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9E.tmp -> Downloader.Delf.zw : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA.tmp -> TrackingCookie.Doubleclick : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA0.tmp -> Downloader.Delf.zw : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA5.tmp -> TrackingCookie.Clickbank : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA8.tmp -> TrackingCookie.Coremetrics : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA9.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAA.tmp -> TrackingCookie.Valuead : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB0.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB1.tmp -> TrackingCookie.Hitslink : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB3.tmp -> TrackingCookie.2o7 : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB4.tmp -> TrackingCookie.Atdmt : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB5.tmp -> TrackingCookie.Bluestreak : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp -> TrackingCookie.Centrport : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB7.tmp -> TrackingCookie.Bridgetrack : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBB.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBC.tmp -> TrackingCookie.Fastclick : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBD.tmp -> TrackingCookie.Hitbox : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBE.tmp -> TrackingCookie.Internetfuel : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC0.tmp -> TrackingCookie.Linksynergy : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC2.tmp -> TrackingCookie.Serving-sys : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC3.tmp -> TrackingCookie.Sexlist : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC4.tmp -> TrackingCookie.Sextracker : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC5.tmp -> TrackingCookie.Spylog : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC6.tmp -> TrackingCookie.Targetnet : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC7.tmp -> TrackingCookie.Xxxcounter : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC8.tmp -> TrackingCookie.Falkag : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC9.tmp -> TrackingCookie.Hotlog : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCD.tmp -> TrackingCookie.Sextracker : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCE.tmp -> TrackingCookie.Falkag : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp -> TrackingCookie.Sextracker : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD7.tmp -> TrackingCookie.Onestat : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD8.tmp -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDD.tmp -> TrackingCookie.Ad-flow : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqDF.tmp -> Adware.BHO : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE.tmp -> TrackingCookie.Sextracker : Ignored
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqF0.tmp -> TrackingCookie.Tacoda : Ignored
C:\RECYCLER\S-1-5-21-1993962763-1417001333-725345543-1003\Dc1.exe -> Downloader.Small.csn : Ignored
C:\RECYCLER\S-1-5-21-1993962763-1417001333-725345543-1003\Dc2.dll -> Proxy.Wopla.s : Ignored
C:\RECYCLER\S-1-5-21-1993962763-1417001333-725345543-1003\Dc3.exe -> Proxy.Small.bo : Ignored
C:\RECYCLER\S-1-5-21-1993962763-1417001333-725345543-1003\Dc4.exe -> Downloader.Agent.akj : Ignored
C:\tool1.exe -> Downloader.Small.csn : Ignored
C:\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored
C:\tool4.exe -> Adware.BHO : Ignored
C:\tool5.exe -> Hijacker.Small.kr : Ignored
C:\WINDOWS\system32\bnaen.dll -> Proxy.Agent.df : Ignored
C:\WINDOWS\system32\dcom_15.dll -> Proxy.Xmiler.a : Ignored
C:\WINDOWS\system32\gmihnofm.exe -> Proxy.Wopla.r : Ignored
C:\WINDOWS\system32\jkohjkpi.exe -> Proxy.Wopla.r : Ignored
C:\WINDOWS\system32\k40d2x.dll -> Trojan.Kolweb.f : Ignored
C:\WINDOWS\system32\TheMatrixHasYou.exe -> Proxy.Small.bo : Ignored


::Report End

pskelley
2006-05-13, 00:27
I selected "none" for fixing problems, should I have "cleaned". Yes, of course. how can ewido remove the stuff if you tell it to ignore it. Before you run ewido again,

Open this: C:\Program Files\Yahoo!\YPSR\Quarantine\ <<< quarantine folder and delete all of the stuff in it[/BYou have also picked up another infection. You must keep this computer offline until it is fixed. You also still have the Haxdoor trojan so I will provide the start of the fix for it, this fix will not work if you do not follow directions. Read the instructions and follow them carefully.

Please follow these directions and in the posted order.

1) Download [b]haxfix.exe (http://users.telenet.be/marcvn/tools/haxfix.exe)
and save it to your Desktop.

Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix


Select option 1. Make logfile by typing 1 and then pressing Enter
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
Copy the contents of that logfile and paste it into this thread.



(make sure files and folder are still unhidden)


2) Boot to safe mode, Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_15.dll
O21 - SSODL: BfgdnqzIOjP - {14AAB72C-BE00-1D86-2940-9A1853EB5E68} - C:\WINDOWS\System32\bnaen.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Look for these files and delete them:

C:\WINDOWS\SYSTEM32\xptptt.dll

C:\WINDOWS\System32\dcom_15.dll

C:\WINDOWS\System32\bnaen.dll

3) Now run ewido, make sure you deleted those Yahoo quarantined items before you do this, we do not need to see them again.

restart to normal mode and post the Haxfix log, ewido scan report and a new HJT log.

Thanks...

DEWbEATZ
2006-05-13, 02:39
Thanks again for your help...This "xptptt" file shows up repetitively by ewido and won't go away even without pressing clean.

HaxLog

HAXFIX logfile - by Marckie
--------------
version 2.41
Fri 05/12/2006 15:41:05.93

checking for a3d files....
a3d files found
ps.a3d

checking for matching notify keys....
matching notify keys found
xptp

checking for matching services....
matching services found
xptptt
xptpmm

checking for matching safeboot services....
matching safeboot services found
xptptt.sys
xptpmm.sys


HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 2:03:57 PM, on 5/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~2\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~2\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_15.dll
O21 - SSODL: BfgdnqzIOjP - {14AAB72C-BE00-1D86-2940-9A1853EB5E68} - C:\WINDOWS\System32\bnaen.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Ewido

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:31:37 PM, 5/12/2006
+ Report-Checksum: FFE93DE1

+ Scan result:

C:\Documents and Settings\DEWbEATZ\Local Settings\Application Data\62028833.exe -> Downloader.Small.csn : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temp\010N83A070\216.tmp -> Trojan.Sinowal.n : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temp\czlqtdsa.exe -> Dropper.Agent.ail : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temp\rsysinit.exe -> Trojan.ExitWin.z : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temp\wqpzidss.exe -> Hijacker.Small.cc : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\A5832LE5\dlteqco[1].txt -> Hijacker.StartPage.adi : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\A5832LE5\lgonvkw[1].txt -> Hijacker.Small.kr : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\A5832LE5\runfile[1].exe -> Hijacker.Small.cc : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\CH4PANK1\ckflieqxm[1].txt -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\CH4PANK1\ponvgqnxql[1].txt -> Trojan.Sinowal.n : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\E3YR2HIJ\jemhgfdcb[1].txt -> Adware.BHO : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\E3YR2HIJ\loader[1].exe -> Downloader.Agent.akj : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\K507SNCV\3338[1].exe -> Dropper.Agent.ail : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\K507SNCV\krab02[1].exe -> Dropper.Agent.ol : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\MR4N2NU5\ksemkwvucn[1].txt -> Proxy.Small.bo : Ignored
C:\Documents and Settings\DEWbEATZ\Local Settings\Temporary Internet Files\Content.IE5\Z84SFXAF\mazedlwi[1].txt -> Downloader.Small.csn : Ignored
C:\Documents and Settings\DEWbEATZ\My Documents\Downloads\gozilla.exe -> Adware.EZula : Ignored
C:\kl1.exe -> Trojan.Sinowal.n : Ignored
C:\Program Files\aobeghl.exe -> Hijacker.StartPage.adi : Ignored
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.dll -> Trojan.Sinowal.m : Ignored
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00010.dll -> Trojan.Sinowal.m : Ignored
C:\Program Files\hgalrufn.exe -> Hijacker.StartPage.adi : Ignored
C:\Program Files\Internet Explorer\loader.exe -> Downloader.Agent.akj : Ignored
C:\Program Files\paytime.exe -> Hijacker.StartPage.adi : Ignored
C:\tool1.exe -> Downloader.Small.csn : Ignored
C:\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored
C:\tool4.exe -> Adware.BHO : Ignored
C:\tool5.exe -> Hijacker.Small.kr : Ignored
C:\WINDOWS\system32\gmihnofm.exe -> Proxy.Wopla.r : Ignored
C:\WINDOWS\system32\jkohjkpi.exe -> Proxy.Wopla.r : Ignored
C:\WINDOWS\system32\k40d2x.dll -> Trojan.Kolweb.f : Ignored
C:\WINDOWS\system32\TheMatrixHasYou.exe -> Proxy.Small.bo : Ignored


::Report End

DEWbEATZ
2006-05-13, 02:41
Also, I did the search and delete (in safe mode) for files bnaen.dll and xptptt.dll and could not locate them even with a search

pskelley
2006-05-13, 02:49
What I need to know is why you once again choose to ignore all of the bad junk ewido located??? Please run that scan again and PLEASE have ewido DELETE anything it finds. Post that ewido report showing you have deleted the junk before you follow any other directions I post.
:confused:

pskelley
2006-05-13, 02:56
Please do not follow start instructions until you have finally had ewido delete whatever it found and posted a new ewido scan report showing that.

This Auto fix must be done exactly and the instructions say.


Option 2 autofix
Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 2. Run auto fix by typing 2 and then pressing Enter

If an infection is found, you'll get a message to close all other open windows.


Close all open windows except the red dos window from haxfix and then press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of that logfile along with a new HijackThis log.

Thanks

DEWbEATZ
2006-05-13, 02:56
"You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now."

I missread read that part.:( I'll be back in a couple.

DEWbEATZ
2006-05-13, 22:02
HAXFIX logfile - by Marckie
--------------
version 2.41
Sat 05/13/2006 11:09:01.42

checking for a3d files....
a3d files not found

checking for matching notify keys....
no matching notify keys found

checking for matching services....
no matching services found

checking for matching safeboot services....
no matching safeboot services found


Logfile of HijackThis v1.99.1
Scan saved at 11:13:26 AM, on 5/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~2\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:55:22 AM, 5/13/2006
+ Report-Checksum: D637218F

+ Scan result:

No infected objects found.


::Report End

pskelley
2006-05-13, 22:37
This last log was posted in safe mode. Post a new HJT log in normal mode.

DEWbEATZ
2006-05-14, 00:00
Logfile of HijackThis v1.99.1
Scan saved at 1:58:45 PM, on 5/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MICROS~2\wcescomm.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\GetRight\getright.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~2\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.ritzpix.com/upload/FujifilmUploadClient.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

pskelley
2006-05-14, 00:21
Thanks for the new log and good job with the Haxdoor removal tool:bigthumb: Your HJT log is clean of malware, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is a link that might come in handy: http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx

Safe surfing...tashi will be along to close you up in a day or so.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tashi
2006-05-18, 10:50
Thank you pskelley.

This topic is now closed.