Blaster worm?

utahmom · Aug 9, 2006

I was getting a pop-up balloon saying that my computer was infected and I needed to use new anti-spyware software to fix it. Also, my desktop was changed to blank and I couldn't put it back the way I had it. I had something like this before, but couldn't remember how I took care of it.

So I googled and it appeared that what I had was a blaster worm. I found and followed the instructions in your thread: http://forums.spybot.info/showthread.php?t=4015

This took care of the problem, but I wanted to post my logs here in case there is anything else I should do to clean up my machine. I was shocked at how many things were found by the Ewido program. Is this worth buying and running regularly? How can I have so many trojans, droppers, proxies, etc., when I use ZoneAlarm (albeit the free version) as well as Spybot 1.2 and Ad-Aware 6.0?

Anyway, logs to follow.

utahmom · Aug 9, 2006

c:/rapport.txt

SmitFraudFix v2.81

Scan done at 13:14:37.76, Tue 08/08/2006
Run from C:\Documents and Settings\Lori Watson\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\secure32.html Deleted
C:\uniq Deleted
C:\WINDOWS\toolbar.exe Deleted
C:\WINDOWS\system32\0mcamcap.exe Deleted
Problem while deleting C:\WINDOWS\system32\oleext.dll
C:\WINDOWS\system32\TheMatrixHasYou.exe Deleted
C:\WINDOWS\system32\winbrume.dll Deleted
C:\Documents and Settings\Lori Watson\Application Data\Install.dat Deleted
C:\Program Files\paytime.exe Deleted
C:\Program Files\secure32.html Deleted
C:\Program Files\PestTrap\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll

C:\WINDOWS\system32\wininet.dll infected !

Searching wininet.dll backup file...
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\dllcache\WININET.DLL
C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
C:\WINDOWS\ServicePackFiles\i386\wininet.dll

File Found : C:\WINDOWS\system32\dllcache\\wininet.dll
System Version : 6.0.2800.1405
BackUp Version : 6.0.2800.1405

Wininet.dll Remplacement (reboot necessary)

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\oleext.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» End

utahmom · Aug 9, 2006

Ewido log, part 1

I had to do this in 2 parts as I had to be interrupted the first time to work. Here is the log of the first scan:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:14:52 PM 8/8/2006

+ Scan result:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\63CTOXI7\jemhgfdcb[1].txt -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255257.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255296.DLL -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1208\A0255348.DLL -> Adware.BHO : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DSI -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-891307005-429115175-1203367206-1005\Software\DSI -> Adware.Delfin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\relatedlinks -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\110354.exe -> Dialer.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Application Data\f0a938af.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\63CTOXI7\bmlgjeg[1].txt -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255294.EXE -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255295.EXE -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1208\A0255346.EXE -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1208\A0255347.EXE -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
C:\WINDOWS\system32\f0a938af.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Application Data\ddf30f0a.exe -> Downloader.Small.csn : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPWXGZ6P\mazedlwi[1].txt -> Downloader.Small.csn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ddf30f0a.exe -> Downloader.Small.csn : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPWXGZ6P\bwitsrqbw[1].txt -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LFRNNMQ2\phpxi[1].txt -> Downloader.Small.cux : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\Iesearch.exe -> Dropper.Small.gd : Cleaned with backup (quarantined).
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Temporary Internet Files\Content.IE5\9LCUJFHX\cVhsVXJrVXl0Sm9BQUd0YVRMOEFBQUJt[1].wmf -> Exploit.MS05-053-WMF : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPWXGZ6P\lgonvkw[1].txt -> Hijacker.Small.kr : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\63CTOXI7\dlteqco[1].txt -> Hijacker.StartPage.adi : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LFRNNMQ2\upbwlxiu[1].txt -> Hijacker.StartPage.adi : Cleaned with backup (quarantined).
C:\Program Files\ryads.exe -> Hijacker.StartPage.adi : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LFRNNMQ2\ckflieqxm[1].txt -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LFRNNMQ2\plfeqcamh[1].txt -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255254.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255293.EXE -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1208\A0255345.EXE -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4J6ZAN4J\ksemkwvucn[1].txt -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4J6ZAN4J\kwvgb[1].txt -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255255.exe -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255256.exe -> Proxy.Small.bo : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.40:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.41:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.42:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.38:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.14:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@www.burstbeacon[3].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@burstnet[4].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@www.burstnet[3].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@casalemedia[3].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@com[2].txt -> TrackingCookie.Com : Cleaned.
:mozilla.13:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@e-2dj6wfk4uhcpceo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@e-2dj6wfk4ukdpibo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@e-2dj6wjkoupdjgcp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@e-2dj6wjkyckcpwao.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@e-2dj6wjlioidzslp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@e-2dj6wjnyopdjigp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@y-1shz2prbmdj6wvny-1sez2pra2dj6wfk4kidpacoqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyeiajglpwudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4cocpmdqq2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliwoc5whpwsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyugazgfpaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmicmc5aapgqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@adopt.euroclick[3].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@server.iad.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.43:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.44:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.15:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.16:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.17:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.18:C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@serving-sys[3].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@statcounter[3].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Cookies\lori watson@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Lori Watson\Local Settings\Temp\Temporary Internet Files\Content.IE5\2PG3KNYF\runapl[1].exe -> Trojan.LowZones.df : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4J6ZAN4J\jrdpnmyk[1].htm -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPWXGZ6P\rzutsdcx[1].htm -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LFRNNMQ2\dlgsq[1].txt -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LFRNNMQ2\dpkjvts[1].txt -> Trojan.Regger.s : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LFRNNMQ2\rzhtsdpb[1].txt -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00010.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe -> Trojan.Sinowal.ai : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255251.exe -> Trojan.Sinowal.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255252.dll -> Trojan.Sinowal.m : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\63CTOXI7\ponvgqnxql[1].txt -> Trojan.Sinowal.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255291.DLL -> Trojan.Sinowal.v : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255292.DLL -> Trojan.Sinowal.v : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1208\A0255343.dll -> Trojan.Sinowal.v : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1208\A0255344.dll -> Trojan.Sinowal.v : Cleaned with backup (quarantined).
C:\WINDOWS\system32\restore.exe -> Trojan.SubSearch.d : Cleaned with backup (quarantined).

::Report end

utahmom · Aug 9, 2006

Ewido log, part 2

Here are the results of the second scan, done a few hours later:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:42:51 AM 8/9/2006

+ Scan result:

C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262063.exe -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264667.dll -> Adware.BHO : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DSI -> Adware.Delfin : Cleaned with backup (quarantined).
HKU\S-1-5-21-891307005-429115175-1203367206-1005\Software\DSI -> Adware.Delfin : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264669.dll -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262065.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264693.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264694.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0263088.exe -> Downloader.Small.air : Cleaned with backup (quarantined).
C:\ann.exe -> Downloader.Small.cpg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262061.exe -> Downloader.Small.csn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264690.exe -> Downloader.Small.csn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264691.exe -> Downloader.Small.csn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262051.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264699.exe -> Dropper.Small.gd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262064.exe -> Hijacker.Small.kr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264597.exe -> Hijacker.StartPage.adi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264668.exe -> Hijacker.StartPage.adi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264695.exe -> Hijacker.StartPage.adi : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LFRNNMQ2\ckflieqxm[1].txt -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LFRNNMQ2\plfeqcamh[1].txt -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255254.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1206\A0255293.EXE -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1208\A0255345.EXE -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262052.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262062.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262074.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264658.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\awuakqbw.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Ignored.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264665.exe -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264666.exe -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\Lori Watson\Cookies\lori watson@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Lori Watson\Cookies\lori watson@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lori Watson\Cookies\lori watson@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Lori Watson\Cookies\lori watson@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Lori Watson\Cookies\lori watson@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262075.exe -> Trojan.LowZones.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264657.exe -> Trojan.LowZones.df : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262053.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262054.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262057.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\fshvfgai.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262055.exe -> Trojan.Regger.s : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264696.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264697.dll -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\splp.exe -> Trojan.Sinowal.ae : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264698.exe -> Trojan.Sinowal.ai : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262056.exe -> Trojan.Sinowal.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1240\A0262059.exe -> Trojan.Sinowal.v : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264593.dll -> Trojan.Sinowal.v : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264594.dll -> Trojan.Sinowal.v : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3516953C-55A1-48BF-94AE-4D0884B964C6}\RP1246\A0264692.exe -> Trojan.SubSearch.d : Cleaned with backup (quarantined).

::Report end

utahmom · Aug 9, 2006

HTJ log

Logfile of HijackThis v1.99.1
Scan saved at 6:56:29 AM, on 8/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.splor.com/slc/
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.miox.com/CFIDE/classes/CFJava.cab
O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} - http://216.93.172.116/sub2bc.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142177776515
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://tumalo.dyndns.org:6402/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} - http://pak01.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujicolor.com.au/en/feeders/XUpload.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv3fd.pav3.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://costco.internetimagingnetwork.com/activex/PCAXSetup.cab?
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\Software\..\Telephony: DomainName = +s
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = +s
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\winvnc.exe" -service (file missing)

LonnyRJones · Aug 14, 2006

Hi utahmom

Start Hijackthis and place a check next to these items If there.
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O16 - DPF: {1D870C86-AA3C-4451-81E4-71D480A1A652} - http://216.93.172.116/sub2bc.exe
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh hijackthis log please, be sure to mention any current problems.

utahmom · Aug 14, 2006

Thank you - I did that and here is my updated log. I am not currently having any more problems that I know of. Everything seems to be running as it should.

Logfile of HijackThis v1.99.1
Scan saved at 1:53:52 PM, on 8/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WPN311\wlancfg5.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents

and Settings\Lori Watson\Application Data\Mozilla\Profiles\default\jwhqzzsb.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");

(C:\Documents and Settings\Lori Watson\Application

Data\Mozilla\Profiles\default\jwhqzzsb.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program

Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft

Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan

Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft

Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital

Imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program

Files\NETGEAR\WPN311\wlancfg5.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} -

http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -

http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -

http://online.comcast.net/help/ (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program

Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.splor.com/slc/
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) -

http://www.miox.com/CFIDE/classes/CFJava.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program

Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -

http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142177776

515
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) -

http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) -

http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -

http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) -

http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -

http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) -

http://autos.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) -

http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) -

http://tumalo.dyndns.org:6402/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -

http://www.live365.com/players/play365.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) -

http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} -

http://pak01.pictures.aol.com/ygp/aol/plugin/download/YGPPicDownload.en-US.9.1.6.18.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) -

http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) -

http://www.fujicolor.com.au/en/feeders/XUpload.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) -

http://pv3fd.pav3.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) -

http://costco.internetimagingnetwork.com/activex/PCAXSetup.cab?
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program

Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) -

http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = +s
O17 - HKLM\Software\..\Telephony: DomainName = +s
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = +s
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner -

C:\WINDOWS\system32\acs.exe
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program

Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program

Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program

Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network

Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program

Files\RealVNC\WinVNC\winvnc.exe" -service (file missing)

LonnyRJones · Aug 15, 2006

Looks good

I would love to see another log after you visit windows update a couple times.
Get all critical updates, always reboot when its suggested.

tashi · Aug 20, 2006

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

Blaster worm?

utahmom

New member

utahmom

New member

utahmom

New member

utahmom

New member

utahmom

New member

LonnyRJones

Security Expert-Emeritus

utahmom

New member

LonnyRJones

Security Expert-Emeritus

tashi

Member of Team Spybot