TheTechGuide Forum

General Category => Tech Clinic => Topic started by: josh_rowe_hccc on July 09, 2005, 10:24:53 AM

Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 09, 2005, 10:24:53 AM
I got this off LimeWire and I cannot get rid of it. My Ad-Aware detects this and it keeps coming back every time. Here is my HijackThis scan.


Logfile of HijackThis v1.99.1
Scan saved at 11:20:14 AM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\Program Files\winupdates\winupdates.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\Program Files\Command Software\Command AntiVirus\dvprpt.exe
C:\Program Files\Command Software\Command AntiVirus\avtray.exe
C:\Documents and Settings\Owner\My Documents\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101BBUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c1\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096041344343
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E66A5764-212B-40EC-8FB8-16949F6A82CD} - http://www.dailywinner.net/svcmm32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E69B4E5B-538A-4353-8FBF-1882D81031C4}: NameServer = 204.117.214.10,65.174.170.16
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: Command AntiVirus Download - Command AntiVirus Download.dll (file missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




Any help would be greatly appreciated. Thanks.
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 10, 2005, 01:20:36 AM
Seems like a lot of people have this worm. Anyone got a fix?
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 10, 2005, 12:41:50 PM
I also noticed you can't use Ctrl + Alt + Del to bring up Task Manager.
Title: win32.p2p-worm.alcan.a
Post by: Muku6 on July 10, 2005, 05:21:15 PM
Yeah, with this worm, CTRL+ALT+DEL is disabled.  Very frustrating.  It also disables some other things, like if I go to START > RUN and then type in ipconfig, it pops up the DOS window for half a second, then disappears.  I think there are a few commands that, done that way, have the same reaction.

Made installing my router stuff yesterday a bit of a pain.  This worm seems to disable a few things for irritation. :(
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 13, 2005, 03:30:17 PM
Even my antivirus picks it up but says unable to disinfect, lol.
Title: win32.p2p-worm.alcan.a
Post by: guestolo on July 13, 2005, 06:29:25 PM
Sorry for the delay, Josh. Can you please post a fresh HijackThis log to this thread?
Let's make sure nothing has changed.
Also, let me know what tools you have tried to kill this bad guy,
and what versions.
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 19, 2005, 09:42:27 AM
Logfile of HijackThis v1.99.1
Scan saved at 10:49:02 AM, on 7/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101BBUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096041344343
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E66A5764-212B-40EC-8FB8-16949F6A82CD} - http://www.dailywinner.net/svcmm32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E69B4E5B-538A-4353-8FBF-1882D81031C4}: NameServer = 204.117.214.10,65.174.170.16
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: Command AntiVirus Download - Command AntiVirus Download.dll (file missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



To try and remove it I've used:
CrapCleaner
Microsoft AntiSpyware beta
Ad-Aware SE Personal, definition file "se1r55 19.07.05"
Also, I have Command AntiVirus with the newest definition files.
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 22, 2005, 11:38:41 AM
Still can't get rid of it :(
Title: win32.p2p-worm.alcan.a
Post by: guestolo on July 22, 2005, 11:21:37 PM
Can you do the following please, I want to check on something

Download L2mfix from here

http://www.atribune.org/downloads/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT:  Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 23, 2005, 10:49:16 AM
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Command AntiVirus Download]
"DllName"="Command AntiVirus Download.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Lock"="Lock"
"Logoff"="Logoff"
"Logon"="Logon"
"Shutdown"="Shutdown"
"StartScreenSaver"="StartScreenSaver"
"Startup"="Startup"
"StopScreenSaver"="StopScreenSaver"
"Unlock"="Unlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{56B9E5D0-1679-4F4C-BC4F-FCF1DCC3A826}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{52630B50-7A06-4320-A7A3-6B24F051614A}"=""
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

********************************************************************************
**
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{52630B50-7A06-4320-A7A3-6B24F051614A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52630B50-7A06-4320-A7A3-6B24F051614A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52630B50-7A06-4320-A7A3-6B24F051614A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{52630B50-7A06-4320-A7A3-6B24F051614A}\InprocServer32]
"ThreadingModel"="Apartment"

********************************************************************************
**
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   gcmd5q~1.dll   Sat Jun 11 2005  12:44:14p  A....         10,752    10.50 K
   msgplu~1.dll   Wed Jun  1 2005   4:29:26p  A....         45,192    44.13 K
   ole32.dll      Thu Apr 28 2005   3:33:54p  A....      1,190,400     1.13 M
   olecli32.dll   Thu Apr 28 2005   3:33:54p  A....         68,608    67.00 K
   olecnv32.dll   Thu Apr 28 2005   3:33:54p  A....         35,328    34.50 K
   rpcss.dll      Thu Apr 28 2005   3:33:54p  A....        275,456   269.00 K

6 items found:  6 files, 0 directories.
   Total of file sizes:  1,625,736 bytes      1.55 M
Locate .tmp files:

No matches found.
********************************************************************************
**
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is DC9F-F894

 Directory of C:\WINDOWS\System32

07/23/2005  11:52 AM    <DIR>          ..
07/23/2005  11:52 AM    <DIR>          .
07/09/2005  01:39 AM        11,738,436 Command AntiVirus Download.txt
06/11/2005  04:00 PM    <DIR>          dllcache
01/03/2005  07:47 PM           223,824 q2rq0c95ef.dll
10/08/2004  03:16 PM               512 Djp9g.y89
10/03/2004  07:40 PM               848 KGyGaAvL.sys
09/15/2004  10:26 PM    <DIR>          Microsoft
04/05/2001  01:43 PM            94,208 msstkprp.dll
               5 File(s)     12,057,828 bytes
               4 Dir(s)  61,950,160,896 bytes free
Title: win32.p2p-worm.alcan.a
Post by: guestolo on July 23, 2005, 10:58:01 AM
Let's try some cleaning now
I'm going to post some more instructions
But I'll get you started cleaning one infection

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

NOTE: After restart and L2MFIX finishes scanning for files >> give this time to finish
If a text doesn't open, run the "second.bat" located inside the L2mfix folder
Title: win32.p2p-worm.alcan.a
Post by: guestolo on July 23, 2005, 11:08:31 AM
Once you have posted the above log
Can you do the following please

Download and save WinPFind.zip (http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip)
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
This could take some time as it will scan your drive
Once the Scan is Complete
   1. Go to the WinPFind folder
   2. Locate WinPFind.txt
I'll need to see those results
Reboot back to Normal mode

Post the results of the WinPFind.txt

Could you also redownload HijackThis from my signature below and save it to a folder on your computer
Run another scan with Hijackthis from that new location and post a fresh log too
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 23, 2005, 01:57:00 PM
L2Mfix 1.03a
 
Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix
 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting registry permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
 - adding new ACCESS DENY entry

 
Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI)    DENY   --C-------      BUILTIN\Administrators
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


 
Setting up for Reboot
 
 
Starting Reboot!
 
C:\Documents and Settings\Owner\Desktop\l2mfix
System Rebooted!
 
Running From:
C:\Documents and Settings\Owner\Desktop\l2mfix
 
killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 444 'explorer.exe'
Killing PID 444 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe
 
Scanning First Pass. Please Wait!
 
First Pass Completed
 
Second Pass Scanning
 
Second pass Completed!
Backing Up: C:\WINDOWS\system32\q2rq0c95ef.dll
        1 file(s) copied.
deleting: C:\WINDOWS\system32\q2rq0c95ef.dll  
Successfully Deleted: C:\WINDOWS\system32\q2rq0c95ef.dll
 
Desktop.ini sucessfully removed
 
Zipping up files for submission:
  adding: q2rq0c95ef.dll (140 bytes security) (deflated 4%)
  adding: clear.reg (140 bytes security) (deflated 22%)
  adding: echo.reg (140 bytes security) (deflated 9%)
  adding: desktop.ini (140 bytes security) (deflated 14%)
  adding: direct.txt (140 bytes security) (stored 0%)
  adding: lo2.txt (140 bytes security) (deflated 70%)
  adding: readme.txt (140 bytes security) (deflated 49%)
  adding: report.txt (140 bytes security) (deflated 64%)
  adding: test.txt (140 bytes security) (stored 0%)
  adding: test2.txt (140 bytes security) (stored 0%)
  adding: test3.txt (140 bytes security) (stored 0%)
  adding: test5.txt (140 bytes security) (stored 0%)
  adding: xfind.txt (140 bytes security) (stored 0%)
  adding: backregs/52630B50-7A06-4320-A7A3-6B24F051614A.reg (140 bytes security) (deflated 71%)
  adding: backregs/shell.reg (140 bytes security) (deflated 73%)
 
Restoring Registry Permissions:
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

 
Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW  Read           BUILTIN\Users
(ID-IO) ALLOW  Read           BUILTIN\Users
(ID-NI) ALLOW  Full access    BUILTIN\Administrators
(ID-IO) ALLOW  Full access    BUILTIN\Administrators
(ID-NI) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access    CREATOR OWNER


Restoring Sedebugprivilege:
 
 Granting SeDebugPrivilege to Administrators   ... successful
 
deleting local copy: q2rq0c95ef.dll  
 
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Command AntiVirus Download]
"DllName"="Command AntiVirus Download.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Lock"="Lock"
"Logoff"="Logoff"
"Logon"="Logon"
"Shutdown"="Shutdown"
"StartScreenSaver"="StartScreenSaver"
"Startup"="Startup"
"StopScreenSaver"="StopScreenSaver"
"Unlock"="Unlock"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

 
The following are the files found:
****************************************************************************
C:\WINDOWS\system32\q2rq0c95ef.dll
 
Registry Entries that were Deleted:
Please verify that the listing looks ok.  
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{52630B50-7A06-4320-A7A3-6B24F051614A}"=-
[-HKEY_CLASSES_ROOT\CLSID\{52630B50-7A06-4320-A7A3-6B24F051614A}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{56B9E5D0-1679-4F4C-BC4F-FCF1DCC3A826}</IDone>
<IDtwo>TDb05</IDtwo>
<VERSION>200</VERSION>
****************************************************************************
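
The Winlogon Notify export in the L2Mfix log above stores several DllName values as hex(2) data and spells the value name both "DllName" and "DLLName", which makes the list hard to review by eye. The following is an added example, not part of the thread or of L2Mfix: it decodes such an export and compares each DLL against an allowlist. The function names and the allowlist are assumptions made for illustration, and the sample is excerpted from the export above.

```python
import ntpath
import re

# Registry path of the key L2Mfix exports, lower-cased for comparison.
NOTIFY_KEY = (r"hkey_local_machine\software\microsoft\windows nt"
              r"\currentversion\winlogon\notify")

# Sample excerpted from the export in the log above: one hex(2) DllName with a
# continuation line, one plain-string "DLLName", one subkey with no DllName.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"Logon"="WinLogon"
'''

# Assumption: a constructed allowlist for this example only, not a vetted
# baseline. Build a real one from a known-clean machine of the same OS build.
SAMPLE_ALLOWLIST = {"crypt32.dll", "wlnotify.dll"}


def logical_lines(text):
    """Yield stripped lines, joining hex values continued with a trailing ',\\'."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(",\\"):
            buf += line[:-1]          # drop the backslash, keep the comma
            continue
        yield buf + line
        buf = ""


def decode_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])     # unescape \\ and \"
    if raw.lower().startswith("hex(2):"):
        # REG_EXPAND_SZ; assumed UTF-16LE, as in "Version 5.00" exports.
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw                                         # unknown type: keep raw


def parse_notify_export(text):
    """Return {subkey: {lower-cased value name: decoded value}} for Notify."""
    packages, current = {}, None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            prefix, _, name = line[1:-1].rpartition("\\")
            # Only direct children of ...\Winlogon\Notify are notify packages.
            current = (packages.setdefault(name, {})
                       if prefix.lower() == NOTIFY_KEY else None)
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                # Value names are case-insensitive ("DllName" vs "DLLName").
                current[m.group(1).lower()] = decode_value(m.group(2))
    return packages


def review_notify(text, allowlist):
    """Return (subkey, dll, status) rows in the order they appear."""
    allowed = {d.lower() for d in allowlist}
    rows = []
    for name, values in parse_notify_export(text).items():
        dll = values.get("dllname")
        if not dll:
            status = "no DllName value"
        elif ntpath.basename(dll).lower() in allowed:
            status = "allowlisted"
        else:
            status = "not in allowlist"
        rows.append((name, dll, status))
    return rows


if __name__ == "__main__":
    for subkey, dll, status in review_notify(SAMPLE_EXPORT, SAMPLE_ALLOWLIST):
        print(f"{subkey:20} {dll or '-':16} {status}")
```

"Not in allowlist" only means the DLL needs a manual look; third-party drivers and tools also register notify packages.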

Title: win32.p2p-worm.alcan.a
Post by: guestolo on July 23, 2005, 03:59:07 PM
OK, that's great
Now if you can carry on with the rest of the instructions I posted
We'll carry on :)

Quote
Once you have posted the above log
Can you do the following please

Download and save WinPFind.zip (http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip)
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
This could take some time as it will scan your drive
Once the Scan is Complete
   1. Go to the WinPFind folder
   2. Locate WinPFind.txt
I'll need to see those results
Reboot back to Normal mode

Post the results of the WinPFind.txt

Could you also redownload HijackThis from my signature below and save it to a folder on your computer
Run another scan with Hijackthis from that new location and post a fresh log too
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 23, 2005, 05:04:32 PM
Here is my winpfind scan

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»  

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
qoologic             1/24/2005 10:18:02 AM  3125       C:\WINDOWS\nochgo.dll
abetterinternet.com  1/24/2005 10:18:02 AM  3125       C:\WINDOWS\nochgo.dll

Checking %System% folder...
PEC2                 3/18/2003 11:05:48 PM  2052096    C:\WINDOWS\SYSTEM32\atl71.pdb
PEC2                 7/16/2003 4:26:44 PM   41397      C:\WINDOWS\SYSTEM32\dfrg.msc
UPX!                 10/8/2004 3:10:12 PM   180224     C:\WINDOWS\SYSTEM32\in10b6s.dll
UPX!                 6/27/2004 8:19:32 PM   7168       C:\WINDOWS\SYSTEM32\Internet Explorerr.exe
PEC2                 3/19/2003 1:20:00 AM   10357760   C:\WINDOWS\SYSTEM32\mfc71.pdb
PEC2                 3/19/2003 12:28:40 AM  8252416    C:\WINDOWS\SYSTEM32\MFC71d.pdb
PEC2                 3/19/2003 1:12:12 AM   10333184   C:\WINDOWS\SYSTEM32\mfc71u.pdb
PEC2                 3/19/2003 12:31:58 AM  8293376    C:\WINDOWS\SYSTEM32\mfc71ud.pdb
Umonitor             7/16/2003 4:42:42 PM   631808     C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX!                 6/27/2004 8:47:30 PM   7168       C:\WINDOWS\SYSTEM32\rinst.exe
winsync              7/16/2003 4:50:38 PM   1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
aspack               6/14/2005 12:28:54 PM  768712     C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

Checking the Windows folder for system and hidden files within the last 60 days...
                     7/9/2005 1:39:02 AM    11738436   C:\WINDOWS\system32\Command AntiVirus Download.txt
                     7/23/2005 2:51:08 PM   892        C:\WINDOWS\system32\vsconfig.xml
                     7/23/2005 5:10:14 PM   8192       C:\WINDOWS\system32\config\default.LOG
                     7/23/2005 5:11:14 PM   1024       C:\WINDOWS\system32\config\SAM.LOG
                     7/23/2005 5:10:24 PM   16384      C:\WINDOWS\system32\config\SECURITY.LOG
                     7/23/2005 5:53:14 PM   438272     C:\WINDOWS\system32\config\software.LOG
                     7/23/2005 5:10:26 PM   909312     C:\WINDOWS\system32\config\system.LOG
                     6/14/2005 7:22:26 AM   388        C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e3866ee3-774f-4339-b557-72abc5a4c618
                     6/14/2005 7:22:26 AM   24         C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
                     7/23/2005 5:08:38 PM   6          C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»  

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     2/10/2005 11:19:36 PM  1757       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
                     2/10/2005 11:17:56 PM  877        C:\Documents and Settings\Owner\Application Data\AdobeDLM.log
                     2/10/2005 11:17:56 PM  0          C:\Documents and Settings\Owner\Application Data\dm.ini
                     9/29/2004 7:55:02 PM   12358      C:\Documents and Settings\Owner\Application Data\PFP120JCM.{PB
                     9/29/2004 7:55:02 PM   61678      C:\Documents and Settings\Owner\Application Data\PFP120JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»  

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
   SV1    =

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\FProtMenu
   {4a479be0-3333-11d0-b519-00400519153f}    = C:\Program Files\Command Software\Command AntiVirus\avshext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxyfqx
   {2f588107-4898-4ed4-b14c-6f3050d9cd7b}    =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
   {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}    = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\FProtMenu
   {4A479BE0-3333-11D0-B519-00400519153F}    = C:\Program Files\Command Software\Command AntiVirus\avshext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
   {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}    = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   IgfxTray   C:\WINDOWS\System32\igfxtray.exe
   HotKeysCmds   C:\WINDOWS\System32\hkcmd.exe
   ccApp   "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
   Zone Labs Client   C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
   CSAV_CheckViruses   C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
   untray   C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
   avtray   C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
   dvprpt   C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
   winupdates   C:\Program Files\winupdates\winupdates.exe /auto
   KernelFaultCheck   %systemroot%\system32\dumprep 0 -k

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
   IMAIL
   MAPI
   MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
    = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\msonsext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145
   SpecifyDefaultButtons   0
   Btn_Search   0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   UserInit   C:\WINDOWS\system32\userinit.exe,
   Shell      Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Command AntiVirus Download
    = Command AntiVirus Download.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
    = igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
   {7849596a-48ea-486e-8937-a2a3009f31a9}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
   {fbeb8a05-beee-4442-804e-409d6c4515e9}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
   {E6FB5E20-DE35-11CF-9C87-00AA005127ED}    = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
   {35CEC8A3-2BE6-11D2-8773-92E220524153}    = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
   AppInit_DLLs   MsgPlusLoader.dll

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»  
WinPFind v1.2.3   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 23, 2005, 05:11:01 PM
Logfile of HijackThis v1.99.1
Scan saved at 6:05:49 PM, on 7/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Owner\Desktop\hijack this new\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101BBUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab)
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab (http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab)
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096041344343 (http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096041344343)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab (http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab)
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E66A5764-212B-40EC-8FB8-16949F6A82CD} - http://www.dailywinner.net/svcmm32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E69B4E5B-538A-4353-8FBF-1882D81031C4}: NameServer = 204.117.214.10,65.174.170.16
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: Command AntiVirus Download - Command AntiVirus Download.dll (file missing)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 24, 2005, 10:50:45 AM
Well I would like to thank you very much for the help you have given me so far :) Now my CTRL+ALT+DEL works and my CMD line works. I would run Ad-Aware to see if the worm is gone, but I am waiting on your note to do anything :P
Title: win32.p2p-worm.alcan.a
Post by: guestolo on July 24, 2005, 12:45:05 PM
I want to check on a few files please
I'm sure a couple are old bad files, but let's take a look at them

Also, let me know if you still have Messenger Plus installed

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Can you go to this link
Give this site time to load
Jotti's Online Malware scan (http://virusscan.jotti.org/)

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\SYSTEM32\Internet Explorerr.exe <-file
Right click on it and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results which includes name of file

Do the same with this file name
C:\WINDOWS\SYSTEM32\rinst.exe <-file

Can you also manually navigate to this folder
C:\Documents and Settings\Owner
In the Owner folder do you see a "Complete" folder?
If so, open the complete folder, any zip files inside of it, any you recognize

NOTE: You appear to be running 2 anti-virus software on your computer
This is not a good idea as it will cause conflicts with each other and instability
I would choose which one you're happiest with and remove the other
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 24, 2005, 01:52:51 PM
File:  Internet_Explorerr.exe  
Status:  INFECTED/MALWARE  
MD5  ca1179a4b2450f44064a47f251ee325d  
Packers detected:  UPX
Scanner results  
AntiVir  Found TR/Spy.Perfloger.O  
ArcaVir  Found Trojan.Spy.Perfloger.O  
Avast  Found Win32:Perfloger-D  
AVG Antivirus  Found nothing
BitDefender  Found Trojan.Keylogger.RT.A  
ClamAV  Found Trojan.Perflog-11  
Dr.Web  Found Trojan.DownLoader.2605  
F-Prot Antivirus  Found nothing
Fortinet  Found Keylog/Perfect  
Kaspersky Anti-Virus  Found Trojan-Spy.Win32.Perfloger.o  
NOD32  Found Win32/Spy.PerfKey.N  
Norman Virus Control  Found nothing
UNA  Found Trojan.Spy.Win32.Perfloger  
VBA32  Found Trojan.Perflog  




File:  rinst.exe  
Status:  INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)  
MD5  ca1179a4b2450f44064a47f251ee325d  
Packers detected:  UPX
Scanner results  
AntiVir  Found TR/Spy.Perfloger.O  
ArcaVir  Found Trojan.Spy.Perfloger.O  
Avast  Found Win32:Perfloger-D  
AVG Antivirus  Found nothing
BitDefender  Found Trojan.Keylogger.RT.A  
ClamAV  Found Trojan.Perflog-11  
Dr.Web  Found Trojan.DownLoader.2605  
F-Prot Antivirus  Found nothing
Fortinet  Found Keylog/Perfect  
Kaspersky Anti-Virus  Found Trojan-Spy.Win32.Perfloger.o  
NOD32  Found Win32/Spy.PerfKey.N  
Norman Virus Control  Found nothing
UNA  Found Trojan.Spy.Win32.Perfloger  
VBA32  Found Trojan.Perflog  


As for the "Complete" folder, I didn't download any of the programs or music that was in any of them zip files so I didn't open any.

And I will remove Norton because it is expired anyways :unsure:


Ooh, and yes I still do have Messenger + installed for AIM and MSN
Title: win32.p2p-worm.alcan.a
Post by: guestolo on July 24, 2005, 06:33:57 PM
Sorry for the delay Josh
Can you do the following please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Code:
REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mxyfqx]

[-HKEY_CLASSES_ROOT\CLSID\{2f588107-4898-4ed4-b14c-6f3050d9cd7b}]
Save this to the desktop, we'll need it later


Next:
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit

==Download and then Install
Ewido Security Suite (http://download.ewido.net/ewido-setup.exe)
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

==Ensure you're running Ad-Aware SE 1.06
Check for updates with it to make sure it's right up to date
We'll scan with it later

====Download the Killbox by Option^Explicit (http://www.atribune.org/downloads/KillBox.exe). *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Please Save these instructions to a Notepad file on the desktop for reference
and/or Print this out

Run Pocket KillBox.exe

In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing
Control + C

Killbox files to highlight between dotted lines
===================================================
C:\WINDOWS\nochgo.dll
C:\WINDOWS\SYSTEM32\in10b6s.dll
C:\WINDOWS\SYSTEM32\Internet Explorerr.exe
C:\WINDOWS\SYSTEM32\rinst.exe
C:\Program Files\winupdates\winupdates.exe
c:\counter.cab


===================================================
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer doesn't restart
Please Restart it now manually

RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

Find and delete these folders
C:\Program Files\winupdates <-this folder
C:\Program Files\Toolbar <-folder
Also navigate to this folder
C:\Documents and Settings\Owner\Complete <-this folder
Delete the contents then the "Complete"  folder itself

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.

==Open Ewido trojan scanner
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

NOTE: When Ewido is running do NOT open any other Windows
Let it do its job

==Double click on fix.reg and allow to add or Merge to the registry

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101BBUS

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {E66A5764-212B-40EC-8FB8-16949F6A82CD} - http://www.dailywinner.net/svcmm32.cab

O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

When it's done
==Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart back to Normal mode

Post a fresh Hijackthis log and the Report from Ewidos
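
Added example (not part of the original post, and not a HijackThis feature): one way to check a fresh HijackThis log against the entries ticked for "Fix checked" above, so an entry that has come back is caught without rereading the whole log. The function names and the matching rule (section code plus CLSID where the entry has one, otherwise the case-folded text) are assumptions of this sketch; the second "after" log is constructed to show a reappearing entry.

```python
import re

# One HijackThis entry: section code (R0, O4, O16, ...), " - ", then the body.
ENTRY = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Forum residue: the link target repeated in parentheses after a URL.
LINK_RESIDUE = re.compile(r"\s+\(http://.*\)\s*$")

# Entries ticked for "Fix checked", copied from the post above.
FLAGGED = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101BBUS
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {E66A5764-212B-40EC-8FB8-16949F6A82CD} - http://www.dailywinner.net/svcmm32.cab
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\
"""

# Excerpt of the fresh log posted in reply after the cleanup (from the page).
AFTER_CLEAN = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Constructed sample: the same log with two flagged entries back, written with
# different letter case and with forum link residue to exercise normalisation.
AFTER_REINFECTED = AFTER_CLEAN + r"""
O4 - HKLM\..\Run: [winupdates] C:\PROGRAM FILES\winupdates\winupdates.exe /auto
O16 - DPF: {99802379-7362-40e2-9d28-8a3b9af880b7} - http://hotsearchbar.com/toolbar2/winhot32.cab (http://hotsearchbar.com/toolbar2/winhot32.cab)
"""


def entry_key(line):
    """Return a comparison key for one HijackThis entry line, or None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, running-process path or blank line
    body = LINK_RESIDUE.sub("", m.group("body"))
    guid = GUID.search(body)
    if guid:
        # CLSID-bearing entries (O2, O3, O9, O16, ...) are matched by CLSID,
        # which survives truncated URLs and path rewrites.
        return (m.group("sec"), guid.group(0).upper())
    return (m.group("sec"), " ".join(body.split()).casefold())


def index(log_text):
    """Map comparison key -> original line for every entry in a log."""
    out = {}
    for line in log_text.splitlines():
        key = entry_key(line)
        if key is not None:
            out.setdefault(key, line.strip())
    return out


def still_present(flagged_text, fresh_log_text):
    """Flagged entries that appear again in the fresh log, in flagged order."""
    fresh = index(fresh_log_text)
    return [line for key, line in index(flagged_text).items() if key in fresh]


if __name__ == "__main__":
    for name, log in (("clean", AFTER_CLEAN), ("reinfected", AFTER_REINFECTED)):
        hits = still_present(FLAGGED, log)
        print(f"{name}: {len(hits)} flagged entr{'y' if len(hits) == 1 else 'ies'} still present")
        for line in hits:
            print("   ", line)
```
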
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 24, 2005, 09:15:42 PM
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijack this new\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\COMMAN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\dvprpt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab)
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096041344343 (http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096041344343)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab (http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E69B4E5B-538A-4353-8FBF-1882D81031C4}: NameServer = 204.117.214.10,65.174.170.16
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: Command AntiVirus Download - Command AntiVirus Download.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avinitnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\avinitnt.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: schscnt - Command Software Systems, Inc. - C:\Program Files\Command Software\Command AntiVirus\schscnt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         9:42:39 PM, 7/24/2005
 + Report-Checksum:      9EC00CFA

 + Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{99802379-7362-40E2-9D28-8A3B9AF880B7} -> Spyware.iLookup : Cleaned with backup
   HKU\S-1-5-21-1957994488-1035525444-682003330-1003\Software\hsb -> Spyware.Hotsearchbar : Cleaned with backup
   HKU\S-1-5-21-1957994488-1035525444-682003330-1003\Software\hsb\ccc -> Spyware.Hotsearchbar : Cleaned with backup
   HKU\S-1-5-21-1957994488-1035525444-682003330-1003\Software\hsb\eee -> Spyware.Hotsearchbar : Cleaned with backup
   HKU\S-1-5-21-1957994488-1035525444-682003330-1003\Software\hsb\rrr -> Spyware.Hotsearchbar : Cleaned with backup
   HKU\S-1-5-21-1957994488-1035525444-682003330-1003\Software\hsb\ttt -> Spyware.Hotsearchbar : Cleaned with backup
   HKU\S-1-5-21-1957994488-1035525444-682003330-1003\Software\hsb\www -> Spyware.Hotsearchbar : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\Cache\4B58DE3Bd01 -> Spyware.MyWebSearch : Cleaned with backup
   :mozilla.9:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.10:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.11:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.12:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.13:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.14:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.15:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.16:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.17:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.18:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.19:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.38:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.39:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.40:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.41:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.42:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.43:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.52:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   :mozilla.70:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
   :mozilla.72:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
   :mozilla.96:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.97:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.102:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.103:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.104:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.105:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.106:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.107:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.108:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.109:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.110:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.111:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.112:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.113:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.114:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.115:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.116:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.133:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
   :mozilla.134:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
   :mozilla.135:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
   :mozilla.136:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
   :mozilla.137:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.138:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.139:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.140:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.141:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.142:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.143:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.144:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.145:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.146:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.147:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.148:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.149:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.150:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.151:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.152:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.153:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.154:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.155:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.156:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.157:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.158:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.159:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.160:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.161:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.162:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.163:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.164:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.165:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.166:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.169:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.170:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.171:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.172:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.173:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
   :mozilla.174:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
   :mozilla.190:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.191:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.198:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
   :mozilla.199:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   :mozilla.200:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   :mozilla.201:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   :mozilla.202:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
   :mozilla.230:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.231:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.232:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.233:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.234:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.246:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.262:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   :mozilla.263:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   :mozilla.274:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
   :mozilla.277:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.278:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.279:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.280:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.281:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.282:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.283:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.284:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.289:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
   :mozilla.326:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
   :mozilla.381:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
   :mozilla.382:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
   :mozilla.397:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Adengage : Cleaned with backup
   :mozilla.398:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Adengage : Cleaned with backup
   :mozilla.399:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Adengage : Cleaned with backup
   :mozilla.403:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
   :mozilla.408:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.409:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.410:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.411:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.412:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.413:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.414:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.417:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
   :mozilla.418:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.419:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.518:C:\Documents and Settings\Meg Brooke\Application Data\Mozilla\Firefox\Profiles\rb8x82ih.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-30219d0a-68968de6.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Cookies\meg brooke@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Cookies\meg brooke@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Cookies\meg brooke@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Cookies\meg [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\#1 Dvd Ripper 1.3.47.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\#1 Video Converter 3.8.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\123 Flash Menu 1.50.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\185-ScreenSavers-Collection.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\1Click DVD Copy 4.1.1.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\1st Desktop Guard v1.6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\2 Blonde Teens [censored] a Huge Cock.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\2 Scoops Double Dipped XXX DVD Rip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\2G Poster Works v1.0.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\2Pac - The Way He Wanted It.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\3D Canyon Flight Screensaver 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\3d Studio Max 7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\3D-Album Commercial Suite 3.0 + 3.27.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\50 Cent - Get Rich Or Die Tryin.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\50 First Dates (2004).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\7 Seconds DVD Rip Xvid.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\7-Zip 4.24.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\700 Flash Games - Easy Instal.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\A Plus PopUp Blocker v2.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Ability Office v4.9.000.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Absolute Video Converter v2.5.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Absolute Video Converter v2.5.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ACD Systems ACDSee v7.0.61 PowerPack.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ACD Systems Canvas X 898.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ACD Systems Canvas X 898.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AceBackup 2004 2.1.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AceBackup 2004 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AceHTML Pro 6.05.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Acoo Browser 1.19 Build 226.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Acoustica CD DVD Label Maker 2.39.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Acronis Disk Director Suite 9.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Acronis Power Utilities 2005.614.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Acronis Privacy Expert Suite 8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Acronis True Imagetrue Image Server 8.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Ad-Aware SE Personal.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Ad-aware Se Pro 1.03.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Adobe Acrobat 7 Professional.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Adobe Creative Suite 2 iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Adobe GoLive CS2 8.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Adobe GoLive CS2 8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Adobe Photoshop CS 2 9.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Adobe Photoshop CS2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Adobe Photoshop Digital.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Adobe Photoshop.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Adobe Premier Pro 7.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Advanced Link Catalog 1.07.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Advanced MP3WMA Recorder 5.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Advanced Security Administrator 10.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Advanced Uninstaller Pro 2005 7.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AdvancedPicHunter 20.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Adware Away 2.2.86.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AdwareX Eliminator 2.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Age of Empires 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Agnitum Outpost Firewall Pro 2.5.369.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Ahead.DVD.Ripper.v1.1.2.Incl.GOLD.Crack-TE.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Alcohol 120% 1.95.3105 Retail.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Alicia Rhodes & Her Big Perfect Tits.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AlienAbduction 1200.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\All In one Paswords Utilities 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\All Maximizer 8.0 Enterprise Products.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\All My Movies 3.5 Build 1193.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\All Nero Products.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\All Starwars movies.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ALO Audio CD Ripper 1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ALO Audio CD Ripper v1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Alone In The Dark.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\amac address change 1.0.0.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Annihilator - Never Neverl.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Antenna - Web Design Studio 2.5.105.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Anti Tracks 5.0.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Anti-Porn .v7.0.6.10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Anti-Virus 3.94 for Windows NT2KXP2K3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AntiVir Personal Edition 6.31.00.03.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Antiy Ghostbusters StdProAdvanced 4.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Any Password 1.44.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AnyDVD 4.0.4.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ApBackUp 2.5.1591.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Apollo DVD Copy SE v4.0.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Apollo DVD Copy v4.3.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Apycom Java Menus and Buttons v5.00.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Are We There Yet (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Area 51 - XBOXDVD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Arial Audio Converter 2.3.5.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Army Men RTS.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Ashampoo Media.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Ashampoo Photo Commander v3.50.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Ashampoo WinOptimizer Platinum Suite 2 1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Ashampoo WinOptimizer Platinum Suite 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AstroCalendar 1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Audiograbber 1.83 SE.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Austin PowersInternational.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AutoFTP Premium v4.5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Automize 6.19 for Windows.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AutoPlay Menu Builder v5.0.918.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Avant Browser 10.1 b8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Avant Browser 10.1 Beta 10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Avast Professional 4.5.546.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Avast Professional Edition 4.6.665.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\AVI-GIF 2.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Avid Xpress Pro 4.35.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Azureus 2.3.0.5 Beta 4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Baby Album - Basic Edition.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Baby ASP Web Server 2.6.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Bad CD Repair Pro 3.05.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\BarCodeWiz Barcode ActiveX Control 1.67.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Batch Script Processor 3.08 for AutoCAD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\BatchRename 2 v2.64.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Batman Begins (2005) DVDRip.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\batman begins.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Battle Realms Winter of the W.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Battle Realms Winter of the Wolf.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Battlefield 2 (DVD).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Battlefield 2 Reloaded iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Battlefield 2 Reloaded.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Battlefield 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Battlefield Vietnam.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\battlefield2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Battles In Normandy.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Be Cool.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\BeFaster 3.55.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\BeFaster v3.54.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Best CD To MP3 Ripper v1.00.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Bigger.Longer.Uncut.(2002).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Billie Holiday-Complete Decca Records.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Birth 2004.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\BitDefender Pro Plus 8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Black Eyed Peas-Monkey Busine.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Black Sabbath.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Blaze Media Pro 6.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Blaze VideoMagic 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\BlazeDVD 3 Pro.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Blindwrite 5.2.10.142.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\BlindWrite 5.2.9.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Boilsoft AVI to VCDDVD Converter 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Borland C++ Compiler 5.5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Bps Spyware & Adware Remover 9.2.0.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Brave Dwarves Back for Treasu.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Bridge.Construction.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Britney Spears - Baby One More Time.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Britney Spears - I love rock n roll.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Brothers in Arms Road to Hill 30 - Hoo.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Brothers in Arms Road to Hill 30 iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Bruce Springsteen - Darkness on the edge.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Bruce Springsteen - Devils And Dust.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Buddy Guy - Buddy Guy.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Bunbury - Freak Show.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\BVRP FaxTools Expert Network v8.03.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CA eTrust EZ Antivir.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Cafe Del Mar - 25th Anniversary CD1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Cafe Del Mar - 25th Anniversary CD2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Cafe Del Mar - 25th Anniversary CD3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Cake - Fashion Nugget Album.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Camtasia Studio 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Camtasia Studio 3.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CaptureWizPro v3.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Carmen Electra- Playboy DVD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Carnivores City Scape.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Casino Europa 2005 Full CD [BiT].zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CD Menu Author 2.0.0.11.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CDCheck 3.1.5.1b.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CDMenuPro Business Edition 4.100.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Celine Dion - Miracle.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\cFos v6.00.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Championship Manager 5 ISO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Chat Watch 4.2.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ChatBlocker v2.22.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Chessmaster 8000.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CHM2HTML Pilot 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Chris PC-Lock.v1.00.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Cinderella Man (Good Quality).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Circuitmaker 2000.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Civilization III.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Clean Space 9.1 pro.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Clean Space v9.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CleanCenter 1.34.60.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ClipCollect 1.62.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ClipMate 6.5.09.542.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CloneCD 5.0.3.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CloneCD 5.2.4.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CloneDVD 2.7.5.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Clonedvd 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\clonedvd 3.5.40.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Clubland X-Treme Hardcore.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CodeStuff Starter 5.6.1.45.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\CoffeeCup HTML Editor 2005G.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Coldplay - Live at Live8, London.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ComdevOne Admin Suite 3.1 - 15 Component.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Command & Conquer Renegade.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Con Air (200).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\ConceptDraw Project v1.3.6.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Conflict Vietnam.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Meg Brooke\Shared\Constantine Xbox.zip/Setup.exe -> Worm.VB.an : Cleaned with b
Title: win32.p2p-worm.alcan.a
Post by: guestolo on July 24, 2005, 10:18:32 PM
Looking better, how's everything on your end?

Can you do the following
Download and save this File
[attachment=299:attachment]
UNZIP it to your desktop

Double click to run the .vbs script
Allow this to run
A text file will be placed on your desktop
Copy and paste the contents back here
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 25, 2005, 09:17:27 PM
Things are getting better :P When I scanned with Ad-Aware there were only 2 Alcan things there instead of the normal 7 or however many there were



REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"CSAV_CheckViruses"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\vchk.exe"
"untray"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\untray.exe"
"avtray"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\avtray.exe"
"dvprpt"="C:\\PROGRA~1\\COMMAN~1\\COMMAN~1\\dvprpt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- FProtMenu
{4a479be0-3333-11d0-b519-00400519153f}
C:\Program Files\Command Software\Command AntiVirus\avshext.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR



Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
desktop.ini
==============================
C:\Documents and Settings\Owner\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk
desktop.ini
desktop.ini
==============================
C:\WINDOWS\system32 cpl files


ac3filter.cpl                
access.cpl                    Microsoft Corporation
appwiz.cpl                    Microsoft Corporation
B57exp.cpl                    Broadcom Corporation
bdeadmin.cpl                  Borland Software Corporation
desk.cpl                      Microsoft Corporation
hdwwiz.cpl                    Microsoft Corporation
igfxcpl.cpl                   Intel Corporation
inetcpl.cpl                   Microsoft Corporation
intl.cpl                      Microsoft Corporation
joy.cpl                       Microsoft Corporation
jpicpl32.cpl                  Sun Microsystems
main.cpl                      Microsoft Corporation
mmsys.cpl                     Microsoft Corporation
ncpa.cpl                      Microsoft Corporation
nusrmgr.cpl                   Microsoft Corporation
odbccp32.cpl                  Microsoft Corporation
powercfg.cpl                  Microsoft Corporation
sysdm.cpl                     Microsoft Corporation
telephon.cpl                  Microsoft Corporation
timedate.cpl                  Microsoft Corporation
wuaucpl.cpl                   Microsoft Corporation
Title: win32.p2p-worm.alcan.a
Post by: guestolo on July 25, 2005, 09:28:00 PM
Can you do me one more favor please :)

Open ad-aware and run a full system scan
When the scan's complete

Click the Show Logfile button
Highlight the whole logfile and copy and paste it back here
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 25, 2005, 09:45:14 PM
Ad-Aware SE Build 1.05
Logfile Created on:Monday, July 25, 2005 10:30:12 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R55 19.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):17 total references
Tracking Cookie(TAC index:3):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-25-2005 10:30:12 PM - Scan started. (Full System Scan)

 MRU List Object Recognized!
    Location:          : C:\Documents and Settings\Owner\Application Data\microsoft\office\recent
    Description        : list of recently opened documents using microsoft office


 MRU List Object Recognized!
    Location:          : C:\Documents and Settings\Owner\recent
    Description        : list of recently opened documents


 MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct3d


 MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct X


 MRU List Object Recognized!
    Location:          : software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft directdraw


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1008\software\microsoft\directinput\mostrecentapplication
    Description        : most recent application to use microsoft directinput


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1008\software\microsoft\directinput\mostrecentapplication
    Description        : most recent application to use microsoft directinput


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1003\software\microsoft\internet explorer
    Description        : last download directory used in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1008\software\microsoft\internet explorer\typedurls
    Description        : list of recently entered addresses in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1008\software\microsoft\windows\currentversion\applets\wordpad\recent file list
    Description        : list of recent files opened using wordpad


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1008\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored according to file extension


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1008\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored according to file extension


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1003\software\microsoft\windows\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1008\software\microsoft\windows\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


 MRU List Object Recognized!
    Location:          : S-1-5-21-1957994488-1035525444-682003330-1008\software\microsoft\windows media\wmsdk\general
    Description        : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    FilePath           : \SystemRoot\System32\
    ProcessID          : 644
    ThreadCreationTime : 7-25-2005 2:07:35 AM
    BasePriority       : Normal


#:2 [csrss.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 692
    ThreadCreationTime : 7-25-2005 2:07:36 AM
    BasePriority       : Normal


#:3 [winlogon.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 716
    ThreadCreationTime : 7-25-2005 2:07:37 AM
    BasePriority       : High


#:4 [services.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 760
    ThreadCreationTime : 7-25-2005 2:07:37 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName       : services.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : services.exe

#:5 [lsass.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 772
    ThreadCreationTime : 7-25-2005 2:07:37 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion     : 5.1.2600.1106
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName       : lsass.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : lsass.exe

#:6 [svchost.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 940
    ThreadCreationTime : 7-25-2005 2:07:38 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:7 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1032
    ThreadCreationTime : 7-25-2005 2:07:38 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:8 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1244
    ThreadCreationTime : 7-25-2005 2:07:39 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:9 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1276
    ThreadCreationTime : 7-25-2005 2:07:39 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:10 [brsvc01a.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1396
    ThreadCreationTime : 7-25-2005 2:07:40 AM
    BasePriority       : Normal
    FileVersion        : 1, 0, 0, 3
    ProductVersion     : 1, 0, 0, 3
    ProductName        : brother Industries Ltd brsvc01a
    CompanyName        : brother Industries Ltd
    FileDescription    : brsvc01a
    InternalName       : brsvc01a
    LegalCopyright     : Copyright © Brother Industries, Ltd 2001
    OriginalFilename   : brsvc01a.exe

#:11 [spoolsv.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 1408
    ThreadCreationTime : 7-25-2005 2:07:40 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName       : spoolsv.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : spoolsv.exe

#:12 [brss01a.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 1424
    ThreadCreationTime : 7-25-2005 2:07:40 AM
    BasePriority       : Normal
    FileVersion        : 1.004
    ProductVersion     : 1, 0, 0, 4
    ProductName        : brother Industries Ltd brss01a.exe
    CompanyName        : brother Industries Ltd
    FileDescription    : brss01a.exe
    InternalName       : brss01a.exe
    LegalCopyright     : Copyright ? 2001
    OriginalFilename   : brss01a.exe
    Comments           : Brsplproc XP wrapper

#:13 [avinitnt.exe]
    FilePath           : C:\Program Files\Command Software\Command AntiVirus\
    ProcessID          : 2012
    ThreadCreationTime : 7-25-2005 2:07:47 AM
    BasePriority       : Normal


#:14 [brmfrmps.exe]
    FilePath           : C:\WINDOWS\system32\
    ProcessID          : 2028
    ThreadCreationTime : 7-25-2005 2:07:47 AM
    BasePriority       : Normal
    FileVersion        : 1.10.10.144
    ProductVersion     : 1.45.11.403
    ProductName        : Brother MFL Pro
    CompanyName        : Brother Industries, Ltd.
    FileDescription    : Brother Popup Suspend service ( for R/M )
    InternalName       : Brother Popup Suspend service for Brother MFL-PRO Resource Manager
    LegalCopyright     : Copyright © 2002 brother
    OriginalFilename   : BrmfRmps.exe

#:15 [dvpapi.exe]
    FilePath           : C:\Program Files\Common Files\Command Software\
    ProcessID          : 124
    ThreadCreationTime : 7-25-2005 2:07:47 AM
    BasePriority       : Normal


#:16 [ewidoctrl.exe]
    FilePath           : C:\Program Files\ewido\security suite\
    ProcessID          : 216
    ThreadCreationTime : 7-25-2005 2:07:47 AM
    BasePriority       : Normal
    FileVersion        : 3, 0, 0, 1
    ProductVersion     : 3, 0, 0, 1
    ProductName        : ewido control
    CompanyName        : ewido networks
    FileDescription    : ewido control
    InternalName       : ewido control
    LegalCopyright     : Copyright © 2004
    OriginalFilename   : ewidoctrl.exe

#:17 [mdm.exe]
    FilePath           : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
    ProcessID          : 244
    ThreadCreationTime : 7-25-2005 2:07:48 AM
    BasePriority       : Normal
    FileVersion        : 7.10.3077
    ProductVersion     : 7.10.3077
    ProductName        : Microsoft® Visual Studio .NET
    CompanyName        : Microsoft Corporation
    FileDescription    : Machine Debug Manager
    InternalName       : mdm.exe
    LegalCopyright     : Copyright© Microsoft Corporation.  All rights reserved.
    OriginalFilename   : mdm.exe

#:18 [schscnt.exe]
    FilePath           : C:\Program Files\Command Software\Command AntiVirus\
    ProcessID          : 272
    ThreadCreationTime : 7-25-2005 2:07:48 AM
    BasePriority       : Normal


#:19 [svchost.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 328
    ThreadCreationTime : 7-25-2005 2:07:48 AM
    BasePriority       : Normal
    FileVersion        : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion     : 5.1.2600.0
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName       : svchost.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : svchost.exe

#:20 [wdfmgr.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 424
    ThreadCreationTime : 7-25-2005 2:07:48 AM
    BasePriority       : Normal
    FileVersion        : 5.2.3790.1230 built by: dnsrv(bld4act)
    ProductVersion     : 5.2.3790.1230
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows User Mode Driver Manager
    InternalName       : WdfMgr
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : WdfMgr.exe

#:21 [vsmon.exe]
    FilePath           : C:\WINDOWS\system32\ZoneLabs\
    ProcessID          : 560
    ThreadCreationTime : 7-25-2005 2:07:51 AM
    BasePriority       : Normal
    FileVersion        : 5.5.094.000
    ProductVersion     : 5.5.094.000
    ProductName        : TrueVector Service
    CompanyName        : Zone Labs, LLC
    FileDescription    : TrueVector Service
    InternalName       : vsmon
    LegalCopyright     : Copyright © 1998-2005, Zone Labs, LLC
    OriginalFilename   : vsmon.exe

#:22 [brmfrsmg.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 596
    ThreadCreationTime : 7-25-2005 2:07:51 AM
    BasePriority       : Normal
    FileVersion        : 1.45.15.340
    ProductVersion     : 1.45.15.340
    ProductName        : Brother MFL Pro
    CompanyName        : Brother Industries, Ltd.
    FileDescription    : Brother MFL Pro Resource Manager
    InternalName       : BrmfRsmg for Windows2000
    LegalCopyright     : Copyright © 1996-2001 Brother Industries, Ltd.
    OriginalFilename   : BrmfRsmg.exe

#:23 [explorer.exe]
    FilePath           : C:\WINDOWS\
    ProcessID          : 2360
    ThreadCreationTime : 7-25-2005 2:44:39 AM
    BasePriority       : Normal
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : EXPLORER.EXE

#:24 [hkcmd.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 2692
    ThreadCreationTime : 7-25-2005 2:44:42 AM
    BasePriority       : Normal
    FileVersion        : 3.0.0.2285
    ProductVersion     : 7.0.0.2285
    ProductName        : Intel® Common User Interface
    CompanyName        : Intel Corporation
    FileDescription    : hkcmd Module
    InternalName       : HKCMD
    LegalCopyright     : Copyright 1999-2003, Intel Corporation
    OriginalFilename   : HKCMD.EXE

#:25 [zlclient.exe]
    FilePath           : C:\Program Files\Zone Labs\ZoneAlarm\
    ProcessID          : 2640
    ThreadCreationTime : 7-25-2005 2:44:42 AM
    BasePriority       : Normal
    FileVersion        : 5.5.094.000
    ProductVersion     : 5.5.094.000
    ProductName        : Zone Labs Client
    CompanyName        : Zone Labs, LLC
    FileDescription    : Zone Labs Client
    InternalName       : zlclient
    LegalCopyright     : Copyright © 1998-2005, Zone Labs, LLC
    OriginalFilename   : zlclient.exe

#:26 [untray.exe]
    FilePath           : C:\PROGRA~1\COMMAN~1\COMMAN~1\
    ProcessID          : 372
    ThreadCreationTime : 7-25-2005 2:44:42 AM
    BasePriority       : Normal


#:27 [avtray.exe]
    FilePath           : C:\PROGRA~1\COMMAN~1\COMMAN~1\
    ProcessID          : 1312
    ThreadCreationTime : 7-25-2005 2:44:42 AM
    BasePriority       : Normal


#:28 [dvprpt.exe]
    FilePath           : C:\PROGRA~1\COMMAN~1\COMMAN~1\
    ProcessID          : 2724
    ThreadCreationTime : 7-25-2005 2:44:43 AM
    BasePriority       : Normal


#:29 [aim.exe]
    FilePath           : C:\Program Files\AIM\
    ProcessID          : 2844
    ThreadCreationTime : 7-25-2005 2:44:43 AM
    BasePriority       : Normal
    FileVersion        : 5.9.3690
    ProductVersion     : 5.9.3690
    ProductName        : AOL Instant Messenger
    CompanyName        : America Online, Inc.
    FileDescription    : AOL Instant Messenger
    InternalName       : AIM
    LegalCopyright     : Copyright © 1996-2004 America Online, Inc.
    OriginalFilename   : AIM.EXE

#:30 [csrss.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 1200
    ThreadCreationTime : 7-25-2005 8:42:50 PM
    BasePriority       : Normal


#:31 [winlogon.exe]
    FilePath           : \??\C:\WINDOWS\system32\
    ProcessID          : 1692
    ThreadCreationTime : 7-25-2005 8:42:50 PM
    BasePriority       : High


#:32 [explorer.exe]
    FilePath           : C:\WINDOWS\
    ProcessID          : 2588
    ThreadCreationTime : 7-25-2005 8:42:59 PM
    BasePriority       : Normal
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : EXPLORER.EXE

#:33 [hkcmd.exe]
    FilePath           : C:\WINDOWS\System32\
    ProcessID          : 2312
    ThreadCreationTime : 7-25-2005 8:43:00 PM
    BasePriority       : Normal
    FileVersion        : 3.0.0.2285
    ProductVersion     : 7.0.0.2285
    ProductName        : Intel® Common User Interface
    CompanyName        : Intel Corporation
    FileDescription    : hkcmd Module
    InternalName       : HKCMD
    LegalCopyright     : Copyright 1999-2003, Intel Corporation
    OriginalFilename   : HKCMD.EXE

#:34 [zlclient.exe]
    FilePath           : C:\Program Files\Zone Labs\ZoneAlarm\
    ProcessID          : 2288
    ThreadCreationTime : 7-25-2005 8:43:00 PM
    BasePriority       : Normal
    FileVersion        : 5.5.094.000
    ProductVersion     : 5.5.094.000
    ProductName        : Zone Labs Client
    CompanyName        : Zone Labs, LLC
    FileDescription    : Zone Labs Client
    InternalName       : zlclient
    LegalCopyright     : Copyright © 1998-2005, Zone Labs, LLC
    OriginalFilename   : zlclient.exe

#:35 [untray.exe]
    FilePath           : C:\PROGRA~1\COMMAN~1\COMMAN~1\
    ProcessID          : 2664
    ThreadCreationTime : 7-25-2005 8:43:01 PM
    BasePriority       : Normal


#:36 [avtray.exe]
    FilePath           : C:\PROGRA~1\COMMAN~1\COMMAN~1\
    ProcessID          : 2392
    ThreadCreationTime : 7-25-2005 8:43:02 PM
    BasePriority       : Normal


#:37 [dvprpt.exe]
    FilePath           : C:\PROGRA~1\COMMAN~1\COMMAN~1\
    ProcessID          : 488
    ThreadCreationTime : 7-25-2005 8:43:02 PM
    BasePriority       : Normal


#:38 [aim+.exe]
    FilePath           : C:\Program Files\AIM+\
    ProcessID          : 2412
    ThreadCreationTime : 7-25-2005 8:45:32 PM
    BasePriority       : Normal
    FileVersion        : 2, 2, 1, 65
    ProductVersion     : 2, 2, 1, 65
    ProductName        : AIM+
    CompanyName        : Big-O Software
    FileDescription    : AIM+
    InternalName       : AIM+
    LegalCopyright     : Copyright © 2001
    OriginalFilename   : AIM+.exe
    Comments           : [ 06.10.2002 ]

#:39 [aim.exe]
    FilePath           : C:\Program Files\AIM\
    ProcessID          : 2836
    ThreadCreationTime : 7-25-2005 8:45:32 PM
    BasePriority       : Normal
    FileVersion        : 5.9.3690
    ProductVersion     : 5.9.3690
    ProductName        : AOL Instant Messenger
    CompanyName        : America Online, Inc.
    FileDescription    : AOL Instant Messenger
    InternalName       : AIM
    LegalCopyright     : Copyright © 1996-2004 America Online, Inc.
    OriginalFilename   : AIM.EXE

#:40 [iexplore.exe]
    FilePath           : C:\Program Files\Internet Explorer\
    ProcessID          : 3812
    ThreadCreationTime : 7-26-2005 2:15:21 AM
    BasePriority       : Normal
    FileVersion        : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion     : 6.00.2800.1106
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName       : iexplore
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : IEXPLORE.EXE

#:41 [msnmsgr.exe]
    FilePath           : C:\Program Files\MSN Messenger\
    ProcessID          : 1240
    ThreadCreationTime : 7-26-2005 2:21:25 AM
    BasePriority       : Normal
    FileVersion        : 7.0.0777
    ProductVersion     : 7.0.0777
    ProductName        : MSN Messenger
    CompanyName        : Microsoft Corporation
    FileDescription    : MSN Messenger
    InternalName       : msnmsgr
    LegalCopyright     : Copyright © Microsoft Corporation 1997-2004
    LegalTrademarks    : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename   : msnmsgr.exe

#:42 [firefox.exe]
    FilePath           : C:\Program Files\Mozilla Firefox\
    ProcessID          : 952
    ThreadCreationTime : 7-26-2005 2:23:02 AM
    BasePriority       : Normal


#:43 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID          : 2376
    ThreadCreationTime : 7-26-2005 2:30:05 AM
    BasePriority       : Normal
    FileVersion        : 6.2.0.206
    ProductVersion     : VI.Second Edition
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : owner@atdmt[2].txt
    Category           : Data Miner
    Comment            : Hits:4
    Value              : Cookie:[email protected]/
    Expires            : 7-24-2010 8:00:00 PM
    LastSync           : Hits:4
    UseCount           : 0
    Hits               : 4

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : owner@mediaplex[1].txt
    Category           : Data Miner
    Comment            : Hits:1
    Value              : Cookie:[email protected]/
    Expires            : 6-21-2009 8:00:00 PM
    LastSync           : Hits:1
    UseCount           : 0
    Hits               : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 19



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : meg brooke@2o7[1].txt
    Category           : Data Miner
    Comment            :
    Value              : C:\Documents and Settings\Meg Brooke\Cookies\meg brooke@2o7[1].txt

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : meg brooke@advertising[1].txt
    Category           : Data Miner
    Comment            :
    Value              : C:\Documents and Settings\Meg Brooke\Cookies\meg brooke@advertising[1].txt

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : meg brooke@atdmt[2].txt
    Category           : Data Miner
    Comment            :
    Value              : C:\Documents and Settings\Meg Brooke\Cookies\meg brooke@atdmt[2].txt

 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : meg [email protected][2].txt
    Category           : Data Miner
    Comment            :
    Value              : C:\Documents and Settings\Meg Brooke\Cookies\meg [email protected][2].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
11 entries scanned.
New critical objects:0
Objects found so far: 23




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23

10:42:43 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:12:30.625
Objects scanned:144807
Objects identified:6
Objects ignored:0
New critical objects:6



This time no sign of the worm :) thx greatly appreciated!!!!!!!!!
Title: win32.p2p-worm.alcan.a
Post by: guestolo on July 25, 2005, 10:07:02 PM
Yup, looks good except for some bad cookies
We should update you to the latest version of Ad-Aware
Personally I like to uninstall the old version from Add/Remove programs and then install the latest version
Others have no problems allowing the new version's installation to take care of the old version when installing

Here's a direct link to Ad-Aware SE Personal 1.06 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)

You should make sure it's updated and run another scan with it

After that,  
If everything is running better, please do the following
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"

You should also consider updating Windows to Service Pack 2
This is important in keeping your system secure
Please see these links
http://www.microsoft.com/windowsxp/sp2/topten.mspx
http://www.microsoft.com/windowsxp/sp2/default.mspx
Title: win32.p2p-worm.alcan.a
Post by: josh_rowe_hccc on July 26, 2005, 02:31:04 PM
K, I did all of the above. Is there any of the programs I should remove or keep from deleting the worm?
Title: win32.p2p-worm.alcan.a
Post by: guestolo on August 01, 2005, 10:45:34 PM
Sorry for the delay, had a busy weekend

Optional for you to keep
Ewido>>Yours for free, you may consider hanging onto it
CleanUp!>>Again, you may want to hang onto it

You can manually remove Killbox, WpFind and L2Mfix

Any others let me know