TheTechGuide Forum

General Category => Tech Clinic => Topic started by: wormit on March 04, 2006, 03:00:37 AM

Title: win 32 p2p worm alcan a
Post by: wormit on March 04, 2006, 03:00:37 AM
Hi all,

I downloaded LimeWire a couple of days ago and then I blocked a firewall setting asking me to let p2p networking access the internet. The LimeWire software also kept restarting every 15 mins. I uninstalled LimeWire and I removed the worm using Ad-Aware SE Personal and AVG Free... BUT yesterday when I tried to log in to my email account the error page started showing up (cannot find server - the page cannot be displayed).
I had trojan horse dialer 16 bh also, but removed this and the worm like I said earlier.
And something that also bothered me was when I ran AVG Free and scanned the computer it showed the results saying the boot sector has changed.

Can someone please help me :) ty :huh:
Title: win 32 p2p worm alcan a
Post by: guestolo on March 04, 2006, 10:58:36 AM
Can you post a Hijackthis log please
Here are the instructions: http://www.thetechguide.com/forum/index.php?showtopic=22942

Post the log back to this thread
Title: win 32 p2p worm alcan a
Post by: wormit on March 04, 2006, 03:11:15 PM
Hi :)

I read a thread with a similar problem concerning this worm and I followed the steps as you have given, but still the problem seems to be there.
So here goes my log file.


Logfile of HijackThis v1.99.1
Scan saved at 2:02:45 AM, on 3/5/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Norton Internet Security\NISSERV.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\PROGRA~1\DAP\DAP.EXE
D:\Program Files\WildTangent\Apps\GameChannel.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Norton Internet Security\SymProxySvc.exe
D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [WT GameChannel] D:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessections/common/betfredlauncher.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://nucleus.name/exp/chm//x.chm::/open.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/CursorManiaFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20347BB5-A569-4778-A440-78C699E153CE}: NameServer = 203.115.0.47 203.115.0.46
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
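The entries a helper reads first in a log like the one above are mechanical to spot: Run/RunServices values with an empty name and a bare filename, ActiveX (O16) sources that are not plain http, services with no owner string, and whatever the O17 NameServer line points at. The script below is an added example written for this page, not something from the thread or from HijackThis itself. Its sample input is a handful of lines copied from the log above; the severity labels and per-entry heuristics are the example's own assumptions, and a hit is a reason to look closer rather than a verdict (bare IP hosts and "Unknown owner" services occur on clean machines too).

```python
"""Triage a HijackThis (HJT) log for the autorun and ActiveX entries a forum helper
would flag first. Added example for this page; the heuristics are assumptions."""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied verbatim from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://nucleus.name/exp/chm//x.chm::/open.exe
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20347BB5-A569-4778-A440-78C699E153CE}: NameServer = 203.115.0.47 203.115.0.46
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Line shapes as HJT 1.99 prints them (O4 registry autoruns, O16 DPF, O23 services, O17 DNS).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<src>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def triage_line(line):
    """Return a list of (severity, reason) findings for one HJT line; empty if nothing stands out."""
    findings = []
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        exe = cmd.split()[0]
        if not name:
            findings.append(("high", "autorun entry with an empty value name"))
        if "\\" not in exe:
            findings.append(("medium", f"bare executable name '{exe}' resolved via the search path"))
        if m.group("key").lower() == "runservices":
            findings.append(("medium", "RunServices key (honoured by Win9x/ME, ignored by XP; malware writes it for portability)"))
        return findings
    m = O16_RE.match(line)
    if m:
        src = m.group("src")
        scheme = src.split(":", 1)[0].lower()
        if scheme not in ("http", "https"):
            findings.append(("high", f"ActiveX source uses the '{scheme}:' scheme instead of http(s)"))
        else:
            host = urlsplit(src).hostname or ""
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                findings.append(("low", f"ActiveX control downloaded from a bare IP address {host}"))
        clsid_hex = re.sub(r"[^0-9A-Fa-f]", "", m.group("clsid"))
        if len(set(clsid_hex[:16])) <= 2:  # e.g. 11111111-1111-1111-1111-...: hand-typed, not generated
            findings.append(("medium", "CLSID looks hand-made rather than generated"))
        return findings
    m = O23_RE.match(line)
    if m and m.group("owner").lower() == "unknown owner":
        findings.append(("low", f"service '{m.group('name')}' carries no publisher/owner information"))
    m = O17_RE.match(line)
    if m:
        findings.append(("info", f"DNS servers set to {m.group('servers')}; confirm they belong to the ISP"))
    return findings


def triage_log(text):
    """Map each flagged log line to its findings; unflagged lines are left out."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        found = triage_line(line)
        if found:
            report[line] = found
    return report


if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG).items():
        print(line)
        for severity, why in findings:
            print(f"    [{severity}] {why}")
```

Run against the sample, the two empty-name p2pnetworking.exe values and the two O16 entries with file: and ms-its: sources come out on top; the Norton, Yahoo and AVG lines produce nothing. The patterns match HJT 1.99's line layout as shown in the thread and would need adjusting for other versions.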
Title: win 32 p2p worm alcan a
Post by: guestolo on March 04, 2006, 06:50:39 PM
I'm not sure what steps you tried; can you link me to what you did, please?
You appear to be running Norton AntiVirus and AVG anti-virus.
It's not recommended to run more than one active AV at the same time.
They will conflict with each other!
I suggest that you uninstall one or the other.
Reboot the computer.

Back in Windows, you're way behind on Windows updates.
Go to this link and download and install Service Pack 1a:
http://www.microsoft.com/windowsxp/downloads/updates/sp1/expresso.mspx
Reboot when prompted

Go back to Windows Update, accessed through Internet Explorer in TOOLS>>Windows Update.
Get all other Critical (High Priority) updates.
DON'T install Service Pack 2 right now; you can do this after you are clean, and it is highly NOT recommended to install SP2 until you are clear of malware.

Come back here after and post a fresh hijackthis log
Title: win 32 p2p worm alcan a
Post by: wormit on March 05, 2006, 03:34:00 AM
I uninstalled Norton AntiVirus. I tried to install Windows Service Pack 1a but halfway through the process the following error showed up, so I couldn't install the service pack.

SERVICE PACK 1 SETUP ERROR
 "The Product key used to install windows is invalid. Please contact your system administrator or retailer immediately to obtain a valid Product key. You may also contact Microsoft Corporation's Anti Privacy Team by emailing [email protected] if you think you have purchased pirated Microsoft software. Please be ensured that any personal information you send to Microsoft Anti privacy Team will be kept in strict confidence."

The steps I said I used earlier are from the following link: http://www.thetechguide.com/forum/index.php?showtopic=26680&hl=

The HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 2:30:47 PM, on 3/5/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Norton Internet Security\NISSERV.EXE
D:\Program Files\Norton Internet Security\SymProxySvc.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\DAP\DAP.EXE
D:\Program Files\WildTangent\Apps\GameChannel.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [WT GameChannel] D:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessections/common/betfredlauncher.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://nucleus.name/exp/chm//x.chm::/open.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/CursorManiaFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20347BB5-A569-4778-A440-78C699E153CE}: NameServer = 203.115.0.47 203.115.0.46
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Title: win 32 p2p worm alcan a
Post by: wormit on March 05, 2006, 07:29:37 AM
Can anyone help?
Title: win 32 p2p worm alcan a
Post by: guestolo on March 05, 2006, 11:36:17 AM
I'll help as much as I can, but your version of Windows is apparently an illegal copy
Chances are in the near future you will be reinfected with something else, maybe far worse than what you have right now

Do the following please
Make sure that your firewall is running
Download and save WinPFind.zip: http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe

Click START SCAN
Let this finish, a log will open so you will know it's done
Close out after

Reboot back to Normal mode

Back in Windows
Post the results of the WinPFind.txt located in the WinPFind folder

Where did you save p2pnetwork.bfu and bfu.exe?
To your C: or D: drive?
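The rows in WinPFind's "Checking %System% folder" and "Drivers" sections (in the log posted next) are labelled with the packer or protector marker string the tool found in each file: UPX!, FSG!, PEC2, aspack, PECompact2. The same marker string is in packed legitimate software too, which is why an AV kernel driver and Microsoft's MRT.exe show up there several times each; a hit only says "this file is packed", not "this file is malicious". The script below is an added example for this page, not WinPFind's own code: it performs that marker sweep over a constructed temporary folder standing in for %System%, and its marker list is an illustrative assumption, not WinPFind's real signature set.

```python
"""Packer-marker sweep over a folder tree, in the spirit of WinPFind's folder checks.
Added example for this page; the marker list is an assumption, not WinPFind's signatures."""
import os
import tempfile

# Marker byte strings that commonly appear in executables processed by these packers.
# Names mirror the labels WinPFind prints; the list is illustrative, not exhaustive.
PACKER_MARKERS = {
    "UPX!": b"UPX!",
    "FSG!": b"FSG!",
    "PEC2": b"PEC2",
    "PECompact2": b"PECompact2",
    "aspack": b"aspack",
}


def scan_file(path, markers=PACKER_MARKERS, chunk=1 << 20):
    """Return the marker names present anywhere in the file, in PACKER_MARKERS order."""
    found = set()
    longest = max(len(sig) for sig in markers.values())
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            window = tail + block
            for name, sig in markers.items():
                if sig in window:
                    found.add(name)
            # keep an overlap so a marker split across two reads is still seen
            tail = window[-(longest - 1):]
    return [name for name in markers if name in found]


def scan_tree(root, markers=PACKER_MARKERS):
    """Walk root; map 'relative/path' -> [markers] for every file that matched at least one marker."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            names = scan_file(full, markers)
            if names:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = names
    return hits


def build_sample_tree():
    """Constructed sample: a temp folder with three fake files shaped like the log's cases
    (a tool packed with PECompact2+aspack, a driver that trips four markers, and a clean DLL)."""
    root = tempfile.mkdtemp(prefix="winpfind_demo_")
    os.makedirs(os.path.join(root, "drivers"))
    samples = {
        "mrt_like.exe": b"MZ" + b"\x00" * 64 + b"PECompact2" + b"\x00" * 32 + b"aspack" + b"\x00" * 16,
        "drivers/av_driver_like.sys": b"MZ" + b"UPX!" + b"\x00" * 8 + b"FSG!" + b"PEC2" + b"aspack",
        "clean.dll": b"MZ" + b"\x00" * 256,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, names in sorted(scan_tree(demo_root).items()):
        for name in names:
            print(f"{name:<12} {rel}")
```

The output lists one row per marker per file, the same shape as the WinPFind block in the thread; clean.dll never appears. On a real system, treat a match as a prompt to check the file's publisher, signature and hash against a known-good source rather than as a finding on its own.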
Title: win 32 p2p worm alcan a
Post by: wormit on March 05, 2006, 01:08:00 PM
I saved the p2pnetwork.bfu and bfu.exe in the C: drive

Results of the WinPFind.txt:


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build:     Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack               6/17/2000 2:41:10 AM        48640      D:\WINDOWS\SYSTEM32\DC_KDC265.apl
PEC2                 8/23/2001 5:00:00 PM        41397      D:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2           2/8/2006 11:23:40 AM        4513120    D:\WINDOWS\SYSTEM32\MRT.exe
aspack               2/8/2006 11:23:40 AM        4513120    D:\WINDOWS\SYSTEM32\MRT.exe
Umonitor             8/23/2001 5:00:00 PM        630784     D:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              8/23/2001 5:00:00 PM        1309184    D:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX!                 3/1/2006 7:31:14 PM         752608     D:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG!                 3/1/2006 7:31:14 PM         752608     D:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2                 3/1/2006 7:31:14 PM         752608     D:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack               3/1/2006 7:31:14 PM         752608     D:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in D:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     3/5/2006 11:38:48 PM      S 2048       D:\WINDOWS\bootstat.dat
                     3/5/2006 1:28:20 PM      H  0          D:\WINDOWS\LastGood\INF\oem11.inf
                     3/5/2006 1:28:20 PM      H  0          D:\WINDOWS\LastGood\INF\oem11.PNF
                     3/5/2006 11:38:38 PM     H  8192       D:\WINDOWS\system32\config\default.LOG
                     3/5/2006 11:39:30 PM     H  1024       D:\WINDOWS\system32\config\SAM.LOG
                     3/5/2006 11:38:52 PM     H  12288      D:\WINDOWS\system32\config\SECURITY.LOG
                     3/5/2006 11:42:20 PM     H  102400     D:\WINDOWS\system32\config\software.LOG
                     3/5/2006 11:38:56 PM     H  860160     D:\WINDOWS\system32\config\system.LOG
                     2/18/2006 12:32:00 PM    H  1024       D:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
                     3/5/2006 11:36:26 PM     H  6          D:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/23/2001 5:00:00 PM        66048      D:\WINDOWS\SYSTEM32\access.cpl
Avance Logic, Inc.             3/21/2002 8:41:28 AM        544768     D:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation          8/23/2001 5:00:00 PM        558592     D:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        130048     D:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        150016     D:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        294912     D:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        119808     D:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     D:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         8/26/2005 6:14:42 PM        49265      D:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        187904     D:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        559616     D:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        35840      D:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        256000     D:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        36864      D:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        36864      D:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems               4/28/2000 10:17:16 AM       24660      D:\WINDOWS\SYSTEM32\plugincpl.cpl
Sun Microsystems               5/16/2001 9:10:08 AM        24663      D:\WINDOWS\SYSTEM32\plugincpl140.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        109056     D:\WINDOWS\SYSTEM32\powercfg.cpl
STMicroelectronics              8/17/2004 9:59:32 AM    R   352256     D:\WINDOWS\SYSTEM32\stmadsl.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        270848     D:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        28160      D:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        90112      D:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     D:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        66048      D:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        558592     D:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        130048     D:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        150016     D:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        294912     D:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        119808     D:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     D:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        187904     D:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        559616     D:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        35840      D:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        256000     D:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        36864      D:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        36864      D:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        109056     D:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        147456     D:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        270848     D:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        28160      D:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        90112      D:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     8/16/2005 7:13:48 PM        986        D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
                     12/17/2002 5:52:24 AM       1034       D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon LBP-810 Status Window.LNK
                     12/12/2002 4:43:52 AM    HS 84         D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     12/12/2002 5:24:06 AM       1725       D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     12/11/2002 8:30:50 PM    HS 62         D:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
                     12/12/2002 4:43:52 AM    HS 84         D:\Documents and Settings\MEGAPAQ\Start Menu\Programs\Startup\desktop.ini
                     2/23/2003 1:21:24 AM        1510       D:\Documents and Settings\MEGAPAQ\Start Menu\Programs\Startup\MP3 Dancer.lnk
                     8/4/2005 2:44:14 PM         680        D:\Documents and Settings\MEGAPAQ\Start Menu\Programs\Startup\Webshots.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     12/11/2002 8:30:50 PM    HS 62         D:\Documents and Settings\MEGAPAQ\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = D:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
   {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}    =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = D:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
   {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}    =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}
   DAPHelper Class = D:\Program Files\DAP\DAPBHO.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   AcroIEHlprObj Class = D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}    =    :
   {62999427-33FC-4baf-9C9C-BCE6BD127F08}    = DAP Bar   : D:\Program Files\DAP\DAPIEBar.dll
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : D:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
   ButtonText    = Run DAP   : D:\PROGRA~1\DAP\DAP.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6FDD5236-C9F0-49ef-935D-385F5E21991A}
   ButtonText    = Poker.com   : D:\Program Files\Poker.com\poker.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
   ButtonText    = PartyPoker.com   : D:\Program Files\PartyPoker\PartyPoker.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
   Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
   Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} =    :
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar   :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   SoundMan   SOUNDMAN.EXE
   CAPON   D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
   DownloadAccelerator   D:\PROGRA~1\DAP\DAP.EXE /STARTUP
   WT GameChannel   D:\Program Files\WildTangent\Apps\GameChannel.exe
   NeroCheck   D:\WINDOWS\system32\NeroCheck.exe
   AdslTaskBar   rundll32.exe stmctrl.dll,TaskBar
   Symantec NetDriver Monitor   D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
   SunJavaUpdateSched   D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
      p2pnetworking.exe
   SSC_UserPrompt   D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
   AVG7_CC   D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
      p2pnetworking.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   Yahoo! Pager   D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = D:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = D:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = D:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 3/5/2006 11:50:31 PM
Title: win 32 p2p worm alcan a
Post by: guestolo on March 05, 2006, 01:15:10 PM
Can you check out one file for me please
It may be legit, I just want a better look at it

Go to either of these links
http://virusscan.jotti.org/
or
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to this file on your hard disk
D:\WINDOWS\SYSTEM32\DC_KDC265.apl <--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you copy and paste back the results of the scan back here please
Title: win 32 p2p worm alcan a
Post by: wormit on March 05, 2006, 01:35:36 PM
File:  DC_KDC265.apl_  
Status:  MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)  
MD5  ea8dfb2e0604ec4b037418097aef8c29  
Packers detected:  ASPACK

Scanner results  
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VirusBuster  Found nothing
VBA32  Found nothing
Title: win 32 p2p worm alcan a
Post by: guestolo on March 05, 2006, 01:50:10 PM
Can you do the following please, let's try saving bfu.exe and p2pnetwork to the d: drive
It looks like most of the associated files are gone
This is just for a double check

Can you open "MyComputer"
Double click to open Local Disk D: drive
Right click an empty spot and left click NEW>>Folder
A new folder will be placed in the D: folder, name it BFU
So you now have D:\BFU

Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip)
Reminder, choose SAVE rather than OPEN
Then Extract (UNZIP) the contents to the (D:\BFU) folder you just made

RIGHT CLICK HERE (http://metallica.geekstogo.com/p2pnetwork.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover.
Save it in the folder you made earlier (d:\BFU)

Also: Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WT GameChannel"=-
"p2pnetworking.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"p2pnetworking.exe"=-

Open the D:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu in the D:\BFU folder
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.

Double click on fix.reg and allow to add/merge to the registry

Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://nucleus.name/exp/chm//x.chm::/open.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab


After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


Reboot the computer

Back in Windows
==Open Ewido anti-malware
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
    Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

When it's done
Post back the following
1. Run a "Scan and Save logfile" with Hijackthis and post the fresh log
2. Post the whole report you saved earlier from Ewido's

Could you also right click on
D:\WINDOWS\SYSTEM32\DC_KDC265.apl <-this file
Left click properties, if there is a version tab, open it and let me know what it's related to please
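The fix.reg above deletes the two p2pnetworking.exe autostart values by hand. As an added example (not from the thread, nor from WinPFind or HijackThis), the Python below parses the Run-key sections of a WinPFind-style dump, flags values that have no name or whose program is registered under more than one autostart key, and emits a REGEDIT4 file in the same "name"=- form. The sample log is constructed to mirror the one above, and treating the lone printed token as the value name is an assumption the thread's fix.reg also makes.

```python
"""Triage WinPFind-style autostart dumps and build a REGEDIT4 removal file.

Added example; the log layout is modelled on the WinPFind output in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in WinPFind's layout: a bracketed key, then one
# "   <value name>   <data>" line per value, fields separated by 3+ spaces.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   SoundMan   SOUNDMAN.EXE
   DownloadAccelerator   D:\PROGRA~1\DAP\DAP.EXE /STARTUP
   AdslTaskBar   rundll32.exe stmctrl.dll,TaskBar
      p2pnetworking.exe
   AVG7_CC   D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
      p2pnetworking.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   Yahoo! Pager   D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

AUTOSTART_SUFFIXES = ("\\Run", "\\RunOnce", "\\RunServices", "\\RunServicesOnce")
SEVERITY = {"none": 0, "low": 1, "high": 2}


@dataclass
class Entry:
    key: str
    name: str            # value name; "" when WinPFind printed a lone token
    data: str            # command line stored in the value
    reasons: list = field(default_factory=list)   # (severity, explanation)

    @property
    def program_path(self) -> str:
        """Program part of the command line, tolerant of spaces in paths."""
        m = re.match(r'"?(.*?\.(?:exe|com|scr|dll))\b', self.data, re.I)
        return m.group(1) if m else (self.data.split() or [""])[0]

    @property
    def program(self) -> str:
        return self.program_path.rsplit("\\", 1)[-1].lower()

    @property
    def severity(self) -> str:
        return max((s for s, _ in self.reasons), key=SEVERITY.get, default="none")


def parse_autostart(log: str) -> list:
    """One Entry per value listed under a Run-type key in a WinPFind dump."""
    entries, key = [], None
    for raw in log.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("["):
            section = line.strip("[]")
            key = section if section.endswith(AUTOSTART_SUFFIXES) else None
            continue
        if key is None or not line.startswith("   "):
            continue
        # "   <name>   <data>": an empty name shows up as six leading spaces.
        parts = re.split(r"\s{3,}", line[3:], maxsplit=1)
        if len(parts) == 1:
            parts.append("")
        name, data = parts
        entries.append(Entry(key, name.strip(), data.strip()))
    return entries


def triage(entries: list) -> list:
    """Attach (severity, reason) pairs to each entry; returns the same list."""
    programs = Counter(e.program for e in entries if e.program)
    for e in entries:
        if not e.name:
            e.reasons.append(("high", "value has no name; WinPFind printed a lone token"))
        if programs[e.program] > 1:
            e.reasons.append(("high", "same program registered under several autostart keys"))
        path = e.program_path
        if path and "\\" not in path and "%" not in path and e.program != "rundll32.exe":
            e.reasons.append(("low", "no explicit path; the file that runs depends on the search path"))
    return entries


def reg_escape(name: str) -> str:
    """Escape a value name for a .reg file (backslash and double quote)."""
    return name.replace("\\", "\\\\").replace('"', '\\"')


def build_fix_reg(entries: list, min_severity: str = "high") -> str:
    """REGEDIT4 text whose "name"=- lines delete every entry at or above min_severity.
    Assumption: when no value name was printed, the lone token is used as the name."""
    by_key = {}
    for e in entries:
        if SEVERITY[e.severity] >= SEVERITY[min_severity]:
            by_key.setdefault(e.key, []).append(e.name or e.data)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{reg_escape(n)}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(parse_autostart(SAMPLE_LOG))
    for e in found:
        if e.reasons:
            short_key = e.key.rsplit("\\", 1)[-1]
            print(f"[{e.severity}] {short_key}: {e.name or '<no name>'} -> {e.data}")
            for _, why in e.reasons:
                print("    -", why)
    print(build_fix_reg(found))
```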
Title: win 32 p2p worm alcan a
Post by: wormit on March 05, 2006, 08:53:22 PM
The D:\WINDOWS\SYSTEM32\DC_KDC265.apl properties:

Opens with: Adobe Photoshop
File version: 1.0.0.1
Description: DC_KDC265
Copyright: Copyright © 1999 ACD Systems, Ltd.


New report

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         7:33:01 AM, 3/6/2006
 + Report-Checksum:      ED14F6FB

 + Scan result:

   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup


::Report End

Earlier report

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         11:19:03 PM, 3/4/2006
 + Report-Checksum:      46661151

 + Scan result:

   HKLM\SOFTWARE\Hotbar -> Adware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Hotbar\Hotbar -> Adware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Hotbar\Hotbar\Install -> Adware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Hotbar\Hotbar\MachineInfo -> Adware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Hotbar\Hotbar\PI -> Adware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Hotbar\Hotbar\PI\3.2 -> Adware.HotBar : Cleaned with backup
   HKU\S-1-5-21-1202660629-789336058-725345543-1003\Software\Hotbar -> Adware.HotBar : Cleaned with backup
   HKU\S-1-5-21-1202660629-789336058-725345543-1003\Software\Hotbar\hotbar -> Adware.HotBar : Cleaned with backup
   HKU\S-1-5-21-1202660629-789336058-725345543-1003\Software\Hotbar\hotbar\Install -> Adware.HotBar : Cleaned with backup
   HKU\S-1-5-21-1202660629-789336058-725345543-1003\Software\Hotbar\hotbar\options -> Adware.HotBar : Cleaned with backup
   HKU\S-1-5-21-1202660629-789336058-725345543-1003\Software\Hotbar\hotbar\UserInfo -> Adware.HotBar : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@a-1shz2prbmdj6wvny-1sez2pra2dj6wfkikidjseoq-1dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Goclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Gamingpromo : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@cj[1].txt -> TrackingCookie.Cj : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@com[1].txt -> TrackingCookie.Com : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Clickzs : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Clickzs : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@gamingpromo[1].txt -> TrackingCookie.Gamingpromo : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Starware : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Itrack : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Masterstats : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Web-stat : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Clickzs : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Web-stat : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlywpcjmboa2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Local Settings\Temp\Cookies\megapaq@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
   D:\Program Files\Hotbar -> Adware.HotBar : Cleaned with backup
   D:\Program Files\Hotbar\bin -> Adware.HotBar : Cleaned with backup
   D:\Program Files\Hotbar\Hotbar.log -> Adware.HotBar : Cleaned with backup
   D:\System Volume Information\_restore{34FCC7E2-024D-43A8-8903-42DE892DDBEB}\RP200\A0372637.exe -> Adware.Casino : Cleaned with backup
   D:\System Volume Information\_restore{34FCC7E2-024D-43A8-8903-42DE892DDBEB}\RP200\A0372676.exe -> Adware.Casino : Cleaned with backup
   D:\System Volume Information\_restore{34FCC7E2-024D-43A8-8903-42DE892DDBEB}\RP200\A0424643.exe -> Adware.Casino : Cleaned with backup


::Report End


And I've also noticed that my Yahoo Messenger starts as soon as I log on to the computer. It usually wasn't like this. Could this be a trace of the worm?
Title: win 32 p2p worm alcan a
Post by: guestolo on March 05, 2006, 09:21:58 PM
If you have an older version of Spybot installed please uninstall it from Add/Remove programs
Download and Install Spybot 1.4 from
HERE (http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
or HERE (http://www.safer-networking.org/en/download/index.html)

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, the boxes and then download all updates
After update is complete
Close Spybot for now as we will need it later

==Download and Install
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Don't run it yet

Download and save to your desktop FxHotbar.exe (http://securityresponse.symantec.com/avcenter/FxHotbar.exe) by Symantec
Close down all other windows

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer


Double click on FxHotbar.exe
Then click on Start
Let it finish scanning your computer
Follow any prompts and exit when it's done

Reboot your computer

Back in Windows
Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX ALL selected problems in RED
RESTART your computer once again

Back in Windows
Can you post a new Hijackthis log please

Do you see an option in Yahoo to disable it from running on startup?
If not we can disable it on startup with hijackthis
Title: win 32 p2p worm alcan a
Post by: wormit on March 06, 2006, 03:24:30 AM
I did the cleanup and the scan with FxHotbar.exe BUT I can't seem to update or run the search and destroy process with Spybot :(

When I try to update it, Spybot says: error retrieving update info file, Socket error 10061 connection refused
When I try to scan it says I need to install detection updates first by using the integrated or manual updater.
Title: win 32 p2p worm alcan a
Post by: wormit on March 06, 2006, 03:48:07 AM
I wonder whether it was because I blocked p2p networking from accessing the internet after I downloaded LimeWire (had to do this because the message asking for internet access kept popping up).


Could this be the cause of this whole problem?
Title: win 32 p2p worm alcan a
Post by: wormit on March 06, 2006, 05:04:13 AM
Here's the HJT logfile without the Spybot scan. By the way, I noticed that a URL hook is missing in this log file (I have bolded it). Does this mean anything? (just wondering :D)


Logfile of HijackThis v1.99.1
Scan saved at 3:57:31 PM, on 3/6/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Norton Internet Security\NISSERV.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\DAP\DAP.EXE
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
D:\Program Files\Norton Internet Security\SymProxySvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessections/common/betfredlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Title: win 32 p2p worm alcan a
Post by: guestolo on March 06, 2006, 08:58:29 PM
Which firewall are you running?
The one from Norton's?
It's possible that Spybot won't update because of the firewall or DAP
Can you disable DAP and try checking for updates again
OR if that won't work
Close down Spybot completely
Go to THIS LINK (http://www.safer-networking.org/en/download/index.html)
Download and save to desktop
Detection updates 2006-03-03 - product description
Double click to install the updates
After the updates are installed, reopen Spybot
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX ALL selected problems in RED
RESTART your computer

Back in Windows
Can you also do the following please
From below, download and UNZIP to desktop
Run_Keys.zip so you now have Run_Keys.bat extracted

Double click on Run_Keys.bat
A text file will open, copy and paste back here the whole contents please
Title: win 32 p2p worm alcan a
Post by: wormit on March 07, 2006, 02:30:04 AM
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="p2pnetworking.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="p2pnetworking.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"CAPON"="D:\\WINDOWS\\System32\\Spool\\Drivers\\w32x86\\3\\CAPONN.EXE"
"DownloadAccelerator"="D:\\PROGRA~1\\DAP\\DAP.EXE /STARTUP"
"NeroCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"AdslTaskBar"="rundll32.exe stmctrl.dll,TaskBar"
"Symantec NetDriver Monitor"="D:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="D:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
@="p2pnetworking.exe"
"SSC_UserPrompt"="D:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"UserFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,75,00,\
  00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="D:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="D:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
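Added example, not code from this thread or from the Run_Keys.bat tool: a small Python script that parses a registry export in the layout the dump above has (the `SAMPLE_REG` text inside it is constructed for the example, modelled on that dump) and marks the entries a responder would want to look at first. It picks out the command stored in a key's blank default value (the `@="p2pnetworking.exe"` pattern in both Run and RunServices, which HijackThis showed as `O4 - HKLM\..\Run: []`), entries under the Windows 9x-era RunServices key, and commands that give a bare executable name instead of a full path. It also decodes the `hex(2):` continuation-line encoding regedit uses for REG_EXPAND_SZ values, so the UserFaultCheck entry reads as `%systemroot%\system32\dumprep 0 -u` rather than a wall of hex. The findings are triage hints, not verdicts: SOUNDMAN.EXE is flagged for the same bare-name reason as p2pnetworking.exe, which is exactly why a human still reads the list.

```python
"""Flag autorun entries worth a second look in a Windows .reg export of the Run keys.

Added example (not the thread's own tool). Parses regedit/reg-export text and
applies a few defender-side checks. Sample input below is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the thread's Run_Keys output: two autorun keys,
# a blank-name (@) command, and a REG_EXPAND_SZ value wrapped across lines.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="p2pnetworking.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
@="p2pnetworking.exe"
"UserFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,75,00,\
  00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="D:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
NAMED_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
DEFAULT_VALUE_RE = re.compile(r"^@=(.*)$")


@dataclass
class Autorun:
    key: str
    name: str                # "" when the key's default value (@) carries the command
    command: str
    findings: list = field(default_factory=list)


def decode_value(raw: str) -> str:
    """Turn a .reg value literal into a plain string (REG_SZ and REG_EXPAND_SZ only)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)$", raw)
    if m:  # REG_EXPAND_SZ is exported as comma-separated UTF-16LE bytes
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword:, hex: and other types are left as written


def parse_autoruns(text: str) -> list:
    """Collect every value under every key in the export as an Autorun record."""
    entries, key = [], None
    # regedit wraps long values with a trailing backslash; join those lines first
    for line in text.replace("\\\n", "").splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := NAMED_VALUE_RE.match(line)):
            entries.append(Autorun(key, m.group(1), decode_value(m.group(2))))
        elif key and (m := DEFAULT_VALUE_RE.match(line)):
            entries.append(Autorun(key, "", decode_value(m.group(1))))
    return entries


def assess(entry: Autorun) -> Autorun:
    """Attach review findings; these are triage hints, not verdicts."""
    if entry.name == "":
        entry.findings.append("command stored in the key's default value (@); installers do not do this")
    if entry.key.upper().endswith("\\RUNSERVICES"):
        entry.findings.append("RunServices is a Windows 9x-era key; current software rarely writes it")
    tokens = entry.command.strip().strip('"').split()
    exe = tokens[0] if tokens else ""
    if exe and "\\" not in exe and "/" not in exe:
        entry.findings.append(f"bare executable name {exe!r}: resolved via the search path, no full path")
    return entry


def suspicious(text: str) -> list:
    """Parse an export and return only the entries that drew at least one finding."""
    return [e for e in map(assess, parse_autoruns(text)) if e.findings]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_REG):
        print(f"{e.key}\n  [{e.name or '@'}] {e.command}")
        for f in e.findings:
            print(f"    - {f}")
```

Run it against the text a `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run` produces (or the output of a batch file like Run_Keys.bat) by reading the file into `suspicious()` instead of `SAMPLE_REG`; the bare-name check is deliberately noisy, so treat the output as a reading order, not a removal list.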
Title: win 32 p2p worm alcan a
Post by: guestolo on March 08, 2006, 12:03:14 AM
Can you do the following
Download and UNZIP from the bottom of this reply box to desktop
Repair2.zip
so you now have repair2.reg extracted

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R3 - Default URLSearchHook is missing


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on repair2.reg and allow to add/merge to the registry

REBOOT the computer

Back In windows, post back a fresh hijackthis log
So what Firewall are you using??????
Title: win 32 p2p worm alcan a
Post by: wormit on March 08, 2006, 12:49:33 AM
Logfile of HijackThis v1.99.1
Scan saved at 11:42:35 AM, on 3/8/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Norton Internet Security\NISSERV.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Norton Internet Security\SymProxySvc.exe
D:\PROGRA~1\DAP\DAP.EXE
D:\WINDOWS\System32\rundll32.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\JavaSoft\JRE\1.4\bin\npjpi140.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\JavaSoft\JRE\1.4\bin\npjpi140.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessections/common/betfredlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe (file missing)
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I used Norton's firewall... but since you asked me to uninstall either Norton or AVG Free, I uninstalled Norton, so I'm not sure whether the Norton firewall is still there... I don't have the AVG Free firewall feature. (I installed AVG Free after I found this worm, a couple of days after I installed LimeWire.)
Title: win 32 p2p worm alcan a
Post by: guestolo on March 08, 2006, 01:21:01 AM
Can you open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Click the SAVE LIST button
Save the list to desktop then copy and paste back here the whole contents please

Do you know what version of Norton's Internet Security you have installed and are you willing to try and uninstall it?
Title: win 32 p2p worm alcan a
Post by: wormit on March 08, 2006, 02:20:12 AM
ACDSee
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0
AV301P Camera
Avance AC'97 Audio
AVG Free Edition
Britney Spears
Canon CAPT printers
CleanUp!
Cricket '97 Ashes Tour Edition
Download Accelerator Plus Beta
DVDSound
ewido anti-malware
FlashToolset
FTP Commander
Full Tilt Poker
HijackThis 1.99.1
iPIX ActiveX Viewer
Java 2 Runtime Environment Standard Edition v1.4
Java 2 SDK Standard Edition v1.4.0
Java Web Start
Lets Play active
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Flash 5
Macromedia Flash Player 8
MailWasher
Microsoft Driver Compatibility Database
Microsoft Encarta 96 Encyclopedia
Microsoft Encarta World Atlas 1998 Edition
Microsoft Office 2000 Premium
Microsoft Visual Basic 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Microsoft Windows Application Compatibility Message Database
MP3 Dancer
MSN Messenger 7.5
Need For Speed II SE
Nero - Burning Rom (Web installer)
Norton Internet Security
Norton WMI Update
Poker Superstars
PokerChamps
PowerDVD
Prolink H8600 ADSL Modem
Quake III Arena
Shockwave
Sinhala Word 2000
Spec Ops Ranger Team Bravo (RAZOR 1911)
SpeedOptimizer
Spybot - Search & Destroy 1.4
Webshots!
WildTangent GameChannel (remove only)
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB887822
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinRAR archiver
WinZip
WinZip Self-Extractor
XingMPEG Player
Yahoo! Install Manager
Yahoo! Messenger

The version is 2002... the functions seem to be disabled though... Will I have to get a new firewall if I uninstall this?

I'm willing to uninstall it if it will solve this problem... still can't seem to log in to any of my email accounts.
Title: win 32 p2p worm alcan a
Post by: wormit on March 08, 2006, 11:15:22 PM
So shall I uninstall the Norton Internet Security???

Can someone help?
Title: win 32 p2p worm alcan a
Post by: guestolo on March 09, 2006, 12:50:14 AM
I would hate to leave you without a firewall
Go to THIS LINK (http://www.thetechguide.com/forum/index.php?showtopic=15894)
Look under Software firewalls
All have a free version
ONLY download one please, more than one software firewall can cause conflicts
I have not used all the firewalls, but all have been recommended
Check the program help files if you need setup information

Save the installer to your desktop
Don't install it yet
Remove Norton Internet Security 2002 through your Add/Remove Programs; you can remove LiveUpdate as well if it's not needed
Reboot the computer

Then install your new Firewall
I personally still have Sygate's on this comp.
But it no longer has support, which ended a couple of months ago
It will still work however

come back here and post a fresh hijackthis log
Title: win 32 p2p worm alcan a
Post by: wormit on March 09, 2006, 01:59:07 AM
Ok so I uninstalled Norton Internet Security and the LiveUpdate, and installed the Agnitum firewall.
Here's the HJT logfile


Logfile of HijackThis v1.99.1
Scan saved at 12:54:29 PM, on 3/9/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\DAP\DAP.EXE
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\WINDOWS\System32\wuauclt.exe
D:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Outpost Firewall] "D:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\JavaSoft\JRE\1.4\bin\npjpi140.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\JavaSoft\JRE\1.4\bin\npjpi140.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessections/common/betfredlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe (file missing)
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - D:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
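The log above is in HijackThis v1.99 format. As an added example (not from this thread or from HijackThis itself), here is a small triage script that parses such lines and flags the entries a helper would look at first: items pointing at a file that is no longer present, O16 ActiveX controls downloaded from a bare IP address, and O23 services with no vendor information. The sample lines are constructed, shortened copies of entries from the log.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 format (shortened copies of entries
# from the log above); the local paths are illustrative and not checked on disk.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\\Program Files\\Poker.com\\poker.exe (file missing)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O23 - Service: JavaWebServer - Unknown owner - D:\\JavaWebServer2.0\\bin\\jservsvc.exe (file missing)
"""

# Every HijackThis entry starts with a section code such as O4, O16 or O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O16 entries: "DPF: {CLSID} (display name) - <download URL or local path>"
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")


def triage(log_text):
    """Return (section, reason, line) tuples for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if body.endswith("(file missing)"):
            findings.append((section, "references a file that no longer exists", raw))
        if section == "O16":
            d = DPF_RE.match(body)
            if d:
                host = urlparse(d.group(3)).hostname or ""
                try:
                    ip_address(host)  # raises ValueError for a normal hostname
                    findings.append((section, "ActiveX control fetched from a bare IP address", raw))
                except ValueError:
                    pass
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no vendor information", raw))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```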
Title: win 32 p2p worm alcan a
Post by: wormit on March 09, 2006, 02:12:08 AM
OMG OMG it's working!!!!!

Can access my email now. Can't believe it :lol: :D
Thanks a billion :)

One more thing: the Agnitum firewall said it's outdated and had to be updated with a 30-day trial or something, so can I still use it? (I updated it)
Title: win 32 p2p worm alcan a
Post by: wormit on March 09, 2006, 04:26:14 PM
In the Agnitum Outpost firewall, an application asking for internet access appears, saying "generic host process for win32 services requesting an incoming connection". Is it safe to let it access the internet?
The given option is "stop all activities for this application",
but after I click OK I can't go to any sites.
The other two options are
 1) allow all activities for this application
 2) create rules using preset

What should I do?
Should I always choose the option the Agnitum Outpost firewall gives? :huh: