Messages - purepremium2006

1
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 24, 2006, 01:40:51 AM »
hey guestolo

I'd like to donate a small amount for your help.
I don't trust PayPal anymore; they keep sending me spam, and I've put my account on hold.
Give me an address; I'd like to send it to you.

Thanks again for all the help.

2
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 19, 2006, 04:27:25 AM »
Got SpywareBlaster, Ad-Aware and Spybot all running; the system seems very clean now. Can you repost the SP2 update link? It's not working. Thanks again for all your help. Very much appreciated. I've always thought that if I avoided porn sites and clicking on pop-ups my computer would be free of crap. Didn't know that it was so weighed down by crap. Please post the link for the other firewall you speak of; I will read up on it, though I think the XP one is doing an OK job. Funny, all this virus crap is really making me consider buying a Mac. Hope you had a wonderful weekend and have a good week.

Thank you very much


francis

3
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 16, 2006, 02:05:40 AM »
I haven't really had time to work on my computer at home this week yet, but I opened Photoshop just now and it seems a bit faster opening files. It's been running smoother, that's for sure; less lag when starting/opening stuff.

About those System Restore folders (C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}). Can I delete them?

Here's the log...

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts


Checking %System% folder...
aspack               3/18/2005 5:19:58 PM        2337488    C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2                 8/28/2002 2:00:00 PM        41397      C:\WINDOWS\SYSTEM32\DFRG.MSC
PEC2                 9/28/2005 2:29:14 PM        693248     C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2           9/28/2005 2:29:14 PM        693248     C:\WINDOWS\SYSTEM32\DivX.dll
PTech                7/12/2005 7:04:22 PM        520456     C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2           1/4/2006 8:46:40 PM         2827616    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               1/4/2006 8:46:40 PM         2827616    C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor             8/28/2002 2:00:00 PM        631808     C:\WINDOWS\SYSTEM32\RASDLG.DLL
UPX!                 1/9/2006 10:36:00 AM        42496      C:\WINDOWS\SYSTEM32\swreg.exe
UPX!                 1/9/2006 10:36:00 AM        40960      C:\WINDOWS\SYSTEM32\swsc.exe
winsync              8/28/2002 2:00:00 PM        1309184    C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
UPX!                 6/13/2006 11:37:18 PM       776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG!                 6/13/2006 11:37:18 PM       776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2                 6/13/2006 11:37:18 PM       776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack               6/13/2006 11:37:18 PM       776096     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     6/15/2006 11:51:02 PM     S 2048       C:\WINDOWS\BOOTSTAT.DAT
                     6/15/2006 11:49:46 PM     S 64         C:\WINDOWS\CSC\00000001
                     6/11/2006 12:45:12 PM     S 64         C:\WINDOWS\CSC\00000002
                     6/7/2006 7:12:18 PM       S 64         C:\WINDOWS\CSC\csc1.tmp
                     4/28/2006 9:29:22 PM     HS 848        C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
                     6/15/2006 11:50:50 PM    H  8192       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
                     6/15/2006 11:51:10 PM    H  1024       C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
                     6/15/2006 11:51:06 PM    H  12288      C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
                     6/15/2006 11:52:26 PM    H  86016      C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
                     6/15/2006 11:51:08 PM    H  1159168    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
                     7/13/2006 1:24:22 AM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\153d4519-394e-4c7c-8095-25fe2cf4e79a
                     5/2/2006 12:52:20 AM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\25859ce9-92ac-45ac-8b06-5d887a65dca2
                     6/30/2006 1:22:34 PM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\3781809c-f2bc-4296-ad5e-0799756c3c62
                     5/2/2006 12:52:20 AM     HS 24         C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
                     6/15/2006 11:49:54 PM    H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/28/2002 2:00:00 PM        66048      C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        578560     C:\WINDOWS\SYSTEM32\APPWIZ.CPL
                               11/11/1999 9:11:00 AM       183808     C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Logitech Inc.                  7/28/2005 2:01:56 PM        360448     C:\WINDOWS\SYSTEM32\camcpl.cpl
                               5/23/2002 8:45:48 PM        24576      C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        129024     C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        150016     C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        292352     C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        121856     C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        187904     C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        559616     C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        35840      C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        256000     C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        36864      C:\WINDOWS\SYSTEM32\NWC.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        36864      C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        109056     C:\WINDOWS\SYSTEM32\POWERCFG.CPL
                               11/19/1999 2:54:12 PM       155648     C:\WINDOWS\SYSTEM32\PPPoEService.cpl
RealNetworks, Inc.             1/13/2003 1:47:04 AM        24576      C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        268288     C:\WINDOWS\SYSTEM32\SYSDM.CPL
Wacom Technology, Corp.        11/25/2002 1:55:00 PM       921600     C:\WINDOWS\SYSTEM32\Tablet.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        28160      C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        90112      C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation          5/26/2005 5:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     1/11/2006 7:45:30 PM        409        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ACS.lnk
                     1/29/2006 6:13:00 PM        1757       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     9/2/2002 10:36:04 PM     HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
                     1/11/2006 7:45:30 PM        533        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus Xtreme G Configuration Utility.lnk
                     1/11/2006 7:45:30 PM        513        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link REG Utility.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     9/2/2002 10:26:20 PM     HS 62         C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
                     5/5/2006 11:38:46 PM        1782       C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
                     4/29/2006 1:44:20 AM        988        C:\Documents and Settings\francis\Start Menu\Programs\Startup\Adobe Gamma.lnk
                     9/2/2002 10:36:04 PM     HS 84         C:\Documents and Settings\francis\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
                     9/2/2002 10:26:20 PM     HS 62         C:\Documents and Settings\francis\Application Data\DESKTOP.INI
                     2/7/2003 12:49:28 AM        12358      C:\Documents and Settings\francis\Application Data\PFP100JCM.{PB
                     2/7/2003 12:49:28 AM        61678      C:\Documents and Settings\francis\Application Data\PFP100JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
   {5464D816-CF16-4784-B9F3-75C0DB52B499}    = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
   Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
   {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google   : c:\program files\google\googletoolbar1.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar   : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   DVDSentry   C:\WINDOWS\System32\DSentry.exe
   ATIModeChange   Ati2mdxx.exe
   zBrowser Launcher   C:\Program Files\Logitech\iTouch\iTouch.exe
   PCTVOICE   pctspk.exe
   LogitechCameraAssistant   C:\Program Files\Logitech\Video\CameraAssistant.exe
   iTunesHelper   C:\Program Files\iTunes\iTunesHelper.exe
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   MSConfig   C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
   YBrowser   C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
   StorageGuard   "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
   Share-to-Web Namespace Daemon   C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   RegKillTray   "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
   RegKillElbyCheck   "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
   RealTray   C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
   PRISMSVR.EXE   "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
   mmtask   C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
   LVCOMSX   C:\WINDOWS\System32\LVCOMSX.EXE
   LogitechVideo[inspector]   C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
   LogitechCameraService(E)   C:\WINDOWS\System32\ElkCtrl.exe /automation
   Logitech Utility   Logi_MwX.Exe
   Apoint   C:\Program Files\Apoint\Apoint.exe
   AVG7_CC   C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   PopUpStopperFreeEdition   "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
   Yahoo! Pager   "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
   MSMSGS   "C:\Program Files\Messenger\msmsgs.exe" /background
   LogitechSoftwareUpdate   "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   2
   services   0
   startup   0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32
   NoBackButton   0
   NoFileMru   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145
   NoStartMenuMyMusic   1
   NoSMMyPictures   1
   NoRecentDocsMenu   1
   ClearRecentDocsOnExit   1
   NoRecentDocsHistory   1
   NoTaskGrouping   1
   NoRecentDocsNetHood   1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/15/2006 11:59:51 PM

4
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 15, 2006, 02:41:10 AM »
Everything under Startup was enabled; the Enable All button was greyed out. But I also enabled all of System.ini, Win.ini, and Services with this reboot and HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:39:30 AM, on 6/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\ElkCtrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\hijackthis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
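
The HijackThis logs in this thread are read by eye, line by line. As an added example (not code from the poster, the forum helper, or the HijackThis project), the script below parses the O4, O16 and O23 line shapes that HijackThis v1.99.1 prints and pulls out the entries a reviewer would check first: Run-key commands given as a bare filename with no directory (Ati2mdxx.exe, pctspk.exe, Logi_MwX.Exe above), which Windows resolves by its search order; startup shortcuts HijackThis could not resolve (printed as "= ?"); O23 services whose file carries no company name ("Unknown owner"); and O16 ActiveX downloads with the host they come from. The regular expressions are assumptions about the log format based on the lines visible in this thread, and the sample log embedded in the script is constructed from a handful of those lines. None of the flags is a verdict; "Unknown owner" only means no company name in the file's version information, and a bare filename only means the copy that actually runs has to be confirmed.

```python
"""Triage helper for HijackThis v1.99.1 log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a few lines in the format of the logs posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Line shapes assumed from the HijackThis v1.99.1 output shown in this thread.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.+)\] (?P<cmd>\S.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<lnk>.+?) = (?P<target>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str     # triage class (see triage() below)
    subject: str  # Run-entry name, shortcut name, service display name, or DPF description
    detail: str   # what the reviewer should go and verify


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def has_directory(path: str) -> bool:
    """True if the program is given with a directory or drive, i.e. not left to PATH lookup."""
    return "\\" in path or "/" in path or (len(path) > 1 and path[1] == ":")


def triage(log_text: str) -> list[Finding]:
    """Scan HijackThis lines and collect the entries worth a second look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := RUN_RE.match(line):
            exe = executable_of(m["cmd"])
            if not has_directory(exe):
                findings.append(Finding(
                    "bare_run_entry", m["name"],
                    f"{exe} is given without a directory; Windows resolves it by search order, "
                    f"so confirm which copy actually runs"))
        elif m := STARTUP_RE.match(line):
            if m["target"].strip() == "?":
                findings.append(Finding(
                    "unresolved_shortcut", m["lnk"],
                    f"{m['scope']} shortcut target could not be resolved; inspect the .lnk directly"))
        elif m := DPF_RE.match(line):
            host = urlparse(m["url"]).hostname or ""
            findings.append(Finding(
                "activex_download", m["desc"],
                f"{m['clsid']} is fetched from {host}; verify that host is one you chose to trust"))
        elif m := SERVICE_RE.match(line):
            if m["owner"] == "Unknown owner":
                findings.append(Finding(
                    "unknown_service_owner", m["display"],
                    f"{m['path']} has no company name in its version info; verify the file by publisher and hash"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

Feed it a whole saved HijackThis log (`triage(open("hijackthis.log").read())`) and the output is the short list to work through by hand. Run over the constructed sample it reports five items: the two bare Run entries, the ACS.lnk shortcut, the Panda ActiveScan download, and the Atheros ACS service; the fully-pathed DSentry and QuickTime entries and the Apple-owned iPodService are left out.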

5
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 14, 2006, 09:32:15 PM »
Sorry about the goof-up; I didn't mention that the HijackThis log was done after I enabled it all, but I did it again. Both Avenger and HijackThis; here are the logs.


Logfile of HijackThis v1.99.1
Scan saved at 7:30:43 PM, on 6/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\ElkCtrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\hijackthis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe




_____________________________________________________


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bvqmayav

*******************

Script file located at: \??\C:\WINDOWS\gfaplsgn.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\francis\Cookies\francis@go[1].txt not found!
Deletion of file C:\Documents and Settings\francis\Cookies\francis@go[1].txt failed!

Could not process line:
C:\Documents and Settings\francis\Cookies\francis@go[1].txt
Status: 0xc0000034



File C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log not found!
Deletion of file C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log failed!

Could not process line:
C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log
Status: 0xc0000034



File C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe not found!
Deletion of file C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe failed!

Could not process line:
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe
Status: 0xc0000034



File C:\Documents and Settings\francis\My not found!
Deletion of file C:\Documents and Settings\francis\My failed!

Could not process line:
C:\Documents and Settings\francis\My
Status: 0xc0000034



Could not open file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe for deletion
Deletion of file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe failed!

Could not process line:
Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe
Status: 0xc000003a



File C:\Program Files\Internet Explorer\winbrume.dat not found!
Deletion of file C:\Program Files\Internet Explorer\winbrume.dat failed!

Could not process line:
C:\Program Files\Internet Explorer\winbrume.dat
Status: 0xc0000034



File C:\WINDOWS\alchem.ini not found!
Deletion of file C:\WINDOWS\alchem.ini failed!

Could not process line:
C:\WINDOWS\alchem.ini
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\azesearch.inf not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\azesearch.inf failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\azesearch.inf
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\test.INF not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\test.INF failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\test.INF
Status: 0xc0000034



File C:\WINDOWS\drsmartload2.dat not found!
Deletion of file C:\WINDOWS\drsmartload2.dat failed!

Could not process line:
C:\WINDOWS\drsmartload2.dat
Status: 0xc0000034



File C:\WINDOWS\INF\alchem.inf not found!
Deletion of file C:\WINDOWS\INF\alchem.inf failed!

Could not process line:
C:\WINDOWS\INF\alchem.inf
Status: 0xc0000034



File C:\WINDOWS\INF\biC.inf not found!
Deletion of file C:\WINDOWS\INF\biC.inf failed!

Could not process line:
C:\WINDOWS\INF\biC.inf
Status: 0xc0000034



File C:\WINDOWS\INF\biini.inf not found!
Deletion of file C:\WINDOWS\INF\biini.inf failed!

Could not process line:
C:\WINDOWS\INF\biini.inf
Status: 0xc0000034



File C:\WINDOWS\INF\polmx2.inf not found!
Deletion of file C:\WINDOWS\INF\polmx2.inf failed!

Could not process line:
C:\WINDOWS\INF\polmx2.inf
Status: 0xc0000034



File C:\WINDOWS\INF\twaintec.inf not found!
Deletion of file C:\WINDOWS\INF\twaintec.inf failed!

Could not process line:
C:\WINDOWS\INF\twaintec.inf
Status: 0xc0000034



File C:\WINDOWS\msbb.log not found!
Deletion of file C:\WINDOWS\msbb.log failed!

Could not process line:
C:\WINDOWS\msbb.log
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho not found!
Deletion of file C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho failed!

Could not process line:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\oins.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\oins.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\oins.exe
Status: 0xc0000034



File C:\WINDOWS\msbb_kyf.dat not found!
Deletion of file C:\WINDOWS\msbb_kyf.dat failed!

Could not process line:
C:\WINDOWS\msbb_kyf.dat
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\kyf.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\kyf.dat failed!

Could not process line:
C:\WINDOWS\SYSTEM32\kyf.dat
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\SrchSTS.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\SrchSTS.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\SrchSTS.exe
Status: 0xc0000034



File C:\WINDOWS\System32\cf063a0d.exe not found!
Deletion of file C:\WINDOWS\System32\cf063a0d.exe failed!

Could not process line:
C:\WINDOWS\System32\cf063a0d.exe
Status: 0xc0000034



File C:\WINDOWS\System32\SCFGWMIT.exe not found!
Deletion of file C:\WINDOWS\System32\SCFGWMIT.exe failed!

Could not process line:
C:\WINDOWS\System32\SCFGWMIT.exe
Status: 0xc0000034



File C:\WINDOWS\System32\DIGESTW.exe not found!
Deletion of file C:\WINDOWS\System32\DIGESTW.exe failed!

Could not process line:
C:\WINDOWS\System32\DIGESTW.exe
Status: 0xc0000034



File C:\WINDOWS\System32\0dc14acb.exe not found!
Deletion of file C:\WINDOWS\System32\0dc14acb.exe failed!

Could not process line:
C:\WINDOWS\System32\0dc14acb.exe
Status: 0xc0000034



File C:\WINDOWS\System32\IASCRW.exe not found!
Deletion of file C:\WINDOWS\System32\IASCRW.exe failed!

Could not process line:
C:\WINDOWS\System32\IASCRW.exe
Status: 0xc0000034



File C:\WINDOWS\System32\xkefyp.exe not found!
Deletion of file C:\WINDOWS\System32\xkefyp.exe failed!

Could not process line:
C:\WINDOWS\System32\xkefyp.exe
Status: 0xc0000034



File C:\WINDOWS\System32\UDIOSRVA.exe not found!
Deletion of file C:\WINDOWS\System32\UDIOSRVA.exe failed!

Could not process line:
C:\WINDOWS\System32\UDIOSRVA.exe
Status: 0xc0000034



File C:\WINDOWS\System32\SMARQUES.exe not found!
Deletion of file C:\WINDOWS\System32\SMARQUES.exe failed!

Could not process line:
C:\WINDOWS\System32\SMARQUES.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

6
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 14, 2006, 10:24:50 AM »
Thanks for the help, did what you said, the scan took a long time.

There are a bunch of A01#####.exe's in the system restore folders (C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}).  Do I need to keep these folders or can I just delete them? I think they all were done when the comp was infected.  I should just do a clean restore now.

Here are the logs. I posted 2 Avenger logs; the first one I think I did in selective startup, forgot to uncheck them again...




Logfile of HijackThis v1.99.1
Scan saved at 8:20:08 AM, on 6/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\ElkCtrl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\hijackthis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe




_____________________________________________



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qolnaqau

*******************

Script file located at: \??\C:\Documents and Settings\hwkkxfls.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\francis\Cookies\francis@go[1].txt not found!
Deletion of file C:\Documents and Settings\francis\Cookies\francis@go[1].txt failed!

Could not process line:
C:\Documents and Settings\francis\Cookies\francis@go[1].txt
Status: 0xc0000034



File C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log not found!
Deletion of file C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log failed!

Could not process line:
C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log
Status: 0xc0000034



File C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe not found!
Deletion of file C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe failed!

Could not process line:
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe
Status: 0xc0000034



File C:\Documents and Settings\francis\My not found!
Deletion of file C:\Documents and Settings\francis\My failed!

Could not process line:
C:\Documents and Settings\francis\My
Status: 0xc0000034



Could not open file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe for deletion
Deletion of file Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe failed!

Could not process line:
Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe
Status: 0xc000003a



File C:\Program Files\Internet Explorer\winbrume.dat not found!
Deletion of file C:\Program Files\Internet Explorer\winbrume.dat failed!

Could not process line:
C:\Program Files\Internet Explorer\winbrume.dat
Status: 0xc0000034



File C:\WINDOWS\alchem.ini not found!
Deletion of file C:\WINDOWS\alchem.ini failed!

Could not process line:
C:\WINDOWS\alchem.ini
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\azesearch.inf not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\azesearch.inf failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\azesearch.inf
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe
Status: 0xc0000034



File C:\WINDOWS\Downloaded Program Files\test.INF not found!
Deletion of file C:\WINDOWS\Downloaded Program Files\test.INF failed!

Could not process line:
C:\WINDOWS\Downloaded Program Files\test.INF
Status: 0xc0000034



File C:\WINDOWS\drsmartload2.dat not found!
Deletion of file C:\WINDOWS\drsmartload2.dat failed!

Could not process line:
C:\WINDOWS\drsmartload2.dat
Status: 0xc0000034



File C:\WINDOWS\INF\alchem.inf not found!
Deletion of file C:\WINDOWS\INF\alchem.inf failed!

Could not process line:
C:\WINDOWS\INF\alchem.inf
Status: 0xc0000034



File C:\WINDOWS\INF\biC.inf not found!
Deletion of file C:\WINDOWS\INF\biC.inf failed!

Could not process line:
C:\WINDOWS\INF\biC.inf
Status: 0xc0000034



File C:\WINDOWS\INF\biini.inf not found!
Deletion of file C:\WINDOWS\INF\biini.inf failed!

Could not process line:
C:\WINDOWS\INF\biini.inf
Status: 0xc0000034



File C:\WINDOWS\INF\polmx2.inf not found!
Deletion of file C:\WINDOWS\INF\polmx2.inf failed!

Could not process line:
C:\WINDOWS\INF\polmx2.inf
Status: 0xc0000034



File C:\WINDOWS\INF\twaintec.inf not found!
Deletion of file C:\WINDOWS\INF\twaintec.inf failed!

Could not process line:
C:\WINDOWS\INF\twaintec.inf
Status: 0xc0000034



File C:\WINDOWS\msbb.log not found!
Deletion of file C:\WINDOWS\msbb.log failed!

Could not process line:
C:\WINDOWS\msbb.log
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho not found!
Deletion of file C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho failed!

Could not process line:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\oins.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\oins.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\oins.exe
Status: 0xc0000034



File C:\WINDOWS\msbb_kyf.dat not found!
Deletion of file C:\WINDOWS\msbb_kyf.dat failed!

Could not process line:
C:\WINDOWS\msbb_kyf.dat
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\kyf.dat not found!
Deletion of file C:\WINDOWS\SYSTEM32\kyf.dat failed!

Could not process line:
C:\WINDOWS\SYSTEM32\kyf.dat
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\SrchSTS.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\SrchSTS.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\SrchSTS.exe
Status: 0xc0000034



File C:\WINDOWS\System32\cf063a0d.exe not found!
Deletion of file C:\WINDOWS\System32\cf063a0d.exe failed!

Could not process line:
C:\WINDOWS\System32\cf063a0d.exe
Status: 0xc0000034



File C:\WINDOWS\System32\SCFGWMIT.exe not found!
Deletion of file C:\WINDOWS\System32\SCFGWMIT.exe failed!

Could not process line:
C:\WINDOWS\System32\SCFGWMIT.exe
Status: 0xc0000034



File C:\WINDOWS\System32\DIGESTW.exe not found!
Deletion of file C:\WINDOWS\System32\DIGESTW.exe failed!

Could not process line:
C:\WINDOWS\System32\DIGESTW.exe
Status: 0xc0000034



File C:\WINDOWS\System32\0dc14acb.exe not found!
Deletion of file C:\WINDOWS\System32\0dc14acb.exe failed!

Could not process line:
C:\WINDOWS\System32\0dc14acb.exe
Status: 0xc0000034



File C:\WINDOWS\System32\IASCRW.exe not found!
Deletion of file C:\WINDOWS\System32\IASCRW.exe failed!

Could not process line:
C:\WINDOWS\System32\IASCRW.exe
Status: 0xc0000034



File C:\WINDOWS\System32\xkefyp.exe not found!
Deletion of file C:\WINDOWS\System32\xkefyp.exe failed!

Could not process line:
C:\WINDOWS\System32\xkefyp.exe
Status: 0xc0000034



File C:\WINDOWS\System32\UDIOSRVA.exe not found!
Deletion of file C:\WINDOWS\System32\UDIOSRVA.exe failed!

Could not process line:
C:\WINDOWS\System32\UDIOSRVA.exe
Status: 0xc0000034



File C:\WINDOWS\System32\SMARQUES.exe not found!
Deletion of file C:\WINDOWS\System32\SMARQUES.exe failed!

Could not process line:
C:\WINDOWS\System32\SMARQUES.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.






Thanks for the help.

7
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 13, 2006, 02:48:12 AM »
Wow, ActiveScan found 17 problems... Can I just delete them from their directories?


Incident                                         Status            Location

Spyware:Cookie/Go                                Not disinfected   C:\Documents and Settings\francis\Cookies\francis@go[1].txt
Spyware:spyware/surfsidekick                     Not disinfected   C:\Documents and Settings\francis\Local Settings\Temporary Internet Files\Ssk.log
Potentially unwanted tool:Application/Processor  Not disinfected   C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\SmitfraudFix\Process.exe
Adware:Adware/SystemDoctor                       Not disinfected   C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\0dc14acb.exe
Adware:Adware/SystemDoctor                       Not disinfected   C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\system32BU\cf063a0d.exe
Adware:adware/vog                                Not disinfected   C:\Program Files\Internet Explorer\winbrume.dat
Adware:adware/clickalchemy                       Not disinfected   C:\WINDOWS\alchem.ini
Adware:Adware/AzeSearch                          Not disinfected   C:\WINDOWS\Downloaded Program Files\azesearch.inf
Dialer:dialer.avv                                Not disinfected   C:\WINDOWS\Downloaded Program Files\gdnUS2338.exe
Dialer:dialer.no                                 Not disinfected   C:\WINDOWS\Downloaded Program Files\rdgUS2405.exe
Adware:Adware Program                            Not disinfected   C:\WINDOWS\Downloaded Program Files\test.INF
Adware:adware/dollarrevenue                      Not disinfected   C:\WINDOWS\drsmartload2.dat
Adware:Adware/IPInsight                          Not disinfected   C:\WINDOWS\INF\alchem.inf
Adware:Adware/SAHAgent                           Not disinfected   C:\WINDOWS\INF\biC.inf
Spyware:Spyware/BetterInet                                                      Not disinfected               C:\WINDOWS\INF\biini.inf                                                                                                                                                                                                                                        
Adware:Adware/Transponder                                                       Not disinfected               C:\WINDOWS\INF\polmx2.inf                                                                                                                                                                                                                                      
Adware:Adware/Twain-Tech                                                        Not disinfected               C:\WINDOWS\INF\twaintec.inf                                                                                                                                                                                                                                    
Adware:adware/ncase                                                             Not disinfected               C:\WINDOWS\msbb.log                                                                                                                                                                                                                                            
Virus:Trj/Qhost.B                                                               Disinfected                   C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20040627-025658.backup                                                                                                                                                                                                    
Adware:adware/keenvalue                                                         Not disinfected               C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho                                                                                                                                                                                                                      
Adware:adware/mediatickets                                                      Not disinfected               C:\WINDOWS\SYSTEM32\oins.exe                                                                                                                                                                                                                                    
Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\WINDOWS\SYSTEM32\Process.exe              


_________________________________________________________________________



Logfile of HijackThis v1.99.1
Scan saved at 12:45:45 AM, on 6/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\ElkCtrl.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\hijackthis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zwjixxbjwlku] C:\WINDOWS\System32\xkefyp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UDIOSRVA] C:\WINDOWS\System32\UDIOSRVA.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SMARQUES] C:\WINDOWS\System32\SMARQUES.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SCFGWMIT] C:\WINDOWS\System32\SCFGWMIT.exe
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IASCRW] C:\WINDOWS\System32\IASCRW.exe
O4 - HKLM\..\Run: [DIGESTW] C:\WINDOWS\System32\DIGESTW.exe
O4 - HKLM\..\Run: [cf063a0d.exe] C:\WINDOWS\System32\cf063a0d.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [0dc14acb.exe] C:\WINDOWS\System32\0dc14acb.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Yppin] C:\WINDOWS\SYSTEM32\PPPATC~1\NPDB~1.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\francis\MYDOCU~1\STEM32~1\chkdsk.exe" -vt yax
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ACS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

8
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 11, 2006, 03:43:17 PM »
guestolo, thanks for the reply.

Here's the log from WinPFind

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 1    Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in C:\WINDOWS\hosts

PTech                7/1/2004 2:00:54 AM      H  2873716    C:\WINDOWS\msbb_kyf.dat

Checking %System% folder...
aspack               3/18/2005 5:19:58 PM        2337488    C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2                 8/28/2002 2:00:00 PM        41397      C:\WINDOWS\SYSTEM32\DFRG.MSC
PEC2                 9/28/2005 2:29:14 PM        693248     C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2           9/28/2005 2:29:14 PM        693248     C:\WINDOWS\SYSTEM32\DivX.dll
PTech                7/3/2004 7:51:56 PM      H  3164631    C:\WINDOWS\SYSTEM32\kyf.dat
PTech                7/12/2005 7:04:22 PM        520456     C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2           1/4/2006 8:46:40 PM         2827616    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               1/4/2006 8:46:40 PM         2827616    C:\WINDOWS\SYSTEM32\MRT.exe
UPX!                 6/9/2006 12:34:46 AM        156672     C:\WINDOWS\SYSTEM32\oins.exe
Umonitor             8/28/2002 2:00:00 PM        631808     C:\WINDOWS\SYSTEM32\RASDLG.DLL
UPX!                 4/27/2006 5:49:00 PM        288417     C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX!                 1/9/2006 10:36:00 AM        42496      C:\WINDOWS\SYSTEM32\swreg.exe
UPX!                 1/9/2006 10:36:00 AM        40960      C:\WINDOWS\SYSTEM32\swsc.exe
winsync              8/28/2002 2:00:00 PM        1309184    C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\HOSTS


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     6/11/2006 1:05:02 PM      S 2048       C:\WINDOWS\BOOTSTAT.DAT
                     6/11/2006 1:04:00 PM      S 64         C:\WINDOWS\CSC\00000001
                     6/11/2006 12:45:12 PM     S 64         C:\WINDOWS\CSC\00000002
                     6/7/2006 7:12:18 PM       S 64         C:\WINDOWS\CSC\csc1.tmp
                     4/28/2006 9:29:22 PM     HS 848        C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
                     4/16/2006 1:04:56 AM     HS 0          C:\WINDOWS\SYSTEM32\wupdmgr.tmp
                     6/11/2006 1:04:50 PM     H  8192       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
                     6/11/2006 1:05:10 PM     H  1024       C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
                     6/11/2006 1:05:04 PM     H  12288      C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
                     6/11/2006 1:06:12 PM     H  86016      C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
                     6/11/2006 1:05:08 PM     H  1167360    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
                     7/13/2006 1:24:22 AM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\153d4519-394e-4c7c-8095-25fe2cf4e79a
                     5/2/2006 12:52:20 AM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\25859ce9-92ac-45ac-8b06-5d887a65dca2
                     6/30/2006 1:22:34 PM     HS 388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\3781809c-f2bc-4296-ad5e-0799756c3c62
                     5/2/2006 12:52:20 AM     HS 24         C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
                     6/11/2006 1:04:02 PM     H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/28/2002 2:00:00 PM        66048      C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        578560     C:\WINDOWS\SYSTEM32\APPWIZ.CPL
                               11/11/1999 9:11:00 AM       183808     C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Logitech Inc.                  7/28/2005 2:01:56 PM        360448     C:\WINDOWS\SYSTEM32\camcpl.cpl
                               5/23/2002 8:45:48 PM        24576      C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        129024     C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        150016     C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        292352     C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        121856     C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        187904     C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        559616     C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        35840      C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        256000     C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        36864      C:\WINDOWS\SYSTEM32\NWC.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        36864      C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        109056     C:\WINDOWS\SYSTEM32\POWERCFG.CPL
                               11/19/1999 2:54:12 PM       155648     C:\WINDOWS\SYSTEM32\PPPoEService.cpl
RealNetworks, Inc.             1/13/2003 1:47:04 AM        24576      C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        268288     C:\WINDOWS\SYSTEM32\SYSDM.CPL
Wacom Technology, Corp.        11/25/2002 1:55:00 PM       921600     C:\WINDOWS\SYSTEM32\Tablet.cpl
Microsoft Corporation          8/28/2002 2:00:00 PM        28160      C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation          8/28/2002 2:00:00 PM        90112      C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation          5/26/2005 5:16:30 AM        174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     1/29/2006 6:13:00 PM        1757       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     9/2/2002 10:36:04 PM     HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     9/2/2002 10:26:20 PM     HS 62         C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
                     5/5/2006 11:38:46 PM        1782       C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
                     4/29/2006 1:44:20 AM        988        C:\Documents and Settings\francis\Start Menu\Programs\Startup\Adobe Gamma.lnk
                     9/2/2002 10:36:04 PM     HS 84         C:\Documents and Settings\francis\Start Menu\Programs\Startup\DESKTOP.INI
                     4/3/2004 7:14:02 PM         243200     C:\Documents and Settings\francis\Start Menu\Programs\Startup\PowerReg Scheduler.exe

Checking files in %USERPROFILE%\Application Data folder...
                     9/2/2002 10:26:20 PM     HS 62         C:\Documents and Settings\francis\Application Data\DESKTOP.INI
                     2/7/2003 12:49:28 AM        12358      C:\Documents and Settings\francis\Application Data\PFP100JCM.{PB
                     2/7/2003 12:49:28 AM        61678      C:\Documents and Settings\francis\Application Data\PFP100JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
   {5464D816-CF16-4784-B9F3-75C0DB52B499}    = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
   Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
   {2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google   : c:\program files\google\googletoolbar1.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar   : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   DVDSentry   C:\WINDOWS\System32\DSentry.exe
   ATIModeChange   Ati2mdxx.exe
   zBrowser Launcher   C:\Program Files\Logitech\iTouch\iTouch.exe
   PCTVOICE   pctspk.exe
   LogitechCameraAssistant   C:\Program Files\Logitech\Video\CameraAssistant.exe
   LogitechVideo[inspector]   C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
   iTunesHelper   "C:\Program Files\iTunes\iTunesHelper.exe"
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   PopUpStopperFreeEdition   "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
   License Management Service ESD   3
   ImapiService   3
   IDriverT   3
   Adobe LM Service   3
   ACS   2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ACS.lnk
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ACS.lnk
   backup   C:\WINDOWS\pss\ACS.lnkCommon Startup
   location   Common Startup
   command   C:\WINDOWS\SYSTEM32\ACS.BAT
   item   ACS
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ACS.lnk
   backup   C:\WINDOWS\pss\ACS.lnkCommon Startup
   location   Common Startup
   command   C:\WINDOWS\SYSTEM32\ACS.BAT
   item   ACS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus Xtreme G Configuration Utility.lnk
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus Xtreme G Configuration Utility.lnk
   backup   C:\WINDOWS\pss\D-Link AirPlus Xtreme G Configuration Utility.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\D-LINK~1\AirPlus.exe
   item   D-Link AirPlus Xtreme G Configuration Utility
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus Xtreme G Configuration Utility.lnk
   backup   C:\WINDOWS\pss\D-Link AirPlus Xtreme G Configuration Utility.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\D-LINK~1\AirPlus.exe
   item   D-Link AirPlus Xtreme G Configuration Utility

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link REG Utility.lnk
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link REG Utility.lnk
   backup   C:\WINDOWS\pss\D-Link REG Utility.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\D-LINK~1\Reg.exe
   item   D-Link REG Utility
   path   C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link REG Utility.lnk
   backup   C:\WINDOWS\pss\D-Link REG Utility.lnkCommon Startup
   location   Common Startup
   command   C:\PROGRA~1\D-LINK~1\Reg.exe
   item   D-Link REG Utility

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\0dc14acb.exe
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   0dc14acb
   hkey   HKLM
   command   C:\WINDOWS\System32\0dc14acb.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   0dc14acb
   hkey   HKLM
   command   C:\WINDOWS\System32\0dc14acb.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdaptecDirectCD
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   DirectCD
   hkey   HKLM
   command   "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   DirectCD
   hkey   HKLM
   command   "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Apoint
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Apoint
   hkey   HKLM
   command   C:\Program Files\Apoint\Apoint.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Apoint
   hkey   HKLM
   command   C:\Program Files\Apoint\Apoint.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cf063a0d.exe
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   cf063a0d
   hkey   HKLM
   command   C:\WINDOWS\System32\cf063a0d.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   cf063a0d
   hkey   HKLM
   command   C:\WINDOWS\System32\cf063a0d.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DIGESTW
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   DIGESTW
   hkey   HKLM
   command   C:\WINDOWS\System32\DIGESTW.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   DIGESTW
   hkey   HKLM
   command   C:\WINDOWS\System32\DIGESTW.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IASCRW
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   IASCRW
   hkey   HKLM
   command   C:\WINDOWS\System32\IASCRW.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   IASCRW
   hkey   HKLM
   command   C:\WINDOWS\System32\IASCRW.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   iTunesHelper
   hkey   HKLM
   command   C:\Program Files\iTunes\iTunesHelper.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   iTunesHelper
   hkey   HKLM
   command   C:\Program Files\iTunes\iTunesHelper.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   dumprep 0 -k
   hkey   HKLM
   command   %systemroot%\system32\dumprep 0 -k
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   dumprep 0 -k
   hkey   HKLM
   command   %systemroot%\system32\dumprep 0 -k
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Logitech Utility
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Logi_MwX
   hkey   HKLM
   command   Logi_MwX.Exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   Logi_MwX
   hkey   HKLM
   command   Logi_MwX.Exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechCameraService(E)
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ElkCtrl
   hkey   HKLM
   command   C:\WINDOWS\System32\ElkCtrl.exe /automation
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ElkCtrl
   hkey   HKLM
   command   C:\WINDOWS\System32\ElkCtrl.exe /automation
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LogitechSoftwareUpdate
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ManifestEngine
   hkey   HKCU
   command   "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ManifestEngine
   hkey   HKCU
   command   "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LVCOMSX
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   LVCOMSX
   hkey   HKLM
   command   C:\WINDOWS\System32\LVCOMSX.EXE
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   LVCOMSX
   hkey   HKLM
   command   C:\WINDOWS\System32\LVCOMSX.EXE
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   mmtask
   hkey   HKLM
   command   C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   mmtask
   hkey   HKLM
   command   C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   msmsgs
   hkey   HKCU
   command   "C:\Program Files\Messenger\msmsgs.exe" /background
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   msmsgs
   hkey   HKCU
   command   "C:\Program Files\Messenger\msmsgs.exe" /background
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Ncao
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   chkdsk
   hkey   HKCU
   command   "C:\DOCUME~1\francis\MYDOCU~1\STEM32~1\chkdsk.exe" -vt yax
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   chkdsk
   hkey   HKCU
   command   "C:\DOCUME~1\francis\MYDOCU~1\STEM32~1\chkdsk.exe" -vt yax
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PRISMSVR.EXE
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   PRISMSVR
   hkey   HKLM
   command   "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   PRISMSVR
   hkey   HKLM
   command   "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   qttask
   hkey   HKLM
   command   "C:\Program Files\QuickTime\qttask.exe" -atboottime
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   RealPlay
   hkey   HKLM
   command   C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   RealPlay
   hkey   HKLM
   command   C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RegKillElbyCheck
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ElbyCheck
   hkey   HKLM
   command   "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ElbyCheck
   hkey   HKLM
   command   "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RegKillTray
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   RegKillTray
   hkey   HKLM
   command   "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   RegKillTray
   hkey   HKLM
   command   "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SCFGWMIT
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   SCFGWMIT
   hkey   HKLM
   command   C:\WINDOWS\System32\SCFGWMIT.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   SCFGWMIT
   hkey   HKLM
   command   C:\WINDOWS\System32\SCFGWMIT.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Share-to-Web Namespace Daemon
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   hpgs2wnd
   hkey   HKLM
   command   C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   hpgs2wnd
   hkey   HKLM
   command   C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SMARQUES
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   SMARQUES
   hkey   HKLM
   command   C:\WINDOWS\System32\SMARQUES.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   SMARQUES
   hkey   HKLM
   command   C:\WINDOWS\System32\SMARQUES.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\StorageGuard
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   sgtray
   hkey   HKLM
   command   "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   sgtray
   hkey   HKLM
   command   "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\UDIOSRVA
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   UDIOSRVA
   hkey   HKLM
   command   C:\WINDOWS\System32\UDIOSRVA.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   UDIOSRVA
   hkey   HKLM
   command   C:\WINDOWS\System32\UDIOSRVA.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ViewMgr
   hkey   HKLM
   command   C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ViewMgr
   hkey   HKLM
   command   C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ypager
   hkey   HKCU
   command   "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ypager
   hkey   HKCU
   command   "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\YBrowser
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ybrwicon
   hkey   HKLM
   command   C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   ybrwicon
   hkey   HKLM
   command   C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yppin
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   NPDB~1
   hkey   HKCU
   command   C:\WINDOWS\SYSTEM32\PPPATC~1\NPDB~1.EXE
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   NPDB~1
   hkey   HKCU
   command   C:\WINDOWS\SYSTEM32\PPPATC~1\NPDB~1.EXE
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\zwjixxbjwlku
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   xkefyp
   hkey   HKLM
   command   C:\WINDOWS\System32\xkefyp.exe
   inimapping   0
   key   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   item   xkefyp
   hkey   HKLM
   command   C:\WINDOWS\System32\xkefyp.exe
   inimapping   0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   2
   bootini   2
   services   2
   startup   2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\comdlg32
   NoBackButton   0
   NoFileMru   0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145
   NoStartMenuMyMusic   1
   NoSMMyPictures   1
   NoRecentDocsMenu   1
   ClearRecentDocsOnExit   1
   NoRecentDocsHistory   1
   NoTaskGrouping   1
   NoRecentDocsNetHood   1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/11/2006 1:15:05 PM

It's a long one, whew.

Quick question on some c:\windows folders.

I have all these folders in blue called something like this:

$NtUninstallKB873339$

Are they restore point backups or what?  And can I delete them?

Hope you're having a good Sunday.

9
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 10, 2006, 05:33:02 PM »
I've done some work; here are the latest reports. I think I got rid of it... but please take a look if you have time so I can know for sure.


 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         2:56:31 PM, 6/10/2006
 + Report-Checksum:      B8D2FE6F

 + Scan result:

   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP674\A0189635.dll -> Adware.PurityScan : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP674\A0189638.dll -> Trojan.Agent.vg : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 3:32:22 PM, on 6/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\francis\My Documents\francis_stuf\Programs\Antivirus_PutonDesktop\hijackthis.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe



Thanks

10
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 10, 2006, 04:07:56 AM »
Latest HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 2:05:30 AM, on 6/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\francis\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by [censored] happens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - AppInit_DLLs:  C:\WINDOWS\System32\msdtc.dll
O20 - Winlogon Notify: winhmc32 - C:\WINDOWS\SYSTEM32\winhmc32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe



and SmitFraudFix



SmitFraudFix v2.56

Scan done at  2:06:51.32, Sat 06/10/2006
Run from C:\Documents and Settings\francis\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\francis\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\francis\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

11
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 10, 2006, 03:55:00 AM »
Rebooted; the "your computer have been infected" sign is gone...

but 2 windows keep popping up:

ULWindowSeek
ULWindowUrl

and a warning about ActiveX config prohibiting these from running.  At least now Task Manager is back.

Going through uninstalling suspect programs, there's one called Web Savings from Ebates that won't uninstall.  ERROR: could not execute Main: The system cannot find the file specified.  Does that mean it's not there anymore?

12
Tech Clinic / need help with win32.p2p worm alcan.a
« on: June 10, 2006, 03:32:23 AM »
Hi, first off I'd like to thank you guys for taking your time to help people like me who have this annoying bug on their comps... I don't understand why a fellow human being would build viruses or worms...

I was trying to install XP Home on my desktop (I bought it for my laptop) and it said my product key was no good, so I downloaded a program called kf141.zip to identify my product key.  I dl'ed 2 versions; one of them gave me this worm.  So any help on getting XP to work on my desktop would be greatly appreciated as well.  Now on to the issue at hand.

I've read through some of the posts here and did some self-help, but would like to get someone to look through my logs and see if my comp's clean.

I downloaded an AlcanFix.zip from another site and also ran SmitfraudFix from this site.  Here are the logs.

Logfile of HijackThis v1.99.1
Scan saved at 1:31:10 AM, on 6/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\lvcomsx.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\francis\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.Email Removed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by [censored] happens
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - AppInit_DLLs:  C:\WINDOWS\System32\msdtc.dll
O20 - Winlogon Notify: winhmc32 - C:\WINDOWS\SYSTEM32\winhmc32.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

SmitFraudFix v2.56

Scan done at  1:22:14.07, Sat 06/10/2006
Run from C:\Documents and Settings\francis\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5aaf6542-f4ba-4df4-873d-4902ecbe794c}"="antitragus"

[HKEY_CLASSES_ROOT\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5aaf6542-f4ba-4df4-873d-4902ecbe794c}\InProcServer32]
@="C:\WINDOWS\System32\asxbbx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\exit Deleted
C:\secure32.html Deleted
C:\uniq Deleted
C:\WINDOWS\azesearch.bmp Deleted
C:\WINDOWS\blue-bg.gif Deleted
C:\WINDOWS\close-bar.gif Deleted
C:\WINDOWS\remove-spyware-btn.gif Deleted
C:\WINDOWS\teller2.chk Deleted
C:\WINDOWS\warning-bar-ico.gif Deleted
C:\WINDOWS\win-sec-center-logo.gif Deleted
Problem while deleting C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\bin29a.log Deleted
Problem while deleting C:\WINDOWS\system32\dcomcfg.exe
Problem while deleting C:\WINDOWS\system32\hp???.tmp
Problem while deleting C:\WINDOWS\system32\hp????.tmp
Problem while deleting C:\WINDOWS\system32\ld????.tmp
C:\WINDOWS\system32\ot.ico Deleted
Problem while deleting C:\WINDOWS\system32\regperf.exe
C:\WINDOWS\system32\simpole.tlb Deleted
Problem while deleting C:\WINDOWS\system32\stdole3.tlb
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\Documents and Settings\francis\Application Data\Install.dat Deleted
C:\DOCUME~1\francis\FAVORI~1\Antivirus Test Online.url Deleted
C:\Program Files\secure32.html Deleted
C:\Program Files\SpywareQuake.com\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\System32\asxbbx.dll -> Hoax.Win32.Renos.gen
C:\WINDOWS\System32\asxbbx.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted



Again, I appreciate the help; hope to hear from you soon.

Thank you,

Sincerely,

francis
