1
Tech Clinic / WIN32.P2P-WORM.ALCAN.A
« on: July 25, 2005, 09:49:32 PM »
I used to have Norton but it expired some time ago. Can you reccomend a free one?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
Tech Clinic / WIN32.P2P-WORM.ALCAN.A
« on: July 25, 2005, 07:56:43 PM »
Everything is working like it used to. My Ctrl+Alt+Del works again, among other things. I have only one question, and that is; what is your opinion about reinstalling Limewire? Is that asking for more trouble? Either way, thank you very much for your help.
Rob
Rob
3
Tech Clinic / WIN32.P2P-WORM.ALCAN.A
« on: July 25, 2005, 04:48:27 PM »
Here are the HJT and Ewidos logs:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 6:25:32 AM, 7/25/2005
+ Report-Checksum: 891E320
+ Scan result:
HKLM\SOFTWARE\DelFin -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\DelFin\PromulGate -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-1653462319-3277439761-822851105-1006\Software\DelFin -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-1653462319-3277439761-822851105-1006\Software\DelFin\PromulGate -> Spyware.Delfin : Cleaned with backup
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041005-130039-410.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041015-020816-344.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041105-114000-300.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041216-161136-549.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20050626-182427-510.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
:mozilla.12:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.13:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.15:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.22:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.32:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.45:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.55:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.57:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.58:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.59:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.65:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.77:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.79:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.83:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.85:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.89:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.98:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.107:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.114:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.115:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.116:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.117:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.118:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.119:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.120:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.125:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.139:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.140:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.141:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.145:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.147:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.148:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.8:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.14:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.16:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.22:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.32:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.41:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.53:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.54:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.55:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.61:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.62:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.73:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.75:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.79:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.81:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.85:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.94:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.103:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.110:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.111:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.112:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.113:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.114:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.115:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.116:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.121:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.135:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.136:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.137:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.141:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.143:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.144:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.6:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.7:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.8:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.9:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.17:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.19:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.25:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.36:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.37:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.44:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.54:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.61:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.62:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.73:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.75:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.79:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.81:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.85:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.94:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.103:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.110:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.111:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.112:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.113:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.114:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.115:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.116:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.121:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.135:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.136:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.137:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.141:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.143:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.144:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP493\A0068264.exe -> Worm.VB.an : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP500\A0068461.exe -> Worm.VB.an : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP500\A0068462.exe -> Worm.VB.an : Cleaned with backup
C:\WINDOWS\SYSTEM32\chktrust.exe -> Spyware.BargainBuddy : Cleaned with backup
::Report End
and the HJT:
Logfile of HijackThis v1.99.1
Scan saved at 5:48:01 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AntiWindowsMessenger] C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
Thanks again.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 6:25:32 AM, 7/25/2005
+ Report-Checksum: 891E320
+ Scan result:
HKLM\SOFTWARE\DelFin -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\DelFin\PromulGate -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-1653462319-3277439761-822851105-1006\Software\DelFin -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-1653462319-3277439761-822851105-1006\Software\DelFin\PromulGate -> Spyware.Delfin : Cleaned with backup
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041005-130039-410.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041015-020816-344.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041105-114000-300.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041216-161136-549.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20050626-182427-510.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
:mozilla.12:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.13:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.15:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.22:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.32:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.45:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.55:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.57:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.58:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.59:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.65:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.66:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.77:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.79:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.83:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.85:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.89:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.98:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.107:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.114:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.115:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.116:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.117:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.118:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.119:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.120:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.125:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.139:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.140:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.141:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.145:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.147:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.148:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.8:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.14:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.16:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.22:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.32:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.41:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.51:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.53:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.54:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.55:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.61:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.62:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.73:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.75:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.79:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.81:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.85:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.94:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.103:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.110:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.111:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.112:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.113:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.114:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.115:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.116:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.121:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.135:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.136:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.137:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.141:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.143:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.144:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.6:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.7:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.8:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.9:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.17:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.19:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.25:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.36:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.37:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.44:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.54:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.61:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.62:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.73:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.75:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.79:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.81:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.85:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.94:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.103:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.110:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.111:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.112:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.113:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.114:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.115:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.116:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.121:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.135:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.136:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.137:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.141:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.143:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.144:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP493\A0068264.exe -> Worm.VB.an : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP500\A0068461.exe -> Worm.VB.an : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP500\A0068462.exe -> Worm.VB.an : Cleaned with backup
C:\WINDOWS\SYSTEM32\chktrust.exe -> Spyware.BargainBuddy : Cleaned with backup
::Report End
and the HJT:
Logfile of HijackThis v1.99.1
Scan saved at 5:48:01 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AntiWindowsMessenger] C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
Thanks again.
4
Tech Clinic / WIN32.P2P-WORM.ALCAN.A
« on: July 24, 2005, 10:58:06 PM »
I found I "Complete" folder which was hidden. There is a ton of zip files in there, 353 to be exact, and a lot of it looks strange to me. A lot of it has to do with video games, etc. but there are pleanty of files I have no recollection of putting on my computer. I'm the only user for this computer, by the way.
Thank you.
Thank you.
5
Tech Clinic / WIN32.P2P-WORM.ALCAN.A
« on: July 24, 2005, 09:55:13 PM »
So I really appriciate the help with this. Thank you, and here are the log files for WinPFind and HJT, respectivley.
-Rob
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINDOWS\choice.exe
PECompact2 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\lpt$vpn.741
qoologic 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\lpt$vpn.741
SAHAgent 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\lpt$vpn.741
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
UPX! 4/18/2005 2:39:12 PM 58368 C:\WINDOWS\Unwash6.exe
UPX! 3/9/2003 6:42:44 PM 47104 C:\WINDOWS\uscscsi.dll
PECompact2 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\VPTNFILE.741
qoologic 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\VPTNFILE.741
SAHAgent 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\VPTNFILE.741
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
Checking %System% folder...
PEC2 8/23/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 11/24/2001 2:31:48 PM 65536 C:\WINDOWS\SYSTEM32\DVDAudio.ax
UPX! 11/24/2001 2:28:14 PM 86528 C:\WINDOWS\SYSTEM32\DVDVideo.ax
PECompact2 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/3/2004 11:07:14 PM 74240 C:\WINDOWS\SYSTEM32\unrar.dll
winsync 8/23/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Checking the Windows folder for system and hidden files within the last 60 days...
6/28/2005 11:20:06 AM 0 C:\WINDOWS\INF\oem36.inf
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\cmd.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\netstat.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\ping.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\regedit.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\taskkill.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\tasklist.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\tracert.com
7/23/2005 9:23:14 PM 892 C:\WINDOWS\SYSTEM32\vsconfig.xml
7/24/2005 10:28:44 PM 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
7/24/2005 10:29:14 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
7/24/2005 10:28:56 PM 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
7/24/2005 10:30:18 PM 53248 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
7/24/2005 10:29:06 PM 1101824 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
7/13/2005 5:44:26 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
7/18/2005 10:33:44 AM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\79ab226c-0987-416b-b41e-c885232cfbc4
7/18/2005 10:33:44 AM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/24/2005 10:27:54 PM 6 C:\WINDOWS\Tasks\SA.DAT
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
8/3/2004 6:38:52 PM 646 C:\Documents and Settings\Rob Schwerdt\Start Menu\Programs\Startup\SpywareGuard.lnk
Checking files in %USERPROFILE%\Application Data folder...
1/30/2005 10:32:56 PM 865 C:\Documents and Settings\Rob Schwerdt\Application Data\AdobeDLM.log
1/30/2005 10:32:56 PM 0 C:\Documents and Settings\Rob Schwerdt\Application Data\dm.ini
11/7/2003 5:00:28 PM 70424 C:\Documents and Settings\Rob Schwerdt\Application Data\GDIPFONTCACHEV1.DAT
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
SV1 =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{81559C35-8464-49F7-BB0E-07A383BEF910}
= C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\spywareguard.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
POINTER point32.exe
Jet Detection "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Zone Labs Client "C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D-Link Air USB Utility C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AntiWindowsMessenger C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Logfile of HijackThis v1.99.1
Scan saved at 10:41:58 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AntiWindowsMessenger] C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
Thanks again
-Rob
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINDOWS\choice.exe
PECompact2 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\lpt$vpn.741
qoologic 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\lpt$vpn.741
SAHAgent 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\lpt$vpn.741
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
UPX! 4/18/2005 2:39:12 PM 58368 C:\WINDOWS\Unwash6.exe
UPX! 3/9/2003 6:42:44 PM 47104 C:\WINDOWS\uscscsi.dll
PECompact2 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\VPTNFILE.741
qoologic 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\VPTNFILE.741
SAHAgent 7/21/2005 10:16:24 AM 15400675 C:\WINDOWS\VPTNFILE.741
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
Checking %System% folder...
PEC2 8/23/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
UPX! 11/24/2001 2:31:48 PM 65536 C:\WINDOWS\SYSTEM32\DVDAudio.ax
UPX! 11/24/2001 2:28:14 PM 86528 C:\WINDOWS\SYSTEM32\DVDVideo.ax
PECompact2 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 4/3/2004 11:07:14 PM 74240 C:\WINDOWS\SYSTEM32\unrar.dll
winsync 8/23/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Checking the Windows folder for system and hidden files within the last 60 days...
6/28/2005 11:20:06 AM 0 C:\WINDOWS\INF\oem36.inf
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\cmd.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\netstat.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\ping.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\regedit.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\taskkill.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\tasklist.com
7/21/2005 10:00:54 PM 2 C:\WINDOWS\SYSTEM32\tracert.com
7/23/2005 9:23:14 PM 892 C:\WINDOWS\SYSTEM32\vsconfig.xml
7/24/2005 10:28:44 PM 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
7/24/2005 10:29:14 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
7/24/2005 10:28:56 PM 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
7/24/2005 10:30:18 PM 53248 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
7/24/2005 10:29:06 PM 1101824 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
7/13/2005 5:44:26 PM 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
7/18/2005 10:33:44 AM 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\79ab226c-0987-416b-b41e-c885232cfbc4
7/18/2005 10:33:44 AM 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/24/2005 10:27:54 PM 6 C:\WINDOWS\Tasks\SA.DAT
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
8/3/2004 6:38:52 PM 646 C:\Documents and Settings\Rob Schwerdt\Start Menu\Programs\Startup\SpywareGuard.lnk
Checking files in %USERPROFILE%\Application Data folder...
1/30/2005 10:32:56 PM 865 C:\Documents and Settings\Rob Schwerdt\Application Data\AdobeDLM.log
1/30/2005 10:32:56 PM 0 C:\Documents and Settings\Rob Schwerdt\Application Data\dm.ini
11/7/2003 5:00:28 PM 70424 C:\Documents and Settings\Rob Schwerdt\Application Data\GDIPFONTCACHEV1.DAT
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
SV1 =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{81559C35-8464-49F7-BB0E-07A383BEF910}
= C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\spywareguard.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
POINTER point32.exe
Jet Detection "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Zone Labs Client "C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D-Link Air USB Utility C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AntiWindowsMessenger C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
Microsoft Works Update Detection C:\Program Files\Microsoft Works\WkDetect.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Logfile of HijackThis v1.99.1
Scan saved at 10:41:58 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AntiWindowsMessenger] C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
Thanks again
6
Tech Clinic / WIN32.P2P-WORM.ALCAN.A
« on: July 21, 2005, 09:11:50 PM »
The last few times I've ran Ad-Aware, it's come up with WIN32.P2P-WORM.ALCAN.A
It doesn't matter if I delete it with Ad-Aware because it always comes back. As far as I can tell, it's not doing anything besides slowing my system down and causing Limewire to launch on its own. Does anyone know how to get rid of this worm?
Thanks
It doesn't matter if I delete it with Ad-Aware because it always comes back. As far as I can tell, it's not doing anything besides slowing my system down and causing Limewire to launch on its own. Does anyone know how to get rid of this worm?
Thanks
Pages: [1]