Topic: win32.p2p-worm.alcan.a

Eminent
win32.p2p-worm.alcan.a
« on: August 30, 2005, 05:08:16 PM »
I really need help removing this. It's the second time in 3 days I've got it; I've done a full/clean install of XP twice in 3 days to get rid of it... I keep getting it, I think it might be coming from this LimeWire Pro file. Anyway, I need some serious help ridding my computer of this. I really do not want to install everything over again, lol... so I'll wait, and whoever can help, just let me know what I need to do to get rid of it and I'll be more than happy to follow your instructions. Thanks for the help to anyone who helps! :D Oh, and from what I've read, everyone requests a HijackThis log file of a scan, so here is mine.
One more thing! Before I did a clean install this last time, I followed someone's instructions to get rid of the worm, but when I did, my XP Style theme was deleted... so I'd really REALLY like to prevent that from happening again if possible. :)


Logfile of HijackThis v1.99.1
Scan saved at 4:07:29 PM, on 8/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\PROGRA~1\avgemc.exe
C:\WINDOWS\system32\Atiptaxx.exe
F:\PROGRA~1\avgamsvr.exe
F:\PROGRA~1\avgupsvc.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
F:\Program Files\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\The Folder\Programs\hijackthis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/296e160e9b8228...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125313731693
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\avgupsvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
« Last Edit: August 30, 2005, 05:11:56 PM by Eminent »

guestolo
« Reply #1 on: August 30, 2005, 09:57:34 PM »
Hi Eminent


==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit

==Download and Install Ad-Aware SE Personal 1.06
Ensure you have the latest version
Open Ad-Aware, make sure to click the Check for updates now link and Connect to download the latest updates
When installing, you may be prompted to update, allow it but don't run a scan yet

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

==Download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Please save these instructions to a Notepad file on the desktop for reference
and/or Print this out

Run Pocket KillBox.exe

In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing
Control + C

Killbox files to highlight between dotted lines
===================================================
C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\winupdate\winupdate.exe


===================================================
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer doesn't restart
Please Restart it now manually into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode

Find and delete this folder
C:\Program Files\winupdates <-this folder
~Removed partial instructions~

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files
DECLINE to Log off or Restart when scan is done.

==Open Ewido trojan scanner
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

NOTE: When Ewido is running do NOT open any other windows
Let it do its job

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/296e160e9b8228...ip/RdxIE601.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart back to Normal mode

Run Hijackthis again and post a fresh Hijackthis log and the report from Ewido
« Last Edit: August 30, 2005, 11:18:30 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/

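The removal steps above name a small set of file paths (winupdates.exe, p2pnetwork.exe, MsConfigs.exe, and .com copies of cmd, ping, netstat and other System32 tools) and then ask for a fresh HijackThis log to confirm they are gone. The checker below is an added example, not a tool from this thread or from HijackThis: it reads HijackThis-style text (the "Running processes" list and the O4 Run entries), flags lines matching those indicators, and diffs two logs to list the entries that disappeared after cleanup. The sample logs are constructed from excerpts of the logs posted above, plus one constructed process line for a dropped ping.com that does not appear in the thread's logs.

```python
"""Flag the file indicators named in this thread in a HijackThis-style log.

Added example for this thread; not code from the thread or from HijackThis.
The sample input is constructed from excerpts of the posted logs.
"""
import re
from typing import Dict, List

# File paths the Killbox/Ewido steps in this thread targeted (lower-cased).
WORM_PATHS = {
    r"c:\program files\winupdates\winupdates.exe",
    r"c:\program files\winupdate\winupdate.exe",
    r"c:\program files\msconfigs\msconfigs.exe",
    r"c:\windows\system32\p2pnetwork.exe",
}

# System32 tools whose names appear in the thread as dropped .com files. Windows
# resolves a bare command name by trying PATHEXT extensions in order, and the
# default list puts .COM before .EXE, so a ping.com in System32 is what "ping"
# typed at a prompt would run instead of the genuine ping.exe.
SHADOWED_TOOLS = {"cmd", "netstat", "ping", "regedit",
                  "tasklist", "taskkill", "taskmgr", "tracert"}

O4_RE = re.compile(r"^O4 - \S+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PROC_RE = re.compile(r"^[a-z]:\\\S.*\.(?:exe|com)$", re.IGNORECASE)
SHADOW_RE = re.compile(r"\\system32\\(?P<tool>[a-z0-9]+)\.com$")


def command_path(cmd: str) -> str:
    """Drop switches such as ' /auto' or ' -startgui' and quotes from an O4 command."""
    path = re.split(r"\s+(?=[/-])", cmd.strip(), maxsplit=1)[0]
    return path.strip('"').lower()


def classify(path: str) -> str:
    """Return the indicator class for a normalised path, or '' if it is clean."""
    if path in WORM_PATHS:
        return "worm_path"
    m = SHADOW_RE.search(path)
    if m and m.group("tool") in SHADOWED_TOOLS:
        return "shadowed_tool"
    return ""


def scan_hjt_log(text: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log and return one finding per suspicious line."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path, source = command_path(m.group("cmd")), "O4"
        elif PROC_RE.match(line):
            path, source = line.lower(), "process"
        else:
            continue
        kind = classify(path)
        if kind:
            findings.append({"source": source, "kind": kind, "path": path})
    return findings


def removed_entries(before: str, after: str) -> List[str]:
    """O-lines present in the first log but absent from the second (post-cleanup) log."""
    def entries(text: str) -> set:
        return {ln.strip() for ln in text.splitlines() if re.match(r"^O\d+ - ", ln.strip())}
    return sorted(entries(before) - entries(after))


# Constructed sample: excerpt of the first posted log plus a constructed ping.com line.
SAMPLE_BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\ping.com

O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/296e160e9b8228...ip/RdxIE601.cab
"""

# Constructed sample: the same machine after the cleanup steps.
SAMPLE_AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sygate\SPF\smc.exe

O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
"""

if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_BEFORE):
        print(f"{f['source']:8} {f['kind']:14} {f['path']}")
    print("entries gone after cleanup:")
    for e in removed_entries(SAMPLE_BEFORE, SAMPLE_AFTER):
        print("  ", e)
```

The O4 parser deliberately splits on whitespace followed by `/` or `-` so a path like `C:\Program Files\Foo-Bar\x.exe` is not truncated at its hyphen; a real log should be run through `removed_entries` against its pre-cleanup copy so that entries fixed with "FIX CHECKED" can be confirmed gone rather than eyeballed.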

Eminent
« Reply #2 on: August 30, 2005, 10:34:54 PM »
Okay I followed what you said up until this point..
Find and delete this folder
C:\Program Files\winupdates <-this folder
Navigate to the "Complete" folder you found earlier
Delete the whole contents then the Complete folder itself

I don't even see a winupdates folder at all, but I did notice an Autoupdate folder which was empty, but I haven't deleted or done anything to anything yet, so what should I do now? Ignore it and move on, or what? I left my computer running and I'm on my brother's now, so a hasty reply would be really appreciated, thank you.

guestolo
« Reply #3 on: August 30, 2005, 11:02:41 PM »
Sorry about that
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Then look for
C:\Program Files\winupdates <-folder

Don't worry about the Complete folder as of yet
Those were instructions to another user
It may be needed for removal in your case too, but you can skip removing the Complete folder for now

Do what you can, I may not see the results until tomorrow



Eminent
« Reply #4 on: August 30, 2005, 11:05:00 PM »
Okay, thanks a bunch. I really appreciate you getting back to me tonight, lol, or else I was going to leave my computer in safe mode all night. I'll do the rest of the stuff now.

Eminent
« Reply #5 on: August 31, 2005, 01:44:35 AM »
Okay, scanned with Ad-Aware before doing a normal startup, had 0 critical, but after I booted back into normal mode, the fear I was having happened... I don't have my XP Style theme anymore. I tried figuring out how to get it back before, but that was to no success, which is why I just did a clean install 2 days ago. I hope I can get it back, but here is a fresh HijackThis log file.

Logfile of HijackThis v1.99.1
Scan saved at 12:38:57 AM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
F:\PROGRA~1\avgemc.exe
C:\WINDOWS\system32\Atiptaxx.exe
F:\PROGRA~1\avgamsvr.exe
F:\PROGRA~1\avgupsvc.exe
F:\Program Files\security suite\ewidoctrl.exe
C:\WINDOWS\system32\spupdsvc.exe
C:\WINDOWS\system32\spnpinst.exe
C:\WINDOWS\system32\Sysocmgr.exe
C:\WINDOWS\system32\wuauclt.exe
F:\The Folder\Programs\hijackthis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125313731693
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - F:\Program Files\security suite\ewidoctrl.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

guestolo
« Reply #6 on: August 31, 2005, 08:29:47 PM »
You forgot to post something
Quote:
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Run Hijackthis again and post a fresh Hijackthis log and the report from Ewido

Could I see the report from Ewido please

Also
Can you do the following
Download the Zip file I attached below and UNZIP the contents to desktop

Double click on Find.bat and post the contents
Do the Same with Find1.bat

Also, Can you do a SEARCH on your computer for

Luna.msstyles

Make sure you type that in properly or copy and paste it
Also in Search under the Advanced options ensure the top 3 entries are selected which includes Search Hidden Files and folders

If Luna.msstyles is found
Let me know the exact location and size
In case I must send you the file, I just want to double check
Are you running the English Version of Windows XP?
« Last Edit: August 31, 2005, 08:30:18 PM by guestolo »



Guest
« Reply #7 on: September 01, 2005, 02:00:50 AM »
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         12:17:41 AM, 8/31/2005
 + Report-Checksum:      1CF4A3F9

 + Scan result:

   C:\Documents and Settings\SurReaL\Complete\19 2Pac Videos.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\7-Zip 4.18.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Adobe Photoshop CS2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\AIR - Premiers Symptomes.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\AirStrike II Gulf Thunder 2.52.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\AnyDVD 5.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\APSW Budget Planner 3.0.1.35.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Ashampoo Burning Studio 5.0.5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Ashampoo Photo Commander 3.02.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Bogart 5.30.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\CHM2HTML Pilot 1.00.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\CloneCD 5.2.0.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Dangerous Google - Searching for Secrets.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\EditPro 1.57.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\FIFA 2005 SoundTracks.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\FileRecoveryAngel 1.10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\FinePrint 5.41 Enterprise.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Insane 4x4 Offroad Racing.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Invision Community Blog 1.1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Jay-Z - The Argyle Album (The Black Albu.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\K-Lite Mega Codec Pack 1.29.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Kelis - Tasty.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Maxthon 1.2.3 Combo.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Motion Studio 3.0.921.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Nero Burning ROM 6.6.0.12.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Nero CD-DVD Speed 3.80.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Norton Antivirus 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Opera 8.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Power Phone Book Enterprise 1.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Remote Administrator 2.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Road Rush 1.7.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Scorched3D 38.1b.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\South Park Episodes.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\SPAMfighter Standard 3.5.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Super DVD Creator 8.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\The Passion Of The Christ OST.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\UltraEdit-32 11.10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Virtual CD 7.01.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Winferno PC Confidential 2005.2.212.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\SurReaL\Complete\Zoner Barcode Studio 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\winupdates\winupdates.exe -> Worm.VB.an : Cleaned with backup


::Report End

Eminent
« Reply #8 on: September 01, 2005, 02:02:20 AM »
Oops, forgot to log in... that was my post as guest above, lol... sorry.



Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"WCreatedUser"="1"
"ThemeActive"="0"



 Volume in drive C has no label.
 Volume Serial Number is 34CC-7C68

 Directory of C:\WINDOWS\Resources\Themes

08/28/2005  05:27 PM    <DIR>          .
08/28/2005  05:27 PM    <DIR>          ..
08/30/2005  10:38 PM    <DIR>          Luna
11/08/2003  06:00 AM             1,222 Luna.theme
11/08/2003  06:00 AM             3,025 Windows Classic.theme
               2 File(s)          4,247 bytes

 Directory of C:\WINDOWS\Resources\Themes\Luna

08/30/2005  10:38 PM    <DIR>          .
08/30/2005  10:38 PM    <DIR>          ..
08/28/2005  05:25 PM    <DIR>          Shell
               0 File(s)              0 bytes

 Directory of C:\WINDOWS\Resources\Themes\Luna\Shell

08/28/2005  05:25 PM    <DIR>          .
08/28/2005  05:25 PM    <DIR>          ..
08/28/2005  05:27 PM    <DIR>          Homestead
08/28/2005  05:27 PM    <DIR>          Metallic
08/28/2005  05:26 PM    <DIR>          NormalColor
               0 File(s)              0 bytes

 Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead

08/28/2005  05:27 PM    <DIR>          .
08/28/2005  05:27 PM    <DIR>          ..
11/08/2003  06:00 AM           362,496 shellstyle.dll
               1 File(s)        362,496 bytes

 Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic

08/28/2005  05:27 PM    <DIR>          .
08/28/2005  05:27 PM    <DIR>          ..
11/08/2003  06:00 AM           362,496 shellstyle.dll
               1 File(s)        362,496 bytes

 Directory of C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor

08/28/2005  05:26 PM    <DIR>          .
08/28/2005  05:26 PM    <DIR>          ..
11/08/2003  06:00 AM           361,472 shellstyle.dll
               1 File(s)        361,472 bytes

     Total Files Listed:
               5 File(s)      1,090,711 bytes
              17 Dir(s)   1,999,085,568 bytes free
« Last Edit: September 01, 2005, 02:04:58 AM by Eminent »

Eminent
« Reply #9 on: September 01, 2005, 02:12:20 AM »
Found the Luna; its directory is C:\Windows\$NTServicePackUninstall$ and the size is 4,089KB

P.S. Yes my XP is the English version. Thanks x9,383 for your help with all of this.
« Last Edit: September 01, 2005, 02:13:42 AM by Eminent »

guestolo
« Reply #10 on: September 01, 2005, 08:22:11 PM »
You should be able to remove the following folder if empty; if it's not empty, do you recognize any file names inside it?
 C:\Documents and Settings\SurReaL\Complete <-this folder

Afterwards
Download and Unzip to desktop
Fix.zip, so you now have Fix.reg on the desktop

Double click on Fix.reg and allow to add or merge to the registry

Restart your computer back in Windows

Can you navigate to the following file please
You must have Windows set to show hidden files and folders
C:\Windows\$NTServicePackUninstall$\Luna.msstyles
Right click on Luna.msstyles and Select Copy

Now navigate to this folder
C:\WINDOWS\Resources\Themes\Luna
Open the Luna folder and right click and Paste
Luna.msstyles to the open Luna folder

Now open your Display Properties and see if you can change to Windows XP Under the Themes and Appearance tabs
« Last Edit: September 01, 2005, 08:25:10 PM by guestolo »



Eminent
« Reply #11 on: September 01, 2005, 08:27:06 PM »
Didn't see the Complete folder in the directory you said, and sorry if I'm just being dumb... where do I get this Fix.zip from?

guestolo
« Reply #12 on: September 01, 2005, 08:28:52 PM »
Whoops, forgot to add it :blink:

Here it is at the bottom of this reply box



Eminent
« Reply #13 on: September 01, 2005, 08:30:11 PM »
Lol, sweet, 'cause I was like... uh oh, did I entirely miss something earlier? And should have downloaded something I didn't, lol... okay, doing that now.

Eminent
« Reply #14 on: September 01, 2005, 09:20:32 PM »
:D SWEEET, my PC is back to normal! You have no idea how happy I am now, thank you so much for your time and your help, I really, really appreciate it!! ...Hate to be a mooch, but the files you had me download to desktop, the Find.zip and Fix.zip, are these safe to delete? I like to try and keep my desktop clean and simple B) Also, is there a known program or source that this virus comes from? I mean, so I can pretty much steer away from it in the future, lol... I'm not positive, but I think it's embedded in this file downloadable from LimeWire, file is LimeWire Pro 4.9.23; maybe knowing that can help track it down or something?

guestolo
« Reply #15 on: September 01, 2005, 09:31:03 PM »
Let's do some final cleanup
You can go back and hide hidden files and folders now

Go ahead and delete find.bat and find1.bat and the zip files I had you download

If everything is running better, please do the following
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is re-enabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2 as well

About that worm
I'm about 99.5% sure you got it from Limewire
Please keep your AV always up to date and Scan everything you download
« Last Edit: September 01, 2005, 09:31:43 PM by guestolo »
