Topic: Win32.P2P-Worm.Alcan.a

Muku6
« on: July 09, 2005, 08:23:29 PM »
Hello. :)

I guess I should introduce myself as also being a recent victim of the Win32.P2P-Worm.Alcan.a problem.  Done some looking around, and it seems that a lot think it came from Limewire.  Which I had until I tossed a few minutes ago, before reading the thoughts behind it being Limewire.  (Would make sense, I suppose, since it did bring up Limewire on startup and continuously bring it up each time I closed it.)

Anyways, enough of my blabbering. :)  Here is my HijackThis log file:

-----------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:16:24 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage",

"http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and

Settings\Heather\Application Data\Mozilla\Profiles\default\rhsa95z5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%

20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and

Settings\Heather\Application Data\Mozilla\Profiles\default\rhsa95z5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} -

http://config.skillcheck.com/onlinetesting...1050/wficat.cab
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common

Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe

-----------------------------------------------------

I hope someone will be able to help me soon.  This is a most annoying worm. :)

Thank you... and I appreciate any and all help I get with this. :)


-Muku

guestolo
« Reply #1 on: July 10, 2005, 12:30:37 PM »
Hi muku,  If you still need a hand
can you repost a fresh hijackthis log,
Don't include any spaces in the log, leave it "as is"

Could you also navigate to the following folder
C:\Documents and Settings\<user account>
It won't be named <user account>
But will have the name of the user logged in

Open the <user account> folder
Let me know if you find a "Complete" folder
« Last Edit: July 10, 2005, 12:39:51 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Muku6
« Reply #2 on: July 10, 2005, 05:11:51 PM »
Actually, all spaces in the log were that way when I copied and pasted it.  I'd read somewhere before, before posting, you telling someone the same thing, so I made sure not to do anything with the file beforehand.  Just a simple copy/paste into the forum.

Here is the current log as of a few moments ago...


-----------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:05:41 PM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Heather\Application Data\Mozilla\Profiles\default\rhsa95z5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Heather\Application Data\Mozilla\Profiles\default\rhsa95z5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://config.skillcheck.com/onlinetesting...1050/wficat.cab
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-----------------------------------------


I navigated into the C:\Documents and Settings\<user account>, of course with the user account being my account.  There is no folder named Complete.  There is however a folder named Incomplete and a .limewire folder that I don't recall being there before.
« Last Edit: July 10, 2005, 05:12:28 PM by Muku6 »

guestolo
« Reply #3 on: July 10, 2005, 10:44:31 PM »
Can you do the following please

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit

Download and Install the free version of Ad-Aware SE Personal 1.06
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Exit Ad-Aware for now, we'll need this later

====Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

==Download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Please Save these instructions to a Notepad file on the desktop for reference
and/or Print this out

Run Pocket KillBox.exe

In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing
Control + C

Killbox files to highlight between dotted lines
===================================================
C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\winupdate\winupdate.exe
C:\Program Files\winupdates\a.zip[Setup.exe]
C:\WINDOWS\System32\bt.exe
C:\WINDOWS\System32\z.tmp
C:\WINDOWS\System32\temp.zip
C:\WINDOWS\System32\bszip.dll


===================================================
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer doesn't restart
Please Restart it now manually

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

Find and delete this folder
C:\Program Files\winupdates <-this folder

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.

==Open Ewido trojan scanner
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

NOTE: When Ewido is running do NOT open any other Windows
Let it do its job

When the scan is done
Let's also run Ad-Aware in safe mode
It won't take as long as Ewido

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Go to START>>RUN>>type in msconfig
Under the General tab Select NORMAL STARTUP
OK it and close out
Not that there's anything wrong with controlling startup entries with msconfig
But let's ensure no other malware is hiding
Restart back to Normal mode

Run another scan with Hijackthis and post a fresh log
Can you also include the report from Ewido

EDIT>>I changed the file names to remove with Killbox
I had as an example
C:\WINNT\system32\netstat.com
I changed to
C:\WINDOWS\system32\netstat.com
Which is correct
Sorry if you tried killbox with the previous filenames, if you did can you redo this step
« Last Edit: July 11, 2005, 01:33:50 AM by guestolo »



Muku6
« Reply #4 on: July 11, 2005, 12:43:34 AM »
Downloaded Windows Cleanup! 4.0 and have that installed.  Got Ad-Aware on July 09, and incidentally is how I found out I had the worm to begin with. :)  So, covered on that, but did check for updates just to make sure, but nothing.

I can't, however, at this time get the Ewido Security Suite link to come up.  It times out every time I try to go to it.  I'll try it in the morning I suppose.  Then continue on with the rest of the instructions.

Muku6
« Reply #5 on: July 11, 2005, 10:13:47 AM »
Okay, well, got the Ewido program.  Also got Killbox.  I do have a question before proceeding with this, because I'm unsure of something.  (Don't wanna mess it up.)

Quote below on what I have a question about:

Quote
Copy the file names below to the clipboard by highlighting them and pressing
Control + C

Killbox files to highlight between dotted lines
===================================================
C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINNT\system32\p2pnetwork.exe
C:\WINNT\system32\CMD.COM
C:\WINNT\system32\netstat.com
C:\WINNT\system32\ping.com
C:\WINNT\system32\regedit.com
C:\WINNT\system32\tasklist.com
C:\WINNT\system32\taskkill.com
C:\WINNT\system32\taskmgr.com
C:\WINNT\system32\tracert.com
C:\Program Files\winupdate\winupdate.exe
C:\Program Files\winupdates\a.zip[Setup.exe]
C:\WINNT\System32\bt.exe
C:\WINNT\System32\z.tmp
C:\WINNT\System32\temp.zip
C:\WINNT\System32\bszip.dll

===================================================
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

You said to highlight the files, copy and then go to File > Paste from Clipboard.  Is it that you want all pasted at once, or is this a one by one type thing?  I assume one by one, but I want to make sure.  Mainly because you didn't specify, but also because I don't wanna botch this up. :)

I also wanna ask this because it sounds like after saying "Yes" then "No", respectively, that there's a chance to restart.  (Of course, if it doesn't then a manual restart is in order.)  So, wanting to check on this.  Don't want just one file done at restart if I'm supposed to do them all.

Many thanks for your time so far, and any additional time you take to respond to my thread. :)

-Muku




EDIT:  Forgot to mention why I ask this --

I tried using the Paste from Clipboard option in Killbox, but it won't paste.  So when I tried to hit CTL+V or right mouse click and then go to Paste.  Course in doing that, only one file shows up.  (Guess it makes sense for only one since there's only enough space for one.  But don't wanna proceed if there's possible restart after doing first one.)  Just unsure and want to clarify.  Thanks! :)
« Last Edit: July 11, 2005, 10:17:31 AM by Muku6 »

guestolo
« Reply #6 on: July 11, 2005, 06:18:12 PM »
I guess you never saw my Edit in my last reply
Sorry, I gave you the wrong directory to delete some of the files

Here's what you do on the killbox step

The files below
To copy them to your clipboard
Left click to Highlight all of them and then use
Ctrl + C keys on your keyboard to Copy them
Then
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\winupdate\winupdate.exe
C:\Program Files\winupdates\a.zip[Setup.exe]
C:\WINDOWS\System32\bt.exe
C:\WINDOWS\System32\z.tmp
C:\WINDOWS\System32\temp.zip
C:\WINDOWS\System32\bszip.dll


If that doesn't work for you, please do the following
Enter this path to the file name into Killbox and then select the Delete on Reboot option
C:\Program Files\MsConfigs\MsConfigs.exe

At the prompt to delete on reboot say Yes
At the prompt to reboot now say NO

Don't allow to Reboot until you have entered the last path of file into killbox
You will carry on with these ones

C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\winupdate\winupdate.exe
C:\Program Files\winupdates\a.zip[Setup.exe]
C:\WINDOWS\System32\bt.exe
C:\WINDOWS\System32\z.tmp
C:\WINDOWS\System32\temp.zip
C:\WINDOWS\System32\bszip.dll

Other instructions are all the same
But ensure you use these paths to the file names I Posted in this reply
« Last Edit: July 11, 2005, 06:19:33 PM by guestolo »
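
An added example, not part of the original posts: a small Python check that rejoins a hard-wrapped HijackThis log like the first one posted in this thread and reports which running processes match the Killbox list or sit under the folder the instructions say to delete. The function names and the entry-code pattern are assumptions made for this illustration; the paths and log lines are copied from this thread.

```python
import ntpath
import re

# A HijackThis item starts with a section code such as "R0 - " or "O23 - "
# (pattern inferred from the logs in this thread, not from a format spec).
ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")

# File paths from the corrected Killbox list in the thread.
KILLBOX_FILES = r"""
C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\winupdate\winupdate.exe
C:\Program Files\winupdates\a.zip[Setup.exe]
C:\WINDOWS\System32\bt.exe
C:\WINDOWS\System32\z.tmp
C:\WINDOWS\System32\temp.zip
C:\WINDOWS\System32\bszip.dll
""".strip().splitlines()
# Folder the thread says to delete in Safe Mode.
TARGET_DIRS = [r"C:\Program Files\winupdates"]

# Excerpt of the first log posted in the thread, wrapping and blank lines kept.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\winupdates\winupdates.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://yahoo.sbc.com/dsl
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
"""


def _norm(path):
    # Windows paths compare case-insensitively; ntpath works on any host OS.
    return ntpath.normcase(ntpath.normpath(path))


def running_processes(log_text):
    """Return the paths listed under 'Running processes:'."""
    procs, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line or ENTRY_RE.match(line):
                break
            procs.append(line)
    return procs


def unwrap_entries(log_text):
    """Rejoin items that were hard-wrapped when pasted (heuristic, lossy)."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries:
            prev = entries[-1]
            # A break after '%' or a mid-token '-' had no space before the wrap.
            glue = "" if re.search(r"(%|\S-)$", prev) else " "
            entries[-1] = prev + glue + line
    return entries


def flag_running(procs, files=KILLBOX_FILES, dirs=TARGET_DIRS):
    """Return running processes that are on the list or under a target folder."""
    file_set = {_norm(p) for p in files}
    prefixes = tuple(_norm(d) + "\\" for d in dirs)
    return [p for p in procs
            if _norm(p) in file_set or _norm(p).startswith(prefixes)]


if __name__ == "__main__":
    for entry in unwrap_entries(SAMPLE_LOG):
        print(entry)
    print("still running:", flag_running(running_processes(SAMPLE_LOG)))
```

The rejoining step is a guess at where the spaces were, which is why a log pasted unwrapped is easier to review than one repaired afterwards.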



Muku6
« Reply #7 on: July 11, 2005, 10:19:03 PM »
I will say that while running Ewido, it found in my Documents and Settings/<user name> a folder named Complete.  Strangely enough, I never saw one there, at all.  And still don't.  (Assuming only files are deleted in it and nothing else.)  Not sure about that.

Anyways, here is my Ewido report:


---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         9:46:13 PM, 7/11/2005
 + Report-Checksum:      B7461E3D

 + Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKU\S-1-5-21-1409082233-152049171-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
   HKU\S-1-5-21-1409082233-152049171-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
   HKU\S-1-5-21-1409082233-152049171-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
   HKU\S-1-5-21-1409082233-152049171-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
   HKU\S-1-5-21-1409082233-152049171-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
   :mozilla.13:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.25:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.26:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.27:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.28:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.29:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.30:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.31:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   :mozilla.32:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   :mozilla.33:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.34:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.41:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.42:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.43:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.44:C:\Documents and Settings\Garv\Application Data\Mozilla\Firefox\Profiles\jsis4mxe.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.11:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.14:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.15:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.16:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.17:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.26:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.39:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.40:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.41:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.42:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.43:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.44:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.55:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.56:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.57:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.58:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.59:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.60:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   :mozilla.61:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
   :mozilla.75:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.76:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.77:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.79:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
   :mozilla.93:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.98:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.106:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.107:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.108:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.109:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.112:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
   :mozilla.113:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
   :mozilla.115:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.116:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.122:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
   :mozilla.123:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.125:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
   :mozilla.126:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
   :mozilla.127:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
   :mozilla.128:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
   :mozilla.129:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
   :mozilla.130:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Clickagents : Cleaned with backup
   :mozilla.131:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.132:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.143:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.144:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.145:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.146:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.154:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
   :mozilla.155:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
   :mozilla.156:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.174:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ Advanced Uninstaller Pro 2004 6.73.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ PC Repair 2.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\2G Poster Works v1.0.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\3D Canyon Flight Screensaver 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\3D Mark 2005 Pro + Keygen.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\3DS MAX 7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\7-Zip 4.24.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\AceHTML Pro 6.05.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Acronis Disk Director Suite 9.0.534.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Acronis Disk Director Suite 9.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Actual Search Replace V2.63.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\AddRemove Plus! 2004 5.0.0.100.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Adobe Creative Suite 2 iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Advanced Security Administrator 10.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Alcohol 120% 1.9.2.1705.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\All In one Paswords Utilities 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Anti Tracks 5.0.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\AntiVir Personal Edition 6.31.00.03.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ANYDVD 5.2.7.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Apollo 37zp.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Apollo DVD Copy v4.3.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Articulate Spelling v1.24.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\AudioJack 1.42.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Avant Browser 10.1 Beta 10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Batman Begins.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Battlefield 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Bewitched.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Boilsoft AVI to VCDDVD Converter 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Brothers in Arms Road to Hill 30.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Ca Etrust Ez Antivirus 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Camtasia Studio 2.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\CaptureWiz Pro 3.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Carmageddon TDR 2000.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Catch 3D v6.51.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Clean Space v9.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\CloneCD 5.2.4.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\CloneDVD 2.5.3.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Crazy.N.The.City.2005.DVDSCR.XviD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Dangerous Waters - HOODLUM.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Demonstration Screen v1.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Desktop Search 2.02.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\DirWatcher Pro 2.3.181.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Disk Clean Wizard 1.26.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Disk Space Inspector 2.9.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\DKMessenger 3.9.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Dragon Naturallyspeaking 8 Professional.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\DVD Profiler v2.4.0.868.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\DVDFab Express 2.62.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\DVDFab Platinum 2.62.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\DVDFab Platinum Edition 2.70.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\DVDIdle Pro 5.62.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\easy media creator 7.5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Easyrecovery Pro V6.10.07.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\eDonkey Accelerator 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\F-Secure Anti-Virus Client Security 6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\FairStars Recorder 2.60.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Fantastic 4 The Game.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Fantastic 4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\FastStone Image Viewer 2.15.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\File Info v2.90.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\File Securer v3.53.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\FlashPaste 3.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Flatout.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\FlipAlbum® Professional v6.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ForecastFox 0.8.0.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\FotoPrint 3.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\FunPhotor v3.61.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\GameJack v5.0.3.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\GcMail 3.0.1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\GetRight 5.2b Regged.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Glarysoft DVD Ripper 1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\God of War USA PS2DVD5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Google Earth 3.0.036.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Google Toolbar Beta for Firefox.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Gutterball 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\HALO 2 USA XboX.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\HandyRec Professional 4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Haunting Ground PS2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Herbie Fully Loaded.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\HiDownload v6.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\High Power Encryption 4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Hostage (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Ice Princess (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\IEWatch v2.2.0.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Imperial Glory (Pc) iSO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\IncrediMail Xe Premium 4.00 Build 1930.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\InstallAWARE 2005 Studio Edition 3.1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Internet Download Accelerator 4.02.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\InterVideo DVD Copy GoldPlatinum 3.0.B016.43C00.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\IPCheck Server Monitor 5.0.1.309.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Jasc Paint Shop Pro 9.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\JetAudio 6.1.3.6224.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Juiced.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Land of the Dead (2005), hurry.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Lasersoft Silverfast SFE-6.4.0r3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\LimeWire Pro 4.6.0.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Longman Dictionary of Contemporary Engli.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Madagascar TC SVCD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Madagascar, 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Man of the House (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ManageDesk 2.30.17.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ManageDesk 2.30.18.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Mass Downloader 3.0 SR1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Maxx PDFMailer 3.0.23.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\McAfee ePO 109mb Full Version.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\MediaCam AV v4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Microsoft AntiSpyware 1.0.614.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Microsoft Office XP Standard 2003.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Microsoft Visio 2003 Standard.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\MindSoft Utilities XP 8.11.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Modem Booster 5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Mp3 Doctor 5.11.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Mystica 5.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Nero 6.6.0.12.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Nero 6.6.0.15 NEW DOWNLOAD Today.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\nero burning rom 6.6.0.14.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Network Mechanic v1.2c.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\No1 Screen Capture v3.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\NOD32 2.000.11.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Nokia PC Suite 6.6.16.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Norton Ghost 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\O&O Soft Great Products All-In-One.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Offline Explorer Enterprise 3.6.1950.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Ontrack PowerControls v3.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Outpost Firewall Pro 2.7.485.412.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Panda Platinum 2005 Internet Security.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\PCMark 05 1.0.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Photo Pos Pro 1.12.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Photo2DVD Studio 3.8.3.2.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Photovista Panorama 3.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Pinnacle TitleDeko Pro 2.0.1634.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Planespotting.2005.DVDRip.XviD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Plato DVD Ripper 1.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Poker.Spy 1.8.8.01.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Pop.up.Blocker.Pro.Rich-Media.Ad.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Popup Assassin Pro 1.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Porn Movie Grabber 1.02.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Power DVD 6.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\PowerArchiver 2004 9.20.07.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Privacy Guardian 3.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Pro Evolution Soccer 4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Process Lasso Lite 2.05rc4a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ProjectArchitect v1.0.0.59.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ProShow Gold 2.5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Ram Idle Pro 3.6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Raxco PerfectDisk 7.0.31.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Raxco Power Pack for Workstation.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Recover My Files 3.22.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Recover My Files 3.26.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Reg Organizer 3.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ReGet Deluxe 4.1.232.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ReGet Deluxe 4.1.244.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Registry Mechanic 4.0.0.101.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Registry Mechanic 5.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Registry Mechanic v5.0.0.132.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Registry.Repair 1.44.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\RegSupreme 1.3.0.31 lite.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Salon Styler Pro ($973USD) - Working WC.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\SCARABAY 2.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Serial Viewer.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Show Your Emotions- Disco Park 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ShowMaker Professional 2.12.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Skype 1.3.0.55.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\SlySoft AnyDVD 4.5.8.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\SmartFTP v1.5.988.29.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Spam Defender Pro 5.0b.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Spy Kill Deluxe Edition 2.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Spy Kill Deluxe Edition v2.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\SpyBlocker 8.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\StealthDisk 2005.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Steganos Internet Trace Destructor 7.10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Stone.Cold.2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Style XP 3.10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Summer of sam.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Super SpongeBob Collapse 1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\SWF Max v1.3.645 (Flash Player).zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Symantec Client Security ver. 3.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Symantec Enterprise Firewall VPN 7.04.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\System Mechanic Professional 5.5a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\System Monitor 1.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\System Monitor v1.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\TechSmith Camtasia Studio V3.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\TechSmith SnagIt 7.2.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\The Matrix Original Sountrack.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\The Pacifier.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Time & Chaos v6.0.3.5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Tiny Personal Firewall 6.5.50.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Translator Internet 1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Treasure Vault 3D Screensaver 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Trend micro antispyware.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Trojan Remover 6.3.5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Tune up Utilities 2004.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\TuneUp Utilities 2004 4.1.231.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\TuneUp Utilities 2004 4.1.2316.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Turbo ZIP Cracker 0.1.2.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Video.Gif.Converter.1.3.02.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Visual Business Cards 4.07.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\VMware Workstation 5.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\War of the Worlds.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Warez P2P 2.8 .zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Webroot Spy Sweeper 4.0.3 Build 402.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\winamp 5.093.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Winamp Pro 5.08c.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\WinBoost 4.90.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Windows 98 SE.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Windows Vaccine v3.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\WinDVD Platinum 6.0.6.56 + InterVideo DVD XPack Plus MP.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\WinPatrol 9.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\WinRAR 3.50 Beta 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Wintuneup Utilities 2004 1.02.621.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\WWW File Share Pro 3.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\XIII.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\XPepius 2.0.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Zend Studio 3.5.1Client.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\Zend Studio Client 3.5.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Heather\Complete\ZoneAlarm Pro 5.5.062.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Program Files\winupdates\winupdates.exe -> Worm.VB.an : Cleaned with backup


::Report End



And here is my HijackThis report:

-------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:09:58 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Heather\Application Data\Mozilla\Profiles\default\rhsa95z5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Heather\Application Data\Mozilla\Profiles\default\rhsa95z5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Heather\LOCALS~1\Temp\sahagent.exe run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://config.skillcheck.com/onlinetesting...1050/wficat.cab
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


-------------------------



I can now at least bring up my Windows Task Manager, which is a relief.  I can't bring up ipconfig on Start > Run though.  It pops up for half a second, and still disappears.  Didn't happen until I got this worm, at least from what I noticed.

Hopefully things are looking better, from the logs.  I can say I'm happy right now at least having my Task Manager again. :)


-Muku
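The two logs in the post above can be cross-referenced mechanically. The following is an added example, not part of the original thread or of HijackThis or ewido: it parses excerpts copied from the scanner report and the HijackThis log and flags startup entries whose target was detected by the scanner, sits in a directory with detections, runs from a Temp directory, or is marked `(no file)`. The function names and the three heuristics are assumptions chosen for illustration.

```python
import ntpath
import re

# Excerpts copied from the two logs in the post above (not the full logs).
SCAN_REPORT = r"""
    :mozilla.122:C:\Documents and Settings\Garv\Application Data\Mozilla\Profiles\default\olx8h9ym.slt\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
    C:\Documents and Settings\Heather\Complete\7-Zip 4.24.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
    C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
    C:\Program Files\winupdates\winupdates.exe -> Worm.VB.an : Cleaned with backup
"""

HJT_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Heather\LOCALS~1\Temp\sahagent.exe run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
"""

# "<optional :source: prefix><path> -> <detection name> : <action>"
SCAN_LINE = re.compile(r"^\s*(?::[\w.]+:)?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")
# "O4 - HKLM\..\Run: [value name] command line"
O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def norm(path):
    """Lower-cased, separator-normalised form of a Windows path."""
    return ntpath.normcase(ntpath.normpath(path))


def parse_scan_report(text):
    """Map each detected file to its detection name (archive members collapse to the archive)."""
    detections = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if not m or m.group("name").startswith("Spyware.Cookie."):
            continue  # tracking cookies are not executables; skip them
        container = m.group("path").split("/", 1)[0]  # "a.zip/Setup.exe" -> "a.zip"
        detections[norm(container)] = m.group("name")
    return detections


def executable_of(command):
    """Extract the program path from a Run-key command line (quoted or unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r".*?\.(?:exe|dll|com|bat)\b", command, re.IGNORECASE)
    return m.group(0) if m else command.split(" ", 1)[0]


def triage(scan_text, hjt_text):
    """Return {HijackThis line: [reasons]} for entries worth a closer look."""
    detections = parse_scan_report(scan_text)
    detected_dirs = {ntpath.dirname(p) for p in detections}
    flagged = {}
    for line in hjt_text.splitlines():
        line = line.strip()
        reasons = []
        if line.endswith("(no file)"):
            reasons.append("target file missing")
        m = O4_LINE.match(line)
        if m:
            exe = norm(executable_of(m.group("cmd")))
            if exe in detections:
                reasons.append("file detected by scanner as " + detections[exe])
            elif ntpath.dirname(exe) in detected_dirs:
                reasons.append("directory contained scanner detections")
            if "\\temp\\" in exe:  # assumption: autoruns from Temp deserve review
                reasons.append("runs from a Temp directory")
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SCAN_REPORT, HJT_LOG).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```

A flagged entry is a candidate for review, not a verdict; a clean entry only means none of the three heuristics matched.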

Offline guestolo

Win32.P2P-Worm.Alcan.a
« Reply #8 on: July 11, 2005, 11:17:47 PM »
Can you do the following please
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Find and  remove this folder if found
 C:\Documents and Settings\Heather\Complete <-this folder
and this one
C:\Program Files\winupdates <-folder

Do another scan with Hijackthis and put a check next to these entries:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Heather\LOCALS~1\Temp\sahagent.exe run


The next ones you had disabled on startup, optionally, you can choose to fix the next ones too

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Access your Add/Remove programs and remove if found
ShopAtHomeSelect

Run Windows CleanUp! again, when it's done Restart your computer

Back in Windows
Can you run another Full system scan with Ad-Aware and ensure it comes out clean
Restart your computer if any Critical objects are found and removed

What Anti-Virus software are you running? If you don't have your own, please download and install the free version of AVG 7
Go to this link
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Scroll down to
AVG Free Edition installation files
File   Version
avg70free_323a539.exe <-this link or similar
Save the installer to desktop and then double click to install
Follow the prompts
After installation ensure that AVG is right up to date, run a Full system scan

Afterwards
Run another scan with Hijackthis and post a fresh log

When you go to start>>run>>and type in ipconfig
The prompt will flash for a half a second
What you want to do is go to Start>>Run>>type in cmd
At the command prompt type in ipconfig
Unless you meant msconfig
You can do that from the Start>>Run command
« Last Edit: July 12, 2005, 12:21:29 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Muku6

Win32.P2P-Worm.Alcan.a
« Reply #9 on: July 12, 2005, 11:08:51 AM »
Both the Complete folder and the winupdates were in fact hidden folders.  I wondered yesterday about that while posting, but it'd been so long since I'd revealed hidden stuff that I couldn't remember where the settings were to show them.

I could have sworn you could do ipconfig from the Run without having to bring up the DOS Window in full.  But, maybe I'm losing my mind. :)  This worm has been driving me batty and I may have temporarily lost my mind with it. ;)

Ad-Aware came up clean, as did AVG Anti-Virus.

Here is my current Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 11:07:31 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\Heather\Application Data\Mozilla\Profiles\default\rhsa95z5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Heather\Application Data\Mozilla\Profiles\default\rhsa95z5.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://config.skillcheck.com/onlinetesting...1050/wficat.cab
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
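An added example, not part of the original posts: a small Python check that the entries flagged in Reply #8 are gone from the log posted in Reply #9, plus a heuristic (an assumption of this example, not a rule from the thread) that flags registry autostarts launched from a Temp directory, as SAHBundle was. The function names are hypothetical; the log lines are copied from the thread and shortened.

```python
import re

# Item lines are "<section> - <detail>"; header and running-process lines do not match.
ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 registry autostart detail: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[([^\]]+)\] (.+)$")

# Entries guestolo asked to fix in Reply #8 (copied from the thread).
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Heather\LOCALS~1\Temp\sahagent.exe run
"""

# Excerpt of the log posted in Reply #9 (copied from the thread, shortened).
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

def parse_items(log_text):
    """Return [(section, detail)] for every HijackThis item line in the text."""
    matches = (ITEM_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def run_entries(items):
    """Map autostart value name -> command line for O4 registry Run entries."""
    entries = {}
    for section, detail in items:
        m = RUN_RE.match(detail) if section == "O4" else None
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def still_present(fix_list, later_log):
    """Items from the fix list that still appear in a later log."""
    later = set(parse_items(later_log))
    return [item for item in parse_items(fix_list) if item in later]

def temp_autostarts(log_text):
    """Names of Run entries whose command lives under a Temp directory (heuristic)."""
    runs = run_entries(parse_items(log_text))
    return [name for name, cmd in runs.items() if re.search(r"\\temp\\", cmd, re.I)]

if __name__ == "__main__":
    print("still present:", still_present(FIX_LIST, AFTER_LOG))
    print("temp autostarts in fix list:", temp_autostarts(FIX_LIST))
```

An empty `still_present` result only shows the entries no longer appear in the log; the folder removal and follow-up scans in Reply #8 still apply.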

Offline guestolo

Win32.P2P-Worm.Alcan.a
« Reply #10 on: July 12, 2005, 11:05:36 PM »
That looks good
Go back and hide hidden files and folders

Hold onto AVG, it's yours for free and will update for free for the life of the product
ipconfig on my XP and 98 machine flash for a split second from the run command :P

If everything is running better, please do the following
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2 as well
« Last Edit: July 12, 2005, 11:06:36 PM by guestolo »



Offline Muku6

Win32.P2P-Worm.Alcan.a
« Reply #11 on: July 13, 2005, 11:55:23 AM »
Awesome.  Thank you SOOOO very much for taking your time out to help me.  I really appreciate it.

I use FireFox as my main browser, so I downloaded the first program.  I am, however, gonna download the second program in case someone ever wants to use IE.  Better to be safe than sorry.

Again, thank you very much!


-Muku

Offline guestolo

Win32.P2P-Worm.Alcan.a
« Reply #12 on: July 13, 2005, 07:30:09 PM »
Glad to help, I'll lock this topic as your problems appear resolved
If you need it reopened, please PM a Mod or the site Admin and supply a link to this thread

Stay safe :D
