Author Topic: WIN32.P2P-WORM.ALCAN.A  (Read 1897 times)

Offline Standingranby

  • Newbie
  • Posts: 6
  • Karma: +0/-0
WIN32.P2P-WORM.ALCAN.A
« on: July 21, 2005, 09:11:50 PM »
The last few times I've run Ad-Aware, it's come up with WIN32.P2P-WORM.ALCAN.A

It doesn't matter if I delete it with Ad-Aware because it always comes back. As far as I can tell, it's not doing anything besides slowing my system down and causing Limewire to launch on its own. Does anyone know how to get rid of this worm?

Thanks

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #1 on: July 23, 2005, 04:33:18 PM »
Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
This could take some time as it will scan your drive
Once the Scan is Complete
   1. Go to the WinPFind folder
   2. Reboot back to Normal mode
   3. Locate WinPFind.txt in the WinPfind folder
Post the results of the WinPFind.txt

Could you also Download HijackThis from my signature below and save it to a folder on your computer
Run a Scan and Save logfile with Hijackthis and post the whole log that's produced

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Standingranby

  • Newbie
  • Posts: 6
  • Karma: +0/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #2 on: July 24, 2005, 09:55:13 PM »
So I really appreciate the help with this. Thank you, and here are the log files for WinPFind and HJT, respectively.

-Rob

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»  

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX!                 12/21/1999 7:58:02 AM  21312      C:\WINDOWS\choice.exe
PECompact2           7/21/2005 10:16:24 AM  15400675   C:\WINDOWS\lpt$vpn.741
qoologic             7/21/2005 10:16:24 AM  15400675   C:\WINDOWS\lpt$vpn.741
SAHAgent             7/21/2005 10:16:24 AM  15400675   C:\WINDOWS\lpt$vpn.741
UPX!                 5/3/2005 11:44:44 AM   25157      C:\WINDOWS\RMAgentOutput.dll
UPX!                 1/10/2005 4:17:24 PM   170053     C:\WINDOWS\tsc.exe
UPX!                 4/18/2005 2:39:12 PM   58368      C:\WINDOWS\Unwash6.exe
UPX!                 3/9/2003 6:42:44 PM    47104      C:\WINDOWS\uscscsi.dll
PECompact2           7/21/2005 10:16:24 AM  15400675   C:\WINDOWS\VPTNFILE.741
qoologic             7/21/2005 10:16:24 AM  15400675   C:\WINDOWS\VPTNFILE.741
SAHAgent             7/21/2005 10:16:24 AM  15400675   C:\WINDOWS\VPTNFILE.741
UPX!                 2/18/2005 6:40:14 PM   1044560    C:\WINDOWS\vsapi32.dll
aspack               2/18/2005 6:40:14 PM   1044560    C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2                 8/23/2001 8:00:00 AM   41397      C:\WINDOWS\SYSTEM32\dfrg.msc
UPX!                 11/24/2001 2:31:48 PM  65536      C:\WINDOWS\SYSTEM32\DVDAudio.ax
UPX!                 11/24/2001 2:28:14 PM  86528      C:\WINDOWS\SYSTEM32\DVDVideo.ax
PECompact2           7/6/2005 10:21:30 PM   1366872    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               7/6/2005 10:21:30 PM   1366872    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               8/4/2004 3:56:36 AM    708096     C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor             8/4/2004 3:56:44 AM    657920     C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX!                 4/3/2004 11:07:14 PM   74240      C:\WINDOWS\SYSTEM32\unrar.dll
winsync              8/23/2001 8:00:00 AM   1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech                8/4/2004 1:41:38 AM    1309184    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
                     6/28/2005 11:20:06 AM  0          C:\WINDOWS\INF\oem36.inf
                     7/21/2005 10:00:54 PM  2          C:\WINDOWS\SYSTEM32\cmd.com
                     7/21/2005 10:00:54 PM  2          C:\WINDOWS\SYSTEM32\netstat.com
                     7/21/2005 10:00:54 PM  2          C:\WINDOWS\SYSTEM32\ping.com
                     7/21/2005 10:00:54 PM  2          C:\WINDOWS\SYSTEM32\regedit.com
                     7/21/2005 10:00:54 PM  2          C:\WINDOWS\SYSTEM32\taskkill.com
                     7/21/2005 10:00:54 PM  2          C:\WINDOWS\SYSTEM32\tasklist.com
                     7/21/2005 10:00:54 PM  2          C:\WINDOWS\SYSTEM32\tracert.com
                     7/23/2005 9:23:14 PM   892        C:\WINDOWS\SYSTEM32\vsconfig.xml
                     7/24/2005 10:28:44 PM  8192       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
                     7/24/2005 10:29:14 PM  1024       C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
                     7/24/2005 10:28:56 PM  16384      C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
                     7/24/2005 10:30:18 PM  53248      C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
                     7/24/2005 10:29:06 PM  1101824    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
                     7/13/2005 5:44:26 PM   1024       C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
                     7/18/2005 10:33:44 AM  388        C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\79ab226c-0987-416b-b41e-c885232cfbc4
                     7/18/2005 10:33:44 AM  24         C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
                     7/24/2005 10:27:54 PM  6          C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»  

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
                     8/3/2004 6:38:52 PM    646        C:\Documents and Settings\Rob Schwerdt\Start Menu\Programs\Startup\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     1/30/2005 10:32:56 PM  865        C:\Documents and Settings\Rob Schwerdt\Application Data\AdobeDLM.log
                     1/30/2005 10:32:56 PM  0          C:\Documents and Settings\Rob Schwerdt\Application Data\dm.ini
                     11/7/2003 5:00:28 PM   70424      C:\Documents and Settings\Rob Schwerdt\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»  

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
   SV1    =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{81559C35-8464-49F7-BB0E-07A383BEF910}
       = C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\spywareguard.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
   {5464D816-CF16-4784-B9F3-75C0DB52B499}    = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   POINTER   point32.exe
   Jet Detection   "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
   NvCplDaemon   RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
   Zone Labs Client   "C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe"
   SunJavaUpdateSched   C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
   D-Link Air USB Utility   C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
   IMAIL
   MAPI
   MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   AntiWindowsMessenger   C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
   Microsoft Works Update Detection   C:\Program Files\Microsoft Works\WkDetect.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
    = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145
      


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
   {7849596a-48ea-486e-8937-a2a3009f31a9}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
   {fbeb8a05-beee-4442-804e-409d6c4515e9}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
   {E6FB5E20-DE35-11CF-9C87-00AA005127ED}    = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
   {35CEC8A3-2BE6-11D2-8773-92E220524153}    = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
   AppInit_DLLs   

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»  
WinPFind v1.2.4   - Log file written to "WinPFind.Txt" in the WinPFind folder.


Logfile of HijackThis v1.99.1
Scan saved at 10:41:58 PM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AntiWindowsMessenger] C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe


Thanks again
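The two-byte .com files in the "system and hidden files within the last 60 days" section of the WinPFind log above are the entries the later cleanup replies target. As an added illustration (not part of the thread, and not a feature of WinPFind or HijackThis), here is a small Python parser that reads that section of a WinPFind log and flags .com files in System32 whose base name matches a tool that normally ships there as an .exe. The reason such stubs matter: when a bare command name is run, Windows tries the PATHEXT extensions in order, and .COM precedes .EXE, so a cmd.com beside cmd.exe is the one that gets executed. Legitimate .com programs that ship with Windows (format.com, for instance) are not flagged, because the check also requires a tool name from a fixed list and a tiny file size. The sample log consists of lines taken from the post above plus two constructed lines (a realistically sized format.com and a tiny legit.com) to show the filter discriminates; the tool list and the 64-byte threshold are my own assumptions, not values from the thread.

```python
import ntpath
import re
from collections import defaultdict, namedtuple

FileRecord = namedtuple("FileRecord", "date time size path")

# One line of the WinPFind "system and hidden files" section: date, time, size, path.
LINE_RE = re.compile(
    r"^\s*(\d{1,2}/\d{1,2}/\d{4})\s+(\d{1,2}:\d{2}:\d{2} [AP]M)\s+(\d+)\s+(\S.*?)\s*$"
)

# Assumption: tools that ship as .exe in System32 and are usually run by bare
# name. A .com with one of these base names in the same folder is resolved
# before the .exe (PATHEXT lists .COM before .EXE), so it shadows the real tool.
SHADOWABLE_TOOLS = {
    "cmd", "regedit", "netstat", "ping", "taskkill",
    "tasklist", "tracert", "taskmgr",
}

# Lines from the WinPFind log posted above, plus two constructed lines at the
# end: a real-sized format.com (a legitimate .com that ships with Windows) and a
# tiny legit.com whose name matches no tool. Neither of those should be flagged.
SAMPLE_LOG = r"""
Checking the Windows folder for system and hidden files within the last 60 days...
                     6/28/2005 11:20:06 AM  0          C:\WINDOWS\INF\oem36.inf
                     7/21/2005 10:00:54 PM  2          C:\WINDOWS\SYSTEM32\cmd.com
                     7/21/2005 10:00:54 PM  2          C:\WINDOWS\SYSTEM32\regedit.com
                     7/23/2005 9:23:14 PM   892        C:\WINDOWS\SYSTEM32\vsconfig.xml
                     7/24/2005 10:27:54 PM  6          C:\WINDOWS\Tasks\SA.DAT
                     7/20/2005 1:00:00 PM   13312      C:\WINDOWS\SYSTEM32\format.com
                     7/20/2005 1:00:00 PM   2          C:\WINDOWS\SYSTEM32\legit.com
"""


def parse_winpfind_files(text):
    """Extract (date, time, size, path) records from a WinPFind file section.
    Section headers, blank lines and anything else that is not a file entry
    are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date, time, size, path = m.groups()
            records.append(FileRecord(date, time, int(size), path))
    return records


def find_shadowing_coms(records, max_size=64):
    """Return the records for tiny .com files in System32 that carry the base
    name of a tool normally present there as an .exe. The (assumed) max_size
    keeps genuine .com programs, which are kilobytes, out of the result."""
    hits = []
    for rec in records:
        folder, name = ntpath.split(rec.path)       # ntpath handles C:\ paths on any OS
        base, ext = ntpath.splitext(name)
        if ext.lower() != ".com":
            continue
        if ntpath.basename(folder).lower() != "system32":
            continue
        if base.lower() in SHADOWABLE_TOOLS and rec.size <= max_size:
            hits.append(rec)
    return hits


def group_by_timestamp(records):
    """Files written in the same second were most likely dropped by one
    process; returning those groups helps tie stubs to a common dropper."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec.date, rec.time)].append(rec.path)
    return {ts: paths for ts, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    recs = parse_winpfind_files(SAMPLE_LOG)
    for hit in find_shadowing_coms(recs):
        print(f"shadowing stub: {hit.path} ({hit.size} bytes, {hit.date} {hit.time})")
    for (date, time), paths in group_by_timestamp(recs).items():
        print(f"{len(paths)} files written at {date} {time}: {', '.join(paths)}")
```

Run against the sample, the script reports cmd.com and regedit.com as stubs and shows that both were written in the same second, which is the kind of evidence that lets a helper build a removal list like the one in the later reply rather than deleting every .com file it sees.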

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #3 on: July 24, 2005, 10:21:20 PM »
Can you do me one more favor please
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Navigate to this folder
C:\Documents and Settings\Rob Schwerdt
Open this folder
Let me know if you see a "Complete" folder or a "Shared" folder
If so, can you open the folder and let me know if you see a bunch of zip files
Do you remember downloading any or all?
Check other user accounts too



Offline Standingranby

  • Newbie
  • Posts: 6
  • Karma: +0/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #4 on: July 24, 2005, 10:58:06 PM »
I found a "Complete" folder which was hidden. There is a ton of zip files in there, 353 to be exact, and a lot of it looks strange to me. A lot of it has to do with video games, etc. but there are plenty of files I have no recollection of putting on my computer. I'm the only user for this computer, by the way.

Thank you.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #5 on: July 24, 2005, 11:19:13 PM »
Great, thanks for the info

Can you do the following please

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit


==Download and then Install
Ewido Security Suite
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

==Check for Updates with Ad-Aware, if any download them
But don't run a scan yet

==Download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Please Save these instructions to a Notepad file on the desktop for reference
and/or Print this out
Also, know how to start into safe mode ahead of time, if unsure I supplied a link below

Run Pocket KillBox.exe

In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing
Control + C on your keyboard

Killbox files to highlight between dotted lines
===================================================
C:\WINDOWS\SYSTEM32\cmd.com
C:\WINDOWS\SYSTEM32\netstat.com
C:\WINDOWS\SYSTEM32\ping.com
C:\WINDOWS\SYSTEM32\regedit.com
C:\WINDOWS\SYSTEM32\taskkill.com
C:\WINDOWS\SYSTEM32\tasklist.com
C:\WINDOWS\SYSTEM32\tracert.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\RMAgentOutput.dll



===================================================
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer doesn't restart
Please Restart it now manually into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In Safe mode
Navigate to this folder
C:\Documents and Settings\Rob Schwerdt\Complete
Open the Complete folder and delete the contents then the Complete folder itself

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.

==Open Ewido trojan scanner
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

NOTE: When Ewido is running do NOT open any other Windows
Let it do its job

When it's done
==Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart back to Normal mode

Post a fresh Hijackthis log and the Report from Ewido
« Last Edit: July 25, 2005, 12:01:34 AM by guestolo »



Offline Standingranby

  • Newbie
  • Posts: 6
  • Karma: +0/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #6 on: July 25, 2005, 04:48:27 PM »
Here are the HJT and Ewido logs:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         6:25:32 AM, 7/25/2005
 + Report-Checksum:      891E320

 + Scan result:

   HKLM\SOFTWARE\DelFin -> Spyware.Delfin : Cleaned with backup
   HKLM\SOFTWARE\DelFin\PromulGate -> Spyware.Delfin : Cleaned with backup
   HKU\S-1-5-21-1653462319-3277439761-822851105-1006\Software\DelFin -> Spyware.Delfin : Cleaned with backup
   HKU\S-1-5-21-1653462319-3277439761-822851105-1006\Software\DelFin\PromulGate -> Spyware.Delfin : Cleaned with backup
   C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041005-130039-410.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
   C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041015-020816-344.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
   C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041105-114000-300.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
   C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20041216-161136-549.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
   C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\backups\backup-20050626-182427-510.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
   :mozilla.12:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.13:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.15:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.22:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Bluestreak : Cleaned with backup
   :mozilla.32:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.33:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.34:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.45:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Bfast : Cleaned with backup
   :mozilla.55:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
   :mozilla.57:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.58:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.59:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.65:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.66:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.77:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.79:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Spylog : Cleaned with backup
   :mozilla.83:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.85:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Questionmarket : Cleaned with backup
   :mozilla.89:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Euniverseads : Cleaned with backup
   :mozilla.98:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.107:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Coremetrics : Cleaned with backup
   :mozilla.114:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.115:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.116:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.117:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.118:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.119:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.120:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.125:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.139:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.140:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.141:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.145:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.247realmedia : Cleaned with backup
   :mozilla.147:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.148:C:\RECYCLER\NPROTECT\00012775.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.8:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.14:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.16:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.22:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Bluestreak : Cleaned with backup
   :mozilla.32:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.33:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.34:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.41:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Bfast : Cleaned with backup
   :mozilla.51:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
   :mozilla.53:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.54:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.55:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.61:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.62:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.73:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.75:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Spylog : Cleaned with backup
   :mozilla.79:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.81:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Questionmarket : Cleaned with backup
   :mozilla.85:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Euniverseads : Cleaned with backup
   :mozilla.94:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.103:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Coremetrics : Cleaned with backup
   :mozilla.110:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.111:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.112:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.113:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.114:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.115:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.116:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.121:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.135:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.136:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.137:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.141:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.247realmedia : Cleaned with backup
   :mozilla.143:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.144:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.6:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.7:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.8:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.9:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.17:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.19:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.25:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Bluestreak : Cleaned with backup
   :mozilla.35:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.36:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.37:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.44:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Bfast : Cleaned with backup
   :mozilla.54:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Googleadservices : Cleaned with backup
   :mozilla.61:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.62:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.73:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Specificclick : Cleaned with backup
   :mozilla.75:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Spylog : Cleaned with backup
   :mozilla.79:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.81:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Questionmarket : Cleaned with backup
   :mozilla.85:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Euniverseads : Cleaned with backup
   :mozilla.94:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.103:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Coremetrics : Cleaned with backup
   :mozilla.110:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.111:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.112:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.113:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.114:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.115:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.116:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Esomniture : Cleaned with backup
   :mozilla.121:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Webtrendslive : Cleaned with backup
   :mozilla.135:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.136:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.137:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.141:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.247realmedia : Cleaned with backup
   :mozilla.143:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.144:C:\RECYCLER\NPROTECT\00012777.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP493\A0068264.exe -> Worm.VB.an : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP500\A0068461.exe -> Worm.VB.an : Cleaned with backup
   C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP500\A0068462.exe -> Worm.VB.an : Cleaned with backup
   C:\WINDOWS\SYSTEM32\chktrust.exe -> Spyware.BargainBuddy : Cleaned with backup


::Report End

and the HJT:

Logfile of HijackThis v1.99.1
Scan saved at 5:48:01 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AntiWindowsMessenger] C:\Program Files\Bitsum Technologies\Anti-Windows Messenger\AntiMsMsg.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Rob Schwerdt\Desktop\antispyware\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

Thanks again.

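The two logs posted above (the ewido-style report with its `<object> -> <detection> : <action>` lines, and the HijackThis v1.99 log with its O2/O4/O23 entries) are easier to read once parsed. The script below is an added example, not code from the thread or from either tool. It parses both formats, groups detections by family, separates out the copies sitting inside System Restore points (the reason the reply below asks for restore points to be purged), and marks HijackThis autostart entries that deserve a second look: bare filenames resolved via PATH, programs starting from a user-writable folder, services with no vendor string, and unnamed BHOs. The sample lines are constructed to mirror the posted formats; the GUID, the `Example Updater` and `Example Service` entries are placeholders. A flag means "review this", not "this is malicious": the named BHO here is the same kind of entry a legitimate tool such as Spybot produces.

```python
"""Parse the two log formats posted above: an ewido-style scan report
("<object> -> <detection> : <action>") and a HijackThis v1.99 log
(O2/O4/O23 lines), then summarise them the way a helper reading the
thread would. Sample lines are constructed to mirror the posted formats."""
import re
from collections import Counter

# Constructed sample of the ewido-style report format (not the thread's own lines).
EWIDO_SAMPLE = r"""
:mozilla.8:C:\RECYCLER\NPROTECT\00012776.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP493\A0068264.exe -> Worm.VB.an : Cleaned with backup
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP500\A0068461.exe -> Worm.VB.an : Cleaned with backup
C:\WINDOWS\SYSTEM32\chktrust.exe -> Spyware.BargainBuddy : Cleaned with backup
"""

# Constructed sample of HijackThis lines; "Example Updater" / "Example Service" are placeholders.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Example Updater] C:\Documents and Settings\user\Application Data\updater.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Example Service (ExSvc) - Unknown owner - C:\WINDOWS\System32\exsvc.exe
"""

EWIDO_RE = re.compile(r"^(?P<obj>.+?) -> (?P<det>\S+) : (?P<action>.+)$")

def parse_ewido(text):
    """One dict per detection line; cookie hits carry a ':mozilla.N:' prefix before the path."""
    rows = []
    for line in text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if not m:
            continue
        obj = m.group("obj")
        path = obj.split(":", 2)[2] if obj.startswith(":mozilla.") else obj
        rows.append({
            "path": path,
            "detection": m.group("det"),
            "family": m.group("det").split(".")[0],
            "action": m.group("action"),
            # Copies inside System Restore points come back if the points are restored.
            "in_restore_point": "\\_restore{" in path.lower(),
        })
    return rows

def summarise_ewido(rows):
    """Detections counted by family, plus the paths that live in restore points."""
    return {
        "by_family": Counter(r["family"] for r in rows),
        "restore_point_hits": [r["path"] for r in rows if r["in_restore_point"]],
    }

HJT_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def exe_of(cmd):
    """Pull the launched executable out of a Run-key command line (quoted or not)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r".*?\.(?:exe|dll|com|scr|bat|cmd)\b", cmd, re.I)
    return m.group(0) if m else cmd.split()[0]

def parse_hjt(text):
    """One dict per recognised HijackThis line: code, name, vendor (O23 only) and target."""
    entries = []
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        e = {"code": code, "name": "", "vendor": "", "target": body}
        if code == "O4" and (o4 := O4_RE.match(body)):
            e.update(name=o4.group("name"), target=exe_of(o4.group("cmd")))
        elif code in ("O2", "O23") and body.count(" - ") >= 2:
            head, mid, target = body.rsplit(" - ", 2)   # "BHO: name - {CLSID} - dll" / "Service: name - vendor - exe"
            e.update(name=head.split(": ", 1)[1], target=target)
            if code == "O23":
                e["vendor"] = mid
        entries.append(e)
    return entries

USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\recycler\\")

def review_flags(e):
    """Heuristics that mark an entry for manual review; a flag is a prompt, not a verdict."""
    flags, t = [], e["target"].lower()
    if e["code"] == "O4":
        if "\\" not in t:
            flags.append("bare filename: resolved via PATH, confirm which binary actually runs")
        if any(d in t for d in USER_WRITABLE):
            flags.append("auto-starts from a user-writable location")
    if e["code"] == "O23" and e["vendor"].lower() == "unknown owner":
        flags.append("service with no vendor string")
    if e["code"] == "O2" and e["name"] == "(no name)":
        flags.append("unnamed BHO: identify the DLL before trusting it")
    return flags

def flagged(entries):
    """Entries that raised at least one review flag, in log order."""
    return [(e, review_flags(e)) for e in entries if review_flags(e)]

if __name__ == "__main__":
    print(summarise_ewido(parse_ewido(EWIDO_SAMPLE)))
    for e, fl in flagged(parse_hjt(HJT_SAMPLE)):
        print(e["code"], e["name"] or e["target"], "->", "; ".join(fl))
```

Run it on a saved HijackThis log by reading the file into `parse_hjt`; the QuickTime and vsmon entries in the sample raise no flags, which is the point of the heuristics: they narrow a long log down to the handful of lines a helper should look at first.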
Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #7 on: July 25, 2005, 07:23:15 PM »
How's everything on your end?

If everything is running better, please do the following
You should disable System Restore, restart your computer, then re-enable System Restore
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks
I see you have SpywareGuard installed, another great program
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"



Offline Standingranby

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #8 on: July 25, 2005, 07:56:43 PM »
Everything is working like it used to. My Ctrl+Alt+Del works again, among other things. I have only one question, and that is: what is your opinion about reinstalling Limewire? Is that asking for more trouble? Either way, thank you very much for your help.

Rob

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #9 on: July 25, 2005, 08:53:43 PM »
When using any P2P file sharing program, you MUST watch what you download and open
Scanning everything you download should come naturally :)

Stay safe Standingranby

EDIT>> I just noticed, do you have any Anti-Virus software you can install and run?
If not, let me know and I'll link you to a free AV
Works great too......
I see you have Norton's protected recycle bin, is Norton's installed on your computer?
Why isn't the AV running, is it unsupported or outdated?
« Last Edit: July 25, 2005, 08:56:31 PM by guestolo »



Offline Standingranby

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #10 on: July 25, 2005, 09:49:32 PM »
I used to have Norton but it expired some time ago. Can you recommend a free one?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #11 on: July 25, 2005, 09:56:00 PM »
Remember to only run one on your system
More than one can cause conflicts

I use AVG on this machine and Avast on another

If you go with AVG, the free download link is near the bottom of the page at this link
The free AVs are right at the top
http://www.thetechguide.com/forum/index.php?showtopic=15894

If you go with avast, it has 6 scanners, it's actually very good
You may not need all the scanners running, but you will have to decide what you need
on startup
Of course keep the Standard shield and the Internet Email scanner running :)
