Author Topic: alcan.a. help  (Read 1234 times)

another_victim

  • Guest
alcan.a. help
« on: September 24, 2005, 06:11:30 AM »
Hi,

As with most people who have posted with regard to this worm, I was told by my usual Ad-Aware scan that I had the alcan.a. worm. My software at the time included AVG antivirus (version 7.0.344, virus base 267.11.6/111), and Spybot Search & Destroy. Have ZoneAlarm too, so probably stupidly let a bad file through myself. As per usual, discovered I had no Ctrl+Alt+Del etc. Also the computer seemed to be running much slower.

I have read previous topics on this issue and have downloaded:
Windows Cleanup! 4.0
Ewido Security Suite
Killbox by Option^Explicit.
Hijackthis

Should I just follow the same instructions as for previous topics e.g. Stevie_d helped by questolo on the 14th September, or is the help specific to the logfile. Anyway, below is the Hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:06:56, on 24/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Administrator\Desktop\antialcan\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lavasoftnews.com/ms/display_mai...2P-Worm.Alcan.a
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [FTN95 Update] "C:\Program Files\Salford Software\FTN95\FTN95 update checker.exe" /silent
O4 - HKLM\..\Run: [LVComs] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120262005515
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Once again, I would really appreciate any help you can give, understand you're busy with all sorts of problems, but would ideally like to get this sorted before uni starts again on Monday.

Thanks

Offline another_victim

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
alcan.a. help
« Reply #1 on: September 24, 2005, 07:04:48 AM »
Just to show I have registered :)

Offline Cretemonster

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
alcan.a. help
« Reply #2 on: September 24, 2005, 07:11:33 AM »
Hi another_victim and Welcome!

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Download and unzip BFUzip from
http://computercops.biz/zx/Merijn/bfu.zip

Right Click the Zip folder and select "Extract All"

Locate and double click BFU.exe

Now locate and click the Greenish Blue globe with the cord plugged into it!

When the next small window pops up-> Copy&Paste this URL into it and click OK!
http://metallica.geekstogo.com/p2pnetwork.bfu

Now click the execute button and let the script run!

Copy&Paste the text below into a blank Notepad page and save it to your desktop as find.bat

REM Search the whole of the current drive, all attributes (hidden and system files included), for winlog.exe
dir \winlog.exe /a /s > File.txt

Once the batch file runs-> File.txt will be produced on the desktop-> I will need to see that in the next post!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...torial=62#winxp

Once in Safe Mode-> Search for and delete if found

C:\WINDOWS\System32\winlog.exe<- File

C:\Program Files\winsupdater<- Folder

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto

O4 - HKLM\..\Run: [] winlog.exe

O4 - HKLM\..\RunServices: [] winlog.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates

Post back with a fresh HijackThis log and the reports from File.txt-> WinPFind and Panda!
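The post above picks its HijackThis O4 lines to "Fix" by eye. As an added example (not part of this thread, and not how HijackThis or any of the helper's tools work internally), the script below applies the structural checks an analyst runs through when reading O4 lines: an empty value name in `[]`, a command that is a bare file name rather than a full path (so Windows resolves it through the search path at logon), an entry under the legacy RunServices key, and a command that does not name an executable at all. The sample lines are constructed to match the HijackThis 1.99.1 format shown in the logs on this page; the heuristics and their wording are the editor's assumptions, not rules from the original post.

```python
"""Triage the O4 (autostart) lines of a HijackThis log for shapes that
warrant a closer look before anyone presses "Fix checked"."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample, modelled on the O4 format used by HijackThis 1.99.1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Either a quoted program path, or an unquoted path read up to the first
# executable-looking extension (so unquoted paths with spaces still parse).
EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|bat|cmd|scr|pif|dll)))(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")

class Finding(NamedTuple):
    hive: str
    key: str
    name: str
    cmd: str
    reasons: List[str]

def triage_o4_line(line: str) -> Optional[Finding]:
    """Parse one O4 line; return a Finding (reasons may be empty) or None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m["hive"], m["key"], m["name"], m["cmd"].strip()
    reasons: List[str] = []
    if name == "":
        reasons.append("empty value name")
    if key.lower() == "runservices":
        # Heuristic: a Win9x-era key; worms commonly write it alongside Run.
        reasons.append("legacy RunServices key")
    em = EXE_RE.match(cmd)
    exe = (em["q"] or em["u"]) if em else None
    if exe is None:
        reasons.append("command does not name an executable")
    elif not FULL_PATH_RE.match(exe):
        reasons.append("bare file name, resolved via the search path at logon")
    return Finding(hive, key, name, cmd, reasons)

def suspicious_o4(log_text: str) -> List[Finding]:
    """Return only the O4 entries that tripped at least one heuristic, in log order."""
    findings = []
    for line in log_text.splitlines():
        f = triage_o4_line(line)
        if f and f.reasons:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in suspicious_o4(SAMPLE_LOG):
        print(f"{f.hive}\\..\\{f.key} [{f.name}] {f.cmd}: " + "; ".join(f.reasons))
```

Note what the heuristics do and do not catch: both `winlog.exe` entries trip on shape alone, and the truncated `C:\W` is flagged for review because nothing executable is named, but the `winsupdater` line looks structurally like any other vendor autostart. Deciding to remove that one rests on knowing the threat, which is why the helper asked for a log rather than telling the poster to fix anything flagged by a script.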

Offline another_victim

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
alcan.a. help
« Reply #3 on: September 24, 2005, 08:55:59 AM »
Sorry, I just wish to check something. I ran the BFU script as requested, and saved the text into a notepad file on the desktop.

Quote
"Once the batch file runs-> File.txt will be produced on the desktop-> I will need to see that in the next post!"

Does that mean I should double click on the find.bat icon I've created on the desktop? Please clarify!

The more I look at it the more I think you can't mean anything else by running the batch file.
Thanks
« Last Edit: September 24, 2005, 09:08:08 AM by another_victim »

Offline Cretemonster

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
alcan.a. help
« Reply #4 on: September 24, 2005, 09:15:52 AM »
Sorry about that,yes double click the batch file to run it!

It will search the entire system for that file and then display the results into a txt file!

Again,sorry for not including those instructions!

Offline another_victim

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
alcan.a. help
« Reply #5 on: September 24, 2005, 09:46:19 AM »
Hi again,

I can't seem to find the winlog.exe and winsupdater files despite setting all folders to show hidden files. Maybe I deleted them before. I do know that when I was closing windows in normal mode yesterday I was getting the "Program is not responding" END TASK message with the apparent program "winsupdater" and so quite possibly may have thought this was a folder associated with the worm and deleted it.


running the find.bat produced the following:

 Volume in drive C has no label.
 Volume Serial Number is 0CF3-B5E9

Does this mean the file is not present anymore?

Searching for winlog.exe, I have found it in my recycle bin, called "WINLOG.EXE-38E2F254.pf" and the same file under C:\RECYCLER-1-5-21...............
and D:\Recycled

However these are .pf files

Looking in the recycle bin it says the original location was C:\Windows\Prefetch. I think I put it in the recycle bin originally to see if it was to do with the alcan or not.

Similarly, the only winsupdater file I can find is WINSUPDATER.EXE-0707CC3B.pf under C:\WINDOWS\Prefetch, this is not a folder as described.

Would you suggest continuing with the other steps?
« Last Edit: September 24, 2005, 09:59:42 AM by another_victim »

Offline Cretemonster

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
alcan.a. help
« Reply #6 on: September 24, 2005, 10:34:29 AM »
I believe you are correct, that would mean the file\folder only exists in the recycle bin and archives which we will fix in a bit!

Please do go ahead with the rest of the steps and post the results!

We will go from there!

Offline another_victim

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
alcan.a. help
« Reply #7 on: September 24, 2005, 12:27:00 PM »
Have done as you commanded, except for the line:
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto, as this was not present in the logfile when I ran HijackThis again.

Anyway, the new log files are as follows:-

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 17:43:56, on 24/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\twain_32\CIS600X\WATCH.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onetel.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [FTN95 Update] "C:\Program Files\Salford Software\FTN95\FTN95 update checker.exe" /silent
O4 - HKLM\..\Run: [LVComs] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120262005515
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build: Service Pack 2    Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2           22/09/2005 13:45:14         15881841   C:\WINDOWS\lpt$vpn.855
qoologic             22/09/2005 13:45:14         15881841   C:\WINDOWS\lpt$vpn.855
SAHAgent             22/09/2005 13:45:14         15881841   C:\WINDOWS\lpt$vpn.855
UPX!                 03/05/2005 11:44:44         25157      C:\WINDOWS\RMAgentOutput.dll
UPX!                 10/01/2005 16:17:24         170053     C:\WINDOWS\tsc.exe
PECompact2           22/09/2005 13:45:14         15881841   C:\WINDOWS\VPTNFILE.855
qoologic             22/09/2005 13:45:14         15881841   C:\WINDOWS\VPTNFILE.855
SAHAgent             22/09/2005 13:45:14         15881841   C:\WINDOWS\VPTNFILE.855
UPX!                 18/02/2005 18:40:14         1044560    C:\WINDOWS\vsapi32.dll
aspack               18/02/2005 18:40:14         1044560    C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2                 23/08/2001 13:00:00         41397      C:\WINDOWS\SYSTEM32\dfrg.msc
UPX!                 24/11/2001 20:31:48         65536      C:\WINDOWS\SYSTEM32\DVDAudio.ax
UPX!                 24/11/2001 20:28:14         86528      C:\WINDOWS\SYSTEM32\DVDVideo.ax
PTech                29/08/2005 13:27:12         520968     C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2           09/09/2005 04:08:28         1997664    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               09/09/2005 04:08:28         1997664    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               04/08/2004 08:56:36         708096     C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor             04/08/2004 08:56:44         657920     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              23/08/2001 13:00:00         1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX!                 24/08/2005 22:41:20         726016     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG!                 24/08/2005 22:41:20         726016     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2                 24/08/2005 22:41:20         726016     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack               24/08/2005 22:41:20         726016     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech                04/08/2004 06:41:38         1309184    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     24/09/2005 16:47:24       S 2048       C:\WINDOWS\bootstat.dat
                     23/09/2005 19:21:40      H  54156      C:\WINDOWS\QTFont.qfn
                     24/09/2005 16:47:28       S 64         C:\WINDOWS\CSC\00000001
                     23/09/2005 16:48:44       S 64         C:\WINDOWS\CSC\00000002
                     16/09/2005 21:58:48      H  69584      C:\WINDOWS\Minidump\Mini091605-01.dmp
                     24/09/2005 14:36:56      H  31768      C:\WINDOWS\system32\vsconfig.xml
                     13/09/2005 20:40:58      H  4212       C:\WINDOWS\system32\zllictbl.dat
                     24/09/2005 16:51:52      H  12288      C:\WINDOWS\system32\config\default.LOG
                     24/09/2005 16:47:34      H  1024       C:\WINDOWS\system32\config\SAM.LOG
                     24/09/2005 16:47:26      H  16384      C:\WINDOWS\system32\config\SECURITY.LOG
                     24/09/2005 16:53:28      H  139264     C:\WINDOWS\system32\config\software.LOG
                     24/09/2005 16:51:52      H  999424     C:\WINDOWS\system32\config\system.LOG
                     23/09/2005 11:27:44      H  1024       C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
                     24/09/2005 15:11:28      H  6          C:\WINDOWS\Tasks\SA.DAT
                     24/09/2005 15:11:36      HS 113        C:\WINDOWS\Temp\History\History.IE5\desktop.ini
                     24/09/2005 15:11:36      HS 67         C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
                     24/09/2005 15:11:36      HS 67         C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\28D7K834\desktop.ini
                     24/09/2005 15:11:36      HS 67         C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\5PKPDLZ5\desktop.ini
                     24/09/2005 15:11:36      HS 67         C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9I9T7M4L\desktop.ini
                     24/09/2005 15:11:36      HS 67         C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\AS7OV578\desktop.ini

Checking for CPL files...
Microsoft Corporation          04/08/2004 08:56:58         68608      C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation          04/08/2004 08:56:58         549888     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          04/08/2004 08:56:58         110592     C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation          04/08/2004 08:56:58         135168     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          04/08/2004 08:56:58         80384      C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation          04/08/2004 08:56:58         155136     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation              25/04/2005 10:31:44         77824      C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation          04/08/2004 08:56:58         358400     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          04/08/2004 08:56:58         129536     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          04/08/2004 08:56:58         380416     C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation          04/08/2004 08:56:58         68608      C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         13/04/2005 03:48:52         49265      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          23/08/2001 13:00:00         187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          04/08/2004 08:56:58         618496     C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          23/08/2001 13:00:00         35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          04/08/2004 08:56:58         25600      C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation          04/08/2004 08:56:58         257024     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          23/08/2001 13:00:00         36864      C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          04/08/2004 08:56:58         32768      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          04/08/2004 08:56:58         114688     C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation          04/08/2004 08:56:58         298496     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          23/08/2001 13:00:00         28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          04/08/2004 08:56:58         94208      C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          04/08/2004 08:56:58         148480     C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation          26/05/2005 04:16:30         174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          23/08/2001 13:00:00         187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          23/08/2001 13:00:00         35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          23/08/2001 13:00:00         36864      C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          23/08/2001 13:00:00         28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          26/05/2005 04:16:30         174360     C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Intel Corporation              30/09/2004 16:39:50         94208      C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     14/02/2005 00:18:36         1757       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                     23/11/2004 14:47:02      HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     19/02/2005 02:34:20         533        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus Xtreme G Configuration Utility.lnk
                     06/03/2005 17:29:56         694        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
                     18/01/2005 22:56:24         1725       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
                     19/02/2005 21:25:34         875        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
                     03/09/2005 22:12:12         1648       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
                     24/09/2005 11:35:42         1518       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     23/11/2004 14:37:10      HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini
                     18/09/2005 23:32:06         1751       C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
                     23/11/2004 14:47:02      HS 84         C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     23/11/2004 14:37:10      HS 62         C:\Documents and Settings\Administrator\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
   SV1    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TheCleaner
   {2DE506B9-4320-11d3-8E42-002035221EDA}    = C:\Program Files\The Cleaner\tcshellex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TheCleaner
   {2DE506B9-4320-11D3-8E42-002035221EDA}    = C:\Program Files\The Cleaner\tcshellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
   {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}    = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TheCleaner
   {2DE506B9-4320-11D3-8E42-002035221EDA}    = C:\Program Files\The Cleaner\tcshellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
    = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}
   bho2gr Class = C:\Program Files\GetRight\xx2gr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9394EDE7-C8B5-483E-8773-474BF36AF6E4}
   ST = C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
   MSNToolBandBHO = C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
   Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}    = MSN   : C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
   ButtonText    = Real.com   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
   ButtonText    = Messenger   : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   DrvLsnr   C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
   BJCFD   C:\Program Files\BroadJump\Client Foundation\CFD.exe
   Pop-Up Stopper   "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
   IgfxTray   C:\WINDOWS\system32\igfxtray.exe
   HotKeysCmds   C:\WINDOWS\system32\hkcmd.exe
   tcactive   C:\Program Files\The Cleaner\tca.exe
   tcmonitor   C:\Program Files\The Cleaner\tcm.exe
   AVG7_CC   C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
   AVG7_EMC   C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
   FTN95 Update   "C:\Program Files\Salford Software\FTN95\FTN95 update checker.exe" /silent
   LVComs   C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
   NeroCheck   C:\WINDOWS\system32\NeroCheck.exe
   TkBellExe   "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
   smapp   C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
   Persistence   C:\WINDOWS\system32\igfxpers.exe
   ScanRegistry   C:\W
   Zone Labs Client   C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
   PCMService   "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
   iTunesHelper   "C:\Program Files\iTunes\iTunesHelper.exe"
   QuickTime Task   "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   CTFMON.EXE   C:\WINDOWS\System32\CTFMON.EXE

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
    = igfxdev.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 24/09/2005 16:58:06


Panda:

Incident                      Status                        Location                                                                                                                                                                                                                                                        

Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\ CWNA - Certified Wireless Network Admin.zip[Setup.exe]                                                                                                                                                                  
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\ Exploring IBM eServer iSeries.zip[Setup.exe]                                                                                                                                                                            
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\ Mastering UNIX Shell Scripting.zip[Setup.exe]                                                                                                                                                                            
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\ Media Security Plus Exam Guide-TestTake.zip[Setup.exe]                                                                                                                                                                  
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\18 years old Lolita.zip[Setup.exe]                                                                                                                                                                                        
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\18yr old Teen [censored] Hard.zip[Setup.exe]                                                                                                                                                                                  
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\2 Blonde Teens [censored] a Huge Cock.zip[Setup.exe]                                                                                                                                                                            
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\246 Arcade Games!.zip[Setup.exe]                                                                                                                                                                                          
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\311 - Dont Tread On Me.zip[Setup.exe]                                                                                                                                                                                    
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\3D MP3 Sound Recorder v3.8.12.zip[Setup.exe]                                                                                                                                                                              
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\3D Sexvilla.zip[Setup.exe]                                                                                                                                                                                                
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\3D Studio Max 7.0.zip[Setup.exe]                                                                                                                                                                                          
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\3PlaneSoft Screensavers AIO, by warewo.zip[Setup.exe]                                                                                                                                                                    
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\7-Zip 4.20.zip[Setup.exe]                                                                                                                                                                                                
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\7-Zip 4.27 Beta.zip[Setup.exe]                                                                                                                                                                                            
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Abbyy FineReader v. 8.0.0.677 Professional.zip[Setup.exe]                                                                                                                                                                
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\ABBYY Lingvo 10.0.0.213 Multiligual.zip[Setup.exe]                                                                                                                                                                        
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\ABBYY ScanTo Office 1.0 Multilingual.zip[Setup.exe]                                                                                                                                                                      
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Accent Word Password Recovery 2.30.zip[Setup.exe]                                                                                                                                                                        
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Acoo Browser 1.25 Build 870.zip[Setup.exe]                                                                                                                                                                                
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Acoustica MP3 Audio Mixer v2.471.zip[Setup.exe]                                                                                                                                                                          
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Acoustica MP3 CD Burner v4.01.111.zip[Setup.exe]                                                                                                                                                                          
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Acronis True Image v9.0.2245.zip[Setup.exe]                                                                                                                                                                              
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\ActiveX Registration Manager.v3.7.7.zip[Setup.exe]                                                                                                                                                                        
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Adobe Audition 1.5.zip[Setup.exe]                                                                                                                                                                                        
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\AdSpy Eliminator 1.0.zip[Setup.exe]                                                                                                                                                                                      
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\AdwareX Eliminator 2.0.zip[Setup.exe]                                                                                                                                                                                    
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Ahead NeroVision Express 3.0.1.27.zip[Setup.exe]                                                                                                                                                                          
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\AIO Password Utilities 2005.zip[Setup.exe]                                                                                                                                                                                
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Aliens vs Predator 2 - (Gold Edition).zip[Setup.exe]                                                                                                                                                                      
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\All Image v1.2.zip[Setup.exe]                                                                                                                                                                                            
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Alone In The Dark Xvid.zip[Setup.exe]                                                                                                                                                                                    
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\American Pie 1,2 & 3 Xvid.zip[Setup.exe]                                                                                                                                                                                  
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Anacondas The Hunt For The Blood Orchid XviD.zip[Setup.exe]                                                                                                                                                              
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\AntiSpy 2.13.zip[Setup.exe]                                                                                                                                                                                              
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\AnyDVD 5.4.3.1.zip[Setup.exe]                                                                                                                                                                                            
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\AnyDVD v5.4.4.1.zip[Setup.exe]                                                                                                                                                                                            
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Apollo DVD Label Maker 1.5.0.zip[Setup.exe]                                                                                                                                                                              
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Ashampoo Magic Defrag 1.01.zip[Setup.exe]                                                                                                                                                                                
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Ashampoo Magic Defrag v1.01.zip[Setup.exe]                                                                                                                                                                                
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Ashampoo Magic Security 1.52.zip[Setup.exe]                                                                                                                                                                              
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\ATI Catalyst 5.5.zip[Setup.exe]                                                                                                                                                                                          
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Auto FX DreamSuite Series v1.31 Adobe PS.zip[Setup.exe]                                                                                                                                                                  
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\AutoDWG DWGSee 2006 v1.8.zip[Setup.exe]                                                                                                                                                                                  
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\AVG Anti-Virus Professional Single Edition.zip[Setup.exe]                                                                                                                                                                
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\AVG Free Edition 7.323.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Ballance v1.13.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Band of Brothers.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Batman Begins DVD Rip Xvid.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Becky! Internet Mail v2.21.01.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Belltech Greeting Cards Designer v2.1.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Belltech ScreenSmart v3.0.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Below DVD Rip Xvid.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Bewitched.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Biromsoft WebCam 4.0.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Blade 3 Trinity OST.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Blumentals iNet Protector v2.1 Retail.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Bob Dylan - No Direction Home The Sound.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Browse Anywhere 1.01.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Browser Hijack Retaliator 4.0.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Burnout Legends.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\Call of Duty.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\Documents and Settings\mo\Complete\CARCare Desktop Edition v2.0.079.zip[Setup.exe]

Offline another_victim

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
alcan.a. help
« Reply #8 on: September 24, 2005, 12:37:50 PM »
As you can see, the dodgy files Panda found all came from the same place, namely the folder "complete." I believe the source to be a prog I had installed for all of 5 mins cos I wanted to listen to 1 song which I can't buy till next year. Will continue my previously upheld policy of not using such progs methinks, a moment of weakness can be a bit damn time-consuming :D
Was quite surprising, keep my software up-to-date and virus-checked (AVG) the file before installing it. Will evidently have to be more careful in future.

AVG had mentioned this SDBOT virus before, but it appears Panda has actually disposed of it, as running Panda again shows no infection from "viruses or malicious software."

I assume I should delete the folder "complete"?!

CTRL+ALT+DEL now works again under normal booting.

Should I rescan with adaware and spybot and/or other things?
Thanks for your help so far and I await further instructions!
« Last Edit: September 24, 2005, 12:47:06 PM by another_victim »
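As an added example (not from this thread or from Panda), a small Python parser for the three-column report layout quoted above that groups detections by the folder of the file on disk, which is how you would confirm the observation that every hit sits under the one "Complete" folder, and lists anything the scanner did not report as disinfected. The sample lines, the "Not disinfected" action and the Adware entry are constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample lines in the column layout of the Panda report quoted
# above: detection name, action taken, path (archive member in brackets).
# The third and fourth lines are made up to show a failed clean-up and a
# second folder; they are not from the thread.
SAMPLE_REPORT = """\
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\\Documents and Settings\\mo\\Complete\\Ballance v1.13.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Disinfected                   C:\\Documents and Settings\\mo\\Complete\\Call of Duty.zip[Setup.exe]
Virus:W32/Sdbot.FCR.worm      Not disinfected               C:\\Documents and Settings\\mo\\Complete\\Bewitched.zip[Setup.exe]
Adware:Example/Sample         Disinfected                   C:\\WINDOWS\\Temp\\example.tmp
"""

# Columns are separated by runs of two or more spaces; the path column may
# itself contain single spaces, so a plain split() would break it apart.
LINE_RE = re.compile(r"^(?P<name>\S+)\s{2,}(?P<action>.+?)\s{2,}(?P<path>.+?)\s*$")
MEMBER_RE = re.compile(r"^(?P<container>.+)\[(?P<member>[^\[\]]+)\]$")


def parse_report(text):
    """Return one dict per detection line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        inner = MEMBER_RE.match(rec["path"])
        # Split "archive.zip[Setup.exe]" into the file on disk and the member inside it.
        rec["container"] = inner.group("container") if inner else rec["path"]
        rec["member"] = inner.group("member") if inner else None
        records.append(rec)
    return records


def detections_by_folder(records):
    """Count detections per parent folder of the file actually on disk."""
    return Counter(str(PureWindowsPath(r["container"]).parent) for r in records)


def needs_attention(records):
    """Paths the scanner reported but did not mark as disinfected."""
    return [r["path"] for r in records if r["action"] != "Disinfected"]


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for folder, n in detections_by_folder(recs).most_common():
        print(f"{n:3d}  {folder}")
    for path in needs_attention(recs):
        print("not disinfected:", path)
```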

Offline Cretemonster

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
    • View Profile
alcan.a. help
« Reply #9 on: September 24, 2005, 03:06:30 PM »
Well, I didn't quite expect that, but the Panda Scan was worth its weight in gold obviously!

Go into Safe Mode and Delete the Complete folder and also look in C drive for a file or folder labeled W

Have HijackThis fix

O4 - HKLM\..\Run: [ScanRegistry] C:\W

Go ahead and Delete WinPFind and BFU if you like, it appears the PC is in much better shape!

If you like, update Ewido and AVG and Scan the System with both in Safe Mode after deleting the folders and Restarting the PC!

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update Immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

Made Easy
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Post back and let me know how things are?

Offline another_victim

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
alcan.a. help
« Reply #10 on: September 25, 2005, 12:43:38 PM »
Hi again!

Couldn't find any file or folder simply labelled W, went ahead with the HijackThis fix anyway. Looking at previous topics, looks like the creation of the hidden "complete" folder is quite common.

Have run Panda, AVG, Adaware, Spybot, Ewido and none can find anything now so looks good!

Is the "hosts" file something that should be updated regularly?

Anything else I should do now? For example, should I empty the recycle bin of the winlog.exe .pf file I mentioned in a previous post?

Also, should I re-enable system restore now and run that system snapshot option in spyblaster?

Once again, many thanks for taking the time to help, you've undoubtedly saved me a lot of trouble and certainly time which might have been spent reformatting.

Offline Cretemonster

  • Jr. Member
  • **
  • Posts: 88
  • Karma: +0/-0
    • View Profile
alcan.a. help
« Reply #11 on: September 25, 2005, 05:42:25 PM »
As for the Hosts File, I would check about once a month for updates; WinHelp2002 is always collecting new entries and updates several times a year!

Spyware Blaster and Your AV along with Windows should be checked weekly!

Go ahead and re-enable system restore and, if you wish, take a new system snapshot with SpywareBlaster.

They are one and the same, and a backup can't hurt!

Read through those little black links in my signature for some other good ideas on how to avoid this in the future!

If you have any other questions, feel free to ask away!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
alcan.a. help
« Reply #12 on: September 30, 2005, 11:36:00 PM »
Problems appear resolved
I'll lock this topic
another_victim
If you need this topic reopened
Please PM myself or the site Admin and supply a link to this thread

Stay safe :)
« Last Edit: September 30, 2005, 11:36:22 PM by guestolo »
