Author Topic: Win32.P2P-Worm.Alcan.a  (Read 1991 times)

Offline Xandrino

« on: October 18, 2005, 09:05:46 AM »
Hello, could someone help me out with this Win32.P2P-Worm.Alcan.a worm? I will post my Hijackthis and Panda logs below.
Thanks in advance,

Xandrino


Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:31:01 AM, on 10/18/2005
Platform: Windows XP SP2, v.2055 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2055)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R3 - URLSearchHook: (no name) - {D8F1D472-D201-2297-8BD5-72CC290E4A82} - EXE32EXE.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [UserSp1] startman.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [Dest068] SYSTRAV.exe
O4 - HKCU\..\Run: [CToolBar] StartCpl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B5FE67A-15BF-4A47-A256-65CBD1BB074E}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{E27FB89E-8A71-492A-ABFB-A44132D0A21B}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B5FE67A-15BF-4A47-A256-65CBD1BB074E}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{5B5FE67A-15BF-4A47-A256-65CBD1BB074E}: NameServer = 69.50.176.158,85.255.112.8
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

my Panda log:

Incident                      Status                        Location                                                                                                                                                                                                                                                        

Virus:Trj/Downloader.EEV      Disinfected                   C:\WINDOWS\q16333078_disk.dll                                                                                                                                                                                                                                  
Adware:adware/sbsoft          No disinfected                C:\WINDOWS\rdt.ini                                                                                                                                                                                                                                              
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\XANDER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-29893042-422de001.zip[GetAccess.class]                                                                                                                
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\XANDER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-29893042-422de001.zip[InsecureClassLoader.class]                                                                                                      
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\XANDER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-29893042-422de001.zip[Dummy.class]                                                                                                                    
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\XANDER\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-29893042-422de001.zip[Installer.class]                                                                                                                
Spyware:spyware/wareout       No disinfected                C:\Documents and Settings\XANDER\Application Data\wo.tmp                                                                                                                                                                                                        
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Trojan Remover 6.3.5.zip[Setup.exe]                                                                                                                                                                                  
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\FileRecoveryAngel 1.06.zip[Setup.exe]                                                                                                                                                                                
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\ImTOO Mpeg Encoder 2.1.55.1008b.zip[Setup.exe]                                                                                                                                                                        
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Default Printer 2.1.zip[Setup.exe]                                                                                                                                                                                    
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Hitman 2.zip[Setup.exe]                                                                                                                                                                                              
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Moto GP 3.zip[Setup.exe]                                                                                                                                                                                              
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\File Utilities.zip[Setup.exe]                                                                                                                                                                                        
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Maxthon.zip[Setup.exe]                                                                                                                                                                                                
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\TVolution 1.0.zip[Setup.exe]                                                                                                                                                                                          
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Mcft Windows XP Scene Edition 1.6 INTER.zip[Setup.exe]                                                                                                                                                                
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\DVD to AVI DivX MPEG Ripper converts 7gb.zip[Setup.exe]                                                                                                                                                              
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Visual.CertExam.Suite 1.7.542.CHiCNCREA.zip[Setup.exe]                                                                                                                                                                
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Boris RED 3GL incl Plugins.zip[Setup.exe]                                                                                                                                                                            
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\PHPMaker 3.02.zip[Setup.exe]                                                                                                                                                                                          
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\HiDownload 6.4.zip[Setup.exe]                                                                                                                                                                                        
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Download Tunnel Me 2.0.1 , set up tunne.zip[Setup.exe]                                                                                                                                                                
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Simpsons hit and run.zip[Setup.exe]                                                                                                                                                                                  
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Batman Begins.zip[Setup.exe]                                                                                                                                                                                          
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\HTMLRunExe 2.0.zip[Setup.exe]                                                                                                                                                                                        
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Clipboard Box 2.2.zip[Setup.exe]                                                                                                                                                                                      
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\MaxBulk Mailer 4.3.zip[Setup.exe]                                                                                                                                                                                    
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\QuickTime Alternative 1.63.zip[Setup.exe]                                                                                                                                                                            
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Real Alternative 1.44.zip[Setup.exe]                                                                                                                                                                                  
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\ArtMoney 7.14.zip[Setup.exe]                                                                                                                                                                                          
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\I-Sound WMA MP3 Recorder Pro 6.57.3.zip[Setup.exe]                                                                                                                                                                    
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Cute CD DVD Burner 2.3.zip[Setup.exe]                                                                                                                                                                                
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\C-Organizer Professional 3.4.zip[Setup.exe]                                                                                                                                                                          
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\PowerGREP 3.2.0.zip[Setup.exe]                                                                                                                                                                                        
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Foxy 1.0.4.zip[Setup.exe]                                                                                                                                                                                            
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\UltraISO 7.65.zip[Setup.exe]                                                                                                                                                                                          
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Reportizer 2.2.5.73.zip[Setup.exe]                                                                                                                                                                                    
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Screen VidShot 2.1.zip[Setup.exe]                                                                                                                                                                                    
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Macro Recorder 2.11.zip[Setup.exe]                                                                                                                                                                                    
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\EditPlus V. 2.20.zip[Setup.exe]                                                                                                                                                                                      
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\SMS Create Pro 5.5.zip[Setup.exe]                                                                                                                                                                                    
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Panda Titanium Antivirus.zip[Setup.exe]                                                                                                                                                                              
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\CorelDRAW Graphics Suite 12.zip[Setup.exe]                                                                                                                                                                            
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\Ulead PhotoImpact 11.zip[Setup.exe]                                                                                                                                                                                  
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\DZSoft PHP Editor 3.5.0.2.zip[Setup.exe]                                                                                                                                                                              
Virus:W32/Alcan.A.worm        Disinfected                   C:\Documents and Settings\XANDER\Complete\SQL Server Backup 4.01.zip[Setup.exe]                                                                                                                                                                                
Virus:W32/Alcan.A.worm        Disinfected                   C:\Program Files\winupdates\winupdates.exe                                                                                                                                                                                                                      
Virus:W32/Alcan.A.worm        Disinfected                   C:\Program Files\winupdates\a.tmp                                                                                                                                                                                                                              
Virus:W32/Alcan.A.worm        Disinfected                   C:\Program Files\winupdates\a.zip[Setup.exe]                                                                                                                                                                                                                    
Virus:Trj/DelCache.A          Disinfected                   C:\System Volume Information\_restore{58931BB6-457C-40CE-9E49-56E1BAFAA524}\RP40\A0009708.exe                                                                                                                                                                  
Virus:Trj/Troiram.A           Disinfected                   C:\System Volume Information\_restore{58931BB6-457C-40CE-9E49-56E1BAFAA524}\RP40\A0009716.exe                                                                                                                                                                  
Virus:Trj/DelCache.A          Disinfected                   C:\System Volume Information\_restore{58931BB6-457C-40CE-9E49-56E1BAFAA524}\RP40\A0010708.exe                                                                                                                                                                  
Virus:Trj/Troiram.A           Disinfected                   C:\System Volume Information\_restore{58931BB6-457C-40CE-9E49-56E1BAFAA524}\RP40\A0010721.exe                                                                                                                                                                  
Virus:Trj/DelCache.A          Disinfected                   C:\System Volume Information\_restore{58931BB6-457C-40CE-9E49-56E1BAFAA524}\RP40\A0011708.exe                                                                                                                                                                  
Virus:Trj/Troiram.A           Disinfected                   C:\System Volume Information\_restore{58931BB6-457C-40CE-9E49-56E1BAFAA524}\RP40\A0011720.exe                                                                                                                                                                  
Virus:Trj/DelCache.A          Disinfected                   C:\System Volume Information\_restore{58931BB6-457C-40CE-9E49-56E1BAFAA524}\RP40\A0011746.exe                                                                                                                                                                  
Virus:Trj/Troiram.A           Disinfected                   C:\System Volume Information\_restore{58931BB6-457C-40CE-9E49-56E1BAFAA524}\RP40\A0011759.exe                                                                                                                                                                  
Virus:Trj/Qhost.BP            Disinfected                   C:\System Volume Information\_restore{58931BB6-457C-40CE-9E49-56E1BAFAA524}\RP40\A0011762.EXE                                                                                                                                                                  
Adware:Adware/Findspy         No disinfected                C:\System Volume Information\_restore{58931BB6-457C-40CE-9E49-56E1BAFAA524}\RP40\A0011763.exe

Could somebody help me with these results? I have no clue what to do...thanks!
« Last Edit: October 18, 2005, 09:06:24 AM by Xandrino »

Offline guestolo

« Reply #1 on: October 18, 2005, 11:44:10 PM »
Can you do the following please

I need you to download a couple tools

==Download and Install
Windows Cleanup! 4.0
Don't run this yet, we'll need it in a bit
Alternate download location if having trouble with the first link

==Download and UNZIP to desktop
BFU.zip
So you now have BFU.exe extracted to desktop

Please Download and UNZIP to desktop
p2pnetwork.zip
Make sure you unzip this so you now have p2pnetwork.bfu extracted to desktop

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please print this out or save these instructions to notepad for reference

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it.  Click Next, then Install, then make sure "Run fixit" is checked and click Finish.  The fix will begin; follow the prompts.  You will be asked to reboot your computer; please do so.  Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.  Afterwards, HijackThis will launch.  Please click Do a System Scan Only, and check the following items:

R3 - URLSearchHook: (no name) - {D8F1D472-D201-2297-8BD5-72CC290E4A82} - EXE32EXE.dll (file missing)
O1 - Hosts: localhost 127.0.0.1

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [UserSp1] startman.exe

O4 - HKCU\..\Run: [Dest068] SYSTRAV.exe
O4 - HKCU\..\Run: [CToolBar] StartCpl.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B5FE67A-15BF-4A47-A256-65CBD1BB074E}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{E27FB89E-8A71-492A-ABFB-A44132D0A21B}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B5FE67A-15BF-4A47-A256-65CBD1BB074E}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{5B5FE67A-15BF-4A47-A256-65CBD1BB074E}: NameServer = 69.50.176.158,85.255.112.8


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode

Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu on your desktop
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files
DECLINE to Log off or Restart when scan is done.

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Restart back to Normal mode
Back in Windows, I need to see a few logs

Run hijackthis again and post a fresh log, also include the report from Ewido
Could you also post the report.txt from fixwareout in the following location
C:\fixwareout\report.txt

NOTE: Only if you are having troubles connecting to the internet after doing any of the above, please do the following
Go to Start -> Control Panel, and choose Network Connections.  Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.  Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.  Click OK twice, and restart your computer.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
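
The log review in this thread, as an added example (not part of the original posts, and not code from HijackThis, Panda or any tool named here): a small triage script that parses HijackThis entries, cross-references O4 autorun paths against the Panda report, and surfaces O17 NameServer overrides, run over lines copied from the logs in the first post. The heuristics, the `BARE_OK` allowlist and all function names are assumptions of this example; the output is a list for an analyst to review, not a verdict.

```python
import re

# Lines copied from the first HijackThis log in this thread (subset).
HJT_LINES = r"""
R3 - URLSearchHook: (no name) - {D8F1D472-D201-2297-8BD5-72CC290E4A82} - EXE32EXE.dll (file missing)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [UserSp1] startman.exe
O4 - HKCU\..\Run: [Dest068] SYSTRAV.exe
O4 - HKCU\..\Run: [CToolBar] StartCpl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B5FE67A-15BF-4A47-A256-65CBD1BB074E}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{5B5FE67A-15BF-4A47-A256-65CBD1BB074E}: NameServer = 69.50.176.158,85.255.112.8
""".strip().splitlines()

# Lines copied from the Panda report in this thread (subset, padding trimmed).
AV_LINES = r"""
Adware:adware/sbsoft          No disinfected                C:\WINDOWS\rdt.ini
Virus:W32/Alcan.A.worm        Disinfected                   C:\Program Files\winupdates\winupdates.exe
Virus:W32/Alcan.A.worm        Disinfected                   C:\Program Files\winupdates\a.zip[Setup.exe]
""".strip().splitlines()

# Assumption of this example: bare image names accepted without a full path.
BARE_OK = {"rundll32.exe"}

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>.+?)\] (?P<cmd>.+)$")
# Executable image at the start of a command line, optionally quoted.
IMAGE = re.compile(r'^"?(.+?\.(?:exe|dll|com|bat|cmd|scr))\b', re.I)


def parse_av(lines):
    """Map lowercased detection location -> incident for a three-column report."""
    hits = {}
    for line in lines:
        cols = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(cols) == 3:
            incident, _status, location = cols
            # Drop an archive-member suffix such as "a.zip[Setup.exe]".
            hits[re.sub(r"\[[^\]]*\]$", "", location).lower()] = incident
    return hits


def triage(hjt_lines, av_lines):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    av = parse_av(av_lines)
    findings = []
    for line in hjt_lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        if body.endswith("(file missing)"):
            findings.append((code, "target file missing", body))
        if code == "O17" and "NameServer = " in body:
            # Static DNS servers written into the TCP/IP interface settings.
            servers = body.split("NameServer = ", 1)[1].replace(",", " ").split()
            findings.append((code, "static DNS servers", ",".join(servers)))
        run = RUN.match(body) if code == "O4" else None
        if run:
            img = IMAGE.match(run["cmd"])
            image = img.group(1) if img else run["cmd"]
            if image.lower() in av:
                reason = "autorun matches AV detection: " + av[image.lower()]
                findings.append((code, reason, run["name"]))
            elif "\\" not in image and image.lower() not in BARE_OK:
                # No directory given: Windows resolves the name via its search path.
                findings.append((code, "autorun without a full path", run["name"]))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(HJT_LINES, AV_LINES):
        print(f"{code:4} {reason:55} {detail}")
```
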


Offline Xandrino

« Reply #2 on: October 28, 2005, 12:32:07 AM »
Hello there, thanks for your help. I've followed your instructions, here are my logs...

Logfile of HijackThis v1.99.1
Scan saved at 7:18:55 AM, on 10/28/2005
Platform: Windows XP SP2, v.2055 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2055)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         7:11:52 AM, 10/28/2005
 + Report-Checksum:      6F0CC124

 + Scan result:

   HKU\S-1-5-21-299502267-1592454029-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
   HKU\S-1-5-21-299502267-1592454029-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36600C37-FAC4-471E-90BB-FC7A9C979C24} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-299502267-1592454029-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{49160F0D-6BE2-4F5F-BCDB-9256DA3BB120} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-299502267-1592454029-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99410CDE-6F16-42CE-9D49-3807F78F0287} -> Spyware.Zango : Cleaned with backup
   HKU\S-1-5-21-299502267-1592454029-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B10031B2-F184-4803-9A88-D239C0641D70} -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-299502267-1592454029-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF69DF00-2734-477F-8257-27CD04F88779} -> TrojanDownloader.Wareout : Cleaned with backup
   HKU\S-1-5-21-299502267-1592454029-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-299502267-1592454029-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F0DC0CFE-D11A-489B-84C0-63748AFAABF3} -> Spyware.ZyncosMark : Cleaned with backup
   C:\WINDOWS\system32\cspzz.exe -> TrojanDropper.Vidro.u : Cleaned with backup


Fixwareout ver 1.002
Post this report in the forums please
 
Reg Entries that were deleted
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
 
»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSPZZ.EXE
 
»»»»» Misc files
 
»»»»» Checking for older varients covered by the Rem3 tool

PS. There were 2 files you mentioned I should check to have fixed in HijackThis that I didn't see. I guess that's good, but I will tell you the 2 files just in case it might help:

O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

Offline guestolo

« Reply #3 on: October 28, 2005, 10:41:38 AM »
That looks good
Some final cleanup
Delete this file if found
C:\WINDOWS\rdt.ini <-file

Open Windows Control Panel and double click on the Java icon to open it
Under the General tab click the Delete files and then OK>>OK

If everything is running better, please do the following
You should disable system restore and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature

Once System Restore is reenabled

You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply click the "enable all protection"
IE-Spyad is compatible with SP2 as well
« Last Edit: October 28, 2005, 10:48:41 AM by guestolo »
