Topic: win 32 p2p worm alcan a

wormit
« on: March 04, 2006, 03:00:37 AM »
Hi all,

I downloaded LimeWire software a couple of days ago and then I blocked a firewall setting asking me to let p2p networking access the internet. The LimeWire software also kept restarting every 15 mins. I uninstalled LimeWire and I removed the worm using Adaware SE Personal and AVG Free software.... BUT yesterday when I tried to log in to my email account the error page started showing up (cannot find server - the page cannot be displayed).
I had trojan horse dialer 16 bh also, but removed this and the worm like I said earlier.
And something that also bothered me was when I ran AVG Free and scanned the computer, it showed the results saying the boot sector has changed.

Can someone plz help me :) ty :huh:

guestolo
« Reply #1 on: March 04, 2006, 10:58:36 AM »
Can you post a HijackThis log please?
Here are the instructions

Post the log back to this thread


wormit
« Reply #2 on: March 04, 2006, 03:11:15 PM »
Hi :)

I read a thread with a similar problem concerning this worm and I followed the steps as you have given, but still the problem seems to be there.
So here goes my log file.


Logfile of HijackThis v1.99.1
Scan saved at 2:02:45 AM, on 3/5/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Norton Internet Security\NISSERV.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\NORTON~1\navapw32.exe
D:\PROGRA~1\DAP\DAP.EXE
D:\Program Files\WildTangent\Apps\GameChannel.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Norton Internet Security\SymProxySvc.exe
D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [WT GameChannel] D:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessectio...redlauncher.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://nucleus.name/exp/chm//x.chm::/open.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/ve...n7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20347BB5-A569-4778-A440-78C699E153CE}: NameServer = 203.115.0.47 203.115.0.46
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
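As an added example (not part of the original thread, and not HijackThis's own code), the following Python script applies to a log like the one above the checks a helper makes by eye: blank-named O4 autoruns such as the p2pnetworking.exe entries, O16 DPF entries with placeholder CLSIDs or non-web sources, orphaned O2/O3 entries, and O23 services with no vendor name. The sample lines are a constructed subset copied from the posted log.

```python
"""Triage the O2/O3/O4/O16/O23 lines of a HijackThis log.

Added example: the rules below encode the checks a malware-removal helper
makes by eye on a log like the one posted above; they are not part of HijackThis.
"""
import re

# Constructed subset of the log posted in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://nucleus.name/exp/chm//x.chm::/open.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe
"""

# "O4 - <body>": section tag, then the entry body.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 registry autoruns: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O16 Downloaded Program Files: DPF: {CLSID} (friendly name) - source
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<src>.+)$")


def check_entry(section, body):
    """Return the reasons this entry deserves a second look (empty list if none)."""
    reasons = []
    if section in ("O2", "O3") and body.endswith("(no file)"):
        reasons.append("orphaned entry: registered component is no longer on disk")
    elif section == "O4":
        m = O4_RE.match(body)
        if m:
            if m.group("name") == "":
                reasons.append("autorun value with a blank name")
            if m.group("key").lower() == "runservices":
                reasons.append("RunServices is a Win9x-era autostart key that XP software rarely uses")
            parts = m.group("cmd").split()
            if parts and "\\" not in parts[0] and ":" not in parts[0]:
                reasons.append("command has no directory, so it is resolved through the search path")
    elif section == "O16":
        m = O16_RE.match(body)
        if m:
            clsid, src = m.group("clsid"), m.group("src")
            # A CLSID whose first group is one repeated digit is a made-up placeholder.
            if len(set(clsid.split("-")[0])) == 1:
                reasons.append("placeholder CLSID (one repeated digit), not a registered control")
            scheme = src.split(":", 1)[0].lower()
            if scheme not in ("http", "https"):
                reasons.append(f"DPF source uses the '{scheme}:' scheme instead of a web URL")
    elif section == "O23" and "- Unknown owner -" in body:
        reasons.append("service with no vendor name: verify the binary before trusting it")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return one finding per flagged line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, running-process list, blank lines
        reasons = check_entry(m.group("section"), m.group("body"))
        if reasons:
            findings.append({"section": m.group("section"), "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```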

guestolo
« Reply #3 on: March 04, 2006, 06:50:39 PM »
I'm not sure what steps you tried; can you link me to what you did please?
You appear to be running Norton AntiVirus and AVG anti-virus.
It's not recommended to run more than one active AV at the same time.
They will conflict with each other!
I suggest that you uninstall one or the other.
Reboot the computer.

Back in Windows, you're way behind on Windows updates.
Go to this link and download and install Service Pack 1a:
http://www.microsoft.com/windowsxp/downloa...1/expresso.mspx
Reboot when prompted.

Go back to Windows Updates, accessed through Internet Explorer in TOOLS>>Windows Updates.
Get all other Critical (High Priority) updates.
DON'T install Service Pack 2 right now; you can do this after you are clean. It is highly recommended NOT to install SP2 until you are clear of malware.

Come back here after and post a fresh HijackThis log.
« Last Edit: March 04, 2006, 09:27:11 PM by guestolo »


wormit
« Reply #4 on: March 05, 2006, 03:34:00 AM »
I uninstalled Norton AntiVirus. I tried to install Windows Service Pack 1a, but halfway through the process the following error showed up, so I couldn't install the service pack.

SERVICE PACK 1 SETUP ERROR
 "The Product key used to install windows is invalid. Please contact your system administrator or retailer immediately to obtain a valid Product key. You may also contact Microsoft Corporation's Anti Privacy Team by emailing [email protected] if you think you have purchased pirated Microsoft software. Please be ensured that any personal information you send to Microsoft Anti privacy Team will be kept in strict confidence."

The steps I said I used earlier are from the following: The link

The HJT log file:

Logfile of HijackThis v1.99.1
Scan saved at 2:30:47 PM, on 3/5/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Norton Internet Security\NISSERV.EXE
D:\Program Files\Norton Internet Security\SymProxySvc.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\DAP\DAP.EXE
D:\Program Files\WildTangent\Apps\GameChannel.exe
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [WT GameChannel] D:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessectio...redlauncher.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://nucleus.name/exp/chm//x.chm::/open.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/ve...n7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20347BB5-A569-4778-A440-78C699E153CE}: NameServer = 203.115.0.47 203.115.0.46
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

wormit
« Reply #5 on: March 05, 2006, 07:29:37 AM »
Can anyone help?

guestolo
« Reply #6 on: March 05, 2006, 11:36:17 AM »
I'll help as much as I can, but your version of Windows is apparently an illegal copy.
Chances are in the near future you will be reinfected with something else, maybe far worse than what you have right now.

Do the following please
Make sure that your firewall is running
Download and save WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe

Click START SCAN
Let this finish, a log will open so you will know it's done
Close out after

Reboot back to Normal mode

Back in Windows
Post the results of the WinPFind.txt located in the WinPFind folder

Where did you save p2pnetwork.bfu and bfu.exe?
To your C: or D: drive?
« Last Edit: March 05, 2006, 11:36:51 AM by guestolo »


wormit
« Reply #7 on: March 05, 2006, 01:08:00 PM »
I saved the p2pnetwork.bfu and bfu.exe in the C: drive

Results of the WinPFind.txt:


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build:     Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack               6/17/2000 2:41:10 AM        48640      D:\WINDOWS\SYSTEM32\DC_KDC265.apl
PEC2                 8/23/2001 5:00:00 PM        41397      D:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2           2/8/2006 11:23:40 AM        4513120    D:\WINDOWS\SYSTEM32\MRT.exe
aspack               2/8/2006 11:23:40 AM        4513120    D:\WINDOWS\SYSTEM32\MRT.exe
Umonitor             8/23/2001 5:00:00 PM        630784     D:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              8/23/2001 5:00:00 PM        1309184    D:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX!                 3/1/2006 7:31:14 PM         752608     D:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG!                 3/1/2006 7:31:14 PM         752608     D:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2                 3/1/2006 7:31:14 PM         752608     D:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack               3/1/2006 7:31:14 PM         752608     D:\WINDOWS\SYSTEM32\drivers\avg7core.sys

Items found in D:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     3/5/2006 11:38:48 PM      S 2048       D:\WINDOWS\bootstat.dat
                     3/5/2006 1:28:20 PM      H  0          D:\WINDOWS\LastGood\INF\oem11.inf
                     3/5/2006 1:28:20 PM      H  0          D:\WINDOWS\LastGood\INF\oem11.PNF
                     3/5/2006 11:38:38 PM     H  8192       D:\WINDOWS\system32\config\default.LOG
                     3/5/2006 11:39:30 PM     H  1024       D:\WINDOWS\system32\config\SAM.LOG
                     3/5/2006 11:38:52 PM     H  12288      D:\WINDOWS\system32\config\SECURITY.LOG
                     3/5/2006 11:42:20 PM     H  102400     D:\WINDOWS\system32\config\software.LOG
                     3/5/2006 11:38:56 PM     H  860160     D:\WINDOWS\system32\config\system.LOG
                     2/18/2006 12:32:00 PM    H  1024       D:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
                     3/5/2006 11:36:26 PM     H  6          D:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          8/23/2001 5:00:00 PM        66048      D:\WINDOWS\SYSTEM32\access.cpl
Avance Logic, Inc.             3/21/2002 8:41:28 AM        544768     D:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation          8/23/2001 5:00:00 PM        558592     D:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        130048     D:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        150016     D:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        294912     D:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        119808     D:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     D:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc.         8/26/2005 6:14:42 PM        49265      D:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        187904     D:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        559616     D:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        35840      D:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        256000     D:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        36864      D:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        36864      D:\WINDOWS\SYSTEM32\odbccp32.cpl
Sun Microsystems               4/28/2000 10:17:16 AM       24660      D:\WINDOWS\SYSTEM32\plugincpl.cpl
Sun Microsystems               5/16/2001 9:10:08 AM        24663      D:\WINDOWS\SYSTEM32\plugincpl140.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        109056     D:\WINDOWS\SYSTEM32\powercfg.cpl
STMicroelectronics              8/17/2004 9:59:32 AM    R   352256     D:\WINDOWS\SYSTEM32\stmadsl.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        270848     D:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        28160      D:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        90112      D:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          5/26/2005 4:16:30 AM        174360     D:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        66048      D:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        558592     D:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        130048     D:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        150016     D:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        294912     D:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        119808     D:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          8/29/2002 3:41:00 AM        208896     D:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        187904     D:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        559616     D:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        35840      D:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        256000     D:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        36864      D:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        36864      D:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        109056     D:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        147456     D:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        270848     D:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        28160      D:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          8/23/2001 5:00:00 PM        90112      D:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     8/16/2005 7:13:48 PM        986        D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
                     12/17/2002 5:52:24 AM       1034       D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Canon LBP-810 Status Window.LNK
                     12/12/2002 4:43:52 AM    HS 84         D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     12/12/2002 5:24:06 AM       1725       D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     12/11/2002 8:30:50 PM    HS 62         D:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
                     12/12/2002 4:43:52 AM    HS 84         D:\Documents and Settings\MEGAPAQ\Start Menu\Programs\Startup\desktop.ini
                     2/23/2003 1:21:24 AM        1510       D:\Documents and Settings\MEGAPAQ\Start Menu\Programs\Startup\MP3 Dancer.lnk
                     8/4/2005 2:44:14 PM         680        D:\Documents and Settings\MEGAPAQ\Start Menu\Programs\Startup\Webshots.lnk

Checking files in %USERPROFILE%\Application Data folder...
                     12/11/2002 8:30:50 PM    HS 62         D:\Documents and Settings\MEGAPAQ\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = D:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
   {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}    =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = D:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
   {85BBD920-42A0-1069-A2E4-08002B30309D}    = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
   {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}    =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = D:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}
   DAPHelper Class = D:\Program Files\DAP\DAPBHO.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   AcroIEHlprObj Class = D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}    =    :
   {62999427-33FC-4baf-9C9C-BCE6BD127F08}    = DAP Bar   : D:\Program Files\DAP\DAPIEBar.dll
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : D:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   : D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
   ButtonText    = Run DAP   : D:\PROGRA~1\DAP\DAP.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6FDD5236-C9F0-49ef-935D-385F5E21991A}
   ButtonText    = Poker.com   : D:\Program Files\Poker.com\poker.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
   ButtonText    = PartyPoker.com   : D:\Program Files\PartyPoker\PartyPoker.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
   Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
   Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} =    :
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\SHELL32.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar   :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   SoundMan   SOUNDMAN.EXE
   CAPON   D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
   DownloadAccelerator   D:\PROGRA~1\DAP\DAP.EXE /STARTUP
   WT GameChannel   D:\Program Files\WildTangent\Apps\GameChannel.exe
   NeroCheck   D:\WINDOWS\system32\NeroCheck.exe
   AdslTaskBar   rundll32.exe stmctrl.dll,TaskBar
   Symantec NetDriver Monitor   D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
   SunJavaUpdateSched   D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
      p2pnetworking.exe
   SSC_UserPrompt   D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
   AVG7_CC   D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
      p2pnetworking.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   Yahoo! Pager   D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = D:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = D:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = D:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 3/5/2006 11:50:31 PM

Offline guestolo

win 32 p2p worm alcan a
« Reply #8 on: March 05, 2006, 01:15:10 PM »
Can you check out one file for me please
It may be legit, I just want a better look at it

Go to either of these links
http://virusscan.jotti.org/
or
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to this file on your hard disk
D:\WINDOWS\SYSTEM32\DC_KDC265.apl <--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you copy and paste back the results of the scan back here please



Offline wormit

win 32 p2p worm alcan a
« Reply #9 on: March 05, 2006, 01:35:36 PM »
File:  DC_KDC265.apl_  
Status:  MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)  
MD5  ea8dfb2e0604ec4b037418097aef8c29  
Packers detected:  ASPACK

Scanner results  
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VirusBuster  Found nothing
VBA32  Found nothing

Offline guestolo

win 32 p2p worm alcan a
« Reply #10 on: March 05, 2006, 01:50:10 PM »
Can you do the following please, let's try saving bfu.exe and p2pnetwork to the d: drive
It looks like most of the associated files are gone
This is just for a double check

Can you open "MyComputer"
Double click to open Local Disk D: drive
Right click an empty spot and left click NEW>>Folder
A new folder will be placed in the D: folder, name it BFU
So you now have D:\BFU

Please download Brute Force Uninstaller
Reminder, choose SAVE rather than OPEN
Then Extract (UNZIP) the contents to the (D:\BFU) folder you just made

RIGHT CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover.
Save it in the folder you made earlier (d:\BFU)

Also: Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WT GameChannel"=-
"p2pnetworking.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"p2pnetworking.exe"=-

Open the D:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu in the D:\BFU folder
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.

Double click on fix.reg and allow to add/merge to the registry

Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://d:\foo.mht!http://nucleus.name/exp/chm//x.chm::/open.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab


After you have ticked the above entries, close all other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


Reboot the computer

Back in Windows
==Open Ewido anti-malware
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
    Then click OK
When Ewido has finished its scan, click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

When it's done
Post back the following
1. Run a "Scan and Save logfile" with Hijackthis and post the fresh log
2. Post the whole report you saved earlier from Ewido's

Could you also right click on
D:\WINDOWS\SYSTEM32\DC_KDC265.apl <-this file
Left click Properties; if there is a Version tab, open it and let me know what it's related to please
« Last Edit: March 05, 2006, 01:54:36 PM by guestolo »

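As an added example (not from this post, and not code from WinPFind, BFU, HijackThis or any other tool named in the thread), here is a small Python script that does in code what the reply above does by hand: it reads the autorun section of a WinPFind-style log, flags the entries a helper would look at first (a value with a blank name, as on the p2pnetworking.exe lines, and anything under the Win9x-era RunServices key), and then writes a REGEDIT4 removal file using the same `"name"=-` syntax as the fix.reg above and reads it back so you can see exactly what it will delete before merging it. The sample log text is constructed from a subset of the WinPFind output earlier in the thread; the heuristics, function names and the choice of which values to delete are my own assumptions, not part of the tools' behaviour.

```python
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]        # (value name, value data) as WinPFind prints them
RunKeys = Dict[str, List[Entry]]

HKLM_RUN = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
HKLM_RUNSERVICES = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices"
AUTORUN_LEAVES = {"Run", "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"}

# Constructed sample: a subset of the "Checking Selected Registry Keys" section of
# the WinPFind log above, in WinPFind's layout (bracketed key, then one indented
# "<value name>   <data>" line per value, columns separated by 3+ spaces).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
   SoundMan   SOUNDMAN.EXE
   WT GameChannel   D:\\Program Files\\WildTangent\\Apps\\GameChannel.exe
   AVG7_CC   D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
      p2pnetworking.exe

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices]
      p2pnetworking.exe

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
   Yahoo! Pager   D:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet
"""


def parse_winpfind_run_keys(text: str) -> RunKeys:
    """Return {registry key: [(value name, data), ...]} for the autorun keys."""
    keys: RunKeys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            header = line[1:-1]
            current = header if header.rsplit("\\", 1)[-1] in AUTORUN_LEAVES else None
            if current is not None:
                keys.setdefault(current, [])
            continue
        if current is None:
            continue
        # A value with a blank name prints as a lone token with extra indentation.
        parts = re.split(r"\s{3,}", line, maxsplit=1)
        name, data = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
        keys[current].append((name, data))
    return keys


def find_suspicious(keys: RunKeys) -> List[Tuple[str, str, str, str]]:
    """Heuristics (mine, not WinPFind's): (key, name, data, reasons) for the
    entries a helper would look at first."""
    hits = []
    for key, entries in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        for name, data in entries:
            reasons = []
            if name == "":
                reasons.append("blank value name")
            if leaf.startswith("RunServices"):
                reasons.append("Win9x-era RunServices key, unusual on NT/2000/XP")
            if reasons:
                hits.append((key, name, data, "; ".join(reasons)))
    return hits


def build_removal_reg(deletions: List[Tuple[str, str]]) -> str:
    """Emit a REGEDIT4 file deleting each (key, value name); '"name"=-' removes
    a value, the same form the fix.reg above uses. Regedit wants CRLF line ends."""
    by_key: Dict[str, List[str]] = {}
    for key, name in deletions:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        for name in names:
            escaped = name.replace("\\", "\\\\").replace('"', '\\"')
            lines.append(f'"{escaped}"=-')
        lines.append("")
    return "\r\n".join(lines)


def parse_reg_deletions(reg_text: str) -> List[Tuple[str, str]]:
    """Read back which values a .reg file deletes, to check it before merging."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: missing header line")
    out: List[Tuple[str, str]] = []
    key = None
    for line in (l.strip() for l in lines[1:]):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and line.endswith('"=-'):
            name = line[1:-3].replace('\\"', '"').replace("\\\\", "\\")
            out.append((key, name))
    return out


def main() -> None:
    keys = parse_winpfind_run_keys(SAMPLE_LOG)
    for key, name, data, reasons in find_suspicious(keys):
        print(f"{key}\n   name={name!r} data={data!r}  <- {reasons}")
    # The analyst chooses what to delete; these are the three values the fix.reg above removes.
    fix = build_removal_reg([(HKLM_RUN, "WT GameChannel"),
                             (HKLM_RUN, "p2pnetworking.exe"),
                             (HKLM_RUNSERVICES, "p2pnetworking.exe")])
    print(fix)
    print("will delete:", parse_reg_deletions(fix))


if __name__ == "__main__":
    main()
```

The read-back step is the part worth keeping: a .reg file merges silently once you OK the prompt, so listing its deletions first (and checking the REGEDIT4 header and CRLF line ends, which older regedit versions are picky about) is a cheap guard against a typo removing the wrong value.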


Offline wormit

win 32 p2p worm alcan a
« Reply #11 on: March 05, 2006, 08:53:22 PM »
The D:\WINDOWS\SYSTEM32\DC_KDC265.apl properties:

Opens with: Adobe Photoshop
File version: 1.0.0.1
Description: DC_KDC265
Copyright: Copyright © 1999 ACD Systems, Ltd.


New report

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         7:33:01 AM, 3/6/2006
 + Report-Checksum:      ED14F6FB

 + Scan result:

   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup


::Report End

Earlier report

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         11:19:03 PM, 3/4/2006
 + Report-Checksum:      46661151

 + Scan result:

   HKLM\SOFTWARE\Hotbar -> Adware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Hotbar\Hotbar -> Adware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Hotbar\Hotbar\Install -> Adware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Hotbar\Hotbar\MachineInfo -> Adware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Hotbar\Hotbar\PI -> Adware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Hotbar\Hotbar\PI\3.2 -> Adware.HotBar : Cleaned with backup
   HKU\S-1-5-21-1202660629-789336058-725345543-1003\Software\Hotbar -> Adware.HotBar : Cleaned with backup
   HKU\S-1-5-21-1202660629-789336058-725345543-1003\Software\Hotbar\hotbar -> Adware.HotBar : Cleaned with backup
   HKU\S-1-5-21-1202660629-789336058-725345543-1003\Software\Hotbar\hotbar\Install -> Adware.HotBar : Cleaned with backup
   HKU\S-1-5-21-1202660629-789336058-725345543-1003\Software\Hotbar\hotbar\options -> Adware.HotBar : Cleaned with backup
   HKU\S-1-5-21-1202660629-789336058-725345543-1003\Software\Hotbar\hotbar\UserInfo -> Adware.HotBar : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@a-1shz2prbmdj6wvny-1sez2pra2dj6wfkikidjseoq-1dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Goclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Gamingpromo : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@cj[1].txt -> TrackingCookie.Cj : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@com[1].txt -> TrackingCookie.Com : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Clickzs : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Clickzs : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Clickzs : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@gamingpromo[1].txt -> TrackingCookie.Gamingpromo : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Starware : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Itrack : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Masterstats : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Web-stat : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Clickzs : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\[email protected][1].txt -> TrackingCookie.Web-stat : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlywpcjmboa2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Cookies\megapaq@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
   D:\Documents and Settings\MEGAPAQ\Local Settings\Temp\Cookies\megapaq@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
   D:\Program Files\Hotbar -> Adware.HotBar : Cleaned with backup
   D:\Program Files\Hotbar\bin -> Adware.HotBar : Cleaned with backup
   D:\Program Files\Hotbar\Hotbar.log -> Adware.HotBar : Cleaned with backup
   D:\System Volume Information\_restore{34FCC7E2-024D-43A8-8903-42DE892DDBEB}\RP200\A0372637.exe -> Adware.Casino : Cleaned with backup
   D:\System Volume Information\_restore{34FCC7E2-024D-43A8-8903-42DE892DDBEB}\RP200\A0372676.exe -> Adware.Casino : Cleaned with backup
   D:\System Volume Information\_restore{34FCC7E2-024D-43A8-8903-42DE892DDBEB}\RP200\A0424643.exe -> Adware.Casino : Cleaned with backup


::Report End


And I've also noticed that my Yahoo Messenger starts as soon as I log on to the computer. It usually wasn't like this. Could this be a trace of the worm?

Offline guestolo

win 32 p2p worm alcan a
« Reply #12 on: March 05, 2006, 09:21:58 PM »
If you have an older version of Spybot installed please uninstall it from Add/Remove programs
Download and Install Spybot 1.4 from
HERE
 or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check the boxes and then download all updates
After update is complete
Close Spybot for now as we will need it later

==Download and Install
Windows Cleanup! 4.0
Don't run it yet

Download and save to your desktop FxHotbar.exe
by Symantec
Close down all other windows

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer


Double click on FxHotbar.exe
Then click on Start
Let it finish scanning your computer
Follow any prompts and exit when it's done

Reboot your computer

Back in Windows
Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX ALL selected problems in RED
RESTART your computer once again

Back in Windows
Can you post a new Hijackthis log please

Do you see an option in Yahoo to disable it from running on startup?
If not we can disable it on startup with hijackthis
« Last Edit: March 05, 2006, 09:34:33 PM by guestolo »



Offline wormit

  • Full Member
  • ***
  • Posts: 132
  • Karma: +0/-0
    • View Profile
win 32 p2p worm alcan a
« Reply #13 on: March 06, 2006, 03:24:30 AM »
I did the cleanup and the scanning with Fxhotbar.exe BUT I can't seem to update or do the search and destroy process with Spybot.

When I try to update, Spybot says: error retrieving update info file, Socket error 10061 connection refused.
When I try to scan, it says I need to install detection updates first by using the integrated or manual updater.

Offline wormit

  • Full Member
  • ***
  • Posts: 132
  • Karma: +0/-0
    • View Profile
win 32 p2p worm alcan a
« Reply #14 on: March 06, 2006, 03:48:07 AM »
I wonder whether it was because I blocked p2p networking from accessing the internet after I downloaded LimeWire (had to do this because the message asking to access the internet kept popping up).


Could this be the cause of this whole problem?

Offline wormit

  • Full Member
  • ***
  • Posts: 132
  • Karma: +0/-0
    • View Profile
win 32 p2p worm alcan a
« Reply #15 on: March 06, 2006, 05:04:13 AM »
Here's the HJT logfile without a Spybot scan. By the way, I noticed that a URL hook is missing in this log file (I have bolded it). Does this mean anything? (Just wondering.)


Logfile of HijackThis v1.99.1
Scan saved at 3:57:31 PM, on 3/6/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Norton Internet Security\NISSERV.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\DAP\DAP.EXE
D:\WINDOWS\System32\rundll32.exe
D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
D:\Program Files\Norton Internet Security\SymProxySvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessectio...redlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/ve...n7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
« Last Edit: March 06, 2006, 05:07:58 AM by wormit »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win 32 p2p worm alcan a
« Reply #16 on: March 06, 2006, 08:58:29 PM »
Which firewall are you running?
The one from Norton?
It's possible that Spybot won't update because of the firewall or DAP
Can you disable DAP and try checking for updates again
OR if that won't work
Close down Spybot completely
Go to THIS LINK
Download and save to desktop
Detection updates 2006-03-03 - product description
Double click to install the updates
After the updates are installed, reopen Spybot
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX ALL selected problems in RED
RESTART your computer

Back in Windows
Can you also do the following please
From below, download and UNZIP to desktop
Run_Keys.zip so you now have Run_Keys.bat extracted

Double click on Run_Keys.bat
A text file will open, copy and paste back here the whole contents please



Offline wormit

  • Full Member
  • ***
  • Posts: 132
  • Karma: +0/-0
    • View Profile
win 32 p2p worm alcan a
« Reply #17 on: March 07, 2006, 02:30:04 AM »
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="p2pnetworking.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="p2pnetworking.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"CAPON"="D:\\WINDOWS\\System32\\Spool\\Drivers\\w32x86\\3\\CAPONN.EXE"
"DownloadAccelerator"="D:\\PROGRA~1\\DAP\\DAP.EXE /STARTUP"
"NeroCheck"="D:\\WINDOWS\\system32\\NeroCheck.exe"
"AdslTaskBar"="rundll32.exe stmctrl.dll,TaskBar"
"Symantec NetDriver Monitor"="D:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="D:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
@="p2pnetworking.exe"
"SSC_UserPrompt"="D:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"UserFaultCheck"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,\
  6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
  00,64,00,75,00,6d,00,70,00,72,00,65,00,70,00,20,00,30,00,20,00,2d,00,75,00,\
  00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="D:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="D:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000CC75-ACF3-4cac-A0A9-DD3868E06852}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

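As an added example (not part of this thread, and not the Run_Keys.bat or HijackThis tools it mentions): a small Python script that parses a Run_Keys-style registry export and HijackThis O4 lines like the ones posted above and flags the traits a helper looks for when reading them, namely an empty value name (the `@=` default value), use of the RunServices key, and a command that is a bare file name with no path. The sample input is constructed from the entries quoted in this thread, trimmed to the relevant lines; the function names and the reason strings are the example's own.

```python
import re

# Constructed sample input: the relevant lines quoted from the Run_Keys.bat
# output and the HijackThis log posted earlier in this thread, trimmed.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="p2pnetworking.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"DownloadAccelerator"="D:\\PROGRA~1\\DAP\\DAP.EXE /STARTUP"
"AdslTaskBar"="rundll32.exe stmctrl.dll,TaskBar"
@="p2pnetworking.exe"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="D:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"""

HJT_LOG = r"""O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [] p2pnetworking.exe
O4 - HKLM\..\RunServices: [] p2pnetworking.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

REG_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# A .reg value line: name is "@" (default value) or a quoted string.
REG_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
# A HijackThis O4 line: "O4 - <key>: [<name>] <command>", name may be empty.
HJT_O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

REASON_EMPTY_NAME = 'empty value name'
REASON_RUNSERVICES = 'RunServices key'
REASON_BARE_NAME = 'bare file name, no path'


def _unquote(s):
    """Strip the quotes of a .reg string value and undo its backslash escaping."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Return one entry per string value found under any [key] in a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = REG_VALUE_RE.match(line)
        if m and key is not None:
            raw_name, data = m.group('name'), m.group('data')
            if not data.startswith('"'):
                continue  # hex(2)/dword data is not a plain command line; skipped here
            name = '' if raw_name == '@' else _unquote(raw_name)
            entries.append({'source': 'reg', 'key': key, 'name': name,
                            'command': _unquote(data)})
    return entries


def parse_hjt_o4(text):
    """Return one entry per O4 (autostart) line of a HijackThis log."""
    return [{'source': 'hjt', 'key': m.group('key'), 'name': m.group('name'),
             'command': m.group('cmd')}
            for m in (HJT_O4_RE.match(l) for l in text.splitlines()) if m]


def executable_of(command):
    """First token of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ''


def assess(entry):
    """List the suspicious traits of one autostart entry (empty list = nothing odd)."""
    reasons = []
    if entry['name'] == '':
        reasons.append(REASON_EMPTY_NAME)       # installers name their Run values
    if entry['key'].lower().endswith('runservices'):
        reasons.append(REASON_RUNSERVICES)      # Win9x-era key, rare on XP
    exe = executable_of(entry['command'])
    if exe and '\\' not in exe and not exe.startswith('%'):
        reasons.append(REASON_BARE_NAME)        # resolved through the search path
    return reasons


def find_suspicious(entries):
    """Entries with at least one suspicious trait, most suspicious first."""
    findings = [dict(e, reasons=assess(e)) for e in entries if assess(e)]
    findings.sort(key=lambda f: len(f['reasons']), reverse=True)  # stable sort
    return findings


if __name__ == '__main__':
    for f in find_suspicious(parse_reg_export(REG_EXPORT) + parse_hjt_o4(HJT_LOG)):
        print(f"{f['source']:3} {f['key']}  [{f['name']}] {f['command']}")
        print('     -> ' + '; '.join(f['reasons']))
```

The two `p2pnetworking.exe` entries come out on top because they combine all three traits, while `SoundMan` and `AdslTaskBar` score on the bare-name trait alone, which is why a helper reads such a report as a ranking to verify rather than a verdict.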
Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win 32 p2p worm alcan a
« Reply #18 on: March 08, 2006, 12:03:14 AM »
Can you do the following
Download and UNZIP from the bottom of this reply box to desktop
"Repair2.zip"
so you now have repair2.reg extracted

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R3 - Default URLSearchHook is missing


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on repair2.reg and allow to add/merge to the registry

REBOOT the computer

Back in Windows, post back a fresh Hijackthis log
So what firewall are you using?



Offline wormit

  • Full Member
  • ***
  • Posts: 132
  • Karma: +0/-0
    • View Profile
win 32 p2p worm alcan a
« Reply #19 on: March 08, 2006, 12:49:33 AM »
Logfile of HijackThis v1.99.1
Scan saved at 11:42:35 AM, on 3/8/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\CAPRPCSK.EXE
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\Norton Internet Security\NISUM.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Norton Internet Security\NISSERV.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Norton Internet Security\SymProxySvc.exe
D:\PROGRA~1\DAP\DAP.EXE
D:\WINDOWS\System32\rundll32.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\WINDOWS\System32\spool\drivers\w32x86\3\CAPPSWK.EXE
D:\Program Files\MP3Dancer\MP3Dancer.exe
D:\Program Files\Webshots\WebshotsTray.exe
D:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - D:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAPON] D:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [DownloadAccelerator] D:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: MP3 Dancer.lnk = D:\Program Files\MP3Dancer\MP3Dancer.exe
O4 - Startup: Webshots.lnk = D:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Canon LBP-810 Status Window.LNK = D:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\JavaSoft\JRE\1.4\bin\npjpi140.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\JavaSoft\JRE\1.4\bin\npjpi140.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - D:\Program Files\Poker.com\poker.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessectio...redlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/mi...pGameLoader.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_22.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/eng/poker_2_0_0_38.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/ve...n7/DLHelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_38.cab
O16 - DPF: {BFA1F11D-3121-AFE1-4112-983219421AEF} (GameDesire 1Player Word Games) - http://67.15.101.3/g_bin/eng/wordssingle_2_0_0_34.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_1_0.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_23.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: JavaWebServer - Unknown owner - D:\JavaWebServer2.0\bin\jservsvc.exe (file missing)
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - D:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I used Norton's firewall... but since you asked me to uninstall either Norton or AVG Free, I uninstalled Norton, so I'm not sure whether the Norton firewall is still there... I don't have the AVG Free firewall feature. (I installed AVG Free after I found this worm... a couple of days after I installed LimeWire.)
« Last Edit: March 08, 2006, 12:51:09 AM by wormit »