Topic: I Have "win32.p2p-Worm.Alcan.a" -- please help if you can.

bradfitz
« Reply #20 on: January 09, 2007, 12:41:08 PM »
here is my SDFix log report:

SDFix: Version 1.57

Tue 01/09/2007 - 12:07:10.04

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Owner\Desktop\SDFix

Safe Mode

Service Check:

Service Name:


File Path:




Starting Registry Repairs
 
Restoring Default Hosts File...
 
Stage One Complete
 
Rebooting...
 
Stage Two - Normal Mode
 
Checking Files:
--------------
 
C:\WINDOWS\system32\winsecurityxp\mswinup.exe
 
Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.

                                 Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Owner\Desktop\SDFix\backups\backups.zip

Remaining files with hidden attributes:

C:\NTDETECT.COM
C:\Documents and Settings\Owner\My Documents\My Work\Clients\ActiveEdge\Active Edge_old_stuff\_FilesFromAE\Favorites\Business\The Quicken.com Channel\desktop.ini
C:\Documents and Settings\Owner\My Documents\My Work\Clients\ActiveEdge\Active Edge_old_stuff\_FilesFromAE\HappyTreeFriends\dvd.mondominishows.com\Thumbs.db
C:\Documents and Settings\Owner\My Documents\My Work\Clients\ActiveEdge\Active Edge_old_stuff\_FilesFromAE\HappyTreeFriends\happytee.mondominishows.com\Thumbs.db
C:\Documents and Settings\Owner\My Documents\My Work\Clients\ActiveEdge\Active Edge_old_stuff\_FilesFromAE\HappyTreeFriends\love.happytreefriends.com\Thumbs.db
C:\Documents and Settings\Owner\My Documents\My Work\Clients\ActiveEdge\Active Edge_old_stuff\_FilesFromAE\HappyTreeFriends\minibytes.mondominishows.com\eye\Thumbs.db
C:\Documents and Settings\Owner\My Documents\My Work\Clients\ActiveEdge\Active Edge_old_stuff\_FilesFromAE\HappyTreeFriends\spike.mondominishows.com\Thumbs.db
C:\Documents and Settings\Owner\My Documents\My Work\Inspiration\CARTOONS\Political\Ann Telnaes\www.anntelnaes.com\images\Thumbs.db
C:\Documents and Settings\Owner\My Documents\My Work\My Illustration\BlackRaiders.com\finals\Thumbs.db
C:\Documents and Settings\Owner\My Documents\My Work\My Illustration\Portfolios.com\Thumbs.db
C:\Documents and Settings\Owner\NetHood\bradfitzpatrick.com\Desktop.ini
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\hiberfil.sys
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\SMINST\HPCD.sys

                                 Finished
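A small audit of the firewall "Authorized Application Key Export" block above, added here as an example and not part of the thread or of SDFix. It parses the .reg-style lines (the export doubles backslashes; the value name in the registry itself has single ones) and flags entries a responder would want to look at, such as one labelled "Internet Explorer" that points at a binary in an unusual system32 subfolder. The sample text, the product-name table and the system-directory heuristic are constructed for this example.

```python
"""Audit an exported Windows XP SP2 firewall AuthorizedApplications\\List."""
import re
from typing import Dict, List

# Constructed sample: three entries in the shape SDFix (and `regedit /e`)
# print them, taken from the StandardProfile block in the log above.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%SystemDir%\\winsecurityxp\\mswinup.exe"="%SystemDir%\\winsecurityxp\\mswinup.exe:*:Enabled:Internet Explorer"
'''

# "name"="data" with .reg escaping (\\ and \") inside both quoted strings.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Constructed table (assumption for this example): display names that
# well-known products use in this list and the binary each actually runs as.
KNOWN_PRODUCT_BINARIES = {
    'internet explorer': {'iexplore.exe'},
    'itunes': {'itunes.exe'},
    'skype': {'skype.exe'},
}

# Heuristic: the stock XP entry lives directly in system32; an executable in a
# subfolder of the system directory is unusual enough to review by hand.
SYSTEM_DIR_PREFIXES = ('%systemdir%\\', '%windir%\\system32\\', 'c:\\windows\\system32\\')


def unescape(s: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_export(text: str) -> List[Dict[str, object]]:
    """Return one record per value line: key, value name, and the data split
    into path, scope, state and display name (data is path:scope:state:name)."""
    entries: List[Dict[str, object]] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = unescape(m.group('name'))
        data = unescape(m.group('data'))
        # Split from the right so the drive-letter colon in the path survives;
        # a colon inside the display name would still be mis-split (flagged below).
        parts = data.rsplit(':', 3)
        if len(parts) != 4:
            entries.append({'key': key, 'value_name': name, 'path': data,
                            'scope': '', 'state': '', 'display': '', 'malformed': True})
            continue
        path, scope, state, display = parts
        entries.append({'key': key, 'value_name': name, 'path': path,
                        'scope': scope, 'state': state, 'display': display,
                        'malformed': False})
    return entries


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def review_reasons(entry: Dict[str, object]) -> List[str]:
    """Reasons an entry deserves a second look; empty list means nothing noted."""
    if entry['malformed']:
        return ['malformed']
    reasons = []
    p = str(entry['path']).lower()
    if str(entry['value_name']).lower() != p:
        reasons.append('value_name_differs_from_path')
    want = KNOWN_PRODUCT_BINARIES.get(str(entry['display']).strip().lower())
    if want and basename(p) not in want:
        reasons.append('display_name_mismatch')
    for prefix in SYSTEM_DIR_PREFIXES:
        if p.startswith(prefix) and '\\' in p[len(prefix):]:
            reasons.append('system_subdir')
            break
    return reasons


def audit(text: str) -> List[Dict[str, object]]:
    """Parse an export and return only the entries that have review reasons."""
    findings = []
    for entry in parse_export(text):
        reasons = review_reasons(entry)
        if reasons:
            findings.append({**entry, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_EXPORT):
        print(f"{f['state']:8} {f['path']}  ({f['display']!r})  -> {', '.join(f['reasons'])}")
```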

bradfitz
« Reply #21 on: January 09, 2007, 12:42:47 PM »
my C:/Avenger.txt...

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bllbjfua

*******************

Script file located at: \??\C:\Program Files\aafbqlrj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver agony unloaded successfully.

Completed script processing.

*******************

Finished!  Terminate.

bradfitz
« Reply #22 on: January 09, 2007, 12:43:55 PM »
and finally, the log from my second GMER scan:


GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-09 12:35:41
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT  \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys    ZwOpenProcess
SSDT  \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys    ZwTerminateProcess

---- Registry - GMER 1.0.12 ----


---- Files - GMER 1.0.12 ----

File  C:\Documents and Settings\Owner\Application Data\Macromedia\Dreamweaver 8\Configuration\SiteCache\If the Shoe FITZ..\dwSiteColumnsMe.xml
File  C:\Documents and Settings\Owner\Application Data\Macromedia\Dreamweaver MX\Configuration\SiteCache\If the Shoe FITZ..\dwSiteColumnsMe.xml
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\Cade&Mom_004.jpg:Roxio EMC Stream
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\caden_01.jpg:Roxio EMC Stream
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\caden_02.jpg:Roxio EMC Stream
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\caden_03.jpg:Roxio EMC Stream
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\caden_04.jpg:Roxio EMC Stream
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\caden_05.jpg:Roxio EMC Stream
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\caden_hot_trunks_01.jpg:Roxio EMC Stream
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\caden_siena_sasha_sweaters_.jpg:Roxio EMC Stream
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\cheesman_scary.jpg:Roxio EMC Stream
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\deer_01.jpg:Roxio EMC Stream
ADS   C:\Documents and Settings\Owner\Desktop\SOME PICS\deer_02.jpg:Roxio EMC Stream
ADS   ...

---- EOF - GMER 1.0.12 ----

bradfitz
« Reply #23 on: January 11, 2007, 09:50:00 AM »
So am I all set then or is there still work left to do?

Thank You!

guestolo (Administrator)
« Reply #24 on: January 11, 2007, 08:32:34 PM »
Sorry for the delay bradfitz
Can you do the following still please

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Copy ALL the text between the ===== lines below to your Clipboard by highlighting it and pressing Ctrl+C on your keyboard:

=============================================================
Folders to delete:
C:\WINDOWS\system32\winsecurityxp

Registry values to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | %SystemDir%\\winsecurityxp\\mswinup.exe

==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
OK the prompt

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows

Can I see the new log from Avenger please (C:\Avenger.txt), along with a fresh hijackthis log

Let me know how things are running please
Also, I see no AntiVirus software installed on this computer
Do you have your own to install or do you need a free solution?
It's not safe being without the proper protection online!
« Last Edit: January 11, 2007, 08:35:17 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


bradfitz
« Reply #25 on: January 15, 2007, 05:23:44 PM »
Thanks guestolo...  my computer seems to be running a little better but it's still sluggish at times.

I do not have antivirus installed because I was under the impression that since I was behind a router, I was not at risk... guess I was wrong.  I do not have an anti virus program currently and would like your best suggestions on what I should get.  Free would of course be nice but I'm willing to pay if it means better protection certainly.

Thank You!



Here is my new avenger log file:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qahedryb

*******************

Script file located at: \??\C:\WINDOWS\kkcecyhi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder C:\WINDOWS\system32\winsecurityxp deleted successfully.


Could not delete registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|%SystemDir%\\winsecurityxp\\mswinup.exe
Deletion of registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|%SystemDir%\\winsecurityxp\\mswinup.exe failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List|%SystemDir%\\winsecurityxp\\mswinup.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished!  Terminate.

guestolo (Administrator)
« Reply #26 on: January 17, 2007, 08:11:43 PM »
Very sorry for the delay

YES, you definitely need antivirus software protection on your computer
Can you do the following please
Let's manually remove that entry from the registry please
Go to START>>RUN>>copy and paste the next command below in bold to the open field
regedit /e c:\registrybackup.reg
Hit OK
Let this finish, this will make a backup of the registry to the C: folder

Go to START>>RUN>>type in regedit
Hit OK
We're looking for this registry key in bold below
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Expand(+) on the following
+HKEY_LOCAL_MACHINE
+SYSTEM
+CurrentControlSet
+Services
+SharedAccess
+Parameters
+FirewallPolicy
+StandardProfile
+AuthorizedApplications
Highlight List

Look on the right hand side for the following entry
C:\WINDOWS\system32\winsecurityxp\mswinup.exe

RIGHT CLICK on ONLY that above entry and select DELETE
Exit the registry

Go to the following link
http://www.thetechguide.com/forum/index.php?showtopic=15894
At the top of the post are recommendations for free AV's
ONLY install one, they all have a free version
After installed, ensure it is updated, run a full system scan letting it clean any infected files
Reboot the computer afterwards

Post back a fresh hijackthis log and let me know how things are running please
« Last Edit: January 17, 2007, 08:13:00 PM by guestolo »


bradfitz
« Reply #27 on: January 22, 2007, 11:50:11 AM »
Hi,

Are there any further actions I need to take on this problem?

Thank You!

guestolo (Administrator)
« Reply #28 on: January 29, 2007, 11:18:27 PM »
Sorry for the delay again

Quote
Are there any further actions I need to take on this problem?
Yes, let's ensure your log is clean, I asked this in my last post to you

Quote
Post back a fresh hijackthis log and let me know how things are running please

If you can still post the fresh hijackthis log that would be great, let me know how things are going also!


bradfitz
« Reply #29 on: January 30, 2007, 09:16:24 PM »
Thanks... sorry, it looks like I missed your previous message.  I did as you suggested above. Here is my fresh HiJackThis Log:


Logfile of HijackThis v1.99.1
Scan saved at 9:14:13 PM, on 1/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\GPSoftware\Directory Opus\dopus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Macromedia\Flash MX 2004\Flash.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Owner\My Documents\My Work\downloads\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bradfitzpatrick.com/bookmarks/bookmarks.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Cleanup] ;
O4 - HKLM\..\Run: [Gateway Extended Warranty] ;
O4 - HKLM\..\Run: [msci] ;
O4 - HKLM\..\Run: [SSC_UserPrompt] ;
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Second Copy] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [DOpus] C:\Program Files\GPSoftware\Directory Opus\dopus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

guestolo (Administrator)
« Reply #30 on: January 31, 2007, 11:11:00 PM »
Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Cleanup] ;
O4 - HKLM\..\Run: [Gateway Extended Warranty] ;
O4 - HKLM\..\Run: [msci] ;
O4 - HKLM\..\Run: [SSC_UserPrompt] ;


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

What do you use for AntiVirus software???
Do you have your own to install or do you need a free solution?
It's not safe being online without proper protection!!!
PLEASE, take the time to download your OWN free AV and update it and run a Complete scan
Let it fix whatever it finds, reboot afterwards and post a fresh hijackthis log

ONLY use one AV please
Links found HERE
« Last Edit: January 31, 2007, 11:11:35 PM by guestolo »


bradfitz
« Reply #31 on: February 01, 2007, 02:09:30 PM »
Hi, I did as instructed and my fresh hi-jack this log is below.

I installed AVG's anti-virus agent, thanks for the recommendation.

Do I also need a firewall if I'm behind a router?

Thank You.


+++++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 2:05:29 PM, on 2/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\GPSoftware\Directory Opus\dopus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\My Documents\My Work\downloads\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bradfitzpatrick.com/bookmarks/bookmarks.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Second Copy] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [DOpus] C:\Program Files\GPSoftware\Directory Opus\dopus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

++++++++++
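As an added example, not code from this thread or from the HijackThis tool: a small Python triage script that parses lines in the HijackThis v1.99 format shown above and flags the kinds of entries a helper looks at first (O4 autoruns that give only a bare filename, O16 ActiveX downloads with no registered name or an unexpected file type, the O20 AppInit_DLLs injection point, and O23 services with no recorded publisher). The flags are review heuristics, not verdicts on any particular file; the sample lines are excerpted from the log posted above, and the reason strings are my own wording.

```python
"""Triage of HijackThis v1.99-format log lines (added example; heuristics, not verdicts)."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKCU\..\Run: [Second Copy] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')

# File types an O16 (Download Program Files / ActiveX) entry normally points at.
EXPECTED_DPF_EXT = {'.cab', '.ocx', '.dll', '.exe'}


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. 'O4'
    reason: str    # why a helper would look at this line
    line: str      # the raw log line


def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def review(log_text: str) -> List[Finding]:
    """Scan log lines and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m['cmd'])
            # A bare filename is located through the Windows search order,
            # so the reviewer must confirm which copy actually loads.
            if exe and '\\' not in exe and not exe.startswith('%'):
                findings.append(Finding('O4', f'autorun [{m["name"]}] uses bare filename {exe}', line))
            continue
        m = O16_RE.match(line)
        if m:
            if not m['desc']:
                findings.append(Finding('O16', f'ActiveX {m["clsid"]} has no registered name', line))
            ext = os.path.splitext(urlparse(m['url']).path)[1].lower()
            if ext not in EXPECTED_DPF_EXT:
                findings.append(Finding('O16', f'download URL ends in {ext or "(none)"}, not a control package', line))
            continue
        if line.startswith('O20 - AppInit_DLLs:'):
            # Every DLL listed here is loaded into every process that loads user32.dll.
            findings.append(Finding('O20', 'AppInit_DLLs is a global DLL injection point', line))
            continue
        m = O23_RE.match(line)
        if m and m['owner'] == 'Unknown owner':
            findings.append(Finding('O23', f'service {m["name"]} has no recorded publisher', line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == '__main__':
    for f in review(SAMPLE_LOG):
        print(f'{f.section}: {f.reason}\n    {f.line}')
```

Run it against a full log saved from HijackThis (read the file and pass its text to `review`). Entries it flags still need the usual checks (file location, publisher, hash lookup) before anything is ticked for FIX CHECKED; a bare-filename autorun such as a sound-card helper is often legitimate, and the script only says where to look, not what to delete.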

Offline guestolo

« Reply #32 on: February 04, 2007, 11:37:41 AM »
Looks good, how's everything running on your end?

Quote
Do I also need a firewall if I'm behind a router?

A NAT router will filter incoming traffic, so you don't necessarily need a software firewall,
but a good firewall will also filter outgoing traffic.
So it's totally up to you.



Offline bradfitz

« Reply #33 on: February 04, 2007, 12:57:28 PM »
Seems to be running great now.  I noticed a boost in performance as soon as I completed the last set of instructions. Not sure if it's my imagination but it also feels like my internet connection got faster?

Offline guestolo

« Reply #34 on: February 04, 2007, 01:33:24 PM »
Just as some final cleanup
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name and click Create
When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning

You should give your computer a bit more protection
Install
SpywareBlaster 3.5.1 by JavaCool
    * Will block bad ActiveX controls
    * Blocks malevolent cookies in Internet Explorer and Firefox
    * Restricts actions of potentially dangerous sites in Internet Explorer
After installation, check for updates.
After updating, select "Protection" on the left,
then select "Enable all Protection".
Check for updates every couple of weeks;
after every update just click "Enable protection on all unprotected items".


You can go ahead and remove the following
Manually delete
Files:
C:/Avenger.txt
Avenger.zip
Avenger.exe
Gmer.zip
Gmer.exe
sreng2.zip
sreng.exe
SdFix.exe

Navigate to C:\Windows\gmer_uninstall.cmd
Double click on gmer_uninstall.cmd>>press any key to continue when prompted
Then manually delete
C:\Windows\gmer_uninstall.cmd <-file
C:\Windows\gmer.ini <-file

You can also delete that registry backup file we created earlier
Right click on
c:\registrybackup.reg <-this file and choose Delete

Folders:
C:\Avenger
C:\SDFix

If you want to remove HijackThis, remove it from Add/Remove Programs, then manually delete its folder.

I hope that helps
P.S. Be careful what you download from sites and filesharing programs
Have the files scanned first with AVG AntiVirus before opening them
« Last Edit: February 04, 2007, 01:42:33 PM by guestolo »



Offline bradfitz

« Reply #35 on: February 13, 2007, 11:08:49 PM »
Good advice.. I will certainly scan new files I'm unsure about in the future...

Thank You!

Offline guestolo

« Reply #36 on: February 13, 2007, 11:26:34 PM »
I'll lock this topic as your problems are resolved.
Take care bradfitz :)
