Author Topic: the win32.p2p-worm.alcon.a thing...

Offline disheeki

the win32.p2p-worm.alcon.a thing...
« on: June 26, 2007, 06:18:24 PM »
I have been searching online over many sites for a couple of hours now on how to get rid of this, and I consider myself pretty understanding when it comes to things like this, but I just can't get rid of it. Here's my logfile from HijackThis. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 7:15:20 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Michael\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESMART.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Offline guestolo

the win32.p2p-worm.alcon.a thing...
« Reply #1 on: June 26, 2007, 08:47:34 PM »
Hi disheeki
Can you do the following for me please

Download and save Brute Force Uninstaller to the desktop
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to, click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcan worm remover.
Save it, then transfer it to the same folder you made earlier (C:\BFU).

Go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Next to the "scriptline to execute" field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the "complete script execution" box to pop up and press OK.
  • Press Exit to terminate the BFU program.
Reboot your computer

Back in Windows

Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

I need to see back here all the following

1. Post the log from Combofix
2. Post a fresh hijackthis log
Let me know how things are running please

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline disheeki

the win32.p2p-worm.alcon.a thing...
« Reply #2 on: June 27, 2007, 03:07:37 PM »
"Michael" - 2005-06-27 16:05:10 - ComboFix 07-06-27.7 - Service Pack 2  NTFS  


(((((((((((((((((((((((((   Files Created from 2005-05-27 to 2005-06-27  )))))))))))))))))))))))))))))))


2005-06-27 16:04   49,152   --a------   C:\WINDOWS\nircmd.exe
2005-06-27 16:02   <DIR>   d--------   C:\bintheredunthat
2005-06-27 15:59   <DIR>   d--------   C:\BFU
2005-06-26 16:44   <DIR>   d--------   C:\Program Files\Bazooka Scanner
2005-06-26 16:03   <DIR>   d--------   C:\Program Files\uTorrent
2005-06-26 16:03   <DIR>   d--------   C:\DOCUME~1\Michael\APPLIC~1\uTorrent
2005-06-24 19:51   <DIR>   d--------   C:\WINDOWS\Downloaded Installations


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-24 23:06:13   --------   d-----w   C:\Program Files\VstPlugins
2007-06-24 23:04:41   --------   d-----w   C:\Program Files\Image-Line
2007-06-24 16:40:25   --------   d-----w   C:\DOCUME~1\Michael\APPLIC~1\BitTorrent
2007-06-24 16:33:06   --------   d-----w   C:\Program Files\BitTorrent
2007-06-24 15:43:14   --------   d-----w   C:\DOCUME~1\Michael\APPLIC~1\LimeWire
2007-06-20 22:58:47   --------   d-----w   C:\DOCUME~1\Michael\APPLIC~1\Help
2007-06-20 21:34:05   --------   d-----w   C:\Program Files\Creative
2007-06-20 21:12:42   126,976   ----a-w   C:\WINDOWS\system32\unzdll.dll
2007-06-20 21:12:36   --------   d-----w   C:\Program Files\Gateway
2007-06-20 02:20:39   --------   d-----w   C:\Program Files\Lavasoft
2007-06-20 02:20:16   --------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2007-06-20 02:18:01   --------   d-----w   C:\Program Files\MSXML 6.0
2007-06-20 02:17:28   --------   d-----w   C:\Program Files\Windows Media Connect 2
2007-06-20 02:02:13   --------   d-----w   C:\Program Files\MSBuild
2007-06-20 01:59:06   --------   d-----w   C:\Program Files\Reference Assemblies
2007-06-20 01:35:50   --------   d-----w   C:\DOCUME~1\Michael\APPLIC~1\X-Setup Pro
2007-06-20 01:15:56   --------   d-----w   C:\Program Files\Messenger
2007-06-20 01:06:20   --------   d-----w   C:\Program Files\GameFace Messenger
2007-06-20 01:06:08   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-06-20 00:41:37   --------   d-----w   C:\DOCUME~1\Michael\APPLIC~1\acccore
2007-06-20 00:41:25   --------   d-----w   C:\Program Files\AIM6
2007-06-20 00:40:57   --------   d-----w   C:\Program Files\Viewpoint
2007-06-20 00:40:46   --------   d-----w   C:\Program Files\Common Files\AOL
2007-06-20 00:40:42   335   ----a-w   C:\WINDOWS\nsreg.dat
2007-06-20 00:36:15   1,280   ----a-w   C:\WINDOWS\checkip.dat
2007-06-20 00:33:11   21,035   ----a-w   C:\WINDOWS\system32\drivers\AegisP.sys
2007-06-20 00:33:04   --------   d-----w   C:\Program Files\NETGEAR
2007-06-20 00:29:32   737,280   ----a-w   C:\WINDOWS\iun6002.exe
2007-06-20 00:29:08   --------   d-----w   C:\Program Files\ASUSTeK
2007-06-20 00:28:04   --------   d-----w   C:\Program Files\Common Files\InstallShield
2007-06-20 00:27:12   --------   d-----w   C:\Program Files\ITE
2007-06-20 00:25:11   --------   d-----w   C:\Program Files\AMD
2007-06-20 00:24:16   --------   d-----w   C:\Program Files\Realtek AC97
2007-06-20 00:21:58   8   ----a-w   C:\DFIMB.DAT
2007-06-20 00:17:12   --------   d-----w   C:\Program Files\microsoft frontpage
2007-06-20 00:16:48   0   --sha-r   C:\MSDOS.SYS
2007-06-20 00:16:48   0   --sha-r   C:\IO.SYS
2007-06-20 00:16:48   0   ----a-w   C:\CONFIG.SYS
2007-06-20 00:16:48   0   ----a-w   C:\AUTOEXEC.BAT
2007-06-20 00:15:25   --------   d--h--w   C:\Program Files\WindowsUpdate
2007-06-20 00:14:45   --------   d-----w   C:\Program Files\Common Files\MSSoap
2007-06-20 00:14:37   --------   d-----w   C:\Program Files\Movie Maker
2007-06-20 00:13:02   21,640   ----a-w   C:\WINDOWS\system32\emptyregdb.dat
2007-06-20 00:12:44   --------   d-----w   C:\Program Files\Online Services
2007-06-20 00:12:26   --------   d-----w   C:\Program Files\Windows Plus
2007-06-20 00:11:00   --------   d-----w   C:\Program Files\MSN Gaming Zone
2007-06-20 00:10:53   --------   d-----w   C:\Program Files\Windows NT
2007-06-19 20:05:02   --------   d-----w   C:\Program Files\Common Files\ODBC
2007-06-19 20:04:59   --------   d-----w   C:\Program Files\Common Files\SpeechEngines
2007-06-04 19:18:48   9,344   ----a-w   C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 19:17:02   8,320   ----a-w   C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56   6,272   ----a-w   C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-30 12:10:42   10,872   ----a-w   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
2007-04-13 19:19:52   7,680   ----a-w   C:\WINDOWS\system32\lsdelete.exe
2007-03-23 10:07:56   1,683,280   ------w   C:\WINDOWS\system32\XpsSvcs.dll
2007-03-23 10:07:54   583,504   ------w   C:\WINDOWS\system32\XPSSHHDR.dll
2007-03-23 00:25:02   124,928   ------w   C:\WINDOWS\system32\prntvpt.dll
2007-03-17 13:43:01   292,864   ----a-w   C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28   577,536   ----a-w   C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28   40,960   ----a-w   C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28   281,600   ----a-w   C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48   1,843,584   ----a-w   C:\WINDOWS\system32\win32k.sys
2007-02-09 11:10:35   574,464   ----a-w   C:\WINDOWS\system32\drivers\ntfs.sys
2007-02-07 09:22:24   194,304   ----a-w   C:\WINDOWS\system32\drivers\wg111v2.sys
2007-02-05 20:17:02   185,344   ----a-w   C:\WINDOWS\system32\upnphost.dll
2006-12-04 20:21:50   414,720   ----a-w   C:\WINDOWS\system32\msscp.dll
2006-12-04 18:37:58   1,317,648   ----a-w   C:\WINDOWS\system32\msxml6.dll
2006-11-13 06:02:58   36,352   ------w   C:\WINDOWS\system32\tsgqec.dll
2006-11-13 06:02:58   288,768   ------w   C:\WINDOWS\system32\rhttpaa.dll
2006-11-13 06:02:58   116,736   ------w   C:\WINDOWS\system32\aaclient.dll
2006-11-13 06:02:58   1,866,240   ----a-w   C:\WINDOWS\system32\mstscax.dll
2006-11-08 01:03:36   413,696   ----a-w   C:\WINDOWS\system32\vbscript.dll
2006-11-08 01:03:36   156,160   ----a-w   C:\WINDOWS\system32\msls31.dll
2006-11-07 08:06:47   600,576   ----a-w   C:\WINDOWS\system32\mstsc.exe
2006-11-07 07:26:44   71,680   ----a-w   C:\WINDOWS\system32\admparse.dll
2006-11-07 07:26:42   55,296   ----a-w   C:\WINDOWS\system32\iesetup.dll
2006-11-01 19:17:45   927,504   ----a-w   C:\WINDOWS\system32\mfc40u.dll
2006-10-30 07:33:58   9,480   ----a-w   C:\WINDOWS\system32\icardres.dll
2006-10-30 07:33:58   83,968   ----a-w   C:\WINDOWS\system32\infocardapi.dll
2006-10-30 07:33:58   556,296   ----a-w   C:\WINDOWS\system32\icardagt.exe
2006-10-24 16:30:20   412,160   ------w   C:\WINDOWS\system32\photometadatahandler.dll
2006-10-24 16:30:06   716,288   ------w   C:\WINDOWS\system32\WindowsCodecs.dll
2006-10-24 16:30:00   276,992   ------w   C:\WINDOWS\system32\WMPhoto.dll
2006-10-24 16:29:50   352,256   ------w   C:\WINDOWS\system32\WindowsCodecsExt.dll
2006-10-21 01:30:06   1,980,704   ----a-w   C:\WINDOWS\system32\milcore.dll
2006-10-21 01:30:02   769,312   ----a-w   C:\WINDOWS\system32\PresentationNative_v0300.dll
2006-10-21 01:30:00   478,496   ----a-w   C:\WINDOWS\system32\evr.dll
2006-10-21 01:29:58   344,352   ----a-w   C:\WINDOWS\system32\PresentationHost.exe
2006-10-21 01:29:54   159,008   ----a-w   C:\WINDOWS\system32\UIAutomationCore.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2005-12-09 15:06 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SmartGuardian"="C:\Program Files\ITE\Smart Guardian\ITESMART.exe" [2006-01-18 09:36]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 08:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"=1 (0x1)
"NoStartMenuEjectPC"=1 (0x1)
"StartMenuLogoff"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4edbdd5d-1e9f-11dc-b629-806d6172696f}]
AutoRun\command- D:\SetupWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4edbdd5e-1e9f-11dc-b629-806d6172696f}]
AutoRun\command- E:\autorun.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\KB910393
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{407408d4-94ed-4d86-ab69-a7f649d112ee}
%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2005-06-27 16:06:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2005-06-27 16:06:19

--- E O F ---
 
________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 4:21:24 PM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Michael\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESMART.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

______________________________________________________________
I just restarted after running ComboFix and HijackThis, and most everything seems to be back in order. I noticed after running BFU, it put the IE icon back on the desktop and made it my default search engine, and when it was done, brought up the "My Documents" folder. Task Manager comes up again, and when I try to run regedit it now comes up again too. I just ran Ad-Aware '07 and it said I just had some cookies; however, AIM still doesn't connect, which usually tells me something is wrong. If you notice my date is wrong, I know; I have to tell it it's 2005 to run Fruity Loops and get the Producer Edition, being that the reg is from 2005. Hope that helps somebody. This whole problem is from a bad Fruity Loops DL from LimeWire, the Wal-Mart of worms. Thanks man.
« Last Edit: June 27, 2007, 03:29:36 PM by disheeki »

Offline disheeki

the win32.p2p-worm.alcon.a thing...
« Reply #3 on: June 27, 2007, 04:11:06 PM »
This is shortly after my previous post, after running BFU in safe mode, which I maybe should have done in the first place, then starting back up normally and running ComboFix and HijackThis. AIM starts up now after running BFU in safe mode, and things seem a bit quicker overall.
_____________________________________________________________________________

"Michael" - 2007-06-27 17:06:17 - ComboFix 07-06-27.7 - Service Pack 2  NTFS  


(((((((((((((((((((((((((   Files Created from 2007-05-27 to 2007-06-27  )))))))))))))))))))))))))))))))


2007-06-26 19:14   <DIR>   d--------   C:\HJT
2007-06-26 18:32   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-26 18:17   <DIR>   d--------   C:\WINDOWS\CSC
2007-06-26 17:56   <DIR>   d--------   C:\WINDOWS\system32\ActiveScan
2007-06-26 17:29   524,288   --ah-----   C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-26 17:28   <DIR>   d--------   C:\WINDOWS\pss
2007-06-24 15:17   225,280   --a------   C:\WINDOWS\system32\rewire.dll
2007-06-24 15:17   <DIR>   d--------   C:\Program Files\VstPlugins
2007-06-24 15:17   <DIR>   d--------   C:\Program Files\Image-Line
2007-06-24 12:33   <DIR>   d--------   C:\Program Files\BitTorrent
2007-06-24 12:33   <DIR>   d--------   C:\DOCUME~1\Michael\APPLIC~1\BitTorrent
2007-06-20 18:58   <DIR>   d--------   C:\DOCUME~1\Michael\APPLIC~1\Help
2007-06-20 17:21   <DIR>   d--h-----   C:\WINDOWS\PIF
2007-06-20 17:19   57,856   --a------   C:\WINDOWS\system32\CTDetres.dll
2007-06-20 17:18   299,520   --a------   C:\WINDOWS\uninst.exe
2007-06-20 17:18   17,408   --a------   C:\WINDOWS\UnInstall.dll
2007-06-20 17:18   165,888   --a------   C:\WINDOWS\CTDelLau.exe
2007-06-20 17:18   <DIR>   d--------   C:\DOCUME~1\Michael\WINDOWS
2007-06-20 17:12   126,976   --a------   C:\WINDOWS\system32\unzdll.dll
2007-06-20 17:12   <DIR>   d--------   C:\Program Files\Gateway
2007-06-20 17:12   <DIR>   d--------   C:\cabs
2007-06-20 17:05   6,752   --a------   C:\WINDOWS\system32\PfModNT.sys
2007-06-20 17:05   306,688   --a------   C:\WINDOWS\IsUninst.exe
2007-06-20 17:05   <DIR>   d--------   C:\Program Files\Creative
2007-06-20 16:57   40,704   --a------   C:\WINDOWS\system32\drivers\es1371mp.sys
2007-06-20 16:57   10,624   --a------   C:\WINDOWS\system32\drivers\gameenum.sys
2007-06-19 22:20   <DIR>   d--------   C:\Program Files\Lavasoft
2007-06-19 22:20   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-06-19 22:20   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-19 22:18   <DIR>   d--------   C:\Program Files\MSXML 6.0
2007-06-19 22:17   <DIR>   d--------   C:\Program Files\Windows Media Connect 2
2007-06-19 22:16   <DIR>   d--------   C:\WINDOWS\system32\LogFiles
2007-06-19 22:16   <DIR>   d--------   C:\WINDOWS\system32\drivers\UMDF
2007-06-19 22:16   <DIR>   d--------   C:\49f887e5dd32d99ad237
2007-06-19 22:10   23,040   ---------   C:\WINDOWS\kb913800.exe
2007-06-19 22:07   <DIR>   d--------   C:\DOCUME~1\Michael\Incomplete
2007-06-19 22:06   <DIR>   d--------   C:\DOCUME~1\Michael\APPLIC~1\LimeWire
2007-06-19 22:05   1,234   --a------   C:\WINDOWS\mozver.dat
2007-06-19 22:02   <DIR>   d--------   C:\Program Files\MSBuild
2007-06-19 21:59   <DIR>   d--------   C:\WINDOWS\system32\XPSViewer
2007-06-19 21:59   <DIR>   d--------   C:\Program Files\Reference Assemblies
2007-06-19 21:58   14,048   ---------   C:\WINDOWS\system32\spmsg2.dll
2007-06-19 21:56   46,592   ---------   C:\WINDOWS\system32\drivers\irbus.sys
2007-06-19 21:56   19,200   ---------   C:\WINDOWS\system32\drivers\hidir.sys
2007-06-19 21:45   <DIR>   d--------   C:\WINDOWS\network diagnostic
2007-06-19 21:43   <DIR>   d--------   C:\WINDOWS\RegisteredPackages
2007-06-19 21:42   <DIR>   d--------   C:\WINDOWS\system32\URTTemp
2007-06-19 21:37   36,352   ---------   C:\WINDOWS\system32\tsgqec.dll
2007-06-19 21:37   288,768   ---------   C:\WINDOWS\system32\rhttpaa.dll
2007-06-19 21:37   116,736   ---------   C:\WINDOWS\system32\aaclient.dll
2007-06-19 21:35   <DIR>   d--------   C:\DOCUME~1\Michael\APPLIC~1\X-Setup Pro
2007-06-19 21:35   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\X-Setup Pro
2007-06-19 21:27   <DIR>   d--hs----   C:\DOCUME~1\Michael\UserData
2007-06-19 21:19   <DIR>   d--------   C:\WINDOWS\system32\Lang
2007-06-19 21:12   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-19 21:08   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-06-19 20:42   23,856   --a------   C:\WINDOWS\system32\spupdsvc.exe
2007-06-19 20:42   <DIR>   d--------   C:\WINDOWS\system32\PreInstall
2007-06-19 20:41   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-06-19 20:41   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-06-19 20:40   <DIR>   d--------   C:\Program Files\Viewpoint
2007-06-19 20:40   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-06-19 20:39   <DIR>   d--hs----   C:\RECYCLER
2007-06-19 20:39   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-06-19 20:38   <DIR>   d--------   C:\WINDOWS\system32\SoftwareDistribution
2007-06-19 20:37   335   --a------   C:\WINDOWS\nsreg.dat
2007-06-19 20:34   1,280   --a------   C:\WINDOWS\checkip.dat
2007-06-19 20:33   21,035   --a------   C:\WINDOWS\system32\drivers\AegisP.sys
2007-06-19 20:33   <DIR>   d--------   C:\Program Files\NETGEAR
2007-06-19 20:29   737,280   --a------   C:\WINDOWS\iun6002.exe
2007-06-19 20:29   46,592   --a------   C:\WINDOWS\system32\asfrench.dll
2007-06-19 20:29   46,080   --a------   C:\WINDOWS\system32\asrussian.dll
2007-06-19 20:29   46,080   --a------   C:\WINDOWS\system32\asgerman.dll
2007-06-19 20:29   46,080   --a------   C:\WINDOWS\system32\aseng.dll
2007-06-19 20:29   45,568   --a------   C:\WINDOWS\system32\askorean.dll
2007-06-19 20:29   45,568   --a------   C:\WINDOWS\system32\asjapan.dll
2007-06-19 20:29   45,568   --a------   C:\WINDOWS\system32\ASCHT.dll
2007-06-19 20:29   45,568   --a------   C:\WINDOWS\system32\aschs.dll
2007-06-19 20:29   37,888   --a------   C:\WINDOWS\system32\ATKOGL32.dll
2007-06-19 20:29   241,152   --a------   C:\WINDOWS\ATKKBService.exe
2007-06-19 20:29   228,224   --a------   C:\WINDOWS\system32\ATKDISP.dll
2007-06-19 20:29   2,032,640   --a------   C:\WINDOWS\system32\ATKOSDX32.dll
2007-06-19 20:29   11,008   --a------   C:\WINDOWS\system32\drivers\atkkbnt.sys
2007-06-19 20:29   10,496   --a------   C:\WINDOWS\system32\ATKOSDMini.DLL
2007-06-19 20:29   1,975,936   --a------   C:\WINDOWS\system32\drivers\Bravo.sys
2007-06-19 20:29   1,667,072   --a------   C:\WINDOWS\system32\ATKDispCPL.dll
2007-06-19 20:29   <DIR>   d--------   C:\Program Files\GameFace Messenger
2007-06-19 20:29   <DIR>   d--------   C:\Program Files\ASUSTeK
2007-06-19 20:28   180,224   --a------   C:\WINDOWS\system32\nvudisp.exe
2007-06-19 20:28   <DIR>   d--------   C:\WINDOWS\nview
2007-06-19 20:27   6,080   --a------   C:\WINDOWS\system32\drivers\zntport.sys
2007-06-19 20:27   46,080   -ra------   C:\WINDOWS\system32\itevio.dll
2007-06-19 20:27   118,784   -ra------   C:\WINDOWS\system32\Msstdfmt.dll
2007-06-19 20:27   102,912   -ra------   C:\WINDOWS\system32\Ntport.dll
2007-06-19 20:27   <DIR>   d--------   C:\Program Files\ITE
2007-06-19 20:25   36,352   --a------   C:\WINDOWS\system32\drivers\AmdK8.sys
2007-06-19 20:25   <DIR>   d--------   C:\Program Files\AMD
2007-06-19 20:24   864   -r-------   C:\WINDOWS\system32\drivers\alcxinit.dat
2007-06-19 20:24   82,944   --a------   C:\WINDOWS\system32\drivers\wdmaud.sys
2007-06-19 20:24   7,552   --a------   C:\WINDOWS\system32\drivers\MSKSSRV.sys


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 20:48:45   --------   d-----w   C:\Program Files\Bazooka Scanner
2007-04-25 14:21:15   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-17 02:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
2007-04-13 19:19:52   7,680   ----a-w   C:\WINDOWS\system32\lsdelete.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2005-12-09 15:06 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SmartGuardian"="C:\Program Files\ITE\Smart Guardian\ITESMART.exe" [2006-01-18 09:36]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 08:00]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoUserNameInStartMenu"=1 (0x1)
"NoStartMenuEjectPC"=1 (0x1)
"StartMenuLogoff"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4edbdd5d-1e9f-11dc-b629-806d6172696f}]
AutoRun\command- D:\SetupWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4edbdd5e-1e9f-11dc-b629-806d6172696f}]
AutoRun\command- E:\autorun.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\KB910393
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\EasyCDBlock.inf,PerUserInstall

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{407408d4-94ed-4d86-ab69-a7f649d112ee}
%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection QuickLaunchShortcut 640 %systemroot%\inf\mcdftreg.inf

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-27 17:07:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-27 17:07:32
C:\ComboFix2.txt ... 2005-06-27 16:06

   --- E O F ---
______________________________________________________________________
Logfile of HijackThis v1.99.1
Scan saved at 5:10:39 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Michael\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESMART.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
the win32.p2p-worm.alcon.a thing...
« Reply #4 on: June 27, 2007, 09:40:36 PM »
That looks good now.
Can you reboot the computer and post one last HijackThis log, and keep me informed how things are running.
Just some final recommendations ;)

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline disheeki

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
the win32.p2p-worm.alcon.a thing...
« Reply #5 on: June 28, 2007, 03:02:22 PM »
Logfile of HijackThis v1.99.1
Scan saved at 4:00:56 PM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Michael\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESMART.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

__________________________________________________________________
  I have restarted a few times after the last post and everything seems to be back in order. Thank you so much for being so helpful.
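A helper who says "that looks good now" has compared the 6/27 and 6/28 HijackThis logs above by eye: which entries vanished, which appeared, and whether anything that remains points at a missing or oddly specified file. The same comparison as code, added here as an example (it is not part of the thread and not HijackThis code); the two sample logs are constructed from O4/O9 lines quoted in those two posts, and the "unquoted path" heuristic is this example's own check, not something HijackThis reports.

```python
"""Parse, diff and sanity-check HijackThis v1.99.1 logs.

Added example written for this thread; it is not part of the original posts
and not HijackThis code. OLD_LOG and NEW_LOG are constructed from O4/O9 lines
quoted in the 6/27 and 6/28 posts above, so the diff shows what changed
between them: the Aim6 HKCU Run entry is gone and an NvCplDaemon HKLM Run
entry appeared.
"""
import re
from typing import List, Tuple

# Every HijackThis finding starts with a section code such as O4 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<rest>.*)$")
# O4 Run-key entries look like:  HKLM\..\Run: [Name] command line
RUNKEY_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Constructed sample input (entry lines copied from the logs posted above).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:10:39 PM, on 6/27/2007
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESMART.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:00:56 PM, on 6/28/2007
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESMART.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
"""


def parse_entries(log_text: str) -> List[str]:
    """Return only the finding lines (O4, O9, O23 ...); header lines are dropped."""
    return [line.rstrip() for line in log_text.splitlines() if ENTRY_RE.match(line)]


def diff_logs(old_text: str, new_text: str) -> Tuple[List[str], List[str]]:
    """Entries present only in the old log, and entries present only in the new one."""
    old, new = set(parse_entries(old_text)), set(parse_entries(new_text))
    return sorted(old - new), sorted(new - old)


def audit_entries(entries: List[str]) -> List[Tuple[str, str]]:
    """Flag two things a log helper checks first.

    - "(file missing)": HijackThis could not find the referenced binary, so the
      entry is dead weight or points at something that was already removed.
    - An unquoted O4 command whose executable path contains spaces. Helpers ask
      for these to be quoted because an unquoted path with spaces is ambiguous
      to the launcher; whether that is exploitable depends on the launcher.
    """
    findings = []
    for entry in entries:
        match = ENTRY_RE.match(entry)
        if not match:
            continue
        section, rest = match.group("section"), match.group("rest")
        if "(file missing)" in rest:
            findings.append((entry, "target file missing"))
        if section == "O4":
            run = RUNKEY_RE.match(rest)
            if run and not run.group("cmd").startswith('"'):
                cmd = run.group("cmd")
                # Executable part = everything up to and including the first ".exe".
                exe_end = cmd.lower().find(".exe")
                exe_part = cmd[: exe_end + 4] if exe_end >= 0 else cmd
                if " " in exe_part:
                    findings.append((entry, "unquoted path with spaces"))
    return findings


if __name__ == "__main__":
    removed, added = diff_logs(OLD_LOG, NEW_LOG)
    print("Removed since previous log:", *removed, sep="\n  ")
    print("Added since previous log:", *added, sep="\n  ")
    for entry, reason in audit_entries(parse_entries(NEW_LOG)):
        print(f"{reason}: {entry}")
```

Run it and the diff reports exactly one removed entry (Aim6) and one added entry (NvCplDaemon), which is the change a reviewer would want explained by the user (an uninstall, or a driver reinstall) rather than waved through; the audit flags the two xpnetdiag "(file missing)" entries as harmless leftovers and the unquoted SmartGuardian path as something to quote.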

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
the win32.p2p-worm.alcon.a thing...
« Reply #6 on: June 28, 2007, 06:57:48 PM »
It's great that you have Ad-Aware and AVG Anti-Spyware installed,
but you also need your own antivirus software.

I suggest that you do the following
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name and click Create
When that's done

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

OK the prompts; it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning

You should give your computer a bit more protection
Install
SpywareBlaster 3.5.1 by JavaCool  
    *Will block bad ActiveX Controls
    *Block Malevolent cookies in Internet Explorer and Firefox
    *Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

If you don't have your own AV to install I highly recommend you install one of these free AV software
AVG 7 by Grisoft
OR
Avast Home Edition by ALWIL
OR
Avira AntiVir Personal Edition Classic
OR
Active Virus Shield
Powered by Kaspersky (UNCHECK "Security toolbar" during install)

ONLY install one, more than one active AV installed will cause conflicts
After it's installed, ensure it's updated and run a complete system scan

I hope that helps



Offline disheeki

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
the win32.p2p-worm.alcon.a thing...
« Reply #7 on: June 29, 2007, 10:13:44 AM »
I already use an add-on with Firefox, NoScript. Firefox is the only browser I use, except IE for automatic updates, and then of course it doesn't go anywhere but microsoft.com. Is that an okay solution to cookies, ActiveX, and scripts? Which AV program do you recommend most, or which one do you use most?
« Last Edit: June 29, 2007, 10:17:46 AM by disheeki »

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
the win32.p2p-worm.alcon.a thing...
« Reply #8 on: June 30, 2007, 11:36:37 AM »
As mentioned, SpywareBlaster won't run in the background, and it will help to prevent
malevolent cookies in Internet Explorer and Firefox.
I'll leave it as an option to you to install it.

I've used all the AV's at one time or another
They all have their good points

Lately I've got Active Virus shield installed on one computer I'm happy with
But I also have AVG and Avast on other computers I'm happy with too

Try Active Virus Shield; supply a legitimate email address
Save the installer to desktop
When installing UNCHECK "Security toolbar"

When prompted to activate by code
They will have emailed you the code; simply open the email and copy/paste the code

After installation it should auto update
ensure to reboot when prompted
Run a Scan of My Computer when prompted also

Check out Settings afterwards, I prefer to disable scanning of "Startup Objects" on Windows start
But leave the program itself running on startup
I'll leave that up to you
Let me know what you decide
« Last Edit: June 30, 2007, 11:42:03 AM by guestolo »



Offline disheeki

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
the win32.p2p-worm.alcon.a thing...
« Reply #9 on: July 03, 2007, 08:34:14 PM »
I was reluctant at first to try Active Virus Shield, especially it being from AOL, but it's actually very thorough and runs all the time, even during startup and shutdown, and only comes up when it should, which I love. Same with SpywareBlaster. It's running constantly, and though it has not notified me of anything being stopped, maybe it doesn't; it just does it. I doubt it's getting anything, though, because all I use is Firefox and I only allow exactly what I tell it to, using the NoScript add-on. So I'm pretty happy with my current protection setup. Thanks a lot; I have already told friends about your site.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
the win32.p2p-worm.alcon.a thing...
« Reply #10 on: July 03, 2007, 09:03:08 PM »
Quote
i was reluctant at first to try the active virus shield, especially being from aol
My exact thoughts before I tried it :D
But since it was powered by Kaspersky, I had to give it a try

Quote
same with spywareblaster. its running constantly
Remember, SpywareBlaster doesn't run in the background; it sets registry kill bits to help protect you from the bad side of the Internet

I'll lock this topic as your problems are resolved, disheeki. Take care :)

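guestolo's point that SpywareBlaster sets registry kill bits rather than running a resident process is worth seeing concretely. The following is an added example, not SpywareBlaster's code and not part of the thread: a kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and Internet Explorer will not instantiate a control whose CLSID carries it, so nothing needs to be running for the block to hold. The .reg export parsed below is constructed; the Panda ActiveScan CLSID is the one from the O16 line in the logs above (shown here unblocked, since the user wanted that scanner to run), and the other CLSID is a placeholder.

```python
"""What SpywareBlaster-style ActiveX kill bits look like in the registry.

Added example written for this thread; it is not SpywareBlaster's code. A kill
bit is the 0x400 flag in the DWORD "Compatibility Flags" under
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID};
Internet Explorer will not instantiate a control whose CLSID carries it, which
is why the tool needs no resident process. SAMPLE_REG is a constructed .reg
export: the Panda ActiveScan CLSID is the one from the O16 line in the logs
above, the other CLSID is a placeholder.
"""
import re
from typing import Dict, List, Optional

KILL_BIT = 0x00000400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

KEY_RE = re.compile(r"^\[" + re.escape(COMPAT_KEY) + r"\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

# Constructed .reg export: one kill-bitted placeholder CLSID, one unblocked control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}]
"Compatibility Flags"=dword:00000000
"""


def parse_compat_flags(reg_text: str) -> Dict[str, int]:
    """Map each CLSID under the ActiveX Compatibility key to its Compatibility Flags."""
    flags: Dict[str, int] = {}
    current: Optional[str] = None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = key.group(1).upper()
            continue
        value = FLAGS_RE.match(line.strip())
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags


def killbitted(flags: Dict[str, int]) -> List[str]:
    """CLSIDs whose kill bit is set, i.e. controls IE refuses to load."""
    return sorted(clsid for clsid, value in flags.items() if value & KILL_BIT)


def is_blocked(flags: Dict[str, int], clsid: str) -> bool:
    """True if the given control is kill-bitted (CLSID compared case-insensitively)."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)


def killbit_reg(clsids: List[str], existing: Optional[Dict[str, int]] = None) -> str:
    """Emit a .reg file that sets the kill bit for each CLSID.

    The bit is OR-ed into any flags already present so other compatibility
    flags on the control are preserved, which is what a careful tool does.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = clsid.upper()
        value = (existing or {}).get(clsid, 0) | KILL_BIT
        lines += [f"[{COMPAT_KEY}\\{clsid}]", f'"Compatibility Flags"=dword:{value:08x}', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    flags = parse_compat_flags(SAMPLE_REG)
    print("kill-bitted:", killbitted(flags))
    panda = "{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}"
    print("Panda ActiveScan blocked?", is_blocked(flags, panda))
    print(killbit_reg([panda], flags))
```

Exporting the real key (regedit, or `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg` on the XP box) and feeding the file to parse_compat_flags gives the list of controls SpywareBlaster has blocked on that machine; that list, not a running process, is the protection, so "check for updates every couple of weeks" simply means refreshing it.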