Win32.P2P-Worm.Alcan.a HELP PLEASE!(RESOLVED)

  #11 rudimentaryfoot (Full Member)

    Re: Win32.P2P-Worm.Alcan.a HELP PLEASE!

    One problem!
    Every time I reboot in safe mode, I start opening my HJT and then everything goes black and doesn't come back!! I've tried four times and the same thing keeps happening :S Is there any way I can do this in normal mode, or can you tell me what I need to do to get my safe mode to ...work right?
    Thanks
    donovan


  #12 Neal (Dedicated Member)
    Just try normal mode for now. Thanks.

  #13 rudimentaryfoot (Full Member)
    OK,
    first, my HJT scan did not have these two entries:

    O2 - BHO: (no name) - {B294D153-C3D9-4A85-ABD7-4D0512CD0155} - (no file)
    O2 - BHO: (no name) - {C23B4682-A2DB-4AD9-9521-3C48B9EC40E5} - C:\WINNT\system32\pmkjk.dll

    but the rest you had specified I deleted.

    Now, I don't know if it's just because I couldn't do it in safe mode or what, but it wouldn't allow me to delete C:\WINNT\system32\pmkjk.dll, and the other two from the "files" list I believe are not there.
    Also I could not find a "Luxo" folder, but I got rid of the other two.

    ...below are my ComboFix and HJT logs:

    ComboFix 07-11-19.4 - Owner 2007-11-26 19:05:18.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.83 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINNT\IA
    C:\WINNT\system32\kjkmp.bak1
    C:\WINNT\system32\kjkmp.bak2
    C:\WINNT\system32\kjkmp.ini
    C:\WINNT\system32\kjkmp.ini2
    C:\WINNT\system32\kjkmp.tmp
    C:\WINNT\system32\pmkjk.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
    .

    2007-11-24 19:51 <DIR> d-------- C:\NoLopBackups
    2007-11-24 18:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-11-24 18:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2007-11-24 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-23 23:11 <DIR> d-------- C:\VundoFix Backups
    2007-11-23 22:07 <DIR> d-------- C:\WINNT\ERUNT
    2007-11-23 20:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-11-23 20:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-23 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-23 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-23 20:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2
    2007-11-23 00:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-22 10:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
    2007-11-22 08:19 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
    2007-11-22 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-11-22 00:48 <DIR> d-------- C:\WINNT\Internet Logs
    2007-11-21 14:53 <DIR> d-------- C:\Temp
    2007-11-21 14:53 <DIR> d--hs---- C:\Documents and Settings\Owner\Complete
    2007-11-08 08:47 <DIR> d-------- C:\Program Files\Close Sixth Bird

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-26 23:51 --------- d-----w C:\Program Files\Java
    2007-11-26 01:55 --------- d-----w C:\Program Files\LimeWire
    2007-11-24 01:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-23 05:24 --------- d-----w C:\Program Files\Lavasoft
    2007-11-22 18:41 --------- d-----w C:\Program Files\Network Associates
    2007-11-22 02:57 5,761 ----a-w C:\Program Files\install.log
    2007-11-08 13:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\city about store file
    2007-11-06 06:19 --------- d-----w C:\Program Files\DivX
    2007-10-16 03:54 --------- d-----w C:\Program Files\QuickTime
    2007-10-16 03:35 --------- d-----w C:\Program Files\iPod
    2007-10-16 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-16 03:32 --------- d-----w C:\Program Files\Apple Software Update
    2007-10-16 03:31 --------- d-----w C:\Program Files\Common Files\Apple
    2007-10-16 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-10-15 17:03 --------- d-----w C:\Program Files\Microsoft Games
    2007-10-15 17:01 --------- d-----w C:\Program Files\GameSpy Arcade
    2007-10-15 15:59 --------- d-----w C:\Program Files\MSXML 4.0
    2007-10-09 03:22 --------- d-----w C:\Program Files\LexmarkX83
    2007-10-03 16:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-03 15:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
    2005-02-12 21:18 56,600 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2001-06-20 21:19 40,960 -c--a-w C:\Program Files\ACMonitor_X83.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="???\WkDetect.exe" []
    "AIM"="C:\Program Files\AIM95\aim.exe" [2004-09-01 11:26]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2003-07-10 04:25]
    "iTunesHelper"="E:\New Folder (2)\iTunesHelper.exe" []
    "WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 19:34]
    "PrinTray"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe" []
    "MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 10:00]
    "Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 16:52]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-03-26 05:02]
    "LWBMOUSE"="C:\Program Files\Gigaware\Gigaware Driver\4.06\MOUSE32A.EXE" [2001-11-09 01:47]
    "Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" []
    "Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" []
    "Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" []
    "HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2003-07-10 04:13]
    "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 C:\WINNT\system32\SK9910DM.EXE]
    "GWMDMMSG"="GWMDMMSG.exe" [2002-05-06 19:12 C:\WINNT\GWMDMMSG.exe]
    "AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 08:47]
    "THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-23 20:43]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-23 20:44]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless PCI Card Configuration Utility.lnk - C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe [2003-05-24 15:52:24]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINNT\system32\pmkjk.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Store file readme bash]
    C:\Documents and Settings\All Users\Application Data\city about store file\Aim Plus.exe

    R2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe
    R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINNT\system32\drivers\NMSCFG.SYS
    S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINNT\system32\Drivers\usbscan.sys
    S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINNT\system32\DRIVERS\mr97310v.sys
    S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
    S3 TLA13;TLA13;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\user.bak
    S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;C:\WINNT\system32\DRIVERS\WMP11V27.sys

    *Newly Created Service* - NMSCFG
    *Newly Created Service* - NMSSVC
    *Newly Created Service* - SYMREDRV
    *Newly Created Service* - SYMTDI
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-15 12:03:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-26 19:17:30
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-26 19:20:55 - machine was rebooted
    .
    --- E O F ---




    ####################################################




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:25:18 PM, on 11/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Gigaware\Gigaware Driver\4.06\MOUSE32A.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\TrojanHunter 5.0\THGuard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\FoolYou.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\New Folder (2)\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Gigaware\Gigaware Driver\4.06\MOUSE32A.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
    O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://131.204.99.250/activex/AxisCamControl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/compan.../bin/imvid.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
    O24 - Desktop Component 0: (no name) - http://www.britneyspears.com/images/..._wp_3_1024.jpg

    --
    End of file - 7663 bytes


  #14 Neal (Dedicated Member)
    Are you still getting the Alcan worm notifications? I never did see any indication of that in your HijackThis log.



    What is this? It is new.

    C:\Program Files\Close Sixth Bird


    This is a LOP infection; I wonder where that came from? Did you install any new programs?
    That is probably what the above is. LOP infection folders usually show up in Application Data folders; maybe this is a new variant.

    C:\Documents and Settings\All Users\Application Data\city about store file


    I strongly advise uninstalling this from Add/Remove Programs; it is a good place to get infected:

    C:\Program Files\GameSpy Arcade


    Delete these folders please:

    C:\Documents and Settings\All Users\Application Data\city about store file
    C:\Program Files\Close Sixth Bird if you don't know what that is


    Reboot after deletion please




    Please download NoLop to your desktop from one of the links below...
    Link 1
    Link 2
    Link 3
    • First close any other programs you have running, as this will require a reboot
    • Double click NoLop.exe to run it
    • Now click the button labelled "Search and Destroy"
      <<your computer will now be scanned for infected files>>
    • When scanning is finished you will be prompted to reboot only if infected; click OK
    • Now click the "REBOOT" button.
    • A message should pop up from NoLop. If not, double click the program again and it will finish.
    Please post the contents of C:\NoLop.log along with a fresh HijackThis log.
    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder, then rerun the program.--


    Then open Notepad (NOT WordPad) and copy and paste the text in the quote box below into it:
    (don't forget to copy and paste REGEDIT4)



    REGEDIT4
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    Save this as CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.






    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.



    Tell me how things are now, please.
    Last edited by Neal; 27-11-2007 at 03:01 AM.
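    The CFScript above rewrites the LSA "Authentication Packages" value, which ComboFix had reported as `msv1_0 C:\WINNT\system32\pmkjk.dll`. Every DLL listed there is loaded into lsass.exe at boot, so it is a persistence point worth checking on any machine, not only this one. The following is an added example (it is not code from this thread, from ComboFix or from HijackThis) showing how the REGEDIT4 `hex(7):` encoding used in the CFScript is built and decoded, and how a ComboFix "Reg Loading Points" LSA line can be checked against a baseline. The baseline set (only `msv1_0` on a stock Windows XP box) and the sample log line are assumptions constructed from what the thread shows.

```python
r"""
Added example, not part of the original thread: encode/decode the REGEDIT4
hex(7) (REG_MULTI_SZ) form of the LSA "Authentication Packages" value and flag
entries that are not in an assumed baseline.

In the thread ComboFix reported:
    "Authentication Packages"= msv1_0 C:\WINNT\system32\pmkjk.dll
and the CFScript reset it to hex(7):6d,73,76,31,5f,30,00,00 (just "msv1_0").
"""
from __future__ import annotations

# Assumption: a stock Windows XP system lists only the NTLM package here.
# LSA loads every DLL named in this value into lsass.exe (SYSTEM, before any
# user logs on), which is why malware registers itself in it.
BASELINE_AUTH_PACKAGES = {"msv1_0"}

LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"


def encode_multi_sz(values: list[str]) -> str:
    """Encode a REG_MULTI_SZ as the REGEDIT4 'hex(7):' comma-separated byte list.

    REGEDIT4 (ANSI .reg) stores each string as its bytes followed by a NUL,
    with one extra NUL terminating the whole list.
    """
    raw = b"".join(v.encode("ascii") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(hex7: str) -> list[str]:
    """Parse a 'hex(7):..' value (line continuations '\\' allowed) back to strings."""
    if not hex7.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ hex(7) value")
    body = hex7[len("hex(7):"):].replace("\\\n", "").replace(" ", "")
    raw = bytes(int(h, 16) for h in body.split(",") if h)
    # Split on NUL; the terminating NULs produce empty strings that are dropped.
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]


def parse_combofix_lsa_line(line: str) -> list[str]:
    """Extract the package list from a ComboFix 'Reg Loading Points' LSA line.

    ComboFix prints the REG_MULTI_SZ entries space-separated after '='.
    """
    _, _, rhs = line.partition("=")
    return rhs.split()


def unexpected_packages(packages: list[str]) -> list[str]:
    """Return entries not in the baseline (case-insensitive).

    A full path is itself a red flag: legitimate entries are bare names that
    LSA resolves from system32.
    """
    return [p for p in packages if p.lower() not in BASELINE_AUTH_PACKAGES]


def cfscript_reset_lsa(packages: list[str]) -> str:
    """Build a CFScript block of the same shape as the one posted in the thread."""
    return (
        "REGEDIT4\n"
        "Registry::\n"
        f"[{LSA_KEY}]\n"
        f'"Authentication Packages"={encode_multi_sz(packages)}\n'
    )


if __name__ == "__main__":
    # Constructed sample: the line ComboFix showed for this machine.
    sample = r'"Authentication Packages"= msv1_0 C:\WINNT\system32\pmkjk.dll'
    found = parse_combofix_lsa_line(sample)
    bad = unexpected_packages(found)
    print("packages:", found)
    print("unexpected:", bad)
    if bad:
        print("proposed CFScript:\n" + cfscript_reset_lsa(sorted(BASELINE_AUTH_PACKAGES)))
```

The same decode/encode pair applies to the neighbouring "Notification Packages" and "Security Packages" values under the same key, which are equally attractive to malware; only the baseline set would differ.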

  #15 rudimentaryfoot (Full Member)
    Before you review my logs: I haven't really done much that you haven't told me to in the past couple of days, so it would be hard for me to give you a report of behavior... Yesterday morning I was getting A LOT (446 out of 4669) of detections of a "worm/VB.SO", but it has not returned since I trashed it at the end of that scan. I have not seen the Alcan version in TWO DAYS! Other than the blacking out in safe mode I haven't been experiencing any problems. It wasn't so much that the computer was functioning poorly at the beginning; I just knew the worm was there and had tried to get rid of it for several days on my own, but to no avail. I figured it would only get worse and start some serious issues if not taken care of... I am appropriately labelled "newbie" over there on the left.

    Anyway, right after I post this I am going to do a full system scan with my AVG and I will get the results in here in the morning. Since you asked, I have not downloaded any new programs unless you told me to, but in the course of this whole mission I have accumulated quite an arsenal against the onslaught of computer evils and would appreciate it if you could help me whittle the list down to the more important items before you send me on my way. I really appreciate the help and have my fingers crossed about these scans I'm about to do.

    ...oh, and what is this Britney Spears thing down at the bottom of my list? I don't know where that came from or what it is. I guess it's OK to check it and click "fix this" too?

    OK,
    I deleted these as you instructed:
    C:\Program Files\GameSpy Arcade
    C:\Documents and Settings\All Users\Application Data\city about store file
    C:\Program Files\Close Sixth Bird
    ...the last one was what I believe to be this, from an earlier post of yours...
    C:\DOCUME~1\Owner\APPLIC~1\CLOSES~1


    My NoLop scan came up with NO INFECTIONS DETECTED!


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:52:35 PM, on 11/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\system32\sessmgr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\TrojanHunter 5.0\THGuard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Desktop\FoolYou.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [iTunesHelper] "E:\New Folder (2)\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Gigaware\Gigaware Driver\4.06\MOUSE32A.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???\WkDetect.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
    O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://131.204.99.250/activex/AxisCamControl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/compan.../bin/imvid.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
    O24 - Desktop Component 0: (no name) - http://www.britneyspears.com/images/..._wp_3_1024.jpg

    --
    End of file - 7636 bytes

    thanks again

  #16 rudimentaryfoot (Full Member)
    In addition to the above, I don't know how I missed this from your last instructions, but here is that other ComboFix scan:

    ComboFix 07-11-19.4 - Owner 2007-11-26 21:46:16.2 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
    .

    2007-11-26 20:50 106 --a------ C:\delete.bat
    2007-11-26 19:44 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7
    2007-11-26 19:39 69,632 --a------ C:\WINNT\system32\javacpl.cpl
    2007-11-24 19:51 <DIR> d-------- C:\NoLopBackups
    2007-11-24 18:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-11-24 18:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2007-11-24 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-23 23:11 <DIR> d-------- C:\VundoFix Backups
    2007-11-23 22:07 <DIR> d-------- C:\WINNT\ERUNT
    2007-11-23 20:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-11-23 20:44 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-11-23 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-23 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-11-23 20:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy2
    2007-11-23 00:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-11-22 10:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TrojanHunter
    2007-11-22 08:19 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
    2007-11-22 01:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-11-22 00:48 <DIR> d-------- C:\WINNT\Internet Logs
    2007-11-21 14:53 <DIR> d-------- C:\Temp
    2007-11-21 14:53 <DIR> d--hs---- C:\Documents and Settings\Owner\Complete

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-27 00:39 --------- d-----w C:\Program Files\Java
    2007-11-26 01:55 --------- d-----w C:\Program Files\LimeWire
    2007-11-24 01:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-23 07:12 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
    2007-11-23 07:12 53,080 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
    2007-11-23 05:24 --------- d-----w C:\Program Files\Lavasoft
    2007-11-22 18:41 --------- d-----w C:\Program Files\Network Associates
    2007-11-22 02:57 5,761 ----a-w C:\Program Files\install.log
    2007-11-21 19:57 147,456 ----a-w C:\WINNT\system32\vbzip10.dll
    2007-11-06 06:19 --------- d-----w C:\Program Files\DivX
    2007-10-16 03:54 --------- d-----w C:\Program Files\QuickTime
    2007-10-16 03:35 --------- d-----w C:\Program Files\iPod
    2007-10-16 03:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-16 03:32 --------- d-----w C:\Program Files\Apple Software Update
    2007-10-16 03:31 --------- d-----w C:\Program Files\Common Files\Apple
    2007-10-16 03:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-10-15 17:03 --------- d-----w C:\Program Files\Microsoft Games
    2007-10-15 15:59 --------- d-----w C:\Program Files\MSXML 4.0
    2007-10-09 03:22 --------- d-----w C:\Program Files\LexmarkX83
    2007-10-03 16:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-03 15:54 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
    2007-09-28 16:08 156,992 ----a-w C:\WINNT\system32\DivXCodecVersionChecker.exe
    2007-09-28 16:07 524,288 ----a-w C:\WINNT\system32\DivXsm.exe
    2007-09-28 16:07 3,596,288 ----a-w C:\WINNT\system32\qt-dx331.dll
    2007-09-28 16:07 200,704 ----a-w C:\WINNT\system32\ssldivx.dll
    2007-09-28 16:07 129,784 ------w C:\WINNT\system32\pxafs.dll
    2007-09-28 16:07 120,056 ------w C:\WINNT\system32\pxcpyi64.exe
    2007-09-28 16:07 118,520 ------w C:\WINNT\system32\pxinsi64.exe
    2007-09-28 16:07 1,044,480 ----a-w C:\WINNT\system32\libdivx.dll
    2007-09-28 16:05 823,296 ----a-w C:\WINNT\system32\divx_xx0c.dll
    2007-09-28 16:05 823,296 ----a-w C:\WINNT\system32\divx_xx07.dll
    2007-09-28 16:05 81,920 ----a-w C:\WINNT\system32\dpl100.dll
    2007-09-28 16:05 802,816 ----a-w C:\WINNT\system32\divx_xx11.dll
    2007-09-28 16:05 739,840 ----a-w C:\WINNT\system32\DivX.dll
    2007-09-28 16:05 593,920 ----a-w C:\WINNT\system32\dpuGUI11.dll
    2007-09-28 16:05 57,344 ----a-w C:\WINNT\system32\dpv11.dll
    2007-09-28 16:05 53,248 ----a-w C:\WINNT\system32\dpuGUI10.dll
    2007-09-28 16:05 344,064 ----a-w C:\WINNT\system32\dpus11.dll
    2007-09-28 16:05 294,912 ----a-w C:\WINNT\system32\dpu11.dll
    2007-09-28 16:05 294,912 ----a-w C:\WINNT\system32\dpu10.dll
    2007-09-28 16:05 196,608 ----a-w C:\WINNT\system32\dtu100.dll
    2007-09-28 16:05 12,288 ----a-w C:\WINNT\system32\DivXWMPExtType.dll
    2005-02-12 21:18 56,600 -c--a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2001-06-20 21:19 40,960 -c--a-w C:\Program Files\ACMonitor_X83.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-26_19.19.57.98 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-09-25 03:30:28 135,168 ----a-w C:\WINNT\system32\java.exe
    + 2007-09-25 03:30:30 135,168 ----a-w C:\WINNT\system32\javaw.exe
    + 2007-09-25 04:31:42 139,264 ----a-w C:\WINNT\system32\javaws.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="???\WkDetect.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2003-07-10 04:25]
    "iTunesHelper"="E:\New Folder (2)\iTunesHelper.exe" []
    "WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2001-10-05 19:34]
    "PrinTray"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe" []
    "MoneyStartUp10.0"="C:\Program Files\Microsoft Money\System\Activation.exe" [2001-07-25 10:00]
    "Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2001-08-23 16:52]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-03-26 05:02]
    "LWBMOUSE"="C:\Program Files\Gigaware\Gigaware Driver\4.06\MOUSE32A.EXE" [2001-11-09 01:47]
    "Lexmark X83 Button Monitor"="C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe" []
    "Lexmark X83 Button Manager"="C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe" []
    "Keyboard Preload Check"="C:\OEMDRVRS\KEYB\Preload.exe" []
    "HotKeysCmds"="C:\WINNT\System32\hkcmd.exe" [2003-07-10 04:13]
    "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 C:\WINNT\system32\SK9910DM.EXE]
    "GWMDMMSG"="GWMDMMSG.exe" [2002-05-06 19:12 C:\WINNT\GWMDMMSG.exe]
    "AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-02-28 08:47]
    "THGuard"="C:\Program Files\TrojanHunter 5.0\THGuard.exe" [2007-09-09 09:31]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-23 20:43]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-23 20:44]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Wireless PCI Card Configuration Utility.lnk - C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe [2003-05-24 15:52:24]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Store file readme bash]
    C:\Documents and Settings\All Users\Application Data\city about store file\Aim Plus.exe

    S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINNT\system32\Drivers\usbscan.sys
    S2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe
    S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINNT\system32\DRIVERS\mr97310v.sys
    S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
    S3 TLA13;TLA13;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\user.bak
    S3 WMP11V27;Instant Wireless PCI Card V2.7 Driver;C:\WINNT\system32\DRIVERS\WMP11V27.sys

    *Newly Created Service* - NMSSVC
    *Newly Created Service* - SYMREDRV
    *Newly Created Service* - SYMTDI
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-15 12:03:01 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-26 21:50:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-11-26 21:51:48
    C:\ComboFix2.txt ... 2007-11-26 19:20
    .
    --- E O F ---

  7. #17
    Neal is offline Dedicated Member
    Yes, fix the Britney stuff; I figured you put that there on purpose.

    Open Notepad and copy/paste the text in the quotebox below into it:

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Store file readme bash]

    Save this as CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again. No need to post the ComboFix log.

    Other than that one registry fix I don't see anything else.

    If you feel things are OK you can delete all tools we used.
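
    The "Reg Loading Points" section of the ComboFix log above is what Neal is reading when he singles out the msconfig\startupreg "Store file readme bash" entry. Below is an added Python example (my own code, not ComboFix's and not from this thread) that parses lines in that shape and flags the autostart entries an analyst would look at first: paths the scanner could not resolve (shown as ???), empty [] brackets (no file found at scan time), executables sitting in user-writable profile folders, and items parked under msconfig's startupreg key. The sample lines are constructed from the log above with the forum's wrapped key names re-joined; the heuristics are my own assumptions and produce review candidates, not verdicts (the iTunes entry, for instance, most likely just points at a drive that was not plugged in).

```python
"""Triage a ComboFix-style "Reg Loading Points" section for autostart entries
worth a second look.  Added example for this thread; not ComboFix's own code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the log posted above (key names re-joined
# where the forum software wrapped them mid-word).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="???\WkDetect.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINNT\System32\igfxtray.exe" [2003-07-10 04:25]
"iTunesHelper"="E:\New Folder (2)\iTunesHelper.exe" []
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 C:\WINNT\system32\SK9910DM.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Store file readme bash]
C:\Documents and Settings\All Users\Application Data\city about store file\Aim Plus.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="path" [timestamp ...]  -- the brackets are empty when the file was not found
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')

# Folders a non-admin user can write to (assumption: typical XP profile layout).
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Entry:
    key: str
    name: str
    path: str
    stamp: Optional[str]          # None when the log line carries no [...] field at all
    reasons: List[str] = field(default_factory=list)


def parse_loading_points(text: str) -> List[Entry]:
    """Walk the section line by line, remembering the current registry key."""
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue                      # text before the first key header
        m = VALUE_RE.match(line)
        if m:
            entries.append(Entry(key, m.group("name"), m.group("path"), m.group("stamp").strip()))
        else:
            # msconfig\startupreg items are printed as a bare path under their key;
            # use the key's last component as the entry name.
            entries.append(Entry(key, key.rsplit("\\", 1)[-1], line, None))
    return entries


def triage(text: str) -> List[Entry]:
    """Return the entries that trip at least one heuristic, with the reasons attached."""
    flagged = []
    for e in parse_loading_points(text):
        if e.path.startswith("???"):
            e.reasons.append("scanner could not resolve the executable path")
        elif e.stamp == "":
            e.reasons.append("empty [] field: target file not found at scan time")
        if any(d in e.path.lower() for d in USER_WRITABLE):
            e.reasons.append("executable lives in a user-writable profile folder")
        if "\\msconfig\\startupreg\\" in e.key.lower():
            e.reasons.append("parked under msconfig\\startupreg (disabled item still registered)")
        if e.reasons:
            flagged.append(e)
    return flagged


def flagged_names(text: str) -> List[str]:
    return [e.name for e in triage(text)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.name!r} -> {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

    The parser handles the two line shapes visible in the log, quoted "Name"="path" [stamp] values and the bare path ComboFix prints under a startupreg key; other sections of the log (shellexecutehooks, winlogon notify) use yet another layout and would need their own pattern. Run against the sample, it flags the unresolved Works entry, the iTunes entry with no file found, and the startupreg item, which trips two heuristics at once: it sits under All Users\Application Data and it is a disabled-via-msconfig item that is still registered.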

  8. #18
    rudimentaryfoot is offline Full Member
    I did that registry change, and thank you so much for your help. I actually learned a lot from this whole situation, but could never have figured it out on my own, I don't think. Thanks again, and if I can ask, what do you suggest for a good anti-virus program to always have on, like I have AVG right now, or is it good enough? Have a good one and know your help was very appreciated, and I'm sure all the other newbies out there with similar problems are equally indebted-

  9. #19
    rudimentaryfoot is offline Full Member
    Well, I did a full scan with AVG and it only came up with these two entries, which were deleted:
    C:\qoobox\Quarantine\catchme2007-11-26_191713.89.zip
    C:\SystemVolumeInformation\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP2\A0000013.dll

    After that, I ran a complete scan with SUPERAntiSpyware and no detections were found.
    So thanks, and I think we're good.

  10. #20
    Neal is offline Dedicated Member
    I use AVG free edition; it runs in the background and scans emails also.

    Sunbelt Personal Firewall (paid-for version)

    Sunbelt CounterSpy as a run-all-the-time spyware protection (paid-for version)

    Spybot S&D 1.4 version, don't like the new version.




    Excellent,

    Congratulations, your log shows that your SYSTEM IS CLEAN

    There are a few things you must do once you are completely clean:
    1. Re-hide your System Files and Folders to prevent any future accidents.

      Reconfigure Windows XP to hide hidden files:
      • Click Start. Open My Computer.
      • Select the Tools menu and click Folder Options. Select the View Tab.
      • Under the Hidden files and folders heading deselect "Show hidden files and folders".
      • Check the "Hide protected operating system files (recommended)" option.
      • Click Yes to confirm. Click OK.
    2. Please download ATF Cleaner by Atribune.
      This program is for XP and Windows 2000 only
      • Double-click ATF-Cleaner.exe to run the program.
        Under Main choose: Select All
        Click the Empty Selected button.
      If you use Firefox browser
      • Click Firefox at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      If you use Opera browser
      • Click Opera at the top and choose: Select All
        Click the Empty Selected button.
        NOTE: If you would like to keep your saved passwords, please click No at the prompt.
      Click Exit on the Main menu to close the program.
      For Technical Support, double-click the e-mail address located at the bottom of each menu.
    3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

      TO DISABLE SYSTEM RESTORE
      1. Right-click "My Computer", and then left click "Properties".
      2. Left click on "System Restore Tab"
      3. Check box beside "Turn Off System Restore"
      4. Left click on "Apply"
      Reboot your System

      TO ENABLE SYSTEM RESTORE
      1. Remove check mark from "Turn Off System Restore"
      2. Click on "Apply"
    Here are some tips to reduce the potential for spyware infection in the future:

    Make sure you keep your Windows OS current by visiting Windows Update
    regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

    I strongly recommend installing the following applications:
    • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
    • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
    • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
    To protect yourself further:
    • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
    And also see TonyKlein's good advice
    So how did I get infected in the first place? (My Favorite)



    good luck
