Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help With: WIN32.P2P-WORM.ALCAN.A [RESOLVED]


  • This topic is locked This topic is locked

#1
PM2008

PM2008

    New Member

  • Member
  • Pip
  • 5 posts
Hello, I have had this worm for quite some time and it is really annoying because I can't find the Win32 folder or open Ctrl+Alt+Del. Please help!

Here is my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 02:06:33 PM, on 9/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\gearsec.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\winupdates\winupdates.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Documents and Settings\Main\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: @d:\Program Files\Messenger2\im2_ie_plugin.dll,-4 - {410C30C7-098A-4090-928E-F1D356D34C7F} - d:\Program Files\Messenger2\im2_ie_plugin.dll
O9 - Extra 'Tools' menuitem: Run IM2 Messenger - {410C30C7-098A-4090-928E-F1D356D34C7F} - d:\Program Files\Messenger2\im2_ie_plugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23....es/MsnPUpld.cab
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.c.....AST SETUP.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • 0

Advertisements


#2
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: (no name) - {11359F4A-B191-42D7-905A-594F8CF0387B} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folder -

C:\Program Files\winupdates

Run CleanUp and delete all temp files including temporary internet files

Reboot the PC in Normal Mode.

Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.
  • 0

#3
PM2008

PM2008

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi, umm... when I searched for 'C:\Program Files\winupdates', it wasn't there, other than that everything went ok.
(P.S.:Now I can use Ctrl+Alt+Del, but there is still no Win32 folder.)

Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:09:22 AM, on 10/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\gearsec.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
D:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\Main\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: @d:\Program Files\Messenger2\im2_ie_plugin.dll,-4 - {410C30C7-098A-4090-928E-F1D356D34C7F} - d:\Program Files\Messenger2\im2_ie_plugin.dll
O9 - Extra 'Tools' menuitem: Run IM2 Messenger - {410C30C7-098A-4090-928E-F1D356D34C7F} - d:\Program Files\Messenger2\im2_ie_plugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23....es/MsnPUpld.cab
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.c.....AST SETUP.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Panda Scan Report:


Incident Status Location

Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM32\msbb321.dll
Adware:adware/wupd No disinfected C:\WINDOWS\SYSTEM32\a95kfrhe.ini
Adware:adware/savenow No disinfected C:\WINDOWS\SYSTEM32\baur5s9q.dat
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\ritsacnk.dat
Adware:adware/beginto No disinfected C:\WINDOWS\SYSTEM32\rtneg2.dll
Adware:adware/xplugin No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\file.exe
Adware:adware/sbsoft No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\webdlg32.inf
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:adware/webdir No disinfected C:\WINDOWS\pxwma.dll
Spyware:spyware/betterinet No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\msbb321.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\SplWbr.dll
Virus:Trj/Clicker.CN Disinfected C:\WINDOWS\SYSTEM32\runsrv32.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM32\holldvc.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\a95kfrhe.ini
Adware:Adware/Beginto No disinfected C:\WINDOWS\SYSTEM32\rtneg2.dll
Virus:Trj/Dropper.AE Disinfected C:\WINDOWS\Downloaded Program Files\file.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\Downloaded Program Files\webdlg32.inf
Adware:Adware/TopRebates No disinfected C:\WINDOWS\iNetPal\ezTSetup.exe
Virus:W32/Alcan.A.worm Disinfected C:\Program Files\winupdates\winupdates.exe
Virus:W32/Alcan.A.worm Disinfected C:\Program Files\winupdates\a.zip[Setup.exe]
Virus:W32/Imagrayd.A.wom Disinfected C:\Documents and Settings\Main\My Documents\Morpheus Shared\Downloads\Torrent Microsoft Student 2006.zip[Setup.exe]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Main\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-30ecbeac.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Main\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-30ecbeac.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Main\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-30ecbeac.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Main\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-30ecbeac.zip[Installer.class]
Virus:Trj/Clicker.CN Disinfected C:\System Volume Information\_restore{4A82B4F5-FE8E-4303-90B2-42F193C9824B}\RP339\A0092513.dll
Virus:W32/Alcan.A.worm Disinfected C:\System Volume Information\_restore{4A82B4F5-FE8E-4303-90B2-42F193C9824B}\RP339\A0092515.exe
  • 0

#4
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
If a virus scanner tells you that you have "WIN32.P2P-WORM.ALCAN.A" infection, it doesnt mean that you will find it in Win32 folder !!!!!!!!!

There is no win32 default system folder in Windows XP !!!!!!!!!!!



Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.
  • 0

#5
PM2008

PM2008

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Sorry, I meant System32 folder. :tazz:

Spy Sweeper Log:

********
12:41 PM: |··· Start of Session, Sunday, October 02, 2005 ···|
12:41 PM: Spy Sweeper started
12:41 PM: Sweep initiated using definitions version 547
12:41 PM: Starting Memory Sweep
12:50 PM: Memory Sweep Complete, Elapsed Time: 00:09:12
12:50 PM: Starting Registry Sweep
12:50 PM: Found Adware: exact cashback/bargain buddy
12:50 PM: HKCR\clsid\{c0ef89ee-eec7-4535-a041-f1ebf79560a7}\ (14 subtraces) (ID = 105370)
12:50 PM: HKLM\software\classes\clsid\{c0ef89ee-eec7-4535-a041-f1ebf79560a7}\ (14 subtraces) (ID = 105373)
12:50 PM: HKLM\software\classes\webinstaller.cexecute\ (5 subtraces) (ID = 105376)
12:50 PM: HKCR\webinstaller.cexecute\ (5 subtraces) (ID = 105385)
12:50 PM: Found Adware: coolwebsearch (cws)
12:50 PM: HKCR\interface\{cf021f3f-3e14-23a5-cba2-7173706d1316}\ (8 subtraces) (ID = 108399)
12:50 PM: HKLM\software\classes\interface\{cf021f3f-3e14-23a5-cba2-7173706d1316}\ (8 subtraces) (ID = 109777)
12:50 PM: HKLM\software\classes\spm1316.spm1316.1\ (3 subtraces) (ID = 109793)
12:50 PM: HKLM\software\classes\spm1316.spm1316\ (3 subtraces) (ID = 109794)
12:50 PM: HKLM\software\classes\typelib\{cf021f32-3e14-23a5-cba2-7173706d1316}\ (ID = 109804)
12:50 PM: HKCR\spm1316.spm1316.1\ (3 subtraces) (ID = 112498)
12:50 PM: HKCR\spm1316.spm1316\ (3 subtraces) (ID = 112499)
12:50 PM: HKCR\typelib\{cf021f32-3e14-23a5-cba2-7173706d1316}\ (ID = 112511)
12:50 PM: Found Adware: cws_ns3
12:50 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\webdlg32.dll (ID = 123378)
12:50 PM: Found Adware: ebates money maker
12:50 PM: HKU\S-1-5-21-1060284298-920026266-1957994488-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
12:50 PM: Found Adware: webrebates
12:50 PM: HKLM\software\microsoft\windows\currentversion\uninstall\unebmm350\ (3 subtraces) (ID = 125601)
12:50 PM: HKLM\software\microsoft\windows\currentversion\uninstall\unebmm350\ (3 subtraces) (ID = 125601)
12:50 PM: Found Adware: drsnsrch.com hijack
12:50 PM: HKU\S-1-5-21-1060284298-920026266-1957994488-1009\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
12:50 PM: Found Adware: rx toolbar
12:50 PM: HKU\S-1-5-21-1060284298-920026266-1957994488-1009\software\rx toolbar\ (1 subtraces) (ID = 140298)
12:50 PM: Found Adware: shopathomeselect
12:50 PM: HKLM\software\classes\webinstaller.cexecute.1\ (3 subtraces) (ID = 141687)
12:50 PM: HKCR\webinstaller.cexecute.1\ (3 subtraces) (ID = 141739)
12:50 PM: Found Trojan Horse: trojan-downloader-updateagent
12:50 PM: HKLM\software\winsysupdate\ (3 subtraces) (ID = 144817)
12:51 PM: Found Adware: begin2search
12:51 PM: HKU\S-1-5-21-1060284298-920026266-1957994488-1009\software\_rtneg2\ (4209 subtraces) (ID = 639270)
12:51 PM: Registry Sweep Complete, Elapsed Time:00:00:43
12:51 PM: Starting Cookie Sweep
12:51 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:51 PM: Starting File Sweep
12:51 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
12:51 PM: Found Adware: websearch toolbar
12:51 PM: tbps.ini (ID = 85907)
12:52 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
12:52 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
12:52 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
12:52 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
12:52 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
12:52 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
12:52 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
12:52 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
12:52 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
12:52 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
12:53 PM: c:\windows\system32\sahimages (3 subtraces) (ID = -2147480329)
12:53 PM: c:\windows\system32\cache32_rtneg2 (1 subtraces) (ID = -2147481388)
12:55 PM: Found Adware: webdir
12:55 PM: pxwma.dll (ID = 95143)
12:55 PM: 70tovmto.ini (ID = 75631)
12:55 PM: a95kfrhe.ini (ID = 75953)
12:55 PM: baur5s9q.dat (ID = 75676)
12:55 PM: q10pvbrv.dat (ID = 75851)
12:55 PM: ap2nqrd4.dat (ID = 75644)
12:55 PM: rtneg2.dll (ID = 51061)
12:56 PM: Found Adware: ez-finder toolbar
12:56 PM: webdlg32.inf (ID = 60327)
12:58 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\main\ntuser.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\main\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\main\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:58 PM: Warning: Failed to open file "c:\documents and settings\main\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:59 PM: File Sweep Complete, Elapsed Time: 00:08:35
12:59 PM: Full Sweep has completed. Elapsed time 00:18:36
12:59 PM: Traces Found: 4328
1:13 PM: Removal process initiated
1:13 PM: Quarantining All Traces: exact cashback/bargain buddy
1:13 PM: Quarantining All Traces: coolwebsearch (cws)
1:13 PM: Quarantining All Traces: cws_ns3
1:13 PM: Quarantining All Traces: ebates money maker
1:14 PM: Quarantining All Traces: webrebates
1:14 PM: Quarantining All Traces: drsnsrch.com hijack
1:14 PM: Quarantining All Traces: rx toolbar
1:14 PM: Quarantining All Traces: shopathomeselect
1:14 PM: Quarantining All Traces: trojan-downloader-updateagent
1:14 PM: Quarantining All Traces: begin2search
1:14 PM: Quarantining All Traces: websearch toolbar
1:14 PM: Quarantining All Traces: webdir
1:14 PM: Quarantining All Traces: ez-finder toolbar
1:14 PM: Removal process completed. Elapsed time 00:01:21
********
  • 0

#6
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
system32 folder is a windows system folder and is usually hidden.

To view hidden and system files and folders, please read this page - http://www.bleepingc...tutorial62.html

Delete the files -

C:\WINDOWS\SYSTEM32\msbb321.dll
C:\WINDOWS\SYSTEM32\a95kfrhe.ini
C:\WINDOWS\SYSTEM32\baur5s9q.dat
C:\WINDOWS\SYSTEM32\ritsacnk.dat
C:\WINDOWS\SYSTEM32\rtneg2.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\file.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\webdlg32.inf
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\pxwma.dll
C:\WINDOWS\SYSTEM32\SplWbr.dll
C:\WINDOWS\SYSTEM32\runsrv32.dll
C:\WINDOWS\SYSTEM32\holldvc.exe
C:\WINDOWS\SYSTEM32\a95kfrhe.ini
C:\WINDOWS\iNetPal\ezTSetup.exe
C:\Documents and Settings\Main\My Documents\Morpheus Shared\Downloads\Torrent Microsoft Student 2006.zip


Delete the folder -

C:\Program Files\winupdates


Reboot the PC.

Post a fresh HJT log please
  • 0

#7
PM2008

PM2008

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ok, here are the files I could not find.

C:\WINDOWS\SYSTEM32\a95kfrhe.ini
C:\WINDOWS\SYSTEM32\baur5s9q.dat
C:\WINDOWS\SYSTEM32\rtneg2.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\file.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\webdlg32.inf
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\pxwma.dll
C:\WINDOWS\SYSTEM32\SplWbr.dll
C:\WINDOWS\SYSTEM32\runsrv32.dll
C:\WINDOWS\SYSTEM32\holldvc.exe

My HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:21 PM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\gearsec.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Main\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: @d:\Program Files\Messenger2\im2_ie_plugin.dll,-4 - {410C30C7-098A-4090-928E-F1D356D34C7F} - d:\Program Files\Messenger2\im2_ie_plugin.dll
O9 - Extra 'Tools' menuitem: Run IM2 Messenger - {410C30C7-098A-4090-928E-F1D356D34C7F} - d:\Program Files\Messenger2\im2_ie_plugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23....es/MsnPUpld.cab
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.c.....AST SETUP.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Lexar SG20 (LxrSG20s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSG20s.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#8
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

Your logs look fine.


Do you have any issues with your PC now ???
  • 0

#9
PM2008

PM2008

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you for all of your help! You did a great job. :tazz:
And no, I don't have any problems with my computer as of now.
**Thanks**
  • 0

#10
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
hi,


CONGRATULATIONS !!!!!!!!!!! Your PC is clean now :tazz:



I would recommend the following steps to keep your PC clean (especially Step 1 to install critical Windows patches including Service Pack 2 or SP2 if not already installed and Step 8 now that your PC is clean) -

PREVENTIVE MEASURES FOR FUTURE

Operating System
1. Keep the Windows and Internet Explorer updated with the latest fixes. These fixes are available free from Microsoft. Click on Tools in the IE menu bar and then on Windows update. You can also use the following links

Windows security and critical updates
Internet Explorer security and critical updates

Also ensure that automatic updates are enabled for faster updation of the system.
(Right click on My Computer on your desktop, properties and Automatic Updates tab.


Anti-Virus Software
2. Keep your Anti-virus program updated with the latest definitions. Some of the common anti-virus programs in use are :

Norton Anti-Virus
McAfee Anti-Virus
AVG Anti-Virus --- freeware
Avast Home Edition --- freeware

Use only one anti-virus program as multiple such programs can create conflicts between themselves and severely hamper the performance of your PC.


Firewall
3. You should also have a good firewall. Here are 3 free ones available for personal use:
Sygate Personal Firewall, Kerio Personal Firewall, ZoneAlarm


Internet Browsers
4. Have robust explorer settings. It is preferable to use an internet browser other that IE as most of the malware is targetted at IE. In case you prefer to use IE, then download a list of innocent looking but harmful websites from IE-Spyad and install it on ur PC. IE-SPYAD puts over 5000 sites in your internet explorer's restricted zone, so you'll be protected when you visit innocent-looking sites that aren't really innocent at all.

Some alternate browsers I suggest are Firefox Mozilla Browser and Opera

Ensure that Security level, irrespective of whichever browser you use, is set at Medium or higher, restrict the usage of cookies and activeX components.


Spyware Protection
5. Have a wall of protection against spyware / adware by installing SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs.
SpywareBlaster will prevent spyware from being installed and consumes no system resources.
SpywareGuard offers realtime protection from spyware installation and browser hijack attempts. Both have free ongoing updates.


Spyware Removers
6. Install programs for scanning for malware and uninstalling them. Two of the best programs, both are freeware, are :

Spybot Search & Destroy - A powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware SE Personal Edition - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.


Regular Maintenance of PC
7. Finally, invest some time for regular maintenance of your PC. Delete the temporary Internet files, temporary files, cookies etc. Click on Start button, Programs, Accessories, System Tools and run the program Disk Cleanup. Follow the instructions.

An alternate freeware software which can be used is CleanUp.

Keep your Registry clean. My favourite software is Registry First Aid. This is not a freeware but a trial version can be downloaded.


System Restore Points
8. Since your PC is currently clean, create a system restore point. A system restore would enable you to revert to the settings on the PC when the restore point was created. It is also a good idea to flush all earlier system restore points which may be containing infected files.

A. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

B. Restart your computer.

C. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Go ahead and enjoy a clean PC !!!!!!!!!!!!!
  • 0

#11
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP