Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Alcan Worm


  • Please log in to reply

#1
Emers

Emers

    Member

  • Member
  • PipPip
  • 44 posts
I have followed the instructions from http://www.geekstogo...showtopic=98929 on how to stop and undo the effects of the Alcra aka Alcan Worm and my HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 09:54:05, on 24/03/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\system32\netddesrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\winupdates\winupdates.exe
C:\WINNT\system32\internat.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\Macromed\shockwave\Remote.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINNT\system32\Win32Root.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wythallchurch.net/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [PDIRECT] C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
O4 - HKLM\..\Run: [TP98UTIL] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE /s
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Microsoft Update Machine] Win32Root.exe
O4 - HKLM\..\Run: [Microsoft Windows Keyboard service] keyboard.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Win32Root.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Keyboard service] keyboard.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] Win32Root.exe
O4 - Startup: Shockwave Init.lnk = C:\WINNT\system32\Macromed\Shockwave\SwInit.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Digimax Viewer 2.0.lnk = C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136669539095
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotb...ams/hbtools.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Can anyone give me some guidance? I have lost task manager and limewire starts on its own.

Cheers

Pete
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,007 posts
Hi Emers,

I will need to have a look at a file to be able to help you.

Can you surf to:
http://www.thespykil...x.php?topic=5.0
Follow the instructions there to upload:
C:\WINNT\system32\Win32Root.exe

Thanks in advance,
  • 0

#3
Emers

Emers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts

Hi Emers,

I will need to have a look at a file to be able to help you.

Can you surf to:
http://www.thespykil...x.php?topic=5.0
Follow the instructions there to upload:
C:\WINNT\system32\Win32Root.exe

Thanks in advance,


Just tried but don't have \System32. Searched hard drive and don't have the file either?
I have a \System and a \Twain_32 but no \System32
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,007 posts
Can you follow the instructions posted here:
http://www.geekstogo...orm-t98929.html

With any luck that should make your System32 folder visible.

Regards,
  • 0

#5
Emers

Emers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
I had already done that and have repeated the exercise but still no System32 folder
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,007 posts
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Standard File Kill option.
*Copy & paste this path:
C:\WINNT\system32\Win32Root.exe
(You don't have to "see" the file. Killbox will find it if you feed it the complete path.)
*Click the red-and-white "Delete File" button.
*Click yes at the prompt if you want to Backup and Delete the file.
*Click OK
*Back in the killbox program, select the Delete on Reboot option.
*Copy & paste this path:
C:\Program Files\winupdates\winupdates.exe
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


In safe Mode run the alcanshorty.bfu with BFU

Then run HijackThis and put checkmarks in front of he following items.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Microsoft Update Machine] Win32Root.exe
O4 - HKLM\..\Run: [Microsoft Windows Keyboard service] keyboard.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] Win32Root.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Keyboard service] keyboard.exe

O4 - HKCU\..\Run: [Microsoft Update Machine] Win32Root.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotb...ams/hbtools.cab

Boot back to normal and post a new HijackThis log.
Let me know if you can see your System32 folder now.

Regards,
  • 0

#7
Emers

Emers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
Fantastic - Can see System32 now.

04 - HKLM\..\Run: [winupdates]... wasn't in the HijackThis file to fix. Trust that isn't a problem.

In safe mode I got the progress bar with BFU which I didn't get previously.

How does the following look and can I prevent this happening again?

Cheers :-)

Logfile of HijackThis v1.99.1
Scan saved at 11:30:08, on 25/03/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\system32\netddesrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\RF Wireless Mouse\cm20.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\Macromed\shockwave\Remote.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wythallchurch.net/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [PDIRECT] C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
O4 - HKLM\..\Run: [TP98UTIL] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE /s
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm20.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - Startup: Shockwave Init.lnk = C:\WINNT\system32\Macromed\Shockwave\SwInit.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Digimax Viewer 2.0.lnk = C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1136669539095
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
  • 0

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,007 posts
Your log looks good now. Nice work. :whistling:

If all went as planned Killbox created a folder called !Killbox which has a backup of Win32Root.exe inside.

Can you upload that to the SpyKiller forum like I described before?
It will make it easier for me to help others with the same problem.

Please do have a look at my site about removing and preventing spyware.

Regards,
  • 0

#9
Emers

Emers

    Member

  • Topic Starter
  • Member
  • PipPip
  • 44 posts
http://www.thespykil...hp?topic=1305.0

I think that worked :whistling:

Let me know if not and thanks for all your help! :blink:
  • 0

#10
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,007 posts
Yup. Got it.

Thanks. :whistling:

If I find something of interest to you, I'll post back in this thread.

Take care out there, it's a jungle. :blink:
  • 0

#11
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,007 posts
Hi Emers,

Sorry to be a pain. But in my excitement to get rid of the Spybot variant I missed another virus in your log. :blink:
My friend Mike pointed it out to me. Thanks Crete. :whistling:

Click Start > Run type services.msc > OK
In the list of services find:
NetDDE Server (NetDDEsrv)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: NetDDEsrv

Then reboot and delete:
C:\WINNT\system32\netddesrv.exe

Regards,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP