Alcan worm [RESOLVED]



#1 icklemalc (New Member, 4 posts)
Can someone help me out a little please? I have this horrible Alcan worm and am having problems removing it.
As suggested on here, so far I have installed and run the BFU.
I have then run the HijackThis tool and have the following log.
Anyone know what I should do next?
Many thanks!


Logfile of HijackThis v1.99.1
Scan saved at 22:22:41, on 27/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\outlook\outlook.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eXentiasupport.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.elonex.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe -invisible
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eXentiasupport.com/
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125909620937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133293893092
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
#2 Jag11 (Visiting Staff, 2,210 posts)
Hi and welcome to GTG.

I'm Jet Ian, and I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

#3 Jag11 (Visiting Staff, 2,210 posts)
1. Please download Ewido Anti-Malware
  • Install ewido anti-malware
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

  • You will need to update ewido to the latest definition files:
    • On the left-hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").
  • Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

2. Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • In the scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the ewido text report that you saved and a new HijackThis log.

#4 icklemalc (Topic Starter, New Member, 4 posts)
Hello there and many thanks for taking the time out of your day to help me with my case. It is very much appreciated.

Before I did what you said, I had already done a couple of things to aid in the removal of this worm.
I had already run Ad-Aware SE and also used Avast to perform a pre-boot scan. Both apps found parts of the worm and as such removed it.

I am now posting the new HijackThis log and the scan report as suggested.

Many thanks (oh, and sorry for the delay, but I'm in the UK so there is the time difference!)

Logfile of HijackThis v1.99.1
Scan saved at 21:16:58, on 31/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\WINDOWS\slrundll.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eXentiasupport.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.elonex.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe -invisible
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eXentiasupport.com/
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125909620937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133293893092
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

------------------------------------------------------------------------------------------------------------------

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:05:32, 31/03/2006
+ Report-Checksum: 5705F943

+ Scan result:

C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Bpath : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Bpath : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@adtech[2].txt -> TrackingCookie.Adtech : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@advertising[1].txt -> TrackingCookie.Advertising : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@com[1].txt -> TrackingCookie.Com : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Itrack : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned without backup
C:\m500\Resco Audio Recorder v3.20\keygen.exe -> Logger.ProAgent.t : Cleaned without backup
C:\m500\Resco Keyboard Pro v4.34\keygen.exe -> Logger.ProAgent.t : Cleaned without backup
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned without backup


::Report End
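A way to compare the two HijackThis logs in this thread mechanically, as an added example that is not part of the thread or of HijackThis itself: it parses the section-coded entries and the running-process list, reports what disappeared and what appeared between the first log (post #1) and the one in this post, and lists entries whose target no longer exists on disk. The two log excerpts are copied from the posts above; the function names, the `Entry`/`Autostart` records and the missing-target check are this example's own construction.

```python
"""Parse and diff HijackThis 1.99.1 logs (added example, not HijackThis code)."""
import re
from typing import NamedTuple


class Entry(NamedTuple):
    section: str  # section code: R0/R1 browser settings, O4 autostarts, O23 services, ...
    payload: str  # rest of the line, verbatim


class Autostart(NamedTuple):
    location: str  # e.g. HKLM\..\Run
    name: str      # the value name shown in [brackets]
    command: str   # what gets launched


SECTION_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")   # "O4 - ..." style lines
AUTOSTART_RE = re.compile(r"^(.+?): \[(.+?)\] (.*)$")          # "HKLM\..\Run: [name] cmd"
MISSING_MARKERS = ("(file missing)", "(no file)")            # appended when the target is absent


def parse_hjt(log):
    """Return (running_processes, entries): the process listing runs from
    'Running processes:' to the next blank line, the findings are the
    section-coded lines after it."""
    processes, entries = [], []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = SECTION_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return processes, entries


def autostarts(entries):
    """The O4 entries written as [name] command, split into their parts."""
    found = []
    for e in entries:
        m = AUTOSTART_RE.match(e.payload) if e.section == "O4" else None
        if m:
            found.append(Autostart(m.group(1), m.group(2), m.group(3)))
    return found


def flag_missing(entries):
    """Entries whose target HijackThis could not find on disk (dangling references)."""
    return [e for e in entries if any(mk in e.payload for mk in MISSING_MARKERS)]


def diff_logs(before, after):
    """What disappeared and what appeared between two logs of the same machine."""
    procs_b, ents_b = parse_hjt(before)
    procs_a, ents_a = parse_hjt(after)
    return {
        "processes_gone": sorted(set(procs_b) - set(procs_a)),
        "processes_new": sorted(set(procs_a) - set(procs_b)),
        "entries_gone": sorted(set(ents_b) - set(ents_a)),
        "entries_new": sorted(set(ents_a) - set(ents_b)),
    }


# Excerpts of the two logs posted in this thread (27/03/2006 and 31/03/2006).
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\outlook\outlook.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
"""

if __name__ == "__main__":
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key, *items, sep="\n  ")
```

Run as a script it prints the four diff lists. The only things that vanish are the `[outlook]` Run entry and its `outlook.exe` process, which matches the `Worm.VB.dw` detection under `C:\Program Files\outlook` in the ewido report above; the only additions are the two ewido services installed in step 1. An entry marked `(file missing)` or `(no file)` is a dangling reference left behind by an uninstall or a cleanup; it is worth tidying but is not by itself evidence of an infection.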

#5 Jag11 (Visiting Staff, 2,210 posts)
Ok, thanks for the logs icklemalc. Logs turned out to be clean, are you still experiencing any problems? Let's do an online scan to make sure nothing's left over.

Run an online scan at Panda's ActiveScan
  • Please go here and perform a full system scan (use Internet Explorer).
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open. Click the big Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your Valid Email and click send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan.
  • Click on Local Disks to start the scan.
  • Once finished, click see report, then click Save report.
NOTE: Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

#6 icklemalc (Topic Starter, New Member, 4 posts)
Hi there, I think with your help I have managed to clear this worm. I have run the scan you suggested and have the following report.


Incident Status Location

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Malcolm\Cookies\malcolm@adrevolver[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Malcolm\Cookies\malcolm@advertising[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Malcolm\Cookies\malcolm@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Malcolm\Cookies\malcolm@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Malcolm\Cookies\malcolm@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Malcolm\Cookies\malcolm@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Malcolm\Cookies\malcolm@toplist[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Malcolm\Cookies\malcolm@xmts[1].txt
Virus:Bck/Haxdoor.HH Disinfected C:\Documents and Settings\Malcolm\Local Settings\Temporary Internet Files\Content.IE5\I8U1RP80\aswclnr[1].exe



Do I need to worry about the last entry, and can it be removed?

Many thanks
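The ewido report in post #4 and the Panda ActiveScan report above use different line formats but carry the same three facts: what was found, where, and what the scanner did about it. As an added example that is not part of the thread or of either product, this parses both formats into one record type, separates tracking cookies (cookie detections whose file sits in the profile's Cookies folder) and hits in the browser cache from everything else, and lists the non-cookie findings the scanner did not neutralise. It goes a little beyond the thread in handling the two formats side by side. The sample lines are excerpts of the two reports; the final ewido result line is a constructed negative case with a made-up detection name, and the function names and the `RESOLVED` status set are the example's own.

```python
"""Triage scan reports from two scanners into one record type (added example)."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    tool: str
    label: str   # detection name exactly as the scanner printed it
    path: str
    status: str  # what the scanner did, or did not do, about it


EWIDO_RE = re.compile(r"^(.+?) -> (\S+) : (.+)$")                        # path -> Label : Action
PANDA_RE = re.compile(r"^(.+?)\s+(Not disinfected|Disinfected)\s+(.+)$")  # Category Status Location
# Statuses seen in this thread that mean the scanner already dealt with the item.
RESOLVED = {"Cleaned without backup", "Disinfected"}


def parse_report(text):
    """Parse ewido and Panda result lines; headers and separators are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EWIDO_RE.match(line)
        if m:
            findings.append(Finding("ewido", m.group(2), m.group(1), m.group(3)))
            continue
        m = PANDA_RE.match(line)
        if m:
            findings.append(Finding("panda", m.group(1), m.group(3), m.group(2)))
    return findings


def is_tracking_cookie(f):
    """A cookie detection whose file really sits in the profile's Cookies folder."""
    in_cookie_dir = "\\cookies\\" in f.path.replace("/", "\\").lower()
    return in_cookie_dir and f.label.startswith(("TrackingCookie.", "Spyware:Cookie/"))


def is_cached_download(f):
    """A hit on a file in the browser cache: something downloaded, not installed."""
    return "\\temporary internet files\\" in f.path.lower()


def triage(findings):
    """Bucket findings so the harmless bulk does not hide the few that matter."""
    groups = {"tracking_cookies": [], "cached_downloads": [], "other": []}
    for f in findings:
        if is_tracking_cookie(f):
            groups["tracking_cookies"].append(f)
        elif is_cached_download(f):
            groups["cached_downloads"].append(f)
        else:
            groups["other"].append(f)
    return groups


def needs_followup(findings):
    """Non-cookie findings the scanner reported but did not neutralise."""
    return [f for f in findings if not is_tracking_cookie(f) and f.status not in RESOLVED]


def summarize(findings):
    """Number of findings per detection label."""
    counts = {}
    for f in findings:
        counts[f.label] = counts.get(f.label, 0) + 1
    return counts


# Excerpt of the ewido report in post #4; the last result line is a constructed
# negative case (no such detection name exists) so the follow-up path is exercised.
SAMPLE_EWIDO = r"""
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:05:32, 31/03/2006
+ Scan result:

C:\Documents and Settings\Malcolm\Cookies\malcolm@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned without backup
C:\m500\Resco Audio Recorder v3.20\keygen.exe -> Logger.ProAgent.t : Cleaned without backup
C:\m500\Resco Keyboard Pro v4.34\keygen.exe -> Logger.ProAgent.t : Cleaned without backup
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned without backup
C:\EXAMPLE\constructed.exe -> Example.Constructed : Not cleaned

::Report End
"""

# Excerpt of the Panda ActiveScan report in post #6.
SAMPLE_PANDA = r"""
Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Malcolm\Cookies\malcolm@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Malcolm\Cookies\malcolm@doubleclick[1].txt
Virus:Bck/Haxdoor.HH Disinfected C:\Documents and Settings\Malcolm\Local Settings\Temporary Internet Files\Content.IE5\I8U1RP80\aswclnr[1].exe
"""

if __name__ == "__main__":
    all_findings = parse_report(SAMPLE_EWIDO) + parse_report(SAMPLE_PANDA)
    for group, items in triage(all_findings).items():
        print(f"{group}: {len(items)}")
    for f in needs_followup(all_findings):
        print("follow up:", f.tool, f.label, f.path)
```

On the thread's own lines the only item left in the follow-up list is the constructed one: the keygen and worm hits were cleaned by ewido, the Panda cookie entries are tracking cookies that the browser's Delete Cookies button removes, and the Haxdoor hit is a file in the Temporary Internet Files cache that Panda reports as already disinfected. Note that the Panda category can contain a space (`Spyware:Cookie/Atlas DMT`), which is why `PANDA_RE` anchors on the status word rather than splitting on whitespace.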

#7 Jag11 (Visiting Staff, 2,210 posts)
Good. Those files found are just your cookies and a file inside your Temporary files, which are all harmless.

Just do this to clean them:

Clear IE's Cookies
  • Open Internet Explorer.
  • Click Tools » Internet Options.
  • Click the Delete Cookies button, then click OK.
  • Then click OK to exit.
===================================================

Run Cleanmgr
  • Go to Start » Run » type: cleanmgr » OK
  • Choose (C:) and then click OK
  • Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
===================================================

Other than that, you're clean! If you have any other questions, please post them back here.

-------

Before I leave you with the steps to keep your computer clean and prevent re-infection, please post one more time to confirm that you don't have any more problems - so we can mark this thread as SOLVED.

Have a good day!

==========================================================

1.) Re-Hide System Files and Folders:
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View tab
  • Deselect the Show hidden files and folders option
  • Select the Hide protected operating system files option
  • Click Yes to confirm
  • Click OK
2.) Reset and Re-enable your System Restore

We need to do this to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Click Start » Run » ( type: SYSDM.CPL ) » OK
  • Click the System Restore tab.
  • Check - Turn off System Restore.
  • Click Apply.
  • Uncheck - Turn off System Restore.
  • Click OK.
3.) How to Prevent Re-Infection

Please take your time reading on this list, it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this, open Internet Explorer, then select Tools » Windows Update, and follow the online instructions from there.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Firewall (a must!) - It is definitely a must have. Two good free versions are Kerio and ZoneAlarm.
  • Anti-Virus (a must!) - It is also a must have. Two good programs are Avast and AVG, they're both free.
    Note: You must only use 1 (one) AV because if you have 2 AVs, they will conflict with each other and will only make your system slow.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
  • 0

#8
icklemalc

icklemalc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Many thanks for all your help. I'm glad to say my system is now clean!

Warning for all the other folks out there......DO NOT USE LIMEWIRE!

If you want music then go buy it legally! (I only used it to download Lost series episodes from the states)

Once again thanks and I'm happy to say this is now solved!
  • 0

#9
Jag11

Jag11

    Visiting Staff

  • Member
  • PipPipPipPipPip
  • 2,210 posts
Glad we could help icklemalc! :whistling:
  • 0

#10
therock247uk

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
