
[bleep] worm [RESOLVED]


  • This topic is locked

#1
ElojodeMordor

ElojodeMordor

    Member

  • Member
  • PipPip
  • 13 posts
Hi. A few days ago I downloaded Shareaza, and since then I have had a lot of trouble with viruses and worms. I fixed 90% of the problem, but a worm called Win32.P2P-Worm.Alcan.a is resident in my system. This is the log file:

WIN32.P2P-WORM.ALCAN.A
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=File : C:\WINDOWS\system32\bszip.dll
obj[1]=File : C:\WINDOWS\System32\cmd.com
obj[2]=File : C:\WINDOWS\System32\netstat.com
obj[3]=File : C:\WINDOWS\System32\ping.com
obj[4]=File : C:\WINDOWS\System32\regedit.com
obj[5]=File : C:\WINDOWS\System32\taskkill.com
obj[6]=File : C:\WINDOWS\System32\tasklist.com
obj[7]=File : C:\WINDOWS\System32\tracert.com

I ran Ad-aware every day but the program can't fix the trouble. Can you give me the solution?

Thanks for all help.



Patricio.
  • 0



#2
guymontech

guymontech

    Member

  • Member
  • PipPip
  • 16 posts
Hi! Do you have an anti-virus program running on your computer? Ad-Aware will not be able to remove this bug, because it is a virus. If you do not have an anti-virus I recommend you go to www.grisoft.com or Cnet Downloads and grab AVG. It is free, and easy to use.

Here are the removal directions from Symantec's web site:


The following instructions pertain to all Symantec antivirus products that support security risk detection.


Update the definitions.
Run a full system scan.
Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.


2. To run the scan
Start your Symantec antivirus program, and then run a full system scan.

If any files are detected, and depending on which software version you are using, you may see one or more of the following options:

Note: This applies only to versions of Norton AntiVirus that support security risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports security risk detection, and security risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.

Exclude (Not recommended): If you click this button, it will set the risk so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove from your computer.


Ignore or Skip: This option tells the scanner to ignore the risk for this scan only. It will be detected again the next time that you run a scan.


Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. This Cancel option tells the scanner to ignore the risk for this scan only, and thus, the risk will be detected again the next time that you run a scan.

To actually delete the security risk:
Click its file name (under the Filename column).
In the Item Information box that displays, write down the full path and file name.
Then use Windows Explorer to locate and delete the file.

If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer. Restart the computer in Normal mode.


Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
If you see a message, "Delete Failed" (or similar message), manually delete the file.
Click the file name of the risk that is under the Filename column.
In the Item Information box that displays, write down the full path and file name.
Then use Windows Explorer to locate and delete the file.

If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer. Restart the computer in Normal mode.

Important: If your Symantec antivirus product reports that it cannot delete a detected file, Windows may be using the file. To fix this, run the scan in Safe mode. For instructions, read the document: How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the risk may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [File path]
Message body: Windows cannot find [file name]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.


3. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.

Click Start > Run.
Type regedit

Then click OK.

Note: If the registry editor fails to open, the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"MsConfigs" = "MsConfigs.exe"


Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Lsa
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Ole
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\System\CurrentControlSet\Lsa


In the right pane, delete the value:

"p2pnetwork" = "p2pnetwork.exe"


Exit the Registry Editor.
  • 0
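An added example, not part of the original post or of Symantec's instructions: a read-only check that scans a registry export for the two values named in step 3, under exactly the subkeys listed there. It assumes the registry was exported to a .reg file as the backup step recommends; the sample export and the function names `parse_reg` and `find_worm_values` are constructed for illustration.

```python
import re

# Subkeys and value names exactly as listed in the removal instructions above.
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
P2P_KEYS = [h + "\\" + s for h in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
            for s in (RUN, RUN + "Services", r"SOFTWARE\Microsoft\Ole",
                      r"System\CurrentControlSet\Lsa")]
WATCH = {"msconfigs": ["HKEY_LOCAL_MACHINE\\" + RUN], "p2pnetwork": P2P_KEYS}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not taken from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsConfigs"="MsConfigs.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"p2pnetwork"="p2pnetwork.exe"
'''

def parse_reg(text):
    """Return {lowercased key path: {value name: data}} for string values."""
    keys, current = {}, None
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m.group(1).lower(), {})
        elif (m := VAL_RE.match(line)) and current is not None:
            # .reg strings escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_worm_values(text):
    keys = parse_reg(text)
    # Registry key and value names are case-insensitive, so compare lowercased.
    return [(path, vname, data)
            for name, paths in WATCH.items()
            for path in paths
            for vname, data in keys.get(path.lower(), {}).items()
            if vname.lower() == name]

if __name__ == "__main__":
    # A real regedit "Version 5.00" export is UTF-16: open(path, encoding="utf-16").
    for key, name, data in find_worm_values(SAMPLE_EXPORT):
        print(f"{key}: {name!r} = {data!r}")
```

An empty result only means these two named values are absent from the listed subkeys; as a later reply in this thread notes, an infected system may not have them at all.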

#3
phybyr0ptyk

phybyr0ptyk

    Member

  • Member
  • PipPipPip
  • 279 posts
Wouldn't it be easier and space saving to just paste the link to the page that Symantec has issued on this worm's removal, and let the infected meander over and remove it that way? Just a thought, and will save much time dragging that dang mouse to copy and paste what's already out there to be accessed.
  • 0

#4
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Hello ElojodeMordor,

The instructions posted are quite advanced.

If you wish, you could post a full system scan logfile and I'll take a look

:tazz:
  • 0

#5
ElojodeMordor

ElojodeMordor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi again!

Thanks Andy_veal, phybyr0ptyk and guymontech. I'll try to do my homework and I'll tell you tomorrow Saturday.

I'll return with more news.

Thanks again and good night, see you.



Bye.
  • 0

#6
sdebank

sdebank

    New Member

  • Member
  • Pip
  • 4 posts

Hi. A few days ago I downloaded Shareaza, and since then I have had a lot of trouble with viruses and worms. I fixed 90% of the problem, but a worm called Win32.P2P-Worm.Alcan.a is resident in my system.


Just had trouble shifting this one myself. (via Shareaza too).

[Advice removed: Explanation below]

Edited by Andy_veal, 25 June 2005 - 07:59 AM.

  • 0

#7
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Hi sdebank,

I have edited your advice just because of the dangers.

If you turn off System restore, all previous restore dates are lost for good.

We try not to recommend disabling system restore unless there is no other method of removal...

Thank you for your time though and I hope you understand.

:tazz:
  • 0

#8
ElojodeMordor

ElojodeMordor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Good morning everybody.

I did a lot of the things you suggested but nothing happened, it's impossible to remove this virus or worm. I did the Norton scan in safe mode, modified the Ad-aware settings, tried to find p2pnetwork.exe, downloaded other programs like Spybot S&D and AVG.

I don't know what to say, I'm not an expert and it is difficult for me to do some of the things you suggested, for example "guymontech", you told me I should modify the Windows Registry, trying to find p2pnetwork.exe, but I don't know, maybe I can delete important information.

Thanks again you guys, I'll try again and again.




ElojodeMordor
  • 0

#9
sdebank

sdebank

    New Member

  • Member
  • Pip
  • 4 posts
I had much the same problem and the info posted wasn't relevant because the likes of p2pnetwork.exe weren't on my system.

I cleared it using Symantec's advice re: bszip.dll.
  • 0

#10
ElojodeMordor

ElojodeMordor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Good evening.

I found the instructions in Norton Security Response, but I can't find some subkeys in Regedit to fix the problem. I know I'm not an expert in this area, so be patient.

Thanks and have a great weekend.



ElojodeMordor



:tazz:
  • 0



#11
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi ElojodeMordor and welcome,
Could you please post a log from Ad-aware please using the full scan as Andy requested,

We have had success in removing this without the need to go digging into the registry.

If you're not comfortable doing it and you make a mistake you could be left with an inoperable system.

Thanks
Don
  • 0

#12
ElojodeMordor

ElojodeMordor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi don77 and thanks for the welcome.
Yes, sorry Andy but I forgot to put the log, I was crazy yesterday and today with this problem.
Give me some minutes to do a new scan with Ad-aware.

Thank you and the others who offered to help me.



ElojodeMordor.
  • 0

#13
ElojodeMordor

ElojodeMordor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
don77, here is the logfile created with the Ad-aware.

Thanks.



ElojodeMordor:

Attached Files


  • 0

#14
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
OK Patricio,
Let's see if we can get this cleaned up for you,
I need you to do a couple things please,
First
*Please open notepad and save these instructions, Name it something you will remember
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

 
 C:\WINDOWS\system32\bszip.dll
 C:\WINDOWS\System32\cmd.com
 C:\WINDOWS\System32\netstat.com
 C:\WINDOWS\System32\ping.com
 C:\WINDOWS\System32\regedit.com
 C:\WINDOWS\System32\taskkill.com
 C:\WINDOWS\System32\tasklist.com
 C:\WINDOWS\System32\tracert.com
C:\Archivos de programa\winupdates\winupdates.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Your computer should restart on its own, If it doesn't please restart it manually

Next


Ad-aware has found objects on your computer

If you chose to clean your computer from what Ad-aware found please follow these instructions below…

Please download CCleaner and install. Close out the program when it has completed set up (Don't run it yet, we will use it later on)

Open Ad-aware click on the Check for updates now
Please make sure that you are using the * SE1R51 21.06.2005 * definition file.


Please launch Ad-Aware SE and click on the gear to access the Configuration Menu. Please make sure that this setting is applied.

Click on Tweak > Cleaning Engine > Uncheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.
Please then boot into Safe Mode,

Please see here if you need help on it Safe Mode


To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Please run CCleaner to assist in this process.
(Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Please run Ad-Aware SE from the command lines shown in the instructions shown below.

Click "Start" > select "Run" > type the text shown in bold below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)

Click OK.

Please note that the path above is the default installation location for Ad-aware SE, if this is different, please adjust it to the location that you have installed it to.

When the scan has completed, select Next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to each "target family" you wish to remove. Click next, Click OK.

If problems are caused by deleting a family, please leave it.

Please shutdown/restart your computer after removal, run a new full scan and post the results as a reply. Do not launch any programs or connect to the internet at this time.


Please then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes take 2-3 posts to get it all posted, once the "Summary of this scan" information is shown, you have posted all of your logfile.

Please remember when posting another logfile keep "Search for negligible risk entries" deselected as negligible risk entries (MRU's) are not considered to be a threat. This option can be changed when choosing your scan type.

Please post back here
  • 0

#15
ElojodeMordor

ElojodeMordor

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
OK, give me a few minutes again to do this.

Thanks.



Patricio.
  • 0





