win32 p2p worm and internet connectivity



#1
Regicide84

Regicide84

    New Member

  • Member
  • Pip
  • 1 posts
Today I had a run-in with what an Adaware and Ewido scan identified as the win32 p2p-worm. While running Limewire on my Windows XP Media Center to get Macromedia's Shockwave Flash player, I accidentally downloaded the aforementioned worm.

Limewire was still running when I executed it from my shared documents folder. Watching in horror as the .zip files multiplied, I immediately disconnected from Limewire and exited the program so that I could delete the files from the shared folder before anyone else could start downloading any of them. All except for the original file (write protected, or in use error) fit neatly into the recycling bin. Now this is where it gets a little weird:

I had exited Limewire, disconnected from the Limewire p2p servers, and the file was still coming up as "in use", and each attempt I made at moving or removing this file launched Limewire again. Again, not wanting to spread the worm to any other unfortunates, I right-clicked my LAN icon and disabled it, then uninstalled Limewire and rebooted.

After running Adaware and detecting the win32 p2p-worm and removing it, I went to enable my connection, which as usual began blinking and displayed the tooltip pop-up explaining that everything was normal. However, when I went to run IE I got a DNS error. Thinking it's just IE being, well... IE, I tried running AOL Instant Messenger, only to find that I was unable to connect to the internet despite what the LAN icon displayed.

I get ahold of my ISP's tech support and find that nothing is wrong on their side of it, and I know that for a fact, as I was able to plug my DSL into the computer I'm using to post this message and look for a solution to my problem.

I looked up win32 p2p-worms on Google and found the description to match what I had seen earlier, but nothing about loss of internet connectivity, or anything remotely close to what's going on here. I understand that it could be a coincidence, but I'm relating the story unabridged since *I'm* not the expert here.

Using a USB cable and a PlayStation Portable (a handheld gaming device which uses Memory Stick Duos to store data), I downloaded the programs recommended on this forum for general maintenance as well as for the worm, and installed them onto the malfunctioning PC through this USB connection. I ran Ewido in safe mode and found 627 infected files, most of which were from the worm. I removed those, and ran CCwasher, then Adaware, and found 0 infected files.

I'm fairly certain the worm itself is gone. The last thing I did before curling into the fetal position and sobbing quietly was running WinsockXP Fix to try and get my connection going again. Another odd thing happened here: as Winsock was doing its thing, I got a /!\ on my LAN icon and a tooltip saying that there is little or no connectivity etc etc, and I tried the Windows connection repair thing, which returned the LAN icon to its normal blinking state and the obligatory tooltip pop-up that says everything is hunky-dory (it still isn't). Ran Winsock again, restarted the computer, and still the same problems.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:46:43 PM, on 8/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Worm Anti-files\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\Worm Anti-files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...LocalUndeclared
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Worm Anti-files\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you very much in advance. I love the work you guys do, and I know if there's a solution to this problem it can be found here. Again, thank you!

Edited by Regicide84, 20 August 2005 - 09:28 PM.

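As an added example (not part of the original post, and not code from the HijackThis tool), here is a small Python parser for log lines in the format posted above. It runs over a constructed sample made from a handful of that log's lines, splits O4 and O23 entries into their fields, and flags the service entries a helper would look at first: a missing file, an "Unknown owner", or a service binary that is not in the running-process list.

```python
import re
# Constructed sample in the shape of the HijackThis v1.99 log posted above (a few of its lines, not the full scan).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Worm Anti-files\security suite\ewidoctrl.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Worm Anti-files\security suite\ewidoctrl.exe
"""
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

def parse_hjt(text):
    # Returns (running process paths, parsed R/F/O entries).
    procs, entries, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and line:
            procs.append(line.lower())
            continue
        in_procs = False            # a blank line ends the process list
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        entry = {"code": code, "body": body, "flags": []}
        if code == "O23":   # O23 - Service: <display name> - <owner> - <path and args>[ (file missing)]
            name, owner, *path = body[len("Service: "):].split(" - ")
            entry.update(name=name, owner=owner, path=" - ".join(path))
            if owner.lower() == "unknown owner":
                entry["flags"].append("unknown owner")   # no company in version info: a cue, not a verdict
            if "(file missing)" in body:
                entry["flags"].append("file missing")
            elif entry["path"].lower() not in procs:     # exact match; strip args for services started with switches
                entry["flags"].append("not running")
        elif code == "O4":  # O4 - <hive>\..\Run: [<value name>] <command line>
            hive, _, rest = body.partition(": [")
            value, _, command = rest.partition("] ")
            entry.update(hive=hive, name=value, command=command)
        entries.append(entry)
    return procs, entries

def triage(text):
    # (code, name, flags) for the entries an analyst should look at first.
    return [(e["code"], e["name"], e["flags"]) for e in parse_hjt(text)[1] if e["flags"]]
```

On the sample, only the Brother service is flagged (unknown owner and file missing); the ewido service is running, so it passes.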
