Win32.P2P-Worm.Alcan.a[RESOLVED]


This topic is locked

#1
miles goes rawr (Member, 29 posts)

Here is a log I got off of the Kaspersky offline scanner, which another thread like this one said to use.
I just reformatted my computer about 2 days ago and was surprised to see this worm. Help please?

The Win32.P2P-Worm.Alcan.a may now show up because I removed it with Ad-Aware beforehand, but it will most likely come back.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, November 11, 2005 00:32:24
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/11/2005
Kaspersky Anti-Virus database records: 159278
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 40053
Number of viruses found: 3
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 1676 sec

Infected Object Name - Virus Name
C:\Documents and Settings\oOoOo\Desktop\Extras\Installers\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\oOoOo\Desktop\Extras\Installers\BSINSTALL.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\oOoOo\Desktop\Extras\Warcraft\AnimTransfer03.exe Infected: Virus.Win32.Tenga.a
C:\Documents and Settings\oOoOo\Desktop\Extras\Warcraft\GeosetMerger.exe Infected: Virus.Win32.Tenga.a
C:\Documents and Settings\oOoOo\Desktop\Extras\Warcraft\GeosetTranslation.exe Infected: Virus.Win32.Tenga.a
C:\Documents and Settings\oOoOo\Desktop\Extras\Warcraft\ObjectIdInserter.exe Infected: Virus.Win32.Tenga.a
C:\Documents and Settings\oOoOo\Desktop\Extras\Warcraft\RedistributeKeys.exe Infected: Virus.Win32.Tenga.a
C:\Documents and Settings\oOoOo\Desktop\Extras\Warcraft\VertexModify.exe Infected: Virus.Win32.Tenga.a
C:\Documents and Settings\oOoOo\Desktop\Extras\Warcraft\War3FileConverter\War3.exe Infected: Virus.Win32.Tenga.a
C:\Documents and Settings\oOoOo\Desktop\Extras\Warcraft\War3FileConverter\War3FileConverter.exe Infected: Virus.Win32.Tenga.a
C:\Documents and Settings\oOoOo\Desktop\Extras\Warcraft\War3ModelEditor\War3ModelEditor.exe Infected: Virus.Win32.Tenga.a
C:\Documents and Settings\oOoOo\Local Settings\Temp\VVSNInst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Program Files\winupdates\a.tmp Infected: Worm.Win32.VB.an
C:\Program Files\winupdates\a.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Program Files\winupdates\a.zip Infected: Worm.Win32.VB.an
C:\Program Files\winupdates\winupdates.exe Infected: Worm.Win32.VB.an
C:\RECYCLER\S-1-5-21-1085031214-1788223648-682003330-1004\Dc1.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\RECYCLER\S-1-5-21-1085031214-1788223648-682003330-1004\Dc1.zip Infected: Worm.Win32.VB.an
C:\System Volume Information\_restore{32C9A8BB-A19C-4079-AFFB-FC13E3AC45A3}\RP27\A0007171.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{32C9A8BB-A19C-4079-AFFB-FC13E3AC45A3}\RP27\A0007171.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
D:\Extras\Warcraft Modding\AnimTransfer03.exe Infected: Virus.Win32.Tenga.a
D:\Extras\Warcraft Modding\GeosetMerger.exe Infected: Virus.Win32.Tenga.a
D:\Extras\Warcraft Modding\GeosetTranslation.exe Infected: Virus.Win32.Tenga.a
D:\Extras\Warcraft Modding\ObjectIdInserter.exe Infected: Virus.Win32.Tenga.a
D:\Extras\Warcraft Modding\RedistributeKeys.exe Infected: Virus.Win32.Tenga.a
D:\Extras\Warcraft Modding\VertexModify.exe Infected: Virus.Win32.Tenga.a
D:\Extras\Warcraft Modding\War3ModelEditor\War3ModelEditor.exe Infected: Virus.Win32.Tenga.a
D:\Extras\Warcraft Modding\War3FileConverter\War3.exe Infected: Virus.Win32.Tenga.a
D:\Extras\Warcraft Modding\War3FileConverter\War3FileConverter.exe Infected: Virus.Win32.Tenga.a

Scan process completed.

#2
miles goes rawr (Topic Starter, Member, 29 posts)

Anyone?

#3
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Make sure you read and follow the instructions in "Must read before posting a HijackThis log".

Please download HijackThis version 1.99.1 from HERE. After the download completes, unzip it to its own permanent folder (don't open it from the web). To run HijackThis, click "Scan" and save the log file, then post the new log in a reply to this thread. I would be happy to take a look at it.

#4
miles goes rawr (Topic Starter, Member, 29 posts)

Logfile of HijackThis v1.99.1
Scan saved at 12:01:17 PM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\zlclient.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\program files\steam\steam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\zlclient.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131518524405
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5
miles goes rawr (Topic Starter, Member, 29 posts)

Any help please? I can't use Ctrl+Alt+Delete and I need it.

#6
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

I know the rules say no bumping, but I'm glad you did... I posted a reply to this about 12 hrs ago... it must be floating around the ether somewhere. Here is another.

Firstly, if you are using the FREE version of BearShare, I strongly suggest you uninstall it via Add/Remove and pick another choice for P2P use. More info and clean options are HERE.

First of all, you may want to print out this post or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you cannot have IE/Firefox/any browser open during the fix.

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Please run HijackThis and click "Scan." Place checks next to the following entries:

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause <<---- Only check if you uninstalled via Add/Remove per the notes above.

Close all browser and other windows except for HijackThis, and click "Fix Checked".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Next, delete the following folders (if they exist):
C:\Program Files\winupdates\ <<---- Entire Folder
C:\Program Files\BearShare\ <<---- Entire Folder. Again, only delete if you removed BearShare earlier.

Click Start > Run > type %temp% (with the %). Delete any files/folders that come up.

Restart your computer (not in Safe Mode) and try another online scan; try ActiveScan.

Then, after the reboot, re-run HijackThis and post a new log along with the Panda ActiveScan log.

Edited by jwbirdsong, 12 November 2005 - 07:52 AM.

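The helper's instructions above boil down to one triage step: look at the O4 autorun entries in the HijackThis log and pick out the one whose executable the scanner report already called infected (here the "winupdates" entry pointing into C:\Program Files\winupdates). The script below is an added example, not part of this thread or of HijackThis, that automates that cross-check over a few constructed log lines modelled on the formats posted above (the user folder name is changed). It parses the O4 Run lines, parses the "Infected:" lines of a Kaspersky-style report, and flags an autorun entry when its binary or a sibling file in the same folder was reported, or when its name imitates Windows Update while running outside C:\WINDOWS (that last rule is a heuristic of mine, not something the scanner does).

```python
import re
from typing import Dict, List

# Constructed sample input, modelled on the HijackThis O4 lines and the
# Kaspersky "Infected:" lines in this thread (user folder renamed to "user").
HJT_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\zlclient.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

AV_REPORT = r"""C:\Program Files\winupdates\a.tmp Infected: Worm.Win32.VB.an
C:\Program Files\winupdates\winupdates.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\user\Local Settings\Temp\VVSNInst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
"""

# "O4 - HKLM\..\Run: [name] command" as written by HijackThis 1.99.1
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "<path> Infected: <verdict>" as written by the Kaspersky online scanner report
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+)$")


def executable_from_command(cmd: str) -> str:
    """Strip arguments from a Run value: honour a quoted path, else cut after the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split()[0]


def parse_run_entries(log: str) -> List[Dict[str, str]]:
    """Return one dict per O4 Run entry with hive, name, executable path and full command."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append({"hive": m["hive"], "name": m["name"],
                            "path": executable_from_command(m["cmd"]), "command": m["cmd"]})
    return entries


def parse_av_report(report: str) -> Dict[str, str]:
    """Map lower-cased infected path -> scanner verdict."""
    verdicts = {}
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            verdicts[m["path"].lower()] = m["verdict"]
    return verdicts


def flag_autoruns(log: str, report: str) -> List[Dict[str, object]]:
    """Cross-reference autorun entries against the scanner report and return the flagged ones with reasons."""
    verdicts = parse_av_report(report)
    flagged = []
    for entry in parse_run_entries(log):
        key = entry["path"].lower()
        reasons = []
        if key in verdicts:
            reasons.append("scanner verdict: " + verdicts[key])
        if "\\" in key:
            folder = key.rsplit("\\", 1)[0] + "\\"
            if any(p.startswith(folder) for p in verdicts):
                reasons.append("another file in " + folder + " was reported infected")
        # Heuristic (mine, not the scanner's): a Run entry named like Windows Update
        # that does not live under C:\WINDOWS deserves a second look.
        if "updat" in entry["name"].lower() and not key.startswith("c:\\windows\\"):
            reasons.append("name imitates Windows Update but runs outside C:\\WINDOWS (heuristic)")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_autoruns(HJT_LOG, AV_REPORT):
        print(f"{hit['hive']} Run [{hit['name']}] -> {hit['path']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the constructed input it reports only the "winupdates" entry, with all three reasons; the legitimate Zone Labs, Steam and Messenger entries pass. Against a real case, feed it the full HijackThis log and the scanner report text, and treat each flagged path as a candidate for the "Fix Checked" and folder-deletion steps above rather than as a verdict on its own.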

#7
miles goes rawr (Topic Starter, Member, 29 posts)

Logfile of HijackThis v1.99.1
Scan saved at 1:20:35 PM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\zlclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\program files\steam\steam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\zlclient.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1131518524405
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




and ActiveScan:

Incident Status Location

Adware:adware/savenow No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Documents and Settings\oOoOo\Application Data\Mozilla\Firefox\Profiles\k49it4yx.default\Cache\A2E96B69d01
Virus:W32/Alcan.A.worm Disinfected C:\RECYCLER\S-1-5-21-1085031214-1788223648-682003330-1004\Dc2\a.tmp
Virus:W32/Alcan.A.worm Disinfected C:\RECYCLER\S-1-5-21-1085031214-1788223648-682003330-1004\Dc2\a.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\RECYCLER\S-1-5-21-1085031214-1788223648-682003330-1004\Dc2\winupdates.exe
Adware:Adware/ClockSync No disinfected C:\RECYCLER\S-1-5-21-1085031214-1788223648-682003330-1004\Dc56.exe

#8
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Log looks good now. How's the computer running?

Remove all of your TIFs (temporary internet files). Directions are HERE.
Empty the recycle bin.

Next, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore:
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check "Turn off System Restore".
   Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore:
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Uncheck "Turn off System Restore".
   Click Apply, and then click OK.

System Restore will now be active again.

If all is well, I'll post a few suggestions on keeping it that way.

#9
miles goes rawr (Topic Starter, Member, 29 posts)

Thanks a lot.

Does it matter about the adware activescan errors?

#10
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

If you mean these:

Incident Status Location

Adware:adware/savenow No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Documents and Settings\oOoOo\Application Data\Mozilla\Firefox\Profiles\k49it4yx.default\Cache\A2E96B69d01
Virus:W32/Alcan.A.worm Disinfected C:\RECYCLER\S-1-5-21-1085031214-1788223648-682003330-1004\Dc2\a.tmp
Virus:W32/Alcan.A.worm Disinfected C:\RECYCLER\S-1-5-21-1085031214-1788223648-682003330-1004\Dc2\a.zip[Setup.exe]
Virus:W32/Alcan.A.worm Disinfected C:\RECYCLER\S-1-5-21-1085031214-1788223648-682003330-1004\Dc2\winupdates.exe
Adware:Adware/ClockSync No disinfected C:\RECYCLER\S-1-5-21-1085031214-1788223648-682003330-1004\Dc56.exe


No, you took care of all of those when you emptied your TIFs and recycle bin.

Congratulations, your log is clean.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the link in my signature.

And also see TonyKlein's good advice in
"So how did I get infected in the first place?"

#11
miles goes rawr (Topic Starter, Member, 29 posts)

Does Spyad work in Firefox, or just IE?

#12
jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

That one happens to be for IE only. SpywareGuard works in FF and does basically the same thing.

Edited by jwbirdsong, 12 November 2005 - 07:13 PM.
