TheTechGuide Forum

General Category => Tech Clinic => Topic started by: zekemorgan on December 18, 2005, 09:31:45 AM

Title: another alcan.a virus. help plz ^^;
Post by: zekemorgan on December 18, 2005, 09:31:45 AM

Ok I read the last thread with the alcan.a virus and tried following the steps with ad-aware and ewido but the one thing I didnt follow was:

Once in safe mode
Open the BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu in the BFU folder
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

because I didnt have a p2pnetwork.bfu option. I wasnt sure how vital it was so I skipped over it. anyway the worm is still there.

Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:47 AM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\NCLAUNCH.EXe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Zeke Morgan\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz (http://\"http://www.dell4me.com/mywaybiz\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz (http://\"http://www.dell4me.com/mywaybiz\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz (http://\"http://www.dell4me.com/mywaybiz\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz (http://\"http://www.dell4me.com/mywaybiz\")
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Zeke Morgan\Application Data\Mozilla\Profiles\default\1lqlqv7r.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\RunOnce: [AOLRebootNeeded] regsvr32.exe /s
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

If you need any other information please ask. Thank you for your time!

Title: another alcan.a virus. help plz ^^;
Post by: guestolo on December 18, 2005, 01:12:24 PM

Actually that's a very important step
It doesn't take long to run BFU with the steps I posted
But it has a big punch on this bad guy
It remove many bad registry settings and removes bad files and folders
All in under 10 seconds once Executed

Let's try this
When I ask you too download a zip file, make sure you choose SAVE TO DISK rather than Open

Can you open "MyComputer"
Double click to open Local Disk C: drive
Right click an empty spot  and left click NEW>>Folder
A new folder will be placed in the C: folder , name it BFU
So you now have C:\BFU

Download and save p2pnetwork.zip (http://\"http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=426\") (Credit to Metallica)
Then UNZIP it to the BFU Folder
So you now have p2pnetwork.bfu extracted

Download and save and then UNZIP to the BFU folder
BFU.zip (http://\"http://www.merijn.org/files/bfu.zip\")
So you now have BFU.exe extracted

Also, I want to check on something
Download and save too your Desktop AimFix.exe (http://\"http://www.jayloden.com/AIMFix.exe\")
Don't run it yet

Open Ewido
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link and install them
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")

Please  save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter


Open the BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu in the BFU folder
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
 
  Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

After that is done
Double click on Aimfix.exe
and follow the prompts

Reboot back to Normal mode

Back in Windows
Can you post a few logs please

1. Post a fresh hijackthis log
2. Post the whole report from Ewido's
3. Post the contents of the log created from AimFix that should be on the desktop>>Aimfix.log