Hi, I just found out that I (like a lot of other people on this site) have an Alcan worm on my computer. Can someone please help me get rid of it?
I've found that the files the worm is making are in C:\_Restore\TEMP. Anyway, here's my HijackThis log and my WinPFind log. I'm running Windows ME.
Logfile of HijackThis v1.99.1
Scan saved at 11:21:46 PM, on 7/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SECSRVRC.EXE
C:\WINDOWS\SYSTEM\SNDCFG16.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\WINUPDATES\WINUPDATES.EXE
C:\WINDOWS\SYSTEM\SNDCFG16.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [secsrvrc] C:\WINDOWS\SYSTEM\secsrvrc.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
And now for the WinPFind log file.
WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.
If you see a message in the title bar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
Checking %System%\Drivers folder and sub-folders...
Checking the Windows folder for system and hidden files within the last 60 days...
7/29/2005 11:16:40 PM 1052704 C:\WINDOWS\USER.DAT
7/29/2005 11:09:40 PM 4190240 C:\WINDOWS\CLASSES.DAT
6/28/2005 12:38:08 AM 352288 C:\WINDOWS\HWINFO.DAT
7/29/2005 11:14:16 PM 2002976 C:\WINDOWS\SYSTEM.DAT
6/28/2005 12:37:02 AM 23155 C:\WINDOWS\folder.htt
6/28/2005 12:37:02 AM 271 C:\WINDOWS\desktop.ini
7/29/2005 11:11:32 PM 1185584 C:\WINDOWS\ShellIconCache
7/24/2005 1:14:42 AM 6496 C:\WINDOWS\ttfCache
7/25/2005 3:04:34 PM 8628 C:\WINDOWS\SYSTEM\JAVAPERM.GID
7/6/2005 8:18:00 AM 30503 C:\WINDOWS\SYSTEM\secsrvrc.exe
6/28/2005 12:37:02 AM 23155 C:\WINDOWS\SYSTEM\folder.htt
6/28/2005 12:37:02 AM 271 C:\WINDOWS\SYSTEM\desktop.ini
7/6/2005 8:18:00 AM 14336 C:\WINDOWS\SYSTEM\secsrvrc.dll
7/29/2005 10:26:48 PM 890 C:\WINDOWS\SYSTEM\vsconfig.xml
7/29/2005 11:56:42 AM 4212 C:\WINDOWS\SYSTEM\zllictbl.dat
6/28/2005 12:35:58 AM 9793 C:\WINDOWS\HELP\windows.GID
6/28/2005 12:37:04 AM 9439 C:\WINDOWS\WEB\WVLOGO.GIF
6/28/2005 12:35:58 AM 2998 C:\WINDOWS\WEB\PICTURES.ICO
6/28/2005 12:37:02 AM 18163 C:\WINDOWS\WEB\CONTROLP.HTT
6/28/2005 12:37:04 AM 830 C:\WINDOWS\WEB\DESKMOVR.HTT
6/28/2005 12:37:02 AM 3191 C:\WINDOWS\WEB\FOLDER.HTT
6/28/2005 12:37:04 AM 11870 C:\WINDOWS\WEB\PRINTERS.HTT
6/28/2005 12:37:04 AM 3469 C:\WINDOWS\WEB\SAFEMODE.HTT
6/28/2005 12:35:58 AM 10134 C:\WINDOWS\WEB\CAMERA.ICO
6/28/2005 12:37:02 AM 1535 C:\WINDOWS\WEB\webview.css
6/28/2005 12:37:02 AM 4780 C:\WINDOWS\WEB\default.htt
6/28/2005 12:37:04 AM 16287 C:\WINDOWS\WEB\nethood.htt
6/28/2005 12:37:04 AM 11034 C:\WINDOWS\WEB\recycle.htt
6/28/2005 12:37:04 AM 6391 C:\WINDOWS\WEB\schedule.htt
6/28/2005 12:37:04 AM 9227 C:\WINDOWS\WEB\dialup.htt
6/28/2005 12:37:04 AM 8246 C:\WINDOWS\WEB\wvleft.bmp
6/28/2005 12:37:04 AM 54 C:\WINDOWS\WEB\wvline.gif
6/28/2005 12:37:06 AM 11083 C:\WINDOWS\WEB\ftp.htt
6/28/2005 12:35:58 AM 4753 C:\WINDOWS\WEB\wiadev.htt
6/28/2005 12:35:58 AM 18952 C:\WINDOWS\WEB\wiacam.htt
6/28/2005 12:35:58 AM 20150 C:\WINDOWS\WEB\wiastream.htt
6/28/2005 12:35:58 AM 1574 C:\WINDOWS\WEB\wiastyle.css
6/28/2005 12:36:00 AM 10134 C:\WINDOWS\WEB\STREAM.ICO
6/28/2005 12:37:06 AM 1749 C:\WINDOWS\WEB\wvleft.gif
6/28/2005 12:37:06 AM 90056 C:\WINDOWS\WEB\classic.bmp
6/28/2005 12:37:06 AM 641 C:\WINDOWS\WEB\classic.htt
6/28/2005 12:37:06 AM 18100 C:\WINDOWS\WEB\folder.bmp
6/28/2005 12:37:06 AM 1031 C:\WINDOWS\WEB\starter.htt
6/28/2005 12:37:06 AM 31080 C:\WINDOWS\WEB\starter.bmp
6/28/2005 12:37:06 AM 18100 C:\WINDOWS\WEB\preview.bmp
6/28/2005 12:37:06 AM 18276 C:\WINDOWS\WEB\imgview.htt
6/28/2005 12:37:06 AM 20510 C:\WINDOWS\WEB\fsresult.htt
6/28/2005 12:37:06 AM 29797 C:\WINDOWS\WEB\standard.htt
6/28/2005 12:37:06 AM 33916 C:\WINDOWS\WEB\webview.js
6/28/2005 12:37:06 AM 2642 C:\WINDOWS\WEB\exclam.gif
6/28/2005 12:37:06 AM 842 C:\WINDOWS\WEB\bullet.gif
6/28/2005 12:37:06 AM 80 C:\WINDOWS\WEB\plushot.gif
6/28/2005 12:37:06 AM 59 C:\WINDOWS\WEB\pluscold.gif
6/28/2005 12:37:06 AM 77 C:\WINDOWS\WEB\minhot.gif
6/28/2005 12:37:06 AM 56 C:\WINDOWS\WEB\mincold.gif
6/28/2005 12:37:06 AM 25217 C:\WINDOWS\WEB\sysroot.htt
6/28/2005 12:37:06 AM 2848 C:\WINDOWS\WEB\brfcase.htt
7/29/2005 10:26:24 PM 6 C:\WINDOWS\TASKS\SA.DAT
7/24/2005 1:07:54 AM 4096 C:\WINDOWS\All Users\DRM\drmv2.sst
6/30/2005 9:51:26 PM 48 C:\WINDOWS\All Users\DRM\v2ks.sec
6/30/2005 9:51:26 PM 312 C:\WINDOWS\All Users\DRM\v2ks.bla
6/30/2005 9:51:30 PM 4348 C:\WINDOWS\All Users\DRM\DRMv1.key
6/30/2005 9:51:30 PM 4348 C:\WINDOWS\All Users\DRM\DRMv1.bak
7/29/2005 10:19:28 PM 2138 C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Desktop.htt
7/24/2005 5:54:26 PM 118 C:\WINDOWS\Recent\Desktop.ini
6/28/2005 12:41:18 AM 131 C:\WINDOWS\Favorites\desktop.ini
6/28/2005 5:01:54 PM 67 C:\WINDOWS\Temporary Internet Files\desktop.ini
7/29/2005 10:18:52 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
7/29/2005 10:41:08 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\8LMRCPIB\desktop.ini
7/29/2005 10:41:08 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\C5AB09UR\desktop.ini
7/29/2005 11:13:44 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\STUJ8LMB\desktop.ini
7/29/2005 11:13:44 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\ATWF6965\desktop.ini
7/29/2005 11:13:48 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\8T27CPUB\desktop.ini
7/29/2005 11:13:54 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\2ZQRYT6F\desktop.ini
7/29/2005 11:13:54 PM 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\01YZ89QJ\desktop.ini
7/29/2005 11:14:00 PM 8 C:\WINDOWS\PCHEALTH\HELPCTR\Database\HelpSessionHistory.stream
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
4/3/2005 4:28:02 PM 544 C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
Checking files in %USERPROFILE%\Application Data folder...
7/29/2005 10:39:20 AM 1246 C:\WINDOWS\Application Data\dw.log
7/23/2005 7:09:58 AM 39 C:\WINDOWS\Application Data\Garendall License.lcs
7/20/2005 2:10:26 PM 12120 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{53C74826-AB99-4d33-ACA4-3117F51D3788}
= C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = C:\WINDOWS\SYSTEM\SHELL32.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
SystemTray SysTray.Exe
C-Media Mixer Mixer.exe /startup
QuickTime Task "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
PCHealth C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
winupdates C:\Program Files\winupdates\winupdates.exe /auto
WinProfile sndcfg16.exe
Zone Labs Client "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
MSFS
MAPI
IMAIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
AAW "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE" "+b1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SpySweeper
E6TaskPanel "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WinOldApp
NoRealMode 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\Web Folders\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
CDRAutoRun
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Any and all help would be appreciated. Thanks!
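The following is an added example and is not part of the post above or of the HijackThis/WinPFind tools. It parses the "Running processes" list and the O4 registry autorun entries of a HijackThis v1.99-style log (a constructed sample made of lines excerpted from the log above) and flags the patterns a malware-removal helper checks first: autoruns given as a bare file name instead of a full path, unquoted paths containing spaces, the same binary registered under more than one autorun key, and a binary that appears more than once in the process list. The regular expressions and the four heuristics are assumptions of this example; as the WinPFind banner says, a hit is a lead, not a verdict (stock Windows ME registers LoadPowerProfile under both Run and RunServices, and it is flagged here too).

```python
"""Heuristic triage of a HijackThis log (added example, not the poster's code).
The O4 line format and the four heuristics below are this example's assumptions."""
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\SECSRVRC.EXE
C:\WINDOWS\SYSTEM\SNDCFG16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\WINUPDATES\WINUPDATES.EXE
C:\WINDOWS\SYSTEM\SNDCFG16.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [secsrvrc] C:\WINDOWS\SYSTEM\secsrvrc.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')
EXE_EXTS = ('.exe', '.com', '.dll', '.scr', '.bat')


def exe_from_command(cmd):
    """Return (executable, was_quoted). Unquoted paths with spaces are
    reassembled token by token until a token ends in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end != -1 else cmd[1:]), True
    tokens = cmd.split()
    for i in range(len(tokens)):
        candidate = ' '.join(tokens[:i + 1])
        if candidate.lower().endswith(EXE_EXTS):
            return candidate, False
    return (tokens[0] if tokens else ''), False


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def parse_log(text):
    """Split a log into its running-process list and its O4 registry autoruns."""
    processes, autoruns, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('Running processes:'):
            in_procs = True
            continue
        if in_procs and ABS_PATH_RE.match(line):
            processes.append(line)
            continue
        in_procs = False  # first non-path line ends the process list
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe, quoted = exe_from_command(cmd)
            autoruns.append({'hive': hive, 'key': key, 'name': name, 'exe': exe, 'quoted': quoted})
    return processes, autoruns


def triage(text):
    processes, autoruns = parse_log(text)

    def label(a):
        return f"{a['hive']}\\{a['key']} [{a['name']}] {a['exe']}"

    # 1. A bare file name is resolved through the search path at boot, so the
    #    entry alone does not tell you which copy of the file actually runs.
    unqualified = [label(a) for a in autoruns if not ABS_PATH_RE.match(a['exe'])]
    # 2. An unquoted absolute path containing spaces is ambiguous to the loader.
    unquoted = [label(a) for a in autoruns
                if not a['quoted'] and ABS_PATH_RE.match(a['exe']) and ' ' in a['exe']]
    # 3. One binary under several autorun keys survives removal of any single entry.
    by_exe = defaultdict(set)
    for a in autoruns:
        by_exe[basename(a['exe'])].add(f"{a['hive']}\\{a['key']}")
    multi_key = {exe: sorted(keys) for exe, keys in by_exe.items() if len(keys) > 1}
    # 4. The same binary listed more than once among running processes.
    counts = defaultdict(int)
    for p in processes:
        counts[basename(p)] += 1
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return {'unqualified_path': unqualified, 'unquoted_space_path': unquoted,
            'multi_key_persistence': multi_key, 'duplicate_process': duplicates}


if __name__ == '__main__':
    for category, hits in triage(SAMPLE_LOG).items():
        print(category)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print('   ', hit)
```

Run against the sample, the script reports sndcfg16.exe both as a duplicate running process and as persisted under Run and RunServices, and winupdates.exe as an unquoted path with spaces; rundll32.exe (LoadPowerProfile) shows up in the multi-key list as well, which is why each category is a list of things to look at rather than a list of things to delete.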