Author Topic: WIN32.P2P-WORM.ALCAN.A  (Read 2978 times)

Offline funbobby

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
WIN32.P2P-WORM.ALCAN.A
« on: October 11, 2005, 12:33:23 AM »
Hey guys! Ad-aware picked up a worm and I found the file (C:\_RESTORE\TEMP\A0116164.1) and tried to delete it but couldn't as I got an error message: source may be in use.....Please help me!
I am also keen to make a donation, is there a postal address I can send to rather than using paypal?


Logfile of HijackThis v1.99.1
Scan saved at 6:27:49 p.m., on 11/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\WUAUBOOT.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

THIS IS MY AD-AWARE QUARANTINE LOG:


ArchiveData(auto-quarantine- 2005-10-07 23-52-08.bckp)
Referencefile : SE1R69 05.10.2005
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : C:\WINDOWS\Application Data\microsoft\office\recent\Desktop.LNK
obj[1]=MRU FileReference : C:\WINDOWS\Application Data\microsoft\office\recent\Yngwie Malmsteen farewell.LNK
obj[2]=MRU FileReference : C:\WINDOWS\Application Data\microsoft\office\recent\Pdfs.LNK
obj[3]=MRU FileReference : C:\WINDOWS\Application Data\microsoft\office\recent\Yngwie Malmsteen farewell 2.LNK
obj[4]=MRU FileReference : C:\WINDOWS\Application Data\microsoft\office\recent\Teaching practice - task one analysis.LNK
obj[5]=MRU FileReference : C:\WINDOWS\Application Data\microsoft\office\recent\Removable Disk (E).LNK
obj[7]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name
obj[8]=MRU RegReference : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
obj[9]=MRU RegReference : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs\.DUN
obj[10]=MRU RegReference : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs\.doc
obj[11]=MRU RegReference : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs\Folder
obj[12]=MRU RegReference : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs\.JPG
obj[13]=MRU RegReference : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
obj[28]=MRU RegReference : .DEFAULT\software\realnetworks\realplayer\6.0\preferences\MostRecentSkins1
obj[60]=MRU RegReference : .DEFAULT\software\realnetworks\realplayer\6.0\preferences\MostRecentClips1
obj[61]=MRU RegReference : .DEFAULT\software\realnetworks\realplayer\6.0\preferences\MostRecentClips2
obj[53]=MRU RegReference : .DEFAULT\software\realnetworks\realplayer\6.0\preferences\LastSaveAsDir
obj[40]=MRU RegReference : .DEFAULT\software\realnetworks\realplayer\6.0\preferences\LastLoginTime
obj[65]=MRU RegReference : .DEFAULT\software\microsoft\windows media\wmsdk\general computername

WIN32.P2P-WORM.ALCAN.A
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[15]=File : C:\_RESTORE\TEMP\A0116164.1

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
WIN32.P2P-WORM.ALCAN.A
« Reply #1 on: October 11, 2005, 12:40:46 AM »
Your log looks good, but you're not running any Anti-Virus software on your computer
That one file you can't remove is in your System Restore folder

Can you please Disable System Restore>>>Restart your computer
Then reenable System Restore
How to Disable and Re-enable System Restore feature

Back in windows and system restore reenabled
If you don't have your own AV to install
Download and install the free version of AVG from the following link
http://free.grisoft.com/doc/2/lng/us/tpl/v5

Scroll down and click on
AVG Free Edition installation files
File   Version
avg70free_344a618.exe <-this link, or similar

Save the installer to desktop and then double click to install
After installation restart the computer if prompted
Make sure AVG is right updated and run a Complete system scan

You should also visit Windows updates and install all latest critical updates and service packs to help keep secure
Don't install Recommended updates unless something preferred

Post a fresh hijackthis log back afterwards, let me know how things are running
« Last Edit: October 11, 2005, 12:42:21 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline funbobby

WIN32.P2P-WORM.ALCAN.A
« Reply #2 on: October 11, 2005, 12:55:11 AM »
Thank you for such a quick reply!! :)
Here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:55:40 p.m., on 11/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

Offline guestolo

WIN32.P2P-WORM.ALCAN.A
« Reply #3 on: October 11, 2005, 12:57:10 AM »
Umm, ok, it still looks good :blink:
Actually, it looks almost exactly the same as the last one

You didn't install AVG and do a scan and you didn't visit Windows updates

I hope everything is well and stays that way <_<
« Last Edit: October 11, 2005, 12:59:03 AM by guestolo »



Offline funbobby

WIN32.P2P-WORM.ALCAN.A
« Reply #4 on: October 11, 2005, 01:04:58 AM »
Sorry I didn't realise you wanted me to download it straight away...
Ad-Aware still picks up the worm and a tracking cookie. Do I just ignore them?
Here's my Ad-Aware log:

Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, 11 October 2005 19:03:08
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R69 05.10.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):20 total references
Tracking Cookie(TAC index:3):1 total references
Win32.P2P-Worm.Alcan.a(TAC index:8):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R69 05.10.2005
Internal build : 81
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 530649 Bytes
Total size : 1592247 Bytes
Signature data size : 1558894 Bytes
Reference data size : 32841 Bytes
Signatures total : 44240
CSI Fingerprints total : 1051
CSI data size : 37487 Bytes
Target categories : 15
Target families : 757


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium II
Memory available:40 %
Total physical memory:114120 kb
Available physical memory:15200 kb
Total page file size:1983028 kb
Available on page file:1925552 kb
Total virtual memory:2093056 kb
Available virtual memory:2046464 kb
OS:Microsoft Windows Millennium Edition

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-10-2005 19:03:08 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
    ModuleName         : C:\WINDOWS\SYSTEM\KERNEL32.DLL
    Command Line       : n/a
    ProcessID          : 4293870893
    Threads            : 4
    Priority           : High
    FileVersion        : 4.90.3000
    ProductVersion     : 4.90.3000
    ProductName        : Microsoft® Windows® Millennium Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Win32 Kernel core component
    InternalName       : KERNEL32
    LegalCopyright     : Copyright © Microsoft Corp. 1991-2000
    OriginalFilename   : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
    ModuleName         : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    Command Line       : n/a
    ProcessID          : 4294935421
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.90.3000
    ProductVersion     : 4.90.3000
    ProductName        : Microsoft® Windows® Millennium Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows 32-bit VxD Message Server
    InternalName       : MSGSRV32
    LegalCopyright     : Copyright © Microsoft Corp. 1992-1998
    OriginalFilename   : MSGSRV32.EXE

#:3 [mmtask.tsk]
    ModuleName         : C:\WINDOWS\SYSTEM\mmtask.tsk
    Command Line       : n/a
    ProcessID          : 4294845373
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.90.3000
    ProductVersion     : 4.90.3000
    ProductName        : Microsoft Windows
    CompanyName        : Microsoft Corporation
    FileDescription    : Multimedia background task support module
    InternalName       : mmtask.tsk
    LegalCopyright     : Copyright © Microsoft Corp. 1991-2000
    OriginalFilename   : mmtask.tsk

#:4 [MPREXE.EXE]
    ModuleName         : C:\WINDOWS\SYSTEM\MPREXE.EXE
    Command Line       : C:\WINDOWS\SYSTEM\MPREXE.EXE
    ProcessID          : 4294846969
    Threads            : 2
    Priority           : Normal
    FileVersion        : 4.90.3000
    ProductVersion     : 4.90.3000
    ProductName        : Microsoft® Windows® Millennium Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : WIN32 Network Interface Service Process
    InternalName       : MPREXE
    LegalCopyright     : Copyright © Microsoft Corp. 1993-2000
    OriginalFilename   : MPREXE.EXE

#:5 [EXPLORER.EXE]
    ModuleName         : C:\WINDOWS\EXPLORER.EXE
    Command Line       : C:\WINDOWS\Explorer.exe
    ProcessID          : 4294840865
    Threads            : 18
    Priority           : Normal
    FileVersion        : 5.50.4134.100
    ProductVersion     : 5.50.4134.100
    ProductName        : Microsoft® Windows ® 2000 Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : Copyright © Microsoft Corp. 1981-2000
    OriginalFilename   : EXPLORER.EXE

#:6 [RNAAPP.EXE]
    ModuleName         : C:\WINDOWS\SYSTEM\RNAAPP.EXE
    Command Line       : rnaapp.exe -l
    ProcessID          : 4294785873
    Threads            : 3
    Priority           : Normal
    FileVersion        : 4.90.3000
    ProductVersion     : 4.90.3000
    ProductName        : Microsoft® Windows® Millennium Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Dial-Up Networking Application
    InternalName       : RNAAPP
    LegalCopyright     : Copyright © Microsoft Corp. 1992-1996
    OriginalFilename   : RNAAPP.EXE

#:7 [TAPISRV.EXE]
    ModuleName         : C:\WINDOWS\SYSTEM\TAPISRV.EXE
    Command Line       : tapisrv.exe
    ProcessID          : 4294774969
    Threads            : 5
    Priority           : Normal
    FileVersion        : 4.90.3000
    ProductVersion     : 4.90.3000
    ProductName        : Microsoft® Windows® Millennium Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Microsoft® Windows(tm) Telephony Server
    InternalName       : Telephony Service
    LegalCopyright     : Copyright © Microsoft Corp. 1994-1998
    OriginalFilename   : TAPISRV.EXE

#:8 [SPOOL32.EXE]
    ModuleName         : C:\WINDOWS\SYSTEM\SPOOL32.EXE
    Command Line       : C:\WINDOWS\SYSTEM\spool32.exe
    ProcessID          : 4294767977
    Threads            : 2
    Priority           : Normal
    FileVersion        : 4.90.3000
    ProductVersion     : 4.90.3000
    ProductName        : Microsoft® Windows® Millennium Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler Sub System Process
    InternalName       : spool32
    LegalCopyright     : Copyright © Microsoft Corp. 1994 - 1998
    OriginalFilename   : spool32.exe

#:9 [IEXPLORE.EXE]
    ModuleName         : C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    Command Line       : "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    ProcessID          : 4294829629
    Threads            : 6
    Priority           : Normal
    FileVersion        : 5.50.4134.600
    ProductVersion     : 5.50.4134.600
    ProductName        : Microsoft® Windows ® 2000 Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName       : iexplore
    LegalCopyright     : Copyright © Microsoft Corp. 1981-2000
    OriginalFilename   : IEXPLORE.EXE

#:10 [AD-AWARE.EXE]
    ModuleName         : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
    Command Line       : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
    ProcessID          : 4293088109
    Threads            : 2
    Priority           : Normal
    FileVersion        : 6.2.0.236
    ProductVersion     : SE 106
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft AB Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

 MRU List Object Recognized!
    Location:          : C:\WINDOWS\Application Data\microsoft\office\recent
    Description        : list of recently opened documents using microsoft office


 MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct3d


 MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct X


 MRU List Object Recognized!
    Location:          : software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft directdraw


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\directinput\mostrecentapplication
    Description        : most recent application to use microsoft directinput


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\directinput\mostrecentapplication
    Description        : most recent application to use microsoft directinput


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\internet explorer
    Description        : last download directory used in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\internet explorer\typedurls
    Description        : list of recently entered addresses in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\mediaplayer\player\recentfilelist
    Description        : list of recently used files in microsoft windows media player


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\mediaplayer\preferences
    Description        : last playlist loaded in microsoft windows media player


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
    Description        : list of recent documents saved by microsoft word


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\windows\currentversion\applets\wordpad\recent file list
    Description        : list of recent files opened using wordpad


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored according to file extension


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
    Description        : list of recent skins in realplayer


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
    Description        : list of recent clips in realplayer


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
    Description        : last save as directory in realplayer


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
    Description        : last login time in realplayer


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\windows media\wmsdk\general
    Description        : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


 Tracking Cookie Object Recognized!
    Type               : IECache Entry
    Data               : hp authorized customer@cgi-bin[2].txt
    TAC Rating         : 3
    Category           : Data Miner
    Comment            : Hits:2
    Value              : Cookie:hp authorized [email protected]/cgi-bin
    Expires            : 19-01-2009 12:00:00
    LastSync           : Hits:2
    UseCount           : 0
    Hits               : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 21



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Win32.P2P-Worm.Alcan.a Object Recognized!
    Type               : File
    Data               : A0116164.0
    TAC Rating         : 8
    Category           : Worm
    Comment            :
    Object             : C:\_RESTORE\TEMP\
    FileVersion        : 3.0.2.0
    ProductVersion     : 3.02
    ProductName        : BigSpeed Zip DLL
    CompanyName        : BigSpeedSoft
    InternalName       : bszip.dll
    LegalCopyright     : © BigSpeedSoft
    LegalTrademarks    : BigSpeed is a trademark of BigSpeedSoft
    OriginalFilename   : bszip.dll


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 22


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 22

19:06:39 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:03:31.240
Objects scanned:73683
Objects identified:2
Objects ignored:0
New critical objects:2