Author Topic: I got the WIN32.P2P-WORM.ALCAN.A  (Read 922 times)

Offline SolidBladeSnake

I got the WIN32.P2P-WORM.ALCAN.A
« on: December 22, 2005, 08:23:37 PM »
I read in the previous post to download HijackThis, so I did... here is my log file

Logfile of HijackThis v1.99.1
Scan saved at 8:17:28 PM, on 12/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\winsupdater\winsupdater.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\DOCUMENTS AND SETTINGS\DUSTIN\DESKTOP\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nelwb] C:\WINDOWS\nelwb.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [TCClient] C:\DOCUME~1\Dustin\LOCALS~1\Temp\Temporary Directory 2 for tcclient.zip\tcclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099430212995
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe




What step is next...?

Offline guestolo

« Reply #1 on: December 22, 2005, 09:47:49 PM »
Hi SolidBladeSnake
Can you do the following please

When I ask you to download a zip file, make sure you choose SAVE TO DISK rather than Open
Can you open "MyComputer"
Double click to open Local Disk C: drive
Right click an empty spot and left click NEW>>Folder
A new folder will be placed in the C: folder, name it BFU
So you now have C:\BFU

Download and save p2pnetwork.zip
Then UNZIP it to the BFU Folder
So you now have p2pnetwork.bfu extracted to the BFU folder

Download and save and then UNZIP to the BFU folder
BFU.zip
So you now have BFU.exe extracted

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup! 4.0
Don't run it yet

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work, can you manually download the
updates from this link after you have Ewido installed:
http://www.ewido.net/en/download/updates/

If you don't have Ad-Aware SE Personal 1.06,
Download and Install Ad-Aware SE Personal 1.06
Open Ad-Aware, ensure you click the check for updates now link and Connect to download the latest updates
Don't run a scan yet

Download and save to your Desktop AimFix.exe

Please save these instructions to a Notepad file and save it to your Desktop for reference,
or print them out!


RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

Once in safe mode
Open the BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu in the BFU folder
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

    * Empty Recycle Bins
    * Delete Cookies
    * Delete Prefetch files
    * Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

Double click to run AimFix.exe, follow the prompts
Remain in safe mode

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
 
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [nelwb] C:\WINDOWS\nelwb.exe
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [TCClient] C:\DOCUME~1\Dustin\LOCALS~1\Temp\Temporary Directory 2 for tcclient.zip\tcclient.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)


After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to Normal mode

Back in Windows
Can I see the following

1. Run another System scan and Save logfile with Hijackthis and post the log
2. Post the report you saved earlier with Ewido
3. Post the Aimfix.log from your desktop

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
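The entries the helper asks to be ticked above follow recognisable patterns: a Run value with an empty name (`[] winlog.exe`), an autostart pointing into a Temp folder (`tcclient.exe` under `Temporary Directory 2 for tcclient.zip`), the old RunServices key, a bare filename with no path, and an executable dropped straight into `C:\WINDOWS`. The script below is an added example, not HijackThis's own code and not the helper's: it parses the O4 lines of a HijackThis-style log, applies those heuristics, and diffs two logs so you can confirm the entries are gone after "Fix checked". The rules are assumptions made here for triage, not a signature database; the sample logs are O4 excerpts from the first and last logs in this thread.

```python
"""Triage helpers for HijackThis-style logs.

Added example, not code from HijackThis or the thread's helper.  It parses the
O4 autostart entries of a log, flags the patterns a helper typically asks the
poster to tick for "Fix checked", and diffs two logs to confirm the entries
are gone afterwards.  The rules are assumptions made here for illustration;
a "review" hit is a prompt to look closer, not a verdict.
"""
import re
from dataclasses import dataclass

# O4 lines of the form:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First executable/DLL on a command line, quoted or not, possibly followed by
# arguments; unquoted paths with spaces are handled by cutting at the extension.
EXE_RE = re.compile(
    r'^"?(?P<exe>.+?\.(?:exe|dll|com|scr|bat|cmd))"?(?=[\s,]|$)', re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "suspicious" (ask to fix) or "review" (look closer)
    reason: str
    line: str


def target_of(cmd):
    """Return the binary an O4 command actually launches.

    For rundll32 the interesting target is the DLL it loads, so that is
    returned instead of rundll32.exe itself.
    """
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if not m:
        return cmd
    exe = m["exe"]
    if exe.lower().endswith("rundll32.exe"):
        inner = EXE_RE.match(cmd[m.end():].strip())
        if inner:
            exe = inner["exe"]
    return exe


def triage_o4(log_text):
    """Apply the heuristics to every O4 Run/RunServices entry in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if not m:
            continue  # Startup-folder O4 lines and other sections are skipped
        key, name, cmd = m["key"], m["name"], m["cmd"]
        exe = target_of(cmd)
        low = exe.lower()
        if name == "":
            findings.append(Finding("suspicious", "Run entry with an empty value name", line))
        if "\\temp\\" in low or "temporary directory" in low:
            findings.append(Finding("suspicious", "autostart from a Temp or zip-extraction folder", line))
        if key.lower() == "runservices":
            findings.append(Finding("review", "RunServices is a Win9x-era key, rarely used on XP", line))
        if "\\" not in exe:
            findings.append(Finding("review", "bare filename, so the binary's location is not pinned down", line))
        elif re.fullmatch(r"c:\\windows\\[^\\]+\.exe", low):
            findings.append(Finding("review", "executable placed directly in the Windows folder", line))
    return findings


def o4_entries(log_text):
    return {l.strip() for l in log_text.splitlines() if l.strip().startswith("O4 - ")}


def removed_entries(before, after):
    """O4 entries present in the first log but gone from the second."""
    return sorted(o4_entries(before) - o4_entries(after))


# O4 excerpts from the first and last HijackThis logs posted in this thread.
FIRST_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nelwb] C:\WINDOWS\nelwb.exe
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [TCClient] C:\DOCUME~1\Dustin\LOCALS~1\Temp\Temporary Directory 2 for tcclient.zip\tcclient.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""
FINAL_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
"""

if __name__ == "__main__":
    for f in triage_o4(FIRST_LOG):
        print(f"{f.severity:10} {f.reason}: {f.line}")
    print("gone after the fix:", *removed_entries(FIRST_LOG, FINAL_LOG), sep="\n  ")
```

Run it as a script to see the three "suspicious" hits (both empty-named `winlog.exe` values and the Temp-folder `tcclient.exe`) and the review items on the first log, followed by the seven O4 entries that no longer appear in the final log; the final log itself produces no "suspicious" finding, only the bare-filename review on `nwiz.exe`, which is the NVIDIA entry the helper never asked to remove.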


Offline SolidBladeSnake

« Reply #2 on: December 23, 2005, 10:57:02 AM »
Thanks for the help...

Hijack This fresh log

Logfile of HijackThis v1.99.1
Scan saved at 10:55:00 AM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Dustin\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKCU\..\Run: [TCClient] C:\DOCUME~1\Dustin\LOCALS~1\Temp\Temporary Directory 2 for tcclient.zip\tcclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099430212995
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe


Ewido report

 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         11:17:50 PM, 12/22/2005
 + Report-Checksum:      C50B167D

 + Scan result:

   HKLM\SOFTWARE\Classes\TypeLib\{7354662F-CAA3-448B-BC01-04F55A2DCA35} -> Spyware.CnsMin : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{F97E75A4-0103-4F27-A752-327B600B1130} -> Spyware.CnsMin : Cleaned with backup
   HKU\S-1-5-21-1547161642-764733703-854245398-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Cleaned with backup
   C:\at.exe -> Backdoor.Rbot.adx : Cleaned with backup
   :mozilla.6:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.7:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.8:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.9:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.10:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.13:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
   :mozilla.21:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
   :mozilla.22:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
   :mozilla.26:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.27:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.28:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.29:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.30:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.44:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.45:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.49:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.50:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.51:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.52:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.53:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.54:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.55:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.62:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.63:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.64:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.66:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
   :mozilla.67:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
   :mozilla.79:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.80:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.81:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.82:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.83:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.87:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.88:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.89:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.90:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
   :mozilla.91:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.92:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
   :mozilla.95:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.98:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
   :mozilla.99:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
   :mozilla.100:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
   :mozilla.101:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
   :mozilla.102:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
   :mozilla.119:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
   :mozilla.120:C:\Documents and Settings\Dustin\Application Data\Mozilla\Firefox\Profiles\7bxtv2ip.Blade\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
   C:\Documents and Settings\Dustin\My Documents\Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Dustin\Shared\Adobe Photoshop CS 9 Crack.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\im.exe -> Trojan.Crypt.d : Cleaned with backup
   C:\WINDOWS\system32\AutoLive.dll/assist\eheflash.dll -> Spyware.CnsMin : Cleaned with backup
   C:\WINDOWS\system32\AutoLive.dll/assist\eheflash.dll -> Spyware.CnsMin : Cleaned with backup
   C:\WINDOWS\system32\AutoLive.dll/assist\eheflash.dll -> Spyware.CnsMin : Cleaned with backup
   C:\WINDOWS\system32\AutoLive.dll/assist\eheflash.dll -> Spyware.CnsMin : Cleaned with backup


::Report End


Aim report

AIMFix version: 1.3.2212.1744
SetPrivilege successfully set SeDebug rights
SeDebug Privilege set successfully
First, closing any running copies of AOL Instant Messenger (aim.exe):
Process C:\Program Files\AIM\aim.exe found
Process C:\Program Files\AIM\aim.exe killed

***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***


***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------


There you go! I think I destroyed it...

Offline guestolo

« Reply #3 on: December 23, 2005, 08:23:47 PM »
You did really well; we just have to get some leftovers

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [AOL Instant Messanger] aim.exe

O4 - HKLM\..\RunServices: [AOL Instant Messanger] aim.exe
O4 - HKCU\..\Run: [TCClient] C:\DOCUME~1\Dustin\LOCALS~1\Temp\Temporary Directory 2 for tcclient.zip\tcclient.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer and post a fresh hijackthis log



Offline SolidBladeSnake

« Reply #4 on: December 25, 2005, 11:53:37 PM »
Logfile of HijackThis v1.99.1
Scan saved at 11:52:27 PM, on 12/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Dustin\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1099430212995
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

Offline guestolo

« Reply #5 on: December 26, 2005, 02:19:57 PM »
Good work,
I'm not sure if you have this program, but if not you should run it

Download and Install Spybot 1.4 from
HERE
 or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

Please Immunize after every update
Reboot the computer if anything was found and fixed

Final cleanup
If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then re-enable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you re-enable the system restore feature

Afterwards, for added protection
You should install this free tool
SpywareBlaster 3.4 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"



Offline guestolo

« Reply #6 on: January 08, 2006, 02:59:15 PM »
Since the problems appear to be resolved, I'll lock this topic
Glad to help :)
