win32.p2p-worm.alcan.a

[Pebbles]

Hi,

I have found this virusy thing in my computer but do not know how to get rid of it http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/dry.gif\' class=\'bbc_emoticon\' alt=\'<_<\' /> .  I have no real computer knowledge when it comes to the terminolgy and technical side of computers.  I have windows 2000 on my computer.  Could you please explain and walk me through what i have to do to exterminate this thing??  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/ph34r.gif\' class=\'bbc_emoticon\' alt=\':ph34r:\' />

Can I just add that I have seen others ask almost the same thing that I have, but I'm a bit daft and dont seem to follow it too well!!! http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' />  hehe!

[guestolo]

Just off to work, but in the meantime
So I get a better picture of what's going on

From my signature below, download and save too a permanent folder of it's own onto your harddrive
Hijackthis 1.99.1
Open Hijackthis.exe

Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log  here... Don't try and fix anything please with Hijackthis unless advised
All the information is important

[Pebbles]

Hi - Apologise for delay.  Log as is follows:


Logfile of HijackThis v1.99.1
Scan saved at 9:45:30 AM, on 4/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\oodag.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

[guestolo]

Can you do the following please
Can you open "MyComputer"
Double click to open Local Disk C: drive
Right click an empty spot  and left click NEW>>Folder
A new folder will be placed in the C: folder , name it BFU
So you now have C:\BFU

Please download Brute Force Uninstaller
Reminder, choose SAVE rather than OPEN
Save this too the desktop
Once you have it saved too desktop
Then Extract (UNZIP) the contents to the (C:\BFU) folder you just made
So you now have C:\Bfu\bfu.exe

[color=\"#CC0000\"]RIGHT CLICK HERE[/color]
 and choose "Save As" (in IE it's "Save Target As") in order to download  Alcra Remover.
Save it in the folder you made earlier (c:\BFU)
So you now have C:\Bfu\alcanshorty.bfu

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" UNCHECK
 

"Install background guard"
 "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work
Can you review the page to help with the Updater from this link
http://www.ewido.net/en/support/?AID=26

Download and install Windows CleanUp! 4.5.1
Don't run this yet

Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!

I need you too do the following
Spybot's TeaTimer is a great tool, but it may, and probably will interfere with any fixes we are to try
Open Spybot, click on MODE>>Advanced Mode>>Ok the prompt
Click on TOOLS in the bottom left
Then click on RESIDENT on the top left column
On the right hand side, uncheck ONLY Resident "TeaTimer"
Accept the change
Leave this disabled until we are sure we have you clean please

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done click Close
DECLINE to log off or restart the computer

=Open the C:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to alcanshorty.bfu in the C:\BFU folder
Right click alcanshorty.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.

=Open Ewido anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
    Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Reboot back to Normal mode

Post back the following please
1. Post a fresh Hijackthis log
2. Post the whole report from Ewido's

[Pebbles]

Hi There - the following are the logs requested  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'\' />


Logfile of HijackThis v1.99.1
Scan saved at 3:45:13 PM, on 4/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\oodag.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe





---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         3:38:40 PM, 4/21/2006
 + Report-Checksum:      1AC4D0B7

 + Scan result:

   C:\backup\counter.cab/counter.exe -> Dropper.Agent.az : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\administrator@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\administrator@com[2].txt -> TrackingCookie.Com : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\administrator@com[3].txt -> TrackingCookie.Com : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\administrator@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\administrator@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\administrator@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\administrator@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
   C:\backup\Documents and Settings\Administrator\Cookies\administrator@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
   C:\Documents and Settings\Administrator\My Documents\CSI Crime Scene Investigation\Setup.exe -> Worm.VB.an : Cleaned with backup
   C:\Documents and Settings\Administrator\My Documents\My Movies\Setup.exe -> Worm.VB.an : Cleaned with backup


::Report End





Thankyou http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'\' />

[guestolo]

[indent][color=\"#CC0000\"]Protect yourself against Future Attacks[/color][/i][/b][/indent]
*Install  SpywareBlaster 3.5.1 by JavaCool  

*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
                   
*Make sure your Anti-Virus software is always kept up to date and actively running in the background

*Keep up to date on Windows updates (High Priorities)
This is the most important step in keeping your system secure

*Make sure your Firewall is enabled and running
A Firewall is also very important
This provides a line of defense against someone who might try to access your computer without your permission

I would opt to hold on to CleanUp! and Ewido
Ewido will become a Limited free version in a couple weeks after installation
Still a great scanner to update and run on a monthly basis

Go back and reenable the the TeaTimer in Spybot
Additionally. In Spybot 1.4
Click on the Immunize button>>OK>>Click Immunize at the top green cross
Please Immunize after every update
Stay safe  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'\' />

[Pebbles]

[font=\"Tahoma\"] [/font]THANKYOU!!!  Thankyou for all your time and knowledge with this matter, It is greatly appreciated!!!!!!!!!!! http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'\' />  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'\' />  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'\' />

I hope you enjoy the rest of your day!  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' />

[guestolo]

You enjoy your day too  http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'\' />
I'll lock this topic as your problems appear resolved
Take care