« previous next »
Pages: [1] 2

Author Topic: win32.p2p-worm.alcon  (Read 2595 times)

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« on: July 07, 2007, 07:08:42 AM »
Hello!  My adware has found 2 of this win32.p2p-worm and I need help !  I have  a fairly new computer running Vista , which I'm still getting familiar with. I am not a computer whiz by any means but I can basic follow directions!  Any help would be appreciated!
I have attached my hijack this scan.  Thanks--- Carol http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

Logfile of HijackThis v1.99.1
Scan saved at 7:59:42 AM, on 7/7/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Acer\OrbiCam10\OrbiCam.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\Carol\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Windows\explorer.exe
C:\Users\Carol\Documents\Unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [AcerOrbicamRibbon] "C:\Program Files\Acer\OrbiCam10\OrbiCam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\Windows\System32\QuickTime\QuickTimeUpdateHelper.exe"              -destfullpath "C:\Program Files\QuickTime\QuickTimeUpdater.exe" -sourcefullpath "C:\Program Files\QuickTime\QuickTimeUpdater.exe.new00"  -haspost -uninstallwithapps -atboottime "QuickTime Update Completion 0"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {00B28243-126B-4FFF-B346-6C3176E8296B} (Siebel Calendar) - https://wtiwebopt.axaonline.com/fins_enu/19...Ax_Calendar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - https://wtiwebopt.axaonline.com/fins_enu/19...x_HI_Client.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: SQL Server (ACT7) (MSSQL$ACT7) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sACT7 (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win32.p2p-worm.alcon
« Reply #1 on: July 07, 2007, 08:59:54 AM »
Which Adware scanner is showing you these results?
Whichever it is, after a scan you can usually view a report of what was found
Can you post the contents of that report

Also, since you are running Vista
Can you download Hijackthis 2.0.2 and post a fresh log
You can get it from HERE
« Last Edit: July 07, 2007, 09:40:10 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« Reply #2 on: July 07, 2007, 10:38:02 AM »
[quote name=\'guestolo\' post=\'351972\' date=\'Jul 7 2007, 08:59 AM\']Which Adware scanner is showing you these results?
Whichever it is, after a scan you can usually view a report of what was found
Can you post the contents of that report

Also, since you are running Vista
Can you download Hijackthis 2.0.2 and post a fresh log
You can get it from HERE[/quote]

Guestolo-
I used Ad-aware and have attached the scan.
I will post hijackthis next. Thanks for your help!
Carol http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, July 07, 2007 11:25:59 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R179 04.07.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Win32.P2P-Worm.Alcan.a(TAC index:8):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-7-2007 11:25:59 AM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [taskeng.exe]
    FilePath           : C:\Windows\system32\
    ProcessID          : 3980
    ThreadCreationTime : 7-7-2007 12:34:02 PM
    BasePriority       : Normal
    FileVersion        : 6.0.6000.16386 (vista_rtm.061101-2205)
    ProductVersion     : 6.0.6000.16386
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Task Scheduler Engine
    InternalName       : TaskEng
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : taskeng.exe.mui

#:2 [dwm.exe]
    FilePath           : C:\Windows\system32\
    ProcessID          : 3044
    ThreadCreationTime : 7-7-2007 12:34:04 PM
    BasePriority       : High
    FileVersion        : 6.0.6000.16386 (vista_rtm.061101-2205)
    ProductVersion     : 6.0.6000.16386
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Desktop Window Manager
    InternalName       : dwm.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : dwm.exe.mui

#:3 [msascui.exe]
    FilePath           : C:\Program Files\Windows Defender\
    ProcessID          : 476
    ThreadCreationTime : 7-7-2007 12:34:07 PM
    BasePriority       : Normal
    FileVersion        : 1.1.1505.0
    ProductVersion     : 1.1.1505.0
    ProductName        : Windows Defender
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Defender User Interface
    InternalName       : MSASCUI
    LegalCopyright     : © Microsoft Corporation.  All rights reserved.
    OriginalFilename   : MSASCUI.exe

#:4 [rthdvcpl.exe]
    FilePath           : C:\Windows\
    ProcessID          : 1912
    ThreadCreationTime : 7-7-2007 12:34:08 PM
    BasePriority       : Normal
    FileVersion        : 1, 0, 0, 11
    ProductVersion     : 1, 0, 0, 11
    ProductName        : HD Audio Control Panel
    CompanyName        : Realtek Semiconductor
    FileDescription    : HD Audio Control Panel
    InternalName       : RtHDVCpl.exe
    LegalCopyright     : 2006 © Realtek Semiconductor.  All rights reserved.
    OriginalFilename   : RtHDVCpl.exe

#:5 [syntpenh.exe]
    FilePath           : C:\Program Files\Synaptics\SynTP\
    ProcessID          : 3512
    ThreadCreationTime : 7-7-2007 12:34:09 PM
    BasePriority       : Normal
    FileVersion        : 9.0.3 20Oct06
    ProductVersion     : 9.0.3 20Oct06
    ProductName        : Synaptics Pointing Device Driver
    CompanyName        : Synaptics, Inc.
    FileDescription    : Synaptics TouchPad Enhancements
    InternalName       : Synaptics Enhancements Application
    LegalCopyright     : Copyright © Synaptics, Inc. 1996-2006
    OriginalFilename   : SynTPEnh.exe

#:6 [igfxtray.exe]
    FilePath           : C:\Windows\System32\
    ProcessID          : 3588
    ThreadCreationTime : 7-7-2007 12:34:09 PM
    BasePriority       : Normal
    FileVersion        : 7.14.10.1114
    ProductVersion     : 7.14.10.1114
    ProductName        : Intel® Common User Interface
    CompanyName        : Intel Corporation
    FileDescription    : igfxTray Module
    InternalName       : IGFXTRAY
    LegalCopyright     : Copyright 1999-2006, Intel Corporation
    OriginalFilename   : IGFXTRAY.EXE

#:7 [hkcmd.exe]
    FilePath           : C:\Windows\System32\
    ProcessID          : 3820
    ThreadCreationTime : 7-7-2007 12:34:09 PM
    BasePriority       : Normal
    FileVersion        : 6.14.10.1114
    ProductVersion     : 6.14.10.1114
    ProductName        : Intel® Common User Interface
    CompanyName        : Intel Corporation
    FileDescription    : hkcmd Module
    InternalName       : HKCMD
    LegalCopyright     : Copyright 1999-2006, Intel Corporation
    OriginalFilename   : HKCMD.EXE

#:8 [igfxpers.exe]
    FilePath           : C:\Windows\System32\
    ProcessID          : 3940
    ThreadCreationTime : 7-7-2007 12:34:09 PM
    BasePriority       : Normal
    FileVersion        : 7.14.10.1114
    ProductVersion     : 7.14.10.1114
    ProductName        : Intel® Common User Interface
    CompanyName        : Intel Corporation
    FileDescription    : persistence Module
    InternalName       : PERSISTENCE
    LegalCopyright     : Copyright 1999-2006, Intel Corporation
    OriginalFilename   : IGFXPERS.EXE

#:9 [rundll32.exe]
    FilePath           : C:\Windows\System32\
    ProcessID          : 3832
    ThreadCreationTime : 7-7-2007 12:34:10 PM
    BasePriority       : Normal
    FileVersion        : 6.0.6000.16386 (vista_rtm.061101-2205)
    ProductVersion     : 6.0.6000.16386
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows host process (Rundll32)
    InternalName       : rundll
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : RUNDLL32.EXE.MUI

#:10 [lmanager.exe]
    FilePath           : C:\Program Files\Launch Manager\
    ProcessID          : 3460
    ThreadCreationTime : 7-7-2007 12:34:14 PM
    BasePriority       : Normal
    FileVersion        : 1, 0, 0, 1118
    ProductVersion     : 1, 0, 0, 1118
    ProductName        : Acer Launch Manager
    CompanyName        : Dritek System Inc.
    FileDescription    : Acer Launch Manager Keyboard Application
    InternalName       : Launch Manager
    LegalCopyright     : Copyright © 2001-2005 Dritek System Inc.
    OriginalFilename   : LManager.exe

#:11 [communications_helper.exe]
    FilePath           : C:\Program Files\Common Files\Logitech\LComMgr\
    ProcessID          : 1344
    ThreadCreationTime : 7-7-2007 12:34:14 PM
    BasePriority       : Normal
    FileVersion        : 1.4.0.1063
    ProductVersion     : 1.4.0.1063
    ProductName        : Acer
    CompanyName        : Acer Inc.
    FileDescription    : Communications Manager
    InternalName       : Communications_Helper.exe
    LegalCopyright     : © 1996-2007 Acer.  All rights reserved.
    OriginalFilename   : Communications_Helper.exe

#:12 [lvcomsx.exe]
    FilePath           : C:\Program Files\Common Files\Logitech\LComMgr\
    ProcessID          : 3760
    ThreadCreationTime : 7-7-2007 12:34:15 PM
    BasePriority       : Normal
    FileVersion        : 10.4.0.1315
    ProductVersion     : 10.4.0.1315
    ProductName        : Logitech
    CompanyName        : Logitech Inc.
    FileDescription    : LVCom Server
    InternalName       : LVComS.exe
    LegalCopyright     : © 1996-2007 Logitech.  All rights reserved.
    OriginalFilename   : LVComS.exe

#:13 [orbicam.exe]
    FilePath           : C:\Program Files\Acer\OrbiCam10\
    ProcessID          : 536
    ThreadCreationTime : 7-7-2007 12:34:15 PM
    BasePriority       : Normal


#:14 [jusched.exe]
    FilePath           : C:\Program Files\Java\jre1.6.0_01\bin\
    ProcessID          : 3352
    ThreadCreationTime : 7-7-2007 12:34:15 PM
    BasePriority       : Normal


#:15 [sdtrayapp.exe]
    FilePath           : C:\Program Files\Spyware Doctor\
    ProcessID          : 3964
    ThreadCreationTime : 7-7-2007 12:34:16 PM
    BasePriority       : Normal
    FileVersion        : 5.0.1.42
    ProductVersion     : 5.0
    CompanyName        : PC Tools
    FileDescription    : Spyware Doctor Tray
    LegalCopyright     : Copyright © 2007 PC Tools. All rights reserved.

#:16 [isuspm.exe]
    FilePath           : C:\Program Files\Common Files\InstallShield\UpdateService\
    ProcessID          : 3768
    ThreadCreationTime : 7-7-2007 12:34:17 PM
    BasePriority       : Normal
    FileVersion        : 6, 0, 100, 54472
    ProductVersion     : 6, 0
    ProductName        : Software Manager
    CompanyName        : Macrovision Corporation
    FileDescription    : Macrovision Software Manager
    InternalName       : ProgramManager
    LegalCopyright     : Copyright © 2005 Macrovision Corporation
    OriginalFilename   : ISUSPM.exe

#:17 [ehtray.exe]
    FilePath           : C:\Windows\ehome\
    ProcessID          : 2812
    ThreadCreationTime : 7-7-2007 12:34:17 PM
    BasePriority       : Normal
    FileVersion        : 6.0.6000.16386 (vista_rtm.061101-2205)
    ProductVersion     : 6.0.6000.16386
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Media Center Tray Applet
    InternalName       : ehtray.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : ehtray.exe

#:18 [sidebar.exe]
    FilePath           : C:\Program Files\Windows Sidebar\
    ProcessID          : 1124
    ThreadCreationTime : 7-7-2007 12:34:17 PM
    BasePriority       : Normal
    FileVersion        : 6.0.6000.16386 (vista_rtm.061101-2205)
    ProductVersion     : 1.0.6000.16386
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Sidebar
    InternalName       : Windows Sidebar
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : sidebar.EXE.MUI

#:19 [msnmsgr.exe]
    FilePath           : C:\Program Files\MSN Messenger\
    ProcessID          : 3896
    ThreadCreationTime : 7-7-2007 12:34:18 PM
    BasePriority       : Normal
    FileVersion        : 8.1.0178.00
    ProductVersion     : 8.1.0178
    ProductName        : Messenger
    CompanyName        : Microsoft Corporation
    FileDescription    : Messenger
    InternalName       : msnmsgr.exe
    LegalCopyright     : Copyright © Microsoft Corporation.  All rights reserved.
    OriginalFilename   : msnmsgr.exe

#:20 [enmtray.exe]
    FilePath           : C:\Acer\Empowering Technology\ENET\
    ProcessID          : 4120
    ThreadCreationTime : 7-7-2007 12:34:22 PM
    BasePriority       : Normal
    FileVersion        : 2, 6, 3, 1
    ProductVersion     : 2, 6, 3, 1
    ProductName        : Acer eNet Management
    CompanyName        : Acer Inc.
    FileDescription    : eNMTray
    InternalName       : eNMTray
    LegalCopyright     : Copyright © Acer Incorporated 2004 - 2006
    OriginalFilename   : eNMTray.exe

#:21 [epower_dmc.exe]
    FilePath           : C:\Acer\Empowering Technology\EPOWER\
    ProcessID          : 4228
    ThreadCreationTime : 7-7-2007 12:34:26 PM
    BasePriority       : Normal
    FileVersion        : 2, 5, 3005, 0
    ProductVersion     : 2, 5, 3005, 0
    ProductName        : Acer ePower Management
    CompanyName        : Acer Inc.
    FileDescription    : Acer ePower Management DMC
    InternalName       : ePower_DMC
    LegalCopyright     : Copyright © 2004 Acer Incorporated
    OriginalFilename   : ePower_DMC.exe

#:22 [acer.empowering.framework.supervisor.exe]
    FilePath           : C:\Acer\Empowering Technology\
    ProcessID          : 4260
    ThreadCreationTime : 7-7-2007 12:34:28 PM
    BasePriority       : Normal


#:23 [ehmsas.exe]
    FilePath           : C:\Windows\ehome\
    ProcessID          : 4292
    ThreadCreationTime : 7-7-2007 12:34:31 PM
    BasePriority       : Normal
    FileVersion        : 6.0.6000.16386 (vista_rtm.061101-2205)
    ProductVersion     : 6.0.6000.16386
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Media Center Media Status Aggregator Service
    InternalName       : eHMSAS.exe
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : ehMSAS.exe.mui

#:24 [eragent.exe]
    FilePath           : C:\Acer\Empowering Technology\eRecovery\
    ProcessID          : 4312
    ThreadCreationTime : 7-7-2007 12:34:31 PM
    BasePriority       : Normal
    FileVersion        : 2.5.4.0
    ProductVersion     : 2.5.4.0
    ProductName        : Acer eRecovery Management
    CompanyName        : Acer Inc.
    FileDescription    : eRecovery agent
    InternalName       : eRAgent.exe
    LegalCopyright     : Acer Inc 2006.  All rights reserved.
    OriginalFilename   : eRAgent.exe

#:25 [igfxext.exe]
    FilePath           : C:\Windows\system32\
    ProcessID          : 5156
    ThreadCreationTime : 7-7-2007 12:35:31 PM
    BasePriority       : Normal
    FileVersion        : 7.14.10.1114
    ProductVersion     : 7.14.10.1114
    ProductName        : Intel® Common User Interface
    CompanyName        : Intel Corporation
    FileDescription    : igfxext Module
    InternalName       : IGFXEXT
    LegalCopyright     : Copyright 1999-2006, Intel Corporation
    OriginalFilename   : IGFXEXT.EXE

#:26 [rtkbtmnt.exe]
    FilePath           : C:\Users\Carol\AppData\Local\Temp\
    ProcessID          : 5176
    ThreadCreationTime : 7-7-2007 12:35:31 PM
    BasePriority       : Normal
    FileVersion        : 1.0.0.8
    ProductVersion     : 1.0.0.8
    ProductName        : Realtek HD Audio Data Rerouter
    CompanyName        : Realtek Semiconductor Corp.
    FileDescription    : Realtek HD Audio Data Rerouter
    InternalName       : RtkBtMnt
    LegalCopyright     : 2006 © Realtek Semiconductor.  All rights reserved.
    OriginalFilename   : RtkBtMnt.exe

#:27 [igfxsrvc.exe]
    FilePath           : C:\Windows\system32\
    ProcessID          : 5212
    ThreadCreationTime : 7-7-2007 12:35:32 PM
    BasePriority       : Normal
    FileVersion        : 7.14.10.1114
    ProductVersion     : 7.14.10.1114
    ProductName        : Intel® Common User Interface
    CompanyName        : Intel Corporation
    FileDescription    : igfxsrvc Module
    InternalName       : IGFXSRVC
    LegalCopyright     : Copyright 1999-2006, Intel Corporation
    OriginalFilename   : IGFXSRVC.EXE

#:28 [msn.exe]
    FilePath           : C:\Program Files\MSN\MSNCoreFiles\
    ProcessID          : 3772
    ThreadCreationTime : 7-7-2007 12:36:28 PM
    BasePriority       : Normal
    FileVersion        : 9.50.0034.2000
    ProductVersion     : 9.50.0034.2000
    ProductName        : Microsoft® MSN ® Communications System
    CompanyName        : Microsoft Corporation
    FileDescription    : msn
    InternalName       : msn
    LegalCopyright     : Copyright © Microsoft Corp. 1981-2007
    OriginalFilename   : msn.exe

#:29 [explorer.exe]
    FilePath           : C:\Windows\
    ProcessID          : 5920
    ThreadCreationTime : 7-7-2007 3:24:35 PM
    BasePriority       : Normal
    FileVersion        : 6.0.6000.16386 (vista_rtm.061101-2205)
    ProductVersion     : 6.0.6000.16386
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : © Microsoft Corporation. All rights reserved.
    OriginalFilename   : EXPLORER.EXE.MUI

#:30 [ad-aware.exe]
    FilePath           : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID          : 988
    ThreadCreationTime : 7-7-2007 3:25:33 PM
    BasePriority       : Normal
    FileVersion        : 6.2.0.236
    ProductVersion     : SE 106
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName       : Ad-Aware.exe
    LegalCopyright     : Copyright © Lavasoft AB Sweden
    OriginalFilename   : Ad-Aware.exe
    Comments           : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

 

Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\Windows
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

 Win32.P2P-Worm.Alcan.a Object Recognized!
    Type               : File
    Data               : bszip.dll
    TAC Rating         : 8
    Category           : Worm
    Comment            :
    Object             : C:\Windows\system32\
    FileVersion        : 3.0.2.0
    ProductVersion     : 3.02
    ProductName        : BigSpeed Zip DLL
    CompanyName        : BigSpeedSoft
    InternalName       : bszip.dll
    LegalCopyright     : © BigSpeedSoft
    LegalTrademarks    : BigSpeed is a trademark of BigSpeedSoft
    OriginalFilename   : bszip.dll


Disk Scan Result for C:\Windows\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Disk Scan Result for C:\Users\Carol\AppData\Local\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Win32.P2P-Worm.Alcan.a Object Recognized!
    Type               : Regkey
    Data               :
    TAC Rating         : 8
    Category           : Worm
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object             : software\microsoft\downloadmanager

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 2

11:27:41 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:41.310
Objects scanned:101859
Objects identified:2
Objects ignored:0
New critical objects:2
Logged

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« Reply #3 on: July 07, 2007, 10:43:55 AM »
Guestolo-

Highjackthis scan attached-



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:04 AM, on 7/7/2007
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Acer\OrbiCam10\OrbiCam.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\igfxext.exe
C:\Users\Carol\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Windows\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\msfeedssync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [AcerOrbicamRibbon] "C:\Program Files\Acer\OrbiCam10\OrbiCam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\Windows\System32\QuickTime\QuickTimeUpdateHelper.exe"              -destfullpath "C:\Program Files\QuickTime\QuickTimeUpdater.exe" -sourcefullpath "C:\Program Files\QuickTime\QuickTimeUpdater.exe.new00"  -haspost -uninstallwithapps -atboottime "QuickTime Update Completion 0"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {00B28243-126B-4FFF-B346-6C3176E8296B} (Siebel Calendar) - https://wtiwebopt.axaonline.com/fins_enu/19...Ax_Calendar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - https://wtiwebopt.axaonline.com/fins_enu/19...x_HI_Client.cab
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11315 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win32.p2p-worm.alcon
« Reply #4 on: July 08, 2007, 11:05:11 AM »
Sorry for the delay
Are you fixing the entries with Ad-Aware?

They are not as critical as they appear
bszip.dll is a harmless file, you can delete it if you want

The other registry entry can be fixed with Adaware
It is harmless also if it has no value
Are you experiencing any problems?

I see you are disabling entries from running on startup, I assume with Windows Defender
Are you sure everything disabled is harmless

I don't have Vista yet, but I've played with it a few times
Can you do the following for me please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as export.bat

Save this file on the desktop

 
Code: [Select]
regedit /e Export.txt "HKEY_LOCAL_MACHINE\software\microsoft\downloadmanager"
Double click on export.bat>>Export.txt will appear on desktop
Copy>Paste back here the contents please
« Last Edit: July 08, 2007, 11:13:07 AM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« Reply #5 on: July 08, 2007, 12:07:16 PM »
Guestolo-

I am able to quarantine them with Ad-aware, but not delete them. When I try to delete , ad-aware freezes. When I scan again they are still there so I don't think it's letting me delete.

The problem I have is that my internet will stop working and all programs on computer will close. (internet windows and MS word for example) unless you think this could be caused by another issue.

I don't know what bszip.dll or other registry item is...I apologize for my lack of knowledge!!!

I am not sure if everything disabled is harmless. From day one the computer has blocked the programs. I have
not made any changes, with my extensive computer knowledge (hmmm) I thought it best to leave well enough alone!

I am running spyware doctor right now and it shows 1,742 infections (worm.alcra.f) , should I be concerned?!

I followed your directions but when I double click on export.bat on desktop,Vista asks permission to continue...I say ok and it closes the file.... !  

Help!

ps-  thanks for your patience!

Carol
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win32.p2p-worm.alcon
« Reply #6 on: July 08, 2007, 12:29:23 PM »
After the scan with SpywareDoctor

Can you disable these protections
deactivate Spyware Doctor's OnGuard Tools

1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".

Window's Defender
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After you have done that
Can you create a new folder in your C:\ folder
Right click in the C:\folder and select NEW>>FOLDER
Call it BFU

Download and save [color=\"red\"]Brute Force Uninstaller[/color][/b] to the desktop
Right click on it and use Winzip to extract the contents to the C:\BFU folder

[color=\"red\"]RIGHT-CLICK HERE[/color][/b] and choose "Save As" (in IE it's "Save Target As") in order to download [color=\"red\"]Alcan worm remover[/color].
Save it to the
same folder you made earlier (C:\BFU).

Can you navigate to the C:\BFU folder
Ensure that you have Bfu.exe and alcanshorty.bfu
Ensure that alcanshorty.bfu does not also have a .txt entension, if it does right click on it and rename it too exactly
alcanshorty.bfu
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Next to the scriptline to execute field click the folder icon
    and select alcanshorty.bfu
  • Press Execute and let it do it's job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot the computer

Come back here and post a fresh hijackthis log
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« Reply #7 on: July 08, 2007, 06:52:40 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:48 PM, on 7/8/2007
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [AcerOrbicamRibbon] "C:\Program Files\Acer\OrbiCam10\OrbiCam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\Windows\System32\QuickTime\QuickTimeUpdateHelper.exe"              -destfullpath "C:\Program Files\QuickTime\QuickTimeUpdater.exe" -sourcefullpath "C:\Program Files\QuickTime\QuickTimeUpdater.exe.new00"  -haspost -uninstallwithapps -atboottime "QuickTime Update Completion 0"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {00B28243-126B-4FFF-B346-6C3176E8296B} (Siebel Calendar) - https://wtiwebopt.axaonline.com/fins_enu/19...Ax_Calendar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - https://wtiwebopt.axaonline.com/fins_enu/19...x_HI_Client.cab
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8907 bytes

Computer keeps shutting off, had to run in safe mode. Am in safe mode while sending this.
Thanks-Carol
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win32.p2p-worm.alcon
« Reply #8 on: July 08, 2007, 07:01:04 PM »
I don't suggest that you run in Safe mode with Network support too long
After you run alcanshorty in safe mode then

Boot back into Normal Windows and post a fresh log

See if things are a bit back to Normal
« Last Edit: July 08, 2007, 07:01:41 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« Reply #9 on: July 08, 2007, 07:15:27 PM »
I ran alcanshorty in safe mode. That is the log I attached.
My computer won't stay on now unless in safe mode.  (I am sending this from my desktop computer, laptop is having the issues.)

Thanks- C
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win32.p2p-worm.alcon
« Reply #10 on: July 08, 2007, 07:26:06 PM »
One thing I noticed and I never thought of before
You must really be careful in what programs you install when running Vista
Not all are compatible with Vista yet

Take a look at this link related to Ad-Aware 2007
http://www.lavasoftusa.com/support/faq_aaw2007.php#4

I assume that if the newest version of Ad-Aware isn't Vista ready
I doubt the older version is
I would try and uninstall it from safe mode

Being able to run in safe mode and not normal windows tells me some other software may be having issues also
Anything else you recently installed?
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« Reply #11 on: July 08, 2007, 07:38:37 PM »
I didn't even think about compatibility issues because of Vista. In the last couple days I downloaded Spyware Doctor and Winzip 11.1.  

Thanks C

ps-  not lovin Vista
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win32.p2p-worm.alcon
« Reply #12 on: July 08, 2007, 07:44:05 PM »
Can you not get to Normal windows since running Alcanshorty?
Or were you having problems earlier?

Edit>>Or it could be that Ad-Aware is trying to work in Normal mode and keeps causing the computer to reboot?
« Last Edit: July 08, 2007, 07:58:12 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« Reply #13 on: July 08, 2007, 07:57:11 PM »
[quote name=\'guestolo\' post=\'353109\' date=\'Jul 8 2007, 07:44 PM\']Can you not get to Normal windows since running Alcanshorty?
Or were you having problems earlier?[/quote]



I was running Spyware Doctor when I had to leave the house. When I returned my computer was off.
I rebooted to read your reply and while I was trying to print your instructions, it turned off.
 
I couldn't get the computer to stay on long enough to run Alcanshorty in regular mode, so I ran it in Safe Mode. I also ran ad-aware afterward in safe mode and the alcan worm (2) came up, but it did allow me to delete it.

~~C
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win32.p2p-worm.alcon
« Reply #14 on: July 08, 2007, 08:03:01 PM »
Let's try the following

Press the Windows + R keystrokes to open the Run command.

Type msconfig and click OK.

Under the STARTUP tab, disable everything
Under the Services tab, check to Hide all Microsoft services
Then disable all other services

Apply it
When prompted to reboot, try rebooting back to Normal Windows

Any luck?
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« Reply #15 on: July 08, 2007, 08:14:07 PM »
The computer is still on (yeah!)...so far so good.
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win32.p2p-worm.alcon
« Reply #16 on: July 08, 2007, 08:15:53 PM »
I'm just going for a bite to eat, but I'll check in later
Now can you go back to msconfig
Reenable everything, But DO NOT reboot the computer

Instead run hijackthis again
come back here and post a fresh hijackthis log
« Last Edit: July 08, 2007, 08:16:21 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« Reply #17 on: July 08, 2007, 08:25:28 PM »
Computer still on... I'm on it right now... hijackthis scan below ~~~ C

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:48 PM, on 7/8/2007
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir....&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [AcerOrbicamRibbon] "C:\Program Files\Acer\OrbiCam10\OrbiCam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Update Completion 0] "C:\Windows\System32\QuickTime\QuickTimeUpdateHelper.exe"              -destfullpath "C:\Program Files\QuickTime\QuickTimeUpdater.exe" -sourcefullpath "C:\Program Files\QuickTime\QuickTimeUpdater.exe.new00"  -haspost -uninstallwithapps -atboottime "QuickTime Update Completion 0"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {00B28243-126B-4FFF-B346-6C3176E8296B} (Siebel Calendar) - https://wtiwebopt.axaonline.com/fins_enu/19...Ax_Calendar.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DE2C7216-C882-400E-BB47-EBB90237CAD1} (Siebel High Interactivity Framework) - https://wtiwebopt.axaonline.com/fins_enu/19...x_HI_Client.cab
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8907 bytes
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
win32.p2p-worm.alcon
« Reply #18 on: July 08, 2007, 08:28:43 PM »
You posted an old Hijackthis log
Please do my last steps
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline cdipirro

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
    • View Profile
win32.p2p-worm.alcon
« Reply #19 on: July 08, 2007, 08:33:45 PM »
I enabled all again and scanned. When the scan is finished the notepad popped up and I select all, copy and paste.  I thought it was
old but when I did it again , I got the same scan on notepad. What am I doing wrong?  ~ C

ps- enjoy your dinner http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Logged
Pages: [1] 2
« previous next »