How Do I Remove Worm/VB.CC?

mikmik
edited May 2006 in Spyware & Virus Removal
Hey, every now and then avg resident shield i think it is comes up with virus detected but it says it cant do anything to get rid of it or heal it etc. I have to keep clicking ignore untill it eventually goes away. It is really annoying the hell outa me and i wanna get rid of it but dont know how to as none of my anti-spyware/virus programs can find it. any help would be hugely appreciated..
cheers
mik

Comments

  • Shaba
    edited May 2006
    Hi mik.

    Please post a HijackThis log, instructions are here
    (step 7)
  • mikmik
    edited May 2006
    Ok cool..downloaded the programs and did scans etc..here is my hjt log.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:22:51 PM, on 11/05/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.revolutionstudiostore.com/xxxstyle
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2520BA45-3D97-4864-82FF-F47F951727BA} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {9B053E00-78D3-47AE-B763-60FF36FF2886} - (no file)
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1E1FCC9B-A1F9-4A7C-B20B-B10771549AE7}: NameServer = 203.49.70.20 139.134.2.190
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1E1FCC9B-A1F9-4A7C-B20B-B10771549AE7}: NameServer = 203.49.70.20 139.134.2.190
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • Shaba
    edited May 2006
    That doesn't look so bad :)

    Fix with HjT (open HijackThis, click do a system scan only, checkmark these and press fix checked):


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.revolutionstudiostore.com/xxxstyle
    O2 - BHO: (no name) - {2520BA45-3D97-4864-82FF-F47F951727BA} - (no file)
    O2 - BHO: (no name) - {9B053E00-78D3-47AE-B763-60FF36FF2886} - (no file)
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    Please download ewido anti malware it is a free version of the program -> http://www.ewido.net/en/download/

    1. Install ewido security suite
    2. When installing, under "Additional Options" uncheck..
    * Install background guard
    * Install scan via context menu
    3. Launch ewido, there should be an icon on your desktop, double-click it.
    4. The program will now open to the main screen.
    5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    6. You will need to update ewido to the latest definition files.
    * On the left hand side of the main screen click update.
    * Then click on Start Update.
    7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")

    If you are having problems with the updater, you can use this link to manually update ewido.
    ewido manual updates -> http://www.ewido.net/en/download/updates/

    Once the updates are installed do the following:

    Reboot your computer in SafeMode by doing the following:

    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.


    then launch ewido:

    * Click on scanner
    * Click on Complete System Scan and the scan will begin.
    * You will be prompted to clean the first infection.
    * Select "Perform action on all infections", then proceed.
    * Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    * Click Save report.
    * Save the report .txt file to your desktop or a location where you can find it easily.

    Close ewido security suite.

    Reboot back to normal mode

    Update your java:

    Click Start -> Control Panel and doubleclick Java-icon (coffee cup).
    Go to "Update" - tab . Update your Java by clicking "Update Now" and then reboot.
    If you are unable to perform an automatic update, please download Java from this address:


    http://www.java.com/en/download/manual.jsp


    After reboot, go back to Control Panel and Java.
    In Temporary Internet Files, click Delete Files-button.
    Make sure that all these three options are checkmarked:


    Downloaded Applets
    Downloaded Applications
    Other Files


    Click OK in "Delete Temporary Internet Files" window.

    After that, you can uninstall older version of Java via Add/remove programs in Control Panel

    It should look like this:
    Java 2 Runtime Environment, SE v1.5.0_03

    Send a fresh HjT log along with ewido report.
  • mikmik
    edited May 2006
    Hey, thanx heaps for the help. Ive done what you asked and here is my hjt log.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:09:43 PM, on 11/05/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Now heres my ewido report while i was in safe mode.
    ewido anti-malware - Scan report

    + Created on: 7:31:01 PM, 11/05/2006
    + Report-Checksum: 47462474

    + Scan result:

    HKLM\SOFTWARE\Classes\Interface\{06CA2DA3-3A44-4FC7-8FD9-246C0F53407C} -> Adware.CoolWebSearch : Cleaned with backup
    C:\adj.exe -> Downloader.Tiny.bw : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@bigpond.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Program Files\TrustIn Bar\trustin.dll -> Adware.Azesearch : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\loader2.exe -> Adware.Azesearch : Cleaned with backup
    C:\WINDOWS\system32\ticads.exe -> Adware.Azesearch : Cleaned with backup
    C:\WINDOWS\system32\ticont.dll -> Adware.Azesearch : Cleaned with backup
    C:\WINDOWS\system32\tisa.dll -> Adware.Azesearch : Cleaned with backup
    C:\WINDOWS\system32\ttu.exe -> Adware.Azesearch : Cleaned with backup
    C:\WINDOWS\system32\tu.exe -> Adware.Azesearch : Cleaned with backup


    ::Report End

    Cheers
  • Shaba
    edited May 2006
    That looks good :) Do you still have problems with Worm/VB.CC?
  • mikmik
    edited May 2006
    I dont think so...but it only happens every couple of hours or so...so ill keep an eye out for it but yeah hopefully its all good. Thanks heaps for that! much appriciated..ill let ya know if i have any other problems.
    cheers
    mik
  • mikmik
    edited May 2006
    hey...it came back to haunt me again lol...I dont know what it is but yeah it came up with the same thing Virus detected says its called Win32.Alcan.D or something..do you know what it could be why it still came back?
    thanx mik
  • Shaba
    edited May 2006
    Hi mik.

    Let's do an online scan next:

    Please run this online scan:

    Panda ActiveScan
    • Once you are on the Panda site, click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on Local Disks to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report, along with a new HijackThis Log
  • mikmik
    edited May 2006
    aye man..cheers for the help..sorry ive taken so long just havent been able to get around to it.

    Heres my panda scan report:


    Incident Status Location

    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.sensismediasmart.com[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bs.serving-sys[1].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[2].txt
    Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@landing.domainsponsor[1].txt
    Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revenue[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[1].txt
    Security Risk:HackTool/Gendel.A Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\Weird ****\Misc\Shrink\DVDShrink\setup\gendel32.ex_
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\Cookies\compaq_owner@ad.sensismediasmart.com[1].txt


    Heres my hjt log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:36:14 PM, on 15/05/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1E1FCC9B-A1F9-4A7C-B20B-B10771549AE7}: NameServer = 203.49.70.20 139.134.2.190
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1E1FCC9B-A1F9-4A7C-B20B-B10771549AE7}: NameServer = 203.49.70.20 139.134.2.190
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • Shaba
    edited May 2006
    Logs are clean. Can you tell me where that Alcan.D is located?
  • mikmik
    edited May 2006
    umm When it came up it said "Virus Detected...While Opening: C:\System Volume Information\_restore {52a8467F-12D1-4672-A3BB-55910C386EF6}\RP132\A0033145.exe"

    Yeah it comes up as Win32.Alcan.D

    cheers
  • Shaba
    edited May 2006
    Ok, that's in your system restore :)

    See this guide for how to disable and re-enable system restore ->
    http://www.bleepingcomputer.com/forums/tutorial56.html

    Disable system restore, then boot and re-enable it. Virus will be deleted then.

    WARNING: By disabling system restore you will delete all stored restore points.
  • mikmik
    edited May 2006
    Ok...alls i did was went into the system restore section..turned the system restore off then back on again...is that all i have to do?
  • Shaba
    edited May 2006
    If you rebooted after you disabled system restore, then everything should be ok :) You can always scan with AVG to find out if it finds it again.
  • mikmik
    edited May 2006
    Yerp i did it again and rebooted after i disabled it...it should be all good now hopefully..cheers heaps for the help its much appreciated. I should be right but it does come back ill be back here hehe...anyways thanx for your help
    cya later
    mik
  • Shaba
    edited May 2006
    You're welcome :)

    Here are also few good tips:

    Follow these simple steps in order to keep your computer clean and secure:
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
    • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    Here are some additional utilities that will enhance your safety
    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software

    Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

    Happy surfing and stay clean!
Sign In or Register to comment.