This is in restore folder

wendiau · February 22, 2006

Scan Results: Virus Infection Found

Our scan of 33627 files found these viruses:

The W32/Alcan.A.worm Virus was found in file C:\_RESTORE\ARCHIVE\FS65.CAB

DISINFECT IMMEDIATELY!

Ok this is what i have after the panda scan....

Can anyone help me get rid of it...

Thanks

Wendi

**Wademan** · February 22, 2006

Scan Results: Virus Infection Found

Our scan of 33627 files found these viruses:

The W32/Alcan.A.worm Virus was found in file C:\_RESTORE\ARCHIVE\FS65.CAB

DISINFECT IMMEDIATELY!

Ok this is what i have after the panda scan....

Can anyone help me get rid of it...

Thanks

Wendi

Hi wendi, ya need to turn off sytem restore, the virus is "hidding" in there, it "should" remove it by simply turning off system restore an re-enableing it, keep in mind ALL previous restore points will be gone....but when virus hides there, its only sure way to remove it,...if it somehow comes back, turn off system restore an scan with it off, av "should" kill it, but I think simply disableing, an re-enableing sys restore should remove it...good luck

Edit: If this doesnt work, ya may need to use hjt an post log THERE, as i was reading some had to use HJT to remove it, but try the above first Edited February 22, 2006 by Wademan

wendiau · February 22, 2006

Hi wendi, ya need to turn off sytem restore, the virus is "hidding" in there, it "should" remove it by simply turning off system restore an re-enableing it, keep in mind ALL previous restore points will be gone....but when virus hides there, its only sure way to remove it,...if it somehow comes back, turn off system restore an scan with it off, av "should" kill it, but I think simply disableing, an re-enableing sys restore should remove it...good luck

Thanks Wade.....will do a scan in safemode while sys rest..is off too...

Hopefully will fix it

Thanks again

Wendi

**Wademan** · February 22, 2006

Thanks Wade.....will do a scan in safemode while sys rest..is off too...

Hopefully will fix it

Thanks again

Wendi

YW, btw this worm seams to come from peer to peer file sharing ya use those?.. I wouldnt advise myself using them, tons of virus's come from using those file sharing programs... let us know how ya make out wendi,

wendiau · February 22, 2006

YW, btw this worm seams to come from peer to peer file sharing ya use those?.. I wouldnt advise myself using them, tons of virus's come from using those file sharing programs... let us know how ya make out wendi,

Hi Wade.....I did what you suggested.....then rescanned with panda and avg....all clear....but!

now my desktop is all different...example....my windows med player icon is notepad?

All the main ones on desktop have changed too....

I have silent runners...and did a scan.....this is what came up.....

Not sure now what to do..

Wendi

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/

Operating System: Windows Me (Millennium Edition)

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]

"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]

"SystemTray" = "SysTray.Exe" [MS]

"S3apphk" = "S3apphk.exe" [null data]

"Desktop Service Centre" = "C:\Program Files\OptusNet DSL Internet\DSC.exe" ["OptusNet"]

"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]

"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]

"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]

"EnsoniqMixer" = "starter.exe" ["Creative Technology, Ltd."]

"Line Speed Meter V3.0" = "C:\PROGRAM FILES\TCPIQ\LINE SPEED METER\LineSpeedMeter.exe -minimized" [file not found]

"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

"Hidserv" = "Hidserv.exe run" [MS]

"Ulead AutoDetector" = "C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" ["Ulead Systems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}

"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]

"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]

"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Active Setup\Installed Components\

PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"

\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS]

"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ICQ\ICQSHEXT.DLL" ["ICQ"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\nero\neroshx.dll" ["Ahead Software AG"]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Active Desktop and Wallpaper:

-----------------------------

Active Desktop is enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Windows Me.htm"

WIN.INI & SYSTEM.INI launch points:

-----------------------------------

SYSTEM.INI

[boot]

"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR" (3D Flower Box.scr) [MS]

Enabled Scheduled Tasks:

------------------------

"Tune-up Application Start" -> launches: "walign" [MS]

"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]

"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]

"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]

"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]

Winsock2 Service Provider DLLs:

-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:

C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1

C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4

C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:

------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Miscellaneous IE Hijack Points

------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):

[strings]: START_PAGE_URL=http://dsl.optusnet.com.au/

[strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"

Missing lines (compared with English-language version):

[strings]: 2 lines

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 23 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

took 18 seconds.

---------- (total run time: 69 seconds)

**Jacee** · February 22, 2006

I don't know if this will work for you Wendi, but try it any way:

Go to Display properties and click the desktop tab.

Click the Customize Desktop Button.

Click the Web tab and remove the checkmark from the the Lock Desktop Items box.

Apply.

Apply and Exit Display properties.

In display Properties > Desktop

Choose a new background color and picture. Apply.

Close Display properties. If you need to, click the desktop and press F5 to

refresh.

**Jacee** · February 22, 2006

If that doesn't work, please tell me what program you used to get rid of W32/Alcan.A.worm

wendiau · February 22, 2006

If that doesn't work, please tell me what program you used to get rid of W32/Alcan.A.worm

Hi Jacee nice to see you

ok...I changed the icons and refreshed...they are back to normal now...

All I did to remove worm...was disable restore.....then went to safe mode and scanned then enabled sys restore again....rebooted normally..scanned again...looks all clear...I hope

Thanks for your help

Wendi

wendiau · February 22, 2006

If that doesn't work, please tell me what program you used to get rid of W32/Alcan.A.worm

Hi Jacee nice to see you

ok...I changed the icons and refreshed...they are back to normal now...

All I did to remove worm...was disable restore.....then went to safe mode and scanned then enabled sys restore again....rebooted normally..scanned again...looks all clear...I hope

Thanks for your help

Wendi

**Wademan** · February 22, 2006

Hi Jacee nice to see you

ok...I changed the icons and refreshed...they are back to normal now...

All I did to remove worm...was disable restore.....then went to safe mode and scanned then enabled sys restore again....rebooted normally..scanned again...looks all clear...I hope

Thanks for your help

Wendi

Wendi...Good work, told ya system restore hid that virus, an jacee..well super smart an all, lol...ya ok now? ..id advise being MORE secure...always keep av , anti spyware FULLY updated,....ya have MVPS host file?....I just trying to help.....from what i been thru....here read>>> http://www.mvps.org/winhelp2002/hosts.htm any questions I WILL respound...

btw keep ewido on board FREE super malware scanner>> http://www.ewido.net/en/download/ UPDATE ...FIRST an scan....ewdio has helped me over 10 times....

wendiau · February 22, 2006

Wendi...Good work, told ya system restore hid that virus, an jacee..well super smart an all, lol...ya ok now? ..id advise being MORE secure...always keep av , anti spyware FULLY updated,....ya have MVPS host file?....I just trying to help.....from what i been thru....here read>>> http://www.mvps.org/winhelp2002/hosts.htm any questions I WILL respound... btw keep ewido on board FREE super malware scanner>> http://www.ewido.net/en/download/ UPDATE ...FIRST an scan....ewdio has helped me over 10 times....

Hi Wade....hey thanks for your help....

I cant run edwido as i run windows me...i have avg adaware zonealarm all running on my comp.

I have a couple of issues...

My icons (on desktop and in folders) are acting a little weird.....(changing icons and colours)and monitor is blinking off and on its a new monitor..all leads are ok......it doesnt do it all the time.....

I have a post in user to user....

Any imput will be greatful

Thanks

Wendi

**Wademan** · February 23, 2006

Hi Wade....hey thanks for your help....

I cant run edwido as i run windows me...i have avg adaware zonealarm all running on my comp.

I have a couple of issues...

My icons (on desktop and in folders) are acting a little weird.....(changing icons and colours)and monitor is blinking off and on its a new monitor..all leads are ok......it doesnt do it all the time.....

I have a post in user to user....

Any imput will be greatful

Thanks

Wendi

How old is pc? is it under warranty? if so call tech support for this.. or if monitor is new as you say in your other post, call its tech support... also your tech express link is invalid, can ya post a NEW, an Up todate Tech Express link?

wendiau · February 23, 2006

How old is pc? is it under warranty? if so call tech support for this.. or if monitor is new as you say in your other post, call its tech support... also your tech express link is invalid, can ya post a NEW, an Up todate Tech Express link?

TechExpress link for your current results:

http://www.pcpitstop.com/techexpress.asp?id=T78R0WN4QSCS0SVR

Hey Wade...ok PC is old...

monitor is new......i have the drivers here somewhere..lol will find them and re-install them...

Please don;t tell me it's PC

Regards

Wendi

**Wademan** · February 23, 2006

TechExpress link for your current results:

http://www.pcpitstop.com/techexpress.asp?id=T78R0WN4QSCS0SVR

Hey Wade...ok PC is old...

monitor is new......i have the drivers here somewhere..lol will find them and re-install them...

Please don;t tell me it's PC

Regards

Wendi

Hi Wendi,

Ya test looks ok, all i see is some disk fragmentation ( 3% ) an hard drive has only 43% space left, ya ever use good junk cleaners to clean up things? like CCleaner? i doubt this would fix ya weird icon colors etc. though still would clean up pc well using free program like ccleaner, an defrag in safe mode. i dont know why ya pc has icons doing what ya say there doing, i see ya posted a hjt log in the hjt forum, i dont see anything, but iam not an expert in that yet. here is ccleaner in case ya dont have it>> http://www.ccleaner.com/ good luck wendi

Edited February 23, 2006 by Wademan

Sign In

This is in restore folder

Recommended Posts

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in