wendiau (Posted February 22, 2006)

Scan Results: Virus Infection Found
Our scan of 33627 files found these viruses:
The W32/Alcan.A.worm Virus was found in file C:\_RESTORE\ARCHIVE\FS65.CAB
DISINFECT IMMEDIATELY!

Ok this is what I have after the panda scan.... Can anyone help me get rid of it...

Thanks
Wendi

Wademan (Posted February 22, 2006, edited)

> Scan Results: Virus Infection Found
> Our scan of 33627 files found these viruses:
> The W32/Alcan.A.worm Virus was found in file C:\_RESTORE\ARCHIVE\FS65.CAB
> DISINFECT IMMEDIATELY!
>
> Ok this is what I have after the panda scan.... Can anyone help me get rid of it...
>
> Thanks
> Wendi

Hi wendi, ya need to turn off system restore, the virus is "hiding" in there, it "should" remove it by simply turning off system restore an re-enabling it, keep in mind ALL previous restore points will be gone....but when virus hides there, it's only sure way to remove it,...if it somehow comes back, turn off system restore an scan with it off, av "should" kill it, but I think simply disabling, an re-enabling sys restore should remove it...good luck

Edit: If this doesn't work, ya may need to use hjt an post log THERE, as I was reading some had to use HJT to remove it, but try the above first

Edited February 22, 2006 by Wademan

wendiau (Posted February 22, 2006)

> Hi wendi, ya need to turn off system restore, the virus is "hiding" in there, it "should" remove it by simply turning off system restore an re-enabling it, keep in mind ALL previous restore points will be gone....but when virus hides there, it's only sure way to remove it,...if it somehow comes back, turn off system restore an scan with it off, av "should" kill it, but I think simply disabling, an re-enabling sys restore should remove it...good luck

Thanks Wade.....will do a scan in safemode while sys rest..is off too... Hopefully will fix it

Thanks again
Wendi

Wademan (Posted February 22, 2006)

> Thanks Wade.....will do a scan in safemode while sys rest..is off too... Hopefully will fix it
>
> Thanks again
> Wendi

YW, btw this worm seems to come from peer to peer file sharing ya use those?.. I wouldn't advise myself using them, tons of viruses come from using those file sharing programs... let us know how ya make out wendi,

wendiau (Posted February 22, 2006)

> YW, btw this worm seems to come from peer to peer file sharing ya use those?.. I wouldn't advise myself using them, tons of viruses come from using those file sharing programs... let us know how ya make out wendi,

Hi Wade.....I did what you suggested.....then rescanned with panda and avg....all clear....but! now my desktop is all different...example....my windows med player icon is notepad? All the main ones on desktop have changed too....

I have silent runners...and did a scan.....this is what came up..... Not sure now what to do..

Wendi

Jacee (Posted February 22, 2006)

I don't know if this will work for you Wendi, but try it any way:

Go to Display properties and click the desktop tab.
Click the Customize Desktop Button.
Click the Web tab and remove the checkmark from the Lock Desktop Items box.
Apply.
Apply and Exit Display properties.
In display Properties > Desktop
Choose a new background color and picture.
Apply.
Close Display properties.
If you need to, click the desktop and press F5 to refresh.

Jacee (Posted February 22, 2006)

If that doesn't work, please tell me what program you used to get rid of W32/Alcan.A.worm

wendiau (Posted February 22, 2006)

> If that doesn't work, please tell me what program you used to get rid of W32/Alcan.A.worm

Hi Jacee nice to see you ok...I changed the icons and refreshed...they are back to normal now...

All I did to remove worm...was disable restore.....then went to safe mode and scanned then enabled sys restore again....rebooted normally..scanned again...looks all clear...I hope

Thanks for your help
Wendi

Wademan (Posted February 22, 2006)

> Hi Jacee nice to see you ok...I changed the icons and refreshed...they are back to normal now...
>
> All I did to remove worm...was disable restore.....then went to safe mode and scanned then enabled sys restore again....rebooted normally..scanned again...looks all clear...I hope
>
> Thanks for your help
> Wendi

Wendi...Good work, told ya system restore hid that virus, an jacee..well super smart an all, lol...ya ok now? ..I'd advise being MORE secure...always keep av, anti spyware FULLY updated,....ya have MVPS host file?....I just trying to help.....from what I been thru....here read>>> http://www.mvps.org/winhelp2002/hosts.htm any questions I WILL respond...

btw keep ewido on board FREE super malware scanner>> http://www.ewido.net/en/download/ UPDATE ...FIRST an scan....ewido has helped me over 10 times....

wendiau (Posted February 22, 2006)

> Wendi...Good work, told ya system restore hid that virus, an jacee..well super smart an all, lol...ya ok now? ..I'd advise being MORE secure...always keep av, anti spyware FULLY updated,....ya have MVPS host file?....I just trying to help.....from what I been thru....here read>>> http://www.mvps.org/winhelp2002/hosts.htm any questions I WILL respond...
>
> btw keep ewido on board FREE super malware scanner>> http://www.ewido.net/en/download/ UPDATE ...FIRST an scan....ewido has helped me over 10 times....

Hi Wade....hey thanks for your help.... I can't run ewido as I run windows me...I have avg adaware zonealarm all running on my comp.

I have a couple of issues... My icons (on desktop and in folders) are acting a little weird.....(changing icons and colours) and monitor is blinking off and on, it's a new monitor..all leads are ok......it doesn't do it all the time..... I have a post in user to user.... Any input will be grateful

Thanks
Wendi

Wademan (Posted February 23, 2006)

> Hi Wade....hey thanks for your help.... I can't run ewido as I run windows me...I have avg adaware zonealarm all running on my comp.
>
> I have a couple of issues... My icons (on desktop and in folders) are acting a little weird.....(changing icons and colours) and monitor is blinking off and on, it's a new monitor..all leads are ok......it doesn't do it all the time..... I have a post in user to user.... Any input will be grateful
>
> Thanks
> Wendi

How old is pc? is it under warranty? if so call tech support for this.. or if monitor is new as you say in your other post, call its tech support... also your tech express link is invalid, can ya post a NEW, an up to date Tech Express link?

wendiau (Posted February 23, 2006)

> How old is pc? is it under warranty? if so call tech support for this.. or if monitor is new as you say in your other post, call its tech support... also your tech express link is invalid, can ya post a NEW, an up to date Tech Express link?

TechExpress link for your current results: http://www.pcpitstop.com/techexpress.asp?id=T78R0WN4QSCS0SVR

Hey Wade...ok PC is old... monitor is new......I have the drivers here somewhere..lol will find them and re-install them... Please don't tell me it's PC

Regards
Wendi

Wademan (Posted February 23, 2006, edited)

> TechExpress link for your current results: http://www.pcpitstop.com/techexpress.asp?id=T78R0WN4QSCS0SVR
>
> Hey Wade...ok PC is old... monitor is new......I have the drivers here somewhere..lol will find them and re-install them... Please don't tell me it's PC
>
> Regards
> Wendi

Hi Wendi, ya test looks ok, all I see is some disk fragmentation ( 3% ) an hard drive has only 43% space left, ya ever use good junk cleaners to clean up things? like CCleaner? I doubt this would fix ya weird icon colors etc. though still would clean up pc well using free program like ccleaner, an defrag in safe mode. I don't know why ya pc has icons doing what ya say they're doing, I see ya posted a hjt log in the hjt forum, I don't see anything, but I am not an expert in that yet. here is ccleaner in case ya don't have it>> http://www.ccleaner.com/ good luck wendi

Edited February 23, 2006 by Wademan