wendiau

This is in restore folder


Scan Results: Virus Infection Found

Our scan of 33627 files found these viruses:

The W32/Alcan.A.worm Virus was found in file C:\_RESTORE\ARCHIVE\FS65.CAB

 

DISINFECT IMMEDIATELY!

 

Ok this is what i have after the panda scan....

Can anyone help me get rid of it...

Thanks

Wendi


Hi wendi, ya need to turn off system restore, the virus is "hiding" in there, it "should" remove it by simply turning off system restore an re-enabling it, keep in mind ALL previous restore points will be gone....but when virus hides there, it's only sure way to remove it,...if it somehow comes back, turn off system restore an scan with it off, av "should" kill it, but I think simply disabling, an re-enabling sys restore should remove it...good luck ;)

Edit: If this doesn't work, ya may need to use hjt an post log THERE, as i was reading some had to use HJT to remove it, but try the above first

Edited by Wademan


Thanks Wade.....will do a scan in safemode while sys rest..is off too...

 

Hopefully will fix it :)

Thanks again

Wendi


YW, btw this worm seems to come from peer to peer file sharing, ya use those?.. I wouldn't advise myself using them, tons of viruses come from using those file sharing programs... let us know how ya make out wendi, ;)


Hi Wade.....I did what you suggested.....then rescanned with panda and avg....all clear....but!

now my desktop is all different...example....my windows med player icon is notepad?

All the main ones on desktop have changed too....

I have silent runners...and did a scan.....this is what came up.....

 

Not sure now what to do..

Wendi

 

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/

Operating System: Windows Me (Millennium Edition)

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]

"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]

"SystemTray" = "SysTray.Exe" [MS]

"S3apphk" = "S3apphk.exe" [null data]

"Desktop Service Centre" = "C:\Program Files\OptusNet DSL Internet\DSC.exe" ["OptusNet"]

"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]

"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]

"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]

"EnsoniqMixer" = "starter.exe" ["Creative Technology, Ltd."]

"Line Speed Meter V3.0" = "C:\PROGRAM FILES\TCPIQ\LINE SPEED METER\LineSpeedMeter.exe -minimized" [file not found]

"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]

"Hidserv" = "Hidserv.exe run" [MS]

"Ulead AutoDetector" = "C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe" ["Ulead Systems, Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}

"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]

"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]

"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]

 

HKLM\Software\Microsoft\Active Setup\Installed Components\

PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"

\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\msohev.dll" [MS]

"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ICQ\ICQSHEXT.DLL" ["ICQ"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\nero\neroshx.dll" ["Ahead Software AG"]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

 

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

 

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop is enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Windows Me.htm"

 

 

WIN.INI & SYSTEM.INI launch points:

-----------------------------------

 

SYSTEM.INI

[boot]

"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR" (3D Flower Box.scr) [MS]

 

 

Enabled Scheduled Tasks:

------------------------

 

"Tune-up Application Start" -> launches: "walign" [MS]

"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]

"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]

"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]

"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

 

Transport Service Providers

 

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:

C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1

C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4

C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

 

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

 

Added lines (compared with English-language version):

[strings]: START_PAGE_URL=http://dsl.optusnet.com.au/

[strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome"

 

Missing lines (compared with English-language version):

[strings]: 2 lines

 

 

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 23 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

took 18 seconds.

---------- (total run time: 69 seconds)


I don't know if this will work for you Wendi, but try it any way:

 

Go to Display properties and click the desktop tab.

 

Click the Customize Desktop Button.

 

Click the Web tab and remove the checkmark from the Lock Desktop Items box.

Apply.

Apply and Exit Display properties.

 

In display Properties > Desktop

Choose a new background color and picture. Apply.

 

Close Display properties. If you need to, click the desktop and press F5 to

refresh.


If that doesn't work, please tell me what program you used to get rid of W32/Alcan.A.worm

 

 

Hi Jacee nice to see you :)

 

ok...I changed the icons and refreshed...they are back to normal now...

 

All I did to remove worm...was disable restore.....then went to safe mode and scanned then enabled sys restore again....rebooted normally..scanned again...looks all clear...I hope

 

Thanks for your help

Wendi


Wendi...Good work, told ya system restore hid that virus, an jacee..well super smart an all, lol...ya ok now? ..I'd advise being MORE secure...always keep av, anti spyware FULLY updated,....ya have MVPS host file?....I just trying to help.....from what i been thru....here read>>> http://www.mvps.org/winhelp2002/hosts.htm any questions I WILL respond... ;) btw keep ewido on board FREE super malware scanner>> http://www.ewido.net/en/download/ UPDATE ...FIRST an scan....ewido has helped me over 10 times.... ;)


Hi Wade....hey thanks for your help....

I can't run ewido as i run windows me...i have avg adaware zonealarm all running on my comp.

 

I have a couple of issues...

My icons (on desktop and in folders) are acting a little weird.....(changing icons and colours) and monitor is blinking off and on, it's a new monitor..all leads are ok......it doesn't do it all the time.....

 

I have a post in user to user....

Any input will be grateful

Thanks

Wendi


How old is pc? is it under warranty? if so call tech support for this.. or if monitor is new as you say in your other post, call its tech support... also your tech express link is invalid, can ya post a NEW, an up to date Tech Express link? ;)


TechExpress link for your current results:

http://www.pcpitstop.com/techexpress.asp?id=T78R0WN4QSCS0SVR

 

Hey Wade...ok PC is old...:(

monitor is new......i have the drivers here somewhere..lol will find them and re-install them...

 

 

Please don't tell me it's PC :(:(

 

Regards

Wendi


Hi Wendi,

Ya test looks ok, all i see is some disk fragmentation ( 3% ) an hard drive has only 43% space left, ya ever use good junk cleaners to clean up things? like CCleaner? i doubt this would fix ya weird icon colors etc. though still would clean up pc well using free program like ccleaner, an defrag in safe mode. i don't know why ya pc has icons doing what ya say they're doing, i see ya posted a hjt log in the hjt forum, i don't see anything, but I am not an expert in that yet. here is ccleaner in case ya don't have it>> http://www.ccleaner.com/ good luck wendi ;)

Edited by Wademan
