Hi guys,

2 questions...

I believe I had/have a variant of the worm Alcan.a - I have done my best to remove it with adaware/spybot/antivir xp (all updated and ran in safe mode) but I don't know if I have got rid of it - have I?

Second question, when running antivir xp I saw the worm had created 1000+ files in C:\Uploads - I went to delete this folder but it doesn't show up when I look at C drive through my My Computer...why is this? How can I delete the files that are there?


Most recent Hijack This Log:-

Logfile of HijackThis v1.99.1
Scan saved at 20:17:36, on 05/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
F:\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\CookieWall\cookie.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
F:\Wireless LAN Utility\TIWLANCu.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
F:\AVPersonal\AVWUPSRV.EXE
F:\Alcohol120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
F:\Wireless Lan Utility\tiwlnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Winamp\winamp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe
F:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saxosportsclub.com/forum/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [CookieWall] F:\CookieWall\cookie.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TI WLAN] F:\Wireless LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQLite\ICQLite.exe
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E951041F-57BD-4895-8159-E4CD672863B2}: NameServer = 62.31.176.39,194.117.134.19,195.188.53.175
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - F:\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - F:\AVPersonal\AVWUPSRV.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Alcohol120\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - F:\Wireless Lan Utility\tiwlnsvc.exe



Many thanks in advance,



Ian

*gentle nudge*

sorry if its not the done thing, I'm very paranoid about my pc at the minute... ;)

Hi Ian,

Please do not do this. Especially before someone has answered. This could get you killed, since helpers are thinking that you are already being helped! Also, your log is barely one hour old before you start bumping your thread!

You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end if the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\System32ati2vid.exe
C:\WINDOWS\System32msconfg.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2cf41f1db14bc8f414e16e1555b77108\update\update.exe

Restart your computer and post a new log in this thread.

Please enable everything you have turned off in 'System Configuration Utility' (MSConfig.exe). This way your system will not hide any potential malware and hijackers. What I cannot see, I cannot fix!

Post a fresh log. Afterwards you can turn off everything you had turned off. Do NOT restart your computer while everything is turned on

You probably have files hidden. See the earlier instuctions on how to unhide them.

Hi Bobbi,

As you can see in my bump post I didn't want to do it, but if you look closely it had been 1 day and 1 hour, not barely an hour, without a reply ;)

Thank you very much for the reply - I checked the entries and fixed them with Hijackthis, but those 3 files to be deleted were not on my system...

New log:-

Logfile of HijackThis v1.99.1
Scan saved at 16:05:09, on 06/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
F:\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\CookieWall\cookie.exe
F:\Wireless LAN Utility\TIWLANCu.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
F:\AVPersonal\AVWUPSRV.EXE
F:\Alcohol120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
F:\Wireless Lan Utility\tiwlnsvc.exe
C:\WINDOWS\System32\rsvp.exe
F:\Teamspeak2_Server\server_windows.exe
F:\Teamspeak2_RC2\TeamSpeak.exe
C:\WINDOWS\explorer.exe
F:\Winamp\Winamp.exe
C:\WINDOWS\System32\LVComsX.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saxosportsclub.com/forum/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [CookieWall] F:\CookieWall\cookie.exe
O4 - HKLM\..\Run: [TI WLAN] F:\Wireless LAN Utility\TIWLANCu.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - F:\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E951041F-57BD-4895-8159-E4CD672863B2}: NameServer = 62.31.176.39,194.117.134.19,195.188.53.175
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - F:\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - F:\AVPersonal\AVWUPSRV.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Alcohol120\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - F:\Wireless Lan Utility\tiwlnsvc.exe



Thanks again,

Ian

Hi Ian,

Oops.. You're correct with not being one hour, but your math is off too... Check the dates and time. 13 hours and 38 minutes. When you take into account that this is a global board (meaning I'm probably in another part of the world than you) I don't think it's a reason to get upset (read bump).

Posted Yesterday, 09:21 PM
Posted Today, 10:59 AM

--
This log looks clean!

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP get updated to SP-2

Please post back if you are still having any problems....

Hey,

I wasn't upset, just hopeful I would get a reply before more damage was done...it seems we both struggle with time and dates ;)

Many thanks for your help, good riddance to the little blighter.

Ian