Think I Have An Alcra Worm


  • This topic is locked
4 replies to this topic

#1 grizz1029

Posted 13 April 2006 - 03:04 AM

I think I picked up the Alcra worm from LimeWire. LimeWire starts on its own and will not stay closed at all. Also I tried to get into regedit and I can't. I tried running Norton and it says nothing was found. I ran Webroot Spy Sweeper and it turned up nothing; both are up to date. Don't know what the problem is, please help...


Logfile of HijackThis v1.99.1
Scan saved at 2:40:02 AM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\lxamsp32.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\limewire\limewire.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Travis\Desktop\New Folder\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pogo.com/home/home.jsp?sls=2&site=pogo
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Gtwatch] C:\WINDOWS\gtwatch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} (CamfrogWEB Advanced Unicode Control) - http://activex.camfrogweb.com/advanced/cfw..._instmodule.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 SifuMike

Posted 16 April 2006 - 09:29 PM

Hello grizz1029,

Let's get rid of that Alcan virus. :thumbsup:

Open HijackThis, click 'Config' (bottom right).
Choose the tab 'Misc Tools' on top.
Choose 'Delete a file on reboot'.
In the field, copy and paste the following:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe

Click Open.
HijackThis will tell you that this file will be deleted on next reboot and ask if you want to reboot now. Click Yes/OK.
Your system should reboot now.

After reboot...

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - Global Startup: svchost.exe
If you did not install or want PartyPoker, then fix it:
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!



Please download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)

Next, RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe.

In the scriptline to execute field (on the far right) copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do its job.


Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script (alcanshorty.bfu) manually from the above URL (right-click on it, choose 'Save As' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and click OK and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.


Perform an online scan with Panda: (please use this scanner instead of any other scanner!)

Panda Online
Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with a fresh HijackThis log.

Edited by SifuMike, 16 April 2006 - 09:40 PM.

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
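
Added example (not part of the original thread, and not HijackThis's own code): the check behind the advice in post #2, flagging a Windows system process name that runs from, or is registered in, a location other than its normal directory, applied to a few lines copied from the log in post #1. The function names, the short list of system process names and the assumption that Windows is installed in C:\WINDOWS (as in this log) are choices made for the illustration.

```python
import ntpath
import re

# A few lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\limewire\limewire.exe

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
"""

# Assumption: illustrative short list of system process names and the
# directory each normally runs from on an XP install in C:\WINDOWS.
SYSTEM_DIR = r"c:\windows\system32"
EXPECTED_DIR = {
    "smss.exe": SYSTEM_DIR, "csrss.exe": SYSTEM_DIR, "winlogon.exe": SYSTEM_DIR,
    "services.exe": SYSTEM_DIR, "lsass.exe": SYSTEM_DIR, "svchost.exe": SYSTEM_DIR,
    "spoolsv.exe": SYSTEM_DIR, "explorer.exe": r"c:\windows",
}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # e.g. "O4 - ..."
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (.+)$")    # O4 Startup-folder items


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def masquerading_processes(processes):
    """Running processes that use a system process name from an unexpected directory."""
    hits = []
    for path in processes:
        expected = EXPECTED_DIR.get(ntpath.basename(path).lower())
        if expected and ntpath.dirname(path).lower() != expected:
            hits.append(path)
    return hits


def suspicious_startup_items(entries):
    """O4 Startup-folder items named after a system process.

    These processes are started by Windows itself, so a Startup-folder
    item carrying one of their names is worth a closer look.
    """
    hits = []
    for code, body in entries:
        match = STARTUP_RE.match(body) if code == "O4" else None
        if not match:
            continue
        # "Name.lnk = C:\path\target.exe" or just "file.exe"
        target = match.group(1).split(" = ", 1)[-1]
        if ntpath.basename(target).lower() in EXPECTED_DIR:
            hits.append(f"{code} - {body}")
    return hits


def missing_file_entries(entries):
    """Entries HijackThis marked '(file missing)': leftovers pointing at nothing."""
    return [f"{code} - {body}" for code, body in entries
            if body.endswith("(file missing)")]


if __name__ == "__main__":
    procs, items = parse_log(SAMPLE_LOG)
    for label, found in (
        ("System name, wrong directory", masquerading_processes(procs)),
        ("System name in Startup folder", suspicious_startup_items(items)),
        ("File missing", missing_file_entries(items)),
    ):
        for hit in found:
            print(f"{label}: {hit}")
```

A hit is a reason to inspect the file, not a verdict: the legitimate svchost.exe in C:\WINDOWS\system32 is left alone, and only the copy in the All Users Startup folder is reported.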

#3 grizz1029

Posted 18 April 2006 - 03:38 AM

Here's the Panda scan
had a lot of viruses
like 26 spyware
anyway here it is.

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Travis\Cookies\travis@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Travis\Cookies\travis@ad.yieldmanager[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Travis\Cookies\travis@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Travis\Cookies\travis@adtech[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Travis\Cookies\travis@apmebf[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Travis\Cookies\travis@casalemedia[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Travis\Cookies\travis@com[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Travis\Cookies\travis@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Travis\Cookies\travis@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Travis\Cookies\travis@qksrv[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Travis\Cookies\travis@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Travis\Cookies\travis@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Travis\Cookies\travis@revenue[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Travis\Cookies\travis@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Travis\Cookies\travis@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Travis\Cookies\travis@tribalfusion[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Travis\Cookies\travis@tucows[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Travis\Cookies\travis@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Travis\Cookies\travis@zedo[1].txt
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Travis\Local Settings\Temp\nsnD.tmp
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Travis\My Documents\Downloads\Norton Antivirus 2006 updated with keygen.rar[keygen.exe]
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Travis\My Documents\Downloads\Norton Antivirus 2006 Version 2 with keygen\keygen.exe
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\Travis\My Documents\Downloads\Norton Internet Security 2006 pro with keygen\keygen.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\#1 DVD Ripper 1.3.38.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\#1 Video Converter 3.6.9.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\007 DVD Copy 5.1.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\007 DVD Copy v5.1.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\007 DVD Creator v2.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\007 Spy Software v3.81.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\007 Spy Software v3.85.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\123 Flash Menu v1.64.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\123 Video Converter v3.31.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\18 Wheels Of Steel Pedal To Metal.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\1Click DVD Copy 4.2.9.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\1Click DVD Copy Pro 2.1.0.5.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\1Click DVD Copy Pro v1.0.0.6.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\2 Find MP3 8.7.4.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\24 The Game PS2, playstation 2.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\246 Arcade Games FTP!.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\25 To Life.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\2d3 Moujou v1.0 For Maya 6.5 and 7.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\32bit Convert It c9.73.01.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\3aLab iRadio v1.5.0.516.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\3D Box Maker Professional v1.1.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\3D Mark 2003.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\3D MP3 Sound Recorder v3.8.17.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\3D Shop Modeldesign v2.7.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\3d Studio Max 8 (incl. Keygen).exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\3D World Studio 5.31.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\3ds Max 8.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\4WomenOnly v5.1.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\7 Sins ISO.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\7 Sins.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\8Signs Firewall v2.3.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\9 Great Games.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\A Plus CADCopy v2.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\A1 DVD Audio Ripper v1.1.41.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Abander TagControl v2.66.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ABBYY FineReader Professional Edition 8.0.0.706 Multila.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ABC DVD Copy v2.0.1.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ABC Video Roll v2.5.70.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AbiWord 2.3.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Able2Extract Pro v3.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Absolute MP3 Splitter.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Absolute Sound Recorder v3.24.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Absolute Sound Recorder v3.32.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Absolute Uninstaller 1.43.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Absolute Uninstaller v1.51.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Absolute Video Converter v2.5.8.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Absolute Video Converter v2.6.5.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Abylon Enterprise v6.00.04.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Abylon Shredder v5.50.12.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Ac Browser Plus 3.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ACD Systems AcdSee 7 Retail.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ACD Systems FotoSlate v4.0.22.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ACDSee 7.0 PowerPack.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ACDSee 8.0.67 PRO.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ACDSee Photo Viewer 5.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ACDSee Pro v8.0.67.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Ace Utilities 2.20.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Ace Video Workshop 1.4.40.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AceHTML Pro v6.04.2.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AceHTML Pro v6.05.8.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AceNotes v1.0.0.1408.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AceReader Pro Deluxe Network Edition.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acme CAD Converter 6.52.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acme Photo ScreenSaver Maker v1.70.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acme Photo ScreenSaver Maker v1.8.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acmeta Fragmento v 1.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acoustica Beatcraft 1.00.9.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acoustica Mixcraft 2.50.45.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acoustica MP3 Audio Mixer 2.471.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acoustica MP3 CD Burner 4.0 Build 84.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acoustica v3.20.251.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acronis Disk Director Suite v10.0.2077.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acronis Disk Director Suite v9.0.549.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acronis True Image Server 8.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acronis True Image Server v9.1.3534.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acronis True Image v7.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acronis True Image v9.0 Build 3567.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Acronis True Image v9.0.3567.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Action Ball Deluxe v1.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Active Key Logger 2.5.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Active Whois v2.6.4145.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Activestate Komodo v2.5.1.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ActMon Password Recovery XP 4.03.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Ad-Aware SE Personal Edition 1.05.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AD-aware SE Pro Edition 1.05.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Add Remove Plus 2003 v4.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Add Remove Plus 2004 4.1.0.7.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Adobe Acrobat 3D 7.0.7.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Adobe Acrobat 3D v7.0.7.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Adobe Audition 2.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Adobe Illustrator CS2 10.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Adobe PageMaker 7.0.1.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Adobe Photoshop CS 8.0 Portable Edition.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Adobe Photoshop CS2 9.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Adobe Photoshop Plug-Ins 2006 Full.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Adobe Premiere Elements v2.0 Retail WinXP.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Adobe Premiere Pro 2.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AdsCleaner v4.3.08 Pro.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ADSLKeepalive Version v3.1 FULL.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AdSpy Eliminator 1.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Advanced Call Corder v3.6.0.181.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Advanced MP3 Converter v1.80.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Advanced MP3 WMA Recorder 5.3.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Advanced Pic Hunter v2.2.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Advanced Registry Doctor Pro 6.0.09.12.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Advanced Spyware Remover 1.86.23985.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Advanced Uninstaller Pro 2004.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Age Of Empires 2 and mortal kombat 4.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Agnitum Outpost Firewall Pro 2.5.369.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Agnitum Outpost Firewall Pro v2.6.451.51.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Ahead Nero 7.0.8.2.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Ahead Nero Burning ROM 6.6.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AI RoboForm V6.3.97.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AIO AutoFX Photoshop PlugIn.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\AirMagnet Laptop Analyzer v5.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Alarm Master Plus v4.9.9 WinXP2K3.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Algolab Photo Vector v1.98.49.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Algolab Raster to Vector Conversion Toolkit v2.94.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Algorithmix Plugins Bundle DX v1.3.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Alias ImageStudio v3.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Alive DVD Ripper v1.3.2.8.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Alive WMA MP3 Recorder v2.1.3.6.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\All In One - Anti-Virus.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\All In One DJ Toolz.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\All In One Download.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\All Sound Recorder Xp v2.05.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\All-In-One Common Tools for Morphing.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Allok AVI MPEG Converter v1.5.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Allok AVI MPEG WMV RM To MP3 Converter v1.5.4.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Allok AVI To DVD SVCD VCD Converter v1.6.6.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Allok OGG MP3 Converter v1.0.6.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Allok Video Joiner v1.6.4.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Allok Video Splitter v1.6.4.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Allok WMV To AVI MPEG DVD WMV Converter v1.6.6.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Almost Famous.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ALO Audio Editor 2.0.9.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ALO Power Audio Converter 1.3.9.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ALO RM to MP3 Converter 2.2.3.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ALO Video Converter v1.0.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Alt-N MDaemon Pro v9.0.0 (German).exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Altostorm Rectilinear Panorama Pro v1.2.1 for Adobe Pho.exe
Virus:W32/Gaobot.MJA.wo

#4 SifuMike


Posted 18 April 2006 - 12:35 PM

Hi grizz1029,

Have you been downloading programs with Limewire?
Panda is showing an alphabetical listing, starting with the "A" programs. Looks like you chopped off the Panda listing for the rest of them.
It looks like all those hundreds of programs you downloaded are infected with the Gaobot virus. :thumbsup:
Downloading programs from an unknown source is a sure way to get infected. :flowers:

Some of what Panda found was cookies in your Documents and Settings folder, so let's use CCleaner to get rid of them.

Download CCleaner and install it (default location is best). Do not run it yet!

CCleaner Tutorial

Please download Ewido Anti Malware; it is a trial version of the program.
  • Install ewido anti malware
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Please reboot your computer in Safe Mode by doing the following:
    Restart your computer
    After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    Instead of Windows loading as normal, a menu should appear
    Select the first option, to run Windows in Safe Mode.
  • Click on Ewido Anti Malware icon to open it
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close Ewido Anti Malware.

Note: Ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.


*****************************************

Run BitDefender Free Online Virus Scan http://www.bitdefender.com/scan8/ie.html



*****************************************

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section including Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!


Run Panda Online Scan again.

Please post the report .txt from Ewido, the Panda Scan log and a fresh HijackThis log.

Edited by SifuMike, 18 April 2006 - 03:36 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
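
Added example (not part of the original thread or of any poster's reply): a small Python triage script that groups pasted scan-log detections by detection name and by folder, which makes it quick to confirm that every hit sits in the file-sharing folder and to spot a paste that was cut off. The line layout is assumed from the log lines quoted in this thread; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from ntpath import dirname  # Windows path rules, works on any OS

# Layout assumed from the log lines in this thread:
#   <type>:<detection name> <status> <drive>:\<path>
LINE_RE = re.compile(
    r"^(?P<kind>[A-Za-z ]+):(?P<name>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<path>[A-Za-z]:\\.+)$"
)

def parse_scan_log(text):
    """Return (detections, unparsed_lines) for a pasted scan report."""
    detections, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match:
            detections.append(match.groupdict())
        else:
            unparsed.append(line)  # e.g. a line truncated mid-paste
    return detections, unparsed

def summarize(detections):
    """Count detections per (name, status) and per parent folder."""
    by_name = Counter((d["name"], d["status"]) for d in detections)
    by_folder = Counter(dirname(d["path"]) for d in detections)
    return by_name, by_folder

# Constructed sample: three lines in the form seen in the thread, one
# constructed cookie line in the same layout, and one truncated line.
SAMPLE = r"""
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\All In One Download.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\Almost Famous.exe
Virus:W32/Gaobot.MJA.worm Not disinfected C:\Documents and Settings\Travis\Shared\_\ALO Video Converter v1.0.exe
Spyware:Cookie/Example Not disinfected C:\Documents and Settings\Travis\Cookies\travis@example[1].txt
Virus:W32/Gaobot.MJA.wo
"""

if __name__ == "__main__":
    found, skipped = parse_scan_log(SAMPLE)
    names, folders = summarize(found)
    for (name, status), count in names.most_common():
        print(f"{count:4d}  {name}  [{status}]")
    for folder, count in folders.most_common():
        print(f"{count:4d}  {folder}")
    print(f"{len(skipped)} line(s) could not be parsed: {skipped}")
```
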

#5 SifuMike


Posted 25 April 2006 - 01:43 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.