|
|
W32Alcra.B - can not remove?
|
|
|
stumpied
Junior Member
|
1. February 2006 @ 18:56 |
Link to this message
|
|
This message keeps popping up when I do a scan with Ad-aware. While going through the scan, a window pops up saying Nortan has detected a virus and it has been remove. Virus name is W32Alcra.B Ad-aware does not seem to find anything, but everytime I run ad-aware, Norton pops up with this warning. It only pops up when ad-aware is running. I updated ad-aware today and this is when all this started happening. Even though Norton says it has deleted the virus, it keeps coming back. If anyone has any ideas, i'd really appreciate the help. Thanks.
|
|
Advertisement
|
|
|
|
Senior Member
|
1. February 2006 @ 21:51 |
Link to this message
|
|
If it ONLY pop's up when adaware's running then it could be nothing, it could just be that norton has detected one of the items on ad aware's detection list and deemed it as a virus.
But i think its best that you post a HJT log.
This message has been edited since posting. Last time this message was edited on 1. February 2006 @ 21:52
|
|
stumpied
Junior Member
|
2. February 2006 @ 17:34 |
Link to this message
|
Here is the log. Let me know what you think, thanks.
Logfile of HijackThis v1.99.1
Scan saved at 9:30:52 PM, on 2/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb02a.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x8...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{484AF49B-5E42-433D-927D-A728EA36468F}: NameServer = 142.161.2.155 142.161.130.155
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
|
|
spertti
Senior Member
|
2. February 2006 @ 18:27 |
Link to this message
|
The log is clean. Does Norton say which file is the one with infection?
If so then scan the file here > http://www.virustotal.com
And you could also try scanning with Ewido. You can get it from here > http://www.ewido.net/en/download/
Just remember to update it before scanning and be sure that you change the settings to scan every file and make a complete system scan.
Save Ewido´s log and post it here
|
Member
|
2. February 2006 @ 18:34 |
Link to this message
|
 - Ideal way to deal with the MPAA~RIAA |
|
spertti
Senior Member
|
2. February 2006 @ 19:01 |
Link to this message
|
|
@stumpied
DO NOT REMOVE that 017 entry or you´ll lose your internet connection at the same time!
I think you live in Canada right?
@thugs121
Why don´t you check those IP´s before fixing them?
|
|
stumpied
Junior Member
|
2. February 2006 @ 19:24 |
Link to this message
|
|
Correct, I live in Canada. I guess that means I will leave that 017 entry. What about the 04, is it safe to remove that one? I have gone in Norton to see where it is detecting this from and it seems to originate from here:
Source: C:\DOCUME~1\User\LOCALS~1\Temp\AAWTMP\C682265\34CE1\Setup.exe
I tried deleting that AAWTMP folder, but it seems to come back. When I open that folder as well, there is nothing in it? There are several entries in norton with this being found in AAWTMP, but the numbers after that are always different. I would assume that folder is for the Ad Aware program? I did a complete system scan with Norton last night in safe mode and it did not detect anything. Perhaps it is just something with the 2 programs together? Let me know what I should try next. Thanks
|
|
spertti
Senior Member
|
2. February 2006 @ 19:56 |
Link to this message
|
Yeps... Nothing to worry that´s just a temporary folder that Ad-Aware creates while scanning. The virus that is found is already being handled so nothing to worry about.
The 04 entry isn´t necessary and you can fix it but it is an optional fix and that´s why I didn´t mention it.
There are also a couple more entries that you may want to fix just to make your system a little faster when booting. These aren´t necessary on the log. ( 04 entry means that the program is started automatically when booting )
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
If you want some of these to start automatically later you can easily do that from HijackThis backups
|
Member
|
2. February 2006 @ 21:59 |
Link to this message
|
|
@spertti
saw your other post....I guess most of the time it's safe...
- Ideal way to deal with the MPAA~RIAA
This message has been edited since posting. Last time this message was edited on 2. February 2006 @ 22:06
|
|
stumpied
Junior Member
|
4. February 2006 @ 08:50 |
Link to this message
|
Thanks for the help guys. I have tried running both Norton ad Ad-Aware and the message does not appear anymore. Whatever was the cause it seems to be better now. I am not sure if I will delete the 04 enteries if they will only make the computer boot up faster. I had noticed awhile back that it is taking a bit longer to boot uo, but is still not very long, maybe 2 minutes at most. If I will not gain anything in performance other than a quicker start up, I will probably leave them for now. Again, thanks for the help.
|
|
Advertisement
|
|
|
|
spertti
Senior Member
|
4. February 2006 @ 08:52 |
Link to this message
|
|
Sure Itll make it faster in all ways too. I´m finnish so my english isn´t so easy to understand =)
|
