Topic: Nasty Limewire Virus

Xeratul

    Topic Starter
  • 100,000th poster


  • Hopeful
  • Experience: Familiar
  • OS: Windows 7
Nasty Limewire Virus
« on: April 10, 2006, 10:46:20 PM »
I got this virus a while ago from Limewire called W32.Alcra.f. :'(

Up until now I thought I had properly deleted it. One of the things that it did was create a folder "%userprofile%\Complete" or "C:\Documents and Settings\Jay\Complete" with the hidden +H and system +S directory attributes. The virus downloaded all sorts of pornography into the folder. When I found it I knew I was infected, so I scanned with AVG and Ad-Aware. It found the infection, and said it deleted it. The virus no longer shows up in my scans anymore or does some of the other things it was supposed to. Somewhere during the process I thought maybe it would be a good idea to reinstall Limewire. After I reinstalled I picked another Limewire folder at "C:\Documents and Settings\Jay\LIMEWIRE" rather than the default "%userprofile%\shared". I no longer get any pornography in my "complete" folder.

After a while I noticed pornography was being downloaded to my LIMEWIRE folder. At first I thought it was my brother, but I've seen more porn download even when no one has been on.

How do I get it to stop? What should I do to fix it? :-?

Does it have something to do with my Limewire configuration file? :-?
« Last Edit: April 10, 2006, 10:49:33 PM by Wraith112 »

Dilbert

  • Moderator


  • Egghead

  • Welcome to ComputerHope!
  • Thanked: 44
    Re: Nasty Limewire Virus
    « Reply #1 on: April 10, 2006, 11:21:34 PM »
    You know the drill by now. ;) HijackThis log, please.
    "The geek shall inherit the Earth."

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: Nasty Limewire Virus
      « Reply #2 on: April 10, 2006, 11:44:04 PM »
      Wraith......
      Quote
      I got this virus a while ago from Limewire called W32.Alcra.f.  
      .....W32.Alcra.F is a worm that attempts to propagate through various file-share networks accessible with BearShare, LimeWire, Morpheus and Shareaza applications. It also attempts to disable several programs on the compromised computer and drops a variant of W32.Spybot.Worm onto the compromised computer.
      Quote
      Up until now I thought I had properly deleted it.
      No, you didn't. This is what it does ....

      Attempts to disable several programs by creating the following empty files with the hidden and system attributes set:

      %System%\cmd.com
      %System%\netstat.com
      %System%\ping.com
      %System%\regedit.com
      %System%\taskkill.com
      %System%\tasklist.com
      %System%\tracert.com

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

      Modifies attributes of the %System% folder.

      Copies itself as %ProgramFiles%\outlook\outlook.exe.

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

      Which anti virus are you using and is it up to date ....... This is a very recent nasty.......
      If you haven't already done this ......
      Go into folder options and make sure your hidden files and folders are shown.
      Turn off your system restore feature.
      Reboot into safe mode and run a complete scan ......... Record exactly what is found and where it was located .....

      Let us know how you make out.

      dl65  ::)
      If you don't know the answer, it isn't a dumb question.
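
The check below is an added example, not part of dl65's post or the quoted write-up: it looks in a given folder for the `.com` decoy names listed above and reports whether each one is empty, carries the hidden and system attributes, and shadows a same-named `.exe`. The function names and the sample directory built in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

# Decoy names taken from the write-up quoted in the post above.
DECOY_STEMS = ("cmd", "netstat", "ping", "regedit",
               "taskkill", "tasklist", "tracert")
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM


def find_decoys(system_dir, stems=DECOY_STEMS):
    """Report <stem>.com files in system_dir, matching names case-insensitively."""
    files = {e.name.lower(): e for e in os.scandir(system_dir) if e.is_file()}
    findings = []
    for stem in stems:
        entry = files.get(stem + ".com")
        if entry is None:
            continue
        st = entry.stat()
        # st_file_attributes exists only on Windows; elsewhere treat as 0.
        attrs = getattr(st, "st_file_attributes", 0)
        findings.append({
            "name": entry.name,
            "empty": st.st_size == 0,  # the write-up says the decoys are empty
            "hidden_system": (attrs & HIDDEN_SYSTEM) == HIDDEN_SYSTEM,
            # With the default PATHEXT (.COM before .EXE) a bare "ping"
            # resolves to ping.com ahead of the real ping.exe.
            "shadows_exe": (stem + ".exe") in files,
        })
    return findings


def demo():
    """Run the check on a constructed directory standing in for %System%."""
    samples = (("cmd.com", b""), ("ping.com", b""),
               ("PING.EXE", b"MZ"), ("tracert.com", b"x"))
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return [(f["name"], f["empty"], f["shadows_exe"]) for f in find_decoys(d)]


if __name__ == "__main__":
    # On an affected machine, point find_decoys() at the real folder instead,
    # e.g. os.path.join(os.environ["SystemRoot"], "System32").
    for row in demo():
        print(row)
```

A non-empty file under one of these names (like the constructed `tracert.com`) is reported with `empty` set to false, so it can be reviewed separately rather than treated as one of the decoys.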

      Xeratul

      Re: Nasty Limewire Virus
      « Reply #3 on: April 11, 2006, 07:59:01 AM »
      Quote
      %System%\netstat.com
      %System%\ping.com
      %System%\regedit.com
      %System%\taskkill.com
      %System%\tasklist.com
      %System%\tracert.com
      %ProgramFiles%\outlook\outlook.exe.
      Yes, I thought that was the only thing it did. :'( I'm trying to boot into safe mode, but it will not work. I pound on the F8 key during the Windows loading screen, and when I hold it down it's not working. Now I'm on the instructions at Symantec to boot into safe mode using the msconfig utility.
      Why doesn't F8 work though? What am I doing wrong? :-?

      I'm using AVG which was updated 04/10/06. Yesterday.

      « Last Edit: April 11, 2006, 08:03:50 AM by Wraith112 »

      dl65

        Re: Nasty Limewire Virus
        « Reply #4 on: April 11, 2006, 09:26:06 AM »
        Wraith.....
        Quote
        Why doesn't F8 work though? What am I doing wrong?

        Sounds like you are waiting too long before hitting the F8 key.....
        Try this ....... As soon as the machine shuts down and just before it starts to boot back up ......repeatedly tap the F8 key ........

        dl65  ::)

        Xeratul

        Re: Nasty Limewire Virus
        « Reply #5 on: April 11, 2006, 04:26:44 PM »
        I have see hidden files and folders on.

        I booted into safe mode, and scanned with AVG. It didn't find anything.

        I'll attach a hijackthis log too, but I don't think I have any hijackers.

        EDIT 1: It won't let me attach the file even though it's only 2 kilobytes.
        « Last Edit: April 11, 2006, 04:31:34 PM by Wraith112 »

        dl65

          Re: Nasty Limewire Virus
          « Reply #6 on: April 11, 2006, 04:53:47 PM »
          Wraith......  Have you gone through all your pc files to be certain that you have removed those dummy files that the bug created? What is the current status ....... is porn still d/l itself?
          Zip your hijackthis log, save it to your desktop and then go to .....
          http://photobucket.com/login.php?action=logout     ......... register, then upload the zipped file and once it's uploaded .. post the link here.



          dl65  ::)
          « Last Edit: April 11, 2006, 05:01:04 PM by dl65 »