System32.p2p-worm.alcra.a

Discussion in 'malware problems & news' started by mzjazz2u, Jun 24, 2005.

Thread Status:
Not open for further replies.
  1. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    Ok I thought I had a security fortress here but I got infected anyway. Please help! When I run Adaware it finds a p2p worm called alcra.a. Adaware removes 8 files/registry entries but when I reboot everything is there again and so are the symptoms. My updated Norton 2005 didn't detect it and still doesn't. Oh yeah, it also hides all its files even if you have show all files checked in options. I also have Zone Alarm, Counter Spy and SpybotSD. Also tried using killbox and hijackthis. And I've scanned using Adaware and Norton in safe mode. The first symptoms I noticed were that Limewire would load automatically on restart. If you exit Limewire, it starts again. The worm also changes your Limewire settings so it shares everything in your "My Documents" folder. When Adaware removes the worm (and I say this lightly because it's still somewhere or it wouldn't reactivate when I restart), you can exit Limewire after Adaware does its thing. Also Task Manager, MSCONFIG and the registry are disabled. You can run the registry after running Adaware (until system restart again.) This is starting to really p&$$ me off! I've been messing with this for 3 days! Please help!! :'(
     
  2. CatL8E

    CatL8E Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    2
    Location:
    Somewhere over the rainbow
    This also sometimes shows up as alcan.a. I've tried the fix listed in the forum here with no luck. The darn thing just keeps coming back after restart.
     
  3. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  4. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647

    Yes, your security fortress is not a fortress at all if you can get hit even by the tiniest/biggest piece of malware.
    Read what Symantec said:
    W32.Alcra.A is a worm that spreads through file-sharing networks, such as Limewire.


    So, you have a "security fortress". Why are you using P2P programs like Limewire anyway?

    Follow snowy's instructions and post your HJT log at another forum for analysis. Tip from me: DO NOT use P2P programs, especially those that are known to spread malware and viruses.
     
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    In computer security, prevention is always better than cure. ;)
     
  8. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    Gee... thanks for the spanking. That's EXACTLY what I came here for! 47 years old and still getting SPANKED! That said... there are many programs that can spread malware and viruses that are not P2P. Someone's website could get infected, freeware downloaded from a mirror site can be infected, a friend could unknowingly send something to you via email! And using an ftp file transfer program to update your website can leave you wide open. So, sorry but your advice is flawed.

    I used Limewire occasionally for years and never had a problem with it. Yeah, I knew it was still a risk even though I had lots of security measures going. Funny thing is... this time was the first time in 6 months that I used it and it was to get a program that was freeware because it is faster and easier. And thanks for the smart remarks but I don't understand why you feel you have to drive people into the ground with cutting remarks instead of helping them. Must be an insecurity issue. Didn't your mother ever tell you, if you don't have something nice to say, then don't say it? :p There was nothing constructive in your post. All you did was repeat what snowbound had the goodness to tell me.

    snowbound, thanks for trying to help me. I appreciate your constructive advice and will follow it! Mods, you don't have to worry about kicking me off the forums.... This grandma won't be back for "advice" here anyway. Sorry for the scene! ;)
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there mzjazz2u, and welcome to the forum.
    I'm very sorry for the bad experiences you're going through at the moment. This was never intended and not in the spirit of the Wilders forum at all!

    I wish so much you had come here sooner so we could help you out.
    Most of the time we advise users to take all these steps in this thread
    https://www.wilderssecurity.com/showthread.php?t=50662
    (it involves Snowbound's advice too :) )

    I think from the description you gave it sounds logical that the Lime thing opens: could it be the Spybot worm opening a backdoor as described on the Symantec site?

    Once ready with the HJT log, please let us know how you're doing.
    I think we would like to see an AutoStartViewer log as well ( http://www.diamondcs.com.au/index.php?page=asviewer - free tool ): recently on another occasion an ASV log showed up an infection which was not visible in HJT, so to be extra sure .... Anything to help prevent you from formatting the HD.
    I'm almost sure you did try a system restore to before the moment you might have got that infection?
     
  10. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    Thank you so much! You're so gracious and roped me back in for the time being! ;)

    Yes, I believe the worm is using Limewire as a back door. It changes the settings so that it shares the whole "My Documents" folder. I'm kind of paranoid to try system restore because I read somewhere that it attaches to or infects the restore points. Can't remember where I saw that because I've read so darn many things on it the last 3 or 4 days. I will post the HJT but I have a feeling nothing will be found. Thanks for telling me about the ASV thing too. I'll also follow that advice.

    The worm hides all its files, reg. entries and other properties. After I remove what I can of it with Adaware, I think I'm ok to run the system. That is, until I restart and the worm reactivates. After cleaning with Adaware, I found the registry key that Symantec says makes the worm start up again on startup and I deleted it. But the darn thing came back on restart again. So there is something else hiding somewhere. I'm baffled why Norton SystemWorks 2005 doesn't pick up on it, let alone why it didn't pick it up at the time of download. Because from what the Symantec website says, it should. I've even scanned in safe mode several times.

    Can you edit the registry in safe mode? Because I tried and keyboard strokes are disabled in safe mode. I've never had to do much in safe mode so I don't know if this is a limitation of safe mode or perhaps part of the worm.

    In the meantime... I uninstalled Limewire the other day so the worm doesn't have access to it every time I restart the system. And I've limited my internet and email activity and when my PC is sitting idle, I unplug my DSL modem. I also uninstalled my ftp program that I use for my website just as a precaution. I'll let you know how it goes. I'm just starting to feel that a reformat may be easier at this point. Only thing is, as much as you try to back up documents and files you always miss something that you end up losing! And I create digital dvd scrapbooks for people so I have a lot of files! And a lot of programs to reinstall! And can my other files end up being infected? What a pain in the keester!

    Thanks again.
     
  11. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    Got a question. Where (on Castlecops for example) do I post the hjt log and the ASV log? Is it somewhere in their forums? I'm looking around and it may be smacking me in the face but I just don't see where to post them!

    Oh yes, in all my ramblings I forgot to confirm that yes, this worm is a variant of the spybot worm.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yeah, it is a real disaster when we get our systems infected. So we try to help you clean up without a reformat, as, like you said, we always forget things and we never will feel comfortable with our files.

    Thinking aloud now:
    If you have system restore enabled, and you clean up the system and restart, all the malware you just cleansed out will be back from the system restore.
    But if you disable system restore, clean out and reboot, all the former restore points have gone. So if you made a mistake with deleting too much you can't go back.

    You could clean out, create a new system restore point from the clean situation and reboot; if the nastiness is back you go back to the cleansed situation, or if you have any idea when the malware entered your system, you could give it a try anyway to get to an older restore point, say a week ago for instance, and see how that worked out.
    If there is anything wrong with the restore points, your scanners should have alarmed on those, I hope.

    You're not the only one with this malware; googling around I noticed this thread as well http://www.computing.net/windowsxp/wwwboard/forum/133675.html with several tips, I'm about sure you used that as well.

    Found the HJT posting area in CastleCops http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

    I'm not sure about regedit in safe mode.
     
    Last edited: Jun 25, 2005
  13. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    And this is the page at Net Integration,

    http://forums.net-integration.net/i...e_day=30&sort_by=Z-A&sort_key=last_post&st=20

    Make sure you follow all the instructions first before you post your HijackThis log.

    Most forums that have experts to read these logs are inundated with them so please be patient as it may take some time to get results.


    snowbound
     
  14. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    Holy cow I've wasted the whole day on this stupid thing. But I may have finally gotten somewhere. I uninstalled Norton and installed Panda's antivirus. It detected the worm and cleaned most of the files except for one. It gave more detailed information on locations etc. That wasn't the end of it though. I had to go into safe mode and search the registry for about 12 different entries and delete them. Then I went to the prefetch folder and deleted the files related to the worm. While still in safe mode I rescanned my pc with adaware and for once, it came up clean! I restarted my system and right away had access to msconfig, regedit and task manager. (which previously the worm had disabled.) I ran Panda and my system is clean. The only thing left is that my System32 folder is still hidden.
     
  15. SpiritWind

    SpiritWind Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    52
    Location:
    Southern Calif
    :D The only safe P2P-type program I know is "Shareaza",
    available at www.shareaza.com .
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Wow! Applause for yourself so far! This really sounds promising!
    And all that without creating new system restore points etc?
    You must be really brave to uninstall Norton, as that can leave some strange effects on the system. :)
    You did for sure in Windows Explorer > Tools > View have show all hidden files and file extensions visible, I suppose?
    Did you post in the meantime a HJT log and/or ASViewer log? (threads please, so we can take a look too!)
    By the sounds it looks like part of the infection doing this, but it feels like you're getting clean without reformatting.
    Have you been able to stop the sharing of your documents folder too?
     
  17. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    Sorry but not so. This worm is rampant in Shareaza too. At least that is what all the security bulletins say. I just don't trust any of them anymore. And the things I download are legal and I can get them on other official websites.
     
    Last edited: Jun 26, 2005
  18. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    Well, I didn't really want to create new system restore points because I didn't think it would do much good if the system was still infected. I've uninstalled Norton before too without problems. But in all this I figured the worst that could happen would be I ended up having to do that reformat!

    Yep! I did have "show all hidden files" etc. checked in options. But the worm still hides the system32 folder. I still can't get to it. But my system remains clean today when I scan with Adaware and Panda. And I'm still able to use msconfig, task manager and regedit (which the worm had previously disabled all). But since I still can't see my system32 folder there must be some element of the worm still around to some extent. And I don't have a shared folder any longer. I got rid of it when I uninstalled Limewire.

    I did post a HJT log on castle cops. I did it just before I uninstalled Norton. Haven't heard anything back about it yet. It's here: mzjazz2u's HJT log

    I didn't post the ASV log. I wasn't sure if I could post it in the same place or what. I do still have it though and at least one of the files from the worm showed up on that. Maybe I'll edit my post in castle cops and add the ASV log.

    I did update/edit the thread at castlecops and included the ASV log.
     
    Last edited: Jun 26, 2005
  19. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    This morning Adaware had some updates and I downloaded and ran again. Also ran Panda again and both picked up more files from the sleazy little worm. Adaware found infection in 3 system restore points and Panda found an *.exe in a temp folder that was previously missed. Everything is still working though. Except I still have not been able to restore access to the System32 folder.
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You could clean the temp folder. Did TDS (updated) show anything new too?
    So if you know the restore points by date now, you might know now as well when you probably got infected and could possibly go back to a restore point before that, in case of need.
    I wondered if it would be good to post new logs at Castle Cops now you uninstalled Norton and might have made more changes in the meantime. And I noticed you mistyped the worm's name there, which might confuse people trying to help you with the logs.
     
    Last edited: Jun 28, 2005
  21. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    Good idea. I know I was infected June 20th. Today, someone from Castle Cops notified me and I have posted a new HJT log as they requested. Looks like I mistyped the name of the worm in the subject line but it's correct in the body of the post. I edited the subject line, so hopefully they should catch that. Nothing new is showing up. All temp folders have been cleaned out (as far as I know, but this worm is very good at making things disappear!)
     
  22. Cyberik

    Cyberik Guest

    Had the same problems with this worm. Finally got rid of it by updating Norton, starting up in safe mode, running Norton, running Adaware (with latest update) and deleting all the Temporary Internet Files and Temp files for all users. Now I got compliments from Adaware/Spybot/Norton by showing no problems after scans. The only thing was this System32 folder... (invisible as well). Found this trick on the net, and it helped me: Type the following in DOS mode:

    attrib c:/windows/system32 -h -s

    For me that did the trick.

    Good luck!

    Cyberik
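    As an added example, not from Cyberik's post and not part of any tool named in this thread, the following PowerShell script audits the two lingering symptoms the thread describes: the System32 folder having been given Hidden/System attributes (what the attrib command above clears) and Task Manager / regedit being disabled (the symptom from the first post). The registry value names DisableTaskMgr and DisableRegistryTools are real Windows policy values that a number of malware families set; they are not mentioned in the thread, and MSCONFIG is left out because it is not disabled through these values. Without -Repair the script only reports; with -Repair (from an elevated prompt) it clears the attributes and removes the policy values, the PowerShell equivalent of the attrib command.

```powershell
# Added example, not from the thread: audit (and optionally repair) two
# symptoms of the infection discussed above.
#   1. Hidden/System attributes on a directory that should be visible.
#   2. Policy values that disable Task Manager and the registry editor.
# Usage:  .\Audit-AlcraSymptoms.ps1            # report only
#         .\Audit-AlcraSymptoms.ps1 -Repair    # run elevated to fix HKLM
param(
    [string]$Dir = (Join-Path $env:SystemRoot 'System32'),  # assumption: default path of interest
    [switch]$Repair
)

$findings = @()

# --- 1. Directory attributes -------------------------------------------------
# -Force is required, otherwise Get-Item will not return a hidden item at all.
$item = Get-Item -LiteralPath $Dir -Force
$bad  = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
if ([int]($item.Attributes -band $bad) -ne 0) {
    $findings += [pscustomobject]@{ Check = 'Attributes'; Target = $Dir; Value = "$($item.Attributes)" }
    Write-Warning "$Dir is marked $($item.Attributes)"
    if ($Repair) {
        # Same effect as:  attrib -h -s <dir>
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot [int]$bad))
        Write-Host "Cleared Hidden/System on $Dir"
    }
} else {
    Write-Host "$Dir attributes look normal: $($item.Attributes)"
}

# --- 2. Tool-disabling policy values -----------------------------------------
# Malware commonly sets these under HKCU and/or HKLM to lock the user out of
# Task Manager and regedit. A non-zero value means the tool is disabled.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($p in $policyPaths) {
    if (-not (Test-Path $p)) { continue }
    $props = Get-ItemProperty -Path $p
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $v = $props.$name
        if ($null -ne $v -and $v -ne 0) {
            $findings += [pscustomobject]@{ Check = 'Policy'; Target = "$p\$name"; Value = $v }
            Write-Warning "$p\$name = $v (tool disabled by policy)"
            if ($Repair) {
                Remove-ItemProperty -Path $p -Name $name
                Write-Host "Removed $p\$name"
            }
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No hidden-System32 or tool-disabling policy symptoms found.' }
$findings   # emitted as objects so the result can be piped or logged
```

    The attribute check uses -Force on Get-Item because, as the thread notes, a hidden folder does not show up even when "show all files" is enabled in Explorer, and the same is true of a plain Get-Item. Re-running the script after a reboot is the cheapest way to tell whether whatever set these values is still active.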
     
  23. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    Good for you for getting rid of that tricky little worm! When I got it, my Norton and Adaware were up to date. And I tried updating again after. But Norton still didn't pick it up. Not even in safe mode. I can't imagine why not. It's a mystery! I want to uninstall Panda and reinstall Norton SystemWorks but I'm kind of afraid to now. I keep thinking, "what else isn't it going to pick up and take care of?" Anyway, I have a new license for Norton and I don't for Panda so I'd really like to go back. Maybe I'll go ahead.

    Thanks for the tip for the system32 folder. I really appreciate it a lot and I'm going to try it as soon as I get home from work! That's the only thing left that I need to fix!
     
  24. mzjazz2u

    mzjazz2u Registered Member

    Joined:
    Jun 23, 2005
    Posts:
    25
    Location:
    Somewhere over the rainbow
    Cyberik, You ROCK! Thanks man... it worked! WOO HOO!! And I didn't have to boot to a dos screen. I just pulled up the dos prompt from Accessories in Windows!
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Wow, that sounds good!

    Now for the infections:
    I see there was but an administrative reaction on the HJT log till now; did you also post the link to that log in the general HJT collection thread they're building?

    Time for a manual system restore point of the clean or working situation!

    Are there any more alarms or files you know to be involved?
    Did you also scan with TDS in safe mode and normal mode?
     