W32.Alcra.B worm

Discussion in 'malware problems & news' started by deebo, Oct 29, 2005.

Thread Status:
Not open for further replies.
  1. deebo

    deebo Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    31
    Location:
    sc
    I have it and have run all my "defenders" and it is still there. It seems to be in my program files\winupdates\winupdates exe.
    How do I get rid of the crap in the simplest manner possible? I am not that good with changing registries and such.

    Thanks for any help....Dee
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
    Run the program and click the Web button as shown here:
    http://metallica.geekstogo.com/BFUonlinescript.jpg

    Use this URL to copy into the address bar of the Download script window:
    http://metallica.geekstogo.com/p2pnetwork.bfu

    Execute the script by clicking the Execute button.

    If you have any questions about the use of BFU please read here:
    http://metallica.geekstogo.com/BFUinstructions.html


    Wait for the complete script execution box to pop up and press OK.
    Press exit to terminate the BFU program.

    Reboot and check if taskmanager, regedit etc are working as they should. You should now be able to remove anything that was left behind.
     
  3. deebo

    deebo Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    31
    Location:
    sc
    Thanks for the quick response. I'll get right on it and let you know what happens.

    Again thanks.....Dee
     
  4. deebo

    deebo Registered Member

    Joined:
    Jul 30, 2004
    Posts:
    31
    Location:
    sc
    Yeah Buddy! I have control again! Thanks a million for the very helpful info.
    I love this site! :D
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    My pleasure. :cool:

    Regards,

    Pieter
     
  6. Soccerzubs

    Soccerzubs Guest

    Thanks a ton, don't know what that did, but it worked.
    None of my programs could scan or delete it.
    Norton virus detector doesn't keep popping up now, thanks again.
     
  7. dapug

    dapug Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    1
    I followed the instructions and it seems to have removed the virus. The task manager can come up, but when I try to see if regedit will work, I get the following error:

    16 bit MS-DOS Subsystem

    C:\windows\system32\regedit.com
    The NTVDM CPU has encountered an illegal instruction.
    CS: 0555 IP:0102 OP: ff ff 8a c4 8b choose 'close' to terminate the application.

    Before I used the BFU thing, there was one thing other than alcra.b that showed when I used Norton Anti-Virus. Now it doesn't appear. Is it safe to leave my computer like this? If not, what should I do?

    EDIT: I think the computer is still infected because it is slow and there are currently 36 processes running. Is this normal? I would attach a picture with these showing but I don't know how. If it is needed I can.

    EDIT #2: This morning, after running Ad-Aware, it came up with Alcan.A. After deleting that I can access the registry. But now when I scan again with Ad-Aware it pops up again. How should I deal with it?
     
    Last edited: Feb 12, 2006
  8. SAmuelWo

    SAmuelWo Registered Member

    Joined:
    Mar 17, 2006
    Posts:
    1
    Yo, I don't know what's going on but BFU seems to work. Can you explain why? o_O Norton Antivirus pop-ups stopped :)
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Please note that the p2pnetwork.bfu will no longer be updated.

    Please use this one instead:
    http://metallica.geekstogo.com/alcanshorty.bfu

    (It also kills off several adware programs that are usually installed by the Alcran Worm)

    Please follow up by scanning your computer for malware, preferably in safe mode. This is necessary since the BFU isn't, and never will be, able to remove all of the adware.

    Regards,

    Pieter
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    The BFU first kills the worm's processes, then it removes the registry entries it uses to restart, then it removes the files and folders.

    It should at the very least return your computer to a much more workable state.

    Regards,

    Pieter
     
  11. stuxhorn

    stuxhorn Registered Member

    Joined:
    Apr 4, 2006
    Posts:
    1
    I'm having the same trouble with this worm. I tried the p2pnetworking link and I got back a couple of the processes. It did not bring back regedit so I cannot delete it from the reg. I then tried the new link http://metallica.geekstogo.com/alcanshorty.bfu
    and it gave me a
    run time error 5
    invalid procedure call or argument.

    Can you please help me?

    Skylar

    Also, in my Task Manager my session id is not showing how much memory it is using.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi stuxhorn,

    I found the error and uploaded a new script.
    Can you try the new one please and let us know?

    The run time error 5 usually means I tried to delete a registry value instead of a key. :oops:

    Regards,

    Pieter (aka Metallica)
     
  13. njgio

    njgio Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    5
    Location:
    Derby, UK
    Hi. Sorry, I found this thread through Google and saw that it was quite recent so I tried the BFU thing, which greatly helped the speed of the computer. I used the latter of the scripts you told us to use. However, it's still unusually slow, and I normally have around 51 processes running.

    Every time I do a Norton virus scan it doesn't find anything, however looking through the reports and threat alerts I found a number of things, the worst of which looks to be W32.Alcra.B (found 15/02/06). I must have got this through LimeWire, the P2P program I have installed. Other RECENT (as of 2006) problems that were in the list include Adware.Starware and Downloader.Trojan. This is strange, as these things didn't come up after the scans had finished.

    The main symptoms of whatever problem I have is just general slowness of the whole machine and also frequent programs not responding. These programs normally crash when I try to close them (things such as Internet Explorer, Photoshop Elements, sometimes just folders).

    Other things to note are that I also have Ad-Aware SE and Spybot. Ad-Aware usually just finds tracking cookies and Spybot never finds anything.

    I also came across Alcragui when searching Google. This scanned my computer and said I had no problems. I think it's just a scanner for W32.Alcra.

    Another thing I found is a program called Registry Booster. I used my free scan and it found 190 problems. It can only remove 15 of them until I buy it. Should I buy it?

    I also have a question about BFU; should I run this script every day? Or is it only necessary once?

    I really have no clue what to do or even what I'm talking about when it comes to this kind of thing, and that includes where would be a relevant place to post this since I don't know the problem.

    Thanks. :)
     
  14. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  15. njgio

    njgio Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    5
    Location:
    Derby, UK
    Thank you very much. :)
     
  16. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    You're welcome. :)

    Keep us posted as to your progress with this.


    snowbound
     
  17. njgio

    njgio Registered Member

    Joined:
    Apr 15, 2006
    Posts:
    5
    Location:
    Derby, UK
    It turns out the only problem was something called 'poker3'? Bobbi Flekman is a very helpful person. I'm surprised he finds the time to reply to all of these threads.
     
  18. DivineIdentity

    DivineIdentity Registered Member

    Joined:
    Jun 12, 2006
    Posts:
    2
    Thank you all very much. I've spent about the last three hours trying to fix my computer. I knew from the start that I was infected with the alcra worm (or one of its variants) and bfu fixed it for me almost instantaneously, and it sure beats the hell out of trying to remove it manually (if possible). The Gladiator security site is also very helpful.

    I also would recommend to anyone who is still using Ad-Aware 6 to get the new Adaware SE version from the lavasoft site. It also removes the alcan worms, and is actually "updatable", unlike Ad-Aware 6 which became obsolete in Nov of 2004, if you didn't already know.
     
  19. DivineIdentity

    DivineIdentity Registered Member

    Joined:
    Jun 12, 2006
    Posts:
    2
    Hey everybody, I've been trying to use bfu to run regedit.exe at my school, because it's restricted and it would make my life a lot easier if I had access to it, but I can't seem to get it to work. If anybody knows how to do this, please let me know. :)
     
  20. MyGigaHurts

    MyGigaHurts Registered Member

    Joined:
    Jun 26, 2006
    Posts:
    1
    Amazing. Truly outstanding, the service provided here. Holy cow. I was gone for the weekend. Just got back this evening. My wife had been using LimeWire while I was gone. Jumped on my machine and immediately realized I couldn't ping. "The NTVDM CPU has encountered an illegal instruction." Checked system variables and everything looked fine. Went to check registry and same error. DOH. Scanned and realized I had w32.alcra.b, but no fix tools available. Looked it up in Google, found this forum, and five minutes later everything is peachy again. Beautiful. I applaud you... standing ovation. Thank you so much. Where do I donate? Actually, I'm sure I can find such a link if it exists. Also, if any of you are ever in my neck of the woods, I'll be sure to reward you with food, drink and merriment.
     
  21. dog

    dog Guest

    Nowhere ... this site is maintained free of any revenue source; purely on the goodwill and capital of the two owners and the generosity of the members and experts that contribute
    ... that could be expensive. :p :D
     
  22. laterales

    laterales Registered Member

    Joined:
    Aug 15, 2006
    Posts:
    2
    Please help me too - I have tried everything in this thread, in fact I have downloaded and tried every suggestion I have found on the internet all evening - the BFU thing just gives me failed and file not found messages in the log, that doesn't work. The virus is in my Nortons portal folder and is now replicating itself and filling up the quarantine folder with 2,327kb files, how do I stop it please and how do I get rid of it out of that folder?
     
  23. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Hello, laterales! Have you performed a full scan with Norton?
    Try to use an online scanner such as Bit Defender or Trend Micro to clean your infection.
     
  24. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Everything?

    Have you tried posting a HijackThis log at another forum for help as suggested here?

    https://www.wilderssecurity.com/showpost.php?p=728389&postcount=14

    If not, that's probably your best bet to get expert help in cleaning this malware and any other infections that might be on your system.



    snowbound
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Please note that BFU lists that error if it can't find a file or key.

    It does not list anything for all the files and keys it did find.
    To my knowledge the alcanshorty.bfu script works on every known variant of the Alcan/Alcra worm and for a lot, but not all, of the related malware it downloads and installs.

    So please follow snowbound's advice and have an expert look at your log to see what else might be going on.
    Or combine the script with a scan by a spyware/trojan/virusscanner (like Ewido for example).

    Regards,

    Pieter
     