the-coffeys.com
sports. computers. photography. family. life.

6.29.2005

My bout with Alcra/Alcan.B

Posted by Nathan & Valerie at 1:08 AM | 3 comments
Earlier tonight I was attempting to close a program on my tablet PC using the task manager utility when I discovered that it would not open. Shortly thereafter I discovered that regedit.exe would not open! So, with the limited knowledge I have of computers and their processes I consulted Google in search of what virus or worm could be causing such a nuisance. It took me a while and I tried a few different removal tools based on what I read occurs with those viruses and none of them worked. Then I found my Holy Grail. I had been infected by the worm known as Alcan.B (a.k.a. Alcra.B). There is also an .A variant of the worm that drops an additional file but I had .B.

According to Symantec (a wonderful website/company), they only discovered the worm yesterday (the 27th), and it seems they have not yet had time to create a removal tool for it, unfortunately.

Here is what I did in order to rectify the messy situation:

Getting Started
Let's back up a second. I first needed to know what the worm was really called. There are a number of worms that are similar in their annoyances, so I had to find the correct one. I did that by reading Google results and Symantec's pages on different viruses. Once I knew it was Alcra/Alcan.B, I did a search on Google for 'Alcra.B removal tool.'

What it does

  1. When executed, Win32.Alcan.B copies itself to %Program Files%\winupdate\winupdate.exe.
  2. The worm then modifies the registry to execute itself at each Windows start:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdate = "\winupdate\winupdate.exe /auto".
  3. The worm also hides the system32 folder from view inside the Windows folder (even with hidden-file viewing enabled).
  4. It also drops .COM files named after common command-line tools (cmd, regedit, taskkill, tasklist, netstat, ping, tracert) into the system folder; the full list is under "How I fixed it" below.
That can be extremely annoying and scary!

How I fixed it
I found a website through Google that listed what the worm drops and what files need to be removed from your system to fix it:

%Program Files%\MsConfigs\MSCONFIGS.EXE
%System%\CMD.COM
%System%\NETSTAT.COM
%System%\PING.COM
%System%\REGEDIT.COM
%System%\TASKKILL.COM
%System%\TASKLIST.COM
%System%\tracert.com

This registry value needed to be removed as well:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MsConfigs

(Alcan.A also drops a p2pnetwork.exe file in the registry and the system folder, but I didn't need to delete that)


After making a copy of the regedit.exe file under C:\WINDOWS\, I went into the registry myself and deleted the necessary entries. (I mentioned that I couldn't access the regedit.exe program via Start»Run...»regedit, but Start»Run...»Browse...»C:\WINDOWS\regedit.exe worked around the worm.)
A quick Google search for 'Alcan.B removal tool' turned up a program called Xoftspy that would remove the malicious files for me. It worked like a charm: it found exactly the files it was supposed to find on my system, but it wanted me to purchase the full version in order to remove them. I wasn't about to drop $40 for a one-time deletion, so back to Google I went. This time I found a program called Killbox, thanks to Pieter Arntz of The Netherlands, which lets you enter the path of a file you want not only killed but deleted permanently upon reboot. So I pasted the list of nasty files into Killbox, rebooted, and VOILA! Those programs are no more, and now I can see my task manager as well as cmd.exe and regedit.exe.

The final step was to get the system32 folder viewable again. In order to do this I once again Googled and was led to the same forum I used to find out what files I needed to delete and this time Ravin helped me out by telling me what to type in the command prompt and now KiKi is clean and it's time for bed. No more worms please!
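The post does not say why typing regedit at Start»Run launched nothing while browsing to C:\WINDOWS\regedit.exe worked, but the file list above explains it. When a bare command name is typed, cmd.exe (and in practice the Run box) walks each PATH directory in order and, inside each directory, tries the PATHEXT extensions in order; on Windows XP that order starts with .COM before .EXE. The worm's REGEDIT.COM sits in system32, which is searched before C:\WINDOWS where the real regedit.exe lives, and CMD.COM sits next to cmd.exe in the same folder, so the companions win every time. The Python script below is an added example, not code from the post or from any tool it mentions: it models that lookup over a constructed snapshot built from the file names listed above (plus the legitimate tools they shadow) and flags every tool that a companion file is hijacking. The PATH and PATHEXT values are assumed XP defaults; nothing in it touches a real filesystem or registry.

```python
"""Model Windows bare-name command resolution (PATH x PATHEXT) and detect
.COM-style companion files that shadow legitimate tools.

Added example; the directory snapshot, PATH and PATHEXT below are constructed
to mirror the post's file list and XP defaults, not read from a live machine.
"""
import ntpath

# Assumed XP default PATHEXT.  .COM sorting before .EXE is the whole trick.
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH")
# Assumed XP default search path: system32 is searched before the Windows dir.
DEFAULT_PATH = (r"C:\WINDOWS\system32", r"C:\WINDOWS", r"C:\WINDOWS\System32\Wbem")

# Constructed snapshot of an infected box: legitimate tools plus the worm's drops
# from the post's list (%System% = C:\WINDOWS\system32).
INFECTED_FS = frozenset({
    r"C:\WINDOWS\regedit.exe",
    r"C:\WINDOWS\system32\cmd.exe",
    r"C:\WINDOWS\system32\netstat.exe",
    r"C:\WINDOWS\system32\ping.exe",
    r"C:\WINDOWS\system32\taskkill.exe",
    r"C:\WINDOWS\system32\tasklist.exe",
    r"C:\WINDOWS\system32\tracert.exe",
    r"C:\WINDOWS\system32\taskmgr.exe",
    r"C:\WINDOWS\system32\CMD.COM",
    r"C:\WINDOWS\system32\NETSTAT.COM",
    r"C:\WINDOWS\system32\PING.COM",
    r"C:\WINDOWS\system32\REGEDIT.COM",
    r"C:\WINDOWS\system32\TASKKILL.COM",
    r"C:\WINDOWS\system32\TASKLIST.COM",
    r"C:\WINDOWS\system32\tracert.com",
    r"C:\Program Files\MsConfigs\MSCONFIGS.EXE",
    r"C:\Program Files\winupdate\winupdate.exe",
})


def _index(fs):
    """Case-insensitive lookup table: lowercased path -> path as stored."""
    return {p.lower(): p for p in fs}


def resolve_command(name, fs, path=DEFAULT_PATH, pathext=DEFAULT_PATHEXT):
    """Return the file a bare `name` would launch, or None if nothing matches.

    Mirrors cmd.exe: each PATH directory in order, and within a directory each
    PATHEXT extension in order.  A name typed with an extension is looked up
    as-is.  The current directory and App Paths are left out of the model.
    """
    table = _index(fs)
    _stem, ext = ntpath.splitext(name)
    candidates = [name] if ext else [name + e for e in pathext]
    for directory in path:
        for cand in candidates:
            hit = table.get(ntpath.join(directory, cand).lower())
            if hit:
                return hit
    return None


def find_companions(fs, path=DEFAULT_PATH, pathext=DEFAULT_PATHEXT):
    """Find files in PATH directories that a bare-name launch no longer reaches.

    A file is shadowed when resolving its own stem returns a different file,
    i.e. a same-named file with a higher-priority extension (or in an earlier
    PATH directory) wins.  Returns sorted (shadowed, shadower) pairs.
    """
    dirs = {d.lower() for d in path}
    pairs = set()
    for f in fs:
        directory, base = ntpath.split(f)
        stem, ext = ntpath.splitext(base)
        if directory.lower() not in dirs or ext.upper() not in pathext:
            continue
        winner = resolve_command(stem, fs, path, pathext)
        if winner and winner.lower() != f.lower():
            pairs.add((f, winner))
    return sorted(pairs)


if __name__ == "__main__":
    for cmd in ("regedit", "regedit.exe", "cmd", "taskmgr"):
        print(f"{cmd:12} -> {resolve_command(cmd, INFECTED_FS)}")
    print("shadowed tools:")
    for shadowed, shadower in find_companions(INFECTED_FS):
        print(f"  {shadowed}  is hidden by  {shadower}")
```

In the model, a bare regedit resolves to REGEDIT.COM while regedit.exe (typed with its extension, or reached by the post's Browse workaround) resolves to the real binary; once the seven .COM drops are deleted, find_companions returns nothing and the bare names resolve normally again, which is what the post reports after the Killbox reboot. taskmgr.exe is not shadowed in this snapshot, so the task manager symptom is not explained by this mechanism alone.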

3 Comments:

Anonymous Scott M said...

Thanks a ton Nathan for posting your ordeal with Alcra.B. I didn't really know that anything was wrong with my computer until Norton picked up about 990 infected files (all alcra.b). I'd noticed that my computer was a little slower than usual, and it had been running hotter than usual (it's a laptop). Anyways, I searched for and tried many suggestions (I'm not great with computers). That being said, I still spent well over 6 hours before a search came up with your site. Anyways, the advice you provided worked like a charm - very easy for a computer illiterate bum like me to understand and follow. I was pretty relieved as I was close to considering reformatting the hard drive (which is a pretty daunting prospect for someone as useless with computers as me). Anyways, I owe you one. Please enjoy your time in DC.

Scott M, Vancouver B.C.

July 4, 2005 12:42 AM  
Anonymous Anonymous said...

Nathan - thanks a lot!!!

You are a life saver. This was tormenting me, and your instructions worked to a T!

Again, really appreciate you taking the time to post this.

- Mike.

July 25, 2005 8:03 PM  
Anonymous Graham Henderson - UK said...

I was the unfortunate victim of the Alcra-b infection on my pc; neither my antivirus (Norton 2007) nor my antispy could delete the files. In desperation I searched the net using Copernic Agent and it found your site. Using the information and acting on it, I noticed that my machine booted up normally where it was taking ages, and touch wood it seems to be behaving.

I would like to thank you for the information that helped me get rid of the worm.

January 31, 2007 11:25 PM  