Old 05-04-2006, 07:52 PM   #5 (permalink)
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,951
OS: Windows XP-Pro SP2


Updated: 05-04-06

Alcan.B Infection Removal Instructions


This infection is a worm that typically changes many of your security settings and DISABLES both "Task Manager" and "Regedit" in the Windows operating system. Your antivirus may pick this infection up, but fails to clean it.

The infection has many, many files and entries.

Common HijackThis log entries associated with this infection:

O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll
O4 - HKLM\..\Run: [gimmysmileys] C:\\GIMMYSMILEYS#.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd#.exe
O4 - HKLM\..\Run: [gimmygames] C:\windows\gimmygames#.exe
O4 - HKLM\..\Run: [gimmygames] C:\\gimmygames#.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban#.exe
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD#.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad#.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad#.exe
O4 - HKLM\..\Run: [newname] C:\\newname#.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname#.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC0#.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe
O4 - HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\[semi-random].exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\[semi-random].exe
O4 - Startup: Zstart.lnk = C:\WINDOWS\TEMP\[semi-random].exe
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM(32)\[random].EXE CORN001
O4 - HKLM\..\Run: [Command] C:\WINDOWS\system.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-##-##-######.exe
O4 - HKLM\..\Run: [q8lg] "C:\WINDOWS\System32\slk8x2peu.exe"
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [gjZC2XV] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [ula0U] "D:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20004\services.exe
O4 - HKLM\..\Run: [errorhandler] C:\WINDOWS\errorhandler.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINDOWS\System32\expload.exe
O4 - HKLM\..\Run: [tetriz3] C:\WINDOWS\system32\tetriz3.exe
O4 - HKLM\..\RunServices: [tetriz3] C:\WINDOWS\system32\tetriz3.exe
O4 - HKCU\..\Run: [tetriz3] C:\WINDOWS\system32\tetriz3.exe
O4 - HKCU\..\Run: [Abrada WIN32] C:\WINDOWS\abradaload.dll
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20021\socks.exe 20021
O4 - HKLM\..\Run: [rmalt] C:\Program Files\Update06\Setup.exe
O4 - HKLM\..\Run: [newname] c:\windows\newname12.exe
O4 - HKLM\..\Run: [mousepad] c:\windows\mousepad12.exe
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard12.exe
O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O4 - HKCU\..\Run: [Key] C:\DOCUME~1\[user]\LOCALS~1\Temp\[random].tmp
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\[user]\LOCALS~1\Temp\[random].tmp####.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: wmplayer.exe
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - C:\Program Files\FCAdvice\FCAdvice.dll
O18 - Filter: text/html - {8253D547-38DD-4325-B35A-F1817EDFA5F5} - C:\Program Files\System Files\plugin.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\[random].dll


*Note* Entries that contain #### are random letters and numbers.


The Fix
+++++++++++++++++++++++++++++++++++


Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with this yet!



Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the "Complete script execution" box to pop up and press OK.
  • Press Exit to terminate the BFU program.
Reboot into normal Windows.

You should now be free of the Alcan.B infection and have regained control of "Task Manager" and "Regedit". If you require help with the removal of the Alcan.B infection or want your HJT log checked, then please start your own thread in the HijackThis section of this forum and a trained Analyst will review your log.

WARNING:

The information in this fix is to be used at YOUR own risk. If you are unsure about a step or the use of a tool, then post your log in the HijackThis section and an Analyst will assist you.
Last edited by tetonbob : 04-24-2008 at 05:19 PM. Reason: removed AVG AntiSpyware; no longer available
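To check a HijackThis log against the entries listed in the post above, here is an added Python example (not part of the original post, and not HijackThis or BFU code) that turns a subset of the post's entries, including the # and [random]/[semi-random]/[user] wildcards, into regular expressions and runs them over a constructed sample log. The template subset, the treatment of a run of # as one or more letters/digits, and the sample log lines are assumptions of this example.

```python
import re

# Alcan.B HijackThis entries exactly as written in the post above (a subset). Per the post,
# '#' marks random letters/digits and [random]/[semi-random]/[user] a name that varies.
ALCAN_B_TEMPLATES = [
    r"O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll",
    r"O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd#.exe",
    r"O4 - HKLM\..\Run: [gimmysmileys] C:\\GIMMYSMILEYS#.exe",
    r"O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\[semi-random].exe",
    r"O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM(32)\[random].EXE CORN001",
    r"O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-##-##-######.exe",
]

# Tokenizer for the post's notation: wildcards, runs of '#', runs of '\', SYSTEM(32), literal chars.
_TOKEN = re.compile(r"\[(?:semi-)?random\]|\[user\]|#+|\\+|\(32\)|.")

def template_to_regex(template):
    """Turn one HJT entry from the post into a case-insensitive regex for a whole log line."""
    parts = []
    for tok in _TOKEN.findall(template):
        if tok in ("[random]", "[semi-random]", "[user]"):
            parts.append(r"[^\\]+")        # any single path component
        elif tok.startswith("#"):
            # assumption: a run of '#' is one or more letters/digits (the post fixes no length)
            parts.append(r"[A-Za-z0-9]+")
        elif tok.startswith("\\"):
            parts.append(r"\\+")           # HJT prints C:\\ and C:\ interchangeably
        elif tok == "(32)":
            parts.append(r"(?:32)?")       # SYSTEM(32): \system\ or \system32\
        else:
            parts.append(re.escape(tok))   # literal text, incl. [ValueName] and {CLSID}
    return re.compile("".join(parts), re.IGNORECASE)

COMPILED = [(t, template_to_regex(t)) for t in ALCAN_B_TEMPLATES]

def scan_hjt_log(text):
    # Returns (log line, matching template) for every whole line that matches an Alcan.B entry.
    hits = []
    for line in map(str.strip, text.splitlines()):
        for template, rx in COMPILED:
            if rx.fullmatch(line):
                hits.append((line, template))
                break
    return hits

# Constructed sample log: the first four lines are infected entries with the random parts
# filled in; the last two are benign (ctfmon.exe is a normal Windows entry, and "_old" is
# not letters/digits, so it does not satisfy the '#' wildcard).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd7.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0a0b1c.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\qzx8v.EXE CORN001
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\k3jd9.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd_old.exe
"""
```

Because each template covers the whole HJT line, a wildcard such as [semi-random] only matches together with its Startup name or Run value name, which keeps legitimate system32 entries from being flagged on path alone.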