Need some help with Alcan Worm... Please help!


Dan

Just my luck: when I got a cable connection yesterday afternoon (for temporary
use, since my stupid DSL ISP won't get hooked up yet due to their server
strike), my notebook started acting funny. DU Meter shows uploading all
the time and I can't open Task Manager properly at all. After looking around,
it looks like one of those Alcan worms. I've tried Xoftspy and it doesn't
remove it completely; it just keeps showing up more. The browser (IE) is acting
kinda weird. Sometimes it works fine and sometimes it doesn't now. When it
worked, I did try to use the scan from Trend Micro and it kept showing an error
message at around 26% saying something like "can't get the content, network is
busy" or something like that, so I can't finish the scan at all. I also tried to
run HijackThis (a suggestion I heard, to check what is going on) and it
wouldn't run. When I try again, an error message pops up but I can't
read it at all because something is closing it fast every time... This is
driving me nuts. Is there any good remover program that would get rid of it?
Ad-Aware doesn't at all... Thanks in advance.
 
Just my luck: when I got a cable connection yesterday afternoon (for temporary
use, since my stupid DSL ISP won't get hooked up yet due to their server
strike), my notebook started acting funny. DU Meter shows uploading all
the time and I can't open Task Manager properly at all. After looking around,
it looks like one of those Alcan worms. I've tried Xoftspy and it doesn't
remove it completely; it just keeps showing up more. The browser (IE) is acting
kinda weird. Sometimes it works fine and sometimes it doesn't now. When it
worked, I did try to use the scan from Trend Micro and it kept showing an error
message at around 26% saying something like "can't get the content, network is
busy" or something like that, so I can't finish the scan at all. I also tried to
run HijackThis (a suggestion I heard, to check what is going on) and it
wouldn't run. When I try again, an error message pops up but I can't
read it at all because something is closing it fast every time... This is
driving me nuts. Is there any good remover program that would get rid of it?
Ad-Aware doesn't at all... Thanks in advance.

Have you tried System Restore to a restore point prior to infestation?

Since you're flooded with malicious internet activity, I suggest
first trying just a small download of some running process killer such
as:

http://www.beyondlogic.org/solutions/processutil/processutil.htm

to at least get to the point where you have a chance of downloading
larger files. I assume you've read descriptions of the Alcan worm such
as:

http://vil.mcafeesecurity.com/vil/content/v_133690.htm

So you may have other active malware and spyware as well.

This 10.7 meg download of an antivirus using the Kaspersky scan engine
should help identify and clean up a lot once you get to the point that
you can download large files in a finite amount of time :)

http://www.claymania.com/KASFX.EXE

You should follow up by running Ad-Aware and Spybot.

Art

http://home.epix.net/~artnpeg
 
From: "Dan" <[email protected]>

| Just my luck: when I got a cable connection yesterday afternoon (for temporary
| use, since my stupid DSL ISP won't get hooked up yet due to their server
| strike), my notebook started acting funny. DU Meter shows uploading all
| the time and I can't open Task Manager properly at all. After looking around,
| it looks like one of those Alcan worms. I've tried Xoftspy and it doesn't
| remove it completely; it just keeps showing up more. The browser (IE) is acting
| kinda weird. Sometimes it works fine and sometimes it doesn't now. When it
| worked, I did try to use the scan from Trend Micro and it kept showing an error
| message at around 26% saying something like "can't get the content, network is
| busy" or something like that, so I can't finish the scan at all. I also tried to
| run HijackThis (a suggestion I heard, to check what is going on) and it
| wouldn't run. When I try again, an error message pops up but I can't
| read it at all because something is closing it fast every time... This is
| driving me nuts. Is there any good remover program that would get rid of it?
| Ad-Aware doesn't at all... Thanks in advance.
|

I suggest that you get a Cable/DSL Router such as the Linksys BEFSR41. The NAT Router will
act as a simplistic FireWall and create a barrier against Internet worms from accessing
your PC. There are many other benefits to such a device. One relates to DSL if the ISP
uses PPPoE. Instead of having to use a PPPoE software connector on a PC, the Router, not
the PC, will make the PPPoE connection.

As always, I suggest blocking both TCP and UDP ports 135 ~ 139 and 445 on *any* SOHO Router.

I suggest you use a utility called TCPVIEW by Sysinternals -
http://www.sysinternals.com/Utilities/TcpView.html

This tool gives a dynamic GUI view of what program opens up what TCP/UDP port and connects
to what Internet site. Not only will it show programs that open ports but it will show the
fully qualified name and path of the executable opening said port and the command line
switches used to load the executable.

This is a good utility to find Trojan activity.

In addition to Art's suggestion of using a Kaspersky based AV scanning engine, I can suggest
a utility that provides three different anti-virus scanners: McAfee, Sophos and Trend
Micro...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org - Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are: Sophos, Trend, McAfee, Exit the menu, and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
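What TCPView shows interactively can also be reconstructed offline from two command-line snapshots, and the same pass can check the port advice above. The following is an added example, not Sysinternals code and not from anyone in this thread: it parses constructed `netstat -ano` and `wmic process get ProcessId,ExecutablePath,CommandLine /format:csv` output, joins each connection to the image path and command line of its PID, and flags sockets listening on TCP/UDP 135-139 and 445, outbound connection attempts to those ports on other hosts, one process fanning out to several hosts on the same port, and a PID that has no entry in the process list. The host name, PIDs, addresses and the `fanout_threshold` default are constructed for the example.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Ports the thread recommends blocking at the router: TCP and UDP 135-139 and 445.
WORM_PORTS = set(range(135, 140)) | {445}

# Constructed `netstat -ano` output in the Windows XP layout; foreign addresses
# are documentation ranges and PIDs are made up.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       728
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      198.51.100.20:80       ESTABLISHED     2204
  TCP    192.168.1.10:1051      203.0.113.7:445        SYN_SENT        1812
  TCP    192.168.1.10:1052      203.0.113.8:445        SYN_SENT        1812
  TCP    192.168.1.10:1053      203.0.113.9:445        SYN_SENT        1812
  TCP    192.168.1.10:1054      203.0.113.10:139       SYN_SENT        1812
  TCP    192.168.1.10:1060      198.51.100.21:80       ESTABLISHED     3020
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed output of
#   wmic process get ProcessId,ExecutablePath,CommandLine /format:csv
# Columns are located by header name, so their order does not matter.
# PID 3020 is deliberately absent: either it exited between the two
# snapshots or it is hiding from enumeration; both deserve a second look.
WMIC_CSV = r"""Node,CommandLine,ExecutablePath,ProcessId
NOTEBOOK,,,4
NOTEBOOK,C:\WINDOWS\system32\svchost -k rpcss,C:\WINDOWS\system32\svchost.exe,728
NOTEBOOK,msconfig32.exe,C:\WINDOWS\system32\msconfig32.exe,1812
NOTEBOOK,C:\Program Files\Internet Explorer\iexplore.exe,C:\Program Files\Internet Explorer\iexplore.exe,2204
"""

# UDP rows have no State column, hence the optional group before the PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str  # empty string for UDP
    pid: int


def port_of(addr: str) -> Optional[int]:
    """Port number of 'host:port'; None for wildcards such as '*:*'."""
    port = addr.rpartition(":")[2]
    return int(port) if port.isdigit() else None


def parse_netstat(text: str) -> list:
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append(Conn(proto, local, foreign, state or "", int(pid)))
    return conns


def parse_wmic_csv(text: str) -> dict:
    """PID -> row dict (CommandLine, ExecutablePath, ...) from wmic CSV output."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {int(r["ProcessId"]): r for r in rows if r["ProcessId"].isdigit()}


def correlate(netstat_text: str, wmic_text: str, fanout_threshold: int = 3) -> dict:
    """Join connections to their owning process and attach triage flags.
    Returns {pid: {"path", "cmdline", "connections", "flags"}}."""
    procs = parse_wmic_csv(wmic_text)
    report = {}
    targets = {}  # (pid, foreign port) -> set of distinct foreign hosts
    for c in parse_netstat(netstat_text):
        proc = procs.get(c.pid, {})
        entry = report.setdefault(c.pid, {
            "path": proc.get("ExecutablePath", ""),
            "cmdline": proc.get("CommandLine", ""),
            "connections": 0,
            "flags": set(),
        })
        entry["connections"] += 1
        if c.pid not in procs:
            entry["flags"].add("pid-not-in-process-list")
        lport, fport = port_of(c.local), port_of(c.foreign)
        if c.state == "LISTENING" or c.proto == "UDP":
            # A service reachable on the RPC/file-sharing ports: exactly what
            # the router rule is meant to shield from the Internet.
            if lport in WORM_PORTS:
                entry["flags"].add("exposes-port-%d" % lport)
        elif fport in WORM_PORTS:
            # This host reaching out to other machines' RPC/SMB ports.
            entry["flags"].add("outbound-to-port-%d" % fport)
            targets.setdefault((c.pid, fport), set()).add(c.foreign.rpartition(":")[0])
    for (pid, fport), hosts in targets.items():
        if len(hosts) >= fanout_threshold:
            # One process contacting several hosts on the same port looks like
            # propagation, not a user browsing.
            report[pid]["flags"].add("fan-out-%d-hosts-port-%d" % (len(hosts), fport))
    for entry in report.values():
        entry["flags"] = sorted(entry["flags"])
    return report


if __name__ == "__main__":
    for pid, entry in sorted(correlate(NETSTAT_ANO, WMIC_CSV).items()):
        print(pid, entry["path"] or "(no image path)", entry["connections"],
              ", ".join(entry["flags"]) or "-")
```

On a live machine the two constants would be replaced by the captured output of the two commands; capturing them a few seconds apart is what makes the "PID not in process list" case possible, so that flag means "look again", not "malware".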
 
David H. Lipman said:
I suggest that you get a Cable/DSL Router such as the Linksys BEFSR41. The NAT Router will
act as a simplistic FireWall and create a barrier against Internet worms from accessing
your PC. There are many other benefits to such a device. One relates to DSL if the ISP
uses PPPoE. Instead of having to use a PPPoE software connector on a PC, the Router, not
the PC, will make the PPPoE connection.

Thanks for the suggestion and other help.^^ I am using a router with NAT
though.

By the way, below is the log from HijackThis. Done in safe mode though (not
sure if it matters) since it wouldn't run at all, similar to Task Manager, when
I try to run it under the normal state.

Logfile of HijackThis v1.99.1
Scan saved at 2:33:25 AM, on 9/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe
/Start
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\Windows\IME\imjp8_1\IMJPMIG.EXE /Spoil
/RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\Windows\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\Windows\System32\IME\PINTLGNT\ImScInst.exe
/SYNC
O4 - HKLM\..\Run: [PHIME2002ASync]
C:\Windows\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\Windows\System32\IME\TINTLGNT\TINTSETP.EXE
/IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\Windows\TPPALDR.EXE
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.microsoft.com/windows...b?1123323970712
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\Windows\System32\Ati2evxx.exe
O23 - Service: HP Hard Drive Thermal (HDThermal) - Hewlett-Packard Company -
C:\Program Files\HPQ\HDThermal\HDThermal.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company -
C:\Program Files\HPQ\SHARED\HPQWMI.exe


I asked the question somewhere else and someone suggested this.
"Remove this file and entry.
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
zulu virus:
http://www.liutilities.com/products...ary/msconfig32/"

I want to make sure before getting rid of that. Thanks again.
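For readers doing the same triage on the log above, here is an added example that is not HijackThis code and not from anyone in this thread. It parses O4 autorun lines the way the analysts here read them: it undoes newsreader line wrapping, extracts the executable from each Run/RunServices entry, and flags a bare file name with no path, a name that imitates a built-in tool by appending digits (msconfig32.exe next to the real msconfig.exe), and the same command registered under both Run and RunServices. The embedded log is a constructed excerpt in HJT v1.99 format and `SYSTEM_TOOL_STEMS` is an assumed list; a flag is a reason to look at the file, not a verdict, so bare driver names such as the ATI entries come out flagged too and need checking.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in HijackThis v1.99 format, wrapped at spaces the way a
# newsreader wraps long lines; it is not the complete log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\Explorer.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe
/Start
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
"""

# Assumed list of built-in Windows tool names that malware imitates by adding
# digits or a suffix (msconfig32.exe for msconfig.exe); extend as needed.
SYSTEM_TOOL_STEMS = {"msconfig", "svchost", "lsass", "winlogon", "services", "explorer"}

ITEM_RE = re.compile(r"^O\d+ - ")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif|dll|cpl|ocx))(?=\s|$)", re.IGNORECASE)
HAS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%|\\\\)")


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    command: str
    flags: list = field(default_factory=list)

    @property
    def executable(self) -> str:
        """The program part of the command: a quoted path, else the shortest
        prefix ending in a program extension (so a path with spaces followed
        by switches stays whole), else the first whitespace-separated word."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        m = EXE_RE.match(cmd)
        return m.group(1) if m else (cmd.split() or [""])[0]


def unwrap_items(log_text: str) -> list:
    """Return the O-numbered items with line wrapping undone: once the first
    'On - ' item has been seen, any non-empty line that does not start a new
    item is glued onto the previous one."""
    items = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if ITEM_RE.match(line):
            items.append(line)
        elif items and line.strip():
            items[-1] += " " + line.strip()
    return items


def parse_o4(item: str):
    m = O4_RE.match(item)
    return Autorun(m["hive"], m["key"], m["name"], m["cmd"]) if m else None


def triage(log_text: str) -> list:
    """Parse every O4 entry and attach the flags an analyst looks for first."""
    entries = [e for e in map(parse_o4, unwrap_items(log_text)) if e]
    # Which Run-type keys hold the same (hive, name, command) triple?
    keys_by_identity = {}
    for e in entries:
        keys_by_identity.setdefault((e.hive, e.name, e.command), set()).add(e.key)
    for e in entries:
        exe = e.executable
        if not HAS_PATH_RE.match(exe):
            # No drive, environment variable or UNC prefix: Windows resolves it
            # through the search path, so the file may live anywhere on it.
            e.flags.append("no-path")
        stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        base = stem.rstrip("0123456789")
        if base != stem and base in SYSTEM_TOOL_STEMS:
            e.flags.append("lookalike:" + base)
        if {"Run", "RunServices"} <= keys_by_identity[(e.hive, e.name, e.command)]:
            # The same command under Run and RunServices is a pattern of worms
            # that want to start on both 9x-style and NT-style Windows.
            e.flags.append("run+runservices")
    return entries


def suspicious(log_text: str) -> dict:
    """Map 'HIVE\\KEY: [name]' -> flags for every entry that raised a flag."""
    return {f"{e.hive}\\{e.key}: [{e.name}]": e.flags
            for e in triage(log_text) if e.flags}


if __name__ == "__main__":
    for label, flags in suspicious(SAMPLE_LOG).items():
        print(f"{label}: {', '.join(flags)}")
```

Run against the constructed excerpt, the two msconfig32.exe entries collect all three flags while the ATI entry collects only `no-path`; feeding it a real log means pasting the whole file into `SAMPLE_LOG` or reading it with `open(...).read()`.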
 
Thank you for the help. Could you take a look at that log I posted? Someone
said it's something else but the symptoms are a lot like the Alcan worm
though... at least the unable-to-use-Task-Manager part.
 
Thank you for the help. Could you take a look at that log I posted? Someone
said it's something else but the symptoms are a lot like the Alcan worm
though... at least the unable-to-use-Task-Manager part.

Use Google. For example, searching msconfig32.exe leads very quickly
to:

http://www.sophos.com/virusinfo/analyses/w32sdbotadc.html

Go to that Sophos page and click Advanced to see detailed info ...
enough there to disable Sdbot manually.

Remember that you probably have multiple infestations.

BTW, the place to post HijackThis logs is at forums for that purpose.

Art

http://home.epix.net/~artnpeg
 
From: "Dan" <[email protected]>

|
|
| Thanks for the suggestion and other help.^^ I am using a router with NAT
| though.
|
| By the way, below is the log from HijackThis. Done in safe mode though (not
| sure if it matters) since it wouldn't run at all, similar to Task Manager, when
| I try to run it under the normal state.
|
| Logfile of HijackThis v1.99.1
| Scan saved at 2:33:25 AM, on 9/24/2005
| Platform: Windows XP SP1 (WinNT 5.01.2600)
| MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Dan:

This isn't the best place to post HJT logs. The following is borrowed from the
alt.privacy.spyware newsgroup.

Appendix 2. Forums where you can get expert advice for Hijack This! logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5

That being said, please submit a sample of "msconfig32.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

When you get the report, please post back the EXACT results.

I also suggest that after you clean your system of any malware you should install WinXP SP2
and all post-SP2 updates. The following is indicative that IE is out of date and that you
are in need of MS Critical Updates to be installed on your PC!
- Windows XP SP1 (WinNT 5.01.2600)
- Internet Explorer v6.00 SP1 (6.00.2800.1106)

I strongly suggest blocking both TCP and UDP ports 135 ~ 139 and 445 on your Router and
performing the scans that I or Art suggested.
 
David H. Lipman - 24.09.2005 14:28 :

David, please help. Why does my Netscape 7.1 always show mainly your
postings in such a way as below (linefeed/carriage return)?:

-----
I suggest that you get a Cable/DSL Router such as the Linksys BEFSR41.
The NAT Router will
act as a simplistic FireWall and create a barrier against Internet
worms from accessing
your PC. There are many other benefits to such a device. One relates
to DSL if the ISP
uses PPPoE. Instead of having to use a PPPoE software connector on a
PC, the Router, not
the PC, will make the PPPoE connection.
 
From: "Peter Seiler" <[email protected]>

| David H. Lipman - 24.09.2005 14:28 :
|
| David, please help. Why does my Netscape 7.1 always show mainly your
| postings in such a way as below (linefeed/carriage return)?:
|
| -----
| I suggest that you get a Cable/DSL Router such as the Linksys BEFSR41.
| The NAT Router will
| act as a simplistic FireWall and create a barrier against Internet
| worms from accessing
| your PC. There are many other benefits to such a device. One relates
| to DSL if the ISP
| uses PPPoE. Instead of having to use a PPPoE software connector on a
| PC, the Router, not
| the PC, will make the PPPoE connection.
| -----
|
| Is it some kind of virus or does it depend on some kind of "special"
| Netscape or OE configuration? Thanks in advance for your kind response.
|
| --
| by(e) PS
| spam will be killed

I have NO idea Peter ! However, I truly doubt it is any form of infector but most likely a
limitation of Netscape 7.x

Maybe you should update to 8.03.x ?
ftp://ftp.netscape.com/pub/netscape8/english/8.0.3.3/windows/win32/
 
David said:
I have NO idea Peter ! However, I truly doubt it is any form of infector but most likely a
limitation of Netscape 7.x

Maybe you should update to 8.03.x ?
ftp://ftp.netscape.com/pub/netscape8/english/8.0.3.3/windows/win32/

David and Peter,

Netscape 8 is an AOL/Netscape browser, browser only, no email/NNTP client.

If you want to stick with Netscape, the latest (and last) is Netscape 7.2:

(http://browser.netscape.com/ns8/download/archive72x.jsp)

Seamonkey is the continuation of Netscape 7.2, and is in development as
an open source project:

(http://www.mozilla.org/projects/seamonkey/)

Or try Firefox with Thunderbird as your email/NNTP client:

(http://www.mozilla.org/)
(http://www.mozilla.org/products/thunderbird/)

You will find that if you are familiar with Netscape email/NNTP,
Thunderbird is a piece of cake.

Ron :-)
 
David H. Lipman - 25.09.2005 14:13 :
From: "Peter Seiler" <[email protected]>

| David H. Lipman - 24.09.2005 14:28 :
|
| David, please help. Why does my Netscape 7.1 always show mainly your
| postings in such a way as below (linefeed/carriage return)?:
|
| -----
| I suggest that you get a Cable/DSL Router such as the Linksys BEFSR41.
| The NAT Router will
| act as a simplistic FireWall and create a barrier against Internet
| worms from accessing
| your PC. There are many other benefits to such a device. One relates
| to DSL if the ISP
| uses PPPoE. Instead of having to use a PPPoE software connector on a
| PC, the Router, not
| the PC, will make the PPPoE connection.
| -----
|
| Is it some kind of virus or does it depend on some kind of "special"
| Netscape or OE configuration? Thanks in advance for your kind response.
|
| --
| by(e) PS
| spam will be killed

I have NO idea Peter ! However, I truly doubt it is any form of infector but most likely a
limitation of Netscape 7.x

THX for your kind reply.

Otherwise, could it be perhaps your OE? How many letters per line have
you configured?

A second thing is evident in your repostings: Normally my SIG line "-- "
and the two text lines under the SIG line should NOT be in your reposts.

Something must go wrong with my Netscape or your OE. Do you see your
postings and repostings within a thread totally ok? Please have a look. THX.
Maybe you should update to 8.03.x ?
ftp://ftp.netscape.com/pub/netscape8/english/8.0.3.3/windows/win32/

I'm planning to give Opera 8.5 (free!) a try.
 
From: "Peter Seiler" <[email protected]>

| David H. Lipman - 25.09.2005 14:13 :
|>> David H. Lipman - 24.09.2005 14:28 :
|>>
|>> David, please help. Why does my Netscape 7.1 always show mainly your
|>> postings in such a way as below (linefeed/carriage return)?:
|>>
|>> -----
|>> I suggest that you get a Cable/DSL Router such as the Linksys BEFSR41.
|>> The NAT Router will
|>> act as a simplistic FireWall and create a barrier against Internet
|>> worms from accessing
|>> your PC. There are many other benefits to such a device. One relates
|>> to DSL if the ISP
|>> uses PPPoE. Instead of having to use a PPPoE software connector on a
|>> PC, the Router, not
|>> the PC, will make the PPPoE connection.
|>> -----
|>>
|>> Is it some kind of virus or does it depend on some kind of "special"
|>> Netscape or OE configuration? Thanks in advance for your kind response.
|>>
|>> --
|>> by(e) PS
|>> spam will be killed
| THX for your kind reply.
|
| Otherwise, could it be perhaps your OE? How many letters per line have
| you configured?
|
| A second thing is evident in your repostings: Normally my SIG line "-- "
| and the two text lines under the SIG line should NOT be in your reposts.
|
| Something must go wrong with my Netscape or your OE. Do you see your
| postings and repostings within a thread totally ok? Please have a look. THX.
|
| I'm planning to give Opera 8.5 (free!) a try.
|
| --
| by(e) PS
| spam will be killed
|

As far as I am concerned (except for my typos which are embarrassing) when I read my posts
they look correct to me.
 