Re: alcan A or a dropper?
- From: "cquirke (MVP Windows shell/user)" <cquirkenews@xxxxxxxxxxxxxxx>
- Date: Sat, 30 Sep 2006 23:17:41 +0200
On Sat, 30 Sep 2006 12:49:39 -0500, "Shenan Stanley" wrote:
thunderstruck_302 wrote:
Hi. I'm having a fairly large problem that's probably going to
require a bit of attention for a little while. I have Ad-Aware SE
Pro and Norton AntiVirus 2006, both with updated definitions. I
used both of them because I am getting constant popups for
"winantivirus" and "winantivirus pro 2006". I got rid of everything
that showed on Norton (which were other, smaller viruses) but
Ad-Aware SE Pro showed Win32.P2P-worm.Alcan.A in the system32
folder. Obviously they're invisible to me and I can't see them by
going there, and, I can fix it on Ad-Aware, but the thing comes up
again when I do a scan after restarting. So, OK, it's a really
advanced virus I guess that you have to do more in order to get rid
of. (although my local computer store says it could be a dropper as
well)...
My goal HERE is to find out how to remove this alcan.A thing, or to
find out if there is a dropper and how to get rid of it. I've tried
googling it, but it seems that everyone that gets this virus has to
go about deleting it in their own way. No two fixes are the same
because people get the viruses from different sources. Thanks in
advance for any help you can provide.
Your best bet - backup your important data (files, folders, installation
media/product keys, email, favorites, contacts, pictures, music, etc..) and
start the machine fresh.
Now before someone jumps in and says, "That's horrible advice" <- it's for
*this case only*.
I've just wrapped up one of these, and it was easier this time than an
earlier SpyAxe case. I did it starting with Bart CDR boot etc. and
did SpyBot, AdAware and Ewido in Safe Cmd, etc. and this time there
wasn't anything running around. So yes, it's doable; just not easy
because MS still pretends "Safe Mode" is safe and/or you'd never need
to disinfect your PC, so they don't give you a suitable platform to
work from. A bit like trying to climb into Apollo without a gantry.
If you have something you do not feel you are capable of
getting rid of and neither do those who you might pay to get rid of it for
you - your best bet is to rebuild that system from scratch.
You should be able to find a tech who can sort this out, unless tech
standards are worse than I'd hope. Look for someone with a particular
interest in malware cleanup - it won't be every tech's thing.
Microsoft has these suggestions for Protecting your computer from the
various things that could happen to you/it:
Protect your PC
http://www.microsoft.com/security/protect/
Outfitting a new computer for the Net
http://www.microsoft.com/athome/security/update/newcomputer.mspx
Getting started with a new PC
http://www.microsoft.com/athome/moredone/yournewpc.mspx
Let's take the cleanup of your computer step-by-step.
Yes, it will take up some of your time - but consider what you use
your computer for and how much you would dislike it if all of your
stuff on your computer went away because you did not "feel like"
performing some simple maintenance tasks.
I'll mainly work around Windows XP, as that is what the bulk of this
document is about; however, here are some places for you poor souls
still stuck in Windows 98/ME where you can get information on
maintaining your system:
Windows 98 and 'Maintaining Your Computer':
http://www.microsoft.com/windows98/usingwindows/maintaining/
Windows ME Computer Health:
http://www.microsoft.com/windowsME/using/computerhealth/articles/
Pay close attention to the sections (in order):
- get off all networks
- Clean up your hard disk
- Check for errors by running ScanDisk
- Defragment your hard disk
- Roll back the clock with System Restore
I don't think I'd want to roll back via SR if that undid the cleanup!
Tip (1):
Locate all of the software you have installed on your computer
(the installation media - CDs, downloaded files, etc).
Collect these CDs and files together in a central and safe
place along with their CD keys and such. Make backups of these
installation media sets using your favorite copying method.
Tip (2):
Empty your Temporary Internet Files and shrink the size it stores to a
size between 128MB and 512MB.
I shrink to 20M. If the connection's fast enough to populate a 20M
cache within a few days, it's fast enough not to need caching.
I tend not to purge TIF until after I've done scanning, but I'd clear
them before running normal Windows. On the one hand, TIF may contain
missed malware; on the other hand, it may contain cues that help
scanners find malware.
Tip (3):
If things are running a bit sluggish and/or you have an older system
(1.5GHz or less and 256MB RAM or less) then you may want to look into
tweaking the performance by turning off some of the 'resource hogging'
Windows XP "prettifications". The fastest method is:
If < 512M in XP, set minimum and maximum page file size to 512M after
your defrag. Else XP will under-estimate how much page space you will
need (it uses an absurd "X x RAM size" logic, so assigns 192k or so if
you're 128M, etc. Nuts.)
Tip (4):
Understanding what a good password might be is vital to your
personal and system security. You may think you do not need to password
your home computer, as you may have it in a locked area (your home) where
no one else has access to it. Remember, however, you aren't always
"in that locked area" when using your computer online.
...thanks to XP's "isn't everything one big network?" mindset!
If using XP Pro, you may be better off with NO account password at
all, than a weak (or even moderately strong) password. This is
because XP Pro will expose all HDs for full write access via hidden
admin shares if the account password is anything other than null.
There's a strong case to be made for disabling these hidden admin
shares - but beware, they may be re-enabled behind your back.
See http://cquirke.mvps.org/pwdssuch.htm on passwords. Don't rely on
them if you can simply rip out the risks you don't need instead.
Also - many people complain that they just cannot remember the passwords
for all the sites they have - so they choose one password and use it for
everything. Not a good idea. A much better method would be to use a
Password Management tool.
I might try that, because I have a problem remembering multiple
frequently-changed unguessable passwords, as "good practice" demands.
KeePass Password Safe
http://keepass.sourceforge.net/
Hm... wouldn't a fake password holder be a fun place to find malware?
Tip (5):
This tip is also 'questionable' in the one time section; however -
if properly setup - this one can be pretty well ignored for most people
after the initial 'fiddle-with' time.
Why you should use a computer firewall..
http://www.microsoft.com/athome/security/viruses/fwbenefits.mspx
You should, in some way, use a firewall. Hardware (like a nice
Cable Modem/DSL router) or software is up to you. Many use both.
I've been using NAT router + XP's firewall, or Kerio if Win2000. I
haven't been as stressed about firewalling Win9x (less fire to wall).
Tip (6):
The system restore feature is a useful one - first appearing in Windows
ME and then sticking around for Windows XP. It is only a useful
feature if you keep it maintained and use it to your advantage.
Remember that the system restore pretty much tells you in the name
what it protects which is 'system' files. Your documents, your
pictures, your stuff is NOT system files - so you should also look
into some backup solution.
Also, there can be problems when what is in fact data gets grabbed by
SR, as has happened to Sony victims. They do a System Restore, and
lo! They aren't allowed to play their music any more, thanks to DRM.
Then again, anyone still using Sonyware by now just has to resign
themselves to never-ending pain. Rootkits aside, the Connect Player
that you're forced to use with their music player hardware is so
buggy, it's really sub-Alpha - and you can't get older SonicStage or
whatever it's called, and the new version of that is CP again.
Too many times have I seen the system restore files go corrupt or get
a virus in them, meaning you could not or did not want to restore from
them. By clearing it out periodically you help prevent any corruption
from happening and you make sure you have at least one good "snapshot".
(*This, of course, will erase any previous restore point you have.*)
I solve this issue slightly differently:
- reduce capacity assigned to SR on C:
- disable SR on any HD data-only volumes, if applicable
- after a successful malware cleanup, set a new SR point
- then use Disk Cleanup, Advanced to clear all older data
SR is your only source of backed-up registry hives, so I never turn it
off completely for C:. The above strategy lets me keep SR backups
throughout the malware cleaning process, while getting rid of that
infected material once I'm clean and stable.
- Turn off System Restore.
http://support.microsoft.com/kb/310405
- Reboot the Computer.
- Review the first bullet to turn on System Restore
- Make a Manual Restoration Point.
I don't like that approach, as it may throw out any per-volume
disables and capacity limit changes. I'd rather set a new point and
then purge all the older ones via Disk Cleanup.
That covers your system files, but doesn't do anything for the files
that you are REALLY worried about - yours!
Backup's too big a topic to get into here. It's easy to have backups
you can't (or dare not) restore... so "just backup" is NOT a
substitute for other maintenance and data recovery.
Tip (7):
You should sometimes look through the list of applications that are
installed on your computer. The list may surprise you. There are more
than likely things in there you know you never use.
Your biggest needless risk will be Windows features you don't use.
If you don't use it, you also don't understand it, patch it, set it up
properly, check that it hasn't been broken or abused, etc.
Tip (8):
Patches and Updates!
This one cannot be stressed enough. It is SO simple, yet so neglected
by many people. It is really simple for the critical Microsoft patches!
Microsoft put in an AUTOMATED feature for you to utilize so that you do
NOT have to worry yourself about the patching of the Operating System:
Not nice if you pay per second for dial-up access... usually such
systems have to wait for a passing warez CDR or visit to a nearby chum
with broadband to catch up with SPs and other big lumps. The risks in
sourcing updates from such channels should be obvious.
Windows is not the only product you likely have on your PC. The
manufacturers of the other products usually have updates.
Not all vendors are as trustworthy as MS, and many will throw out your
protective settings whenever they "just" update themselves. Top of
the list of untrustworthy vendors is peer-to-peer file sharing clients
(especially Kazaa), with media players (Real, Apple etc.) close
behind. Watch your back with Windows Media Player re-versions too.
You also have hardware on your machine that requires drivers to interface
with the operating system. You have a video card that allows you to see on
your screen, a sound card that allows you to hear your PCs sound output and
so on. Visit those manufacturer web sites for the latest downloadable
drivers for your hardware/operating system.
No, I would not do that.
Driver code runs low enough to really screw things up if it goes
wrong, so unless I have a very good reason, I never update drivers.
The same applies to BIOS updates; too risky to mess with.
Always get the manufacturers' hardware driver over any Microsoft offers.
Agreed!
As for Service Pack 2 (SP2) for Windows XP, Microsoft has made this
particular patch available in a number of ways. First, there is the
Windows Update web page above. Then there is a direct download site.
Direct Download of Service Pack 2 (SP2) for Windows XP
http://snipurl.com/8bqy
Order Windows XP Service Pack 2 on CD
http://snipurl.com/d41v
If all else fails - grab the full download above and try to use that.
In this case - consider yourself an 'IT professional or developer'.
What they have not done, is provide an easy way to re-generate your XP
installation CD to include SP2, so that Recovery Console will still
work and so that "just" re-installing Windows doesn't throw you back
to no firewall, no RPC and LSASS patches, and data corruption if your
hard drive is over 137G in capacity.
Tip (9):
What about the dreaded word in the computer world, VIRUS?
Most of today's malware is non-viral, so one tends to forget about
true viruses... but they still occur.
AntiVir (Free and up)
http://www.free-av.com/
avast! (Free and up)
http://www.avast.com/
AVG Anti-Virus System (Free and up)
http://free.grisoft.com/
eset NOD32 (~$39.00 and up)
http://www.eset.com/products/products.htm
eTrust EZ Antivirus (~$29.95 and up)
http://ca.com/store/home/us/hp2/
Kaspersky Anti-Virus (~$49.95 and up)
http://www.kaspersky.com/products.html
McAfee VirusScan (~$11 and up)
http://www.mcafee.com/
Panda Antivirus Titanium (~$39.95 and up)
http://www.pandasoftware.com/
(Free Online Scanner: http://www.pandasoftware.com/activescan/)
RAV AntiVirus Online Virus Scan (Free!)
http://www.ravantivirus.com/scan/
Symantec (Norton) AntiVirus (~$11 and up)
http://www.symantec.com/nav/nav_9xnt/
Trend Micro (~$49.95 and up)
http://www.trendmicro.com/en/home/us/personal.htm
(Free Online Scanner:
http://housecall.trendmicro.com/housecall/start_corp.asp)
Unless uploading a single un-opened suspect file to be scanned, I
don't see a safe role for online scanners. I don't want some site's
dropped code sifting through all my files when I'm online, thanks.
Make sure you have only one av active, i.e. running as a resident
scanner. You can use additional av only as long as they are purely
on-demand, as is the case with BitDefender 8 (free).
Most of them have automatic update capabilities. You will have to
look into the features of the one you choose. Whatever one you finally
settle with - be SURE to keep it updated (I recommend at least daily) and
perform a full scan periodically (yes, most protect you actively, but a
full scan once a month at 4AM probably won't bother you.)
If you have to rely on a full system scan to find and kill active
malware, your defenses have failed. Once active, malware can break
your av, and attempting to kill it might provoke a payload.
Tip (10):
The most rampant infestation at the current time concerns SPYWARE/ADWARE.
You need to eliminate it from your machine.
There is no one software that cleans and immunizes you against
everything. Antivirus software - you only needed one. Firewall, you
only needed one. AntiSpyware - you will need several. I have a list and
I recommend you use at least the first five.
I need to get more of these into my Bart system... I'd love to add
Ewido and A2 to AdAware and Spybot.
First - make sure you have NOT installed "Rogue AntiSpyware".
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Amen!
Lavasoft AdAware (Free and up)
http://www.lavasoft.de/support/download/
(How-to: http://snipurl.com/atdn )
Spybot Search and Destroy (Free!)
http://www.safer-networking.net/en/download/index.html
(How-to: http://snipurl.com/atdk )
Bazooka Adware and Spyware Scanner (Free!)
http://www.kephyr.com/spywarescanner/
(How-to: http://snipurl.com/ate3 )
SpywareBlaster (Free!)
http://www.javacoolsoftware.com/sbdownload.html
(How-to: http://snipurl.com/ate6 )
Spyware Blaster's not a scanner, so it meshes really well with the
other tools - tho some have similar in-built features.
IE-SPYAD2 (Free!)
https://netfiles.uiuc.edu/ehowes/www/resource.htm
(How-to: http://snipurl.com/ate7 )
CWShredder Stand-Alone (Free!)
http://www.intermute.com/spysubtract/cwshredder_download.html
Hijack This! (Free!)
http://www.spywareinfo.com/~merijn/downloads.html
(Log Analyzer: http://hjt.iamnotageek.com/ )
ToolbarCop (Free!)
http://windowsxp.mvps.org/toolbarcop.htm
Ccleaner (Free!)
http://www.ccleaner.com/
Browser Security Tests (Free Tester)
http://www.jasons-toolbox.com/BrowserSecurity/
Popup Tester (Free Tester)
http://www.popuptest.com/
The Cleaner (~$49.95 and up)
http://www.moosoft.com/
Quite a list - I'd add Ewido 4 (now free, and very good) and I'd
consider A Squared based on repute (I haven't tried it yet). Windows
Defender from MS is good too, but of limited value when cleaning
infected systems, as it can't install in Safe Mode and can't Bart.
Sometimes you need to install the application and reboot into SAFE MODE in
order to thoroughly clean your computer.
Safe Mode's like dabbing yourself in paraffin instead of drenching
yourself in gasoline before lighting a cigarette - it's safer than
normal Windows, but by no means can it be relied on to prevent all
malware from running. Use Bart for that, difficult as that may be.
Another option is to use an alternative Web browser. I suggest
'Mozilla Firefox', as it has some great features and is very easy to use:
Agreed - but remember, any edge-facing sware you add (Firefox, Sun
Java, Acrobat Reader, Winamp) has to be updated regularly, and this
won't be done via Windows Update. Always uninstall old Java before
installing a new one! Firefox and the rest are OK to install
over-old, it's only Sun who don't "get" what patching's all about.
Tip (11):
You should periodically check your hard drive(s) for errors and defragment
them. Only defragment after you have cleaned up your machine and
never defragment as a solution to a quirkiness in your system.
Amen! Defrag makes a healthy system fitter, but can kill the weak.
Tip (12):
SPAM! JUNK MAIL!
This one can get annoying, just like the rest. You get 50 emails in one
sitting and 2 of them you wanted. NICE! (Not.) What can you do?
Never give out your real email address
Set up multiple aliases to your real email address
Use different aliases in different contexts
Filter each alias to particular mailboxes
Filter in any remaining elists etc. you want
What's left in the In box will be 99% junk
Always use BCC: if sending to more than 5 recipients
Tip (13):
There are lots of services on your PC that are probably turned on by default
that you don't use. Be CAREFUL what you set to manual.
Amen. The only service I kill is the MDM (Machine Debug Manager). I
do set RPC's Recovery tab to restart the service (not the whole PC)
whenever it falls over (as it tends to do when exploited).
------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
------------ ----- --- -- - - - -
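Two of the points above are settings a defender can simply audit rather than take on trust: the hidden administrative shares that Tip (4) warns get re-enabled "behind your back", and the RPC service's Recovery action mentioned under Tip (13). The script below is an added example, not from this thread or from either poster; it assumes a current Windows host with PowerShell 5 or later (the XP machines discussed in the thread would not run it), an elevated session, and it only reads state and reports, changing nothing.

```powershell
# Added example (not from the thread): read-only audit of hidden admin shares
# and the RpcSs failure-recovery action. Assumes PowerShell 5+, run elevated.

function Get-AdminShareStatus {
    # Administrative shares carry names such as C$, D$, ADMIN$ and IPC$.
    $adminShares = Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Name -match '^[A-Za-z]\$$|^ADMIN\$$|^IPC\$$' }

    # LanmanServer re-creates the default shares every time it starts unless
    # AutoShareWks (workstation SKUs) or AutoShareServer (server SKUs) is 0.
    # A deleted share therefore comes back after a reboot if this value is
    # not set, which is the "re-enabled behind your back" effect.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks = (Get-ItemProperty -Path $params -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
    $srv = (Get-ItemProperty -Path $params -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer

    $driveShares = @($adminShares | Where-Object { $_.Name -match '^[A-Za-z]\$$' } |
        Select-Object -ExpandProperty Name)
    $otherShares = @($adminShares | Where-Object { $_.Name -notmatch '^[A-Za-z]\$$' } |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        DriveAdminShares  = $driveShares
        OtherAdminShares  = $otherShares
        AutoShareWks      = $wks
        AutoShareServer   = $srv
        # Only an explicit 0 disables re-creation; a missing value is the default.
        AutoShareDisabled = (($wks -eq 0) -or ($srv -eq 0))
    }
}

function Get-RpcRecoveryStatus {
    # sc.exe qfailure prints the configured failure actions for a service;
    # the Recovery tab in services.msc edits the same data.
    $text = (& sc.exe qfailure RpcSs 2>&1) -join "`n"
    [pscustomobject]@{
        Service         = 'RpcSs'
        RestartsService = ($text -match 'RESTART')
        RebootsComputer = ($text -match 'REBOOT')
        RawOutput       = $text
    }
}

$shares = Get-AdminShareStatus
$rpc    = Get-RpcRecoveryStatus

"Drive admin shares present : $($shares.DriveAdminShares -join ', ')"
"Other admin shares present : $($shares.OtherAdminShares -join ', ')"
"AutoShareWks / AutoShareServer : $($shares.AutoShareWks) / $($shares.AutoShareServer)"

if ($shares.AutoShareDisabled -and $shares.DriveAdminShares.Count -gt 0) {
    # The registry says "do not auto-create", yet drive shares exist now:
    # something other than LanmanServer's start-up logic put them back.
    Write-Warning 'Auto-sharing is disabled in the registry but drive admin shares exist - they were re-created by something else.'
}
elseif (-not $shares.AutoShareDisabled -and $shares.DriveAdminShares.Count -eq 0) {
    Write-Warning 'Drive admin shares are absent but will return at the next LanmanServer start (AutoShare* not set to 0).'
}

"RpcSs recovery: restarts service = $($rpc.RestartsService); reboots computer = $($rpc.RebootsComputer)"
```

Run it once after a cleanup to record the baseline, then again after any software update of the kind the thread warns about; a change in either block of output is the cue to look at what touched LanmanServer's parameters or the RpcSs failure actions. Note that the script reports a missing AutoShare value as "not disabled" deliberately, since deleting the share without setting the value only hides it until the next reboot.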