Can't remove worm.alcra variant

Discussion in 'Malware Help (A Specialist Will Reply)' started by mags, Apr 16, 2007.

  1. mags

    mags Private E-2

    Hi

    I have spent all day trying to remove the above, 2 of which are detected by SuperAntiSpyware each time I boot. Also, SuperAntiSpyware seems to open twice (two icons in task bar) and needs to install updates after every boot! I have tried the Malware removal guide, although haven't managed all stages. I was unable to find the view to upload the CounterSpy log file and only get error messages when I try to access BitDefender and Panda ActiveScan. I will try and attach GetRunKey and ShowNew logs, as well as HijackThis log. Any help would be appreciated as I need to do some work and am scared that using my laptop will make matters worse!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Try getting a log from CounterSpy in normal boot mode? If that does not work, then just uninstall CounterSpy and reboot. Then try using AVG AntiSpyware as instructed in the READ ME and attach a log from it. You can run it in normal boot mode.

    Can you please attach a log from SuperAntiSpyware?

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Also download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program

    Also please run this ChodeFix - How download and run and then attach a new log from GetRunKey and also from ShowNew!

    Have you been working this problem in another forum? I see MsnVirRem.exe on your Desktop which would imply that you are.

    Did you recently (on April 13th) use a tool to make tweaks to your TCPIP settings?
     
    Last edited: Apr 17, 2007
  3. mags

    mags Private E-2

    Hi

    Thank you for your reply.

    I managed to get the CounterSpy log in normal boot and will attach this. I will also attach the SuperAntiSpyware log. I have followed your instructions and new GetRunKey and ShowNew logs will be posted too.

    The MsnVirRem file was following my attempt to fix this problem and following a Google link. The advice to someone else was to run this and I thought I would try it.

    I am not sure if I made tweaks to TCPIP settings - would this have been EasyCleaner, perhaps?

    By the way, at last boot I got a message that boot scan was scheduled by antispyware. This appeared to run successfully, but I am not aware of scheduling it - should I be worried?

    Thanks again for your help. I await further comments.
     

    Attached Files:

  4. mags

    mags Private E-2

    More logs
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach them! ;) Please attach the new GetRunKey and ShowNew logs. Make sure they are NEW logs.
     
  6. mags

    mags Private E-2

    OK, will try again.

    Also, more recent runs of SuperAntiSpyware and CounterSpy show no probs.

    Thanks
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use Windows Explorer to navigate to the folder where you extracted ChodeFix.bat to. You will see a file named fixChode.reg. Double click on it and answer yes to add it into the registry. Tell me if you receive a success message! Then attach another new log from GetRunKey.
     
  8. mags

    mags Private E-2

    see attached
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not extract ALL of the files from the ChodeFix.zip file. You did not extract the swreg.exe file and that is why all those error messages occurred. Extract that file and run ChodeFix.bat again. Attach another fixchode.txt file. Did you run fixChode.reg by double clicking on it?

    Look for the below file and see if you can delete it:
    C:\WINDOWS\w0.exe
     
  10. mags

    mags Private E-2

    I think I have deleted C:\WINDOWS\w0.exe

    Should I try and extract all files from ChodeFix again?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can either extract all or just the one file. If you just extract the swreg.exe file make sure you extract it to the folder where the other files are already located.
     
  12. mags

    mags Private E-2

    I don't know if I am doing something wrong. I have extracted all, then double clicked swreg.exe which just opens then closes. Attached is the log from when I then double click ChodeFix.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No place in my instructions did I ask you to double click on swreg.exe. It did exactly what it should do if someone double clicks on it. ;)

    Look at the difference in this fixchode.txt log and the previous one and you will see that this time the batch file ran properly. Last time it could not find swreg.exe.

    You did not answer my question from message # 9:
    Run it again and confirm adding it to the registry! DID YOU GET A SUCCESS MESSAGE AT THE END!

    Now attach new logs from GetRunKey, ShowNew, and HJT
     
  14. mags

    mags Private E-2

    Sorry, I can't remember now if I ran fixChode.reg by double clicking but I think I did.

    When I double click fixChode.reg, I get:
    C:\Spyware Tools\fixChode.reg is not a valid Win32 Application

    A new icon for wri.exe has appeared on my desktop, which is one of the initial warning signs for me. None of the running applications are showing a problem though.

    New logs attached
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • It does not look like you ran HostsXpert that I requested in message # 2. Please run it.
    • Now uninstall CounterSpy since we are finished with it now
    • Is your copy of SuperAntiSpyware a paid or free trial version?
    • Now download the current ChodeFix.zip file from ChodeFix - How download and run
    • Then extract all files (4 of them) into the same folder as last time.
    • Locate the RegFix.bat file and double click on it.
    • Now run HijackThis and select (but do not fix yet) the below lines (note: I included items that you have in the Trusted Zone. We don't believe in having any site allowed to be totally trusted and it is rarely needed to access sites. I have nothing in the TZ and have never needed it. If you really need them (but I doubt it), you can skip those lines)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: ECHO is off.
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O15 - Trusted Zone: http://www.globalhighland.com
    O15 - Trusted Zone: http://jobsearch.monsterscotland.co.uk
    O15 - Trusted Zone: www.yell.com
    O15 - Trusted Zone: http://www.yell.com

    • After selecting the above lines close ALL browsers including this one you are reading
    • Then click Fix checked
    • Now attach new logs from GetRunKey and from HJT
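    As an added illustrative example (not a tool from this thread or from MajorGeeks): a small Python triage script that applies the selection criteria used in the post above to HijackThis log lines. The sample log is constructed from the lines quoted in the post; the OPTIONAL_STARTUP set and the flagging rules are my assumptions distilled from what the helper chose to fix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: ECHO is off.
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Example] C:\Example\example.exe
O15 - Trusted Zone: http://www.yell.com
"""

@dataclass
class Finding:
    line: str
    reason: str

# Assumption: vendor update schedulers the helper selected as non-essential startup items.
OPTIONAL_STARTUP = {"realsched.exe", "qttask.exe", "jusched.exe"}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\s+\S+")

def run_key_binary(body: str) -> Optional[str]:
    """Return the lower-cased executable name from an O4 Run-key entry, or None."""
    _, _, rest = body.partition("] ")
    rest = rest.strip()
    if not rest:
        return None
    path = rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()

def triage_line(line: str) -> Optional[Finding]:
    line = line.strip()
    section, _, body = line.partition(" - ")
    if section == "R0" and body.endswith("="):
        return Finding(line, "empty IE page setting, a typical leftover of a hijack")
    if section == "O1":
        entry = body.partition(":")[2].strip()
        # A genuine hosts entry is an IPv4 address plus a hostname; anything else
        # (here "ECHO is off.") means the hosts file is damaged and should be restored.
        return None if IPV4_RE.match(entry) else Finding(line, "malformed hosts file entry")
    if section == "O2" and body.endswith("(no file)"):
        return Finding(line, "orphaned BHO registration with no backing file")
    if section == "O4" and run_key_binary(body) in OPTIONAL_STARTUP:
        return Finding(line, "non-essential update scheduler in Run key")
    if section == "O15":
        return Finding(line, "site placed in the IE Trusted Zone, rarely needed")
    return None

def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]
```

Running triage_log(SAMPLE_LOG) flags six of the eight sample lines; the benign hosts entry and the unknown Run key are left alone for a human to review.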
     
  16. mags

    mags Private E-2

    I did run HostXpert before but have run again.
    CounterSpy now uninstalled.
    SuperAntispyware is free version.
    Other instructions followed and logs attached as requested.

    Thank you so much for assistance.
     

    Attached Files:

  17. mags

    mags Private E-2

    My wireless connection keeps dropping - is this connected to anything I have just done do you think :(
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your HJT log, it does not appear like you are fixing anything. Are you sure you clicked Fix checked after selecting all the lines! If you are sure you fixed things, we need to pursue the possibility that your multiple antispyware applications are causing us problems. Since SuperAntiSpyware is the free version uninstall it to avoid conflicts with Windows Defender. Then do the below to temporarily disable Windows Defender while we fix problems.

    Disable Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Once your log is clean you can re-enable Windows Defender Real Time Protection.

    Now go back and run my previous instructions from the part where I have you run HijackThis. Make sure you select the lines and also remember to click Fix checked. Then reboot and then attach a new HJT. Make sure you are not blocking any changes via your Symantec software too.


    Nothing we are doing has anything to do with your wireless connection.
     
  19. mags

    mags Private E-2

    I am pretty sure I did click fix checked.

    SuperAntispyware now deleted and Windows Defender instructions followed (although it appeared to be switched off and I had to switch on to follow instructions!).

    I reran HijackThis but the only entry still there to check was the first R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    I am not sure how to make sure Symantec is not blocking any changes. I have not had any error messages from Norton.

    I will now attach the HJT log from when I rebooted (now) then run it again and attach another - just in case I gave you an out of date log before.

    Thanks again for assistance.
     

    Attached Files:

  20. mags

    mags Private E-2

    OK that didn't work - looks like you only got the second HJT log. Hope that is OK.

    By the way - network less temperamental now, just panicked earlier because I couldn't post replies (sorry).
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now it looks like you got everything fixed! Go back and re-enable your Windows Defender protection now.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  22. mags

    mags Private E-2

    Thank you so much.

    Everything seems to be fine now, in fact I hadn't realised how slow my laptop was running but now it seems so fast!

    The service you provide is brilliant! How do you keep it free? Are donations accepted to help keep it free?

    Thank you again.

    Mags
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    The forums are graciously provided for free by the owners of Major Geeks (Major Attitude and Corporal Punishment as seen in the About link on the main page). To help keep it free, you can support them by doing all of your downloading and purchasing of software via links from the file systems on the main page (www.majorgeeks.com). Also send your friends to those pages too. All downloads are tested before being made available on the site.
     
