Help, win32/alcan.d, it doesn't go away

A few weeks ago I open a corrupt file and it ended up infecting my computer… long story short, I was able to get rid of all of the worms and viruses, except for the worm: win32/alcan.d… it just kept appearing whenever I do a scan with the “Malicious Software Removal Tool” of MS, and it doesn’t appear in the Avast scans or in any other anti-virus or ad-aware programs that I have. How do I finally can get rid of it?

If a virus is replicant (coming and coming again), you should:

  1. Enable/Disable System restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k.

  2. Clean your temporary files. You can use the Windows Advanced Care features for that.

  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run other trojan remover tools: a-squared, Free AVG Antispyware or SUPERantispyware (trojan removers). Some users recommend Spyware Terminator.

  5. Use the immunization of [url=SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. You can’t do this with the file in the chest, you will need to move it out.

If it is a valid detection, help avast improve its detections and send the sample to virus@avast.com zipped and password protected with password in email body and undetected malware in the subject.

See here:

http://forum.avast.com/index.php?topic=24955.msg204397#msg204397

Until this point the worm only appears when I do a scan with the Microsoft Malicious Software Removal Tool… and this scan doesn’t show me an specific infected file, it just tells me it found win32/alcan.d and it partially remove it… the worm does not appear on a Avast scan.

Does it appear in other antitrojan applications?
Please, download, install, update and run other trojan remover tools: a-squared, Free AVG Antispyware or SUPERantispyware (trojan removers). Some users recommend Spyware Terminator.

Have you tried the removal instructions in the link above?

OK… the Brute Force Unistaller did the job, the Alcan.d is no longer appearing anymore on the MS Malicious Software Removal Tool scans… I’m posting a HJT log so you guys can check if I’m free and clear… Thanks a lot for all your help.

I reckon this is a baddie:

O4 - HKLM..\Run: [{C8B863EB-0D3F-1033-0110-050405120001}] “C:\Program Files\Common Files{C8B863EB-0D3F-1033-0110-050405120001}\Update.exe” mc-110-12-0000137

Can you find the file? If you can, submit it to VirusTotal and see what the scanners there say. I’m pretty sure it’s nothing good, and something you need to fix with HijackThis!, but check it out just to be sure.

If as Frank said you can find the file and it is detected as malware at virustotal also send a sample to avast virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest and send it from there (right click, email to Alwil Software).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a either a new, undetected virus and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

OK I scan the file on Virus Total, a lot of bad stuff came up… I ran a HJT scan and fix the file with it… I ran another scan with HJT and the file was no longer on the log… All the scans I’ve made with Ad-Aware, Avast & Malicious Software Removal Tool turn out clean… Thanks again

You’ll need to update Java. I recommend you run the Secunia Software Inspector. It will provide a link to update Java, and also inform you of anything else that needs updating.

http://secunia.com/software_inspector/