Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Alfacleaner Infection


  • Please log in to reply
1 reply to this topic

#1 DMoney

DMoney

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:00 PM

Posted 27 March 2006 - 10:56 PM

I have the AlfaCleaner spyware infection and couldnt figue out a way to get rid of it, here the scan and thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 10:49:54 PM, on 3/27/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139542363639
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

BC AdBot (Login to Remove)

 


#2 dknoppix

dknoppix

  • Members
  • 143 posts
  • OFFLINE
  •  
  • Local time:12:00 AM

Posted 28 March 2006 - 10:23 PM

Hello , welcome to the forum

Looks like you've been infected with Alfa Cleaner

Please do not delete anything unless instructed to.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Posted Image


Removal Instructions:
  • Print out these instructions as we will need to close every window that is open later in the fix.
  • Download SmitRem.exe. When downloading smitRem.exe save it to your desktop.

    Posted Image
  • Double-click on the smitRem.exe file.

    Posted Image

    Click on the Start button and the program will start extracting the files into a folder on your desktop called smitRem. When it is finished, click on the OK button. If you look on your desktop you will now see a folder called smitRem.
  • Download HijackThis and save it to your C:\ folder. We will use this program later.
  • Click on the Start button and then click Run.
  • Type control.exe in the Open: field and press enter on your keyboard.
  • When in the Control Panel double-click on the Add or Remove Programs icon.
  • Uninstall the following programs if present:

    AlfaCleaner.com
    Desktop Uninstall


    If any of the uninstallers ask you to reboot your computer, do not reboot at this time.
  • Next, please reboot your computer into Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
  • Now navigate to the folder that you extracted HijackThis to in an earlier step and double-click on HijackThis.exe.
  • When the program, press the Scan button has started put a checkmark next to each of these entries if they are present:

    O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
    O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe

  • Once you have put a checkmark in each of the above entries, press the Fix button, and then close HijackThis.
  • Delete the following files and folders if they exist (Do not be concerned if they do not exist):

    C:\Program Files\AlfaCleaner\
    C:\Windows\System32\intell321.exe
    C:\Windows\System32\voi640.exe
    C:\Windows\warnhp.html
    c:\winstall.exe
    C:\Windows\uninstDsk.exe
    C:\Windows\System32\voi271.exe

  • Open the smitRem folder on your desktop and the contents of the folder will be similar to the image below.

    Posted Image

    Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.
  • When the tool starts you will see a series of screens with information on them. Read each screen, and when you are finished reading it, simply press any key on your keyboard. After reading the various screens that appear, the program will start the removal process.

    If there is an uninstaller present for an infection found by smitRem, smitRem will start this uninstaller. Simply click on the Uninstall button and allow the uninstaller to finish. When it is completed, it will close automatically and smitRem will prompt you to continue. Now you should press any key to continue.

    When no more uninstallers can be found, the tool will continue. Your desktop will disappear and you will start seeing text scroll across the screen. This is normal and nothing to be concerned about. When smitRem has finished running it will automatically start the Disk Cleanup program as shown by the image below.

    Posted Image

    This program will remove all Temp, Temporary Internet Files, and empty your Recycle Bin in order to remove any leftover files installed by this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will be back at your desktop.
  • When the tool is finished, it will will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or the partition where your operating system is installed. Examining that log should show that the infection was cleaned.
  • Reboot your computer back to normal mode.
  • Start Internet Explorer and click on the Tools menu and then select the Internet Options menu option.
  • Click on the Programs tab and then click the Reset Web Settings button.
  • Press the Apply button and then OK.
  • Click on the Start button and then click Run.
  • Type control.exe in the Open: field and press enter on your keyboard.
  • When in the Control Panel double-click on the Display icon.
  • Click on the Desktop tab and then click on the Customize Desktop button.
  • Click on the Web tab and under Web Pages you should see an entry that says Security Info or something similar. If it is
    there, select the entry and press the Delete button.
  • Press the OK button and the Apply button and then the OK button again.
  • Reboot back into Windows and go [url=http://www.pandasoftware.com/products/activescan.htm]HERE to run Panda's ActiveScan
    • Once you are on the Panda site aclick the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, and the contents of smitfiles.txt by using Add Reply.
Let us know if any problems persist.

dk :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users