Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

!@#$% Alpha Cleaner


  • Please log in to reply
12 replies to this topic

#1 DevilWo

DevilWo

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 29 March 2006 - 08:39 AM

Hi,
I'm new here so I hope I'm doing this right. For the past month or so my virus protection keeps "finding and blocking" alpha cleaner. I've tried everything to get rid of this <expletive> program to no avail. I think I finally found the problem in my registry. There's a folder there "Legacy alfa claner" or something similar and no matter what I try, it will NOT delete. If someone could help me get rid of this program I'd be forever greatful. The virus protection blocks it at LEAST 100 times a day. Here is my Hijack log.
Thanks in advance,
Shar

Logfile of HijackThis v1.99.1
Scan saved at 8:21:20 AM, on 3/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\Common Files\AOL\1141171544\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\Program Files\Common Files\AOL\1141171544\ee\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\files we downloaded\Spyware Doctor\sdhelp.exe
C:\Program Files\files we downloaded\Spyware Doctor\swdoctor.exe
c:\program files\common files\aol\1141171544\ee\aolssc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\FILES WE DOWNLOADED\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\files we downloaded\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\FILESW~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\FILESW~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O4 - HKLM\..\Run: [MPFEXE] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1141171544\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\files we downloaded\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\FILESW~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\FILESW~1\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\FILESW~1\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\files we downloaded\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:12 PM

Posted 02 April 2006 - 07:23 AM

Hi there and welcome to Bleeping Computer ! :thumbsup:

As you may have noticed already, the forums are very busy at the moment and i have noticed your log has gone unanswered so far!

We look at the oldest logs first, and we were wondering that if you still need help, please start by posting a new HijackThis log in this topic and i will then be able to take a look!

Thanks very much :flowers:

David

#3 DevilWo

DevilWo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 02 April 2006 - 12:38 PM

Thanks David, I was starting to wonder if there was anyone out there lol
Here's the new log!
Shar

Logfile of HijackThis v1.99.1
Scan saved at 1:36:08 PM, on 4/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\Common Files\AOL\1141171544\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\Program Files\Common Files\AOL\1141171544\ee\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\Program Files\files we downloaded\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
c:\program files\common files\aol\1141171544\ee\aolssc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\FILES WE DOWNLOADED\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\files we downloaded\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\FILESW~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\FILESW~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MPFEXE] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1141171544\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\FILESW~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\FILESW~1\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\FILESW~1\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://www.bigfishgames.com/online/trijinx...nx.1.0.0.55.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\files we downloaded\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:12 PM

Posted 02 April 2006 - 01:39 PM

Hello DevilWo

I don't actually see much wrong in your log. There are a few entries I want you to delete. Although parts of Big Fish Game are not technically malware, it is known to come bundled with spyware, and most security experts remove it. I would recommend you also do this.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O2 - BHO: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Big Fish Games - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://www.bigfishgames.com/online/trijinx...nx.1.0.0.55.cab


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

Now on to the main topic...AlphaCleaner. What I need you to do is to tell me what the scanner is finding...is it a file or a registry entry? Also what scanner are you using? What steps did you use to try to remove the program? Let's run Panda scan and see what malware it finds:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new Hijackthis log.
David

#5 DevilWo

DevilWo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 03 April 2006 - 07:12 PM

David,

OK, redid the hijack scan and a panda scan. they are posted below. I believe that what the scan says about alpha cleaner is "has found and blocked alpha cleaner". I use Mcafee, which is provided, along with firewall protection, by AOL (AOL safety and security center). What I've tried to rid myself of the "bleeping" program....I can't BEIGN to tell you. I've tried every spyware/malware program I know of and I've tried amlost everything I've found on the web, in any forum or scan program, that has a removal solution for this. Obviously, my computer thinks it's special cuz none of them have worked!
I've also done a search through everything on my computer for anything remotely close to alfa or alpha cleaner. The only thing I'm finding now is in my registry. In HKLM/system/current control set/control/enum/root
I'm finding a folder called LEGACY_ALPHACLEANER in which there is a folder named 0000. In THAT folder, on the right hand side are the following:

NAME TYPE DATA

(Default) REG_SZ (value not set)
Capabilities REG_DWORD 0x00000000 (0)
Class REG_SZ LegacyDriver
ClassGUID REG_SZ {8ECC055D-047F-11D1-A537-0000F8753ED1}
ConfigFlags REG_DWORD 0x00000000 (0)
DeviceDesc REG_SZ alfacleaner
Legacy REG_DWORD 0x00000000 (1)
Service REG_SZ alfacleaner

This was found with a manual search, it didn't show up with a "find" search of the registry.
I'm assuming those should not be there and might be what's left of my problem? By the way, none of them will delete, nor can I do a rename then delete.

Here's the Hijack log, followed by Panda.
Thanks!
Shar

Logfile of HijackThis v1.99.1
Scan saved at 4:53:04 PM, on 4/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\Common Files\AOL\1141171544\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\Program Files\Common Files\AOL\1141171544\ee\aolsoftware.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\Program Files\files we downloaded\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\FILES WE DOWNLOADED\Azureus\Azureus.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\FILES WE DOWNLOADED\eDonkey2000\edonkey2000.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\common files\aol\1141171544\ee\aolssc.exe
C:\Program Files\FILES WE DOWNLOADED\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\files we downloaded\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\FILESW~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\FILESW~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MPFEXE] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1141171544\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\FILESW~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\FILESW~1\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\FILESW~1\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1141171544\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\files we downloaded\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

PANDA SCAN - I usually delete cookies but figured I'd leave them just in case



Incident Status Location

Adware:adware/wupd Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@ads.pointroll[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@as-us.falkag[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@bluestreak[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@bravenet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@casalemedia[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@centrport[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@go[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@maxserving[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@statcounter[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@target[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@tribalfusion[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@zedo[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@ads.pointroll[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@as-us.falkag[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@bluestreak[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Mike & Shar\Cookies\mike & shar@bravenet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@casalemedia[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@centrport[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@dist.belnk[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@go[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@maxserving[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@statcounter[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@target[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@tribalfusion[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\"MY NAME"\Cookies\"MY NAME"@zedo[1].txt
Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\Documents and Settings\"MY NAME"\Desktop\"MY NAME"\sf241\Myriad ( karaoke4u).zip[myriad.dll]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\"MY NAME"\Desktop\smitRem\Process.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\"MY NAME"\Local Settings\Temp\Cookies\"MY NAME"@2o7[1].txt
Adware:Adware/IST.ISTBar Not disinfected C:\RECYCLER\S-1-5-21-4042830210-2999732989-294780835-1005\Dc37.zip[YSB_toolBar.exe]
Adware:Adware/IST.ISTBar Not disinfected C:\RECYCLER\S-1-5-21-4042830210-2999732989-294780835-1005\Dc46.zip[YSB_toolBar.exe]

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:12 PM

Posted 04 April 2006 - 04:02 AM

Hi DevilWo

These keys you are talking about are harmless:
LEGACY_ALPHACLEANER

They can't affect your system in anyway and are normally just orphaned left overs from a previous infection. These legacy keys often have protection which means they often cannot be deleted. I think we should do a registry search for alphacleaner and see what we get. The Panda Scan hasn't shown anything major, but we can deal with the few discrepancies later.

Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.

RegSearch Options File

[Search]
AlphaCleaner
Alpha Cleaner
wupd
[Exclude]

[Options]
Filter=KVDLUI


* Download Registry Search and extract it. Doubleclick the icon to run and click on "Import...". Select the file you created above. Click "OK" and Registry Search will search the Registry and report what it finds. Post that here.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Next can you tell me what you know about the following file:

C:\Documents and Settings\"MY NAME"\Desktop\"MY NAME"\sf241\Myriad ( karaoke4u).zip

I'm pretty sure it can be deleted, but I just want to confirm with you before doing so. So please post back with the regsearch log and we can go from there. Also post the infomation regarding the above file.

David

#7 DevilWo

DevilWo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 04 April 2006 - 05:16 PM

Hi David,

Here are the results of the regsearch:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.0.1

; Results at 4/4/2006 5:54:32 PM for strings:
; 'alphacleaner'
; 'alpha cleaner'
; 'wupd'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\MusicMatch\MusicMatch Jukebox\4.0\MainApp]
"LastSWUpdateDate"="3-2-2006"
"SWUpdateInterval"=dword:0000001e
"SkipSWUpdates"=dword:00000000

; End Of The Log...

The file you asked about: "C:\Documents and Settings\"MY NAME"\Desktop\"MY NAME"\sf241\Myriad ( karaoke4u).zip" doesn't seem to be on here anymore so I am assuming it was something my husband had on here and has removed. (he DJ's at work so anything that says "karaoke" is his.)

Shar
PS.....My virus protection is still catching alpha cleaner on a regular basis.

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:12 PM

Posted 05 April 2006 - 02:53 AM

Hi there,

We did the regsearch script wrong unfortunley. The topic of this title made me think alphacleaner was spelt like that. As we didn't get any results, i checked and it's actually spelt alfacleaner!

Please run the regsearch again using the following script:

RegSearch Options File

[Search]
AlfaCleaner
Alfa Cleaner
[Exclude]

[Options]
Filter=KVDLUI

Please post back with that log.
David

#9 DevilWo

DevilWo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 05 April 2006 - 07:55 AM

David,
No problem, it's spelled either way depending on where you see it. I never know which spelling to use either. Here's the new regsearch log. I'm going to be out of town till Friday so don't think I've given up, I haven't. I'll get this stupid thing off my computer come hell or high water!
Shar
PS...I found alfacleaner in my start up folder in the registry and deleted it. I haven't seen the scanner block anything in the last hour.....of course, it may just be teasing me.
PPS....I'm editing this an hour later......it was teasing, but then, I haven't rebooted either

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.0.1

; Results at 4/5/2006 8:50:59 AM for strings:
; 'alfacleaner'
; 'alfa cleaner'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ALFACLEANER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ALFACLEANER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ALFACLEANER\0000]
"Service"="alfacleaner"
"DeviceDesc"="alfacleaner"

Edited by DevilWo, 05 April 2006 - 08:43 AM.


#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:12 PM

Posted 06 April 2006 - 04:03 AM

Hi DevilWo

Please download the following attachment and save it to your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

[attachment=790:attachment]
Then please reboot and run RegSearch again using the previous instructions withe options.txt file with ALFACLEANER not ALPHACLEANER

David

Edited by D-Trojanator, 06 April 2006 - 04:03 AM.


#11 DevilWo

DevilWo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 07 April 2006 - 04:28 PM

Have a great time in Spain!!

Here's the new regsearch log for when ya get back.
Shar

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.0.1

; Results at 4/7/2006 5:25:20 PM for strings:
; 'alfacleaner'
; 'alfa cleaner'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ALFACLEANER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ALFACLEANER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ALFACLEANER\0000]
"Service"="alfacleaner"
"DeviceDesc"="alfacleaner"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ALFACLEANER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ALFACLEANER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ALFACLEANER\0000]
"Service"="alfacleaner"
"DeviceDesc"="alfacleaner"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ALFACLEANER]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ALFACLEANER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ALFACLEANER\0000]
"Service"="alfacleaner"
"DeviceDesc"="alfacleaner"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-21-4042830210-2999732989-294780835-1005\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Enum\\Root\\LEGACY_ALFACLEANER"

[HKEY_USERS\S-1-5-21-4042830210-2999732989-294780835-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-21-4042830210-2999732989-294780835-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\alfacleaner.com\www]

; End Of The Log...

#12 DevilWo

DevilWo
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:09:12 AM

Posted 01 May 2006 - 10:00 PM

First you tell me it would be great if I could manage on my own while you're in Spain (funny how THAT part of your last post seems to have been edited out)....If I could, I wouldn't have contacted you guys in the first place.
Then you tell me, on April 7th, that you'll be back in 5 days.....it's May 1 now.....thanks so much for getting back to me...IF you should happen to bother to remember that you left me in the middle of a so called "fix", don't bother......I'll find someone or something else to help me.

Edited by DevilWo, 01 May 2006 - 10:02 PM.


#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:12 PM

Posted 02 May 2006 - 11:07 AM

Wow DevilWo, sorry.
This thread slipped through the cracks, and I have have just been notified by another member about this thread. We sometimes get a thread that we are not notified about. I'll ignore what you said about editing the post - I have no clue what you are talking about.

Right down to business, the entries in the Hijackthis log are simply Legacy keys from a leftover infection - they are like a snake without a head and are a REAL pain to remove as they are protected.
They can't damage your system at all and just lie about doing nothing. I've heard that Ewido can sometimes do a good job of removing these sorts of things, so before getting into really complexed stuff I want to try this first:

Please download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

Reboot into SAFE MODE
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

* Open Ewido anti-malware
Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

* Please reboot back to normal mode and post a new Hijackthis log and the ewido log.
David




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users