Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I have alfacleaner


  • Please log in to reply
18 replies to this topic

#1 AnthonyV

AnthonyV

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 15 September 2006 - 04:17 PM

Hey buddy,

Sorry took so long.
Ran all tools as instructed.
Computer is now very slow to open pages.
Here is log from Hijack this

Logfile of HijackThis v1.99.1
Scan saved at 7:04:24 PM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Anthony\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142575892458
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://216.66.37.162:8000//activex/AMC.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Edited by AnthonyV, 15 September 2006 - 06:06 PM.


BC AdBot (Login to Remove)

 


#2 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:39 AM

Posted 21 September 2006 - 01:52 PM

Hello AnthonyV,

This same log is posted at Lavasoft Support Forums. What other forums have you posted this in? We work in a lot of the same forums so if you are getting help elsewhere, we don't need to duplicate efforts.

What tools did you run previously as mentioned above? I don't see any immediate problems in this log. Do have any remaining symptoms?
Microsoft MVP Windows-Security 2003-2008
Posted Image

#3 AnthonyV

AnthonyV
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 21 September 2006 - 02:08 PM

Hi Miss Jane,

Thanks for getting back to me,

I dont know what happened to my computer, all of a sudden it takes 2-3 minutes to open any site I go to.

This is really frustrating and it hasnt happened before.

I ran ad-aware, spy-bot, panda, I also have spy sweeper along with all microsoft programs "live one, defender"

I noticed the problem when after windows notified that programs were being installed I had a power outage, then I started recieving an plug in error.

I have alot of dclk, rad msn cluttering up my back button.

and spyware doctor says I have alfacleaner.

I am not sure how to correct.

Any Advise?

#4 AnthonyV

AnthonyV
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 21 September 2006 - 02:09 PM

Also that was the only other post I went too, I was waiting for reply for a couple of days so I looked other sites.

#5 AnthonyV

AnthonyV
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 21 September 2006 - 02:13 PM

I also noticed in task manager that iexplore is taking up to 50% usage. (Idont know if that helps)

Sorry for the add ons

#6 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:39 AM

Posted 21 September 2006 - 04:01 PM

Ok! Let's see what we can do.

Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

How to extract (decompress) zipped or compressed files
http://www.lvsonline.com/compresstut/index.shtml

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Open the SmitfraudFix folder
Double-click smitfraudfix.cmd
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the results of rapport.txt back here please :thumbsup:

I also need a fresh HijackThis log please. That last one was posted days ago and things may have changed since then.
Microsoft MVP Windows-Security 2003-2008
Posted Image

#7 AnthonyV

AnthonyV
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 21 September 2006 - 04:50 PM

Hey Jane,

Here are new logs,

p.s. My computer says this might be a phishing site, why???


SmitFraudFix v2.90

Scan done at 17:47:46.90, Thu 09/21/2006
Run from C:\Documents and Settings\Anthony\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Anthony\Application Data


Start Menu


C:\DOCUME~1\Anthony\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

Scanning wininet.dll infection

Logfile of HijackThis v1.99.1
Scan saved at 5:48:24 PM, on 9/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Anthony\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] "C:\Program Files\Napster\napster.exe" /systray
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142575892458
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://216.66.37.162:8000//activex/AMC.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


End

#8 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:39 AM

Posted 21 September 2006 - 05:53 PM

First, no this is not a phishing site. Microsoft OneCare is your AV?

It is possible if your were viewing other people's HijackThis logs that it recognized some bad links that sometimes show in logs of infected PCs - that occasionally is seen by an AV but, of course, it can't tell that the context is in a diagnostic log and not a link affliated with this site.

Both your logs are clean. No sign of Alfacleaner or any of it's cousins whatsoever.

What is the file name and exact location that Spyware Doctor is giving you this indication?
Microsoft MVP Windows-Security 2003-2008
Posted Image

#9 AnthonyV

AnthonyV
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 21 September 2006 - 06:13 PM

Spyware doctor wont let me copy so here is what it says:

14 infections:

All start with :HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ALFACLEANER...

they all have different endings.

Question: All those add screens (rad.msn.com) (dclk), not a adware virus???

#10 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:39 AM

Posted 21 September 2006 - 07:22 PM

Alfacleaner leaves some (harmless) residuals in the registry that Spyware Doctor is probably seeing. You don't have an active infection, no. The fix for these residuals is difficult because it changes permissions on the keys and most programs can't remove them even if it can see them. However, I found this fix in another topic that seemed to work
(Post #20 in this topic: http://www.bleepingcomputer.com/forums/ind...;hl=alfacleaner )

However, before editing the registry, always make a backup first:

1. 1. Go to *Start* then *Run* and type in regedit and hit *OK*.
Go to *File* then *Export* and save the registry somewhere as a backup. Give it a name you'll remember like SaveReg.reg.

2. Next, Click Start>Run and copy and paste the following into the box:

SWREG ACL hklm\system\currentcontrolset\enum\root\legacy_alfacleaner /OM

Click OK

Click Start>Run and copy and paste the following into the box:

SWREG DELETE hklm\system\currentcontrolset\enum\root\legacy_alfacleaner

Click OK
Microsoft MVP Windows-Security 2003-2008
Posted Image

#11 AnthonyV

AnthonyV
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 21 September 2006 - 07:32 PM

Hi jane,

Ran both opened small box and closed, nothing else happened.

I apperciate the help you have given.

Any other advice as to those annoying ads that show up in my browser back button.

Should I reinstal windows.

#12 AnthonyV

AnthonyV
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 21 September 2006 - 08:28 PM

Hi jane I just ran another spyware doctor sweep,

The alfaware is still present plus in addition it is showing high risk (possible website hijack) objects as well

Location
(1461)127.0.0.1 freeware ad.t35.com#[unimaxsearch.com]
(1462)127.0.0.1hkvn99.t35.com
(1463)127.0.0.1ijj.t35.com#[w32/bagle.HQ][wildcard DNS]
(1464)127.0.01nolko.t35.com
(1465)127.0.0.1 spyware-re.t35.com #[umaxsearch.com]
(1466)127.0.0.1ud7swe.t35.com#[w32.Dinoxi][w32/style-a]
(1467)127.0.0.1vbs.t35.com
(993)127.0.0.1sdc.mcafee.com#[statse.webtrendslive.com]

ARRGGHHH.

#13 AnthonyV

AnthonyV
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 21 September 2006 - 09:27 PM

I did some more research and found the following:


Strange behavior in the Back Button

Sometimes when you click the Back button to return to the previous page it appears that nothing happens. What usually occurs is that the HOSTS file has blocked one or more (<IFrame>) ad pages that are embedded into the web page you are viewing.

To verify this click the small drop-down arrow on the Back button, do you see just an ad server listed? ... well now you know ..... As you can see the first three links are blocked ad servers, simply skip to the valid link. However there are a few exceptions. In some cases the web page can contain a script to prevent the user from returning to a previous page.

Martin Hawes sends along this tip:

If you add the "ad servers" you see listed in the Back Button drop-down, to the Restricted Zone this will eliminate the Back button issue. Editors Note: however if you are using Windows XP SP2, you will be prompted by the "Security Center" about a 3rd party connection. Just click No and continue.


Why does Spyware Doctor report "Possible Website Hijack" in the HOSTS file?

This is a false detection and can be Ignored ... (see screenshot) you can place these items in the "Ignore List" or if it becomes a problem - turn off hosts protection (on Network Guard screen). PCTools has been notified but has not corrected this problem



does this sound correct to you :thumbsup:

Edited by AnthonyV, 21 September 2006 - 11:55 PM.


#14 AnthonyV

AnthonyV
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:09:39 AM

Posted 21 September 2006 - 11:53 PM

jane,

one last observation, (god you must think i am a pain in the a**) :thumbsup:

I noticed that the lag only happens on certain sites, (bleeping computer for example) along with monster and others. But sites like yahoo or hotmail only take the usual 1-2 seconds that I am used to. Does this info make any sence to you.

P.S. I cleared out a bunch of programs and ran an ewido sweep which only had 1 adware (minibug) and tried a windows update fix.

#15 CalamityJane

CalamityJane

  • Security Colleague
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:39 AM

Posted 22 September 2006 - 07:22 AM

Location
(1461)127.0.0.1 freeware ad.t35.com#[unimaxsearch.com]
(1462)127.0.0.1hkvn99.t35.com
(1463)127.0.0.1ijj.t35.com#[w32/bagle.HQ][wildcard DNS]
(1464)127.0.01nolko.t35.com
(1465)127.0.0.1 spyware-re.t35.com #[umaxsearch.com]
(1466)127.0.0.1ud7swe.t35.com#[w32.Dinoxi][w32/style-a]
(1467)127.0.0.1vbs.t35.com
(993)127.0.0.1sdc.mcafee.com#[statse.webtrendslive.com]

ARRGGHHH.

Good morning!

SpyWare Doctor should not be alerting on those. They are *good* entries in your HOSTS file that protect you from those harmful sites. They should not be removed. That is also what you found about the "back button" problem - because apparently you do have a HOSTS file protecting your PC.
These are entries above are false warnings by Spyware Doctor.

The regsitry keys being found are NOT harmful to your computer, nor is it an active infection. They are leftovers. You can try the steps in this topic if you wish to try to remove them manually:

removal of residual alfacleaner entries from registry
http://www.geekstogo.com/forum/index.php?s...mp;#entry596327

see Posts #10 and 11

Please note that registry keys by and of themselves with no file present are not indicative of an active infection, so please calm down and quit letting Spyware Doctor scare you. :thumbsup:
Microsoft MVP Windows-Security 2003-2008
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users