AlphaCleaner's, Schnazola's topic



Schnazola
2006-02-09, 03:15
My daughter's laptop became infected with AlphaCleaner. It wiped out her desktop and made opening most apps impossible. (Kept getting a WININET.DLL error.) Her custom wallpaper was overlaid with a black nag screen with a "Your computer may be infected" message and a link to a supposed list of malware apps. It also seemed to have corrupted the AVG anti-virus application. (Coincidence perhaps.)

After repairing Windows and AVG, I ran Spybot S&D with the latest definitions. S&D found AlphaCleaner and killed it. But the black nag screen won't go away!

Curiously, the "real" wallpaper is visible briefly at start-up and power-off. But moments before the desktop icons become visible, the wallpaper is overlaid with the AlphaCleaner nag screen, and it stays there until right before the power goes off.

Any ideas on how to remove it?


LonnyRJones
2006-02-09, 04:31
Welcome to the forum Schnazola

I have moved your post here, do not post in other threads please.

Please go here and follow instructions.
"Before you post a log"
http://forums.spybot.info/showthread.php?t=288
Post the hjt log here in this thread.
Someone will then take a look at the system and advise you.

Schnazola
2006-02-09, 05:26
As a newb, I wasn't aware that I needed to start my own thread. Sorry.

I will post the log -- using HJT -- as soon as I regain access to the afflicted laptop.

Thank you in advance for your support.

Schnazola
2006-02-09, 16:46
Logfile of HijackThis v1.99.1
Scan saved at 8:56:07 AM, on 2/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Carol Lombardi\My Documents\download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trschools.com/index.asp
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut to vcleaner.exe.lnk = C:\Documents and Settings\Carol Lombardi\Desktop\vcleaner.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

Schnazola
2006-02-09, 16:53
As I stated in my initial post, I'm pretty sure I purged my daughter's laptop of the AlphaCleaner trash-app. An artifact of the infection, however, is the false wallpaper that is overlaying the actual wallpaper.

This problem now may have less to do with an "infection" and more to do with a bug in Windows. (Perhaps it's a bug that AlphaCleaner exploited.)

Anyway, I hope the log file helps.

tashi
2006-02-09, 17:47
>>>Welcome to the forum Schnazola

I have moved your post here, do not post in other threads please.<<<

I removed your post in another member's topic.

tashi
2006-02-09, 17:49
If after three days you still need assistance please go here and post a link back to this topic to flag a helper.

If you have waited three days for advice, post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

Regards.

Schnazola
2006-02-09, 18:15
>>>I have moved your post here, do not post in other threads please.<<<

Oops! Forgot. :o Thought I was being helpful.

So that's two newbie strikes against me. One to go?

LonnyRJones
2006-02-09, 18:23
Scan with hijackthis place a check next to
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
===================
Click fix checked

Can you provide any information on this program >
O4 - Startup: Shortcut to vcleaner.exe.lnk = C:\Documents and Settings\Carol Lombardi\Desktop\vcleaner.exe

Follow the instructions on this page and post the logs mentioned (here in this thread). No need for the "before" HijackThis log, as that's already posted.
http://forums.spybot.info/showthread.php?t=1958
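The two O4 lines singled out above are the kind of autostart entries a log reader looks at first: a Run-key entry under a name nobody recognises, and a Startup-folder shortcut that points into a user profile instead of Program Files. As an added example (not code from the thread, from HijackThis or from Spybot), the Python script below parses the O4 lines from the log posted earlier and marks exactly those two for a closer look. The regexes, the SUSPECT_NAMES list and the "runs from outside Windows/Program Files" rule are this example's own assumptions; a mark means "ask about it", not "it is malware", which is the right reading here since vcleaner.exe turns out later in the thread to be a legitimate AVG tool.

```python
"""Triage of the O4 (autostart) lines from a HijackThis log.

Added example; it is not code from the original thread or from
HijackThis.  The sample lines are copied from the log posted above.
The regexes, the SUSPECT_NAMES list and the "runs from a user-writable
location" heuristic are this example's own assumptions: they mark an
entry for a human to look at, they do not decide that it is malware.
"""
import re

# Constructed input: the O4 lines from the posted log, verbatim.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Shortcut to vcleaner.exe.lnk = C:\Documents and Settings\Carol Lombardi\Desktop\vcleaner.exe
"""

# "O4 - HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# "O4 - Startup: shortcut name = target path"
STARTUP_RE = re.compile(r'^O4 - (Startup|Global Startup): (.*?) = (.*)$')

# Assumption: the entry the helper told the poster to fix is treated as rogue.
SUSPECT_NAMES = {"adwarealert"}
# Assumption: directories an installed product normally autostarts from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def extract_path(cmd):
    """Return the executable path (lower-cased) from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    # Unquoted command line: the path ends at the first token ending in .exe
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.I)
    return (m.group(1) if m else cmd.split()[0]).lower()


def parse_o4(text):
    """Parse O4 lines into dicts with kind, hive, name and path."""
    entries = []
    for line in text.strip().splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, subkey, name, cmd = m.groups()
            entries.append({"kind": subkey, "hive": hive, "name": name, "path": extract_path(cmd)})
            continue
        m = STARTUP_RE.match(line)
        if m:
            kind, name, target = m.groups()
            entries.append({"kind": kind, "hive": None, "name": name, "path": target.strip().lower()})
    return entries


def triage(entries):
    """Return [(name, [reasons])] for entries that deserve a closer look."""
    flagged = []
    for e in entries:
        reasons = []
        if e["name"].lower() in SUSPECT_NAMES:
            reasons.append("name on the suspect list")
        if not e["path"].startswith(TRUSTED_DIRS):
            reasons.append("runs from outside Windows/Program Files: " + e["path"])
        if reasons:
            flagged.append((e["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(parse_o4(SAMPLE_O4)):
        print(name, "->", "; ".join(reasons))
```

Run it on the full O4 section of any HijackThis log; everything it prints is a question to put to the machine's owner, as the helper did above, and an entry that passes silently has only passed two cheap checks, not been cleared.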

Schnazola
2006-02-09, 18:35
>>>Can you provide any information on this program >
O4 - Startup: Shortcut to vcleaner.exe.lnk = C:\Documents and Settings\Carol Lombardi\Desktop\vcleaner.exe<<<

Yes, I can.

That is a utility that supplements the AVG antivirus software application. Since my daughter runs AVG-FREE, the free version of the AVG application, it is necessary to run the Vcleaner program when viruses are found. It runs in a DOS window.

See: Link to AVG Free and Vcleaner page (http://free.grisoft.com/doc/8/lng/us/tpl/v5)

Schnazola
2006-02-12, 16:52
First, thank you for all your support. Although the advice given here did not result directly in a solution, it did inspire me to delve on and come up with a rather low-tech solution.

When I right-clicked the offending nag screen, the context menu for the Desktop did not appear. Instead I got a menu for an HTML file. I clicked Properties and saw the name of the HTML file that AlphaCleaner wrote to my Windows directory. I deleted it.

But the problem was not resolved yet.

The nag screen disappeared but was replaced by a plain white image that still obscured the wallpaper. On a whim, I moved the mouse pointer around and -- lo and behold -- a barely visible CLOSE button appeared in the right-hand corner. I clicked it, the white screen disappeared, and the wallpaper was revealed.

Thanks for all your help.

LonnyRJones
2006-02-12, 19:38
I believe that is covered in the link provided:

G. Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" or anything similar if present.

Where are the requested logs?

Vcleaner is a stand-alone, malware-specific program that is probably updated once in a while; there is no reason to run it except when the AVG program suggests it, and then only once.
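Step G above points at the mechanism behind the nag screen: Display > Desktop > Customize Desktop > Web is where Windows XP lists Active Desktop web items, and a local HTML file that sits over the wallpaper with its own small Close button is what such an item looks like on screen. Each item is stored as a numbered subkey under HKCU\Software\Microsoft\Internet Explorer\Desktop\Components with a "Source" value. As an added example, not code from the thread, the Python script below reads a .reg export of that key, picks out components whose Source is a local file rather than About:Home or a web URL, and writes the .reg lines that would delete those subkeys. The export it parses is constructed for the example; the overlay file name in it is hypothetical, while the "Security Info" name is the one step G mentions.

```python
"""Locate an Active Desktop web item that overlays the wallpaper.

Added example; it is not code from the original thread.  It assumes,
as step G above implies, that the nag screen was an Active Desktop
component: a numbered subkey under
HKCU\\Software\\Microsoft\\Internet Explorer\\Desktop\\Components whose
"Source" value points at a local HTML file.  The .reg text below is
constructed for the example, and the overlay file name in it is
hypothetical; the "Security Info" name is the one the thread mentions.
"""
import re

COMPONENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"

# Constructed .reg export (not taken from the poster's machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\WINDOWS\\example_overlay.html"
"SubscribedURL"="C:\\WINDOWS\\example_overlay.html"
"FriendlyName"="Security Info"
"Flags"=dword:00000002
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# A drive-letter path, optionally written as a file:// URL
LOCAL_FILE_RE = re.compile(r'^(?:file:///?)?[a-z]:\\', re.I)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}} (string and dword values)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg strings escape backslash and double quote with a backslash
                value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.startswith("dword:"):
                value = int(data[6:], 16)
            else:
                value = data  # hex:/binary data kept as-is
            keys[current][name] = value
    return keys


def find_local_components(reg):
    """Return [(index, friendly_name, source)] for components whose Source is a local file.

    Stock components point at About:Home or an http(s) URL.  A local HTML file,
    here under the Windows directory, is the kind of item that shows up under
    Display > Desktop > Customize Desktop > Web and sits over the wallpaper."""
    prefix = COMPONENTS_KEY.lower() + "\\"
    hits = []
    for key, values in reg.items():
        if not key.lower().startswith(prefix):
            continue
        source = str(values.get("Source", ""))
        if LOCAL_FILE_RE.match(source):
            hits.append((key[len(prefix):], values.get("FriendlyName", ""), source))
    return hits


def removal_reg(hits):
    """Build a .reg file that deletes the offending component subkeys (a leading '-' deletes a key).

    The HTML file each Source points at still has to be deleted separately."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for index, _name, _source in hits:
        lines.append("[-%s\\%s]" % (COMPONENTS_KEY, index))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_local_components(parse_reg(SAMPLE_REG))
    for index, name, source in hits:
        print("component %s (%s) -> %s" % (index, name, source))
    print(removal_reg(hits))
```

On a real machine, export the Components key from regedit and feed that file in; check that what the script lists matches the item shown under Customize Desktop > Web before importing the generated removal file, and delete the HTML file the Source points at as well, which is the step the poster took by hand. Unchecking the item in the dialog, as step G says, is the same cleanup done through the GUI.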

Schnazola
2006-02-13, 16:31
>>>Vcleaner is a stand alone malware specific program that is probaly updated once and awhile, there is no reason to run it except when the avg program suggests it, then only once.<<<

AVG-Free is installed on my daughter's laptop. (I pay for a subscription to the AVG home version on my desktop.) I noticed that AVG-Free found the same virus infections on her computer night after night when the scheduled scan ran, but did nothing about them, even though the preferences were set to quarantine infected files. That's when I ran VCleaner. After doing so, the viruses were no longer flagged during the nightly scans.

I have since updated her laptop with the latest AVG software (the app and the virus defs). Now, it seems to be trapping the nasties and locking them in the "virus vault" without having to run VCleaner.

I noticed that Grisoft offers other virus-specific cleaning tools. I suppose that anyone -- even one who doesn't use AVG -- who suspects his computer is infected with a particular bug can download and run the dedicated anti-virus tool.

As soon as I get the chance, I will download and install SmitRem, Panda ActiveScan, and Ewido AntiMalware and run them and repost the log file.

tashi
2006-02-19, 01:39
How is it going Schnazola.

Schnazola
2006-02-21, 14:55
As I reported in an earlier post, the problem that caused me to start this thread has been resolved to my satisfaction.

I intended to do the extra steps recommended (i.e., running SmitRem, Panda ActiveScan, and Ewido AntiMalware) anyway, but I no longer have access to my daughter's laptop. (And she doesn't have the savvy to do it herself.)

This thread may be archived.

Thanks to all who donated their time to help out.

-Schnaz
Toms River, NJ, USA

LonnyRJones
2006-02-21, 20:06
This topic will now be closed and archived. If a problem related to malware, spyware or adware returns and you need this topic re-opened, please send a message to myself or Tashi with a link to this thread.