Alpha Cleaner



nmcmo
2006-03-03, 22:26
I wonder if anyone can help me with a problem?

My PC Guard scans for viruses and spyware and deletes at regular intervals. It is now telling me after each automatic run that it cannot remove Alphacleaner. I have been unable to find any files which refer to Alphacleaner on my machine, but PC Guard says it is located in the Registry.

I googled Alphacleaner and am now aware that it is some sort of adware(??), but I am not having any problems with pop-ups, although my machine seems a bit slow.

I have posted my HijackThis log below:

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 21:00:55, on 03/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\NMcM\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ProgramPath] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136242415\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [NI.UWFX6_0001_N68M2301] "C:\Documents and Settings\NMcM\Local Settings\Temporary Internet Files\Content.IE5\8967W9ER\WinFixer2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe

pskelley
2006-03-04, 17:10
Hello and welcome to the forum. If you still need help, please follow these directions in the posted order.

1) It appears this log was produced in safe mode. Please make sure all logs are in normal mode with everything enabled in MSConfig unless I ask otherwise.

2) I see ewido onboard, open the program and choose update, allow time for it to finish. Now click scanner then complete system scan. Allow ewido to remove anything it locates unless you know it is not bad. Save that scan report, I must see it.

3) Start > Control Panel > Add Remove Programs and uninstall Winfixer, Alphacleaner and anything you see you know should not be there.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [NI.UWFX6_0001_N68M2301] "C:\Documents and Settings\NMcM\Local Settings\Temporary Internet Files\Content.IE5\8967W9ER\WinFixer2006FreeInstall[1].exe" -nag
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Documents and Settings\NMcM\Local Settings\Temporary Internet Files\ <<< delete everything in this folder (not the folder itself)

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions: http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove anything; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log (normal mode all enabled in msconfig) and any comment you have you think will help.

Thanks...pskelley
Safer Networking Forums
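
As an added example (not code from the thread, from HijackThis, or from any of the tools mentioned), the following script applies the kind of pattern that picks out the three lines above from a log of this size: an O4 autorun whose target lives in the browser cache or a temp folder, and an O16 DPF (ActiveX download) fetched from a bare IP address or delivered as a raw .exe. The sample input is five lines copied from the first log in this thread; the rule set and function names are the example's own. A line that is not flagged is not thereby clean; the rules only surface what deserves a look.

```python
"""Mechanical first-pass triage of a HijackThis (v1.99) log.

Added example. The rules below encode two indicators visible in this thread:
a startup entry (O4) launched from a transient folder such as Temporary
Internet Files, and an ActiveX download (O16 DPF) from a bare IP address or
pointing straight at an executable.
"""
import re
from ipaddress import ip_address
from typing import List, Tuple
from urllib.parse import urlsplit

# Sample input: five lines copied from the first log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UWFX6_0001_N68M2301] "C:\Documents and Settings\NMcM\Local Settings\Temporary Internet Files\Content.IE5\8967W9ER\WinFixer2006FreeInstall[1].exe" -nag
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba2218.exe
"""

# Every HJT entry starts with a section code such as R0, O4, O16, O23.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Folders an installed program has no business being launched from at logon.
TRANSIENT_DIRS = ("\\temporary internet files\\", "\\local settings\\temp\\", "\\windows\\temp\\")


def _run_target(body: str) -> str:
    """Extract the executable path from an O4 body: '[Name] "path" args' or '[Name] path args'."""
    _, _, cmd = body.partition("] ")
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _is_bare_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) for every log line that trips a rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            target = _run_target(body).lower()
            if any(d in target for d in TRANSIENT_DIRS):
                findings.append(("autorun launched from a temporary/cache folder", line.strip()))
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()   # the download URL is the last " - " field
            parts = urlsplit(url)
            if _is_bare_ip(parts.hostname or ""):
                findings.append(("ActiveX download (DPF) from a bare IP address", line.strip()))
            elif parts.path.lower().endswith(".exe"):
                findings.append(("ActiveX download (DPF) of a raw executable", line.strip()))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

Run against the sample, it flags exactly the WinFixer autorun and the 66.117.37.13 download; the digitalcity.com .cab is left alone because neither rule matches it, which is a reminder that a helper still has to read the rest of the log by hand.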

nmcmo
2006-03-05, 12:15
Hi

Firstly, thanks for your help, it is much appreciated.

I have followed your instructions with the following results;

Ewido scan

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 20:00:22, 04/03/2006
+ Report-Checksum: 12437FCB

+ Scan result:

HKU\S-1-5-21-1981287317-2655332060-426458040-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-1981287317-2655332060-426458040-1006\Software\Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Cleaned with backup
HKU\S-1-5-21-1981287317-2655332060-426458040-1006_Classes\CLSID\{D1A2E7CD-F5C1-21A8-CA2C-13D0AC72D19D} -> Adware.SpyFalcon : Cleaned with backup


::Report End

I followed the other processes (HJT, CCleaner, etc) although there were no Winfix or Alphacleaner programs shown in the "add/ remove programs".

The revised HJT log is below.

Logfile of HijackThis v1.99.1
Scan saved at 11:04:27, on 05/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Power Manager\PM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\blueyonder\PCguard\RPS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\AOL\1136242415\ee\AOLHostManager.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Common Files\AOL\1136242415\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1136242415\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\NMcM\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ProgramPath] C:\Program Files\Power Manager\PM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136242415\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


I should probably also point out that I have just received another pop-up message from my PC Guard that it has been unable to remove Alphacleaner.

Thanks again.

pskelley
2006-03-05, 13:40
Ok, let's look at what we have. First, I know nothing about PC Guard, but I know these programs give the location of the items they are finding if you look. Run it again and give me more information than you are providing.

In your ewido scan I see references to Adware.SpyFalcon (registry) which it was able to clean, and I am guessing these are leftover registry items that were not removed with the program. You should try running ewido in safe mode; it may pick up what it did not the first time.
http://www.bleepingcomputer.com/tutorials/tutorial61.html

In looking at this item: C:\Program Files\Power Manager\PM.exe (do you know that it is a safe valid program?) I located this information: http://castlecops.com/startuplist-2779.html
To be safe I would like you to use at least two of these free online scans and to post the results for me:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

CCleaner has a registry cleaner built into it. Did you use Issues during the cleaning with it? If not, open CCleaner, click the Issues button and scan; once it finds stuff, take a look to see if any Alphacleaner registry entries are on the list of junk it finds. Fix the crap and when asked to back up, make sure you do. Put the backup on the Desktop and let it sit for a few days to be safe. Careful when you remove it: it is RIGHT click and delete only.

Try using your search: make sure you have all files and folders enabled and then ask search to look for Alphacleaner. Then delete any instances search locates. Try these options and see if that cleans it. If not you will need to edit the registry, or ignore PC Guard, and you will need to know where the item is to edit it. PC Guard will tell you that.

Thanks...Phil

nmcmo
2006-03-05, 16:40
Phil

Thanks again.

PC Guard is the anti-virus/ anti spyware software that is installed with the blueyonder broadband software provided by my cable company.
http://www.blueyonder.co.uk/blueyonder/getContent.jspx?page=services_securitypcguard

I have re-run the PC Guard antispyware that keeps telling me it can't delete Alphacleaner, and the report it produced is below. It highlighted that it had detected 5 cookies and 1 registry issue; however, the report just seems to refer to the 5 cookies.

Scan Target    Scanned Items   Detected Spyware
N00813 (C:)    47762           0
Cookies        19              5
Registry       20688           1
Memory         18              0
Total          68487           6

Spyware           Type             Item                                                                      Action
WebTrends         Spyware cookie   C:\Documents and Settings\NMcM\Cookies\nmcm@statse.webtrendslive[2].txt   Delete
DoubleClick       Spyware cookie   C:\Documents and Settings\NMcM\Cookies\nmcm@doubleclick[2].txt            Delete
Adtech.de         Spyware cookie   C:\Documents and Settings\NMcM\Cookies\nmcm@adtech[2].txt                 Delete
TribalFusion.com  Spyware cookie   C:\Documents and Settings\NMcM\Cookies\nmcm@tribalfusion[1].txt           Delete
Serving-Sys       Spyware cookie   C:\Documents and Settings\NMcM\Cookies\nmcm@serving-sys[2].txt            Delete


I will post again when I have run the other instructions.

Thanks,

NM

pskelley
2006-03-05, 16:59
Thanks for that information. I would have thought that CCleaner, using the instructions I provided, would have cleaned all cookies. In case it did not, I would remove those manually. At some point we will need to know where in the registry the item PC Guard is identifying is located.

C:\Documents and Settings\NMcM\Cookies\ <<< delete the contents of this folder (not the folder itself)


Thanks...Phil

nmcmo
2006-03-05, 21:12
Hi

Right, I have gone through all of the above steps now.

Ewido couldn't find anything at all. I ran 2 of the scans you linked on Power Manager, and neither found anything wrong (neither produced a report that I could copy).

CCleaner couldn't find any issues at all in the registry, and I re-ran PC Guard for spyware. It continues to identify 1 issue in the registry, although it doesn't give any more detail as to where I can find it.

Finally, I searched my c drive for Alphacleaner, but again there was nothing.

Any thoughts?

pskelley
2006-03-05, 21:42
Nope, I am out of thoughts on a single registry entry. You can look at PC Guard; perhaps there is a way to tell it to ignore the item? Here is a good registry cleaner if you wish to go looking for it, but I caution you to back up as suggested to be safe.

http://www.hoverdesk.net/freeware.htm and the instructions for using it:

Backup Registry:
Backup your Registry...
- Press "CTRL - ALT - DEL" keys all at the same time to start "Task Manager"
- In the Task Manager window click on "File", then from the drop-down menu select "New Task (Run...)"
- In the "Create New Task" window enter\type "regedit" (without quotes)
- Once Regedit opens click on the FILE menu and select Export
- Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Download RegSeeker. Extract it to its own folder,
open the folder and double-click RegSeeker.exe to start the program.
Maximize the window and click clean registry. Check all sections and click OK.
When the scan is complete, verify the backup box in lower left corner is checked
and click the select all button, then select all again. Then right click within
the search results and select delete. Run it again and again, deleting everything
it finds until it finds nothing. Reboot and make sure your programs are working properly,
control panel and add/remove programs windows open, etc (basically just do a quick check of everything).
In the event anything was 'broken', you can open RegSeeker, click backups and double click
any/all files to put the information back. A reboot may be required for the effects to be seen.
Reboot When done.

I hope this helps...Phil
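
The full registry export made in the backup step above is also the easiest place to find out where a single "registry issue" actually lives, which is what PC Guard would not say and what a file search for "Alphacleaner" cannot find. As an added example (not code from the thread, from regedit, or from any tool mentioned here), the script below parses a regedit export and reports every key path, value name or value whose data mentions a search string. It handles the part a plain text search misses: REG_EXPAND_SZ and REG_MULTI_SZ values are written as hex(2):/hex(7): lists of UTF-16LE bytes, often continued across lines with a trailing backslash, so a program name can sit in the file without appearing as readable text. The sample export, the HKEY_CURRENT_USER\Software\ExampleVendor key and the function names are constructed for the example; the PCguard Run entry is copied from the log in this thread.

```python
"""Locate a named entry in a regedit export, e.g. the lone "Alphacleaner" registry hit.

Added example. regedit (File > Export, range "All") writes a complete text copy of
the registry: a [KEY] header per key, "name"=data lines beneath it, and hex values
continued across lines with a trailing backslash. Searching that file offline is a
safe way to learn where a scanner's finding lives before editing anything.
"""
import re
from typing import Iterator, List, Tuple

# Constructed sample of what regedit writes; the ExampleVendor key and its values are made up.
# "Helper" holds the UTF-16LE bytes of "AlphaCleaner.exe" as a REG_EXPAND_SZ (hex(2):) value.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCguard"="\"C:\\Program Files\\blueyonder\\PCguard\\RPS.exe\""

[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"Count"=dword:00000001
"Helper"=hex(2):41,00,6c,00,70,00,68,00,61,00,43,00,6c,00,65,00,61,00,6e,00,65,00,\
  72,00,2e,00,65,00,78,00,65,00,00,00
'''

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\([0-9a-fA-F]+\))?:(?P<bytes>.*)$")


def _unescape(s: str) -> str:
    """Undo the \\" and \\\\ escaping regedit applies inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _logical_lines(text: str) -> Iterator[str]:
    """Join lines that regedit continued with a trailing backslash."""
    buf = ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield buf + stripped
        buf = ""
    if buf:
        yield buf


def _decode_hex(data: str) -> str:
    """Render hex:/hex(N): byte lists as text so strings inside them are searchable."""
    m = HEX_RE.match(data)
    if not m:
        return data  # dword:..., or a form we leave as written
    try:
        raw = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", m.group("bytes")))
        text = raw.decode("utf-16-le")  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return data
    return text.rstrip("\x00").replace("\x00", "\n")  # MULTI_SZ separators become newlines


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples; a key header itself has name "" and data ""."""
    records, key = [], None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            records.append((key, "", ""))
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group("default") else _unescape(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        else:
            data = _decode_hex(data)
        records.append((key, name, data))
    return records


def find_entries(text: str, needle: str) -> List[Tuple[str, str, str]]:
    """Case-insensitive match of needle against key path, value name and decoded data."""
    n = needle.lower()
    return [r for r in parse_reg_export(text) if any(n in part.lower() for part in r)]


def scan_reg_bytes(raw: bytes, needle: str) -> List[Tuple[str, str, str]]:
    """A 5.00 export is UTF-16LE with a BOM; an old-style REGEDIT4 export is ANSI text."""
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252", errors="replace")
    return find_entries(text, needle)


if __name__ == "__main__":
    import sys
    path, needle = sys.argv[1], sys.argv[2]  # e.g. backup.reg alphacleaner
    with open(path, "rb") as fh:
        for key, name, data in scan_reg_bytes(fh.read(), needle):
            print(f"[{key}]  {name or '(key)'} = {data}")
```

On the sample, a lower-cased text search for "alphacleaner" finds nothing, while find_entries reports the Helper value under the ExampleVendor key with its decoded data, which is the path you would then check and, if warranted, remove with regedit after the backup described above.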

tashi
2006-03-12, 18:56
This topic will now be archived to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.