alpha antivirus removal

caunterstrike

My sister has got a virus pretending to be an antivirus program called Alpha Antivirus. I told her to remove it using a program called XoftSpySE, but it wanted credit card details. Does anyone know of a way of getting rid of it without surrendering any credit card details?
 
Try these free tools:

SmitfraudFix (it helped me a lot in the past. Unfortunately, there is no Alpha Antivirus entry in the program's database, but give it a try; maybe they are late with updating the information on their website)

Superantispyware free edition: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

Malwarebytes free version for one time removal: http://www.wikihow.com/Delete-Personal-Anti-Virus-Using-MalWareBytes (see program installation steps, do not pay attention to personal antivirus)

If none of the above tools worked, try to remove AlphaAntivirus with Spyware Doctor: http://www.pcindanger.com/alpha-antivirus-removal.html
 
If none of the above tools worked, try to remove AlphaAntivirus with Spyware Doctor
Hi grandude, please note "Spyware Doctor" will NOT help, under any infection. Unless you pay for it.

I only use free tools, such as the ones already mentioned in this thread
Which always works. Why pay when you can remove Malware for free ;)

Also SmitfraudFix is a bit old now, if you had mentioned Combofix, with warnings of course (usually updated every few days or so) that would have been OK

@caunterstrike, how did you go with following member johnb35's instructions?
Or is it all fixed now?
 
Agreed, you have to buy SD to remove infection. On the other hand, Malwarebytes is good for the moment of infection, but it won't protect the computer in real-time until licensed version is purchased.

P.S. thanks for Smitfraudfix correction ;)
 
Malwarebytes is good for the moment of infection, but it won't protect the computer in real-time until licensed version is purchased.
Again you mention paying for something

Free Malwarebytes works perfectly well, actually I'd go as far as saying that free Malwarebytes is the best Malware removal tool presently in the world (my opinion of course)
You do not need to have real time protection going on, with these types of tools
Once clean, you just update Malwarebytes and run regular (even fortnightly) scans

Free has worked for me servicing thousands of computers for years ;)
 
@caunterstrike, how did you go with following member johnb35's instructions?
Or is it all fixed now?
It's my sister's laptop and I was trying to help her over the phone, so I can't post the log, but she ran Malwarebytes and it didn't find anything. I will get her to try the other programs mentioned and let you know if there's still no joy.
 
For those who don't know yet, there is a free version of Spyware Doctor without any restrictions. Removes all infections for free. You may download this version from the Google Pack website. http://pack.google.com/intl/en/pack_installer.html

MalwareBytes anti-malware is of course a good tool, however, I had a situation when MBAM actually missed several infected files. So I had to use Spyware Doctor. As for Alpha Antivirus malware, there are also manual removal instructions if you somehow won't be able to run any of those anti-spyware applications.
http://www.2-spyware.com/remove-alpha-antivirus.html
http://remove-malware.net/how-to-remove-alpha-antivirus-rogue-anti-spyware/
http://www.geekpolice.net/malware-removal-guides-f12/how-to-remove-alpha-antivirus-removal-guide-t14654.htm (with MBAM)

Also from Yahoo Answers:
http://answers.yahoo.com/question/index?qid=20090927161147AAX9eGH
http://answers.yahoo.com/question/index?qid=20090926122459AAOJX9e
 
OK, she did a HijackThis scan. Here is the log it produced. I haven't got a clue what any of it means, so can someone please explain?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39:00, on 27/09/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIEFE.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.tattoodle.com?tid={C585F01A-367E-43d0-A7B9-E0241C25BD09}&v=12
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{91C18ED5-5E1C-4AE5-A148-A861DE8C8E16} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Program Files\SGPSA\BHO.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Google Update] "C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [EPSON Stylus SX200 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\Windows\TEMP\E_SD9B0.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)

--
End of file - 7303 bytes
 
I see a few problems from your log.

1. You are running a very old version of Java. Please go into Add/Remove Programs and uninstall all older versions of Java. They could be labeled as Java or J2SE Runtime. After all old versions are uninstalled, please go here and download the latest version.

http://www.java.com/en/download/index.jsp

2. I highly recommend uninstalling the program called Advanced Registry Optimizer. The only program that most people recommend is CCleaner.

3. Also, I recommend uninstalling the Ask toolbar.

Also, did she do a full scan using Malwarebytes or just a quick scan? Have you run Combofix on it yet?

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please post the logs from the full scan of Malwarebytes and the scan from Combofix.
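
As an added example (not part of the original posts and not a HijackThis feature): a small Python triage of the log format posted above, flagging entries whose target file is missing and entries matching the three items called out in this reply. The sample lines are copied from the log above; the function names and the watchlist strings are assumptions chosen for illustration.

```python
import re

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
"""

# Every scan entry starts with a section code such as R3, O2 or O23.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Analyst-supplied watchlist (assumption): substring -> note, mirroring items 1-3 above.
WATCHLIST = {
    r"\Java\jre1.5": "old Java runtime",
    "Advanced Registry Optimizer": "registry optimizer",
    "AskBar": "Ask toolbar",
}

def parse(log):
    """Return (section_code, text) per entry; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(log, watchlist):
    """Return (section_code, reason, text) for entries worth a closer look."""
    findings = []
    for code, text in parse(log):
        low = text.lower()
        # HijackThis marks entries whose target is not on disk with these suffixes.
        if "(no file)" in low or "(file missing)" in low:
            findings.append((code, "orphaned entry", text))
        for needle, note in watchlist.items():
            if needle.lower() in low:
                findings.append((code, note, text))
    return findings

if __name__ == "__main__":
    for code, reason, text in triage(SAMPLE_LOG, WATCHLIST):
        print(f"{code:<4}{reason:<20}{text}")
```

A flagged line is only a pointer for review: an orphaned entry is leftover registry data, and a watchlist hit still needs a person to decide whether to uninstall.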
 
Also

It would be best to uninstall uTorrent whilst presently trying to clean your system of Malware.
Once your system is confirmed clean (by posting the logs ;)), you can then re-install that file sharing program if you want.

For those who don't know yet, there is a free version of Spyware Doctor without any restrictions.
Thanks for this information ignys :good:
 