Alfacleaner Removal Instructions and Help

What is AlfaCleaner and How Did it Get on My Computer?

alfacleaner.jpg (35334 bytes)

 

Alfacleaner is a "spyware removal program" that has been known to install itself when visiting a WMF exploit-infected web page.

This exploit affects Windows XP/2000 and Windows 2003 Server-based computers. Microsoft describes the exploit in its security bulletin this way:

A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

This exploit, and other similar unpatched problems, open the way for a variety of trojans, viruses, spyware and other malware to attack the system. Most of these attacks happen through a automatic download from an infected webpage. Which means if you do not have the patch loaded for this Windows Meta File (WMF) Exploit, you could visit a particular web page and become infected.

This exploit is also responsible for the various problems Spyaxe, SpySheriff, Spy Trooper, etc. 

You'll see a new icon in the system tray when you are infected by this problem. intell321exeicon.jpg (924 bytes) This file is associated with the intell321.exe file shown in the Hijackthis log.

You'll also see a new icon on your desktop alfacleanericon.jpg (1959 bytes) and your desktop background will probably show the following message:

infection.jpg (23296 bytes)

HijackThis will show various problem files, a typical Hijackthis log infected with this issue will look similar to this:

O4 - HKLM\..\Run: [lich] C:\windows\system32\lich.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [AlfaCleaner] C:\Program Files\AlfaCleaner\AlfaCleaner.exe
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe

What's the Best Way to Remove Alfacleaner?

Intentionally infecting a test computer with Alfacleaner, I have come up with a multiple step approach to cleaning the system. Unfortunately, because this exploit opens the doors for several different trojans, viruses, and spyware to attack your computer, you'll need a few pieces of software to effectively delete these problems.

Before attempting this removal procedure, download the following removal tools to your desktop and install them.

  • SmitRem by NoahdFear - Tool to remove Spyaxe, SpySheriff, PSGuard, WinHound, and other issues
  • Ewido Anti-Malware - Highly recommended anti-malware, anti-spyware program
  • HijackThis 1.99.1 - Essential tool for finding spyware, virus, trojan, and other problems
  • CCleaner - Free tool for removing temporary files, cookies, history, and cleaning up registry problems

Removal Procedure

1) Download the programs above to your desktop, extracting and install them. Then update the signatures for Ewido Anti-Malware. Once this is complete,  reboot your computer in Safe Mode

2) Open the SmitRem folder and double-click on RunThis.bat to start the SmitRem removal procedure. Besides removing particular files that it looks for, the tool also runs the Disk Cleanup tool to remove temporary files on the hard drive that may contain problem files. For a Tutorial on using SmitRem click here

3) After SmitRem has finished, open Ewido Anti-Malware and run a full system scan deleting anything it finds.

4) Open Control Panel, Add/Remove Programs and uninstall the following programs

  • Alfacleaner
  • Desktop Uninstall

5) Search for and manually delete the following directories and files if they remain.

  • nvctrl.exe
  • ntzl.exe (Associated with Trojan.LowZones)
  • ntpsg.exe
  • intelli321.exe
  • lich.exe (Associated with Trojan.LowZones)
  • C:\Program Files\AlfaCleaner

6) While still in Safe Mode, run CCleaner. Analyze and Clean files it finds, then click on the Issues button on the left side of the screen and Scan and Fix any Registry issues CCleaner discovers. Run both the Registry Scanner and the File Analyzer until nothing else is found.

7) Run Hijackthis and Remove any leftover issues. If you are not sure, if a line in Hijackthis is a problem, reboot in normal mode and use the Online HiJackthis Scanner to see if the file is a threat. Just copy and paste your Hijackthis log file into the scanner and let it analyze it for you. Although its not perfect, it will give you an idea if your system is clean or still needs some work. Do not delete anything with Hijackthis unless you are absolutely sure what the file is and what it does.

8) Reboot computer in Normal mode

9) Fix your desktop wallpaper by going to Control Panel, double-click on Display, on the Desktop tab, make sure the background wallpaper is correct, then click on Customize Desktop and click on the Web tab. On this tab is usually where active components such as web pages have taken over your desktop. Delete any problems here and click OK twice to leave the Display settings.

10) Go into Control Panel, Internet Options, and click on the Security tab. Many times, the Trojan.LowZones files change your security to the Lowest level. Click on Default level and return your settings to Medium.

Congratulations! Your computer should be free from Alfa Cleaner. However, now that your computer is running better, scan your system for other problems and patch this problem exploit before you visit another webpage. Follow the instructions below to download the patch for this exploit. If for some reason, you are still experiencing problems or have files that you are not sure of, you can email me a Hijackthis log and I'll see if I can help.

Scan your computer with online virus scanner like Housecall, BitDefender, or ETrust or download and install an antivirus program and run a complete scan. A list of online scanners is below, some however will only scan but not remove issues.

Online Virus Checkers
Trend Micro Housecall - will scan and remove threats
BitDefender Scan Online - will scan and remove threats
Ewido Online Scanner - will scan and remove threats
Panda Activescan - appears to only scan for but not remove threats
McAfee FreeScan - appears to only scan for but not remove threats
eTrust Antivirus Web Scanner - will scan and remove threats
Symantec Security Check - will scan and remove threats
Dr.Web Online Check
- user can upload and test for threats on particular files

Trojan Scanner
TrojanScan by WindowsSecurity.com

Free Antivirus Programs to Download
ANTI-VIR
AVAST
AVG

You may also want to run a thorough scan for adware/spyware using Ad-aware SE, Spybot Search and Destroy, or Microsoft Antispyware now known as Windows Defender as well to make sure your system is absolutely clean of other malware.

Update Windows with the Latest Patches

Visit Windows Update and download any Critical Updates for your computer

How to Patch the WMF Exploit

Click on the following link to visit Microsoft's Security Bulletin for the WMF exploit
and download the patches available.

Microsoft Security Bulletin MS06-001:
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

WMF Exploit Patch Downloads


Printer Friendly Version of This Page






Bookmark and Share this Article on PCHELL with these Social Networks:
Add to: Mr. Wong Add to: Digg Add to: Del.icio.us Add to: Reddit Add to: Simpy Add to: StumbleUpon Add to: Slashdot Add to: Netscape Add to: Furl Add to: Yahoo Add to: Spurl Add to: Google Add to: Blinklist Add to: Blogmarks Add to: Technorati Add to: Blinkbits Add to: Ma.Gnolia


Removal Instructions for Other Programs

Spyware Removal and Other Resources

Essential Tools for Removing Spyware, Adware, and Malware

Rootkit Removal Tools and Help

How to Delete Undeleteable Files

Review of Free Registry Cleaner

How to Manually Run the Microsoft Malicious Software Removal Tool

Review of WinsockFix

How to Remove Windows Diagnostic or Windows Restore malware

Review of SuperAntiSpyware

How to Remove SurferBar

How to Remove Starware

Bargain Buddy Removal Instructions and Help

Bonzi Buddy Removal

Click2FindNow and I-Lookup Removal

Comet Cursor Removal

Electronic Greeting Card Virus - MSDATAACCESS.EXE Removal Instructions and Help

Date Manager Removal

Powered by Zedo Popup Ad Removal Instructions and Help

Search and Destroy Removal Instructions and Help

Spyaxe, Spy Trooper, Spy Sheriff, Brave Sentry and Similar Removal Instructions and Help

TheSpyBot Removal Instructions and Help

Spam Blocker Utility Removal Instructions and Help

DriveCleaner Removal Instructions and Help

Alfacleaner Removal Instructions and Help

Spylocked Removal Instructions and Help

AntivirusGolden Removal Instructions and Help

VirusProtectPro Removal Instructions and Help

UltimateDefender and UltimateCleaner 2007 Removal Instructions and Help

VirusRescue Removal Instructions and Help

PestCapture Removal Instructions and Help

SystemDoctor 2006 Removal Instructions and Help

How to Fix Task Manager disabled by your Administrator

How to Fix Problem Changing Desktop Wallpaper

How to Remove SmitFraud Variants like WinAntivirus Pro 2007 and PestCapture

SurfSideKick Removal Instructions and Help

How to Remove Zango Search Assistant and Toolbar

How to Remove Alot Toolbar

About:Blank Homepage Hijacker Removal Instructions and Help

Kazaa Removal Instructions and Help

How to Disable Windows XP Security Alert Balloons and Notifications

res://random.dll Homepage Hijacker Removal Instructions and Help

IBIS Web Search (websearch.com) Removal Instructions and Help

Open Search Web (Lop.com) Removal Instructions and Help

UPDMGR.EXE Removal Instructions and Help

FCADVICE.EXE Removal Instructions and Help

U3 Smart Drives - What are they and how to remove U3

Dubolom.com Homepage Hijacker Removal Instructions and Help

DSO Exploit Removal Instructions and Help

FastSearch.cc Homepage Hijacker Removal Instructions and Help

My Web Search Removal Instructions and Help

Cursor Mania Removal Instructions and Help

Fun Buddy Icons Removal Instructions and Help

Smiley Central Removal Instructions and Help

My Mail Stamps Removal Instructions and Help

My Mail Stationery Removal Instructions and Help

My Mail Signatures Removal Instructions and Help

Fun Web Products Popular Screensavers Removal Instructions and Help

Webfetti Removal Instructions and Help

What is PDF Spam and Does it Contain Viruses

Gator Software Removal

Hugesearch.net Homepage Hijacker Removal Instructions and Help

Search-Space.com and Start-Space.com Homepage Hijacker Removal Instructions and Help

How to Remove Global-Finder.com Homepage Hijacker

Globaltoolbar Removal

GoHip Software Removal

HotBar Toolbar Removal

Huntbar and Search Toolbar Info and Removal

Look2Me Removal Instructions and Help

Lookfor.cc (res://mshp.dll/index.html) Homepage Hijacker Removal Instructions and Help

MaximumSearch.net Homepage Hijacker Removal Instructions and Help

Ncase Removal Instructions and Help

People OnPage Toolbar Info and Removal

Precision Time Removal

Prolivation.com Removal

SaveNow and NewDotNet Removal

SearchMyRequest.com Homepage Hijacker Removal Instructions and Help

Smartsearch.ws Homepage Hijacker Removal Instructions and Help

SysUpd.exe (TSCash) Removal Instructions and Help

Ezula TopText (yellow underlined links) Removal Instructions and Help

How to Remove SpeedBlaster and MemoryMeter

TopRebates and WebRebates Removal Instructions and Help

Twaintec.dll Removal Instructions and Help

Viewpoint Removal Instructions and Help

WeatherBug Removal

WildTangent Removal Instructions and Help

WinTools Removal Instructions and Help

Xupiter Removal

Xzoomy.com Removal

ZY Web Search (db105.com) Removal

space.gif (58 bytes)

 

Search PCHell.com



 




Tools for Removing Spyware, Adware, and Malware


PC HELL
Other Pages

Spyware/Adware Removal Help

MSBlast.exe Worm Removal

Welchia (Dllhost.exe and SVCHost.exe) Worm Removal

Uninstall McAfee Instructions

Uninstall Norton Instructions

Uninstall Avast Instructions

Uninstall AVG Instructions

Uninstall Antivir Instructions

Uninstall Panda Instructions

How to Manually Run the Microsoft Malicious Software Removal Tool

Bloodhound.Exploit.6 Virus Removal

MyDoom Virus Removal

MiMail.C Virus Removal

Swen Worm Virus Removal

SoBig.F Worm Removal

Dumaru Virus Removal

BugBear.B Worm Removal

SoBig.E Worm Removal

Pop Up Ad Removal Info

KAK Worm Removal

MiMail.A Worm Removal

W95.MTX Virus Removal

Snow White Virus Removal

BadTrans Trojan Removal

Wininit Virus (Bymer Trojan)

Happy99 Worm Removal

VBS Netlog Worm Removal

Pretty Park Worm Removal

Sasser Worm Virus Removal

Backdoor SDBot.H Trojan Removal

VBS.Loveletter Help

Computer Security Information

Back Orifice Information

PC HELL Main Page

 






iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad



Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.



Written by Mark Hasting

Recommended Software for PC Hell Visitors
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
iolo System Mechanic® - Fix, Speed Up Your PC
iolo System Mechanic®
Emsisoft Anti Malware
Emsisoft Anti Malware
space.gif (58 bytes)

Search PCHELL.COM

Return to PC Hell
Return to PC Hell

Google