Loads of spyware problems (and I've tried the obvious)

Posted on 2004-08-17
Last Modified: 2008-01-09
Hi everyone

Problems: When surfing, I get an IE window load (hidden until an ad is displayed). I'm damned if I can work out why. I've done EVERYTHING I can think of. I believe it modifies the code of the incoming page to load some JavaScript (I get JavaScript errors on almost EVERY page I go to and when there's an error, no popup)

OK, I've run:

msconfig and removed everything I don't want running
Adaware 6

I have a program called alg.exe running as a local service but don't want to kill it as I suspect it may be for my Alcatel Speedtouch modem (anyone know?)

Below is a dump of all running processes:
Process      PID      CPU      CPU Time      Priority      Description      User Name      Command Line
System Idle Process      0      54      15:31:11.238      0            NT AUTHORITY\SYSTEM      
 Interrupts      0            0:12:40.643      0      Hardware Interrupts            
 DPCs      0      5      0:38:31.894      0      Deferred Procedure Calls            
 System      4      2      0:16:03.685      8            NT AUTHORITY\SYSTEM      
  smss.exe      464            0:00:00.070      11      Windows NT Session Manager      NT AUTHORITY\SYSTEM      \SystemRoot\System32\smss.exe
   csrss.exe      520            0:01:54.354      13      Client Server Runtime Process      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxReque{ÖwC:\Procexp.txt
   winlogon.exe      544            0:00:02.824      13      Windows NT Logon Application      NT AUTHORITY\SYSTEM      winlogon.exe
    services.exe      588      1      0:00:04.536      9      Services and Controller app      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\services.exe
     svchost.exe      776            0:00:01.141      8      Generic Host Process for Win32 Services      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\svchost -k rpcss
      IEXPLORE.EXE      1444            0:03:40.457      8      Internet Explorer      SOWARE\Administrator      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
     svchost.exe      824            0:02:50.535      8      Generic Host Process for Win32 Services      NT AUTHORITY\SYSTEM      C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe      980            0:00:01.792      8      Generic Host Process for Win32 Services      NT AUTHORITY\NETWORK SERVICE      C:\WINDOWS\System32\svchost.exe -k NetworkService
     svchost.exe      996            0:01:27.325      8      Generic Host Process for Win32 Services      NT AUTHORITY\LOCAL SERVICE      C:\WINDOWS\System32\svchost.exe -k LocalService
     spoolsv.exe      1104            0:00:00.120      8      Spooler SubSystem App      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\spoolsv.exe
     alg.exe      1596            0:00:00.080      8      Application Layer Gateway Service      NT AUTHORITY\LOCAL SERVICE      C:\WINDOWS\System32\alg.exe
     gearsec.exe      1636            0:00:00.030      8      gearsec      NT AUTHORITY\SYSTEM      C:\WINDOWS\System32\gearsec.exe
     mdm.exe      1676            0:00:04.256      8      Machine Debug Manager      NT AUTHORITY\SYSTEM      "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
     nvsvc32.exe      1784            0:00:00.310      8            NT AUTHORITY\SYSTEM      C:\WINDOWS\System32\nvsvc32.exe
    lsass.exe      600            0:00:06.919      9      LSA Shell (Export Version)      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\lsass.exe
explorer.exe      1452            0:17:20.546      8      Windows Explorer      SOWARE\Administrator      C:\WINDOWS\Explorer.EXE
 dragdiag.exe      1536            0:01:00.587      8      SpeedTouch Statistics      SOWARE\Administrator      "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
 msnmsgr.exe      1564            0:00:09.523      8      MSN Messenger      SOWARE\Administrator      "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
 boinc_gui.exe      1668            0:00:02.173      8      boinc_gui      SOWARE\Administrator      "C:\Program Files\BOINC\boinc_gui.exe"  -min
  setiathome_3.08_windows_intelx86.exe      2020            0:00:31.405      4            SOWARE\Administrator      projects\\setiathome_3.08_windows_intelx86.exe
 getright.exe      1688            0:00:00.460      8      GetRight®      SOWARE\Administrator      "C:\Program Files\GetRight\getright.exe"
  getright.exe      1724            0:00:06.289      8      GetRight®      SOWARE\Administrator      "C:\Program Files\GetRight\getright.exe"
   btdownloadgui.exe      2396      3      0:12:19.202      8            SOWARE\Administrator      "C:\Program Files\BitTorrent\btdownloadgui.exe" --responsefile "C:\Downloads\Beautiful Agony[].torrent"
 Client.exe      1704      5      0:25:51.130      8            SOWARE\Administrator      "C:\Program Files\Samurize\Client.exe" i=Default
  procexp.exe      2204      3      0:00:04.055      13      Sysinternals Process Explorer      SOWARE\Administrator      "D:\procexpnt\procexp.exe"
 msimn.exe      2752            0:00:27.699      8      Outlook Express      SOWARE\Administrator      "C:\Program Files\Outlook Express\msimn.exe"
 wmplayer.exe      3236      23      2:02:51.329      8      Windows Media Player      SOWARE\Administrator      "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:8 /SHELLHLP_V9 Play /DataObject:NEFEPEHFBAAAAAAAOABAAAAAAAAAAAAAAMAAAAAAAAAAAAGEAAAAAAAAFAAAAAAAJKDMFFPPFJDLJDKKIMDOOHFBBDPDEMLGEAAOAAAAMKFAAENAILICJOIEMLEJKJAEAAAAAAAA
 notepad.exe      1432      2      0:00:00.270      8      Notepad      SOWARE\Administrator      C:\WINDOWS\system32\NOTEPAD.EXE c:\Procexp.txt
webshots.scr      1736            0:00:12.618      8      Webshots Photo Manager      SOWARE\Administrator      C:\WINDOWS\webshots.scr /t
btdownloadgui.exe      1816            0:16:49.481      8            SOWARE\Administrator      "C:\Program Files\BitTorrent\btdownloadgui.exe" --responsefile "C:\Documents and Settings\Administrator\Desktop\Horny Bunnies_ [by]_"
btdownloadgui.exe      1468      5      0:25:18.353      8            SOWARE\Administrator      "C:\Program Files\BitTorrent\btdownloadgui.exe" --responsefile "C:\Documents and Settings\Administrator\Desktop\BASIC_INSTINCT_SCN.torrent"

Process: Procexp Pid: -2

ProceXP is the program doing the dump, webshots is a desktop manager (I like it, anyway), boinc is the latest seti@home thing, torrent/getright are there by choice.

Next, a dump from hijackthis:

Running processes:
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\gearsec.exe ???
C:\Program Files\BOINC\boinc_gui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Samurize\Client.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\nvsvc32.exe ???
C:\Program Files\BOINC\projects\\setiathome_3.08_windows_intelx86.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Samurize.lnk = C:\Program Files\Samurize\Client.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: BOINC.lnk = C:\Program Files\BOINC\boinc_gui.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A45D9D7A-1970-49DC-A982-1433C66019DA}: NameServer = <hidden by Basiclife>
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C5F498-6B8E-4D4C-ABA6-16EC5C24AF95}: NameServer = <hidden by Basiclife>

Not sure about nwiz and what is nvsvc32? I'm guessing it's a 32-bit service of some kind... Also not sure about wsaupdater.

Google toolbar is there by choice, so is Samurize
Question by: basiclife

Accepted Solution

SheharyaarSaahil earned 500 total points
ID: 11821260
Hello basiclife =)

u have to Edit a registry entry >> F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

goto Start>run>regedit
and navigate to the following key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

look in the right pane for a key called Userinit
right click it and click Modify
u can see the value data as >> C:\Windows\System32\wsaupdater.exe,

change it to >> C:\Windows\System32\userinit.exe,
(Note the comma following the file path information)

save the file and restart ur machine
after that make sure it has not reverted back, and then fix the following entries !!!!

O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

and why u have restrictions on IE..... if u dont have put them urself then fix them also....

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

reboot in Safemode and run Adware, Spybot, CWShredder and Antivirus tool to make sure everything is clean !!!!
then restart in normal mode and dont connect to internet, first perform a repair on IE !!!!

try running this tool:

then reboot again, and now check for the problem..... post back the results ??
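As an added illustration (not part of the thread, and not HijackThis's own code), here is a small Python triage that applies the checks from the accepted answer to HijackThis-format log lines: a Userinit value other than the Windows default, O6 IE policy restrictions, orphaned O9 entries with "(no file)", and O2 BHOs listed for manual review. The sample log is constructed from the entries quoted above; the expected Userinit value is assumed to be the XP default `userinit.exe,` that the answer restores.

```python
import re

# Constructed sample in HijackThis format, taken from the entries quoted in
# the thread above. The F2 line is the one the accepted answer repairs.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\Windows\\System32\\wsaupdater.exe,
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\\WINDOWS\\twaintec.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar1.dll
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
"""

# Assumed default for HKLM\...\Winlogon\Userinit on Windows XP; the trailing
# comma is part of the value, as the answer notes. Compared case-insensitively.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")


def triage(log_text):
    """Return (severity, message) findings for the HijackThis sections the
    accepted answer singles out. O2 entries get no verdict, only a listing
    of what DLL each BHO loads so a human can review it."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("F2 ") and "UserInit=" in line:
            value = line.split("UserInit=", 1)[1].strip().lower()
            if value != EXPECTED_USERINIT:
                # Restore the registry value first: removing the file while
                # Userinit still points at it leaves the machine unable to log in.
                findings.append(("critical",
                                 "Userinit points at %s; restore userinit.exe "
                                 "before removing that file" % value))
        elif line.startswith("O6 ") and line.endswith(" present"):
            findings.append(("review", "IE policy restriction set: " + line[5:]))
        elif line.startswith("O9 ") and line.endswith("- (no file)"):
            findings.append(("orphan", "dangling IE button/menu entry: " + line[5:]))
        elif line.startswith("O2 "):
            m = BHO_RE.match(line)
            if m:
                findings.append(("review", "BHO %s loads %s"
                                 % (m.group("name"), m.group("path"))))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print("[%s] %s" % (severity.upper(), message))
```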


Author Comment

ID: 11824067
Will do thanks. While I'm doing this, what's wsaupdater?

Expert Comment

ID: 11824096
variant of BlazeFind adaware,,,, u need to edit the registry entry before removing it via spyware removal tools, otherwise u will be unable to login to windows !!!!!


Author Comment

ID: 11825341
Congratulations:- You just gave me a heart attack :D

I did nuke the offending link (rather than repair) and then my computer died due to a power cut. Fortunately, there's a reg entry of OldUserinit which has the correct setting. I'm guessing windows defaulted to this *phew* Either way, the iefix tool worked fine except that after DLing the new version of IE it gave me an error similar to the "untested driver" except that it was "untested / unsigned software" and wouldn't let me re-install IE. I undid the registry nuking of my current version and played on a bit. Seems to all be working now, except that MSN is now unable to interact with outlook express (oh, no!) but tbh that's an improvement as well so no complaints.

I'll browse the web for an hour or so and see if I get any more popups. If not, the points are yours :-D

Expert Comment

ID: 11825389
>> except that MSN is now unable to interact with outlook express (oh, no!)

u mean windows messenger  ??
if yes then u must have disabled messenger service like this >>

Author Comment

ID: 11825498
No I mean MSN messenger (Chat program) I use trillian anyway but have never gotten around to disabling MSN at startup. If you use outlook express, it tries to import the MSN contacts as email contacts. This is INCREDIBLY irritating, as it means MSN won't close unless outlook is closed and MSN launches with outlook. I don't use MSN but I do (for my sins) use outlook. Normally, the only way to kill MSN without outlook is to kill the process. Now, it doesn't seem to object which is nice. I'll eventually get round to disabling MSN altogether but since I only reboot my machine about once a fortnight (or more) it's not a major nag.

On a different note, browsing seems to be going fine so

*drum roll*


Author Comment

ID: 11825519
On a different note, I think my computer is getting sluggish from all the s**t I install and then remove so I think a reinstall is about due. The problem is finding somewhere to store the approx. 200GB of useful data I have. Looks like time to buy another few HDDs and use my RAID array to its full potential

Expert Comment

ID: 11825716
yeah u can think,,,, when a person rolls a bag on ground from a place to another, and then the other person comes and rolls it back to the original place,,,, how sluggish will it be ;-)
same applies to computers i think,,,, i dont take them as machines most of the times,,,,, i have spent that much time with them, that i have started to think abt their "Sufferings"  :D
