asked on

Loads of spyware problems (and I've tried the obvious)

Hi everyone

Problems: When surfing, I get an ie window load (hidden until an ad is displayed). I'm damned if I can work out why. I've done EVERYTHING I can think of. I believe it modifys the code of the incoming page to load some JavaScript (I get javascript errors on almost EVERY page I go to and when there's an error, no popup)

OK, I've run:

msconfig and removed everything I don't want running
Adaware 6
SpyBot
HiJackThis

I have a program called alg.exe running as a local service but don't want to kill it as I suspect it may be for my Alcatel Speedtouch modem (anyone know?)

Below is a dump of all running processes:
Process      PID      CPU      CPU Time      Priority      Description      User Name      Command Line
System Idle Process      0      54      15:31:11.238      0            NT AUTHORITY\SYSTEM
Interrupts      0            0:12:40.643      0      Hardware Interrupts
DPCs      0      5      0:38:31.894      0      Deferred Procedure Calls
System      4      2      0:16:03.685      8            NT AUTHORITY\SYSTEM
smss.exe      464            0:00:00.070      11      Windows NT Session Manager      NT AUTHORITY\SYSTEM      \SystemRoot\System32\smss.exe
csrss.exe      520            0:01:54.354      13      Client Server Runtime Process      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxReque{ÖwC:\Procexp.txt
winlogon.exe      544            0:00:02.824      13      Windows NT Logon Application      NT AUTHORITY\SYSTEM      winlogon.exe
services.exe      588      1      0:00:04.536      9      Services and Controller app      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\services.exe
svchost.exe      776            0:00:01.141      8      Generic Host Process for Win32 Services      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\svchost -k rpcss
IEXPLORE.EXE      1444            0:03:40.457      8      Internet Explorer      SOWARE\Administrator      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
svchost.exe      824            0:02:50.535      8      Generic Host Process for Win32 Services      NT AUTHORITY\SYSTEM      C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe      980            0:00:01.792      8      Generic Host Process for Win32 Services      NT AUTHORITY\NETWORK SERVICE      C:\WINDOWS\System32\svchost.exe -k NetworkService
svchost.exe      996            0:01:27.325      8      Generic Host Process for Win32 Services      NT AUTHORITY\LOCAL SERVICE      C:\WINDOWS\System32\svchost.exe -k LocalService
spoolsv.exe      1104            0:00:00.120      8      Spooler SubSystem App      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\spoolsv.exe
alg.exe      1596            0:00:00.080      8      Application Layer Gateway Service      NT AUTHORITY\LOCAL SERVICE      C:\WINDOWS\System32\alg.exe
gearsec.exe      1636            0:00:00.030      8      gearsec      NT AUTHORITY\SYSTEM      C:\WINDOWS\System32\gearsec.exe
mdm.exe      1676            0:00:04.256      8      Machine Debug Manager      NT AUTHORITY\SYSTEM      "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
nvsvc32.exe      1784            0:00:00.310      8            NT AUTHORITY\SYSTEM      C:\WINDOWS\System32\nvsvc32.exe
lsass.exe      600            0:00:06.919      9      LSA Shell (Export Version)      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\lsass.exe
explorer.exe      1452            0:17:20.546      8      Windows Explorer      SOWARE\Administrator      C:\WINDOWS\Explorer.EXE
dragdiag.exe      1536            0:01:00.587      8      SpeedTouch Statistics      SOWARE\Administrator      "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
msnmsgr.exe      1564            0:00:09.523      8      MSN Messenger      SOWARE\Administrator      "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
boinc_gui.exe      1668            0:00:02.173      8      boinc_gui      SOWARE\Administrator      "C:\Program Files\BOINC\boinc_gui.exe" -min
setiathome_3.08_windows_intelx86.exe      2020            0:00:31.405      4            SOWARE\Administrator      projects\setiathome.berkeley.edu\setiathome_3.08_windows_intelx86.exe
getright.exe      1688            0:00:00.460      8      GetRight® www.getright.com      SOWARE\Administrator      "C:\Program Files\GetRight\getright.exe"
getright.exe      1724            0:00:06.289      8      GetRight® www.getright.com      SOWARE\Administrator      "C:\Program Files\GetRight\getright.exe"
btdownloadgui.exe      2396      3      0:12:19.202      8            SOWARE\Administrator      "C:\Program Files\BitTorrent\btdownloadgui.exe" --responsefile "C:\Downloads\Beautiful Agony[www.lokitorrent.com].torrent"
Client.exe      1704      5      0:25:51.130      8            SOWARE\Administrator      "C:\Program Files\Samurize\Client.exe" i=Default
procexp.exe      2204      3      0:00:04.055      13      Sysinternals Process Explorer      SOWARE\Administrator      "D:\procexpnt\procexp.exe"
msimn.exe      2752            0:00:27.699      8      Outlook Express      SOWARE\Administrator      "C:\Program Files\Outlook Express\msimn.exe"
wmplayer.exe      3236      23      2:02:51.329      8      Windows Media Player      SOWARE\Administrator      "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:8 /SHELLHLP_V9 Play /DataObject:NEFEPEHFBAAAAAAAOABAAAAAAAAAAAAAAMAAAAAAAAAAAAGEAAAAAAAAFAAAAAAAJKDMFFPPFJDLJDKKIMDOOHFBBDPDEMLGEAAOAAAAMKFAAENAILICJOIEMLEJKJAEAAAAAAAA
notepad.exe      1432      2      0:00:00.270      8      Notepad      SOWARE\Administrator      C:\WINDOWS\system32\NOTEPAD.EXE c:\Procexp.txt
webshots.scr      1736            0:00:12.618      8      Webshots Photo Manager      SOWARE\Administrator      C:\WINDOWS\webshots.scr /t
btdownloadgui.exe      1816            0:16:49.481      8            SOWARE\Administrator      "C:\Program Files\BitTorrent\btdownloadgui.exe" --responsefile "C:\Documents and Settings\Administrator\Desktop\Horny Bunnies_ [by]_ www.zaebok.net.torrent"
btdownloadgui.exe      1468      5      0:25:18.353      8            SOWARE\Administrator      "C:\Program Files\BitTorrent\btdownloadgui.exe" --responsefile "C:\Documents and Settings\Administrator\Desktop\BASIC_INSTINCT_SCN.torrent"

Process: Procexp Pid: -2

ProceXP is the program doing the dump, webshots is a desktoip manager (I like it, anyway), boinc is the latest seti@home thing, torrent/getright are there by choice.

Next, a dump from hijackthis:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\gearsec.exe ???
C:\Program Files\BOINC\boinc_gui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Samurize\Client.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\System32\nvsvc32.exe ???
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_3.08_windows_intelx86.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\procexpnt\procexp.exe
C:\Downloads\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Samurize.lnk = C:\Program Files\Samurize\Client.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: BOINC.lnk = C:\Program Files\BOINC\boinc_gui.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A45D9D7A-1970-49DC-A982-1433C66019DA}: NameServer = <hidden by Basiclife>
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C5F498-6B8E-4D4C-ABA6-16EC5C24AF95}: NameServer = <hidden by Basiclife>

Not usre about nwiz and what is nvsvc32? I'm guessing it's a 32-bit service of some kind... Also not sure about wsaupdater.

Google toolbar is there by choice, so is Samurise

ASKER CERTIFIED SOLUTION

SheharyaarSaahil

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

basiclife

ASKER

Will do thanks. While I'm doing this, what's wsaupdater?

SheharyaarSaahil

variant of BlazeFind adaware,,,, u need to edit the registry entry before removing it via spyware removal tools, otherwise u will be unable to login to windows !!!!!

basiclife

ASKER

Congratulatios:- You just gave me a heart attack :D

I did nuke the offending link (rather than repair) and then my computer died due to a power cut. Fortunately, there's a reg entry of OldUserinit which has the correct setting. I'm guessing windows defaulted to this *phew* Either way, the iefix took worked fine except that after DLing the new version of IE it gave me an error similar to the "untested driver" except that it was "untested / unsigned software" and wouldn't let me re-install ie. I undid the registry nuking of my current version and played on a bit. Seems to all be working now, except that MSN is now unable o interact with outlook express (oh, no!) but tbh that's an improvement as well so no complaints.

I'll browse the web for an hour or so and see if I get any more popups. If not, the points are yours :-D

SheharyaarSaahil

>> except that MSN is now unable o interact with outlook express (oh, no!)

u mean windows messenger ??
if yes then u must have disabled messenger service like this >> http://www.itc.virginia.edu/desktop/docs/messagepopup/

basiclife

ASKER

No I mean MSN messenger (Chat program) I use trillian anyway but have never gotten around to disabling MSN at startup. If you use outlook express, it tries to import the MSN contacts as email contacts. This is INCREDIBLY irritating, as it means MSN won't close unless outlook is closed and MSN launches with outlook. I don't use MSN but I do (for my sins) use outlook. Normally, the only way to kill MSN without outlook is to kill the process. Now, it doesn't seem to object which is nice. I'll eventually get round to disabling MSN altogether but since I only reboot my machine about once a fortnight (or more) it's not a major nag.

On a different note, browsing seems to be going fine so

*drum roll*

THE POINTS!

basiclife

ASKER

On a different note, I think my computer is getting sluggish form all the s**t I install and then remove so I think a reinstall is about due. The problem is finding somewhere to store the approx. 200GB of useful data I have. Looks like time to buy another few HDDs and a use my RAID array ot the full potential

SheharyaarSaahil

yeah u can think,,,, when a person rolls a bag on ground from a place to another, and then the other person comes and rolls it back to the original place,,,, how sluggish will it be ;-)
same applies to computers i think,,,, i dont take them as machines most of the times,,,,, i have spent that much time with them, that i have started to think abt their "Sufferings" :D