Solved

Loads of spyware problems (and I've tried the obvious)

Posted on 2004-08-17
693 Views
Last Modified: 2008-01-09
Hi everyone

Problems: When surfing, I get an ie window load (hidden until an ad is displayed). I'm damned if I can work out why. I've done EVERYTHING I can think of. I believe it modifies the code of the incoming page to load some JavaScript (I get javascript errors on almost EVERY page I go to and when there's an error, no popup)


OK, I've run:

msconfig and removed everything I don't want running
Adaware 6
SpyBot
HiJackThis

I have a program called alg.exe running as a local service but don't want to kill it as I suspect it may be for my Alcatel Speedtouch modem (anyone know?)

Below is a dump of all running processes:
Process      PID      CPU      CPU Time      Priority      Description      User Name      Command Line
System Idle Process      0      54      15:31:11.238      0            NT AUTHORITY\SYSTEM      
 Interrupts      0            0:12:40.643      0      Hardware Interrupts            
 DPCs      0      5      0:38:31.894      0      Deferred Procedure Calls            
 System      4      2      0:16:03.685      8            NT AUTHORITY\SYSTEM      
  smss.exe      464            0:00:00.070      11      Windows NT Session Manager      NT AUTHORITY\SYSTEM      \SystemRoot\System32\smss.exe
   csrss.exe      520            0:01:54.354      13      Client Server Runtime Process      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxReque{ÖwC:\Procexp.txt
   winlogon.exe      544            0:00:02.824      13      Windows NT Logon Application      NT AUTHORITY\SYSTEM      winlogon.exe
    services.exe      588      1      0:00:04.536      9      Services and Controller app      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\services.exe
     svchost.exe      776            0:00:01.141      8      Generic Host Process for Win32 Services      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\svchost -k rpcss
      IEXPLORE.EXE      1444            0:03:40.457      8      Internet Explorer      SOWARE\Administrator      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
     svchost.exe      824            0:02:50.535      8      Generic Host Process for Win32 Services      NT AUTHORITY\SYSTEM      C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe      980            0:00:01.792      8      Generic Host Process for Win32 Services      NT AUTHORITY\NETWORK SERVICE      C:\WINDOWS\System32\svchost.exe -k NetworkService
     svchost.exe      996            0:01:27.325      8      Generic Host Process for Win32 Services      NT AUTHORITY\LOCAL SERVICE      C:\WINDOWS\System32\svchost.exe -k LocalService
     spoolsv.exe      1104            0:00:00.120      8      Spooler SubSystem App      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\spoolsv.exe
     alg.exe      1596            0:00:00.080      8      Application Layer Gateway Service      NT AUTHORITY\LOCAL SERVICE      C:\WINDOWS\System32\alg.exe
     gearsec.exe      1636            0:00:00.030      8      gearsec      NT AUTHORITY\SYSTEM      C:\WINDOWS\System32\gearsec.exe
     mdm.exe      1676            0:00:04.256      8      Machine Debug Manager      NT AUTHORITY\SYSTEM      "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"
     nvsvc32.exe      1784            0:00:00.310      8            NT AUTHORITY\SYSTEM      C:\WINDOWS\System32\nvsvc32.exe
    lsass.exe      600            0:00:06.919      9      LSA Shell (Export Version)      NT AUTHORITY\SYSTEM      C:\WINDOWS\system32\lsass.exe
explorer.exe      1452            0:17:20.546      8      Windows Explorer      SOWARE\Administrator      C:\WINDOWS\Explorer.EXE
 dragdiag.exe      1536            0:01:00.587      8      SpeedTouch Statistics      SOWARE\Administrator      "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
 msnmsgr.exe      1564            0:00:09.523      8      MSN Messenger      SOWARE\Administrator      "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
 boinc_gui.exe      1668            0:00:02.173      8      boinc_gui      SOWARE\Administrator      "C:\Program Files\BOINC\boinc_gui.exe"  -min
  setiathome_3.08_windows_intelx86.exe      2020            0:00:31.405      4            SOWARE\Administrator      projects\setiathome.berkeley.edu\setiathome_3.08_windows_intelx86.exe
 getright.exe      1688            0:00:00.460      8      GetRight®  www.getright.com      SOWARE\Administrator      "C:\Program Files\GetRight\getright.exe"
  getright.exe      1724            0:00:06.289      8      GetRight®  www.getright.com      SOWARE\Administrator      "C:\Program Files\GetRight\getright.exe"
   btdownloadgui.exe      2396      3      0:12:19.202      8            SOWARE\Administrator      "C:\Program Files\BitTorrent\btdownloadgui.exe" --responsefile "C:\Downloads\Beautiful Agony[www.lokitorrent.com].torrent"
 Client.exe      1704      5      0:25:51.130      8            SOWARE\Administrator      "C:\Program Files\Samurize\Client.exe" i=Default
  procexp.exe      2204      3      0:00:04.055      13      Sysinternals Process Explorer      SOWARE\Administrator      "D:\procexpnt\procexp.exe"
 msimn.exe      2752            0:00:27.699      8      Outlook Express      SOWARE\Administrator      "C:\Program Files\Outlook Express\msimn.exe"
 wmplayer.exe      3236      23      2:02:51.329      8      Windows Media Player      SOWARE\Administrator      "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:8 /SHELLHLP_V9 Play /DataObject:NEFEPEHFBAAAAAAAOABAAAAAAAAAAAAAAMAAAAAAAAAAAAGEAAAAAAAAFAAAAAAAJKDMFFPPFJDLJDKKIMDOOHFBBDPDEMLGEAAOAAAAMKFAAENAILICJOIEMLEJKJAEAAAAAAAA
 notepad.exe      1432      2      0:00:00.270      8      Notepad      SOWARE\Administrator      C:\WINDOWS\system32\NOTEPAD.EXE c:\Procexp.txt
webshots.scr      1736            0:00:12.618      8      Webshots Photo Manager      SOWARE\Administrator      C:\WINDOWS\webshots.scr /t
btdownloadgui.exe      1816            0:16:49.481      8            SOWARE\Administrator      "C:\Program Files\BitTorrent\btdownloadgui.exe" --responsefile "C:\Documents and Settings\Administrator\Desktop\Horny Bunnies_ [by]_ www.zaebok.net.torrent"
btdownloadgui.exe      1468      5      0:25:18.353      8            SOWARE\Administrator      "C:\Program Files\BitTorrent\btdownloadgui.exe" --responsefile "C:\Documents and Settings\Administrator\Desktop\BASIC_INSTINCT_SCN.torrent"

Process: Procexp Pid: -2


ProceXP is the program doing the dump, webshots is a desktop manager (I like it, anyway), boinc is the latest seti@home thing, torrent/getright are there by choice.

Next, a dump from hijackthis:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\gearsec.exe ???
C:\Program Files\BOINC\boinc_gui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Samurize\Client.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\System32\nvsvc32.exe ???
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_3.08_windows_intelx86.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\procexpnt\procexp.exe
C:\Downloads\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Samurize.lnk = C:\Program Files\Samurize\Client.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: BOINC.lnk = C:\Program Files\BOINC\boinc_gui.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A45D9D7A-1970-49DC-A982-1433C66019DA}: NameServer = <hidden by Basiclife>
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6C5F498-6B8E-4D4C-ABA6-16EC5C24AF95}: NameServer = <hidden by Basiclife>


Not sure about nwiz and what is nvsvc32? I'm guessing it's a 32-bit service of some kind... Also not sure about wsaupdater.

Google toolbar is there by choice, so is Samurize.
Question by:basiclife
8 Comments
 
Accepted Solution by: SheharyaarSaahil (earned 500 total points)
Hello basiclife =)

You have to edit a registry entry >> F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

Go to Start > Run > regedit
and navigate to the following key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Look in the right pane for a key called Userinit
Right click it and click Modify
You can see the value data as >> C:\Windows\System32\wsaupdater.exe,

Change it to >> C:\Windows\System32\userinit.exe,
(Note the comma following the file path information)

Save the file and restart your machine
After that make sure it has not reverted back, and then fix the following entries !!!!

O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

And why do you have restrictions on IE..... if you didn't put them there yourself then fix them also....

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Reboot in Safe Mode and run Ad-Aware, Spybot, CWShredder and an antivirus tool to make sure everything is clean !!!!
Then restart in normal mode and don't connect to the internet; first perform a repair on IE !!!!

try running this tool:
http://www.mvps.org/sramesh2k/IEFIX.htm

Then reboot again, and now check for the problem..... post back the results ??

!! GOOD LUCK !!
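A read-only audit of the three things the accepted answer tells the poster to fix: the Winlogon Userinit value (the HijackThis F2 line), the Browser Helper Objects registered for Internet Explorer (the O2 lines) and the IE policy keys (the O6 lines). This is an added example, not anything posted in the thread or part of HijackThis; it assumes Windows PowerShell on an elevated prompt, uses the standard registry locations for those three items, and the "suspicious BHO" heuristic (DLL missing, or sitting directly in the Windows directory the way twaintec.dll does in the log) is my own, not a HijackThis rule. It reports only and changes nothing, so it can be run before and after the manual edit to confirm the value has not reverted, as the answer asks.

```powershell
# Added audit script (not from this thread). Read-only: it reports, it changes nothing.
# Covers the three HijackThis line types the accepted answer tells the poster to fix:
#   F2 - Winlogon Userinit value
#   O2 - Browser Helper Objects registered for Internet Explorer
#   O6 - Internet Explorer policy restriction keys
# Assumes Windows PowerShell run from an elevated prompt so HKLM is readable in full.

function Test-UserinitValue {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $actual   = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    # The default is the path to userinit.exe followed by a trailing comma; anything
    # else listed here (wsaupdater.exe in the log) runs at every logon before the shell.
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe,'
    [PSCustomObject]@{
        Value     = $actual
        Expected  = $expected
        IsDefault = ($actual.Trim() -ieq $expected)
    }
}

function Get-RegisteredBho {
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
        $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        # Heuristic (my own, not HijackThis's): a BHO whose DLL is missing, or which sits
        # directly in the Windows directory as twaintec.dll does in the log, is worth a
        # closer look. Legitimate ones normally live under Program Files.
        $flag = (-not $dll) -or (-not (Test-Path -LiteralPath $dll)) -or
                ((Split-Path -Path $dll -Parent) -ieq $env:SystemRoot)
        [PSCustomObject]@{ CLSID = $clsid; Name = $name; DLL = $dll; Suspicious = $flag }
    }
}

function Get-IePolicyKey {
    # The four O6 entries in the log are exactly these hive/subkey combinations.
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Restrictions', 'Control Panel') {
            $path = "${hive}:\Software\Policies\Microsoft\Internet Explorer\$sub"
            if (Test-Path -Path $path) { $path }
        }
    }
}

$u = Test-UserinitValue
if ($u.IsDefault) { Write-Output "Userinit OK: $($u.Value)" }
else { Write-Warning "Userinit is not the default: '$($u.Value)' (expected '$($u.Expected)')" }

Get-RegisteredBho | Format-Table -AutoSize

Get-IePolicyKey | ForEach-Object { Write-Warning "IE policy key present: $_" }
```

Save it as a .ps1 and run it from an elevated PowerShell prompt. Because it only reads, it is safe to run before the Userinit edit; the point the thread makes still stands, that the value must be put back to userinit.exe before any tool deletes wsaupdater.exe, or the next logon fails.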
 
Author Comment by: basiclife
Will do thanks. While I'm doing this, what's wsaupdater?
 
Expert Comment by: SheharyaarSaahil
Variant of BlazeFind adware. You need to edit the registry entry before removing it via spyware removal tools, otherwise you will be unable to log in to Windows !!!!!
 
Author Comment by: basiclife
Congratulations:- You just gave me a heart attack :D

I did nuke the offending link (rather than repair) and then my computer died due to a power cut. Fortunately, there's a reg entry of OldUserinit which has the correct setting. I'm guessing Windows defaulted to this *phew*. Either way, the iefix tool worked fine except that after DLing the new version of IE it gave me an error similar to the "untested driver" one, except that it was "untested / unsigned software" and wouldn't let me re-install IE. I undid the registry nuking of my current version and played on a bit. Seems to all be working now, except that MSN is now unable to interact with Outlook Express (oh, no!) but tbh that's an improvement as well so no complaints.

I'll browse the web for an hour or so and see if I get any more popups. If not, the points are yours :-D
 
Expert Comment by: SheharyaarSaahil
>> except that MSN is now unable to interact with Outlook Express (oh, no!)

You mean Windows Messenger ??
If yes then you must have disabled the Messenger service like this >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
 
Author Comment by: basiclife
No I mean MSN messenger (Chat program) I use trillian anyway but have never gotten around to disabling MSN at startup. If you use outlook express, it tries to import the MSN contacts as email contacts. This is INCREDIBLY irritating, as it means MSN won't close unless outlook is closed and MSN launches with outlook. I don't use MSN but I do (for my sins) use outlook. Normally, the only way to kill MSN without outlook is to kill the process. Now, it doesn't seem to object which is nice. I'll eventually get round to disabling MSN altogether but since I only reboot my machine about once a fortnight (or more) it's not a major nag.

On a different note, browsing seems to be going fine so

*drum roll*

THE POINTS!
 
Author Comment by: basiclife
On a different note, I think my computer is getting sluggish from all the s**t I install and then remove, so I think a reinstall is about due. The problem is finding somewhere to store the approx. 200GB of useful data I have. Looks like it's time to buy another few HDDs and use my RAID array to its full potential.
 
Expert Comment by: SheharyaarSaahil
Yeah, you can think: when a person rolls a bag on the ground from one place to another, and then the other person comes and rolls it back to the original place, how sluggish will it be ;-)
The same applies to computers, I think. I don't take them as machines most of the time; I have spent that much time with them that I have started to think about their "Sufferings" :D