Posted on 2005-05-16
Last Modified: 2013-12-04
Im having real trouble with some irritating dialler. I have used spybot too try and pick it up and still no joy... Everytime I connet too the internet which my normal provider, i get disconnected nearly immediately... I also regularly get a message c:\windows \system32\ The system file is not suitable for running MS-DOS and windows applications...

Any advice?
Question by:paulo111
    LVL 67

    Expert Comment

    Download then post your log to the same site...

    Author Comment

    Many Thanks

    There is a 'nasty' called ALCMTR (logo like a crab?) I have just tried to delete thefile and it wont let me... Any advice?

    running process. (ALCMTR.EXE)
    Realtek AC97 Audio - Event Monitor. "Sypware" file used surreptitiously monitor ones actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers   This is a nasty process! You should fix it and try to delete it manually!  
    LVL 67

    Expert Comment

    Try booting into safe mode and rerun Hijackthis
    LVL 67

    Expert Comment

    This even recommends Hijackthis:

    Author Comment

    Still having trouble with this damn dialler, have used the site you recommend and deleted all the nastys.. I still have this damn dialler thing loading up and some agreement popping up each time is sing into the net, obviously i dont agree too this damn agreement, but I continually get this lauch dialler stuff every time, and get disconnected all the time from my internet connection.

    Each time after I have been disconnected I get c:\windows\system32\

    c:\windows\system32\autoexec.nt and then he system file is not suitable for running MS-DOS and windows application. Click close t terminate the application??

    I never had these problems b4 this irritating dialler 'appeared', how can I kill it? Used sirbountys site above and spybot, still no joy...
    LVL 67

    Expert Comment

    paulo111 - try this:

    Start->Run->Notepad %systemroo%\system32\autoexec.nt <Enter>
    Anything in that file?  If so, please post it.

    Also post your hijackthis log please.

    Author Comment

    nothing in that file

    Logfile of HijackThis v1.99.1
    Scan saved at 15:20:18, on 17/05/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
    C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\ntldial\NTLDIAL.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 2 for\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
    R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\uytuy.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
    O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewdm32.exe
    O4 - HKLM\..\Run: [gaSrv] C:\WINDOWS\gaSrv.exe
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\RunOnce: [isDeleteMe] "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\isDel.bat"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Search -
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BCCA9E39-F8A6-4CBB-A7F4-B61891D603C7}: NameServer =
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

    LVL 67

    Accepted Solution

    I would be a bit suspicious about agrsmmsg - read more here:

    gah95on6 is suspected as being spyware.  You probably want to remove it as well as
    O4 - HKLM\..\Run: [gaSrv] C:\WINDOWS\gaSrv.exe
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe

    I'm wondering why msiexec.exe was loaded here - were you installing something at the time?

    But I think the dialer may be coming from svchos1at.exe.  
    Kazaa is known for stirring up trouble as well.  The lite version is supposed to be 'safer'.

    Clear all your R0,R1 & R3 entries
    Then remove these as well:
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\uytuy.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewdm32.exe
    O8 - Extra context menu item: &Search -

    I would also be suspicious of what's inside of C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\isDel.bat (open it with notepad - don't double-click it)
    LVL 67

    Expert Comment

    Glad you got it sorted. :)

    Featured Post

    Superior storage. Superior surveillance.

    WD Purple drives are built for 24/7, always-on, high-definition security systems. With support for up to 8 hard drives and 32 cameras, WD Purple drives are optimized for surveillance.

    Join & Write a Comment

    Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
    Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
    In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now