Nasty Invasion

pursang

New Member
This is my 1st comp and after a week of being plagued with annoyances I've decided to dive in and ask for help.

I think this may have started when I un-installed my old AVG to install the new version.

The problems: after I've started the comp it seems to keep on running (makes noises like it's downloading) long after it should be ready to use. My only solution to this is to hit the switch on the powerbar, wait a minute, then restart again; this seems to work but lately I've had to repeat this a few times.

I keep getting bumped out of threads and sometimes completely out of sites.

Garbage keeps popping onto the screen and quickly hitting the back button doesn't always remove it.

Yesterday my google toolbar went missing.

Today it's taking two hits on the back button to go back one page.

I'm looking to get some good advice on this before I proceed. I read the "Essential Read" and it mentions installing stuff like Spybot, but when I looked into that I found some disturbing reviews; this is one from CNET.

"It does not uninstall without leaving disastrous effects."

"It leaves TCP port 25 outbound blocked so you can't send email anymore with various email programs. The Spybot site does not give a solution. If you don't want to completely re-install Windows and everything else, avoid this program like the plague."


The editors at CNET mentioned there was better (free) stuff available but didn't mention any names, so I'm just left kind of hanging here!
 

PC eye

banned
I find reviews sometimes helpful and sometimes a hindrance. The problem you are running into there is most likely what is called a browser hijacker. The latest AVG 7.5 does have an updated database, but the real word is never to count on one or two or three "bug hunters" to get anything done! The following will help in de"Bugging" your system.

Since you are already familiar with AVG the 7.5 version won't be so new. But did you know Grisoft bought out Ewido? You'll find the 7.5 version and the new AVG Anti-Spyware Remover at http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free

PC World recently had a good review on Spyware Terminator that includes a personal firewall. This will prompt you to either allow or deny "anything new" from starting up. It's also free at http://www.spywareterminator.com/

How about a free online scan of your system. House Call may require you to download and install Trend Micro's PC-cillin which also includes a personal firewall but includes some "bug blasters" as well. http://housecall.trendmicro.com/

Sometimes Lavasoft's AdAware SE Personal edition (free too) will remove this type of annoyance. http://www.lavasoft.com
 

pursang

New Member
Thanks PC eye, not sure if this helps any but this is one of the pop-ups that keeps showing up.

(attached image: nexopiaintrusion.jpg)
 

PC eye

banned
The wonders (blunders) of addon toolbars. :rolleyes: They always leave you wide open for something! If you need one that sees far less crud than Google, Yahoo, and others, I can point you at it once you get situated.
 

pursang

New Member
When I try to download HijackThis this WinZip Self Extractor window comes up and I don't see anything about the default directory?
 

Buzz1927

Digaredd
When I try to download HijackThis this WinZip Self Extractor window comes up and I don't see anything about the default directory?
What does it say in the directory box? It should be C:\program files\hijackthis. Does the "browse" button work?
 

PC eye

banned
When going to download anything compressed, first create a temporary folder for unpacking the files, or use the "check out" option in WinZip itself to extract the files. WinZip will create a new subfolder where you then simply right click to create a new desktop shortcut or simply drag the executable onto the desktop.

You can also try different download links found at http://www.spywareinfo.com/~merijn/programs.php to see if the previous attempt saw an incomplete download.
 

pursang

New Member
What does it say in the directory box? It should be C:\program files\hijackthis. Does the "browse" button work?

Yes, the directory box looks pretty much as you've written it; the browse button works and I thought that's where I would find the default directory but didn't see it.
 

pursang

New Member
When going to download anything compressed, first create a temporary folder for unpacking the files, or use the "check out" option in WinZip itself to extract the files. WinZip will create a new subfolder where you then simply right click to create a new desktop shortcut or simply drag the executable onto the desktop.

You can also try different download links found at http://www.spywareinfo.com/~merijn/programs.php to see if the previous attempt saw an incomplete download.

I was wondering how I create the temporary folder you mentioned? I decided to check out the Merijn.org site and pressed the button for downloading HijackThis, but I'm not really sure what's happened or what to do. A white screen came up and the HijackThis icon appears at the upper left hand corner, but I didn't want to play with it too much 'cause I wasn't sure if it was in its own folder and wouldn't produce backups.
 

PC eye

banned
Buzz just gave you a link for a direct download to the desktop for fast installation there. To create a temp folder, or even one for storing files, you simply click on the "file" item seen on the explorer window while browsing your hard drive and choose where you want the new folder created. Under a main folder of "XPfiles" or "WINXP updates" or utilities you can also create and organize various sub folders for saving the full versions of HT, AVG, Spybot S&D, and other types of files like video and sound updates, drive utilities, etc. Once on the file menu you simply click on the "new folder" link to create and name as many as you need.
 

pursang

New Member
Here we go.

Logfile of HijackThis v1.99.1
Scan saved at 4:47:50 PM, on 1/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\O79N2MF5\HijackThis1991[1].exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchEnhancer\nsoA.dll
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - C:\WINDOWS\system32\SmartShopper\SmartShopper0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
 

PC eye

banned
Let's see, you have a few questionable items that could be fixed or manually removed, like the Realtek customer data collector.
C:\WINDOWS\ALCXMNTR.EXE

You have a browser hijacker now being seen.
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchEnhancer\nsoA.dll

How about a nice little adbot from smartshopper.
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - C:\WINDOWS\system32\SmartShopper\SmartShopper0.dll

You use WeatherBug? That's a guaranteed "bug attractor" with its own set of adwares and spywares!
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
 
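The sorting PC eye just did by eye can be scripted for a log of this size. The Python below is an added example, not code from the thread or from HijackThis; its heuristics are my own encoding of the points made above (a BHO tucked in a folder under system32, a throwaway BHO name, an autorun given as a bare filename, a "file missing" button, and two entries sharing a CLSID stem), and the sample lines are constructed from the posted log.

```python
import re

# Constructed sample in HijackThis v1.99 log format. The entries mirror the ones
# PC eye singled out above, plus two benign ones (Acrobat, AVG) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchEnhancer\nsoA.dll
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - C:\WINDOWS\system32\SmartShopper\SmartShopper0.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
# A DLL sitting in its own folder directly under system32 is unusual for a BHO.
SYS32_SUBDIR_RE = re.compile(r"\\system32\\[^\\]+\\[^\\]+$", re.IGNORECASE)


def triage(log_text):
    """Return {log line: [reasons]}; heuristics are mine, they shortlist, not condemn."""
    findings = {}
    seen_stem = {}  # first four GUID groups -> line that introduced them

    def flag(line, reason):
        findings.setdefault(line, []).append(reason)

    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O2":  # O2 - BHO: <name> - {CLSID} - <dll path>
            parts = body.split(" - ")
            name, path = parts[0][len("BHO: "):], parts[-1]
            if SYS32_SUBDIR_RE.search(path):
                flag(line, "BHO loaded from a folder nested under system32")
            if len(name) <= 3 and name.islower():
                flag(line, "BHO with a throwaway, non-descriptive name")
        elif section == "O4" and "] " in body:  # O4 - <hive>\..\Run: [<value>] <command>
            command = body.split("] ", 1)[1]
            if "\\" not in command.split(" ", 1)[0]:
                flag(line, "autorun command is a bare filename resolved via the search path")
        elif section == "O9" and "(file missing)" in body:
            flag(line, "stale IE button whose target file no longer exists")
        clsid = CLSID_RE.search(body)
        if clsid:
            stem = clsid.group(1)[:23]
            if seen_stem.setdefault(stem, line) != line:
                flag(line, "shares a CLSID stem with an earlier entry (likely same family)")
    return findings
```

Run `triage(SAMPLE_LOG)` and you get the same four entries PC eye picked out, with the SmartShopper BHO additionally tied to the SearchEnhancer one by its CLSID stem.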

pursang

New Member
Let's see, you have a few questionable items that could be fixed or manually removed, like the Realtek customer data collector.
C:\WINDOWS\ALCXMNTR.EXE

You have a browser hijacker now being seen.
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchEnhancer\nsoA.dll

How about a nice little adbot from smartshopper.
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-436325722327} - C:\WINDOWS\system32\SmartShopper\SmartShopper0.dll

You use WeatherBug? That's a guaranteed "bug attractor" with its own set of adwares and spywares!
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
Excellent work PC eye! Thank you. I imagine the browser hijacker has been causing the most problems, or at least the most obvious ones.

I'm not sure about the WeatherBug. I remember when I first got my computer there was some kind of weather service which was pretty useless to me as it only covered the States and not Canada; I thought I got rid of that.

I'll hold off on making any changes and wait for your advice. I'm afraid I may have messed up the download of HijackThis: my first attempt involved installing the program to the default directory which I couldn't find, then I installed it from the link that Buzz gave me and that process seemed to be different again from the first. Anyway, my attempt at following your advice on making a folder has gone awry. I went into Presario (C) Hard Disc and made a folder, thinking it would be available for the HijackThis program; it remains empty though, so I deleted it. Honestly, at this point I'm not even sure where the HijackThis program is!

Thanks again for your patience and advice.
 

PC eye

banned
Usually I first create a main folder with sub folders for different things, like one named "utility" for utilities downloaded, a "system" folder for things like IE kept in another sub folder there, jpeg for jpgs, wavs for wav files, etc., in order to know "just where" to look, since you can download directly to a predetermined folder. Now you will have to either use the file search method (advised anyway) to locate it and move it to its own folder, or download another copy.

The registry values there along with the file can be manually removed, while HT makes it easier with the "fix" option. Just browse to the Windows directory to locate the "alcxmntr.exe" file and send it to the trash can. The other would involve typing regedit at the Run prompt and browsing the registry "hives" that look just like folders. The effort there takes a little bit more familiarity, however, to avoid "costly" mistakes by removing the wrong item(s).

WeatherBug is not a good tool for anyone! For Canada the main page for weather information is found at http://weatheroffice.ec.gc.ca/canada_e.html
 

pursang

New Member
I think I've browsed the Windows directory.

I went Start - Run - Browse - My Computer - Presario (C) - Windows Folder.

I found ALCXMNTR and tried to open it but nothing happened; tried to delete it but it said Access is denied.
 

PC eye

banned
Open the task manager to see if it is listed as an active process and end it there if you can. You can then try right clicking on it and unchecking the hidden or read only box, and try deleting it then. The other method is to simply run Windows in safe mode for the manual attempt there, since only the basics are running. This stuff likes to bury itself deep at times.
 

pursang

New Member
I found the ALCXMNTR in task manager, right clicked and clicked on End Process. It gave me a bunch of warnings and said all sorts of nasty things might happen, but I'm assuming it was OK to hit End Process? Am I done with this one now? Move on to this one now?

You have a browser hijacker now being seen.
O2 - BHO: ohb - {5ED7D3DE-6DBE-4516-8712-01B1B64B7057} - C:\WINDOWS\system32\SearchEnhancer\nsoA.dll
 