TechSpot

Help please - possible hijacker pt1

By sweaty
Mar 31, 2007
  1. First, let me say I'm not very computer savvy. My computer has been operating odd lately and I've been doing some research and I believe I may be being hijacked. The problem started a while back when I started getting a pop-up called mIRC at start up. I did not install that program and have since removed it. However I am still receiving errors and believe that was just part of my problem.

    I have tried many programs to fix my problems and believe it's still there. I started with McAfee virus scan and McAfee firewall. Since then I have added MooSoft Cleaner, XoftSpy Se, etc. I kept receiving the same errors and found Hijack This program. I understand this is a potentially dangerous program for a person of my experience to play with so I'm asking you your opinion. The following is the result of my scan:

    I am concerned about lines O17. I googled the ping address from line O17 and found this forum. I have US (QWest) internet service and I think this may be a hijacker. Any help is appreciated.

    Since the character limit is 10,000, I am posting the results of the scan in part 2.

    Thank you
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    I have deleted your copy and pasted HJT log. Logfiles must be posted as attachments.

    Go and read this thread HERE and post a HJT log as an attachment into this thread.

    Regards Howard :wave: :wave:

    This thread is for the use of sweaty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. sweaty

    sweaty TS Rookie Topic Starter

    HJT log file

    Sorry, please see attached file.

    Thank you
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system has a very nasty hijack.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

     
  5. sweaty

    sweaty TS Rookie Topic Starter

    Howard

    I have done all that's recommended. A few notes:
    -I started the online virus scanner and it shut down my browser (IE)
    -On start up I still received a message from TC Monitor "HKLM\software\microsoft\windows\currentversion\run"
    -AVG Antiroot scan found nothing

    Thank you again

    I am having difficulty attaching reports.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    See HERE for instructions on how to attach your logfiles.

    If you still have difficulty after reading the above, you can copy and paste your logfiles and I'll remove them once I've finished with them.

    Regards Howard :)

     
  7. sweaty

    sweaty TS Rookie Topic Starter

    Reports

    I think we have them now.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Delete all files in AVG Antispyware quarantine.

    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    UltimateBet

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    UltimateBet.exe
    ALCXMNTR.EXE
    ALCMTR.EXE

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

    O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -

    Fix all O17 entries.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\UltimateBet <- Delete the entire folder.
    C:\windows\ALCMTR.EXE
    C:\windows\ALCXMNTR.EXE

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

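An added example, not part of the original thread or of HijackThis itself: a short Python check that scans a fresh HJT log for the entries listed in the post above, to confirm they are gone after the fix. The sample log, its GUIDs and the 192.0.2.53 address are constructed for illustration, and the O17 line layout is an assumption based on the usual HijackThis format, since the original log is not on the page.

```python
import re

# Entries the post asks HJT to fix: (section, lower-case substring identifying the entry).
# An empty substring means "every entry in that section" (the post says to fix all O17 entries).
FIX_LIST = [
    ("O4", "alcxmntr.exe"),
    ("O4", "alcmtr.exe"),
    ("O9", "{94148db5-b42d-4915-95da-2cbb4f7095bf}"),
    ("O16", "{bdee1959-ab6b-4745-a29b-f492861102cc}"),
    ("O17", ""),
]

# HijackThis item lines look like "O4 - HKLM\..\Run: [Name] file.exe".
ITEM_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")

# Constructed sample of a post-fix log; not the log from the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\explorer.exe
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O9 - Extra button: Example - {00000000-0000-0000-0000-000000000000} - C:\example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53
"""

def parse_items(log_text):
    """Return (section, body) for every item line; headers and process paths are skipped."""
    items = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2).strip()))
    return items

def leftovers(log_text, fix_list=FIX_LIST):
    """Return the log lines that still match an entry on the fix list."""
    hits = []
    for section, body in parse_items(log_text):
        for want_section, needle in fix_list:
            if section == want_section and needle in body.lower():
                hits.append(f"{section} - {body}")
                break
    return hits

if __name__ == "__main__":
    for line in leftovers(SAMPLE_LOG):
        print("still present:", line)
```

An empty result means none of the listed entries survived the fix; any O17 line that remains should be compared with the DNS servers the ISP actually assigns.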
     
  9. sweaty

    sweaty TS Rookie Topic Starter

    Current HJT Log

    Howard

    Done as told and attached the current HJT log. Difficult to say right now how the system is running but seems normal. Still received TC Monitor "HKLM\software\microsoft\windows\currentversion\run" alert on start up.

    Question:
    -Do you think this hijacker is viewing my UltimateBet? Cannot think of another reason for someone to hijack my computer as it's only used for recreation.

    Thanks
    Sweaty
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix this entry, as it is known to cause problems.

    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

    Click on the fix checked button.

    Close HJT and reboot your system.

    Your HJT log is clean.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.

    Regards Howard :)

     
  11. sweaty

    sweaty TS Rookie Topic Starter

    Autoruns log

    Howard

    The TC Monitor alert "HKLM\software\microsoft\windows\currentversion\run" did not pop up on the latest reboot. Attached is the Autoruns log.

    Thank you
    Sweaty
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I can't see any problems in your Autoruns log.

    See how it goes and post back if the problem resurfaces.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
