Help please - possible hijacker pt1

Status
Not open for further replies.

sweaty

First, let me say I'm not very computer savvy. My computer has been operating oddly lately and I've been doing some research and I believe I may be being hijacked. The problem started a while back when I started getting a pop-up called mIRC at start up. I did not install that program and have since removed it. However, I am still receiving errors and believe that was just part of my problem.

I have tried many programs to fix my problems and believe it's still there. I started with McAfee virus scan and McAfee firewall. Since then I have added MooSoft Cleaner, XoftSpy Se, etc. I kept receiving the same errors and found Hijack This program. I understand this is a potentially dangerous program for a person of my experience to play with so I'm asking you your opinion. The following is the result of my scan:

I am concerned about lines O17. I googled the ping address from line O17 and found this forum. I have US (QWest) internet service and I think this may be a hijacker. Any help is appreciated.

Since the character limit is 10,000, I am posting the results of the scan in part 2.

Thank you
 
Hello and welcome to Techspot.

I have deleted your copy and pasted HJT log. Logfiles must be posted as attachments.

Go and read this thread HERE and post a HJT log as an attachment into this thread.

Regards Howard :wave: :wave:

This thread is for the use of sweaty only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
HJT log file

Sorry, please see attached file.

Thank you
 

Attachments

  • HJT log file.txt
    11.5 KB · Views: 8
Your system has a very nasty hijack.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

 
Howard

I have done all that's recommended. A few notes:
-I started the online virus scanner and it shut down my browser (IE)
-On start up I still received a message from TC Monitor "HKLM\software\microsoft\windows\currentversion\run"
-AVG Antiroot scan found nothing

Thank you again

I am having difficulty attaching reports.
 
See HERE for instructions on how to attach your logfiles.

If you still have difficulty after reading the above, you can copy and paste your logfiles and I'll remove them once I've finished with them.

Regards Howard :)

 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.

Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

UltimateBet

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

UltimateBet.exe
ALCXMNTR.EXE
ALCMTR.EXE

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe

O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -

Fix all O17 entries.

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\UltimateBet <- Delete the entire folder.
C:\windows\ALCMTR.EXE
C:\windows\ALCXMNTR.EXE

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

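Triage of the entry types named in the post above, as an added example that is not part of the original thread: it groups HijackThis log lines by section code, lists the O4 registry autostarts, and reports O17 `NameServer` values that differ from the resolvers you expect. The O4 and O9 lines are the ones quoted in the thread; the O17 lines, the GUID and all addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# O4/O9 lines are quoted from the thread. The O17 lines are constructed:
# the GUID and the documentation-range addresses are placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed excerpt)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53,198.51.100.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 203.0.113.10
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN_VALUE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NAMESERVER = re.compile(r"NameServer = (?P<servers>[0-9., ]+)$")

def parse_hjt(text):
    """Group HijackThis entries by section code (O4, O9, O17, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def run_entries(sections):
    """Return (value name, command) for each O4 registry autostart."""
    out = []
    for body in sections.get("O4", []):
        m = RUN_VALUE.match(body)
        if m:
            out.append((m.group("name"), m.group("cmd")))
    return out

def unexpected_nameservers(sections, expected):
    """Return DNS servers from O17 entries that are not in `expected`."""
    found = set()
    for body in sections.get("O17", []):
        m = NAMESERVER.search(body)
        if m:
            found.update(s for s in re.split(r"[ ,]+", m.group("servers")) if s)
    return sorted(found - set(expected))

if __name__ == "__main__":
    secs = parse_hjt(SAMPLE_LOG)
    print(run_entries(secs))
    # 203.0.113.10 stands in for the resolver your ISP or router hands out.
    print(unexpected_nameservers(secs, expected={"203.0.113.10"}))
```

Replace the `expected` set with the resolvers your ISP or router actually assigns before reading anything into the result.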
 
Current HJT Log

Howard

Done as told and attached the current HJT log. Difficult to say right now how the system is running but seems normal. Still received TC Monitor "HKLM\software\microsoft\windows\currentversion\run" alert on start up.

Question:
-Do you think this hijacker is viewing my UltimateBet? Cannot think of another reason for someone to hijack my computer as it's only used for recreation.

Thanks
Sweaty
 
Have HJT fix this entry, as it is known to cause problems.

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

Click on the fix checked button.

Close HJT and reboot your system.

Your HJT log is clean.

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log here.

Regards Howard :)

 
Autoruns log

Howard

The TC Monitor alert "HKLM\software\microsoft\windows\currentversion\run" did not pop up on the latest reboot. Attached is the Autoruns log.

Thank you
Sweaty
 
I can't see any problems in your Autoruns log.

See how it goes and post back if the problem resurfaces.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 