Tech Support Guy forum thread (malware removal)

Post #1 · Discussion Starter · Registered · 10 Posts
I'm not sure if this matters, but the following has occurred on my laptop, rather than a normal PC.

I recently downloaded what I thought was a simple plugin to play games. Apparently not. Ever since it has been downloaded, all of the following items/problems have arrived: a new toolbar, 10 new desktop icons, a homepage that won't revert back, continual Error Messages/Reports in IE (all resulting in the page closing itself), and everything has been running noticeably slower than usual. The Error Report Messages may even appear if I'm not doing anything at all; I've tried posting this message for the third time because the page kept closing itself.

I scanned with Norton AntiVirus, but nothing showed up (as expected). I was wondering what I need to download to get rid of all of this; HijackThis, AdAware, SpyBot Search and Destroy? If any of those, I need a link. If I try to search for anything through the web, I get taken to the default page, even if the page doesn't exist. Thanks for reading. I eagerly await a cure.

Post #2 · Discussion Starter · Registered · 10 Posts
By the way, here is my logfile using HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 5:55:43 PM, on 4/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\aim\aim.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\DOCUME~1\NewUser\LOCALS~1\Temp\Rem5.exe
C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Alset\HelpExpress\NewUser\Client\HELPEXP.EXE
C:\WINDOWS\emsw.exe
C:\WINDOWS\System32\wjview.exe
C:\Program Files\couponsandoffers\couponsandoffers.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\NewUser\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = amazingautossearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D5F193A6-74E4-71BB-614A-931A0A9CF533} - C:\PROGRA~1\KINDPR~1\tickblah.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: lessmixdelete - {CBC9764C-0F83-677F-B6A9-5E0181B91950} - C:\PROGRA~1\KINDPR~1\tickblah.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Bold Two] C:\PROGRA~1\gram army\bolt rdr else.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\NewUser\Client\HelpExp.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.positivebeats.com/dlmp3.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{423C1E37-6379-40F1-A81F-6862068CCA85}: NameServer = 205.188.146.146

Reply · Registered · 22,834 Posts
Since you already know you are infected, you might as well download and run a good Spyware and Trojan Removal program(s).

Spybot Search and Destroy:
http://www.safer-networking.org/index.php?page=spybotsda

SpySweeper:
http://www.webroot.com/wb/products/spysweeper/index.php
This will also protect your home page from being hijacked.

Ad-Aware:
http://www.lavasoft.de/

With any of the above three programs, just like with anti-virus software, you should have the latest updates installed before doing a scan.

CWShredder:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

KazaaBeGone:
http://www.spywareinfo.com/~merijn/files/kazaabegone.zip

Programs that can help prevent getting infected:

Spyware Blaster
http://www.javacoolsoftware.com/spywareblaster.html

Spyware Guard
http://www.wilderssecurity.net/spywareguard.html

Reply · Registered · 46,465 Posts
First go to Add/Remove programs and uninstall Help Express if it is there.

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = amazingautossearch.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

O2 - BHO: (no name) - {D5F193A6-74E4-71BB-614A-931A0A9CF533} - C:\PROGRA~1\KINDPR~1\tickblah.dll

O3 - Toolbar: lessmixdelete - {CBC9764C-0F83-677F-B6A9-5E0181B91950} - C:\PROGRA~1\KINDPR~1\tickblah.dll

O4 - HKLM\..\Run: [Bold Two] C:\PROGRA~1\gram army\bolt rdr else.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"

O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE

O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\NewUser\Client\HelpExp.exe

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.positivebeats.com/dlmp3.exe


Restart to safe mode and delete:

The C:\Program Files\AutoUpdate folder
The C:\Program Files\Alset folder
The C:\Program Files\couponsandoffers folder
The C:\Program Files\KINDPR~1 folder (See *Note below)
The C:\Program Files\gram army folder
The C:\WINDOWS\emsw.exe file

*Note: I have no way of knowing the exact name of this folder, but the first six letters will be KINDPR.

How to start your computer in safe mode

Post #6 · Discussion Starter · Registered · 10 Posts
Thanks for the help so far, but not everything has been solved. I did as you said, flrman1, but I was unable to delete the folder entitled "Alset." I get an error message saying access is denied and to be sure it's not in use or write-protected. Not sure what to do about that...
Another thing is a desktop icon entitled "Activate Desktop" remains. I know it wasn't there before, but I'm not sure if it's something I need. I can't find it on the list of programs, so I'm not sure what to do.
One other small problem since I used HijackThis: some of the folder pictures (I use Windows XP, and some folders are unique) no longer exist. I know this isn't a big deal, but I was wondering if I deleted something I wasn't supposed to? Here is my log, just in case I missed something:
Logfile of HijackThis v1.97.7
Scan saved at 9:30:27 PM, on 4/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\aim\aim.exe
C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
C:\Program Files\Alset\HelpExpress\NewUser\HXDL.EXE
C:\Program Files\Alset\HelpExpress\NewUser\Client\HelpExp.exe
C:\WINDOWS\emsw.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Documents and Settings\NewUser\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jersconsin.tk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXDL.EXE -from="CLIENT.CAB" -to="CLIENT.CAB"
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\NewUser\Client\HelpExp.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{423C1E37-6379-40F1-A81F-6862068CCA85}: NameServer = 205.188.146.146

Reply · Registered · 46,465 Posts
Were you in safe mode when you tried to delete the Alset folder? Did you find Help Express in Add/Remove programs?

I'm not sure what you mean by "some of the folder pictures (I use Windows XP, and some folders are unique) no longer exist". Nothing I had you remove would have affected your folder icons.

The Activate Desktop icon sounds like a shortcut to Active Desktop. What does it do when you click on it?

You have picked up some new ones since you last posted.

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE

O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXDL.EXE -from="CLIENT.CAB" -to="CLIENT.CAB"

O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\NewUser\Client\HelpExp.exe


Restart to Safe Mode and delete:

The C:\Program Files\Alset folder
The C:\WINDOWS\emsw.exe file

Go here and download Adaware 6 Build 181

Install the program and launch it.

First, in the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on -------ON=GREEN

From main window :Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

Then go here and download Spybot Search & Destroy.

Install the program and launch it.

Before scanning press Online and Search for Updates .

Put a check mark at and install all updates.

Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.
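The helper's remark that the second log has "picked up some new ones", and the earlier list of entries to put a check by, are exactly the comparison a small log-triage script can do mechanically. The Python below is an added example written for this thread; it is not HijackThis code and not anything the helper posted. It parses the R/O entry lines and the "Running processes:" list, diffs the 4/5 and 4/6 scans, and flags the patterns the thread's fixes were built on: a process run out of a Temp folder, IE start/search settings that no longer match the OEM default recorded in the O14 IERESET.INF line, an O16 DPF entry that pulls a bare .exe, and a Run key loading a DLL out of Downloaded Program Files. The embedded logs are trimmed excerpts of the two logs posted above; the rule names and the "skip HijackThis itself" exception are assumptions of this example.

```python
"""Triage helper for HijackThis-style logs: parse, flag, and diff two scans.

Added example for this thread, not part of HijackThis or the forum's tooling.
The embedded logs are trimmed excerpts of the thread's 4/5 and 4/6 logs; the
flagging rules are assumptions drawn from what the helper told the poster to fix.
"""
import re
from urllib.parse import urlparse

# Entry lines look like "R0 - ...", "O4 - ...", "O16 - ..."; the code is the HijackThis section.
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.+)$")


def parse_log(text):
    """Return (processes, entries): the Running processes paths and (kind, body) entry tuples."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:                      # process list runs until the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def _site(value):
    """Host of a URL or bare domain, lower-cased, with a leading 'www.' dropped."""
    value = value.strip()
    if "://" not in value:                # HijackThis prints bare domains for some R0 values
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def vendor_default_site(entries):
    """OEM start page recorded in the O14 IERESET.INF line, or None if absent."""
    for kind, body in entries:
        if kind == "O14" and "START_PAGE_URL=" in body:
            return _site(body.split("START_PAGE_URL=", 1)[1])
    return None


def flag_entries(processes, entries):
    """Return (rule, text) findings. They are prompts for review, not verdicts (assumed rules)."""
    findings = []
    default = vendor_default_site(entries)
    for path in processes:
        low = path.lower()
        # A process running out of a Temp folder (Rem5.exe in the first log). HijackThis
        # itself was unzipped into Temp in these logs, so it is skipped (assumption).
        if "\\temp\\" in low and "hijackthis" not in low:
            findings.append(("process-from-temp", path))
    for kind, body in entries:
        if kind in ("R0", "R1") and "=" in body:
            # IE start/search settings that no longer point at the OEM default.
            _, _, value = body.partition("=")
            site = _site(value)
            if default and site and site != default:
                findings.append(("ie-setting-not-vendor-default", body))
        elif kind == "O16":
            # DPF entries usually fetch a .cab; a bare .exe (dlmp3.exe in the first log) stands out.
            url = body.rsplit(" - ", 1)[-1].strip()
            if url.lower().endswith(".exe"):
                findings.append(("dpf-downloads-exe", body))
        elif kind == "O4":
            low = body.lower()
            if "rundll32" in low and "downloaded program files" in low:
                # A Run key loading a DLL left behind by an ActiveX download (bridge.dll).
                findings.append(("run-key-rundll32-from-dpf-cache", body))
    return findings


def diff_logs(old_entries, new_entries):
    """(added, removed) entries between two scans, as sorted lists of (kind, body)."""
    old, new = set(old_entries), set(new_entries)
    return sorted(new - old), sorted(old - new)


# Trimmed excerpts of the two logs posted in the thread (constructed sample input).
LOG_APR5 = r"""
Scan saved at 5:55:43 PM, on 4/5/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\NewUser\LOCALS~1\Temp\Rem5.exe
C:\Documents and Settings\NewUser\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = amazingautossearch.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.positivebeats.com/dlmp3.exe
"""

LOG_APR6 = r"""
Scan saved at 9:30:27 PM, on 4/6/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
C:\WINDOWS\emsw.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jersconsin.tk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
"""


def main():
    for label, text in (("4/5/2004", LOG_APR5), ("4/6/2004", LOG_APR6)):
        procs, ents = parse_log(text)
        print(f"== {label}: {len(procs)} processes, {len(ents)} entries")
        for rule, item in flag_entries(procs, ents):
            print(f"  [{rule}] {item}")
    added, removed = diff_logs(parse_log(LOG_APR5)[1], parse_log(LOG_APR6)[1])
    print(f"== new since last scan: {len(added)}, gone: {len(removed)}")
    for kind, body in added:
        print(f"  + {kind} - {body}")


if __name__ == "__main__":
    main()
```

The findings are review prompts rather than verdicts: the same .exe rule would also flag the QuickTime installer DPF entry that appears in the full logs, and an OEM that ships a non-default home page would trip the start-page rule, so each hit still needs the kind of judgement the helper applies by hand. The diff is the part that scales: it turns "you have picked up some new ones" into an exact list of the entries added and removed between two scans.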

Post #8 · Discussion Starter · Registered · 10 Posts
I greatly appreciate all of your help! I did as you said, but I was unable to find any file named "emsw.exe" in the WINDOWS folder. Just a few other things, now: more icons have disappeared or reverted to the default icon, and I'm not sure how to change them back, if it's possible (e.g. "My Music" folder icon, "Wireless Internet" icon). Now, I have noticed two more icons have appeared on the bottom taskbar that I haven't seen before. One is entitled "Big Fix" and the other "Synaptics Pointing Device." I'm assuming I've had both since before the infection, since the Pointing Device records the pressure on the mouse pad, but I'm not sure how they got there or if the BigFix was there before either.
Once again, here is my logfile after all the scanning.
Logfile of HijackThis v1.97.7
Scan saved at 5:49:56 PM, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\atray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\aim\aim.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Documents and Settings\NewUser\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jersconsin.tk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [Atray] atray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\aim\aim.exe -cnetwait.odl
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{423C1E37-6379-40F1-A81F-6862068CCA85}: NameServer = 205.188.146.146

PS. This has been a constant tiny annoyance that I'm sure is nothing serious. When I open any window with a gray taskbar at the top (e.g. AOL), if I put my cursor over any of the buttons (e.g. File, Edit, etc.), a white box forms around each word, but doesn't appear until I close the window and re-open it. I was wondering if there was any way to fix this? Thanks.

Reply · Registered · 46,465 Posts
I don't have a clue what's going on with your icons.

The "Big Fix" and "Synaptics Pointing Device" are these, which were not there in your previous logs.

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe


I'm sure you did something to cause them to load, because nothing I instructed you to do would have caused that. They're both legitimate applications. If you want to remove them from your startups go to Start > Run and type in msconfig.
Click OK or hit the Enter key.

Click on the "Startup" tab and remove the check by those items. Click "Apply" then "Close"

You will be prompted to restart. Go ahead and restart.

Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that program's preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.

Post #10 · Discussion Starter · Registered · 10 Posts
Thanks for helping. Just as an extra precaution, I downloaded something called "PC Doctor" since I'm using it on my normal PC as well. It claims 16 errors still exist: (3) Invalid Active X \ COM File; (3) Invalid Active X \ COM SubSection File; (6) Invalid Application Path; (1) Invalid Microsoft Shared File; (3) Invalid Uninstall Information. I'm curious if you think any of these really need to be fixed. None of the other programs found anything, and this PC Doctor costs money, so I wanted an opinion on whether you think it's worth it...
Also, do you have any clue about the white boxes in gray toolbars? It's not in IE, but almost anything else with that same toolbar. It's just weird and annoying.
One last thing since you're just as clueless about the icons as I am.... (last favor, I promise). Do you know how to change the settings for the mouse pad? I used to be able to tap the pad for a click, but now I need to click the actual buttons. I've gotten so much into the habit of the clicking pad that I mess up nearly every time...

Post #11 · Discussion Starter · Registered · 10 Posts
I'm sorry for this confusion, but I take back my last request. I know how to change the settings, but I can't find the Synaptics Pointing Device that controls those settings. I only removed it from the bottom toolbar; I never deleted it. I've searched for it, but all the searches came up with nothing. However, I think you've helped me far enough already. Now I'm only asking for your opinion on those problems I listed earlier.