
Can't get rid of spyware

Discussion in 'Virus & Other Malware Removal' started by melonhead, Oct 18, 2003.

Thread Status:
Not open for further replies.
  1. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Help!

    I keep running Spybot and Adaware and running Hijack this and clean out easily identifiable trouble areas. But, this one Search toolbar always appears at the bottom of the screen when I open up Internet Explorer. When I right click, it is not identified by name. Then the pop ups keep coming back and the coupon and offers show up in running programs. Does anyone have any other suggestions? Any other good clean out programs that I might use?

    Also, when I first open up IE, it searches for wabu.com before it goes to my default page. I think this is involved, but don't know what to do.

    Thanks in advance.

    Here is the current log

    Logfile of HijackThis v1.97.2
    Scan saved at 9:09:28 AM, on 10/18/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
    C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
    C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\APPLICATION DATA\OACRQUKR.EXE
    C:\WINDOWS\WJVIEW.EXE
    C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\WINNET.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\THE NELSON FAMILY\HXIUL.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\THE NELSON FAMILY\CLIENT\HELPEXP.EXE
    C:\WINDOWS\TEMP\WJC31A4.TMP
    C:\PROGRAM FILES\COMMONNAME\ADDRESSBAR\COMWIZ.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\THE NELSON FAMILY\CLIENT\PRINTMONITOR.EXE
    C:\WINDOWS\EMSW.EXE
    C:\WINDOWS\SYSTEM\HQA0WW.EXE
    C:\WINDOWS\SYSTEM\DWSRZ1LO.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wabu.com/passthrough/index.html?http://www.msn.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {78b7aa00-ff2e-11d7-9c58-004005389143} - C:\WINDOWS\APPLICATION DATA\ACHGWTRLLSS.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: crfstwoarlg - {78b7aa01-ff2e-11d7-9c58-004005389143} - C:\WINDOWS\APPLICATION DATA\ACHGWTRLLSS.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
    O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
    O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [27A9ZBX4WFBHM4] C:\WINDOWS\SYSTEM\IKXNU62.EXE
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [itrllch] C:\WINDOWS\APPLIC~1\oacrqukr.exe -QuieT
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\The Nelson Family\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\The Nelson Family\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: ZoEZSPlayR3 - http://www.ezsquirtland.com/heinz/ezsquirt-v1.0/ZoEZSPlayR3.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37904.7929050926
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.0.6.12.4/ttinst.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

    Thanks in advance.
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,149
    First Name:
    Derek
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hi...you have a particularly nasty and difficult to remove trojan....go here: http://tds.diamondcs.com.au/index.php?page=download
    Download the trial version of TDS3....update the program...Terminate your norton A/V and run a full system scan

    let TDS do its thing and come back with another HijackThis logfile.
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    The fastest fingers in the south strike again:D
     
  5. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    Thanks so much to you both for your QUICK response!! So appreciated. I did as you instructed and it just finished the scan.

    Positive identified 20+ files
    Suspicious files 2
    RegVal Trace 1

    Do I delete these? I noticed if I right click on them, this is an option. Thanks
     
  6. Backspace

    Backspace

    Joined:
    May 22, 2003
    Messages:
    740
    First Name:
    Lyn
    I am reloading some software on a new HDD.... since hearing about the Spybot worm... is it safe to download from the PCWorld site and what should I do to make sure it doesn't have the worm .....?????

    Thanks a lot!:)
     
  7. Backspace

    Backspace

    Joined:
    May 22, 2003
    Messages:
    740
    First Name:
    Lyn
    ooopsy..... SORRY.... MEANT TO MAKE A NEW THREAD.
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    No problem Backspace:)


    Mellonhead.....Yes, if you get the option, delete them, then post another H/T logfile.
    ;)
     
  9. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Regarding the pop-ups, let me throw this out on the table for my learned colleagues ...

    The old Aveo Attune went out of business, and was resurrected by Alset ... Attune was widely hated for the pop-up reminders it offered in the name of "helping the user".

    "Attune is a revolutionary service which provides end-users with targeted, "plain-English" messages (called "Intelligrams") to help them avoid common computer problems. Attune may also let users know when they need a specific product, service, or upgrade to optimize the use of their computer. Attune runs quietly in the background and automatically updates its Intelligrams when users connect to the Internet. Subsequently, when a user is about to encounter a situation that is known to cause problems, Attune displays the Intelligram that contains the solution."

    I noticed these 3 running processes:

    C:\PROGRAM FILES\ALSET\HELPEXPRESS\THE NELSON FAMILY\CLIENT\PRINTMONITOR.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\THE NELSON FAMILY\HXIUL.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\THE NELSON FAMILY\CLIENT\HELPEXP.EXE

    According to AnswersThatWork regarding HXIUL.exe (Alset):

    Alset's HelpExpress. Useless background adware which tells you when you need to buy printer cartridges, and where to buy them, and all sorts of other things like this.

    Recommendation :
    Firstly Alset are the same crowd as Aveo who produce the similarly useless Aveo Attune. Secondly, at the time of writing of this entry (March 2002), Alset and Aveo seem to have gone out of business. Thirdly, as with Aveo Attune, some users have experienced conflicts with other software. De-install HelpExpress immediately via the "Add/Remove Programs" icon in the Control Panel.

    According to pacs-portal regarding HXIUL.EXE:

    Also known as "HelpExpress". Will install itself if you have previously had Attune by Aveo installed as they're by the same company. Uninstall via Add/Remove programs.

    Regarding HelpExp.exe:

    Attune HelpExpress. Disable - see here: http://www.c-squad.org/mpn/article.php?sid=42

    According to cexx:

    "HelpExpress / Attune (HXIUL.EXE) - Appears to be advertising ... that displays sponsored ads, e.g. "Buy toner"/etc. messages when you use your printer. No additional information available at this time. Remove by uninstalling "HelpExpress" and "Attune" under Windows' Add/Remove Programs."

    If these are the pop-ups, a similar problem was solved on another board by uninstalling the HelpExpress program via Add/Remove.
     
  10. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Nice one winch(y)
     
  11. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Thanks ... like I said, I had a similar situation on another board, but that user complained specifically about printer cartridge pop-ups.

    I'd be interested in exactly what pop-ups are annoying this time around.

    Regardless, I doubt those three running processes will be missed.
     
  12. melonhead

    melonhead Thread Starter

    Joined:
    May 6, 2002
    Messages:
    882
    I deleted those files.

    Unable to get rid of Help Express by add remove. Physically went in and removed. Ran Spybot and Adaware again and Hijack this and took out the obvious.

    Here is the Hijack now. Thanks so much again for your help!

    Logfile of HijackThis v1.97.2
    Scan saved at 1:44:19 AM, on 10/19/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
    C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
    C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\EMSW.EXE
    C:\WINDOWS\APPLICATION DATA\OACRQUKR.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\TEMP\AWG3040.TMP
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {78b7aa00-ff2e-11d7-9c58-004005389143} - C:\WINDOWS\APPLICATION DATA\ACHGWTRLLSS.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: crfstwoarlg - {78b7aa01-ff2e-11d7-9c58-004005389143} - C:\WINDOWS\APPLICATION DATA\ACHGWTRLLSS.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
    O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
    O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [itrllch] C:\WINDOWS\APPLIC~1\oacrqukr.exe -QuieT
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: ZoEZSPlayR3 - http://www.ezsquirtland.com/heinz/ezsquirt-v1.0/ZoEZSPlayR3.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37904.7929050926
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.0.6.12.4/ttinst.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
     
  13. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
    Can't tell from here what these 2 are
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [itrllch] C:\WINDOWS\APPLIC~1\oacrqukr.exe -QuieT

    but I'd bet you don't want them.

    Of the 2, the emsw.exe file is more likely to be legitimate than the other.
    Can you determine the author of them?

    These 2 items are probably baddies associated with them
    O2 - BHO: (no name) - {78b7aa00-ff2e-11d7-9c58-004005389143} - C:\WINDOWS\APPLICATION DATA\ACHGWTRLLSS.DLL
    O3 - Toolbar: crfstwoarlg - {78b7aa01-ff2e-11d7-9c58-004005389143} - C:\WINDOWS\APPLICATION DATA\ACHGWTRLLSS.DLL

    and make it look like it might be LOP or WurldMedia or similar.
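    The correlation IMM draws above (one DLL under Application Data registered as both an O2 BHO and an O3 toolbar, alongside an O4 Run entry launching from the same folder) is the kind of check a helper can do over a whole log. The script below is an added example for this thread, not part of the thread or of HijackThis; it parses a constructed subset of the log lines posted above, flags entries by a few labelled heuristics (a directory list and a random-name rule that are assumptions of this example, not rules from any tool) and reports DLLs shared between BHO and toolbar entries.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the
thread or from HijackThis). Parses O2 (BHO), O3 (Toolbar) and O4 (Run*) lines,
flags entries by simple heuristics and correlates BHO/Toolbar pairs that share a DLL."""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {78b7aa00-ff2e-11d7-9c58-004005389143} - C:\WINDOWS\APPLICATION DATA\ACHGWTRLLSS.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: crfstwoarlg - {78b7aa01-ff2e-11d7-9c58-004005389143} - C:\WINDOWS\APPLICATION DATA\ACHGWTRLLSS.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [itrllch] C:\WINDOWS\APPLIC~1\oacrqukr.exe -QuieT
O4 - HKLM\..\Run: [27A9ZBX4WFBHM4] C:\WINDOWS\SYSTEM\IKXNU62.EXE
"""

O2_O3 = re.compile(r"^(?P<kind>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4 = re.compile(r"^(?P<kind>O4) - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First executable/DLL token of a Run command, with or without surrounding quotes.
EXE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com))(?:"|\s|$)', re.IGNORECASE)

# Heuristic (assumption of this example): autostart code rarely has a good reason
# to live in a per-user data folder or a temp directory.
SUSPICIOUS_DIRS = ("\\APPLICATION DATA\\", "\\APPLIC~1\\", "\\TEMP\\", "\\TMP\\")


def parse_hjt(text):
    """Return one dict per recognised O2/O3/O4 line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = O2_O3.match(raw) or O4.match(raw)
        if not m:
            continue
        e = m.groupdict()
        e["raw"] = raw
        if e["kind"] == "O4":  # reduce the command line to the binary it launches
            x = EXE.match(e["cmd"])
            e["path"] = x.group("path") if x else e["cmd"]
        entries.append(e)
    return entries


def in_suspicious_dir(path):
    p = path.upper()
    return any(d in p for d in SUSPICIOUS_DIRS)


def random_looking(name):
    """Run value names like 27A9ZBX4WFBHM4: long, all caps/digits, mixing both (heuristic)."""
    return (bool(re.fullmatch(r"[A-Z0-9]{8,}", name))
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def shared_dlls(entries):
    """Map upper-cased DLL path -> set of kinds (O2/O3) registered on it, for DLLs used by both."""
    by_path = defaultdict(set)
    for e in entries:
        if e["kind"] in ("O2", "O3"):
            by_path[e["path"].upper()].add(e["kind"])
    return {p: kinds for p, kinds in by_path.items() if len(kinds) > 1}


def triage(text):
    """Parse a log and return parsed entries, shared DLLs and flagged entries with reasons."""
    entries = parse_hjt(text)
    shared = shared_dlls(entries)
    flagged = []
    for e in entries:
        reasons = []
        if e["kind"] == "O2" and e["name"] == "(no name)":
            reasons.append("BHO registered without a name")
        if in_suspicious_dir(e["path"]):
            reasons.append("loads from a user-writable or temporary directory")
        if e["kind"] == "O4" and random_looking(e["name"]):
            reasons.append("random-looking Run value name")
        # Sharing a DLL between a BHO and a toolbar is normal for legitimate suites
        # (Norton does it too), so it only strengthens an entry flagged for another reason.
        if reasons and e["kind"] in ("O2", "O3") and e["path"].upper() in shared:
            reasons.append("same DLL is registered as both a BHO and a toolbar")
        if reasons:
            flagged.append({"name": e["name"], "raw": e["raw"], "reasons": reasons})
    return {"entries": entries, "shared_dll": shared, "flagged": flagged}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["flagged"]:
        print(f["raw"])
        for r in f["reasons"]:
            print("   -", r)
```

    On the sample above it flags the unnamed BHO and the "crfstwoarlg" toolbar (same DLL under Application Data), the "itrllch" Run entry, and the "27A9ZBX4WFBHM4" Run value; it leaves emsw.exe alone because none of the heuristics hit it, which matches IMM's point that a plain file under C:\WINDOWS needs the author identified before judging it. The flags are starting points for looking a file up, not verdicts.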
     
  14. IMM

    IMM Malware Specialist

    Joined:
    Feb 1, 2002
    Messages:
    3,257
  15. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    I'd be interested in anything anyone finds on emsw.exe ... it has turned up in a few logs lately, and a Google-go-getum turns up nothing.
     
Short URL to this thread: https://techguy.org/172831
