glquchyjmee

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Doomsday123

Thread Starter
Joined
Jul 1, 2002
Messages
505
Somehow a search bar named glquchyjmee was added to my Internet Explorer toolbar. I can't seem to get it off. Could someone help me?

Also, when I run Spybot Search & Destroy, it gives me some files that are running and I can't delete them, so it asks me if I want to start Spybot when I restart next time and I say yes. When I reboot it doesn't start up, so the files are still there, and so are the ones that Spybot deleted when I ran it the time before. So then I thought if I just deleted the files that Spybot couldn't remove then it would work, so I deleted them and restarted, and then they came back. The files are...

C2.lop: Tracking cookie or cookie of tracking site (File, fixed)
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

CommonName: Autorun settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnet

CommonName: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}

CommonName: Class (Registry key, fixed)
HKEY_CLASSES_ROOT\BabeIE.AgentIE.1

CommonName: Class (Registry key, fixed)
HKEY_CLASSES_ROOT\BabeIE.Handler

CommonName: Class (Registry key, fixed)
HKEY_CLASSES_ROOT\BabeIE.Handler.1

CommonName: Class (Registry key, fixed)
HKEY_CLASSES_ROOT\BabeIE.Helper.1

CommonName: Class (Registry key, fixed)
HKEY_CLASSES_ROOT\BabeIE.Helper

CommonName: Class (Registry key, fixed)
HKEY_CLASSES_ROOT\BabeIE.AgentIE

CommonName: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{6656b666-992f-4d74-8588-8ca69e97d90c}

CommonName: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}

CommonName: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

CommonName: Global settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\CommonName

CommonName: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{99908473-1135-4009-BE4F-32B921F86ED9}

CommonName: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{2D0F5208-3198-49A4-86A7-D65E9E582751}

CommonName: Program directory (Directory, fixing failed)
C:\Program Files\CommonName

CommonName: Program file (File, fixed)
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe

CommonName: Protocol handler (Registry key, fixed)
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\cn

CommonName: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{D879D743-E2CC-4161-8034-2234203681C9}

CommonName: Typelib (Registry key, fixing failed)
HKEY_CLASSES_ROOT\Typelib\{DD0032DF-CEEF-4E0A-8B75-E4D8861E11E5}

eZula HotText: Program directory (Directory, fixed)
C:\Program Files\eZula


--- Spybot-S&D version: 1.2 ---
2003-09-05 Includes\Cookies.sbi
2003-09-09 Includes\Dialer.sbi
2003-09-08 Includes\Hijackers.sbi
2003-09-05 Includes\Keyloggers.sbi
2003-09-08 Includes\Malware.sbi
2003-03-15 Includes\plugin-ignore.ini
2003-09-05 Includes\Security.sbi
2003-09-09 Includes\Spybots.sbi
2003-08-28 Includes\Temporary.sbi
2003-09-05 Includes\Tracks.uti
2003-09-05 Includes\Trojans.sbi

If someone could help me get rid of all this crap I would appreciate it.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
Go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

Doomsday123

Thread Starter
Joined
Jul 1, 2002
Messages
505
This is what HijackThis gave me.

Logfile of HijackThis v1.97.2
Scan saved at 11:34:32 AM, on 10/3/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT1\System32\smss.exe
C:\WINNT1\system32\winlogon.exe
C:\WINNT1\system32\services.exe
C:\WINNT1\system32\lsass.exe
C:\WINNT1\system32\svchost.exe
C:\WINNT1\system32\spoolsv.exe
C:\WINNT1\System32\CTSvcCDA.exe
C:\WINNT1\System32\svchost.exe
C:\WINNT1\system32\nvsvc32.exe
C:\WINNT1\system32\regsvc.exe
C:\WINNT1\system32\MSTask.exe
C:\WINNT1\System32\WBEM\WinMgmt.exe
C:\WINNT1\system32\svchost.exe
C:\WINNT1\Explorer.EXE
C:\WINNT1\system32\devldr32.exe
C:\WINNT1\System32\svchost.exe
C:\WINNT1\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
C:\WINNT1\system32\w1n.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Media\Media\updatestats.exe
C:\WINNT1\system32\rundll32.exe
C:\Documents and Settings\Default User\My Documents\Data\clrschP030.exe
c:\progra~1\exact\exactupdate00123.exe
C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
C:\Program Files\POP\PopSrv205.exe
C:\Program Files\POP\sysmono.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT1\system32\Xmt10UI.exe
C:\WINNT1\system32\Ddcu.exe
C:\Program Files\Alset\HelpExpress\Administrator\Client\HELPEXP.EXE
C:\Program Files\Alset\HelpExpress\Administrator\Client\PrintMonitor.exe
C:\WINNT1\emsw.exe
C:\WINNT1\system32\wjview.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\couponsandoffers\couponsandoffers.exe
C:\WINNT1\rundll16.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT1\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
O2 - BHO: (no name) - {1222cdd9-0571-46a6-800d-07e8bbe83009} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\Program Files\POP\pop205.dll
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINNT1\rundll16.dll
O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINNT1\bs3.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT1\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: glquchyjmee - {fdd2bc39-de22-48ce-804d-f9a3e87fd495} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: (no name) - {495E1546-D729-4BB0-9628-978FA077DD45} - (no file)
O3 - Toolbar: &POP - {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} - C:\Program Files\POP\pop205.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT1\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT1\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT1\Updreg.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [er] w1n.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT1\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINNT1\bs3.dll,DllRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [POP] C:\Program Files\POP\PopSrv205.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [[email protected]] C:\WINNT1\system32\Ubi06I5Y.exe
O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
O4 - HKLM\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINNT1\rundll16.exe
O4 - HKLM\..\RunServices: [er] w1n.exe
O4 - HKLM\..\RunServices: [SysApi32] SysApi32.exe
O4 - HKCU\..\Run: [Dlei] C:\Documents and Settings\Administrator\Application Data\wnep.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
O4 - HKLM\..\RunOnce: [NavHelper Uninstaller] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NE3\NHUninstaller.exe" silent
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37841.5893402778
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
That is a compromised computer with a humongous amount of spyware/trojans & other malware.

this will take a bit of fixing so first do this:
download AdAware 6 181
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automaticly try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it's just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it.

then

Run an online antivirus check from at least one of the following sites
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/

then reboot & post a new HijackThis log so we can see what is left. I suspect quite a bit; I need to do a bit of research on some of the entries that I have never seen before.
 

Doomsday123

Thread Starter
Joined
Jul 1, 2002
Messages
505
Ok, I deleted all the things that showed up on Ad-aware and then ran Housecall. It showed up with some things that could not be cleaned or deleted.

5 Files Like This

JAVA BYTVERIFY .A CanNotAccess C:\Documents And Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file(or jar)\and a bunch of random stuff here.

2 Files Like This

JAVA NOCHEAT .A CanNotAccess C:\Documents And Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file(or jar)\and a bunch of random stuff here.


Then I ran HijackThis and here is what it gave me.

Logfile of HijackThis v1.97.2
Scan saved at 5:22:30 PM, on 10/3/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT1\System32\smss.exe
C:\WINNT1\system32\winlogon.exe
C:\WINNT1\system32\services.exe
C:\WINNT1\system32\lsass.exe
C:\WINNT1\system32\svchost.exe
C:\WINNT1\system32\spoolsv.exe
C:\WINNT1\System32\CTSvcCDA.exe
C:\WINNT1\System32\svchost.exe
C:\WINNT1\system32\nvsvc32.exe
C:\WINNT1\system32\regsvc.exe
C:\WINNT1\system32\MSTask.exe
C:\WINNT1\System32\WBEM\WinMgmt.exe
C:\WINNT1\system32\svchost.exe
C:\WINNT1\Explorer.EXE
C:\WINNT1\system32\devldr32.exe
C:\WINNT1\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
C:\WINNT1\system32\w1n.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
C:\Program Files\Alset\HelpExpress\Administrator\Client\PrintMonitor.exe
C:\WINNT1\emsw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT1\system32\QjlRXhe9.exe
C:\WINNT1\system32\Fsei.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT1\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
O2 - BHO: (no name) - {1222cdd9-0571-46a6-800d-07e8bbe83009} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT1\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: glquchyjmee - {fdd2bc39-de22-48ce-804d-f9a3e87fd495} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O3 - Toolbar: (no name) - {495E1546-D729-4BB0-9628-978FA077DD45} - (no file)
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT1\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT1\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT1\Updreg.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [er] w1n.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT1\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [POP] C:\Program Files\POP\PopSrv205.exe
O4 - HKLM\..\Run: [[email protected]] C:\WINNT1\system32\Idk277f.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
O4 - HKLM\..\RunServices: [er] w1n.exe
O4 - HKLM\..\RunServices: [SysApi32] SysApi32.exe
O4 - HKCU\..\Run: [Dlei] C:\Documents and Settings\Administrator\Application Data\wnep.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37841.5893402778
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

Thanks again :D
 
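The two HijackThis logs above differ only in what Ad-Aware managed to remove, and the entries the helper later singles out (the xshnypudr.dll BHO and toolbar, the "(no file)" orphans, the executables under the user profile) are exactly the ones a triage pass should surface. The following is an added example, not part of the thread and not HijackThis code: a small parser for the `R0`–`R3`/`Onn` line format, a diff of a "before" and "after" scan, a grouping by the file each hook points at (which shows one DLL registered as both a BHO and a toolbar), and two flagging heuristics, "entry points at a missing file" and "code loaded from a user profile directory", that are the editor's own rules of thumb, not HijackThis rules. The sample lines are excerpts copied from the two logs posted in this thread.

```python
"""Parse HijackThis-style log lines and compare two scans.

Added example for this thread, not part of HijackThis. The heuristics
(orphan entries, code loaded from a profile directory) are assumptions
chosen for illustration, not rules from the tool.
"""
import re
from dataclasses import dataclass

# Entry shape: "<section> - <rest>", e.g. "O2 - BHO: (no name) - {CLSID} - path"
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")
# First drive-letter path ending in a loadable module, spaces allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)
# Profile directories (long and 8.3 short forms) an unprivileged user can write to;
# a DLL loaded into IE from here is worth a second look.
PROFILE_RE = re.compile(r"(documents and settings|docume~1)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # R0..R3, O2, O3, O4, ...
    body: str     # everything after "Onn - "

    @property
    def orphan(self):
        """Registry hook whose target file is gone (HijackThis prints '(no file)')."""
        return self.body.rstrip().endswith("(no file)")

    @property
    def profile_loaded(self):
        """Target lives under a user profile rather than Program Files or system32."""
        return bool(PROFILE_RE.search(self.body))

    @property
    def target(self):
        m = PATH_RE.search(self.body)
        return m.group(0).lower() if m else None


def parse_log(text):
    """Keep only R*/O* entry lines; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def diff_logs(before, after):
    """Which entries a cleanup pass removed, which survived it, which are new."""
    b = {e.body for e in parse_log(before)}
    a = {e.body for e in parse_log(after)}
    return {"removed": sorted(b - a), "persisted": sorted(b & a), "new": sorted(a - b)}


def by_file(entries):
    """Group hooks by the module they load; one DLL under several hooks is one component."""
    groups = {}
    for e in entries:
        if e.target:
            groups.setdefault(e.target, []).append(e)
    return groups


def suspicious(entries):
    return [e for e in entries if e.orphan or e.profile_loaded]


# Constructed excerpts taken from the first and second logs in this thread.
BEFORE = r"""
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {1222cdd9-0571-46a6-800d-07e8bbe83009} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O3 - Toolbar: glquchyjmee - {fdd2bc39-de22-48ce-804d-f9a3e87fd495} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O4 - HKLM\..\Run: [Rundll16] C:\WINNT1\rundll16.exe
"""
AFTER = r"""
O2 - BHO: (no name) - {1222cdd9-0571-46a6-800d-07e8bbe83009} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O3 - Toolbar: glquchyjmee - {fdd2bc39-de22-48ce-804d-f9a3e87fd495} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O4 - HKCU\..\Run: [Dlei] C:\Documents and Settings\Administrator\Application Data\wnep.exe
"""

if __name__ == "__main__":
    for label, bodies in diff_logs(BEFORE, AFTER).items():
        print(f"{label}: {len(bodies)}")
        for body in bodies:
            print("   ", body)
    print("shared modules in first log:")
    for path, hooks in by_file(parse_log(BEFORE)).items():
        if len(hooks) > 1:
            print("   ", path, "->", [h.section for h in hooks])
    print("flagged in second log:", [e.body for e in suspicious(parse_log(AFTER))])
```

Run it and the "persisted" set is the xshnypudr.dll pair that Ad-Aware left behind, the BHO and toolbar sections collapse onto that one DLL, and the `[Dlei]` run entry is flagged for living under the profile; entries that only point at a missing file are cleanup leftovers rather than live code, which is why the helper fixes them without asking for the files.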

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
First, sorry for the delay in replying, but I have been without a computer all day today.

Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows & press "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT1\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about :blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
O2 - BHO: (no name) - {1222cdd9-0571-46a6-800d-07e8bbe83009} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O3 - Toolbar: glquchyjmee - {fdd2bc39-de22-48ce-804d-f9a3e87fd495} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O3 - Toolbar: (no name) - {495E1546-D729-4BB0-9628-978FA077DD45} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINNT1\Updreg.exe

O4 - HKLM\..\Run: [POP] C:\Program Files\POP\PopSrv205.exe
O4 - HKLM\..\Run: [[email protected]] C:\WINNT1\system32\Idk277f.exe

O4 - HKCU\..\Run: [Dlei] C:\Documents and Settings\Administrator\Application Data\wnep.exe

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)

Then, using Task Manager, stop the running processes on these files:
C:\WINNT1\system32\Idk277f.exe
C:\WINNT1\system32\QjlRXhe9.exe
C:\WINNT1\system32\Fsei.exe
then, using Windows Explorer, delete those 3 files.

It is very important that you do those steps in that order and do not reboot before deleting those files, because if you do they morph, that is, change their name and restart a new infection.

I can find nothing about the following files but suspect them to be bad, and would suggest fixing their entries in HijackThis and then deleting the files themselves, unless you know what they are and have installed them yourself:
O4 - HKLM\..\Run: [er] w1n.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
O4 - HKLM\..\RunServices: [er] w1n.exe
O4 - HKLM\..\RunServices: [SysApi32] SysApi32.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
 

Doomsday123

Thread Starter
Joined
Jul 1, 2002
Messages
505
Well, I have done all that you have listed and everything seems to be working. Thank you for all your help, and if you have any further instructions please post them. Once again, thanks a bunch for everyone's help.
 