
glquchyjmee

Discussion in 'Virus & Other Malware Removal' started by Doomsday123, Oct 2, 2003.

Thread Status:
Not open for further replies.
  1. Doomsday123

    Doomsday123 Thread Starter

    Joined:
    Jul 1, 2002
    Messages:
    505
    Somehow a search bar was added to my Internet Explorer toolbar named glquchyjmee. I can't seem to get it off. Could someone help me?

    Also, when I run Spybot Search & Destroy, it gives me some files that are running and I can't delete them, so it asks me if I want to start Spybot when I restart next time and I say yes. When I reboot it doesn't start up, so the files are still there and so are the ones that Spybot deleted when I ran it the time before. So then I thought if I just deleted the files that Spybot couldn't remove then it would work, so I deleted them and restarted and then they came back. The files are...

    C2.lop: Tracking cookie or cookie of tracking site (File, fixed)
    C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt

    CommonName: Autorun settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winnet

    CommonName: Browser helper object (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}

    CommonName: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\BabeIE.AgentIE.1

    CommonName: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\BabeIE.Handler

    CommonName: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\BabeIE.Handler.1

    CommonName: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\BabeIE.Helper.1

    CommonName: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\BabeIE.Helper

    CommonName: Class (Registry key, fixed)
    HKEY_CLASSES_ROOT\BabeIE.AgentIE

    CommonName: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{6656b666-992f-4d74-8588-8ca69e97d90c}

    CommonName: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}

    CommonName: Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}

    CommonName: Global settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\CommonName

    CommonName: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{99908473-1135-4009-BE4F-32B921F86ED9}

    CommonName: Interface (Registry key, fixed)
    HKEY_CLASSES_ROOT\Interface\{2D0F5208-3198-49A4-86A7-D65E9E582751}

    CommonName: Program directory (Directory, fixing failed)
    C:\Program Files\CommonName

    CommonName: Program file (File, fixed)
    C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe

    CommonName: Protocol handler (Registry key, fixed)
    HKEY_CLASSES_ROOT\PROTOCOLS\Handler\cn

    CommonName: Type library (Registry key, fixed)
    HKEY_CLASSES_ROOT\TypeLib\{D879D743-E2CC-4161-8034-2234203681C9}

    CommonName: Typelib (Registry key, fixing failed)
    HKEY_CLASSES_ROOT\Typelib\{DD0032DF-CEEF-4E0A-8B75-E4D8861E11E5}

    eZula HotText: Program directory (Directory, fixed)
    C:\Program Files\eZula


    --- Spybot-S&D version: 1.2 ---
    2003-09-05 Includes\Cookies.sbi
    2003-09-09 Includes\Dialer.sbi
    2003-09-08 Includes\Hijackers.sbi
    2003-09-05 Includes\Keyloggers.sbi
    2003-09-08 Includes\Malware.sbi
    2003-03-15 Includes\plugin-ignore.ini
    2003-09-05 Includes\Security.sbi
    2003-09-09 Includes\Spybots.sbi
    2003-08-28 Includes\Temporary.sbi
    2003-09-05 Includes\Tracks.uti
    2003-09-05 Includes\Trojans.sbi

    If someone could help me get rid of all this crap I would appreciate it.
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. Doomsday123

    Doomsday123 Thread Starter

    Joined:
    Jul 1, 2002
    Messages:
    505
    This is what Hijack this gave me.

    Logfile of HijackThis v1.97.2
    Scan saved at 11:34:32 AM, on 10/3/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT1\System32\smss.exe
    C:\WINNT1\system32\winlogon.exe
    C:\WINNT1\system32\services.exe
    C:\WINNT1\system32\lsass.exe
    C:\WINNT1\system32\svchost.exe
    C:\WINNT1\system32\spoolsv.exe
    C:\WINNT1\System32\CTSvcCDA.exe
    C:\WINNT1\System32\svchost.exe
    C:\WINNT1\system32\nvsvc32.exe
    C:\WINNT1\system32\regsvc.exe
    C:\WINNT1\system32\MSTask.exe
    C:\WINNT1\System32\WBEM\WinMgmt.exe
    C:\WINNT1\system32\svchost.exe
    C:\WINNT1\Explorer.EXE
    C:\WINNT1\system32\devldr32.exe
    C:\WINNT1\System32\svchost.exe
    C:\WINNT1\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
    C:\WINNT1\system32\w1n.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Media\Media\updatestats.exe
    C:\WINNT1\system32\rundll32.exe
    C:\Documents and Settings\Default User\My Documents\Data\clrschP030.exe
    c:\progra~1\exact\exactupdate00123.exe
    C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
    C:\Program Files\POP\PopSrv205.exe
    C:\Program Files\POP\sysmono.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINNT1\system32\Xmt10UI.exe
    C:\WINNT1\system32\Ddcu.exe
    C:\Program Files\Alset\HelpExpress\Administrator\Client\HELPEXP.EXE
    C:\Program Files\Alset\HelpExpress\Administrator\Client\PrintMonitor.exe
    C:\WINNT1\emsw.exe
    C:\WINNT1\system32\wjview.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\couponsandoffers\couponsandoffers.exe
    C:\WINNT1\rundll16.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT1\system32\search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
    O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
    O2 - BHO: (no name) - {1222cdd9-0571-46a6-800d-07e8bbe83009} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\Program Files\POP\pop205.dll
    O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINNT1\rundll16.dll
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINNT1\bs3.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT1\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: glquchyjmee - {fdd2bc39-de22-48ce-804d-f9a3e87fd495} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
    O3 - Toolbar: (no name) - {495E1546-D729-4BB0-9628-978FA077DD45} - (no file)
    O3 - Toolbar: &POP - {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} - C:\Program Files\POP\pop205.dll
    O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT1\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT1\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT1\Updreg.exe
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [er] w1n.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT1\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINNT1\bs3.dll,DllRun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [winactive] C:\Program Files\Window Active\winactive.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [POP] C:\Program Files\POP\PopSrv205.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [[email protected]] C:\WINNT1\system32\Ubi06I5Y.exe
    O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
    O4 - HKLM\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINNT1\rundll16.exe
    O4 - HKLM\..\RunServices: [er] w1n.exe
    O4 - HKLM\..\RunServices: [SysApi32] SysApi32.exe
    O4 - HKCU\..\Run: [Dlei] C:\Documents and Settings\Administrator\Application Data\wnep.exe
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
    O4 - HKLM\..\RunOnce: [NavHelper Uninstaller] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NE3\NHUninstaller.exe" silent
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37841.5893402778
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    That is a compromised computer with a humongous amount of spyware/trojans & other malware

    this will take a bit of fixing so first do this:
    download AdAware 6 181
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings (the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it.

    then

    Run an online antivirus check from at least one of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/

    then reboot & post a new hijackthis log so we can see what is left, I suspect quite a bit, I need to do a bit of research on some of the entries that I have never seen before
     
  5. THoey

    THoey

    Joined:
    Feb 12, 2001
    Messages:
    3,420
    I know you are not finished, but nice work Derek...
     
  6. Doomsday123

    Doomsday123 Thread Starter

    Joined:
    Jul 1, 2002
    Messages:
    505
    Ok, I deleted all the things that showed up on Ad-aware and then ran Housecall. It showed up with some things that could not be cleaned or deleted.

    5 Files Like This

    JAVA BYTVERIFY .A CanNotAccess C:\Documents And Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file(or jar)\and a bunch of random stuff here.

    2 Files Like This

    JAVA NOCHEAT .A CanNotAccess C:\Documents And Settings\Administration\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file(or jar)\and a bunch of random stuff here.


    Then I ran HiJackThis and here is what it gave me.

    Logfile of HijackThis v1.97.2
    Scan saved at 5:22:30 PM, on 10/3/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT1\System32\smss.exe
    C:\WINNT1\system32\winlogon.exe
    C:\WINNT1\system32\services.exe
    C:\WINNT1\system32\lsass.exe
    C:\WINNT1\system32\svchost.exe
    C:\WINNT1\system32\spoolsv.exe
    C:\WINNT1\System32\CTSvcCDA.exe
    C:\WINNT1\System32\svchost.exe
    C:\WINNT1\system32\nvsvc32.exe
    C:\WINNT1\system32\regsvc.exe
    C:\WINNT1\system32\MSTask.exe
    C:\WINNT1\System32\WBEM\WinMgmt.exe
    C:\WINNT1\system32\svchost.exe
    C:\WINNT1\Explorer.EXE
    C:\WINNT1\system32\devldr32.exe
    C:\WINNT1\system32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
    C:\WINNT1\system32\w1n.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
    C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
    C:\Program Files\Alset\HelpExpress\Administrator\Client\PrintMonitor.exe
    C:\WINNT1\emsw.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT1\system32\QjlRXhe9.exe
    C:\WINNT1\system32\Fsei.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT1\system32\search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
    O2 - BHO: (no name) - {1222cdd9-0571-46a6-800d-07e8bbe83009} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT1\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: glquchyjmee - {fdd2bc39-de22-48ce-804d-f9a3e87fd495} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
    O3 - Toolbar: (no name) - {495E1546-D729-4BB0-9628-978FA077DD45} - (no file)
    O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT1\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT1\system32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBPCI5122k\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT1\Updreg.exe
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\SBPCI5122k\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [er] w1n.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT1\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [POP] C:\Program Files\POP\PopSrv205.exe
    O4 - HKLM\..\Run: [[email protected]] C:\WINNT1\system32\Idk277f.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
    O4 - HKLM\..\RunServices: [er] w1n.exe
    O4 - HKLM\..\RunServices: [SysApi32] SysApi32.exe
    O4 - HKCU\..\Run: [Dlei] C:\Documents and Settings\Administrator\Application Data\wnep.exe
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37841.5893402778
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    Thanks again :D
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,187
    First Name:
    Derek
    First, sorry for the delay in replying, but I have been without a computer all day today

    run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all browser windows & press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT1\system32\search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about :blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - (no file)
    O2 - BHO: (no name) - {1222cdd9-0571-46a6-800d-07e8bbe83009} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
    O3 - Toolbar: glquchyjmee - {fdd2bc39-de22-48ce-804d-f9a3e87fd495} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
    O3 - Toolbar: (no name) - {495E1546-D729-4BB0-9628-978FA077DD45} - (no file)
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT1\Updreg.exe

    O4 - HKLM\..\Run: [POP] C:\Program Files\POP\PopSrv205.exe
    O4 - HKLM\..\Run: [[email protected]] C:\WINNT1\system32\Idk277f.exe

    O4 - HKCU\..\Run: [Dlei] C:\Documents and Settings\Administrator\Application Data\wnep.exe

    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)

    Then using task manager stop the running processes on these files
    C:\WINNT1\system32\Idk277f.exe
    C:\WINNT1\system32\QjlRXhe9.exe
    C:\WINNT1\system32\Fsei.exe
    then using windows explorer delete those 3 files

    It is very important that you do those steps in that order and do not reboot before deleting those files, because if you do they morph, that is, change their name and restart a new infection

    I can find nothing about the following files but suspect them to be bad and would suggest fixing their entries in Hijackthis and then deleting the files themselves, unless you know what they are and have installed them yourself
    O4 - HKLM\..\Run: [er] w1n.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
    O4 - HKLM\..\RunServices: [er] w1n.exe
    O4 - HKLM\..\RunServices: [SysApi32] SysApi32.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINNT1\emsw.exe
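A small triage script, added here as an example and not part of the thread, of HijackThis or of any project, that parses the R/O entry lines of the log format posted above and flags the same kinds of entries dvk01 ticked: IE pages redirected to a local file or blanked, orphaned "(no file)" hooks, browser DLLs and autoruns loading from the user profile, and autoruns given as a bare executable name with no path. The sample log is a constructed subset of the entries from this thread; the rules are heuristics that produce candidates for research, not verdicts.

```python
import re

# Constructed sample in HijackThis v1.97 log format, shaped like the logs in
# this thread (a subset of the entries, not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT1\system32\search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {1222cdd9-0571-46a6-800d-07e8bbe83009} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: glquchyjmee - {fdd2bc39-de22-48ce-804d-f9a3e87fd495} - C:\DOCUME~1\ADMINI~1\APPLIC~1\xshnypudr.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT1\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [SysApi32] SysApi32.exe
O4 - HKCU\..\Run: [Dlei] C:\Documents and Settings\Administrator\Application Data\wnep.exe
"""

# Every entry line starts with a section code such as R1, O2, O4.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Locations inside the user profile; legitimate BHOs, toolbars and autoruns
# almost never load from here, while the xshnypudr.dll / wnep.exe entries do.
PROFILE_DIRS = ("\\documents and settings\\", "\\docume~1\\",
                "\\application data\\", "\\applic~1\\")


def parse_entries(log_text):
    """Yield (kind, body) for every R*/O* entry line in a HijackThis log."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def reason_for(kind, body):
    """Return why this entry deserves a look, or None if nothing stands out."""
    low = body.lower()
    value = low.split("=", 1)[1].strip() if "=" in low else ""
    if kind in ("R0", "R1"):
        if re.match(r"[a-z]:\\", value):
            return "IE start/search page redirected to a local file"
        if "proxyoverride" in low and value:
            return "ProxyOverride is set"
        if value == "about:blank":
            return "search setting blanked (commonly left behind by a hijacker)"
        return None
    if kind in ("R3", "O2", "O3"):
        if low.endswith("(no file)"):
            return "orphaned hook/BHO/toolbar entry (registered, file missing)"
        if any(d in low for d in PROFILE_DIRS):
            return "browser extension DLL loading from the user profile"
        return None
    if kind == "O4":
        # body looks like: HKLM\..\Run: [name] command line
        cmd = body.split("] ", 1)[1] if "] " in body else ""
        lc = cmd.lower()
        if any(d in lc for d in PROFILE_DIRS):
            return "autorun target lives in the user profile"
        if cmd and not re.match(r'"?[a-z]:\\', lc) and not lc.startswith("rundll32"):
            return "autorun is a bare executable name with no path; identify it"
        return None
    return None


def triage(log_text):
    """Return [(kind, reason, body)] for the entries worth a closer look."""
    hits = []
    for kind, body in parse_entries(log_text):
        reason = reason_for(kind, body)
        if reason:
            hits.append((kind, reason, body))
    return hits


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind:3} {reason}\n    {body}")
```

Entries it leaves alone (Google toolbar under Program Files, the quoted Stardock path, the rundll32 NVIDIA entry) are the "harmless or even required" kind the thread warns against fixing blindly; flagged bare names such as nwiz.exe would still need the research dvk01 describes.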
     
  8. Doomsday123

    Doomsday123 Thread Starter

    Joined:
    Jul 1, 2002
    Messages:
    505
    Well, I have done all that you have listed and everything seems to be working. Thank you for all your help, and if you have any further instructions please post them. Once again, thanks a bunch for everyone's help.
     

Short URL to this thread: https://techguy.org/169113
