IE toolbar, icons, error reports, homepage change, and many more problems

Discussion in 'Virus & Other Malware Removal' started by Kalicyddian, Apr 5, 2004.

Thread Status:
Not open for further replies.
  1. Kalicyddian

    Kalicyddian Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    10
    I'm not sure if this matters, but the following has occurred on my laptop, rather than a normal PC.

    I recently downloaded what I thought was a simple plugin to play games. Apparently, not. Ever since it has been downloaded, all of the following items/problems have arrived: a new toolbar, 10 new desktop icons, a homepage that won't revert back, continual Error Messages/Reports in IE (all resulting in the page closing itself), and everything has been running noticeably slower than usual. The Error Report Messages may even appear if I'm not doing anything at all; I've tried posting this message for the third time because the page kept closing itself.

    I scanned with Norton AntiVirus, but nothing showed up (as expected). I was wondering what I need to download to get rid of all of this; HiJack This, AdAware, SpyBot Search and Destroy? If any of those, I need a link. If I try to search for anything through the web, I get taken to the default page; even if the page doesn't exist. Thanks for reading. I eagerly await a cure.
     
  2. Kalicyddian

    Kalicyddian Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    10
    By the way, here is my logfile using HiJack This....

    Logfile of HijackThis v1.97.7
    Scan saved at 5:55:43 PM, on 4/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\aim\aim.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\DOCUME~1\NewUser\LOCALS~1\Temp\Rem5.exe
    C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
    C:\Program Files\SysAI\SysAI.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\Program Files\Alset\HelpExpress\NewUser\Client\HELPEXP.EXE
    C:\WINDOWS\emsw.exe
    C:\WINDOWS\System32\wjview.exe
    C:\Program Files\couponsandoffers\couponsandoffers.exe
    C:\Program Files\America Online 8.0\aol.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\NewUser\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = amazingautossearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {D5F193A6-74E4-71BB-614A-931A0A9CF533} - C:\PROGRA~1\KINDPR~1\tickblah.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: lessmixdelete - {CBC9764C-0F83-677F-B6A9-5E0181B91950} - C:\PROGRA~1\KINDPR~1\tickblah.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [Bold Two] C:\PROGRA~1\gram army\bolt rdr else.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\aim\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\NewUser\Client\HelpExp.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.positivebeats.com/dlmp3.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{423C1E37-6379-40F1-A81F-6862068CCA85}: NameServer = 205.188.146.146
     
  3. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
    Since you already know you are infected, you might as well download and run a good Spyware and Trojan Removal program(s).

    Spybot Search and Destroy:
    http://www.safer-networking.org/index.php?page=spybotsda

    SpySweeper:
    http://www.webroot.com/wb/products/spysweeper/index.php
    This will also protect your home page from being hijacked.

    Ad-Aware:
    http://www.lavasoft.de/

    Any of the above three programs, just like Anti-Virus software, should have the latest updates installed before doing a scan.

    CWShredder:
    http://www.spywareinfo.com/downloads/tools/CWShredder.exe

    KazaaBeGone
    http://www.spywareinfo.com/~merijn/files/kazaabegone.zip

    Programs that can help prevent getting infected:

    Spyware Blaster
    http://www.javacoolsoftware.com/spywareblaster.html

    Spyware Guard
    http://www.wilderssecurity.net/spywareguard.html
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Moved to Security forum
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    First go to Add/Remove programs and uninstall Help Express if it is there.

    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = amazingautossearch.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://amazingautossearch.com/searchbar.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://amazingautossearch.com/searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://amazingautossearch.com/searchbar.html

    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

    O2 - BHO: (no name) - {D5F193A6-74E4-71BB-614A-931A0A9CF533} - C:\PROGRA~1\KINDPR~1\tickblah.dll

    O3 - Toolbar: lessmixdelete - {CBC9764C-0F83-677F-B6A9-5E0181B91950} - C:\PROGRA~1\KINDPR~1\tickblah.dll

    O4 - HKLM\..\Run: [Bold Two] C:\PROGRA~1\gram army\bolt rdr else.exe

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

    O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"

    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE

    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\NewUser\Client\HelpExp.exe

    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.positivebeats.com/dlmp3.exe


    Restart to safe mode and delete:

    The C:\Program Files\AutoUpdate folder
    The C:\Program Files\Alset folder
    The C:\Program Files\couponsandoffers folder
    The C:\Program Files\KINDPR~1 folder (See *Note below)
    The C:\Program Files\gram army folder
    The C:\WINDOWS\emsw.exe file

    *Note: I have no way of knowing the exact name of this folder, but the first six letters will be KINDPR.

    How to start your computer in safe mode
     
  6. Kalicyddian

    Kalicyddian Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    10
    Thanks for the help so far, but not everything has been solved. I did as you said, flrman1, but I was unable to delete the folder entitled "Alset." I get the error message claiming access is denied and to be sure it's not in use or that it is write-protected. Not sure what to do about that...
    Another thing is a desktop icon entitled "Activate Desktop" remains. I know it wasn't there before, but I'm not sure if it's something I need? I can't find it on the list of programs, so I'm not sure what to do.
    One other small problem since I used HiJack This: some of the folder pictures (I use Windows XP, and some folders are unique) no longer exist. I know this isn't a big deal, but I was wondering if I deleted something I wasn't supposed to? Here is my log, just in case I missed something:
    Logfile of HijackThis v1.97.7
    Scan saved at 9:30:27 PM, on 4/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\aim\aim.exe
    C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
    C:\Program Files\Alset\HelpExpress\NewUser\HXDL.EXE
    C:\Program Files\Alset\HelpExpress\NewUser\Client\HelpExp.exe
    C:\WINDOWS\emsw.exe
    C:\Program Files\America Online 8.0\aol.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Documents and Settings\NewUser\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jersconsin.tk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\aim\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXDL.EXE -from="CLIENT.CAB" -to="CLIENT.CAB"
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\NewUser\Client\HelpExp.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingstone.com/cab/2000XP/CDTInc/bridge.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{423C1E37-6379-40F1-A81F-6862068CCA85}: NameServer = 205.188.146.146
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Were you in safe mode when you tried to delete the Alset folder? Did you find Help Express in Add/Remove programs?

    I'm not sure what you mean by the "some of the folder pictures (I use Windows XP, and some folders are unique) no longer exist". Nothing I had you remove would have affected your folder icons.

    The Activate Desktop icon sounds like a shortcut to Active Desktop. What does it do when you click on it?

    You have picked up some new ones since you last posted.

    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll

    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE

    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXDL.EXE -from="CLIENT.CAB" -to="CLIENT.CAB"

    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\NewUser\Client\HelpExp.exe


    Restart to Safe Mode and delete:

    The C:\Program Files\Alset folder
    The C:\WINDOWS\emsw.exe file


    Go here and download Adaware 6 Build 181

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.

    Make sure the following settings are made and on -------ON=GREEN

    From main window :Click Start then Activate in-depth scan (recommended)

    Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

    Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

    Click proceed to save your settings.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.


    Then go here and download Spybot Search & Destroy.

    Install the program and launch it.

    Before scanning press Online and Search for Updates .

    Put a check mark at and install all updates.

    Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

    Restart your computer.
     
  8. Kalicyddian

    Kalicyddian Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    10
    I greatly appreciate all of your help! I did as you said, but I was unable to find any file named "emsw.exe" in the WINDOWS folder. Just a few other things, now: more icons have disappeared or reverted to the default icon, and I'm not sure how to change them back, if it's possible (e.g. "My Music" folder icon, "Wireless Internet" icon). Now, I have noticed two more icons have appeared on the bottom taskbar that I haven't seen before. One is entitled "Big Fix" and the other "Synaptics Pointing Device." I'm assuming I've had both since before the infection since the Pointing Device records the pressure on the mouse pad, but I'm not sure how they got there or if the BigFix was there before either.
    Once again, here is my logfile after all the scanning.
    Logfile of HijackThis v1.97.7
    Scan saved at 5:49:56 PM, on 4/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\atray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\aim\aim.exe
    C:\Program Files\America Online 8.0\aol.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\America Online 8.0\waol.exe
    C:\Documents and Settings\NewUser\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jersconsin.tk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Removecpl] RemoveCpl.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [Atray] atray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\aim\aim.exe -cnetwait.odl
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{423C1E37-6379-40F1-A81F-6862068CCA85}: NameServer = 205.188.146.146

    Ps. This has been a constant tiny annoyance that I'm sure is nothing serious. When I open any window with a gray taskbar at the top (e.g. AOL), if I put my cursor over any of the buttons (e.g. File, Edit, etc.), a white box forms around each word, but doesn't appear until I close the window and re-open it. I was wondering if there was any way to fix this? Thanks.
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I don't have a clue what's going on with your icons.

    The "Big Fix" and the other "Synaptics Pointing Device." are these which were not there in your previous logs.

    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe


    I'm sure you did something to cause them to load, because nothing I instructed you to do would have caused that. They're both legitimate applications. If you want to remove them from your startups go to Start > Run and type in msconfig.
    Click OK or hit the Enter key.

    Click on the "Startup" tab and remove the check by those items. Click "Apply" then "Close"

    You will be prompted to restart. Go ahead and restart.

    Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

    Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that program's preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.
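
The log-to-log comparison done by eye in Flrman1's replies above (entries that are new since the previous log, and entries that are still present after "Fix checked"), as an added example that is not part of the original thread. The log excerpts are a few lines copied from the 4/5 and 4/6 logs posted here; the function and variable names are this example's own.

```python
import re

# A HijackThis entry starts with a section code (R0, O2, O4, ...) and " - ".
# Header lines and the "Running processes" paths have no code and are skipped.
ENTRY_RE = re.compile(r"^\s*(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+?)\s*$")


def parse_entries(log_text):
    """Map a case-insensitive key to the original text of each log entry."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            section, detail = m.groups()
            entries[(section, detail.lower())] = f"{section} - {detail}"
    return entries


def compare_scans(before, fixed, after):
    """Classify entries across two scans and the fix list applied in between."""
    b, f, a = parse_entries(before), parse_entries(fixed), parse_entries(after)

    def pick(keys, source):
        return [source[k] for k in sorted(keys)]

    return {
        "new": pick(a.keys() - b.keys(), a),            # appeared since last log
        "survived_fix": pick(a.keys() & f.keys(), a),   # fixed, yet still listed
        "removed": pick(b.keys() - a.keys(), b),        # gone in the later log
    }


# Excerpt of the 4/5/2004 log from this thread (not the full log).
SCAN_APR5 = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\emsw.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = amazingautossearch.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
"""

# Excerpt of the entries the helper asked to be checked and fixed after that log.
FIXED_APR5 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = amazingautossearch.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
"""

# Excerpt of the 4/6/2004 log from this thread (not the full log).
SCAN_APR6 = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jersconsin.tk/
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\NewUser\HXIUL.EXE
"""

if __name__ == "__main__":
    report = compare_scans(SCAN_APR5, FIXED_APR5, SCAN_APR6)
    for label, items in report.items():
        print(f"[{label}] {len(items)} entries")
        for item in items:
            print("   ", item)
```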
     
  10. Kalicyddian

    Kalicyddian Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    10
    Thanks for helping. Just as an extra precaution, I downloaded something called "PC Doctor" since I'm using it on my normal PC as well. It claims 16 errors still exist: (3) Invalid Active X \ COM File; (3) Invalid Active X \ COM SubSection File; (6) Invalid Application Path; (1) Invalid Microsoft Shared File; (3) Invalid Uninstall Information. I'm curious if you think any of these really need to be fixed. None of the other programs found anything, and this PC Doctor costs money, so I wanted an opinion if you think it's worth it...
    Also, do you have any clue about the white boxes in gray toolbars? It's not in IE, but almost anything else with that same toolbar. It's just weird and annoying.
    One last thing since you're just as clueless about the icons as I am.... (last favor, I promise). Do you know how to change the settings for the mouse pad? I used to be able to tap the pad for a click, but now I need to click the actual buttons. I've gotten so much into the habit of the clicking pad, that I mess up nearly every time...
     
  11. Kalicyddian

    Kalicyddian Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    10
    I'm sorry for this confusion, but I take back my last request. I know how to change the settings, but I can't find the Synaptics Pointing Device that controls those settings. I only removed it from the bottom toolbar; I never deleted it. I've searched for it, but all the searches came up with nothing. However, I think you've helped me far enough already. Now I'm only asking for your opinion on those problems I listed earlier.
     

Short URL to this thread: https://techguy.org/217433
