My Norton antivirus found this file HelpExp.exe as a trojan and can't quarantine or delete it, neither can Ad-Aware. I read to get HijackThis and post a logfile, so that is what I am doing. Can someone please help me with which files to delete and so forth? Thank you.
Logfile of HijackThis v1.97.7
Scan saved at 7:56:15 PM, on 11/27/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\IEDriver\IEDriver.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Alset\HelpExpress\Victoria\HXIUL.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Alset\HelpExpress\Victoria\HXDL.exe
C:\WINDOWS\System32\Npi9.exe
C:\WINDOWS\System32\Npi9.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.exe
C:\Documents and Settings\Student\My Documents\download\sneakylilslovak\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginia.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.virginia.edu/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 64.159.91.200 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O2 - BHO: (no name) - {16472BCB-1BAA-400C-BEA9-E04C00C0A2AA} - C:\WINDOWS\System32\wdavclnt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Dpsy6V9.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Victoria\HXIUL.exe
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Victoria\HXDL.exe -from="MANIFEST.DAT" -to="MANIFEST.DAT"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05bb81137866c83f5421/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37732.2446875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = virginia.edu
O17 - HKLM\Software\..\Telephony: DomainName = virginia.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{945A857E-5241-4321-A346-662EA5D285D5}: NameServer = 207.69.188.187 207.69.188.186
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = virginia.edu
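
A way to sort a HijackThis log like the one above into lines worth a closer look, as an added example that is not part of the original thread. The sample entries are copied from the posted log; the four review rules are assumptions chosen for illustration and are not verdicts from anyone in the thread.

```python
import re

# Entries copied from the log in the post above; the rules below are assumptions.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginia.edu/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 64.159.91.200 auto.search.msn.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Dpsy6V9.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Victoria\HXIUL.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05bb81137866c83f5421/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")       # section code, then body
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")  # URL with IPv4 host

def parse_entries(log_text):
    """Yield (section_code, body) for every entry line; skip headers and processes."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def review_reasons(code, body):
    """Return the review rules a line trips (reasons to look closer, not verdicts)."""
    reasons = []
    if code == "O1":  # any hosts-file line overrides DNS for that name
        reasons.append("hosts file override: " + body.partition(": ")[2])
    if body.endswith("(no file)"):
        reasons.append("registry entry references a missing file")
    if code in ("R0", "R1") and "= file://" in body:
        reasons.append("IE page setting points at a local file")
    if code == "O16" and IP_URL_RE.search(body):
        reasons.append("ActiveX control fetched from a bare IP address")
    return reasons

def triage(log_text):
    """Return [(code, body, reasons)] for entries that trip at least one rule."""
    hits = []
    for code, body in parse_entries(log_text):
        reasons = review_reasons(code, body)
        if reasons:
            hits.append((code, body, reasons))
    return hits

if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}\n    -> {'; '.join(reasons)}")
```

Autorun (O4) and BHO (O2) lines pass through these rules unflagged, so they still need to be checked by hand against the programs known to be installed.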

Use MSCONFIG.
Go to Start-Run.
Type msconfig.
Select the Startup tab.
Uncheck the box that runs, then restart.
You should be able to delete the file.

I need to know what to do with HijackThis to get rid of that and anything else that doesn't need to be on my system.

Highlight the item you want to delete, then use the undelete key in HijackThis to delete... but your log looks OK to me.

Brennan, what you have is the Peper trojan.
No easy way out; Tom41 can give better instructions than myself.

Well, how can I get a hold of Tom41? I really need to get rid of this ASAP. Can someone please help me?

Brennan, download, install, read the directions, then update and run Spybot Search & Destroy. The latest update includes the Peper trojan and it should get rid of it.
2003-11-24
Hijacker
+ AdultLinks.QaBar + AdGoblin + Xupiter.OrbitExplorer + IEDLL.ToonComics ++ SearchDotCom ++ CoolWWWSearch.HTMLEdit + CoolWWWSearch.SVCPack + SearchXL ++ ExPup ++ SearchOMatic + I-Lookup ++ RSSToolbar ++ SearchForge + CoolWWWSearch.WinSearch ++ Mirar.NNBar + eUniverse.IncrediFind ++ CleverIEHooker.Jeired + IEDLL.ToonComics + CoolWWWSearch + Search-Exe + MediaLoads + ClearSearch.Net + SearchAndClick + eXactSearchbar ++ FastSeeker + ToolbarCC ++ CoolWWWSearch.XPlugin + Adtomi.YahooStocks ++ AdsStore ++ ISTbar.CSearch ++ LoadHTML.BHOPopup ++ LoudMarketing.WinFavorites ++ ++ AdRoad.Cpr
Spyware
+ PurityScan + Outwar ++ iPend + Huntbar + ShopNav + eAcceleration + WildTangent + BrowserAid + SearchSquire
Malware
++ iempg + eUniverse.MyFreeCursors ++ ClimaxBucks.InternetOptimizer ++ KeenValue.PerfectNav + Haczyk.Ulubione
Keylogger
+ NetSpy + Winvestigator
Trojans
++ Peper ++ VividGalut ++ SpamRelayer.DiskServ ++ Remover.Trojan
Here's the link.
Tufenuf

Brennan, "are you sure HXIUL.exe and HXDL.exe don't present a problem?"
Those 2 files are part of HelpExpress which is Adware. Below is a link with Manual Removal Instructions.
HelpExpress Removal Instructions
Tufenuf

Tufenuf, this one is a pain in the ie to remove.
Brennan, post your log at link below, you will get a faster response and more eyes reading it. Post the subject line: Peper trojan
Spyware and Hijackware Removal Support
So how did I get infected in the first place?
