helpexp.exe trojan horse

Thread starter: BobGare

How do I get rid of this (helpexp.exe trojan horse)? Norton found it but
can't get rid of it.
 
BobGare said:
How do I get rid of this (helpexp.exe trojan horse)? Norton found it but
can't get rid of it.

helpexp.exe is the filename, not the name of the malware... perhaps you
could tell us the exact text of the alert from norton, along with the
exact text of the removal failure notice from norton (since there are a
variety of reasons why it might fail)...
 
Bob,

Go to http://www.spywareinfo.com/downloads.php#det
Download "Hijack This!" [freeware] or download direct (below):
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates "hijackthis.log")

Open "hijackthis.log" in Notepad and paste the contents in your next post to
this newsgroup and either I, or someone else, will reply with further info
to help you solve the problem.
 
Sir_George said:
Bob,

Go to http://www.spywareinfo.com/downloads.php#det
Download "Hijack This!" [freeware] or download direct (below):
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates "hijackthis.log")

Open "hijackthis.log" in Notepad and paste the contents in your next post to
this newsgroup and either I, or someone else, will reply with further info
to help you solve the problem.

not to put too fine a point on it but is HijackThis going to give you
more than the filename that bob has already given us?

what and where it is has already been determined by his scanner -
what's left is what it does and why can't he remove it with the tools
he's already got...
 
Logfile of HijackThis v1.97.7
Scan saved at 11:56:09 AM, on 11/27/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Save\Save.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Tech\MagicBall\1.2\LWBWHEEL.exe
C:\WINDOWS\System32\wjview.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Alset\HelpExpress\Administrator\Client\PrintMonitor.exe
C:\WINDOWS\emsw.exe
C:\Program Files\couponsandoffers\couponsandoffers.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\Nmain.exe
C:\PROGRA~1\NORTON~2\NORTON~3\navw32.exe
C:\PROGRA~1\NORTON~2\NORTON~3\navw32.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program
Files\MyWay\myBar\2.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program
Files\E2G\IeBHOs.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} -
C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp
Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P
Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program
Files\Tech\MagicBall\1.2\LWBWHEEL.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program
Files\couponsandoffers\System\Code" Main lp: "C:\Program
Files\couponsandoffers"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program
Files\Alset\HelpExpress\Administrator\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program
Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program
Files\gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common
Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &NeoTrace It! -
C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Coupons - file://C:\Program
Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Ebates - file://c:\Program
Files\topMoxie\TEMP\ebates_script.htm
O8 - Extra context menu item: Find Using Copernic Shopper - C:\Program
Files\Copernic 2001 Basic\Copernic Shopper\Web\Find.htm
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program
Files\Copernic 2001 Basic\Copernic Agent\Web\SearchExt.htm
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra 'Tools' menuitem: Shop Using Copernic Shopper (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Shop (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Ebates (HKCU)
O9 - Extra button: NeoTrace It! (HKCU)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor
Class) -
http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1069642740171
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
scanner) -
http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {58ED4C6D-350A-11D6-83EB-0060083CA107} (JPlayInst Class) -
http://www.videogram.com/lib/videogram/AJPINST1012.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield
International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} -
http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37652.1761574074
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry
Information Class) -
http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) -
http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
http://h30043.www3.hp.com/dj/qdiagh.cab?305


Sir_George said:
Bob,

Go to http://www.spywareinfo.com/downloads.php#det
Download "Hijack This!" [freeware] or download direct (below):
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates "hijackthis.log")

Open "hijackthis.log" in Notepad and paste the contents in your next post to
this newsgroup and either I, or someone else, will reply with further info
to help you solve the problem.

--
Sir_George
For better access to newsgroups;
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp


BobGare said:
How do I get rid of this (helpexp.exe trojan horse)? Norton found it but
can't get rid of it.
 
kurt wismer said:
helpexp.exe is the filename, not the name of the malware... perhaps you
could tell us the exact text of the alert from norton, along with the
exact text of the removal failure notice from norton (since there are a
variety of reasons why it might fail)...

--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"


This is the message.

Unable to repair.
Access denied
 
Bob,

The following should solve the problem;

Uninstall procedure:

Uninstall HelpExpress from "Add/Remove Programs" in the Windows® Control
Panel. Look for an entry called "HelpExpress". Do not uninstall HelpExpress
if you value the service that it offers.

(ALWAYS BACKUP THE REGISTRY PRIOR TO MAKING ANY CHANGES!)

Manual removal
1. Start the registry editor. This is done by clicking Start then Run.
(The Run dialog will appear.) Type regedit and click OK. (The registry
editor will open.)
2. Browse to the key:
'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
3. In the right pane, delete the values called 'HXIUL.EXE', 'HELPEXP.EXE',
'emsw.exe' and 'HXDL.EXE', if they exist.
4. Browse to the key:
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
5. In the right pane, delete the values called 'HXIUL.EXE', 'HELPEXP.EXE',
'emsw.exe' and 'HXDL.EXE', if they exist.
6. Exit the registry editor.
7. Restart your computer.
8. Delete the following directories and their content:
%ProgramsDir%\Alset\
%ProgramsDir%\Alset Network\
Note: %ProgramsDir% is a variable. By default, this is C:\Program Files.
You can also get rid of the "CouponsAndOffers" entries, unless you actually
use it.
 
kurt,

The OP states that Norton can't get rid of the file; the reason is because
it is in use.

Now, after looking at Bob's log created by "HiJackThis" the appropriate
registry entries (not just the one found by Norton) are noted and once
edited (removed) the offending directories/files can also be deleted.

So, the fact that Norton found one file, helpexp.exe, associated with
"HelpExpress" adware was not the entire story.

There were two entries in Bob's case that needed to be removed from the
registry;

1. HKCU\..\Run: [HXIUL.EXE] C:\Program
Files\Alset\HelpExpress\Administrator\HXIUL.EXE
2. HKCU\..\Run: [HELPEXP.EXE] C:\Program
Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe

as well as two program file entries;

C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe

Thus, my reason for recommending "HiJackThis" was to be sure that all the
necessary entries, files, and directories would be found and listed so the
removal process would be complete.

HTH

--
Sir_George
For better access to newsgroups;
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp


kurt wismer said:
Sir_George said:
Bob,

Go to http://www.spywareinfo.com/downloads.php#det
Download "Hijack This!" [freeware] or download direct (below):
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip, double-click "HijackThis.exe" and Press "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button.
Click: "Save Log" (generates "hijackthis.log")

Open "hijackthis.log" in Notepad and paste the contents in your next post to
this newsgroup and either I, or someone else, will reply with further info
to help you solve the problem.

not to put too fine a point on it but is HijackThis going to give you
more than the filename that bob has already given us?

what and where it is has already been determined by his scanner -
what's left is what it does and why can't he remove it with the tools
he's already got...
 
This is the message.

Unable to repair.
Access denied

that's *one* of the messages i asked for, and it does help a bit...
access denied happens most commonly because the file is in use (i.e.
currently running, try restarting in safe mode to remove it) or because
it's in the system restore (only windows ME and XP have system restore)
and can only be removed by purging all your restore points...

if you provide the message that norton gives when it detects this in
the first place it should include the trojan name and the file location
- the location would allow me to verify or rule out the possibility of
it being in your system restore (or if you are using a version of
windows other than ME or XP then it's ruled out automatically)...
 
Sir_George said:
kurt,

The OP states that Norton can't get rid of the file; the reason is because
it is in use.

Now, after looking at Bob's log created by "HiJackThis" the appropriate
registry entries (not just the one found by Norton) are noted and once
edited (removed) the offending directories/files can also be deleted.

correct me if i'm wrong, but HijackThis won't actually identify those
entries, just list them with a bunch of other entries and leave it to
the user to figure out what is what...
So, the fact that Norton found one file, helpexp.exe, associated with
"HelpExpress" adware was not the entire story.

i'm guessing you put more google time into this than i did... the OP
didn't provide any malware name, just a filename... i tried to get him
to provide the malware name so that he could learn to identify it and
how to use it in future to find specific removal information...
There were two entries in Bob's case that needed to be removed from the
registry;

1. HKCU\..\Run: [HXIUL.EXE] C:\Program
Files\Alset\HelpExpress\Administrator\HXIUL.EXE
2. HKCU\..\Run: [HELPEXP.EXE] C:\Program
Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe

as well as two program file entries;

C:\Program Files\Alset\HelpExpress\Administrator\HXIUL.EXE
C:\Program Files\Alset\HelpExpress\Administrator\Client\HelpExp.exe

i suspect that in reality he would probably want to delete the entire
C:\Program Files\Alset\HelpExpress\ directory... perhaps even the
entire C:\Program Files\Alset\ directory...
Thus, my reason for recommending "HiJackThis" was to be sure that all the
necessary entries, files, and directories would be found and listed so the
removal process would be complete.

and my point was that HijackThis doesn't identify the things you need
to remove and that the user should learn better diagnostic procedures
(like properly parsing the messages his anti-virus gives him and
extracting the important information)... from that he may well find
even more things needing removal with regards to this piece of malware...

i'm not criticizing HijackThis, or its use for finding otherwise
unknown malware, but the OP has a product that was identifying the
malware and needs to learn how to use the information that product
gives him... using HijackThis to generate a generic logfile and hope
that someone in cyberspace can make a diagnosis from that when a
product has already given a specific diagnosis seems like the wrong way
to go...
 
mzlindyone,

I have absolutely no idea what you are talking about. Neither "Gain" nor
"SaveNow" is listed in Bob's log file. Additionally, the question had
nothing to do with analyzing his entire system, but to answer his question
on how to get rid of a specific file.
 
kurt,

Answers provided in line;
correct me if i'm wrong, but HijackThis won't actually identify those
entries, just list them with a bunch of other entries and leave it to
the user to figure out what is what...

Therefore, my suggestion to post back with the results and have someone more
familiar with the entries provide the additional information about which
registry entries, file(s), folder(s), and directories should be modified or
deleted.
i'm guessing you put more google time into this than i did... the OP
didn't provide any malware name, just a filename... i tried to get him
to provide the malware name so that he could learn to identify it and
how to use it in future to find specific removal information...

I didn't spend time on Google to provide the link to HiJackThis, I'm very
familiar with it. As for the site location I provided;
http://www.kephyr.com/spywarescanner/library/helpexpress/index.phtml
it was listed in another newsgroup I was browsing through and I merely
copied it.
i suspect that in reality he would probably want to delete the entire
C:\Program Files\Alset\HelpExpress\ directory... perhaps even the
entire C:\Program Files\Alset\ directory...

Probably a good idea. However, not totally necessary.
and my point was that HijackThis doesn't identify the things you need
to remove and that the user should learn better diagnostic procedures
(like properly parsing the messages his anti-virus gives him and
extracting the important information)... from that he may well find
even more things needing removal with regards to this piece of malware...

Well let's see his AV program provided the following message;

Unable to repair.
Access denied

That information seems pretty cryptic compared to the results from
"HiJackThis" when interpreted by someone who understands the log file
entries. I don't think even the most advanced user could provide much help
based solely on "Unable to repair. Access denied." Wouldn't you agree?
but the OP has a product that was identifying the
malware and needs to learn how to use the information that product
gives him...

Again the information provided by his product is;

Unable to repair.
Access denied

I don't see how that data is going to help.

In summary, I simply replied to your inquiry about;

"not to put too fine a point on it but is HijackThis going to give you
more than the filename that bob has already given us?"

So I don't see why you feel the need to get into a pissing contest. You post
with what you think will help and I post with what I think will help. No big
deal and no need to try and belittle my advice.

Hope you had a Good Turkey Day :-)
 
Sir_George said:
kurt,

Answers provided in line;




Therefore, my suggestion to post back with the results and have someone more
familiar with the entries provide the additional information about which
registry entries, file(s), folder(s), and directories should be modified or
deleted.

you're missing a key point... in order for that "someone more familiar"
to be of any help they'd have to actually recognize the entries for a
particular piece of malware... you have to know which ones are related
to the problem program in order to know which ones to delete, right?

the number of different pieces of malware is so large that no one, and
frankly not even a group of experts with a fair number of people in it,
are going to be able to remember the characteristics of all of them...

without very specialized tools, resources, and expertise, human
diagnosis of malware will fail for most malware...
I didn't spend time on Google to provide the link to HiJackThis, I'm very
familiar with it. As for the site location I provided;
http://www.kephyr.com/spywarescanner/library/helpexpress/index.phtml
it was listed in another newsgroup I was browsing through and I merely
copied it.

my mistake then... i assumed you found that link after googling the
filename the OP posted... it seems like it's a likely suspect for the
cause of the OP's NAV alert but the page proves my point nicely - it's
a spyware description in an online library for a spyware scanner, not
unlike the virus description libraries av vendors put up... which means
there are not one but at least 2 different tools available that could
have provided specific diagnosis - one of which the OP had already used...

[snip]
Well let's see his AV program provided the following message;

Unable to repair.
Access denied

That information seems pretty cryptic compared to the results from
"HiJackThis"

that information was only part of what the scanner told him...
when interpreted by someone who understands the log file
entries.

understanding the log file entries isn't enough... you have to actually
be able to recognize the traces of particular pieces of malware... take
a look at the log, are any of those entries marked "probable malware
here"? no... and is it humanly possible to remember the traces all
malware leaves in the registry or on your disk? no, not by a long shot...
I don't think even the most advanced user could provide much help
based solely on "Unable to repair. Access denied." Wouldn't you agree?

the more advanced user would ask for more of the information provided
by the scanner because the more advanced user would recognize the
"Unable to repair. Access denied" message was not the detection message
but rather the message that pops up after you tell the scanner to
repair something it's already detected and it fails...
Again the information provided by his product is;

Unable to repair.
Access denied

and again, if you think that's all the info NAV provided i think you
should stop and think again... that message clearly doesn't contain the
filename the OP gave us so there had to be another message...
I don't see how that data is going to help.

well, it does, actually... it narrows down the number of reasons why he
can't get rid of what his scanner is detecting, but as you recognize
there are more pieces to this puzzle than just that...
In summary, I simply replied to your inquiry about;

"not to put too fine a point on it but is HijackThis going to give you
more than the filename that bob has already given us?"

So I don't see why you feel the need to get into a pissing contest. You post
with what you think will help and I post with what I think will help. No big
deal and no need to try and belittle my advice.

you replied to my inquiry, but you didn't answer my question...

the real answer is that hijackthis will *not* provide any more specific
info about what the OP has than NAV already has...

what it does provide is a log of various registry entries and running
processes without distinguishing between good and bad... this is useful
when dealing with unidentified problems because you can go through the
log and rule out known good programs and see if the process of
elimination can turn up a bad program - but that's not the situation
the OP was in...
Hope you had a Good Turkey Day :-)

i did... some time ago... canadian thanksgiving is earlier in the year
than american thanksgiving...
 
"Sir_George" <[email protected]> replied to mzlindyone:

[Corrected for top-postingitis...]
I have absolutely no idea what you are talking about. Neither "Gain" nor
"SaveNow" is listed in Bob's log file. Additionally, the question had
nothing to do with analyzing his entire system, but to answer his question
on how to get rid of a specific file.

I guess she was referring to:

Running processes:
C:\PROGRA~1\Save\Save.exe
C:\Program Files\gator.com\Gator\Gator.exe

O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - Global Startup: Gator eWallet.lnk = C:\Program
Files\gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common
Files\GMT\GMT.exe

....

Also, it seems this:

O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

is part of Alset's HelpExpress. I don't know what happens if it is left, but
my guess is it is likely to be a "guardian" whose purpose is to check for
installation and configuration and to "fix" things (i.e. re-install) should
the "product" be missing or "mis-configured".

There's a bunch of other dubious through downright undesirable cruft in there
too -- seems the OP has a severe case of Click-OK-itis...
 
Can you provide me with the steps you took to get rid of the
(helpexp.exe trojan horse)?
Thanks---Mark(NY)
 
Mark said:
Can you provide me with the steps you took to get rid of the
(helpexp.exe trojan horse)?
Thanks---Mark(NY)


"BobGare" <[email protected]> wrote in message

I downloaded http://www.spywareinfo.com/downloads.php#det
Download "Hijack This!" [freeware] or download direct (below):
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
like Sir_George said. And also did a search for anything on the computer
related to it. I found "HelpExpress" and uninstalled it. That did the
trick.
 