August 15th, 2004 18:00

I've been hijacked

I am a rookie at all of this and don't understand most of it. I do know I have been hijacked. I have run Ad-Aware, Spybot, CWShredder (nothing there) and now HijackThis. My IE home page will not display anything. It always says: cannot display pages.
I have had to install Mozilla just to get anywhere, and these desktop icons keep popping up with a word I can't use on the forum! Help.


Here is what I get:

Logfile of HijackThis v1.98.0
Scan saved at 2:00:12 PM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\services\msxmidi.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\securer\syshost.exe
C:\WINDOWS\System32\helpefa\sychost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Juno\bin\juno.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
D:\hjtlog.exe
c:\hijackthis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {198A1403-E245-7FE1-D521-6D557CA27B4F} - C:\WINDOWS\System32\lbxohee.dll
O2 - BHO: (no name) - {1EDE1351-B416-76B2-8621-6D557CA27848} - C:\WINDOWS\System32\ljqdimm.dll
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows OleServer - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msmk.dll
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D58B809A-AAAA-433E-86DC-4F189FB82976} - C:\WINDOWS\System32\ekk.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
O4 - HKLM\..\Run: [securer] C:\WINDOWS\System32\securer\syshost.exe
O4 - HKLM\..\Run: [helpefa] C:\WINDOWS\System32\helpefa\sychost.exe
O4 - HKLM\..\Run: [LA65] c:\documents and settings\erin jadinak\local settings\temp\LA65.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/templates/um2/x.chm::/ad.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC3B1B95-5FB3-4A5C-BB32-0EA70638F3AD}: NameServer = 64.136.28.120 64.136.20.133
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O18 - Filter: text/html - {88DB5204-79B6-4CBA-8342-74B9A37D8375} - C:\WINDOWS\System32\ekk.dll
O18 - Filter: text/plain - {88DB5204-79B6-4CBA-8342-74B9A37D8375} - C:\WINDOWS\System32\ekk.dll

August 16th, 2004 00:00

See the following message from ChrisRLG concerning the best place to get help from a HijackThis expert:

http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=21867

Steve

August 16th, 2004 15:00

You have the sp.html version of CoolWebSearch and some other problems too. The fix I've proposed for you is based on the following thread, with other problems in your log added to the fix.

http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=17212

Please get cwshredder and adaware.

Download and install them, do not scan with them yet.

You can get cwshredder here:

http://www.majorgeeks.com/download4086.html

http://www.subratam.org/?page=removal

Here is a link with instructions for adaware:

http://forums.spywareinfo.com/index.php?showtopic=11150

 

Now we will start fix activities.

Please close all but one browser window.

Go to Pandasoft and run their online virus scan.

{ http://www.pandasoftware.es/activescan/activescan-com.asp }

After you run the online virus scan, please reboot into safe mode to run cwshredder.

[ How to do it: http://www.computerhope.com/issues/chsafe.htm ]

After you have run cwshredder:

Still in safe mode, run HijackThis and tick to fix any of the following that show up:

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\TERIJA~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://ie-search.com/srchasst.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ie-search.com/home.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe

O2 - BHO: (no name) - {198A1403-E245-7FE1-D521-6D557CA27B4F} - C:\WINDOWS\System32\lbxohee.dll

O2 - BHO: (no name) - {1EDE1351-B416-76B2-8621-6D557CA27848} - C:\WINDOWS\System32\ljqdimm.dll

O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\System32\services\2.01.00.dll

O2 - BHO: Windows OleServer - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msmk.dll

O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll

O2 - BHO: (no name) - {D58B809A-AAAA-433E-86DC-4F189FB82976} - C:\WINDOWS\System32\ekk.dll

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe

O4 - HKLM\..\Run: [securer] C:\WINDOWS\System32\securer\syshost.exe

O4 - HKLM\..\Run: [helpefa] C:\WINDOWS\System32\helpefa\sychost.exe

O4 - HKLM\..\Run: [LA65] c:\documents and settings\erin jadinak\local settings\temp\LA65.exe

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\msxmidi.exe

O13 - DefaultPrefix:

O13 - WWW Prefix:

O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/templates/um2/x.chm::/ad.exe

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

O18 - Filter: text/html - {88DB5204-79B6-4CBA-8342-74B9A37D8375} - C:\WINDOWS\System32\ekk.dll

O18 - Filter: text/plain - {88DB5204-79B6-4CBA-8342-74B9A37D8375} - C:\WINDOWS\System32\ekk.dll

 

I do not know how to evaluate these types of lines. Do you know if this is required by your network or your ISP?

If it is, it needs to be left; if it is not, it should be fixed.

O17 - HKLM\System\CCS\Services\Tcpip\..\{CC3B1B95-5FB3-4A5C-BB32-0EA70638F3AD}: NameServer = 64.136.28.120 64.136.20.133

 

Then delete these files:

C:\WINDOWS\System32\lbxohee.dll

C:\WINDOWS\System32\ljqdimm.dll

C:\WINDOWS\System32\services\2.01.00.dll

C:\WINDOWS\System32\msmk.dll

C:\WINDOWS\msopt.dll

C:\WINDOWS\System32\ekk.dll

C:\WINDOWS\System32\services\msxmidi.exe

C:\WINDOWS\System32\securer\syshost.exe

(Is there anything in this folder besides the syshost file?)

C:\WINDOWS\System32\helpefa\sychost.exe

(Is there anything in this folder besides the sychost file?)

c:\documents and settings\erin jadinak\local settings\temp\LA65.exe

C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo <==== this one is a folder

It may be necessary to show hidden files and folders to see the files.

[ How to do it: http://www.xtra.co.nz/help/0,,4155-1916458,00.html ]

We then want to clear your temporary file locations.

If you are storing any programs or information, that you know is good and you want to keep, in these locations; please move it to a different archive location before proceeding with the following steps:

Browse to the C:\documents and settings\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in Internet Explorer click Tools > Internet Options > General. Click Delete Files and make sure you get all offline content as well.

Then reboot into normal mode.

Scan with Adaware and let it remove any bad files found.

Reboot again in normal mode and post a new log.

Regards.

cg
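The lines Steve ticks for fixing above follow a few recognisable patterns: R-lines whose search or start page is a `file://` URL into the Temp folder (the sp.html hijack) or that HijackThis marks `(obfuscated)`, unnamed O2 BHOs, O4 autostarts running out of Temp, O16 Downloaded Program Files sourced from `file://` or `ms-its:` instead of a web server, O18 MIME filters that hook every text/html and text/plain page, and the O17 NameServer line he asks the poster to confirm with their ISP. The script below, an added example that is not part of this thread and not HijackThis's own logic, parses log lines in the v1.98 format and applies those rules. The sample lines are constructed from entries shown in the log above with the user-name path shortened; the rule set is my own reading of the reply, not an exhaustive list of what a HijackThis expert would flag.

```python
"""Flag HijackThis log lines by the patterns used in the thread's fix list.

Added example, not code from the forum thread or from the HijackThis project.
The heuristics are an assumption drawn from the reply above; SAMPLE_LOG is a
constructed excerpt modelled on the log posted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.98 line format (user-name paths shortened).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\USER~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: (no name) - {198A1403-E245-7FE1-D521-6D557CA27B4F} - C:\WINDOWS\System32\lbxohee.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LA65] c:\documents and settings\user\local settings\temp\LA65.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.com/scj/rotation/templates/um2/x.chm::/ad.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC3B1B95-5FB3-4A5C-BB32-0EA70638F3AD}: NameServer = 64.136.28.120 64.136.20.133
O18 - Filter: text/html - {88DB5204-79B6-4CBA-8342-74B9A37D8375} - C:\WINDOWS\System32\ekk.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "R1" or "O16"
    reason: str   # why the line was flagged
    line: str     # the log line body (after the "Rn - " / "On - " prefix)


# "R1 - ...", "O16 - ...", "F1 - ..." : tag, separator, body
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Folders nothing legitimate should autostart from or serve a start page from.
TEMP_PATH_RE = re.compile(r"\\(temp|recycled)\\", re.IGNORECASE)


def parse_line(line: str):
    """Split one log line into (section tag, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_line(line: str):
    """Apply the thread's rules to one line; return a Finding or None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    low = body.lower()
    if section.startswith("R"):
        if "file://" in low and TEMP_PATH_RE.search(body):
            return Finding(section, "IE search/start page points at a local file in Temp", body)
        if low.endswith("(obfuscated)"):
            return Finding(section, "HijackThis reports an obfuscated URL", body)
    elif section == "O2" and "(no name)" in low:
        return Finding(section, "unnamed Browser Helper Object; verify the DLL", body)
    elif section == "O4" and TEMP_PATH_RE.search(body):
        return Finding(section, "autostart entry runs from a Temp or Recycled folder", body)
    elif section == "O16":
        # The last " - " separated field is the download source of the control.
        target = body.split(" - ")[-1].strip().lower()
        if target.startswith(("file://", "ms-its:")):
            return Finding(section, "Downloaded Program File sourced from a local file or CHM", body)
    elif section == "O17":
        return Finding(section, "custom DNS servers; confirm with your ISP or network before fixing", body)
    elif section == "O18" and low.startswith("filter:"):
        return Finding(section, "MIME filter hooks every text/html or text/plain page", body)
    return None


def scan(log_text: str):
    """Return the findings for a whole log, in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run as a script it prints each flagged line with the reason; `scan()` can be pointed at a saved `hijackthis.log` just as easily. Lines it does not flag (the Norton BHO, the nVidia `nwiz` autostart, the Dell ShellNext URL) are the ones the reply also leaves alone, which is the point: the rules encode where a start page or autostart is allowed to live, not a list of known-bad names.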

September 6th, 2004 02:00