Please Help with spyware-my Hijackthis log

Discussion in 'adware, spyware & hijack cleaning' started by james0056, Jul 1, 2004.

Thread Status:
Not open for further replies.
  1. james0056

    james0056 Registered Member

    Joined:
    Jul 1, 2004
    Posts:
    2
    Logfile of HijackThis v1.97.7
    Scan saved at 2:48:02 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\addej.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINDOWS\System32\jefmjs.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\WINDOWS\addmm32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Thomas Sunken\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = yahoo
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cexaz.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cexaz.dll/index.html#27859
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hallindsey.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cexaz.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = hallindsey.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cexaz.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cexaz.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cexaz.dll/sp.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hallindsey.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hallindsey.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus8l.hpwis.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {983F24D5-6232-7A89-5AC0-B57402B34312} - C:\WINDOWS\system32\ipys.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [kqprnizcijv] C:\WINDOWS\System32\jefmjs.exe
    O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\Program Files\DeskMates\DeskMateAutoUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [addmm32.exe] C:\WINDOWS\addmm32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [netie32.exe] C:\WINDOWS\system32\netie32.exe
    O4 - HKLM\..\RunOnce: [addej.exe] C:\WINDOWS\addej.exe
    O4 - HKLM\..\RunOnce: [croh32.exe] C:\WINDOWS\system32\croh32.exe
    O4 - HKLM\..\RunOnce: [atlhp.exe] C:\WINDOWS\system32\atlhp.exe
    O4 - HKLM\..\RunOnce: [ieok.exe] C:\WINDOWS\system32\ieok.exe
    O4 - HKLM\..\RunOnce: [netld.exe] C:\WINDOWS\netld.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d60fc084c01dd05/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38110.7773958333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

    Logfile of HijackThis v1.97.7
    Scan saved at 2:48:02 PM, on 6/30/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\addej.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\WINDOWS\System32\jefmjs.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\kdx\KHost.exe
    C:\WINDOWS\addmm32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Thomas Sunken\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = yahoo
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cexaz.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cexaz.dll/index.html#27859
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hallindsey.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cexaz.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = hallindsey.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cexaz.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cexaz.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cexaz.dll/sp.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hallindsey.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hallindsey.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus8l.hpwis.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {983F24D5-6232-7A89-5AC0-B57402B34312} - C:\WINDOWS\system32\ipys.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
    O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [kqprnizcijv] C:\WINDOWS\System32\jefmjs.exe
    O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\Program Files\DeskMates\DeskMateAutoUpdate.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [addmm32.exe] C:\WINDOWS\addmm32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\RunOnce: [netie32.exe] C:\WINDOWS\system32\netie32.exe
    O4 - HKLM\..\RunOnce: [addej.exe] C:\WINDOWS\addej.exe
    O4 - HKLM\..\RunOnce: [croh32.exe] C:\WINDOWS\system32\croh32.exe
    O4 - HKLM\..\RunOnce: [atlhp.exe] C:\WINDOWS\system32\atlhp.exe
    O4 - HKLM\..\RunOnce: [ieok.exe] C:\WINDOWS\system32\ieok.exe
    O4 - HKLM\..\RunOnce: [netld.exe] C:\WINDOWS\netld.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d60fc084c01dd05/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38110.7773958333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

    I need to know how to know how to clear spyware off my laptop. I have windows xp. I used spyware blaster and adware removal but the spyware is attached to one of my run programs and keeps replicating itself. My e-mail is ~snip~@yahoo. com.
     
    Last edited by a moderator: Jul 2, 2004
    james0056, Jul 1, 2004
    #1
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello james0056,

    Make sure your settings allow you to view "Hidden files". Open up any explorer windows and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders".

    Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for addej.exe and jefmjs.exe and addmm32.exe

    If you find the files, click on them, and then click End Process => Exit the Task Manager.

    Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
    Scroll down and find the service called "Network Security Service".
    When you find it, double-click on it. In the next window that opens, click the Stop button, then change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.
    Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cexaz.dll/sp.html#27859
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cexaz.dll/index.html#27859
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hallindsey.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cexaz.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = hallindsey.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cexaz.dll/sp.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cexaz.dll/index.html#27859
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cexaz.dll/sp.html#27859
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = hallindsey.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = hallindsey.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: (no name) - {983F24D5-6232-7A89-5AC0-B57402B34312} - C:\WINDOWS\system32\ipys.dll

    O4 - HKLM\..\Run: [kqprnizcijv] C:\WINDOWS\System32\jefmjs.exe
    O4 - HKLM\..\Run: [addmm32.exe] C:\WINDOWS\addmm32.exe
    O4 - HKLM\..\RunOnce: [netie32.exe] C:\WINDOWS\system32\netie32.exe
    O4 - HKLM\..\RunOnce: [addej.exe] C:\WINDOWS\addej.exe
    O4 - HKLM\..\RunOnce: [croh32.exe] C:\WINDOWS\system32\croh32.exe
    O4 - HKLM\..\RunOnce: [atlhp.exe] C:\WINDOWS\system32\atlhp.exe
    O4 - HKLM\..\RunOnce: [ieok.exe] C:\WINDOWS\system32\ieok.exe
    O4 - HKLM\..\RunOnce: [netld.exe] C:\WINDOWS\netld.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08f04d6...ip/RdxIE601.cab

    Reboot the computer into safe mode

    Because XP will not always show you hidden files and folders by default.
    Reset your search settings first.

    Open Folder Options>view and check your settings:
    Select
    Show hidden files and folders
    Display the contents of system folders
    Uncheck: Hide protected operating system files
    Next go to Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
    Be sure the first three boxes are selected:
    Search System folders
    Search Hidden Files and folders
    Search SubFolders

    Find and delete these files/folders:

    C:\WINDOWS\system32\cexaz.dll
    C:\WINDOWS\system32\ipys.dll
    C:\WINDOWS\System32\jefmjs.exe
    C:\WINDOWS\addmm32.exe
    C:\WINDOWS\system32\netie32.exe
    C:\WINDOWS\addej.exe
    C:\WINDOWS\system32\croh32.exe
    C:\WINDOWS\system32\atlhp.exe
    C:\WINDOWS\system32\ieok.exe
    C:\WINDOWS\netld.exe


    Reboot in Normal Mode.
    Download the file attached to this post and rename it to cwsuninst.reg
    Doubleclick it and confirm you want to merge it with the registry.
    Run HijackThis again and post a new log.

    https://www.wilderssecurity.com/attachment.php?attachmentid=137634
     
    Taz71498, Jul 2, 2004
    #2
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...