help with iexplorer

Discussion in 'adware, spyware & hijack cleaning' started by ren_of_heavens, Jun 2, 2004.

Thread Status:
Not open for further replies.
  1. ren_of_heavens

    ren_of_heavens Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    2
    i think i opened a bad e-mail and now every time i open up explorer it goes to some website. I set the website default back to what i want but it just changes back. a pop up also appears quite often (it is for an anit spyware program). and after a while a window will pop up saying that iexplorer has a problem and has to be shut down. sometimes it will say this is an illegal operation and will be shut down and i will click ok but nothing happens.
    when i opened the email a bunch of popups appeared and it has on sying the computer was infected with spyware and it had my IP address. what kind of download should i get to stop this. I already have spybot and that does not help.
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hi there, and welcome to Wilders! I've moved your post over here where it will get the proper attention. If you follow these directions, one of our experts will help you get fixed up quickly!
     
  3. ren_of_heavens

    ren_of_heavens Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    2
    need help

    i finished using both Ad-awarw and spybot seach and destroy in that order. I believe i have the most recent copies of both. I contined on using hijack this and these are my results

    Logfile of HijackThis v1.97.7
    Scan saved at 4:33:13 PM, on 6/2/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MS HARDWARE\POINT32.EXE
    C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\TEMP\QVI1WBQIS.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\MIKE'S GAMES\HIJACKTHIS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://home.searchingtheweb.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://find.searchingtheweb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://home.searchingtheweb.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {87F50601-B3EE-11D8-AFCB-30E56D72B332} - C:\WINDOWS\SYSTEM\JJKCJC.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
    O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
    O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [QVI1WBQIS] C:\WINDOWS\TEMP\QVI1WBQIS.EXE
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O8 - Extra context menu item: Web Search - c:\windows\ex.htm
    O9 - Extra button: RealGuide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O15 - Trusted Zone: http://www.mt-download.com
    O15 - Trusted Zone: http://www.myexexex.com
    O19 - User stylesheet: (file missing)

    thank you in advance for your help
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Re: need help

    Hi ren_of_heavens,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://home.searchingtheweb.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://find.searchingtheweb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\JJKCJC.DLL/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://home.searchingtheweb.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)

    O2 - BHO: (no name) - {87F50601-B3EE-11D8-AFCB-30E56D72B332} - C:\WINDOWS\SYSTEM\JJKCJC.DLL

    O4 - HKLM\..\Run: [QVI1WBQIS] C:\WINDOWS\TEMP\QVI1WBQIS.EXE

    O8 - Extra context menu item: Web Search - c:\windows\ex.htm

    O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O15 - Trusted Zone: http://www.mt-download.com
    O15 - Trusted Zone: http://www.myexexex.com
    O19 - User stylesheet: (file missing)

    Then reboot into safe mode and (still in safe mode) use the Disk Cleanup Utility to empty all your Temp folder.

    Then download
    StartDreck and unzip it.
    DoubleClick: 'StartDreck.exe'
    Hit: config
    Hit: Unmark all
    Check these boxes only:
    Registry->run keys
    System/drivers> Running processes
    hit >ok.

    Then post the log.

    Regards,

    Pieter
     
    Last edited: Jun 3, 2004
Thread Status:
Not open for further replies.