any help would really be appreciated
-
Hi. I've been hijacked! I'm sure you hear that a lot. Anyway, I've run adaware and spybot and deleted temp files, etc etc, but to no avail. Any help anyone could give me would be greatly appreciated.
Thanks!
Eliza
Logfile of HijackThis v1.99.1
Scan saved at 2:49:47 PM, on 3/10/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {4F9712A0-0F67-47BB-AB5D-83E3AFBF27DB} - C:\WINDOWS\SYSTEM\DEJP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [633] C:\WINDOWS\TEMP\633.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Free WebSite Tools.lnk = C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: RegFreeze.lnk = C:\Program Files\RegFreeze\regfreeze.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Search and Remove Spyware - {CDB280E8-BE43-4128-8A5A-3FCD094E2D88} - C:\PROGRAM FILES\REGFREEZE\RFSEARCHHANDLER.DLL
O9 - Extra 'Tools' menuitem: Search and Remove Spyware - {CDB280E8-BE43-4128-8A5A-3FCD094E2D88} - C:\PROGRAM FILES\REGFREEZE\RFSEARCHHANDLER.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O18 - Filter: text/html - {79983DEB-F085-4B7F-93E9-CDFD7035E55C} - C:\WINDOWS\SYSTEM\DEJP.DLL
O18 - Filter: text/plain - {79983DEB-F085-4B7F-93E9-CDFD7035E55C} - C:\WINDOWS\SYSTEM\DEJP.DLL
-
Hiya,
Sorry about the response time. If you still require help could you post a fresh log because the infection may have morphed.
-
Hey. Thanks for responding. I was actually out of town all last week, so the long response time didn't bother me. Fancy that! Here's my new log file.
The problem is that it has taken over my homepage and won't allow me to see some pages. When I open a new webpage it goes to about:blank and it's just not going away. I think this is something you may have seen before. I really appreciate that you're willing to help me.
Thanks!
Logfile of HijackThis v1.99.1
Scan saved at 10:39:32 AM, on 3/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\WUAUBOOT.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {4F9712A0-0F67-47BB-AB5D-83E3AFBF27DB} - C:\WINDOWS\SYSTEM\DEJP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [633] C:\WINDOWS\TEMP\633.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: Free WebSite Tools.lnk = C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: RegFreeze.lnk = C:\Program Files\RegFreeze\regfreeze.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Search and Remove Spyware - {CDB280E8-BE43-4128-8A5A-3FCD094E2D88} - C:\PROGRAM FILES\REGFREEZE\RFSEARCHHANDLER.DLL
O9 - Extra 'Tools' menuitem: Search and Remove Spyware - {CDB280E8-BE43-4128-8A5A-3FCD094E2D88} - C:\PROGRAM FILES\REGFREEZE\RFSEARCHHANDLER.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O18 - Filter: text/html - {79983DEB-F085-4B7F-93E9-CDFD7035E55C} - C:\WINDOWS\SYSTEM\DEJP.DLL
O18 - Filter: text/plain - {79983DEB-F085-4B7F-93E9-CDFD7035E55C} - C:\WINDOWS\SYSTEM\DEJP.DLL
-
Download Startdreck and unzip it to a new folder on your desktop.
Double click on StartDreck.exe
Hit: -config
Hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
Hit: OK.
Use the "save" tab, to save, name and post the log here in your next reply.
-
Thanks a lot, Owen. Here's the new log:
StartDreck (build 2.1.7 public stable) - 2005-03-24 @ 10:55:05 (GMT -06:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as d1805 at LIZA MAE
»Registry
»Run Keys
»Current User
»Run
*Weather=C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
»RunOnce
*QRIA=
»Default User
»Run
*Weather=C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
*SpySweeper="C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
»RunOnce
*QRIA=
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*Hidserv=Hidserv.exe run
*Service Connection=c:\cpqs\bwtools\sccenter.exe
*LexStart=Lexstart.exe
*LexmarkPrinTray=PrinTray.exe
*zBrowser Launcher=C:\Program Files\Logitech\iTouch\iTouch.exe
*mswspl=
*633=C:\WINDOWS\TEMP\633.EXE
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
»RunServicesOnce
**uaa=rundll32 C:\WINDOWS\READM_S2.HTZ,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\windows\googletoolbar1.dll
*{4F9712A0-0F67-47BB-AB5D-83E3AFBF27DB}
`InprocServer32=C:\WINDOWS\SYSTEM\DEJP.DLL
»Files
»System/Drivers
»Running Processes
+FFEF11B7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFDA43=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFE25B=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFE4EAF=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEE9B3=C:\WINDOWS\RUNDLL32.EXE
+FFFE356B=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFD6FCF=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFDA73F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFC4D73=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFCAC7B=C:\WINDOWS\TASKMON.EXE
+FFFCA1E3=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFB2CFF=C:\CPQS\BWTOOLS\SCCENTER.EXE
+FFFBEAF3=C:\WINDOWS\RUNDLL32.EXE
+FFFA62FB=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFA6837=C:\PROGRAM FILES\NOADS\NOADS.EXE
+FFFB8833=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF945EF=C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
+FFFA13C3=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFF99D87=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFA5E9B=C:\PROGRAM FILES\WINAMP\WINAMP.EXE
+FFF8C11B=C:\PROGRAM FILES\AIM95\AIM.EXE
+FFF4E567=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF2083F=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+F72AFC27=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+F729B89F=C:\WINDOWS\EXPLORER.EXE
+FFF95D63=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF1EFEF=C:\WINDOWS\DESKTOP\STARTREG\STARTDRECK.EXE
»Application specific
-
Download the Pocket Killbox from here.
Unzip it.
Boot into Safe Mode.
Close all browser windows, restart Hijack This and put a checkmark next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
O2 - BHO: (no name) - {4F9712A0-0F67-47BB-AB5D-83E3AFBF27DB} - C:\WINDOWS\SYSTEM\DEJP.DLL
O4 - HKLM\..\Run: [633] C:\WINDOWS\TEMP\633.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O9 - Extra button: Search and Remove Spyware - {CDB280E8-BE43-4128-8A5A-3FCD094E2D88} - C:\PROGRAM FILES\REGFREEZE\RFSEARCHHANDLER.DLL
O9 - Extra 'Tools' menuitem: Search and Remove Spyware - {CDB280E8-BE43-4128-8A5A-3FCD094E2D88} - C:\PROGRAM FILES\REGFREEZE\RFSEARCHHANDLER.DLL
O18 - Filter: text/html - {79983DEB-F085-4B7F-93E9-CDFD7035E55C} - C:\WINDOWS\SYSTEM\DEJP.DLL
O18 - Filter: text/plain - {79983DEB-F085-4B7F-93E9-CDFD7035E55C} - C:\WINDOWS\SYSTEM\DEJP.DLL
Click Fix Checked
Run the KillBox.
Put a check in the Delete on Reboot box.
Enter each of these lines into the white box one by one and then press the red X button. If it first asks you to confirm the deletion after each entry is added and the red X is pressed, you need to click Yes, but it also asks if you want to reboot. Click No each time until the last entry has been entered.
C:\WINDOWS\READM_S2.HTZ
C:\WINDOWS\SYSTEM\DEJP.DLL
C:\WINDOWS\TEMP\SE.DLL
C:\WINDOWS\TEMP\633.EXE
C:\PROGRAM FILES\REGFREEZE
When KillBox has rebooted your system, post a fresh Hijack This log here.
-
Thanks Owen. I did the above on Saturday, but seem to have gotten reinfected since then, because the about:blank is still popping up as my homepage and interfering with pages I try to look at. I really appreciate you helping me. Here's my newest log.
-Eliza
Logfile of HijackThis v1.99.1
Scan saved at 1:36:08 PM, on 3/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NOADS\NOADS.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {C14762EE-0D45-44DF-913E-C6831C2963E0} - C:\WINDOWS\SYSTEM\EPK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - HKCU\..\RunServices: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\RunServices: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
O4 - Startup: Free WebSite Tools.lnk = C:\Program Files\CoffeeCup Software\CoffeeCup Free FTP\ThirtyDayTimer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/r...c=3c00&LC=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: Dialpad US Java Applet - http://dialpad.com/applet/src/vscp.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O18 - Filter: text/html - {C6EF7E0C-9E88-4F17-B391-1C1087C4E941} - C:\WINDOWS\SYSTEM\EPK.DLL
O18 - Filter: text/plain - {C6EF7E0C-9E88-4F17-B391-1C1087C4E941} - C:\WINDOWS\SYSTEM\EPK.DLL
-
You have indeed been reinfected. I'll need another StartDreck log.
-
Thanks. Latest log:
StartDreck (build 2.1.7 public stable) - 2005-04-05 @ 03:35:50 (GMT -05:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as d1805 at LIZA MAE
»Registry
»Run Keys
»Current User
»Run
*Weather=C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
»RunOnce
*QRIA=
»Default User
»Run
*Weather=C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
*NoAds="C:\PROGRAM FILES\NOADS\NOADS.EXE"
»RunOnce
*QRIA=
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*Hidserv=Hidserv.exe run
*Service Connection=c:\cpqs\bwtools\sccenter.exe
*LexStart=Lexstart.exe
*LexmarkPrinTray=PrinTray.exe
*zBrowser Launcher=C:\Program Files\Logitech\iTouch\iTouch.exe
*mswspl=
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
»RunServicesOnce
**p=rundll32 C:\WINDOWS\READM_S2.HTZ,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\windows\googletoolbar1.dll
*{C14762EE-0D45-44DF-913E-C6831C2963E0}
`InprocServer32=C:\WINDOWS\SYSTEM\EPK.DLL
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Free WebSite Tools.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Webshots.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Free WebSite Tools.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Webshots.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\command\cmdinit.bat
*C:\WINDOWS\hosts
»System/Drivers
»Running Processes
+FFEF6C7B=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF9B4B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF9353=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFFFA43=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE96AB=C:\WINDOWS\RUNDLL32.EXE
+FFFE43F7=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFD2C07=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFDE5F7=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFC3D57=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFDD0CF=C:\WINDOWS\EXPLORER.EXE
+FFFCD683=C:\WINDOWS\TASKMON.EXE
+FFFB3903=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFB5593=C:\CPQS\BWTOOLS\SCCENTER.EXE
+FFFBA40B=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFFBDF7B=C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
+FFFCDD83=C:\WINDOWS\RUNDLL32.EXE
+FFFBAB3F=C:\PROGRAM FILES\NOADS\NOADS.EXE
+FFFA5E8F=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFAA0CB=C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
+FFFA00AF=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF97227=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFF9C933=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF610FB=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF6AF93=C:\PROGRAM FILES\AIM95\AIM.EXE
+FFF39183=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFF23C8F=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
+FFF7D5A7=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF1307B=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
»NT Services
»Application specific
-
Close all browser windows, restart Hijack This and put a checkmark next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {C14762EE-0D45-44DF-913E-C6831C2963E0} - C:\WINDOWS\SYSTEM\EPK.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {C6EF7E0C-9E88-4F17-B391-1C1087C4E941} - C:\WINDOWS\SYSTEM\EPK.DLL
O18 - Filter: text/plain - {C6EF7E0C-9E88-4F17-B391-1C1087C4E941} - C:\WINDOWS\SYSTEM\EPK.DLL
Click Fix Checked
Download the Pocket Killbox from here.
Unzip it and run the program.
Put a check in the Delete on Reboot box.
Enter each of these lines into the white box one by one and then press the red X button. If it first asks you to confirm the deletion after each entry is added and the red X is pressed, you need to click Yes, but it also asks if you want to reboot. Click No each time until the last entry has been entered.
C:\WINDOWS\SYSTEM\EPK.DLL
C:\WINDOWS\TEMP\SE.DLL
C:\WINDOWS\READM_S2.HTZ
When KillBox has rebooted your system, post a fresh log here.
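As an added illustration (not part of the thread and not a HijackThis feature), here is a small Python triage script that parses HijackThis R/O lines using the indicators Owen acted on above, and diffs two logs by hook slot so that a hijacker that re-registers itself under a new DLL name and CLSID (as DEJP.DLL became EPK.DLL between the 3/23 and 3/29 logs) shows up as "morphed" rather than as unrelated entries. The sample lines are taken from the logs posted in this thread; the flagging rules, the Entry fields and the function names are my own assumptions.

```python
"""Triage HijackThis log lines and diff two logs to spot a re-registered hijacker."""
import re
from dataclasses import dataclass

# Sample lines taken from the logs posted in the thread (before and after the first cleanup).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {4F9712A0-0F67-47BB-AB5D-83E3AFBF27DB} - C:\WINDOWS\SYSTEM\DEJP.DLL
O4 - HKLM\..\Run: [633] C:\WINDOWS\TEMP\633.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O18 - Filter: text/html - {79983DEB-F085-4B7F-93E9-CDFD7035E55C} - C:\WINDOWS\SYSTEM\DEJP.DLL
"""
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: (no name) - {C14762EE-0D45-44DF-913E-C6831C2963E0} - C:\WINDOWS\SYSTEM\EPK.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O18 - Filter: text/html - {C6EF7E0C-9E88-4F17-B391-1C1087C4E941} - C:\WINDOWS\SYSTEM\EPK.DLL
"""


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code, e.g. "R1", "O2", "O4", "O18"
    slot: str     # the hook point: registry value, BHO name, Run value name or MIME type
    target: str   # what is wired into that hook: a URL, a file path or a command line
    raw: str      # the original log line


LINE_RE = re.compile(r"^(R\d|O\d+) - (.+)$")
TEMP_RE = re.compile(r"\\TEMP\\", re.I)


def parse_hjt(text):
    """Turn the R/O lines of a HijackThis log into Entry objects; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue  # header lines and the "Running processes" block carry no R/O prefix
        section, body = m.groups()
        if section.startswith("R"):
            slot, _, target = body.partition(" = ")
        elif section == "O4" and "] " in body:
            slot, _, target = body.partition("] ")  # "HKLM\..\Run: [name] command"
            slot += "]"
        elif section == "O4":
            slot, _, target = body.partition(" = ")  # "Startup: file.lnk = path"
        else:
            parts = body.split(" - ")  # "name - {CLSID} - path": keep the name and the path
            slot, target = parts[0], parts[-1]
        entries.append(Entry(section, slot, target.strip(), raw))
    return entries


def triage(entries):
    """Return (entry, reason) pairs for the hijack pattern discussed in the thread."""
    findings = []
    for e in entries:
        t = e.target.lower()
        if e.section in ("R0", "R1") and (t == "about:blank" or t.startswith("res://")):
            findings.append((e, "IE start/search page pointed at about:blank or a res:// DLL resource"))
        elif e.section == "O2" and e.slot == "BHO: (no name)":
            findings.append((e, "unnamed Browser Helper Object loaded into every IE window"))
        elif e.section == "O4" and TEMP_RE.search(e.target):
            findings.append((e, "autorun entry launching from the TEMP directory"))
        elif e.section == "O18" and e.slot in ("Filter: text/html", "Filter: text/plain"):
            findings.append((e, "MIME filter that sees every HTML/plain-text page IE renders"))
    return findings


def compare(before, after):
    """Diff two logs by hook slot: same slot with a different target = the hijack re-registered."""
    b = {(e.section, e.slot): e.target for e in before}
    a = {(e.section, e.slot): e.target for e in after}
    removed = sorted(k for k in b if k not in a)
    added = sorted(k for k in a if k not in b)
    morphed = sorted((k, b[k], a[k]) for k in b.keys() & a.keys() if b[k] != a[k])
    return {"removed": removed, "added": added, "morphed": morphed}


def report(before_text, after_text):
    """Human-readable summary of the fresh log and of what changed since the previous one."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    lines = ["Suspicious entries in the fresh log:"]
    for e, why in triage(after):
        lines.append(f"  {e.raw}\n      -> {why}")
    diff = compare(before, after)
    for (section, slot), old, new in diff["morphed"]:
        lines.append(f"MORPHED {section} {slot}: {old} -> {new}")
    for section, slot in diff["removed"]:
        lines.append(f"GONE    {section} {slot}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_BEFORE, LOG_AFTER))
```

The "morphed" lines are the signal Owen read from the second log: the BHO and MIME-filter slots are still occupied, only the DLL and CLSID behind them changed, which is why the same fix list had to be repeated with the new file names.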