pkie and iehr.dll



#1 netizen


Posted 30 June 2004 - 02:41 PM

Hi. I'm new but I've been reading this forum for a few days. I had this problem where the about:blank startup page was hijacked by a search page with an antispyware pop-up. The second problem was that every time I used Yahoo! search I'd get this "sexocean" pop-up :gasp: (on my dad's comp). No other fixes seemed to work. Then I ran msinfo32 and found pkie and iehr which didn't belong to anything. I removed them with Hijackthis and it seems to have solved my problems. I suspect pkie.dll (fixed the about:blank) came with a pop-up killer that my bro installed to deal with "sexocean". If anyone knows anything about these two .dll files please let me know.

Edited by netizen, 30 June 2004 - 02:42 PM.


#2 Tuxedo Jack


Posted 30 June 2004 - 06:47 PM

Mods, please move this thread to Malware Removal.

Click the link in my signature marked "Ad-Aware" and download the program. Install it, run it, and click the globe icon in the top-right corner of the program's window. Click "Connect," then "OK." Once that's done, click "Finish."

Once that's done, click "Start," then start the scan.

Once that's done, right-click on the first thing in the list, then click "Select All Products" and click the "Quarantine" button.

It'll ask to run on reboot; say "Yes" and exit Ad-Aware, then reboot your machine. Let it scan and remove what it wishes, then scan with HJT and post the new log.
Signature file is under revision. This will be back shortly.

#3 netizen


Posted 01 July 2004 - 08:35 AM

Thanks for your reply. I didn't put it in the removal forum because I wasn't really asking how to remove it since it seems to be gone. Just wanted to know if anyone else had come across the two files. Anyways, I ran Ad-Aware and it found nothing. Here's my HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 9:19:44 AM, on 7/1/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.yahoo.com
O2 - BHO: (no name) - {7EB5E461-C89D-11D8-BBCE-0000E74671DB} - C:\WINDOWS\SYSTEM\PKIE.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
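
Added example, not part of any post in this thread: a small Python parser for HijackThis log lines like the ones above. It reports the O2 entry still registered for PKIE.DLL after the file was removed and, as a heuristic assumed for this example, IE registry values that point at a local file; the function names and the sample subset are this example's own.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
O2 - BHO: (no name) - {7EB5E461-C89D-11D8-BBCE-0000E74671DB} - C:\WINDOWS\SYSTEM\PKIE.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then the body
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>.+?) = (?P<data>.*)$")
COM_ITEM = re.compile(
    r"^(?P<kind>BHO|Toolbar): (?P<label>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
MISSING = "(file missing)"

def parse_hjt(text):
    """Return one dict per recognised log entry (R*, O*, ...)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list or blank line
        code, body = m.groups()
        entry = {"code": code, "body": body}
        if code.startswith("R"):       # IE start/search page registry values
            rv = REG_VALUE.match(body)
            if rv:
                entry.update(rv.groupdict())
        elif code in ("O2", "O3"):     # BHOs and toolbars: CLSID plus file path
            ci = COM_ITEM.match(body)
            if ci:
                entry.update(ci.groupdict())
                entry["missing"] = entry["path"].endswith(MISSING)
                entry["path"] = entry["path"].replace(MISSING, "").strip()
        entries.append(entry)
    return entries

def review(entries):
    """Entries worth a second look under this example's two heuristics."""
    notes = []
    for e in entries:
        if e.get("missing"):
            notes.append((e["code"], e["clsid"], "registry entry for a file that is gone"))
        elif e.get("data", "").lower().startswith("file:"):
            notes.append((e["code"], e["name"], "IE setting points at a local file"))
    return notes
```
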



