about:blank

#16
Belgjer

Don77,

I did what you asked. I have noticed that the 'O15 - Trusted Zone: *.finefind.nettraffic2cash.biz' came back after "Fix Checked". I think it was never removed.

As usual I could not delete se.dll and mhkhj.dll (I was in safe mode!!); the source of se.dll was in use and mhkhj.dll was in use by Windows. I ran Ad-aware and se.dll was removed at startup, but mhkhj.dll is still present.

Here is my HJT log again:

Logfile of HijackThis v1.99.1
Scan saved at 18:24:30, on 19/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WOUTER\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {69E0C6F6-1AD3-4E97-A495-A5A01A3669A3} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O18 - Filter: text/html - {48D9185F-F8AD-4F7D-84FC-C880470B20B1} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O18 - Filter: text/plain - {48D9185F-F8AD-4F7D-84FC-C880470B20B1} - C:\WINDOWS\SYSTEM\MHKHJ.DLL

#17
window-washer

Do you see this line in your post?

res://C:\WINDOWS\TEMP\se.dll/sp.html

This .DLL is in your Windows temp folder and it is locked. None of the programs suggested can delete or uninstall a locked file that I know of...

You must remove it manually after booting in safe mode, and run all of your cleaning programs in safe mode, and then reboot in full mode and run them all again. Then go to Windows temp and see if it is still there...

Regards...

#18
Belgjer

Where exactly should I find res://c:\windows\temp\se.dll/sp.html ?
I am not familiar with this "res://", what is that?

When I started Windows I received the message from NAV: "The virus Trojan.StartPage in C:\windows\temp\se.dll was successfully removed from your computer." (I seriously doubt that.)
Next a box with the title "RUNDLL" appeared: There has been an error when loading c:\windows\temp\se.dll. The system could not find the file.
When opening Explorer to check whether the file was actually gone, NAV interfered again: "reparation successful: NAV has solved the problem c:\windows\temp\se.dll" (Again ???)
I could not find the file se.dll any more, but still got the problem with the start page and popups.

#19
Belgjer

Here is my log again:
Logfile of HijackThis v1.99.1
Scan saved at 20:20:51, on 20/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WOUTER\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {69E0C6F6-1AD3-4E97-A495-A5A01A3669A3} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O18 - Filter: text/html - {48D9185F-F8AD-4F7D-84FC-C880470B20B1} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O18 - Filter: text/plain - {48D9185F-F8AD-4F7D-84FC-C880470B20B1} - C:\WINDOWS\SYSTEM\MHKHJ.DLL

#20
window-washer

OK... Sorry about that omission...

Start in safe mode by pushing on the F8 key before the Win splash page appears.
Sometimes it helps to click the key repeatedly until the safe option appears...
Then scroll down to safe and hit enter...

Then go to ...Start>>Programs>C: Drive>windows explorer>Windows>Temp>Open windows temp... In the right window pane, SE.DLL can be seen. If it is not there, it has been removed. If it is there, it will be "inactive" in safe mode, so right click on it and when it is highlighted hit the delete key on your keyboard and click yes to delete.

Be sure to run all of your cleaning programs both before and after you do this...
Run them in full operating mode and in safe mode and then once again after the restart, in full operating mode, just to be sure...

Best Regards...
  • 0
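
The following Python is an added example, not part of the thread and not HijackThis code. It reads entries copied from the two logs above, pulls the file path out of each one (including the path inside a `res://<file>/<resource>` URL, which names a resource stored in that file), and lists which entries reference each file and which entries are new in the later scan. The function names and the reduced sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of entries copied from the two logs in this thread.
SCAN_19_MARCH = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
O2 - BHO: (no name) - {69E0C6F6-1AD3-4E97-A495-A5A01A3669A3} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O18 - Filter: text/html - {48D9185F-F8AD-4F7D-84FC-C880470B20B1} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
"""
SCAN_20_MARCH = SCAN_19_MARCH + r"""O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")  # section code, then entry text
# Drive-letter path ending in .dll or .exe; also matches the path inside res://
FILE = re.compile(r'[A-Za-z]:\\[^,/*?"<>|]*?\.(?:dll|exe)', re.IGNORECASE)


def parse(log):
    """Return (code, text, lowercased file path or None) for each entry line."""
    rows = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            f = FILE.search(m.group(2))
            rows.append((m.group(1), m.group(2), f.group(0).lower() if f else None))
    return rows


def references(log):
    """Map each referenced file to the section codes of the entries naming it."""
    refs = defaultdict(list)
    for code, _, path in parse(log):
        if path:
            refs[path].append(code)
    return dict(refs)


def new_entries(before, after):
    """Entries that appear in the later scan but not in the earlier one."""
    seen = {(c, t) for c, t, _ in parse(before)}
    return [(c, t) for c, t, _ in parse(after) if (c, t) not in seen]


if __name__ == "__main__":
    for path, codes in references(SCAN_20_MARCH).items():
        where = "TEMP" if "\\temp\\" in path else "    "
        print(f"{where} {path}: {', '.join(codes)}")
    for code, text in new_entries(SCAN_19_MARCH, SCAN_20_MARCH):
        print("new since previous scan:", code, "-", text)
```

Run on the sample, it lists se.dll under two R1 entries and one O4 Run entry, and MHKHJ.DLL under the O2 and O18 entries, so deleting a file from disk leaves those entries in place until they are fixed as well.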





