Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

about:blank

Started by Belgjer , Mar 11 2005 01:40 PM

  • Please log in to reply

#16
Belgjer
Posted 19 March 2005 - 11:48 AM

Belgjer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Don77,

I did what you asked. I have noticed that the '015 - Trusted Zone:*.finefind.nettraffic2cash.biz' after "Fix Checked" came back. I think it was never removed.

As usual i could not delete se.dll and mhkhj.dll (i was in safe mode!!), the sourse of se.dll was in use and mhkhj.dll was in use by windows. I ran Ad-aware and se.dll was removed at startup but mhkhj.dll is still present.

here is my HJT log again:

Logfile of HijackThis v1.99.1
Scan saved at 18:24:30, on 19/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WOUTER\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {69E0C6F6-1AD3-4E97-A495-A5A01A3669A3} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O18 - Filter: text/html - {48D9185F-F8AD-4F7D-84FC-C880470B20B1} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O18 - Filter: text/plain - {48D9185F-F8AD-4F7D-84FC-C880470B20B1} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
  • 0

Advertisements

#17
window-washer
Posted 20 March 2005 - 05:52 AM

window-washer

    Member

  • Member
  • PipPip
  • 11 posts
Do you see this line in your post?

res://C:\WINDOWS\TEMP\se.dll/sp.html

This .DLL is in your windows temp and it is locked. None of the programs sugested can delete or uninstall a locked file that I know of...

You must remove it manually after booting in safe mode, and run all of your cleaning programs in safe and then reboot in full mode and then run them all again. then go to Windows temp and see if it is still there...

Regards...
  • 0

#18
Belgjer
Posted 20 March 2005 - 01:28 PM

Belgjer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Where exactly should i find res://c:\windows\temp\se.dll/sp.html ?
I am not familiar with this "res://", what is that?

When i started windows i receved the messege from NAV: "The virus Trojan.StartPage in C:\windows\temp\se.dll was successfully removed from your computer.". (I seriously doubs that.)
Next a box with the title "RUNDLL" appeared: There has been an error when loading c:\windows\temp\se.dll. The system could not found the file.
When opening Explorer to controle wheter the file was actually gone, NAV interfered again: "reparation successfull: NAV has solved the problem c:\windows\temp\se.dll" (Again ???)
I could not find the file se.dll any more, but still got the problem with the startpage and popups.
  • 0

#19
Belgjer
Posted 20 March 2005 - 01:33 PM

Belgjer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here is my log again:
Logfile of HijackThis v1.99.1
Scan saved at 20:20:51, on 20/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WOUTER\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {69E0C6F6-1AD3-4E97-A495-A5A01A3669A3} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O18 - Filter: text/html - {48D9185F-F8AD-4F7D-84FC-C880470B20B1} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
O18 - Filter: text/plain - {48D9185F-F8AD-4F7D-84FC-C880470B20B1} - C:\WINDOWS\SYSTEM\MHKHJ.DLL
  • 0

#20
window-washer
Posted 20 March 2005 - 07:18 PM

window-washer

    Member

  • Member
  • PipPip
  • 11 posts
OK... Sorry about that omission...

Start in safe mode by pushing on the F8 key before the Win splash page appears.
Some times it helps to click the key repeatedly until the safe option appears...
Then scroll down to safe and hit enter...

Then go to ...Start>>Programs>C: Drive>windows explorer>Windows>Temp>Open windows temp... in the right window pane, SE.DLL can be seen, if it is not there, it has been removed. if it is there, it will be "inactive" in safe mode, so right click on it and when it is highlighted hit the delete key on your keyboard ans click yes to delete.

Be sure to run all of your cleaning programs both before and after you do this...
Run them in full operating mode and in safe mode and then once again after the restart, in full operating mode, just to be sure...

Best Regards...
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP