Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan startpage


  • Please log in to reply

#1
csodavid

csodavid

    New Member

  • Member
  • Pip
  • 3 posts
Hi!

I have also a problem with Torjan Startpage...
When I open the IE, the homepage doesn't work, and usually my AVG says that I have the virus...
In the same time the rundll "says" that "se.dll" can't be loaded, access denied.
I can't delete that file, because it's always come back next time when I open the IE.

Please help,
I am just a simple user, have no experience in these.... :tazz: ;) ;)

Thank U ,

Csonka Dávid
Hungary



Logfile of HijackThis v1.98.2
Scan saved at 19:27:37, on 2005.03.13.
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\MEDIASCIENCE\SONIQUE\SQSTART.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\YLJU.EXE
C:\WINDOWS\APPLICATION DATA\UTIE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYWARE-COP\SPYWARE-COP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\KéPEK\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\INSTALL\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
R3 - Default URLSearchHook is missing
O1 - Hosts: 3466709097 #uto.search.msn.com
O1 - Hosts: 3466709097 sea.search.msn.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {81798751-29AB-CDD7-94B0-440339635507} - C:\WINDOWS\NETRI.DLL (file missing)
O2 - BHO: (no name) - {76A6E9EB-85B7-11D9-A562-F52CA350D550} - C:\WINDOWS\SYSTEM\OHFD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Rádió - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoniqueQuickStart] C:\PROGRA~1\MEDIAS~1\SONIQUE\sqstart.exe -nostick
O4 - HKLM\..\Run: [D0B0.TMP] C:\WINDOWS\TEMP\D0B0.TMP.exe 0 10001
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Qckygiz] C:\WINDOWS\SYSTEM\ylju.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O4 - HKCU\..\Run: [Ctae] C:\WINDOWS\Application Data\utie.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Spyware-Cop] "C:\PROGRAM FILES\SPYWARE-COP\SPYWARE-COP.EXE" /s
O4 - Startup: Office Indítópult.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Gyorskereső.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O9 - Extra button: Microsoft® JavaScript® Console - {3CE9F5A0-A0FF-11D8-A562-444553540000} - (no file)
O9 - Extra 'Tools' menuitem: JavaScript Console - {3CE9F5A0-A0FF-11D8-A562-444553540000} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {3CE9F5A0-A0FF-11D8-A562-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {3CE9F5A0-A0FF-11D8-A562-444553540000} - (no file) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://neptun.bgf.hu/msrdp.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.101/...nsearchie32.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C: oo.mht!http://xxxmoviestv.c...le.chm::/in.exe
O18 - Filter: text/html - {B50F7EE1-87F1-11D9-A562-BE6C9E4FF583} - C:\WINDOWS\SYSTEM\OHFD.DLL
O18 - Filter: text/plain - {B50F7EE1-87F1-11D9-A562-BE6C9E4FF583} - C:\WINDOWS\SYSTEM\OHFD.DLL
  • 0

Advertisements


#2
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
Hi csodavid, welcome to Geeks to Go. I've split your post into a new topic to prevent confusion. Please limit your replies to this topic.
  • 0

#3
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi cosdavid and welcome,

Need you to do a couple things please,

Please go Here and unzip the newest version of HJT into a new dedicated folder,
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt. Unzip HijackThis into this folder.
Remove the older version you currently have

Download and install Cleanup

Also
Dowload the following program
CWShredder
It should be the current version, but check for updates
“Don’t run it yet”

Please download and install Ad-aware.
Setting up Ad-aware- please make sure you update it first




Next, reboot into 'SAFE MODE'. (By tapping the F8 key on start up)
Please restart HJT put a check next to the following if they still exist, close all open windows and click “fix.checked”
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
R3 - Default URLSearchHook is missing
O1 - Hosts: 3466709097 #uto.search.msn.com
O1 - Hosts: 3466709097 sea.search.msn.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: Class - {81798751-29AB-CDD7-94B0-440339635507} - C:\WINDOWS\NETRI.DLL (file missing)
O2 - BHO: (no name) - {76A6E9EB-85B7-11D9-A562-F52CA350D550} - C:\WINDOWS\SYSTEM\OHFD.DLL
O4 - HKLM\..\Run: [D0B0.TMP] C:\WINDOWS\TEMP\D0B0.TMP.exe 0 10001
O4 - HKCU\..\Run: [Qckygiz] C:\WINDOWS\SYSTEM\ylju.exe
O4 - HKCU\..\Run: [Ctae] C:\WINDOWS\Application Data\utie.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.101/...nsearchie32.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C: oo.mht!http://xxxmoviestv.c...le.chm::/in.exe
O18 - Filter: text/html - {B50F7EE1-87F1-11D9-A562-BE6C9E4FF583} - C:\WINDOWS\SYSTEM\OHFD.DLL
O18 - Filter: text/plain - {B50F7EE1-87F1-11D9-A562-BE6C9E4FF583} - C:\WINDOWS\SYSTEM\OHFD.DLL


make sure you can view all View all Hidden Files/Folders search for and delete the following in BOLD if still present

C:\WINDOWS\TEMP\se.dll
C:\WINDOWS\NETRI.DLL
C:\WINDOWS\SYSTEM\OHFD.DLL
C:\WINDOWS\TEMP\D0B0.TMP.exe
C:\WINDOWS\SYSTEM\ylju.exe
C:\WINDOWS\Application Data\utie.exe




Next,
Run Program cwshredder and have it fix anything it finds.
Make sure you click the “Fix” button


Next,
Open Cleanup! Click on clean up now and let it run,
When it has finished click NO to reboot now.

Next,
Scan with AdAware have it remove what it finds

Restart your computer,

Restart HJT and post back a fresh log please,
  • 0

#4
csodavid

csodavid

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
HI Don!

Here is my new log. I think It's quite nice. The problem solved. (as i think... :tazz:
By the way, in my windows, in the right-bottm corner there were icons, like "screen properties, running programs's icons, language, and think like this..."
Now there are only the icon of the "connected to the internet, and Webshots icon.
(wich is strange, because I don't remember downloaded that program...)

Anyway I am REALLY thankfull for Your help, and very happy that I'm not meeting with Trojan again and again.

All the best for U,

Dávid

Logfile of HijackThis v1.99.1
Scan saved at 10:22:39, on 2005.03.19.
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\HJT\HIJACKTHIS.EXE
C:\KéPEK\WEBSHOTS\WEBSHOTSTRAY.EXE

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
  • 0

#5
csodavid

csodavid

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
HI Don!

Firt of all, thank U Your help again.

But I've got still got the problem. or, so I get infected any time, when I connect to the net.

well here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 16:21:38, on 2005.03.23.
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {91DE7E43-9BAF-11D9-A562-EC167BE279A0} - C:\WINDOWS\SYSTEM\BJAAJFA.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O18 - Filter: text/html - {91DE7E42-9BAF-11D9-A562-EC1614AEDC3B} - C:\WINDOWS\SYSTEM\BJAAJFA.DLL
O18 - Filter: text/plain - {91DE7E42-9BAF-11D9-A562-EC1614AEDC3B} - C:\WINDOWS\SYSTEM\BJAAJFA.DLL
  • 0

#6
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi David, Sorry for the late reply, I was away for a few days,
Seems you have quite a few start ups disabled, Please reenable of them please and post back a fresh log please,
I need to see evrything so we can be sure and get it all,

Thanks
Don
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP