se.dll



#1 maestro (New Member, 2 posts)
Hi there.

Like most other people I am having a nightmare trying to rid myself of the Trojan.Startup that creates se.dll etc. I have deleted key registry items, used SpyBot, Adaware, Killbox, CWS Shredder and StartDreck but to no avail. Just as I think I've got it beat, the adverts appear followed by the se.dll and the about:blank stuff, and I'm also taken to that search page.

I have noticed that by using Dr Watson there is a hook to a file called SYSTKM.NAV using Rundll32, which doesn't exist. I have tried both disabling this in StartDreck and even removing it, but as soon as I refresh in StartDreck the value appears again. Could this be the problem? There is also a file called NADEC.DLL which I have removed and disabled in the registry (see my StartDreck log). I know how to delete everything, but it seems to be the hook file that I cannot find. I've now had this for about 2 weeks.

Can anybody help me please? Thanks in advance



StartDreck (build 2.1.7 public stable) - 2005-03-16 @ 21:37:44 (GMT +00:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as lee at 007681620004

»Registry
»Run Keys
»Current User
»Run
*McAfee.InstantUpdate.Monitor="C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RuLaunch.exe" /STARTMONITOR
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
*Steam=
»RunOnce
»Default User
»Run
*MoneyAgent="C:\Program Files\Microsoft Money\System\Money Express.exe"
*RealJukeboxSystray=C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
»RunOnce
»Local Machine
»Run
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*EM_EXEC=C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
*Hidserv=Hidserv.exe run
*LexStart=Lexstart.exe
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*SchedulingAgent=mstask.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*ISSVC="C:\Program Files\Norton Internet Security\ISSVC.exe"
*ccProxy=C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
*KB891711=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
»RunServicesOnce
**q=DISABLED:rundll32 C:\WINDOWS\SYSTKM.NAV,DllGetClassObject
**z=rundll32 C:\WINDOWS\SYSTKM.NAV,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
*Nisbho.CNisExtBho.1/{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
`InprocServer32=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
*DISABLED:{0B31C437-A475-495C-A90E-29BA911F5D4E}
`InprocServer32=
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\autoexec.bat
*C:\autoexec.bat
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\winstart.bat
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\command\cmdinit.bat
»System/Drivers
»Running Processes
+FF0F5D3D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF96D9=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE36CD=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE3009=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE769D=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE62A5=C:\WINDOWS\RUNDLL32.EXE
+FFFE7C81=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFEDD0D=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
+FFFD2619=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
+FFFD53B9=C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
+FFFD5285=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
+FFFD9111=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
+FFFC206D=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFB6471=C:\WINDOWS\EXPLORER.EXE
+FFFB2955=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFAFE11=C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
+FFFA94E1=C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
+FFF98A6D=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFF957F1=C:\WINDOWS\SYSTEM\HIDSERV.EXE
+FFF91529=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF87855=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFF842E1=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFC8B65=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF62C01=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\ADBLOCKING\NSMDTR.EXE
+FFF68509=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF6F661=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF475DD=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF35139=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF4787D=C:\DOWNLOADS\STARTDRECK\STARTDRECK.EXE
+FFF2F41D=C:\WINDOWS\REGEDIT.EXE
+FFF281D1=C:\WINDOWS\REGEDIT.EXE
+FFF14F75=C:\WINDOWS\SYSTEM\SPOOL32.EXE
»NT Services
»Application specific




Hijack Log:


Logfile of HijackThis v1.99.1
Scan saved at 21:39:25, on 16/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\STARTDRECK\STARTDRECK.EXE
C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\ADBLOCKING\NSMDTR.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - DISABLED:{0B31C437-A475-495C-A90E-29BA911F5D4E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServicesOnce: [*z] rundll32 C:\WINDOWS\SYSTKM.NAV,DllGetClassObject
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab


Should I remove systkm.nav - if so, how?
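A defender-side triage of the O4 lines in a HijackThis log like the one above, written as an added example for this thread (it is not HijackThis's or StartDreck's code): it parses the O4 format shown in the log and flags the three traits of the SYSTKM.NAV entry the poster asks about, namely a value sitting in a one-shot key, rundll32 loading a module whose extension is not a library type, and an entry point that is the COM factory export rather than a rundll32-style function. The sample lines and the heuristic lists are constructed here; a hit is a prompt to inspect the file, not proof of infection.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.99 O4 format, modelled on the log above;
# the SYSTKM.NAV line is the RunServicesOnce entry the poster asked about.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServicesOnce: [*z] rundll32 C:\WINDOWS\SYSTKM.NAV,DllGetClassObject
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
# rundll32 [path\]module,ExportName  (module may be quoted, need not end in .dll)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)
ONE_SHOT_KEYS = {"RunOnce", "RunServicesOnce", "RunOnceEx", "RunServicesOnceEx"}
LIBRARY_EXTS = {".dll", ".cpl", ".ocx", ".ax"}   # extensions rundll32 normally loads

def parse_o4(line):
    """Split one O4 line into hive, key, value name and command; None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    return {"hive": hive, "key": key, "name": name, "cmd": cmd}

def assess(entry):
    """Heuristic reasons an O4 entry deserves a closer look (empty list = none)."""
    reasons = []
    if entry["key"] in ONE_SHOT_KEYS:
        # *Once keys are consumed at boot; a value still present afterwards is
        # being re-created by something else, which is what the poster observed.
        reasons.append("value lives in a one-shot key that should be empty after boot")
    m = RUNDLL_RE.match(entry["cmd"])
    if m:
        module, export = m.groups()
        ext = PureWindowsPath(module).suffix.lower()
        if ext not in LIBRARY_EXTS:
            reasons.append(f"rundll32 loads a module with non-library extension {ext or '(none)'}")
        if export.lower() == "dllgetclassobject":
            reasons.append("entry point is the COM factory export DllGetClassObject")
    return reasons

def triage(log_text):
    """Map value name -> reasons, for every O4 entry that trips a heuristic."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and (reasons := assess(entry)):
            findings[entry["name"]] = reasons
    return findings
```

Running `triage(SAMPLE_LOG)` reports only the `*z` value, with all three reasons; the Symantec, SysTray and MSN entries pass untouched.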


#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi maestro and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Go to Geeks to Go.
   - Click on My Controls at the top right hand corner of the window (make sure you have signed in first).
   - In the left hand column, click "View Topics".
   - If you click on the title of your post, you will be taken there.

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
   - Where it says "unsubscribe", click the pull-down menu and select "immediate email notification".

3. Try following the recommendations in this link: REGEDIT-Trojan

4. Restart HJT, SCAN and post a new log for review.

Regards,

Trevuren


#3 maestro (Topic Starter, New Member, 2 posts)
Thanks Trevuren, but I think I may have sorted it - see

http://castlecops.com/postt111808.html

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Best of luck, maestro.

Regards,

Trevuren
