[djlera]

Hello friends:
My computer has been dragged through the dregs of the net (4 years at college) and now I have an se.dll (about:blank) problem.
I have tried some of the fixes on other posts:
CWShredder
CleanUp
Ad-Aware SE
Spy-bot

unfortuanately I cannot run AboutBuster and I receive an error saying the file is corrupted.
I just paid for Norton Antivirus 2005 (not helping) and I am having problems installing any new software...

I may have more than one infection here... but really this is beyond me. Here is my Hijack This log. Thanks in advance to anyone who wants to try to knock off this doozie! THANKS!

Logfile of HijackThis v1.99.1
Scan saved at 8:14:36 PM, on 3/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Dell Home - {8287F020-7A7B-11D4-9A70-000103208880} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mpl...toInstaller.exe
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.belmont.e...sses/CFJava.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://eap.ucop.edu...tivexviewer.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com.../gigexagent.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell..../SysProfLCD.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O19 - User stylesheet: (file missing)
O21 - SSODL: systemie - {A523BCE0-1433-11D8-9A71-000103208880} - sysie.dll (file missing)



Pretty ugly....

[Advertisements]

Hi Djlera,

Welcome to Geeks to Go!

I am just not seeing what I want to see out of HijackThis!

I need you to do 3 different Scans and Post a log from each!

1.DLLCompare:
DLLCompare
In this link,you will find a direct download and brief description of what the program does and how to use it!
Copy& Paste the contents of that log into the next post!

2.Silent Runners:
Silent Runners
Select:
Click here to download a zip file.

Unzip it and select Extract all files!

Run the SilentRunners.vbs file.
If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

It will start scanning the System,be patient,it takes a bit!

Once Completed,it will produce a Notepad page,I need you to Copy&Paste those results into your next post!

3.Startdreck:
StartDreck

Download,UnZip and Extract All Files!
DoubleClick StartDreck.exe
First click on the Config button.
Now click the Unmark all button.
Put a check by these boxes only:
"Registry->run keys"
"Registry->Browser helper objects"
"System/drivers> Running processes"
Save Account Info to Log
Refresh on Exiting Config Dialog
Now Click OK!
Let it Scan!

Now click the Save button to Save the Log.
Go to the StartDreck folder and find the Startdreck.log file.

Copy& Paste the contents of that log into the next post!

Edited by Cretemonster, 17 March 2005 - 03:41 PM.

[Wizard]

Hi Djlera,

Welcome to Geeks to Go!

I am just not seeing what I want to see out of HijackThis!

I need you to do 3 different Scans and Post a log from each!

1.DLLCompare:
DLLCompare
In this link,you will find a direct download and brief description of what the program does and how to use it!
Copy& Paste the contents of that log into the next post!

2.Silent Runners:
Silent Runners
Select:
Click here to download a zip file.

Unzip it and select Extract all files!

Run the SilentRunners.vbs file.
If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

It will start scanning the System,be patient,it takes a bit!

Once Completed,it will produce a Notepad page,I need you to Copy&Paste those results into your next post!

3.Startdreck:
StartDreck

Download,UnZip and Extract All Files!
DoubleClick StartDreck.exe
First click on the Config button.
Now click the Unmark all button.
Put a check by these boxes only:
"Registry->run keys"
"Registry->Browser helper objects"
"System/drivers> Running processes"
Save Account Info to Log
Refresh on Exiting Config Dialog
Now Click OK!
Let it Scan!

Now click the Save button to Save the Log.
Go to the StartDreck folder and find the Startdreck.log file.

Copy& Paste the contents of that log into the next post!

Edited by Cretemonster, 17 March 2005 - 03:41 PM.

[djlera]

Oh man...

Thank you so much for the quick response. Your help is greatly appreciated!

DLLCompare-
After download upon 1st opening file I recieve this error:
Run-time error '52'
Bad file name or number

Silent Runners-
First I get this error:
Create TextFile Error
The script cannot create its report file. This is a know intermittent problem under Windows 98.
An alternative script version is avaliable for download. After it runs the script you're using now will run correctly.
Press "Ok" to direct your browser to the alternative script location

(I do this)
It goes to Silent Runners RED.vb script: C:\Silent Runners RED.vbs
Line: 3052
Char: 2
Error: A device attached to the system is not functioning

Code: 8007001F
Source:

(so I guess that didn't work..)

Startdreck- (Good ol Germans)
here's the log with the parameters you set.

StartDreck (build 2.1.7 public stable) - 2005-03-17 @ 18:35:21 (GMT -08:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as High security at CX1226088-A

»Registry
»Run Keys
»Current User
»Run
*Spyware Doctor="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
»RunOnce
»Default User
»Run
*AIM=C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
»RunOnce
»Local Machine
»Run
*Microsoft IntelliType Pro="C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
*AudioHQ=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
*TkBellExe=C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
*Zone Labs Client="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMON.EXE
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*NPFMonitor=C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*SchedulingAgent=mstask.exe
»RunServicesOnce
**pqde=rundll32 C:\WINDOWS\PLAYMR.MIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar2.dll
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton AntiVirus\NavShExt.dll
»Files
»System/Drivers
»Running Processes
+FF0F7F61=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFBF3D=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFB28D=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE329D=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
+FFFE0615=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
+FFFE7245=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE6EF5=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
+FFFE4C9D=C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
+FFFEBAD1=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFD6DC9=C:\WINDOWS\RUNDLL32.EXE
+FFFC21A5=C:\WINDOWS\EXPLORER.EXE
+FFFB2F8D=C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
+FFFB2245=C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
+FFFB7BD1=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFB78CD=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
+FFFBE231=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
+FFFBDBA5=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
+FFF8F309=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
+FFFAF165=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
+FFF73231=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF51A6D=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF4B7DD=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
+FFF4A481=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
+FFF5BBC9=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»Application specific


So please let me know what else I need to do. Thanks again!!

[Wizard]

OK,it looks like some kind folks have created a fix for this,Lets give it a try!!

First,Create a Folder on the Desktop just for this Application:

Right Click the Desktop and Select New>>>Select Folder>>>Name it SpSeHjfix

Please download SpSeHjfix: fromhere
Place it in the new folder and unzip and make sure to Extract All Files!!

Now Close any Open Programs,Windows or Browsers!
Run SpSeHjfix_Beta8 and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the new folder.

Once rebooted, run SpSeHjfix_Beta8 again.

After the second reboot, generate a fresh HijackThis log and post it along with the contents of the 'second' SpSeHjfix log.

[djlera]

This program seems to have worked. What do the chicken bones say?

Log 1:


(3/19/05 7:36:35 PM) SPSeHjFix started v1.09
(3/19/05 7:36:36 PM) OS: Win98SE A (4.10.67766446)
(3/19/05 7:36:36 PM) Language: english
(3/19/05 7:36:42 PM) Disinfect started
(3/19/05 7:36:42 PM) Bad-Dll(IEP): (not found)
(3/19/05 7:36:42 PM) Bad-Dll(IEP) in BHO: (not found)
(3/19/05 7:36:42 PM) UBF: 4
(3/19/05 7:36:42 PM) UBB: 2
(3/19/05 7:36:42 PM) UBR: 14
(3/19/05 7:36:42 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, CustomizeSearch: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, CustomizeSearch: about:blank
(3/19/05 7:36:42 PM) Stealth-String found: C:\WINDOWS\PLAYMR.MIF
(3/19/05 7:36:42 PM) File added to delete: c:\windows\playmr.mif
(3/19/05 7:36:42 PM) Reboot

Log 2:


(3/19/05 7:40:58 PM) SPSeHjFix started v1.09
(3/19/05 7:40:58 PM) OS: Win98SE A (4.10.67766446)
(3/19/05 7:40:58 PM) Language: english
(3/19/05 7:41:00 PM) Disinfect started
(3/19/05 7:41:00 PM) Bad-Dll(IEP): (not found)
(3/19/05 7:41:00 PM) Bad-Dll(IEP) in BHO: (not found)
(3/19/05 7:41:00 PM) UBF: 4
(3/19/05 7:41:00 PM) UBB: 4
(3/19/05 7:41:00 PM) UBR: 14
(3/19/05 7:41:00 PM) Bad IE-pages:
(3/19/05 7:41:00 PM) Stealth-String not found:
(3/19/05 7:41:00 PM) Not infected->END


HJT Log: (this one's long)

Logfile of HijackThis v1.99.1
Scan saved at 8:04:13 PM, on 3/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SBC SELF SUPPORT TOOL\BIN\MAD.EXE
C:\PROGRAM FILES\MOTIVE\ASSTCOMMON\MOTIVEDIRECTORY.EXE
C:\PROGRAM FILES\SBC SELF SUPPORT TOOL\BIN\MPBTN.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\SBC SELF SUPPORT TOOL\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\WINDOWS\PROFILES\HIGH SECURITY\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nytimes.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunServices: [Yahoo! Pager] 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Dell Home - {8287F020-7A7B-11D4-9A70-000103208880} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mpl...toInstaller.exe
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.belmont.e...sses/CFJava.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - https://eap.ucop.edu...tivexviewer.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com.../gigexagent.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell..../SysProfLCD.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O19 - User stylesheet: (file missing)
O21 - SSODL: systemie - {A523BCE0-1433-11D8-9A71-000103208880} - sysie.dll (file missing)

[Wizard]

Holy Cow,it appears to have killed the Primary Infector!!!

Thank my Partner HJM for that one,he located the fix!!!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O4 - HKCU\..\Run: [Yahoo! Pager] 1

O4 - HKCU\..\RunServices: [Yahoo! Pager] 1

O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.mpl...toInstaller.exe

O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com.../gigexagent.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab

O19 - User stylesheet: (file missing)

O21 - SSODL: systemie - {A523BCE0-1433-11D8-9A71-000103208880} - sysie.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!
Here is a link to help with that:
Hidden Files
Make sure to follow Instructions for Windows 98

Using the Windows Search Assistant(Click Start>>>Click Search)

Please search the entire system for this file:

sysie.dll

One folder I want you to search for this file is:

C:\WINDOWS\SYSTEM<<< Search that entire folder for sysie.dll!

For the Time,just let me know if you locate the file?!?!

Post back with a fresh HijackThis log and as much info on file location as possible!

[philipc]

I have just been through this as well, on my son's computer running Win98. All the removal techniques to get rid of se.dll failed to survive a reboot, although I didn't try HijackThis after three rivals wanted my money before they did anything useful.

Someone pointed me at a package called BHODemon - shows "Browser Help Objects" - and sure enough there was another dll there (in this case called bkdg.dll but I bet the name varies from case to case ) which was re-messing up the registry entries after I had fixed them. I killed the file and all references to it in the registry and that seemed to fix the problem once I had sorted out the various registry entries for the umpteenth time.

I was lucky here since this all happened yesterday so I was looking for files dated April 7th.

I also found an unidentified exe of this date in C:\ - size about 16k - which I deleted for good measure.

I got BHO Demon here

http://www.siena.edu...re/bhodemon.asp