[writeroxie]

Hi there,
I read about a similar problem to mine on this board, but that persons browser had their homepage showing up as "about:blank" every day or so. Mine won't change at all. I change it, refresh, and it's back to "about:blank" (which brings me to this no name 'search' page). I've run hijackthis and found the suspicious dll's, i was able to delete "se.dll" quick enough after 'ending it's task'... but the other suspicious one is "phkm.dll" and I can't delete it because it's ALWAYS 'in use'.

Can anyone guide me in the right direction with this? Thanks in advance!

here's my HiJackthis log: (which by the way, i hit 'fix' and these go away for maybe 10 seconds before appearing again.)

----------------------

Logfile of HijackThis v1.97.7
Scan saved at 11:20:40 AM, on 4/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {E7E165B9-10D9-4DD6-ABD9-F31DBFC39206} - C:\WINDOWS\SYSTEM\PHKM.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

Edited by writeroxie, 23 April 2005 - 09:27 AM.

[Advertisements]

I think this is the sort of problem my son had on his win98, have you tried ad-aware to get rid of those dodgy dlls?
Try Msconfig and see if they are loaded on start-up, if they are disable them and restart.
Sorry I cant be more help! But it was a while ago when we had this problem.
If I remmeber any thing else I'll post here.

[szmig]

I think this is the sort of problem my son had on his win98, have you tried ad-aware to get rid of those dodgy dlls?
Try Msconfig and see if they are loaded on start-up, if they are disable them and restart.
Sorry I cant be more help! But it was a while ago when we had this problem.
If I remmeber any thing else I'll post here.

[writeroxie]

i did try adaware, but it didnt get rid of them.

How do i run Msconfig? i'm not familiar with that.
thanks

[szmig]

i did try adaware, but it didnt get rid of them.

How do i run Msconfig? i'm not familiar with that.
thanks

Theres a good web-site here-
http://netsquirrel.com/msconfig/
Take note of this-
"The only startup items you absolutely need are:
ScanRegistry
TaskMonitor
SystemTray
LoadPowerProfile
Your antivirus program (trust me, you won't have a hard time figuring out which one is your antivirus program. It is pretty obvious.)"

Hope this helps

[writeroxie]

thanks for the help, but after running msconfig, the only thing that showed up on the startup tab was: "rundll32 C:\windows\temp\SE.DLL,DllInstall"

So i unchecked it and restarted the computer. I still could not delete that suspicious dll found by hijackthis (phkm.dll). Also, I have noticed that i can only delete that "SE.DLL" if i try within seconds of running Hijackthis, otherwise i get an error which says it's "in use". After I quickly have deleted it though, it shows up again a few mintues later. Must be reinstalling itself?

Is there any other way to get this hijacker to stop running long enough for me to delete it? Any suggestions? Thanks.

[writeroxie]

well, it appears i have fixed my problem. i honestly don't know how i did it, other than trying different combinations of running hijackthis(which i just updated to v.1.99), then QUICKLY deleting that SE.DLL, and then running hijackthis again, and QUICKLY deleting that phkm.dll from the system folder. Finally my log is clean and my homepage is back to what i had... no more "about:blank".

This hijacking actually stemmed from me hastily typing in 'google.com' on my browser and i misspelled it, which always brings you to some shady 'search' site... and the hijacking ensues.

Thanks for your help! I really appreciate it. Glad to have forums like these.

[writeroxie]

It's Baaaaaaack!

Uggh. So I had almost an entire day without this hijacker... then this afternoon, Poof! A pop-up... (i never get pop-ups) so i run hijackthis... and it's all back... although a few of the names have changed... phkm.dll changed to pkk.dll and the se.dll is back too... but now it's calling a sp.html, rather than the spage.html

Any idea how to get this out again, and for good?


========================
Logfile of HijackThis v1.99.1
Scan saved at 1:20:16 PM, on 4/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {B1A08B83-0153-4BDB-A852-F33D4852C809} - C:\WINDOWS\SYSTEM\PKK.DLL
O18 - Filter: text/html - {F2BF1071-8128-44FD-90F5-53B1F34FDAE3} - C:\WINDOWS\SYSTEM\PKK.DLL
O18 - Filter: text/plain - {F2BF1071-8128-44FD-90F5-53B1F34FDAE3} - C:\WINDOWS\SYSTEM\PKK.DLL

[billywhizz]

Hi, I've had this too. I got rid of the se.dll and the other dodgy file that it seems to generate. You can normally find this one by looking in windows/system then ordering the files by created date and it gets named randomly.

You should be able to delete them by starting in safe mode. There's a info button in HJT which tells you what the codes are and this might help to identify the ones to fix, although I'd post a log to the HJT link on this site unless you're really confident.

I think mines fixed now but who knows....the other thing with your spelling erroris relevant. There a registry entry called default serch hook which redirects any enquiries to non-existent web sites to a site specified here.

Also, look in MSCONFIG for a startup item called SP which I found was a registry start key to the about blank page.

Regards.

BW

[gerryf]

People, please, please, please

We have an entire forum full of malware professionals who eat this stuff for breakfast

Please follow the link in my signature and follow the instructions at the top