c:/windows/temp/se.dll



#1 valentine (New Member, 4 posts)
I require help in removing a trojan virus from my computer. I have a Windows 98 OS. I am running AVG anti-virus, Ad-Aware and NOD32 anti-virus but the virus refuses to go.
Each time I open Internet Explorer, AVG sends a pop-up with the following message: "virus detected while opening file C:\windows\temp\se.dll, trojan startpage. 19j, error loading se.dll, access is denied". Also the start page goes to about:blank and opens a search, besides opening lots of pop-ups with messages like "u have a spyware on ur PC", and on clicking OK this leads me to some weird websites. I am not even able to check my Yahoo mail. Each time I log into Yahoo, a search page opens and thus I can't check my mail.
Having read about a similar problem by other people and the solutions given, I ran CWShredder and AboutBuster, and I am herewith posting the logfile of HijackThis. Please tell me which of the following I can delete:

Here is my HijackThis logfile

Logfile of HijackThis v1.99.1
Scan saved at 4:09:42 PM, on 5/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\INETSRV\INETINFO.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PWSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\MSSQL7\BINN\SQLMANGR.EXE
C:\MSSQL7\BINN\SQLSERVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Satyam Infoway Limited
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll (file missing)
O2 - BHO: (no name) - {EA9B8921-CE44-11D9-AD7E-44459C48EE25} - C:\WINDOWS\SYSTEM\HDAB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT398246.EXE -auto
O4 - HKLM\..\Run: [QH Live Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [QH Office 2K Check] C:\PROGRA~1\QUICKH~1\O2KCHECK.EXE /CHECK
O4 - HKLM\..\Run: [Quick Heal On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE /start
O4 - HKLM\..\Run: [Quick Heal Messenger] C:\PROGRAM FILES\QUICK HEAL\QHM32.EXE
O4 - HKLM\..\Run: [Quick Heal Startup Scan] C:\PROGRA~1\QUICKH~1\QHSTRT32.EXE /LOADRUN
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe" -quiet
O4 - HKCU\..\Run: [MemMonster] C:\Program Files\Magellass\MemMonster\memmnstr.exe /S
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1055.dll,InstantAccess
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Startup: SQL Server.lnk = C:\MSSQL7\Binn\scm.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Visual Studio 6 Extensibility Libraries - file://H:\VJ98\VSTUDIO6.CAB
O16 - DPF: Microsoft WFC Forms Designer - file://H:\VJ98\WFCFORMS.CAB
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants...e/iceplayer.cab
O18 - Filter: text/html - {44E25F42-CEBC-11D9-AD7E-D8208E7C5077} - C:\WINDOWS\SYSTEM\HDAB.DLL
O18 - Filter: text/plain - {44E25F42-CEBC-11D9-AD7E-D8208E7C5077} - C:\WINDOWS\SYSTEM\HDAB.DLL

I hope to receive some help at the earliest. Thank you.
Regards
Valentine
#2 Wizard (Retired Staff, 5,661 posts)
Hi Valentine and Welcome to the Geeks to Go Forums!!

Before I go any further, I want you to run this tool now!!

Please Download Microsoft® Windows® Malicious Software Removal Tool
http://www.microsoft...&displaylang=en

Click Download>Run and then run again!

If any type of report is generated,please save it!

Please go to Add/Remove Programs and remove these if they exist

NewDotNet
New.Net domains
FirstLook
QuickSearch Toolbar


You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem!!

Please Create a Folder on the Desktop>>Right Click the Desktop>>Select New>>Select Folder>>Name it whatever you like!

Please Download all the tools to the New Folder but please DO NOT run any of these until asked!!!

Please Download SpSeHjfix112
http://www.derbilk.de/SpSeHjfix112.zip
or
http://www.trojaner-...gi?file=sphjfix
Once downloaded, unzip it and make sure to Extract All Files!

Please Download CWShredder
http://cwshredder.ne.../CWShredder.exe
Make sure you Update this as soon as you download it!

Please Download AboutBuster by RubbeRDuckY
http://www.besttechi...?showtopic=1488
Once downloaded, unzip it and make sure to Extract All Files!
Make sure you update this as soon as you download it!

Download and install CleanUp!
http://downloads.ste...p/CleanUp40.exe

PLEASE DISCONNECT FROM THE INTERNET UNTIL YOU ARE FINISHED!!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders; this must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingc...showtutorial=62

Once in Safe Mode>>Click Start>>Click Run>>Copy&Paste the text below into the open run box!

regsvr32 /u HDAB.DLL
If you get an error message, try it like this:
regsvr32 /u C:\WINDOWS\SYSTEM\HDAB.DLL

and

regsvr32 /u EGDACCESS_1055.dll
If you get an error message, try it like this:
regsvr32 /u C:\WINDOWS\SYSTEM\EGDACCESS_1055.dll

Please Run "AboutBuster"

Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
Click "Yes" to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
Please run AboutBuster as many times as it takes until you get these Results:

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


Please Run "CWShredder"

Click "Fix ->" and click "OK" at the prompt.
CWShredder will scan and clean your system of CWS files.
Click "Next->" and then "Exit"

Please Run "SpSeHjfix112"

Click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process!
The tool creates a log of the fix which will appear in the new folder!
Please save that log, I may ask to see it!

Restart back in Safe Mode!

Please Run "AboutBuster" once more!!!

Run AboutBuster as many times as it takes until you get these Results:

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!



Run "SpSeHjfix112" again
Please Save the Log from the last pass!
Refuse the option to Restart!

Run "CleanUp!". Click "CleanUp" and allow it to delete all the temporary files.
Once it is finished, click "Close" and click "No" when prompted to "Log Off"

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll (file missing)

O2 - BHO: (no name) - {EA9B8921-CE44-11D9-AD7E-44459C48EE25} - C:\WINDOWS\SYSTEM\HDAB.DLL

O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT398246.EXE -auto

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1055.dll,InstantAccess

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab

O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab

O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\wx.cab

O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\wx.cab

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants...e/iceplayer.cab

O18 - Filter: text/html - {44E25F42-CEBC-11D9-AD7E-D8208E7C5077} - C:\WINDOWS\SYSTEM\HDAB.DLL

O18 - Filter: text/plain - {44E25F42-CEBC-11D9-AD7E-D8208E7C5077} - C:\WINDOWS\SYSTEM\HDAB.DLL

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Locate and Delete

C:\WINDOWS\SYSTEM\EGDACCESS_1055.dll<< File!

C:\PROGRAM FILES\WEBSX<< Folder!

C:\Program Files\NewDotNet<< Folder!

Once completed, restart normally and have the PC scanned here
http://www.pandasoft...n_principal.htm

You will need to use Internet Explorer for the scan to work!!

Save the Report it produces!

Please post these logs:

Both logs from SpSeHjfix112

Panda's ActiveScan log

A Fresh HijackThis Log
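The reply above picks the entries to fix by eye, using a handful of recurring CoolWebSearch tells: IE search settings pointing at a res:// page inside a DLL in TEMP, search/home pages forced to about:blank, an unnamed BHO and text/html or text/plain MIME filters backed by a DLL dropped in the system folder, rundll32 autoruns that load a DLL by bare name, and ActiveX (O16 DPF) entries installed from local file:// CABs under placeholder CLSIDs made of repeated digits. As an added example, not code from the thread or from HijackThis, here is a small Python triage script that encodes those tells as rules and runs them over a constructed subset of the log in #1. The rules, the rundll32 allowlist and the "all-decimal CLSID is fabricated" heuristic are the editor's assumptions.

```python
"""Heuristic triage of a HijackThis (v1.99-style) log for CoolWebSearch
about:blank / se.dll hijack markers.

Added example; not from the forum thread and not HijackThis code. Every rule
below is an assumption abstracted from the log posted in #1, meant as a first
pass for a human reviewer rather than a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the log from #1 (IE settings, BHOs,
# autoruns, ActiveX CABs, MIME filters) plus benign lines the rules must skip.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll (file missing)
O2 - BHO: (no name) - {EA9B8921-CE44-11D9-AD7E-44459C48EE25} - C:\WINDOWS\SYSTEM\HDAB.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1055.dll,InstantAccess
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {A2ECDF87-BFE5-4EBA-852A-45E4F881377F} (icePlayer Class) - http://www.flashants...e/iceplayer.cab
O18 - Filter: text/html - {44E25F42-CEBC-11D9-AD7E-D8208E7C5077} - C:\WINDOWS\SYSTEM\HDAB.DLL
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+?)\s*$")
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^\s,]+)", re.IGNORECASE)
# Assumption: DLLs that Win9x legitimately loads via rundll32 by bare name.
RUNDLL_ALLOW = {"powrprof.dll"}


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def _fake_clsid(clsid: str) -> bool:
    """A CLSID with no hex letters at all (e.g. 11111111-...-111111113457) is
    vanishingly unlikely for a real component; CWS droppers use such fillers."""
    return re.search(r"[A-Fa-f]", clsid) is None


def check_entry(kind: str, body: str) -> Optional[str]:
    """Return a reason string if this HijackThis entry matches a hijack rule."""
    if kind in ("R0", "R1"):
        if "res://" in body and "\\TEMP\\" in body.upper():
            return "IE search page served from a DLL in TEMP (about:blank hijacker)"
        if body.rstrip().endswith("= about:blank"):
            return "IE search/home setting forced to about:blank"
    elif kind == "O2":
        if "(no name)" in body:
            return "unnamed Browser Helper Object"
        if "(file missing)" in body:
            return "BHO DLL missing on disk; stale entry, safe to remove"
    elif kind == "O4":
        m = RUNDLL_RE.search(body)
        if m and "\\" not in m.group(1) and m.group(1).lower() not in RUNDLL_ALLOW:
            return "rundll32 autorun loading a DLL by bare name from the search path"
    elif kind == "O16":
        if "file://" in body.lower():
            return "ActiveX (DPF) component installed from a local CAB"
        m = CLSID_RE.search(body)
        if m and _fake_clsid(m.group(1)):
            return "ActiveX (DPF) component with a fabricated-looking CLSID"
    elif kind == "O18":
        if re.search(r"Filter: text/(html|plain)", body):
            return "MIME filter hooked on text/html or text/plain (content injection)"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every rule over a log; non-entry lines (process list, headers) are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        reason = check_entry(m.group("kind"), m.group("body"))
        if reason:
            findings.append(Finding(raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.line}")
```

Run against the full log in #1, these rules mark the res:// and about:blank R-lines, the unnamed HDAB.DLL BHO, the stale NewDotNet BHO, the EGDACCESS_1055.dll rundll32 autorun, all seven file:// DPF entries and both HDAB.DLL MIME filters. They also flag the missing-file Google Toolbar BHO as stale, which the reply leaves alone, and they do not flag the websx autorun, the empty Local Page entries, MDM.EXE or the icePlayer DPF entry that the reply does tick. Treat the output as a checklist to review against the running-process list and the file system, not as the fix list itself.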

#3 valentine (Topic Starter, 4 posts)
Thank you so much for the time you took out to provide your valuable suggestions. It was very much appreciated.

Regards
Valentine