[mholster]

Please help. I keep removing CoolCWSaboutblank, and Trojan horse start page.16.m (windows\temp\se.dll), but they always come back. Followed your instructions three times but still problems. These are the logs:


C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\WEBROOT\WASHER\WWDISP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink, Inc.
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\83w4gegk.slt\prefs.js)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\PNEL.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\PNEL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: GotFusion WebForums.lnk = C:\Program Files\GotFusion WebForums\DBabble.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

[Advertisements]

Hi mholster and welcome to the GTG forums. The log file you posted seems to be missing quite a bit of information. I would like you to post a new log file. If you do not have a copy of the latest version (1.99.1) then download it from here: HijackThis_sfx.exe. Double-click on the file you just downloaded and click on the UnZip button to install the program.

Start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis. and click the Add Reply button.

I will review your log as quickly as I can.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT

Edited by OldTimer, 15 March 2005 - 08:20 AM.

[OldTimer]

Hi mholster and welcome to the GTG forums. The log file you posted seems to be missing quite a bit of information. I would like you to post a new log file. If you do not have a copy of the latest version (1.99.1) then download it from here: HijackThis_sfx.exe. Double-click on the file you just downloaded and click on the UnZip button to install the program.

Start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis. and click the Add Reply button.

I will review your log as quickly as I can.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT

Edited by OldTimer, 15 March 2005 - 08:20 AM.

[mholster]

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink, Inc.
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\83w4gegk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\83w4gegk.slt\prefs.js)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\PNEL.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\PNEL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Sorry, but I already got desperate and removed the IE about blank lines early this morning. But I just downloaded the latest hijackthis version, as you instructed, and these logs are from that, unchanged.

Seems I am running adaware, spybot and AVG endlessly. Spybot seemed to be doing something when I was first using it, but now adaware seems to be the only one that catches anything. But they can all say my computer is clean even while being attacked.

Winpatrol is now alerting me when they are trying to hijack IE with about blank. Once that starts, it seems to repeat maybe every three minutes endlessly until I am frustrated enough to go through the whole cleaning process again. Also seems like windows\system\temp\se.dll attacks cyclically and starts the about blank attacks (they both seem to synchronize their attacks). When I say attack, I mean that I get a warning that an unknown program is trying to change my start page to about blank, etc. I click no for each window and do the same when it starts again.

The computer might run fine in the morning and start having problems in the afternoon. Although I would not even consider running IE.

Every morning, adaware finds CoolCWS and sometimes other ad stuff, but nothing seems to find the Trojan horse.

Also last night the name changed from temp\se.dll to something else, but the effect was exactly the same. I did not think to write down last night's version.

I wish I knew what to look for to help you help me.

[OldTimer]

Hi again mholster. There appears to be something wrong with your HijackThis if this is all you are getting out of the log file. There should be additional information at the top of the log regarding your version, operating system and ie versions. There should also be additional information at the end of the log. Post another log back here and include all of the information. If that doesn't work we will need to look at some other options.

Cheers.

OT

[mholster]

Hi again, OldTimer.
I downloaded hijackthis again and ran again. Front info is there, but nothing more at end. See below. Thanks for following up.

Logfile of HijackThis v1.99.1
Scan saved at 1:38:51 PM, on 3/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\BRAIN SOUND STUDIO\BRAINSOUNDSTUDIO.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink, Inc.
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\83w4gegk.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\83w4gegk.slt\prefs.js)
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\PNEL.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\PNEL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

[OldTimer]

Hello mholster. Since you are running Windows 98 this log is Ok. I couldn't tell what OS you had from the other logs. This log is typical of a win98 installation. After reviewing the log I see no sign of viruses or malware at this time. In your original post you stated that you were having problems with CWS and About:Blank. Could you give me a little more detail on what was happening at that time and what steps you performed up to now. With what you have already done you might have eradicated it already. Also, if you are currently having any problems with Internet Explorer or have any questions please post back here with those details and I look the post over when it comes in.

Cheers.

OT

[mholster]

Hello OT,
Over a month ago, my computer was apparently infected with something and my windows files stop and start working, to the point where I could no longer boot up. I was already running spy sweeper and AVG, but they did not protect me. I finally cleared the hard disk completely and started over clean. Following the reload, I had no problems for a couple of weeks. But then they started again.

Prior to posting to Geekstogo, I ran adaware, CWS shredder, spybot and AVG over and over and over for about a week and my computer seemed to be getting cleaner until I stopped having problems for about 3 days. Then it came back with a vengeance.

I repeated this process again. Results seemed to be mixed. Prior to my post, spybot seemed to be making a lot of progress. This time, adaware and winpatrol seemed to be the only programs doing anything. Adaware was catching stuff, and winpatrol was warning me about CWS and windows\temp\se.dll. (I downloaded winpatrol after my original post and used it to stop everything from trying to load on startup.) Yesterday, I had about 8 hours without problems, a big improvement. Then started getting the messages from winpatrol as described in my previous post.

Early this morning, I put computer in safe mode, ran adaware, then restarted computer in safe mode again and ran adaware, spybot, CWS shredder and AVG. Then restarted the computer, normal mode, and ran them all again. Later, I deleted a program called Tweakmaster, a free download that I got a few weeks ago that was supposed to speed up the internet. (It didn't) So far today, no problems. Following your last reply, I tried Internet Explorer and it finally worked normally.

I really hope these problems are over. But based on the last month and a half, I am both skeptical and discouraged. I really don't want to go through this again.

[OldTimer]

Hi mholster. Thanks for the information. I'm glad to hear that things are running better at this time.

Here's what I would do if the problem comes back. Prior to running the cleaning apps run HijackThis to get a log of what is going on. That will help us in determining the variant of the hijack that you have. Some of the se.dll infections can be quite perniciuos, as you already know. Post the log back here in a new post. Let us know what you are going to do at that time then go ahead and run your cleaning apps while you are waiting for a response to your log.

I will close this topic since everything seems to be ok at this time.

Happy computing!

OT