HijackThis log

3 replies to this topic

#1 U2foreverU2


  • Members
  • 25 posts
  • Gender:Male
  • Local time:01:08 AM

Posted 22 February 2005 - 05:13 PM

Today I "received" a virus alert from Norton on my PC in the office:
Trojan.Startpage found in C:\windows\temp\se.dll
Norton said it was placed in quarantine.
But every now and then the message came back
First of all I launched Spybot and Ad-aware, and they found something of CoolWWWSearch, Fastclick and some cookies, and they removed it, or so it seemed.
Then I launched CoolWWWSearch SmartKiller and CWShredder and they didn't find anything.
I searched in the windows\temp directory but I didn't find se.dll.
But from the DOS shell I found it and so I deleted it.
I emptied all temp files including temporary internet files, but the Norton alerts came back: sometimes when I went on the internet, once when I wanted to empty the recycle bin, and also once when I just opened Explorer (My Computer).

I also found in Control Panel - Install Applications a program called
Search Assistant Uninstall
which I was unable to remove.

In my registry I also found some "scary" entries like:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\doubleclick.com

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\shopathomeselect.com

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\sexlist.com

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\porntrack.com

HKEY_USERS\marcells\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\porntrack.com

Probably inserted by this "Search Assistant" thing???

In the registry I have also seen many times things like:

And indeed my start page is blank now, but first it was redirected to another page which I don't remember now.

For the moment I am stuck and don't know how to go on to solve and clean up this mess.

Could anybody help me with this??

Below is my logfile (after Spybot, Ad-aware etc.):

Logfile of HijackThis v1.99.1
Scan saved at 16:38:49, on 22.02.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://CHKNTPDC00001:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O1 - Hosts: router_isdn_1 routlee
O1 - Hosts: router_isdn_2 routle2
O1 - Hosts: router_fr_1
O1 - Hosts: router_manchester routman
O1 - Hosts: lwkntbdc00001
O1 - Hosts: lwzunixs00007 j50
O1 - Hosts: lwzntiis00001
O1 - Hosts: lwzunixs00001 m240
O1 - Hosts: lwzunixs00003 f50
O1 - Hosts: lwkntpdc00002
O1 - Hosts: rdzntbdc00002 rdzdomin00001
O1 - Hosts: rdzntpdc00001
O1 - Hosts: itw98-03 # w98 client met ftp-server
O1 - Hosts: rdsftpsr00001 #w95 client met ftp-server
O1 - Hosts: rdsftpsr00002
O1 - Hosts: lozntpdc00001 lozdomin00002
O1 - Hosts: lozunixs00003 motorola
O1 - Hosts: lozunixs00001 salbas1
O1 - Hosts: lozunixs00002 salbas2
O1 - Hosts: brsntbdc00002 brzdomin00001
O1 - Hosts: brsntbdc00003
O1 - Hosts: chkntpdc00001 chkdomin00001
O1 - Hosts: chkunixs00001 kemchi
O1 - Hosts: lw01hp5s hp1 #hplaserjet 5si/mx, midden
O1 - Hosts: lw02hp5s hp2 #hplaserjet 5si/mx, boven
O1 - Hosts: lw10oce0 oce0
O1 - Hosts: lw11oce1 oce1
O1 - Hosts: lw12oce2 oce2
O1 - Hosts: lw00hp4v hp4 #hplaserjet 4v, Ronald
O1 - Hosts: rd02hp5s #hplaserjet 5si/mx, boekhouding
O1 - Hosts: rd04prtk #printek formspro 4503, warehousing (onder)
O1 - Hosts: rd05prtk #printek formspro 4503, binnenland (beneden)
O1 - Hosts: rd08hp50 # HP5000 Scheepvaart
O1 - Hosts: rd09hp50 # HP5000 planning
O1 - Hosts: rd10hp40 # HP4050 boekhouding
O1 - Hosts: rd11hp40 # HP4050 administratie
O1 - Hosts: rd12itmc # Intermec, barcodeprinter
O1 - Hosts: rd13itmc # Intermec, barcodeprinter
O1 - Hosts: rd14oce1
O1 - Hosts: rd15oce2
O1 - Hosts: rd16oce3
O1 - Hosts: rd55hp50 # hp5si IT
O1 - Hosts: lo02hp04 #hplaserjet 4000, trailers (Basildon)
O1 - Hosts: lo03prtk #printek formspro 4503
O1 - Hosts: lo00hp5s #hplaserjet 5si/mx, accounts
O1 - Hosts: br00hp04 #hplaserjet 4000, logistiek
O1 - Hosts: br01hp04 #hplaserjet 4000, internationaal
O1 - Hosts: br02hp08 #hplaserjet 8000, boekhouding
O1 - Hosts: br03hp11 #hplaserjet 1100, Ann De Foer
O1 - Hosts: br04hp11 #hplaserjet 1100, Peter Somers
O1 - Hosts: br10hp20 #hplaserjet 2000 Sales
O1 - Hosts: br06prtk #printek formspro 4503
O1 - Hosts: br07prtk #printek formspro 4503
O1 - Hosts: br08itmc #Intermec, barcodeprinter
O1 - Hosts: br09hp08 #hp 8000 boekhouding 2
O1 - Hosts: br11itmc #Intermec, barcodeprinter
O1 - Hosts: br12le01 #lexmark printer
O1 - Hosts: ch01hp40 #hp4050TN
O1 - Hosts: jr00hp40 #hp4000 Ruud
O1 - Hosts: gerdak
O1 - Hosts: richard_thuis
O1 - Hosts: pc_manchester
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RAM Idle] C:\Programmi\RAM Idle\RAMIdle.exe
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [DkService] C:\Programmi\Executive Software\DiskeeperWorkstation\DkService.exe
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] c:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\PROGRA~1\GETRIGHT\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\PROGRA~1\GETRIGHT\GRbrowse.htm
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www2.incredimail.com/contents/setup...p1/imloader.cab

There are a lot of O1 - Hosts entries,
but 99% (if not 100%) have to do with the shipping program we use in the office!!
So harmless....

Another thing I found out is that when I (re)start the computer (OS: W98) and log in to connect to our NT server, I now get an error message in Kix32 or something like that.
If I click on OK, the computer goes on and seems to work "normally".
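The lines a triager reads first in a log like the one above are the R0/R1 entries: a Search Bar served as res:// out of se.dll under C:\windows\TEMP, the blanked Search Page and SearchAssistant values, the ProxyServer setting, and the O15 ProtocolDefaults lines saying a protocol sits in a more trusted zone than its default. The following Python script is an added example, not code from the post, from BleepingComputer or from HijackThis: it parses entries of those types, rates them, and cross-checks the ProxyServer host against the O1 hosts entries so that an internal proxy like the one in this log is downgraded to informational. The sample lines are copied from the log above, except the last Start Page line, which is constructed here as a benign control; the severity labels and the regexes are this example's own choices.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (labels chosen for this example)
    entry: str      # the log line that triggered the finding
    reason: str


# Lines copied from the HijackThis log in the post above. The final R1 line
# (a plain http:// start page) is constructed here as a benign control.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://CHKNTPDC00001:80
O1 - Hosts: chkntpdc00001 chkdomin00001
O1 - Hosts: lw01hp5s hp1 #hplaserjet 5si/mx, midden
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
"""

# "R1 - <body>", "O15 - <body>", ...; header lines such as "Logfile of ..." do not match.
_ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A path component named temp or tmp, with either slash style.
_TEMP_DIR = re.compile(r"[\\/](?:temp|tmp)[\\/]", re.IGNORECASE)


def parse_entries(log):
    """Yield (kind, body, line) for every HijackThis entry line in the log."""
    for raw in log.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def hosts_names(log):
    """Host names defined by O1 (hosts file) entries, lower-cased, '#' comments dropped."""
    names = set()
    for kind, body, _ in parse_entries(log):
        if kind == "O1" and body.startswith("Hosts:"):
            fields = body[len("Hosts:"):].split("#", 1)[0].split()
            names.update(f.lower() for f in fields)
    return names


def _proxy_host(value):
    """'http://HOST:80', 'HOST:80' or 'HOST' -> 'host'."""
    hostport = value.split("://", 1)[-1]
    return hostport.split("/", 1)[0].split(":", 1)[0].lower()


def triage(log):
    """Rate the R0/R1 and O15 entries of a HijackThis log."""
    local = hosts_names(log)
    findings = []
    for kind, body, line in parse_entries(log):
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            value = value.strip()
            if value.lower().startswith("res://"):
                # res://<dll>/<resource>: the page is served out of a local DLL.
                dll = value[len("res://"):].split("/", 1)[0]
                if _TEMP_DIR.search(dll):
                    findings.append(Finding("high", line,
                                            f"browser page served from a DLL in a temp directory: {dll}"))
                else:
                    findings.append(Finding("medium", line,
                                            f"browser page served from a local DLL resource: {dll}"))
            elif value.lower() == "about:blank" and key.endswith(("Search Page", "SearchAssistant")):
                findings.append(Finding("medium", line,
                                        "search setting blanked; check for an accompanying res:// DLL entry"))
            elif key.endswith("ProxyServer"):
                host = _proxy_host(value)
                if host in local:
                    findings.append(Finding("info", line,
                                            f"proxy host {host} matches a local hosts entry"))
                else:
                    findings.append(Finding("medium", line,
                                            f"proxy host {host} not in the hosts file; confirm it is the expected proxy"))
        elif kind == "O15" and "should be" in body:
            findings.append(Finding("medium", line,
                                    "protocol mapped into a more trusted zone than its default"))
    return findings


def worst(findings):
    """Highest severity present, or 'none' for an empty list."""
    order = {"high": 2, "medium": 1, "info": 0}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.entry}")
```

Run against the sample, the two res:// Search Bar lines come out high, the blanked search values and the O15 line medium, and the proxy line only informational because CHKNTPDC00001 is defined in the poster's own hosts entries; the constructed Start Page line produces nothing.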



#2 U2foreverU2

  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Local time:01:08 AM

Posted 23 February 2005 - 01:31 PM

Can somebody please help me, because in the office I am really going crazy.
Until now I have tried everything. Programs such as:
CCleaner, A2, Spybot, Ad-aware, buster etc.
It seems that they all cleaned something, but on restart and after logging in the same problems start over again!!

#3 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male
  • Local time:12:08 AM

Posted 03 March 2005 - 01:52 PM

Sorry you seem to have fallen through the cracks there U2foreverU2. We generally look for the oldest log with zero replies; you made one (a reply) to your own thread, so it looked as if you were getting help.

If you still need help please do this:

1. Download: StartDreck from: http://www.niksoft.at/download/startdreck.htm

Extract the file into c:\startdreck.
Navigate to c:\startdreck and double-click on Startdreck.exe
When the program opens click on the Config button.
Then click on the unmark all button.
Put checkmarks in the following checkboxes: under Registry, put a checkmark in the Run Keys checkbox.
Under System/Drivers, put a check in the Running Processes checkbox.
Press the OK button.
Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

Run HijackThis and post a new log here using the Add Reply button. Please include a copy of the contents of the StartDreck log as well.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan

#4 U2foreverU2

  • Topic Starter

  • Members
  • 25 posts
  • Gender:Male
  • Local time:01:08 AM

Posted 08 March 2005 - 01:41 AM

Thanks for responding.

But it took too long to get rid of this horrible thing.
I searched everywhere for help, but nowhere is there yet a "cure" for this variant.

So I decided to reformat my computer in the office and reinstalled all the programs.

Thx anyway !!
