
HJT log--bowlingman


6 replies to this topic

#1 bowlingman


Posted 22 February 2005 - 09:00 PM

Greetings. I too would like to post a logfile on the dreaded se.dll in hopes of some assistance removing the offending files:

Logfile of HijackThis v1.99.1
Scan saved at 5:32:40 PM, on 2/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\TOPSPEED\2.0\AOLTPSPD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TPPSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\IPCONFIG.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\SMBDINS.EXE
C:\WINDOWS\SYSTEM\SETHCD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ms-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ms-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://ms-find.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {E92C2F49-D35C-FF4A-6395-A3514B82347F} - (no file)
O2 - BHO: Class - {55F62920-3206-A6D8-CAE8-D9AC675DEF16} - (no file)
O2 - BHO: Name - {45E14540-7341-11D9-8CD3-002078072432} - C:\WINDOWS\SYSTEM\MSOEO.DLL
O2 - BHO: (no name) - {50D6C441-838B-11D1-8CD4-00201B7ACBA9} - C:\WINDOWS\SYSTEM\CNEB.DLL
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - (no file)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IESP2.DLL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [AOL TopSpeedMonitor] C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://67.19.185.246/i/1/loader2.ocx
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: t5TR - {FCC4F1E0-739F-11D9-8CD3-0020FFD4FD47} - (no file)
O18 - Filter: t5VFR - {34409BA5-769E-11D9-8CD3-0020B1FD252F} - (no file)
O18 - Filter: t5FR - {A4787244-75F3-11D9-8CD3-00201100DA6B} - (no file)
O18 - Filter: t5FR - {DF7DB968-786C-11D9-8CD3-00208D6CC1F7} - (no file)
O18 - Filter: t5FR - {EAD1DEE4-79E3-11D9-8CD3-0020573E4D10} - (no file)
O18 - Filter: t5)ER - {EAD1DF10-79E3-11D9-8CD3-0020FC344896} - (no file)
O18 - Filter: t5@R - {8E1AD6B2-8384-11D1-8CD4-0020DD5D240B} - (no file)
O18 - Filter: t5ER - {8BC9AE63-8250-11D1-8CD4-0020BF954D52} - (no file)
O18 - Filter: t5>ER - {275CBCA6-8386-11D1-8CD4-0020CF01C72F} - (no file)
O18 - Filter: text/html - {A027EFC3-848C-11D9-8CD4-00203012C3CA} - C:\WINDOWS\SYSTEM\CNEB.DLL
O18 - Filter: text/plain - {A027EFC3-848C-11D9-8CD4-00203012C3CA} - C:\WINDOWS\SYSTEM\CNEB.DLL

many thanks!



#2 Grinler

Grinler

    Lawrence Abrams



Posted 24 February 2005 - 12:14 AM

Please follow these steps:

Step 1:

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the which may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.

5. Continue to Step 2.

Step 2:

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the unmark all button.

6. Then put checkmarks in the following checkboxes:

Under Registry put a checkmark in the Run Keys checkbox.

Under System/Drivers put a check in the Running Process checkbox.

7. Press the OK button.

8. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

9. Post a copy of the log as a reply to this post.

#3 bowlingman


Posted 24 February 2005 - 01:59 PM

Good day Grinler! Thanks for the reply.

The file I id'd in Step 1 is Defauwt.sf0

I could not implement Step 2 because my pc won't let me download startdreck. I receive the following message:

ACRORD32 caused an invalid page fault in
module ACRORD32.EXE at 017f:00425f26.
Registers:
EAX=00425cec CS=017f EIP=00425f26 EFLGS=00010202
EBX=00843908 SS=0187 ESP=00d9fd08 EBP=00d9fd88
ECX=00000000 DS=0187 ESI=008ed22c FS=0e8f
EDX=00425ef8 ES=0187 EDI=00d9fd30 GS=0000
Bytes at CS:EIP:
89 03 8b 44 24 18 8d 1d f8 38 84 00 89 03 8b 44
Stack dump:
00959480 00959480 ffffffff 0000001c 41635072 00425cec 00425d5e 00425dcd 00425e9f 00425e34 0041d9e3 00959480 00959480 ffffffff 00c7027c 0095c010

Anything I can do to manually download startdreck?

#4 Grinler


Posted 24 February 2005 - 07:43 PM

Try downloading and installing Firefox and download it with that.

#5 bowlingman


Posted 28 February 2005 - 12:18 PM

I have been using Firefox as my browser for a few months now. Definitely better than IE, but I am still experiencing the download issue.

#6 Grinler


Posted 28 February 2005 - 12:38 PM

That's strange. Right click on the file and choose save as or save to file. Then save it to your desktop and try unzipping and running it.

#7 secondtry


Posted 08 March 2005 - 10:44 PM

Edit, started new thread for new problem

Edited by secondtry, 08 March 2005 - 10:57 PM.




