Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

About:blank and se.dll


  • Please log in to reply
23 replies to this topic

#1 toddgneumann

toddgneumann

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 28 March 2005 - 06:45 PM

Hi, I have been reading and trying different things that I have found on the internet to fix this problem, but I am failing to do something. It keeps coming back.

It started with about:blank taking over my home page. I have been able to stall this for a short period by using CWShredder, and SpyBot. After a short time, I do not know what triggers it, I will get a "rundll error message". Something about not being able to find "se.dll" in the windows temp file. Once this happens, the homepage is changed to about blank and se.dll is written to the temp file again.

I will again run CWShredder and it will find two hidden dll files and fix them. Spy bot will find a file in the reg edit and fix it. I then reset the web settings and I am good for a short time. This is where it starts all over.

I have tried some info using hijack this and killbox but the directions were confusing and I was not able to complete them. Killbox also locks up my computer.

Judging from what I have read on this site so far you may be able to help.

Thank you for your time, it is greatly appriciated!

BC AdBot (Login to Remove)

 


#2 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 29 March 2005 - 02:57 AM

Hi,

Please download http://www.downloads.subratam.org/hijackthis.zip

Unzip the program scan your computer and post a log in your thread.

#3 toddgneumann

toddgneumann
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 31 March 2005 - 07:41 AM

Here is the log file you requested.


Logfile of HijackThis v1.99.1
Scan saved at 6:54:07 AM, on 3/31/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\PROGRAM FILES\ADWAREFILTERTOOLBAR\ADWAREFILTER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareSafe\adwarefilter.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab



Thank you!

#4 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 31 March 2005 - 04:42 PM

Are you paying for spyware assassian? If not, I would remove it.

http://www.spywarewarrior.com/rogue_anti-spyware.htm


Close all your Internet Browsers, run Hijackthis and place a check next to the following.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

and click fix.

Now reboot and post a fresh Hijackthis log in your thread.

#5 toddgneumann

toddgneumann
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 31 March 2005 - 06:19 PM

Here you are. I followed the directions you provided and her is my most resent hijakethis log.

Logfile of HijackThis v1.99.1
Scan saved at 5:22:43 PM, on 3/31/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ADWARESAFE\ADWAREFILTER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O3 - Toolbar: AdwareFilter - {1028F737-81E7-452B-A860-E50CAD90A08C} - C:\PROGRAM FILES\ADWAREFILTERTOOLBAR\ADWAREFILTER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareSafe\adwarefilter.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab



Now, I am not sure which program you are refering to when you talk about a spyware assassian. I have paid for a program from PCSafe.com called AdwareSafe. This company has done nothing to really assist with this issue. A waste of $30.00. I also have spybot, cwshredder, and some AVG program.

Again, looking forward to hearing from you and thank you for your simple and easy to follow instructions.

Have a nice day!

#6 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 01 April 2005 - 03:41 AM

AdwareSafe is just one of the names it uses, but it's all the same. Ugh, that stinks they got you. :thumbsup:

Your log looks good. I think you nuked most the problem yourself, well done!

Below are some tips to keep you clean. To prevent the hijackers from taking over your system, increase the level of security on your system. Don't allow the hijackers to take you over!! Review these articles to increase the level of security.

http://www.computercops.biz/postt7736.html
http://www.markusjansson.net/eienbid.html


I am going to lock this thread. If you need this thread re-opened please PM a moderator and request your thread be re-opened.

Edited by QuietFusion, 01 April 2005 - 03:43 AM.


#7 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 06 April 2005 - 03:08 PM

Re-opened thread:



Can you please post a fresh Hijackthis log.

#8 toddgneumann

toddgneumann
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 06 April 2005 - 09:46 PM

Dear Quiet Fusion,
Thank you for your continued support. Here is my most resent HJT log.


Logfile of HijackThis v1.99.1
Scan saved at 9:42:25 PM, on 4/6/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEAUI.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQEASYACC] "C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\Cpqeaui.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab

#9 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 07 April 2005 - 02:50 AM

Not a problem, my pleasure. The Hijackthis log looks good. We'll download a few programs and see if we dig a bit deeper to find what's causing the problem.

Download http://lineofire.geekstogo.com/FindIt%209x-ME.zip
Unzip it and double click on FindIt9xME.bat
Let it run (this will take a while)
Post the log it produces afterwards.

#10 toddgneumann

toddgneumann
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 07 April 2005 - 04:34 PM

Here is the Findit log file you requested.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3541-A475
Directory of C:\WINDOWS\SYSTEM

4,782.81 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 3541-A475
Directory of C:\WINDOWS\SYSTEM

ATI98DEF GID 10,845 10-31-98 8:28p ati98def.GID
ATISETUP LOG 0 10-31-98 3:16p ATISETUP.LOG
2 file(s) 10,845 bytes
0 dir(s) 4,782.80 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"Compaq"="Brand Compaq Computer Corporation"

------------------ Locate.com Results ------------------

No matches found.

------------ Strings.exe Qoologic Results ------------


-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------




#11 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 08 April 2005 - 01:57 AM

That looks good.

Lets try an online scan. http://housecall.trendmicro.com/housecall/start_corp.asp

Let me know the results.

#12 toddgneumann

toddgneumann
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 08 April 2005 - 06:08 AM

:thumbsup: , Internet Explorer keeps giving me an error message and shutting down. Any other ideas?

#13 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 08 April 2005 - 02:15 PM

Can you post what the error message says please.

#14 toddgneumann

toddgneumann
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 08 April 2005 - 06:42 PM

Microsoft Internet Explorer

Microsoft Internet Explorer has encounterd a problem
and nees to close. We are sorry for the inconvenience.

If you were in the middle of something, the infomation you where working on
might be lost.

()Restart Microsoft Internet Explorer. (Close)

This is the message that comes up in an internet explorer message box.

#15 QuietFusion

QuietFusion

    Got Malware?


  • Members
  • 264 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 11 April 2005 - 01:49 AM

Let me know if you receive the same message on panda's scan.

http://www.pandasoftware.com/activescan/co...n_principal.htm




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users