TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Wenis on March 10, 2005, 12:36:04 AM
-
there
I know that there've been a lot of se.dll/about:blank threads made here, but after reading them and trying as hard as I can with my own resources I'm feeling drained here. I had problems with the hidden dll about:blank trojan or whatever it is in the past, but fixed them and they never resurfaced. Now, however, I'm having the same problems again literally every single day. Every day I delete se.dll, the registry keys involved with it, delete the hidden dll in safe mode, run HJT, fix suspected problems, run adaware se, run spybot, run cwsshredder, and google for help. Still, every day, se.dll regenerates, the hidden dll regenerates, my homepage gets changed, and I get frequent popups.
It even happens on days when I haven't used the computer all day. I think I've typed enough here, sorry to have you read so much, but I'm feeling a little desperate.
Here's my log:
(I'd like to note that I don't have that many IE windows open, it just says in my task manager iexplore a whole bunch of times for some reason)
Logfile of HijackThis v1.99.1
Scan saved at 11:35:20 PM, on 3/9/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {D5285017-90A6-11D9-AB74-000CB62B573F} - C:\WINDOWS\SYSTEM\BEEN.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AlogServEXE] C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\McAfee\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\3rd Works\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs3.chat.yahoo.com/v/yacscom.cab
O16 - DPF: Yahoo! Chat (Voice) - http://cs3.chat.yahoo.com/cv/chat.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {0E8DCE00-90F2-11D9-AB74-000CDA16F9C4} - C:\WINDOWS\SYSTEM\BEEN.DLL
O18 - Filter: text/plain - {0E8DCE00-90F2-11D9-AB74-000CDA16F9C4} - C:\WINDOWS\SYSTEM\BEEN.DLL
Thanks in advance
-
sorry to double post, but I forgot to mention that on occasion, I'll open IE and it will be a different homepage, or while surfing instead of going to the page I wanted to go to it will go to something entirely different. Immediately following the last time this happened about ten minutes ago I got the messages from my spywareguard about my homepage being changed and all other sorts of things about about:blank.
-
Download and save to Desktop DLLCompare (http://downloads.subratam.org/DllCompare.exe)
Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.
Click the Make a Log of what was found button
Post back this log
Also, Download STARTDRECK (http://members.blackbox.net/hp_links/21/nikolaus.rameis/_data/startdreck.zip)
Unzip it to its own folder
Run StartDreck.exe:
Hit: -config
Hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers->Running processes
hit >ok.
Use the "save" tab, to save, name and post the log
Also post back a fresh Hijackthis log afterwards
-
Thanks for the fast reply, guestolo
Sorry to take so long but I found a program called about:buster and decided to wait a while after trying it before posting or deciding my problem was handled. All went well for a while, but once again, it's back.
Here's the DLLCompare log:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,049 items found: 1,049 files, 0 directories.
Total of file sizes: 201,204,365 bytes 191.88 M
--------------------End log---------------------
Interesting...
Here's the StartDreck log:
StartDreck (build 2.1.7 public stable) - 2005-03-11 @ 01:24:29 (GMT -06:00)
Platform: Windows 98 (Win 4.10.1998 )
Internet Explorer: 5.50.4134.0600
Logged in as joe at Z5M0J1
»Registry
»Run Keys
»Current User
»Run
*PopUpStopperFreeEdition="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
»RunOnce
»Default User
»Run
*Desktop Architect="C:\PROGRAM FILES\DESKTOP ARCHITECT\DATRAY.EXE" -S
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.ExE
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*AlogServEXE=C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
*AvconsoleEXE=C:\Program Files\McAfee\McAfee VirusScan\avconsol.exe /minimize
*WheelMouse=C:\Program Files\3rd Works\4DMAIN.EXE -startup
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
*EnsoniqMixer=starter.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*hppwrsav=C:\SCANJET\PrecisionScanLT\hppwrsav.exe
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
**pd=rundll32 C:\WINDOWS\JOE0G1.ACL,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*SpywareGuardDLBLOCK.CBrowserHelper/{4A368E80-174F-4872-96B5-0B27DDD11DB2}
`InprocServer32=C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
*{683F2E67-91CB-11D9-AB74-000C32D08926}
`InprocServer32=C:\WINDOWS\SYSTEM\CMPA.DLL
»Files
»System/Drivers
»Running Processes
+FF8F13E1=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF29D1=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF5441=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFF7E7D=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFF7BDD=C:\WINDOWS\RUNDLL32.EXE
+FFFEC2D9=C:\WINDOWS\EXPLORER.EXE
+FFFD8AD9=C:\WINDOWS\TASKMON.EXE
+FFFDB4A1=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD1331=C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
+FFFD6F55=C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
+FFFD68D9=C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
+FFFC0FA5=C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
+FFFC03F5=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
+FFFCD4E9=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFC6DD5=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
+FFFEB82D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFB7ABD=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFB776D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF98CC5=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFB713D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF89B75=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF8B01D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF91C25=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF9BA11=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF9E349=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFB059D=C:\PROGRAM FILES\VALVE\STEAM\STEAM.EXE
+FFF7006D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF58CA9=C:\WINDOWS\RUNDLL32.EXE
+FFF67B19=C:\WINDOWS\PROFILES\JOE\DESKTOP\DLLCOMPARE.EXE
+FFF7E1C9=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFB3B5D=C:\ABOUTBUSTER\ABOUTBUSTER\ABOUTBUSTER.EXE
+FFF67779=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF76621=C:\ABOUTBUSTER\STARTDRECK\STARTDRECK.EXE
»Application specific
I'd like to point out once more that I don't have that many IE windows open. Also I noticed the file JOE0G1.ACL. That seemed to kind of appear around the same time as these problems, and a google search reveals no matches. Think maybe it has something to do with this?
Here's the HJT:
Logfile of HijackThis v1.99.1
Scan saved at 1:31:48 AM, on 3/11/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\VALVE\STEAM\STEAM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.the[censored]society.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {683F2E67-91CB-11D9-AB74-000C32D08926} - C:\WINDOWS\SYSTEM\CMPA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AlogServEXE] C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\McAfee\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\3rd Works\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs3.chat.yahoo.com/v/yacscom.cab
O16 - DPF: Yahoo! Chat (Voice) - http://cs3.chat.yahoo.com/cv/chat.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O18 - Filter: text/html - {683F2E66-91CB-11D9-AB74-000C5D9C2CBD} - C:\WINDOWS\SYSTEM\CMPA.DLL
O18 - Filter: text/plain - {683F2E66-91CB-11D9-AB74-000C5D9C2CBD} - C:\WINDOWS\SYSTEM\CMPA.DLL
Thanks
-
Very sorry for the delay
May I get you to post a fresh Hijackthis log, and then we'll try some fixes on your computer, thanks
-
I think I've found the solution to this nagging problem. This was after much study and realizing that this thing was embedding itself deeper than the registry... no Spy Checker, or Hijacker... can solve this, only brute force... similar to the brute way this thing inserted itself to begin with..
The "se.dll" problem is embedded deeper in the startup of Windows. The culprit is a 'window hook' called "won.---" located in the Windows/ directory. Use Dr. Watson to verify this. This hook intercepts all window activity and periodically recreates the temp/se.dll pest that's been bothering everyone in the internet these days, if it is missing or has been deliberately corrupted, which in turn creates the random message generator located in the /system directory and loaded as a Browser Helper Object. This nasty hook also modifies the Registry with the home page and BHO overwrites. I received this pest ungloriously while I was surfing a 'porn site' and didn't have my security level set appropriately...
Booting Windows to "Safe" mode does not work, because this ugly critter loads with the Basic load, before loading the registry.
To remove, you have to DOS boot (or create a "Startup Disk" from the "add/Remove Programs" utility). Re-Boot without starting windows, delete or rename "Windows/won.---". Remove DOS boot diskette, Reboot to windows. You will receive a RunDLL error (saying it cannot find "won.---") on the first boot, but after it will go away after further reboots. Any further problems with SE.DLL should go away and your interaction with windows should be faster since your keystrokes are no longer intercepted by "won.---".
Hope that helps!
-- L
B)
-
That method somewhat works for some systems
If you rename the Windows key to NotWindows
delete the value in AppInit_DLLs
and then Rename back to Windows
you may leave your system unsecure
It's better to export the key first
Rename the Windows key
remove the value
Rename the NotWindows back to Windows
Delete the hidden file
Import the reg file
Delete the value again
This will keep your Windows key secure
Not sure if you noticed but Startdreck has shown the installer
RunServicesOnce
**pd=rundll32 C:\WINDOWS\JOE0G1.ACL,DllGetClassObject
The bolded entry to the hidden file will change on every log
Because this is Windows 98, no reason to use your method
We can boot to DOS and strip the attributes of that file and delete it
Do some other registry cleaning and some final cleaning with Hijackthis
-
Locking this topic as the original poster has posted a hijackthis log in different forums
on the web
All others please start your own topic
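
A triage sketch for the two HijackThis logs in this thread, added here as an example and not part of any post: it flags the entries that line up with the se.dll symptoms (an unnamed BHO whose DLL is also an O18 filter, a Run key that has rundll32 load a DLL from TEMP, an IE setting pointing at a res:// URL inside a TEMP DLL) and reports which flagged DLL changed name between the two scans. The heuristics, function names and reason strings are assumptions of this example; the sample lines are copied from the logs above.

```python
import re

# Constructed input: lines copied from the two HijackThis logs posted in this thread.
LOG_MARCH_9 = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {D5285017-90A6-11D9-AB74-000CB62B573F} - C:\WINDOWS\SYSTEM\BEEN.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O18 - Filter: text/html - {0E8DCE00-90F2-11D9-AB74-000CDA16F9C4} - C:\WINDOWS\SYSTEM\BEEN.DLL
"""
LOG_MARCH_11 = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {683F2E67-91CB-11D9-AB74-000C32D08926} - C:\WINDOWS\SYSTEM\CMPA.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {683F2E66-91CB-11D9-AB74-000C5D9C2CBD} - C:\WINDOWS\SYSTEM\CMPA.DLL
"""

CLSID = r"\{[0-9A-Fa-f-]{36}\}"
BHO = re.compile(rf"^O2 - BHO: (?P<name>.*?) - {CLSID} - (?P<path>.+)$")
FILTER = re.compile(rf"^O18 - Filter: \S+ - {CLSID} - (?P<path>.+)$")
RUN = re.compile(r"^O4 - \S+: \[[^\]]+\] (?P<cmd>.+)$")
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+),", re.I)
REDIRECT = re.compile(r"^R[01] - .+? = res://(?P<path>.+?\.dll)/", re.I)

# Reason strings are this example's own labels (assumptions, not HijackThis output).
REASON_BHO = "unnamed BHO also registered as a MIME filter"
REASON_RUN = "Run key has rundll32 load a DLL from TEMP"
REASON_IE = "IE setting points at a res:// page inside a TEMP DLL"


def in_temp(path):
    """True when the path has a TEMP directory component (case-insensitive)."""
    return "\\TEMP\\" in path.upper()


def triage(log):
    """Return a list of (reason, DLL path in upper case) for one HijackThis log."""
    lines = [ln.strip() for ln in log.splitlines() if ln.strip()]
    # DLLs registered as O18 protocol filters; a legitimate BHO rarely doubles as one.
    filters = {m["path"].upper() for m in map(FILTER.match, lines) if m}
    findings = []
    for line in lines:
        if (m := BHO.match(line)) and m["name"] == "(no name)" and m["path"].upper() in filters:
            findings.append((REASON_BHO, m["path"].upper()))
        elif (m := RUN.match(line)) and (d := RUNDLL.search(m["cmd"])) and in_temp(d["dll"]):
            findings.append((REASON_RUN, d["dll"].upper()))
        elif (m := REDIRECT.match(line)) and in_temp(m["path"]):
            findings.append((REASON_IE, m["path"].upper()))
    return findings


def rotated_dlls(old_log, new_log):
    """Findings present in both logs for the same reason but under a new file name."""
    old = dict(triage(old_log))
    return {reason: (old[reason], path) for reason, path in triage(new_log)
            if reason in old and old[reason] != path}


if __name__ == "__main__":
    for reason, (before, after) in rotated_dlls(LOG_MARCH_9, LOG_MARCH_11).items():
        print(f"{reason}: {before} -> {after}")
```

A finding that survives under a new file name from one scan to the next means something outside these log lines is recreating it, which matches the RunServicesOnce installer entry StartDreck showed.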