Still trying Unsuccessfully- What Should Be Deleted?

Logfile of HijackThis v1.99.1
Scan saved at 2:37:10 PM, on 7/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\PAL SPYREM\spyrem.exe
C:\Documents and Settings\Debbie Diamond\Local Settings\Temp\Temporary Directory 7 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DEBBIE~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DEBBIE~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20F6DD0F-FDB2-4B82-8980-54DAA19F641B} - C:\WINDOWS\System32\jfge.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM..\Run: [sp] rundll32 C:\DOCUME~1\DEBBIE~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\Tcpip..{E24A4EB9-B1BF-4BDC-A998-B019E1886D46}: NameServer = 205.188.146.145
O18 - Filter: text/html - {E39C5294-3AFA-46F5-821F-2D6310E3C4D5} - C:\WINDOWS\System32\jfge.dll
O18 - Filter: text/plain - {E39C5294-3AFA-46F5-821F-2D6310E3C4D5} - C:\WINDOWS\System32\jfge.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
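One way to triage a log like this mechanically, as an added example that is not from the thread and not part of HijackThis itself: a small Python script that applies the same rules of thumb the posters apply by eye (anything pointing at a file in the user's Temp directory, a Run key that uses rundll32 to call a DLL export, a BHO with no name, and every O18 MIME filter and O20 Winlogon Notify DLL, because those are loaded into every IE page and every logon respectively), then groups the hits by module so that a DLL hooked in several places, like jfge.dll above, stands out. The sample lines are copied from the log above plus two benign entries from it; the rule set, the reason strings and the function names are my own assumptions, not a signature database or any tool's output.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in the first post,
# plus two benign entries (Adobe BHO, avast! tray) so the rules have something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DEBBIE~1\LOCALS~1\Temp\se.dll/spage.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20F6DD0F-FDB2-4B82-8980-54DAA19F641B} - C:\WINDOWS\System32\jfge.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [sp] rundll32 C:\DOCUME~1\DEBBIE~1\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {E39C5294-3AFA-46F5-821F-2D6310E3C4D5} - C:\WINDOWS\System32\jfge.dll
O18 - Filter: text/plain - {E39C5294-3AFA-46F5-821F-2D6310E3C4D5} - C:\WINDOWS\System32\jfge.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

# HJT lines look like "<section> - <body>", e.g. "O4 - HKLM..\Run: [sp] rundll32 ...".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Either spelling of the per-user Temp directory (8.3 short name or long name).
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
# "rundll32 <path>.dll,<export>": the Run key calls an export of a DLL directly.
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?[A-Za-z]:\\.+?\.dll"?,\w+', re.IGNORECASE)
# Any drive-letter path ending in a loadable module (spaces allowed, as in "C:\ADOBE 6\...").
MODULE_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # which rule of thumb fired
    line: str      # the original log line


def triage_line(line: str) -> list[Finding]:
    """Apply the rules of thumb to one HJT line; returns zero or more findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    hits: list[Finding] = []
    if TEMP_RE.search(body):
        hits.append(Finding(section, "points at a file in the user's Temp directory", line))
    if section == "O4" and RUNDLL_RE.search(body):
        hits.append(Finding(section, "Run key uses rundll32 to call a DLL export at logon", line))
    if section == "O2" and "(no name)" in body:
        hits.append(Finding(section, "BHO registered without a name", line))
    if section == "O18":
        hits.append(Finding(section, "MIME filter: this DLL sees every page of that type IE renders", line))
    if section == "O20":
        hits.append(Finding(section, "Winlogon Notify DLL: loaded by winlogon.exe at every logon", line))
    return hits


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over a whole log and flatten the findings."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def flagged_modules(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by module file name (lower-cased basename) -> sorted section codes.
    A module that appears under several sections is hooked in several places."""
    by_module: dict[str, set[str]] = {}
    for f in findings:
        for path in MODULE_RE.findall(f.line):
            name = path.rsplit("\\", 1)[-1].lower()
            by_module.setdefault(name, set()).add(f.section)
    return {name: sorted(secs) for name, secs in sorted(by_module.items())}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section}: {f.reason}\n    {f.line.strip()}")
    print()
    for name, secs in flagged_modules(results).items():
        print(f"{name}: flagged in {', '.join(secs)}")
```

Run as-is it prints seven findings over six lines and then three modules: se.dll (R1, O4), jfge.dll (O2, O18) and navlogon.dll (O20). The Adobe BHO and the avast! tray entry pass. The grouping step is the useful part: a search-page hijack (R1) and a logon-time rundll32 loader (O4) pointing at the same DLL in Temp is a much stronger signal than either line alone, which is exactly the se.dll pattern the replies below are discussing.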

Hi again Chloedog,

In your previous posting, you said that avast! had identified se.dll as Win32: StartPage-067(Trj), but had been unable to remove the Trojan, even in a boot time scan.

A program which has been successful with another StartPage Trojan today is:

TrojanHunter http://www.trojanhunter.com/ (Free working trial- update before running.)

See http://forum.avast.com/index.php?topic=14769.0

I suggest you download this and try it.

I notice you have Pal Spyware Remover installed: this is not a well known anti-spyware program, and possibly not very effective.

I suggest you download these two programs (both free), install, update and run them, preferably in safe mode. (Tap F8 while booting.)

Ad-Aware: http://www.lavasoft.de/
Spybot Search & Destroy: http://www.safer-networking.org/en/download/

You had a problem with the Panda website before. If TrojanHunter succeeds in removing the Trojan, you may be able to use the Panda scanner: run a scan if you can and delete anything detected as malware.

Hi Chloedog;

Here you can find your file analysis: http://www.hijackthis.de/logfiles/d7d6d2ca54cce097b6f7d406cde51691.html
It is going to be there for 3 days.
I would suggest to take out:

The items that I see and those that Bob suggests below:
O2 BHO (no name)
O8 AOL Toolbar search
O9 AOL Toolbar
O9 Show &Related Links
O18 Filter text/html
O18 Filter text/plain
O20 NavLogon

Do this after our friend FreewheelinFrank seconds my suggestions, so please, Frank, check my analysis?

If you have Alwil's avast!, it is not a good thing to have the NavLogon of another AV product on your computer. Have you got a firewall already? Otherwise your computer won't survive 20 minutes on the net.

greets,

polonus

Hi Chloedog;
Here are some items that need to be taken care of:
Old version of Internet Explorer detected. Update required.
IMMEDIATELY visit http://windowsupdate.microsoft.com
and install ALL security patches/updates.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.

Get rid of these:
C:\Program Files\AOL Companion\companion.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

There may be others but this is what was revealed using Eddy’s HJT File Analyzer.

hi

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe

Download 'SpSeHjfix' to the desktop and then
right click a blank part of the desktop & select New Folder, call it spfix
unzip the file into that folder

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to the next stage.

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

Warning Note: On a few occasions it has been reported that after using SpSeHjfix you cannot open Internet Explorer. To fix this, go into Control Panel > Internet Options > Programs & press Reset Web Settings, then you can set your home page to what you want on the General tab.

edited to add underline tags

No.1 priority is to remove the Trojan infection indicated by the se.dll entries, but it is far safer to let TrojanHunter remove this [Edit: than to use HijackThis! I wasn't referring to the program Illukka suggested; in fact, in light of subsequent posting, go with his suggestion!] (assuming it finds it.) The other entries may well be removed by Ad-Aware or Spybot Search and Destroy, saving a lot of mucking about with HijackThis and trying to delete files.

A firewall and updating are essential.

I think spyrem.exe belongs to Pal Spyware Remover. This seems to be a legitimate application, if unheard of. Chloedog, if you paid for it, keep it, but use Ad-Aware and Spybot Search & Destroy as well as they are well known and effective. Pal is unknown and possibly ineffective: it certainly seems to have missed spyware on your system. Sorry.

Hi Chloedog,

I agree with our friend FreewheelinFrank that cleaning your machine of the se.dll pest is priority number one. There is some special removal tool, he will suggest to you. Follow his advice.
Next to that, I emphasise that you should install a free firewall, Zonealarm. It is a good product, it is easy to install and you are safe on the net. Also, as I said before, use a safer browser like Firefox or Opera. You will not regret it.

greets,

polonus

No, TrojanHunter does not clean an se.dll infection.
I would leave Windows Update until the machine is clean; trying to update an infected machine will just produce errors.

Pal Spyware Remover is a rogue product.
Check out: http://www.spywarewarrior.com/rogue_anti-spyware.htm

Hi ilukka,

This is a good tool to clear out the se.dll:
http://www.majorgeeks.com/Sp.html-Se.dll_Hijack_Fix_2000XP_d4617.html
Maybe people that have problems with this can use it, Chloedog for instance.

greets,

polonus

Yep, it is; in fact I posted a link to it in my post above, a link to the author's site btw.

I stand corrected. For some reason, spyrem.exe does not come up as anything bad on a Google search. :-[

Hi FreewheelinFrank,

You are forgiven. SpywareGuide.com could not find anything on spyrem.com. Why do you think this se.dll returns all the time in Temp? I have adjusted my advice accordingly.

greets,

polonus

spyrem.exe is a running process, not a startup list item, therefore it's not included in startup databases.
If you Google for "pal spyware remover", the third link is a link to Suzi's spyware blog entry about PAL's addition to the rogue list.


It has a hidden reinstaller that reloads the infection after an incomplete fix. Wait until you see the 'SpSeHjfix' log; it will show it.

I entered Pal Spyware Remover in the SpywareGuide.com database too- no result. >:(

avast! identified se.dll as a Trojan, not SCBar/SearchExe adware. ???

se.dll is infected by Win32: StartPage-067(Trj)

TrojanHunter has detected a StartPage variant today.

Yep, TrojanHunter detects the Trojan; it also removes some components of it...
Note: some, not all. As the hidden reinstaller is still there, it will reload the infection.

Does Ad-Aware kill it dead? A web search shows SCBar/SearchExe has been added to the definitions.

Hi ilukka & FreewheelinFrank,

Was that hidden one not mozvtr.dat? Can you clarify that ilukka?
Where is that hook, and what is it called? Need an API spy to find it.

greets,

polonus

See if the following gives you any more help:
http://www.iamnotageek.com/a/395-p1.php

Hi Bob3160,

Thank you old fox, good link. You sure know your trade.

greets,

polonus

Elementary Dr Polonus,
Google simply Google. Sometimes it comes up with more than you bargained for… ;D