trojan se.dll



#1
dias_ra (New Member, 1 post)
I used HijackThis and this is what it said. I can access the web without about:blank after using CWShredder, and AVG says that I still have a trojan StartPage.16.BD... Please help me.


Logfile of HijackThis v1.99.1
Scan saved at 1:18:36 PM, on 23/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\VIA\RAID\RAID_TOOL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\JGLPDVQT\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - C:\WINDOWS\DOWNLO~1\MINICL~1.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Miniclip - {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} - C:\WINDOWS\DOWNLO~1\MINICL~1.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (Miniclip) - http://www.miniclip....cliptoolbar.cab


#2
Guest_thatman_* (Guest)
Hi dias_ra

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Be sure you're able to enable hidden files and folders.

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is grayed out, those features are only available in the retail version.)
o "Automatically save logfile"
o "Automatically quarantine objects prior to removal"
o Safe Mode (always request confirmation)
o "Prompt to update outdated confirmation" - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
6. Close all programs except ad-aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


Reboot into normal mode (simply restart your computer as you normally would).
Please run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

Kc :tazz:

#3
sergio333 (New Member, 1 post)
If what thatman explained didn't work, try this:

Download and run: ListDlls

This program will show you all DLLs that your system uses at logon.

Look for whether a .txt file is loading together with other DLL files in system programs such as Spool32.dll.

Note its location.

Reboot your system in MS-DOS mode.

Go to the location of the file and type: del <name of the file>.txt (in my computer it was called "hardwake.txt")

After that, follow thatman's explanation.

#4
IceCactus (New Member, 3 posts)
Hello!

Symptoms:
- AVG antivirus protests with StartPage.16.BD detected
- about:blank redirected
- se.dll file (stealth?) found intermittently

I have disinfected this virus with the freeware CWShredder:
1 - deactivate System Restore
2 - CWShredder and "Fix"
3 - activate System Restore

My system: Win XP Pro SP1
Perhaps this will do the job...

Good luck!

IceCactus

#5
Koretek (Member, 340 posts)
What "Thatman" gave you was the latest fix for removing ALL the nasties from your system. It is tried and true and there is no guesswork involved. Now, it may take a minute for him to get back to you due to schedules or something, BUT I would take the help that is offered and not play with your system. He gave you certain steps to follow, but if you have a better way, excuse me. If not, maybe you may like to follow the advice given.

#6
Spy_Slayer (New Member, 1 post)
I have a solution for the Trojan.StartPage. I was opening Internet Explorer and was getting a Search Bar that I couldn't remove. After trying many things I found that when opening IE I was getting the file se.dll, which I could not delete.

If you notice, when opening IE a rundll32 process is being activated. Note: rundll32 is not a virus. So, after killing the rundll32 process I could delete the se.dll file, but after that I got the file again and again each time I opened IE.
After that I realized that another file is being loaded at Windows startup, and that is the file responsible for telling Windows to download a new se.dll. So we have to remove two files from the registry and then delete them in order to get rid of Trojan.StartPage.

Try these checks before doing anything else.

Search for the file se.dll; if you find it then you have the Trojan.StartPage.
Then, search for a file called kepm.dll (or jgcg.dll, jpcg.dll, hijackthis.exe, sexnow.exe, glufxaoa.dll, bcm.dll).
Note: if you check these two files, they don't have any version information.
The kepm.dll (or anything from the list above) is the file which keeps downloading the se.dll each time you delete it.

So, did you find these two files? Then you must proceed to the Trojan.StartPage removal.
To do it you have to use the following two programs:
a) the Microsoft AntiSpyWare Utility
b) a Utility called Pocket Killbox.

Note: keep the Task Manager open and every time you open IE try to kill any process called rundll32.

Now, after downloading these two utilities, close all IE windows and kill any rundll32 processes.
Then open the Killbox utility and tell it to delete the se.dll with the options:
a) Standard file kill (enabled)
b) Unregister dll before deleting (enabled).

Do the same for the kepm.dll.

Now run the Microsoft AntiSpyware utility and do a scan.
Remove any IE options which have any reference to an se.dll or a kepm.dll file.

After that you can restart your PC and open IE without having the Search Bar the Trojan.StartPage has set on your PC.

I hope that these steps will help you to get rid of that Trojan.

#7
Liederkranz (New Member, 2 posts)
Hi, this is my first post on the forum. I got here looking for a solution to the se.dll problem and registered because, besides needing help with this, I found it a very interesting forum and I'd like to contribute with everything that could help. I read the excellent explanation from Thatman, but didn't attempt to solve the problem because it's not the same system and of course my logfile is different, and I don't wanna delete entries by mistake.

So I decided to post my HJT log for the expert eye to have a look at. :tazz:

Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 03:45:16 p.m., on 09/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\ARCHIVOS DE PROGRAMA\CA\ETRUST\INOCULATEIT\INOTASK.EXE
C:\ARCHIVOS DE PROGRAMA\CA\ETRUST\INOCULATEIT\INORT9X.EXE
C:\ARCHIVOS DE PROGRAMA\CA\ETRUST\INOCULATEIT\INORPC.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\ARCHIVOS DE PROGRAMA\CA\ETRUST\INOCULATEIT\REALMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\REGEDIT.EXE
C:\ARCHIVOS DE PROGRAMA\CRAZY BROWSER\CRAZY BROWSER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
E:\DISCO_DE_3\DWLD2\SPYWARE COMBAT STUFF\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\yzmzy.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uolsinectis.com.ar:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {2D359A42-903E-11D9-8640-00C0F4027A38} - C:\WINDOWS\SYSTEM\LOOPECB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Archivos de programa\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [BPK] C:\PROGRAM FILES\BPK\BPK.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [InoTask] C:\Archivos de programa\CA\eTrust\InoculateIT\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Archivos de programa\CA\eTrust\InoculateIT\InoRT9x.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Archivos de programa\CA\eTrust\InoculateIT\InoRpc.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Startup: iv10.lnk = E:\iv10.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt1_x.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://195.225.177.2...682bf/msits.exe
O18 - Filter: text/html - {CB4BFAC5-90A8-11D9-8640-00C09FE2B234} - C:\WINDOWS\SYSTEM\LOOPECB.DLL
O18 - Filter: text/plain - {CB4BFAC5-90A8-11D9-8640-00C09FE2B234} - C:\WINDOWS\SYSTEM\LOOPECB.DLL
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL

I'm using InoculateIT antivirus.
I also tried to remove the file (se.dll) and the reg keys manually, but they keep appearing whenever I start IE.
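As an added triage example (not code from this thread, from HijackThis, or from any of the helpers here), the script below parses HijackThis log lines like the ones posted above and flags the patterns the replies in this thread point at: R0/R1 settings set to about:blank or to a res://...dll resource, an O4 autorun that has rundll32 load a DLL out of TEMP, a nameless BHO, an O18 MIME filter, and an O16 entry using mhtml: redirection. It also lists any module referenced under more than one section, which is how se.dll and LOOPECB.DLL show up in the log above. The sample lines are copied from the logs in posts #1 and #7; the heuristics are my own assumptions, not HijackThis rules.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Entries copied from the HijackThis logs posted in this thread (posts #1 and #7),
# so the triage below runs offline on realistic input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {2D359A42-903E-11D9-8640-00C0F4027A38} - C:\WINDOWS\SYSTEM\LOOPECB.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://195.225.177.2...682bf/msits.exe
O18 - Filter: text/html - {CB4BFAC5-90A8-11D9-8640-00C09FE2B234} - C:\WINDOWS\SYSTEM\LOOPECB.DLL
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...).
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+)\s+-\s+(?P<body>.+)$")
# Drive-letter path ending in a loadable module; "!" stops it at an mhtml: boundary.
MODULE_RE = re.compile(r"[A-Za-z]:\\[^!]*?\.(?:dll|ocx|exe)\b", re.IGNORECASE)

def classify(entry_type: str, body: str) -> Optional[str]:
    """Heuristics (my assumptions, not HijackThis rules) for a single entry."""
    b = body.lower()
    if entry_type in ("R0", "R1"):
        value = body.partition(" = ")[2].strip().lower()
        if value == "about:blank":
            return "IE start/search setting blanked (about:blank hijack)"
        if value.startswith("res://") and ".dll" in value:
            return "IE search setting served from a DLL resource (res://...dll)"
    elif entry_type == "O2" and "(no name)" in b:
        return "Browser Helper Object registered without a name"
    elif entry_type == "O4" and "rundll32" in b and "\\temp\\" in b:
        return "autorun has rundll32 load a DLL from a TEMP directory"
    elif entry_type == "O16" and ("mhtml:" in b or b.endswith(".exe")):
        return "Download Program File uses mhtml: redirection or fetches an EXE"
    elif entry_type == "O18" and ("text/html" in b or "text/plain" in b):
        return "MIME filter hooked onto text/html or text/plain"
    return None

def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every flagged entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and blank lines are not entries
        reason = classify(m["type"], m["body"])
        if reason:
            findings.append((m["type"], reason, line.strip()))
    return findings

def shared_modules(log_text: str) -> Dict[str, Set[str]]:
    """Modules referenced under more than one section, e.g. a DLL that is both a
    BHO (O2) and a MIME filter (O18): one component of one hijack."""
    seen: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            for path in MODULE_RE.findall(m["body"]):
                seen.setdefault(path.lower(), set()).add(m["type"])
    return {p: s for p, s in seen.items() if len(s) > 1}

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
    for path, sections in shared_modules(SAMPLE_LOG).items():
        print(f"{path} appears under {sorted(sections)}")
```

Run it against a full log pasted into SAMPLE_LOG; the process list and header lines are skipped, and only the entry lines are scored.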

#8
don77 (Malware Expert, Retired Staff, 18,526 posts)
Hi Liederkranz and welcome.
The steps listed to cure this infection as recommended by thatman will work for Win98.

Have those tools ready to go on your desktop and post back a fresh HJT log in a new topic started by you, please.

Posting into someone else's topic will get your request for help overlooked.

Be sure you know who you're getting help from; although many well-intentioned folks visit this site, have a quick look at some of the topics they have replied to and just make sure they have shown that they are capable of helping you start to finish.

Good luck. Sorry to babble on a bit,

Don

#9
Liederkranz (New Member, 2 posts)
Thanks for the welcome, don77. :tazz:

Yes, I know I screwed up by adding my log to someone else's thread, but by the time I was reading that rule I had already posted (yes, always being in a hurry is a bad habit of mine :$), and if that weren't enough, when I tried to edit my post I couldn't find the way to do it. So I'd like to apologize for that, most of all to the original author of this thread.

Now, about the infection, I tried out the steps explained by Thatman and apparently got rid of the problem. Later in the day I'll post my new HJT log in a new topic. ;)

Thanks again! I'll stick around, I really like the forum.

#10
don77 (Malware Expert, Retired Staff, 18,526 posts)

Quoting Liederkranz: "Thanks again! I'll stick around, I really like the forum."

Nice to hear,

I'm sure there will be a bit of cleaning up left to do once we see the fresh HJT log.
Just be sure to provide the actions you have already taken so you won't have to start from step 1 all over again :tazz:

#11
loucar (New Member, 1 post)
I think I've found the solution to this nagging problem. This was after much study and realizing that this thing was embedding itself deeper than the registry... no Spy Checker or Hijacker tool can solve this, only brute force... similar to the brute way this thing inserted itself to begin with.

The "se.dll" problem is embedded deeper in the startup of Windows. The culprit is a 'window hook' called "won.---" located in the Windows/ directory. Use Dr. Watson to verify this. This hook intercepts all window activity and periodically recreates the temp/se.dll pest that's been bothering everyone on the internet these days, if it is missing or has been deliberately corrupted, which in turn creates the random message generator located in the /system directory and loaded as a Browser Helper Object. This nasty hook also modifies the Registry with the home page and BHO overwrites. I received this pest ungloriously while I was surfing a 'p*** site' and didn't have my security level set appropriately...

Booting Windows to "Safe" mode does not work, because this ugly critter loads with the basic load, before loading the registry.

To remove it, you have to boot to DOS (or create a "Startup Disk" from the "Add/Remove Programs" utility). Reboot without starting Windows, delete or rename "Windows/won.---". Remove the DOS boot diskette and reboot to Windows. You will receive a RunDLL error (saying it cannot find "won.---") on the first boot, but it will go away after further reboots. Any further problems with SE.DLL should go away and your interaction with Windows should be faster since your keystrokes are no longer intercepted by "won.---".

Hope that helps!

-- L

:tazz: