Stop se.dll, about blank, cool web


  • This topic is locked

#1
window-washer
  • Member
  • 11 posts
Greetings...

The reason that se.dll is so hard to get rid of is because it automatically runs on startup and can't be deleted because it is active...

The way to get rid of it is to start the PC in safe mode, so that startup files are bypassed.
Then go to >Explorer> Windows> Temp. You will see the SE.Dll inactive, then select it and delete it...
Once you have deleted it, run your PC cleaning programs and when finished, restart the PC.

Keep in mind that if you open another website that loads SE.dll it will happen again, so don't think that it's still in your PC; it was just reloaded from the internet!

Regards...


#2
Guest_thatman_*
  • Guest
Hi window-washer

Welcome to geekstogo ;)

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Kc :tazz:

#3
window-washer
  • Topic Starter
  • Member
  • 11 posts
Sorry, I guess that I wasn't clear in my post.

HijackThis can't fix a locked file. SE.DLL is loaded on startup, active and locked.
The only way that HijackThis can remove it is in safe mode. As I said, it is located in windows>temp...

No need for me to post the log, I have had HJT installed for some time. I'm an A+ tech, built this PC and installed everything in it... My post wasn't about my PC.

Regards

#4
Guest_thatman_*
  • Guest
Hi window-washer

Welcome to geekstogo ;)

We need people like you. Join the team at Geeks U and help in the fight with Malware.

Kc :tazz:

#5
Wizard
  • Retired Staff
  • 5,661 posts
Here is a link; I am working with it on a Windows 98 machine:
se.dll

Have to thank the Folks that make those removal tools!!!

#6
window-washer
  • Topic Starter
  • Member
  • 11 posts
Greetings, ThatMan... and thank you for your consideration of me.

Actually all is not as good as it seems.

I have spent many hours in the registry of a win 98 machine searching both automatically and manually struggling with "about:blank, SE.DLL, coolwww.search".
I have manually rewritten registry entries only to have them return to the "Malware"...

The originators of this PC nightmare, are downloading write protected, access denied entries into the windows system.

When the system is cleaned and then restarted in safe mode, and the malware is removed by hand, and the system again recleaned, all seems well, but the techs that are writing this monster, simply change the name of the file probably weekly and it returns with simply a few numbers in the title changed.

It appears that there is a core entry downloaded and embedded into the registry, with a name that has not been identified as of yet. Even if it is discovered and identified it will simply be renamed.

In this PC the programs installed are:
Evidence eliminator.
Spybot search and destroy.
ZoneAlarm.
CWShredder.
Spyguard.
HiJack This.
Spyware Blaster.
and MS RegClean...

IMHO, none of them can deal with this problem by themselves but only in combination.

Best Regards...

#7
Guest_thatman_*
  • Guest
Hi window-washer

If you still have the problem with SE.DLL, TRY THIS TOOL: Download the Backdoor.Agent.B Removal Tool from Symantec.
Follow Symantec's instructions for how to run it.

http://securityrespo...moval.tool.html

Kc :tazz:

#8
raybee
  • New Member
  • 4 posts
Hi there,

I've recently posted a suggestion in a very similar topic elsewhere on this forum. It seems to fool the about:blank hijacker and you don't get affected anymore. Let me know if it works for you.


What I have done is log in to Windows in Safe Mode (F8 while booting up) and then go to the C:\windows\temp directory. Making sure that I can see hidden files, I then deleted the SE.DLL file. I then created a new file (right-click - New - Text file) and called it "se.dll". You must be able to see all known extensions or you'll inadvertently create a "se.dll.txt" file which won't fix anything.

Now the trick is to change the attribute of this file to Read-Only and Hidden. You have now fooled it because it won't be able to delete YOUR new file and thus won't get run. Sort of playing the game by its rules.

While you're in safe mode you MUST remove the SP entry in MSCONFIG and fix all related entries in HijackThis (SP.dll, persistent 'random' dll file).

You should also be able to delete the 'random' dll file from the Windows\System directory as well - Just for good measure.

Good Luck
Raybee

#9
window-washer
  • Topic Starter
  • Member
  • 11 posts
Greetings, thatman and raybee and thank you both for your replies...

It took me a while to get back, because I have been crawling through a client's regedit in win98.

Jeeeezzzz...

thatman, I'm going now to download the Symantec program...

and raybee, I really like your "Ninja" approach to this, I will run checks over the next few days on these methods and get back with the results...

Best Regards!

#10
Guest_thatman_*
  • Guest
Hi window-washer

It will speed up the process if you posted a HJT.log.

Two heads are better than one.

Kc :tazz:

#11
NStudent
  • New Member
  • 3 posts
Please do not post in window-washer thread

If you wish to place Adverts on to our forum please contact admin.

If you are found placing any more comments or references to spyware programs you may find that you will be banned from this site.

Kc :tazz:

#12
window-washer
  • Topic Starter
  • Member
  • 11 posts
OK, "That"...

I will post the client's HJT log both before and after the cleaning, as soon as the "Malware" returns, which will be shortly.

I setup a fake se.dll in C:\windows\temp and locked it (read-only & hidden), it's greyed out with zero bytes, but no help there... the malware returns at random intervals.
I also entered this entry @ the command prompt...> REN se.dll se.dll(255), held down the Alt key and typed 255. To lock the file, but no help, perhaps I have written the entry incorrectly?

Backdoor.Agent.B... search returned none-present.

Regards, Windows...

#13
window-washer
  • Topic Starter
  • Member
  • 11 posts
OK, here are the logs... the first is dirty, the second cleaned...

Logfile of HijackThis v1.97.7
Scan saved at 9:07:31 AM, on 4/1/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Jacque's Internet Explorer V 6.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {1AA4E228-A27F-11D9-8075-4445E688000E} - C:\WINDOWS\SYSTEM\MFPKI.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab

--------------------------------------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 9:09:00 AM, on 4/1/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Jacque's Internet Explorer V 6.0
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab

#14
window-washer
  • Topic Starter
  • Member
  • 11 posts
C:\WINDOWS\SYSTEM\DLLHOST.EXE is missing in the clean log but actually it's in there... oops!
  • 0
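
An added example, not part of any post in this thread: a Python script that diffs the dirty and cleaned HijackThis logs from post #13 and labels the entries the cleanup removed. The log lines are abridged from that post; the function names and the labels are assumptions of this example, not HijackThis output.

```python
import re

# Abridged from the two HijackThis logs in post #13 (dirty first, then cleaned).
DIRTY = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {1AA4E228-A27F-11D9-8075-4445E688000E} - C:\WINDOWS\SYSTEM\MFPKI.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""
CLEAN = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# A log entry is "<section code> - <detail>", e.g. "R1 - ..." or "O16 - ..."
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# res:// URL whose resource DLL sits in a TEMP directory
RES_TEMP = re.compile(r"res://[^/]*\\temp\\[^/\\]+\.dll", re.I)

def parse(log):
    """Return the set of (section, detail) entries in a HijackThis log."""
    return {m.groups() for line in log.splitlines()
            if (m := ENTRY.match(line.strip()))}

def classify(section, detail):
    """Heuristic labels (assumptions of this example, not HijackThis output)."""
    if section in ("R0", "R1") and RES_TEMP.search(detail):
        return "IE setting loads a page from a DLL in TEMP"
    if section in ("R0", "R1") and detail.lower().endswith("= about:blank"):
        return "IE page forced to about:blank"
    if section == "O2":
        return "Browser Helper Object to verify"
    return None

def removed_by_cleanup(dirty, clean):
    """Entries present before cleaning and gone after, each with its label."""
    gone = parse(dirty) - parse(clean)
    return sorted((s, d, classify(s, d)) for s, d in gone)

if __name__ == "__main__":
    for section, detail, label in removed_by_cleanup(DIRTY, CLEAN):
        print(f"{section:3} {label or 'unlabelled'}: {detail}")
```

Running the same diff each time the hijack returns shows which registry values and DLL names changed between infections, which is the renaming behaviour described in post #6.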





