primemover Posted February 16, 2005

I just took this bad boy out on my XP box... the current version here appears to have morphed just a bit... none of the removal tactics I found on the net worked. It either set up folders for Search Assistant, or incorporated itself into Search Assistant folders in the registry... May seem extreme, but I deleted everything in the registry that contained a reference to Search Assistant.

...next step. I used HijackThis to create a log... and it gave me the following.

    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\PRIMEM~1\LOCALS~1\Temp\se.dll,DllInstall

It was running the se.dll in the program startup, so, by the time the browser got up and running, it was already locked in. So, I went to the Documents and Settings\username\local settings\temp (if you can't see this folder, you need to right click on "tools" and then "folder options", then select the "view" tab and put a check in the "Show Hidden Files and Folder" check box.) I found se.dll there... but you won't be able to delete it... Go to the Task Manager (ctrl-alt-del) and select the Processes tab... shut down rundll32. Go back to the temp directory and delete the se.dll file. Then use something like HijackThis to remove the se.dll install reference from the startup. Reboot.

Guest David Nelson Posted February 16, 2005

Thank you so much. I have had a tremendously difficult time removing this trojan. Adaware does not seem to work at all.

Guest Well Posted February 22, 2005

Well this is bull crap. I can't find any of those files yet I get virus warnings about it constantly (se.dll) and I constantly can't run programs due to it. This is just.. awful..

Guest Random dude Posted February 23, 2005

SE.DLL is only half the problem - you have to turf the program calling it, which seems to morph names, so it's hellish to figure out. I've been looking at it for hours and still can't seem to pin it down. Try Kaspersky Personal Trial Edition. Seems to be the only anti-virus that removes it. I read a different forum that said it works. I'm about to go try it now. If it does, I'm switching once my current subscription expires!

Guest Anti-Hijacker Posted February 24, 2005

I used this method, and apparently found the hidden file:

When Windows is running normally, run the HijackThis application and select "Run scan only". Browse through the scan results, and you should see a line like this:

    O4 - BHO (no name) ................................ xxxxxx.dll

Further down there will be some O17 lines containing the same dll name.

I then closed HijackThis and PULLED THE PLUG on my computer. I didn't shut it down, I pulled the plug! Very important you do it this way.

I then rebooted into safe mode, and ran HijackThis again + scanned. It still referred to the same dll, so I located this file and deleted it. I also deleted the se.dll file from the windows/temp directory, and then fixed all the R1/R0 lines + the O4 and both O17 lines via HijackThis.

I rebooted the computer, and ran HijackThis. It didn't find anything, so the problem seems to be gone. However the "Search Assistant Removal" still appears in the "Add/remove programs", but nothing happens when I click remove on it, so I guess it is just a dead link or something.

Anyway: Good luck with it!

Guest Debo Posted February 27, 2005

The procedure that the previous poster suggests worked longer than most things I've done, but lo and behold a couple of days later the popups returned, and se.dll had found its way into my local settings/temp folder again.

Last night I went through my windows and windows/system32 folders with a fine-toothed comb -- I sorted by date and looked at all the most recently modified files there (within the last month or so) and googled them all -- most were spyware of some sort or another. Then I sorted by type and googled any unrecognizable .exe files... again, mostly spyware. I then reiterated through the previously suggested routine of finding the 'parent' program that seems to continually change names and wiped it out after cutting the power etc.

Hopefully the lil pest will stay away this time, but I have my doubts.

Guest MicroBell Posted February 28, 2005

I'm still trying to pin this down on an XP system with this infection. You have to understand on the latest version of this hijacker you can't get rid of it until you ID, locate, and remove the "Spawner" file. If not...You'll remove it..and it all reappears in a few reboots or after a few days.

The "Spawner" file is located in C:\Windows on Windows 98/ME. I'm still trying to locate it in XP. If you use StartDreck (utility) using these settings...

    Press 'Config'
    Press 'Mark All'
    UN-Check the 'NT-Services & NT-Kernel...' boxes only:
    Press 'Ok'

You'll get a log. In the top portion the "Spawner" is ID'd in this section..RunServicesOnce

    »RunServicesOnce **wwd=rundll32 C:\WINDOWS\TIKS.TXT,DllGetClassObject
    RunServicesOnce **rtdt=rundll32 C:\WINDOWS\HLPXD.GIF,DllGetClassObject
    »RunServicesOnce **h=rundll32 C:\WINDOWS\BACKGRRD.GIF,DllGetClassObject
    »RunServicesOnce **adtw=rundll32 C:\WINDOWS\CLOAD.GIF,DllGetClassObject
    »RunServicesOnce **dz=rundll32 C:\WINDOWS\HPDJ61R2.INI,DllGetClassObject

Those files above are the "Spawners". They can be named anything. You need to REMOVE this first...as if you don't...it all gets reinstalled. As I said this is what I have found on Windows98/ME systems. You may need to remove the file's hidden attribs and delete it from DOS mode. Once that's gone....you can then run HijackThis..fix the entries..attack the se.dll (and the other DLL's it created) and empty the temp folders.

I'm still in the process with a few users on ID'ing this on an XP PC..since the StartDreck log..doesn't show that entry for some reason. This is one of the threads I'm on now..

http://www.techsupportforum.com/showthread...?t=39220&page=5

With over 6000 views...you can see everyone's looking for an answer. I have not yet..come across a fix for this on an XP system but am working on it.

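Added example, not part of any post in this thread: the autorun lines quoted above share one pattern, rundll32 pointed at a file in a temp folder or at a file whose extension is not a library type (.TXT, .GIF, .INI). The Python sketch below flags both conditions in pasted HijackThis or StartDreck output; the sample log is built from lines in the thread plus one constructed entry, and the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

LIB_EXTS = {".dll", ".cpl", ".ocx"}   # extensions rundll32 normally loads
TEMP_DIRS = {"temp", "tmp"}           # folder names treated as temp locations
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\r\n]+?)"?\s*,\s*(\w+)', re.I)

# Sample input: three autorun lines taken from the posts above, plus one
# constructed entry that loads a .dll from system32 (expected to pass).
SAMPLE = r"""
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\PRIMEM~1\LOCALS~1\Temp\se.dll,DllInstall
RunServicesOnce **rtdt=rundll32 C:\WINDOWS\HLPXD.GIF,DllGetClassObject
RunServicesOnce **dz=rundll32 C:\WINDOWS\HPDJ61R2.INI,DllGetClassObject
O4 - HKLM\..\Run: [NvCpl] rundll32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

def check_entry(path):
    """Return the reasons a rundll32 target path looks wrong (empty if none)."""
    p = PureWindowsPath(path)
    reasons = []
    if p.suffix.lower() not in LIB_EXTS:
        reasons.append("extension is not a library type")
    if any(part.lower() in TEMP_DIRS for part in p.parts[:-1]):
        reasons.append("loaded from a temp directory")
    return reasons

def suspicious_rundll32(log_text):
    """Scan pasted autorun log text; return (path, export, reasons) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = RUNDLL.search(line)
        if not m:
            continue
        path, export = m.group(1).strip(), m.group(2)
        reasons = check_entry(path)
        if reasons:
            findings.append((path, export, reasons))
    return findings

if __name__ == "__main__":
    for path, export, reasons in suspicious_rundll32(SAMPLE):
        print(f"{path} ({export}): {'; '.join(reasons)}")
```
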
Guest Paul Posted March 1, 2005

Hi, I read a few postings on here yesterday about removing se.dll and its associated spawners. I appear to have removed this from my machine (win2k), using Kaspersky AV Pro (Free Trial) and HijackThis. When I say appear that is to say that a day has passed since I no longer saw it in my registry or in my temp file area, or thru HijackThis. The steps involved were:

1 Run HijackThis and blow away all references to minn.dll, se.dll & about:blank
2 Run Kaspersky and delete all trojans (min.dll & se.dll are the particular ones we are after, but there could be others). Kaspersky cannot completely delete the se.dll, as it is jammed in memory, and regsvr32 /u does not cut the mustard either. However Kaspersky does seem to remove all traces of the spawner from my system.
3 Remove the power cord from the back of the computer, forcing it to shutdown without flushing the memory buffers to disk.
4 Restart, rerun HijackThis & Kaspersky.
5 You should now be sorted.

Don't thank me, just throw money: PayPal pauldavis2000@hotmail.com

Guest Paul Posted March 1, 2005

> (min.dll & se.dll are the particular ones we are after, but there could be others).

Correction of typo: Sorry - That should be minn.dll and not min.dll

Guest MicroBell Posted March 2, 2005

Paul: Post back in a few days and let us know. This hijack can reappear within a few reboots or days. There is a hidden file in the system and a hidden service in the registry on XP/2000 OS's. I'm not sure Kaspersky AV can see these..and if it can't and hasn't removed the hidden file..this hijack will reinstall itself in a matter of days. To confirm on your system...download this script..

Copy the contents of the quote box to Notepad.
Name the file Appinit.bat
Save as type All Files
Save on the Desktop

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt

Double click on Appinit.bat
This will create a file on the desktop named windows.txt

The log will look like so... (The log will contain a bunch of unreadable code but will ID the hidden DLL or file like so)

    Ðÿÿÿvk € ' zGDIProcessHandleQuota" þðÿÿÿ9 0 ë=tÀàÿÿÿvk X °ºSpooler2ðÿÿÿy e s Ñ_åàÿÿÿvk € 5swapdisk ° ø 8 h Ðÿÿÿvk ( . TransmissionRetryTimeoutÐÿÿÿvk € ' b USERProcessHandleQuota3 àÿÿÿ° ø 8 h Ð Øÿÿÿvk < H fùAppInit_DLLsÖæGÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ c o m f l . d l l x

If you see a file at the end..the PC is still infected.

mrybaben Posted March 17, 2005

Hi, this is my first post...... I think I finally cleaned my machine of this trojan (se.dll). It was absolutely brutal and it took FOREVER!! I think I finally found the spawner file. The file I found and deleted was WUCLIENT.EXE. Then I rebooted and ran all my anti-spyware stuff and Norton. It seemed to be gone at that time and also, I left the file in my recycle bin just in case it was a legit EXE and Norton found something in there. The message Norton gave was "C:\RECYCLED\DC8.exe is infected with the Trojan dropper virus. Unable to repair this file."

Anyway, I found the WUCLIENT.EXE in my startup section of my registry so, I researched it and it seemed malicious. That was several days ago and so far, my machine has been totally clean! So, hope that helps......

M

Guest Guest Posted March 17, 2005

> Copy the contents of the quote box to Notepad.
> Name the file Appinit.bat
> Save as type All Files
> Save on the Desktop
> Double click on Appinit.bat
> This will create a file on the desktop named windows.txt

Hi Microbell,

I tried to create the DOS batch file and it did not work. When I double click I do see a black box for a brief second and then it disappears. No windows.txt file can be seen on the desktop.

I am using Windows 2000.

Thanks in advance for your help

Guest TheLoneSeraph Posted March 18, 2005

When you create the batch file hit enter and start the ren windows1.hiv windows1.txt on a new line, otherwise the command will have too many parameters on one line, like this:

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" c:\windows1.hiv
    rem ren takes a bare file name as the new name (no drive or path)
    ren c:\windows1.hiv windows.txt

This will work and save it to your c:\ drive, this method helped me track down my spawner file.

Guest TheLoneSeraph Posted March 18, 2005

Note the first c:\windows1.hiv on the post above is part of the first reg save line, it just got wrapped.

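Added example, not part of any post in this thread: MicroBell's procedure (with TheLoneSeraph's line-break correction) saves the Windows key as a raw hive and has you read it in Notepad. The Python sketch below runs the same search over the saved bytes and shows why the path appears with a space between every letter. The byte strings are constructed, the function name is hypothetical, and the scan is a proximity heuristic rather than a hive parser, so a hit is a lead to confirm in the registry itself.

```python
import re

NAME = b"AppInit_DLLs"
# REG_SZ data is UTF-16LE: each ASCII character is followed by a 0x00 byte,
# which Notepad renders as "C : \ W I N D O W S ..." in the dump quoted above.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

def appinit_candidates(hive_bytes, window=256):
    """Heuristic scan (not a hive parser): return printable UTF-16LE strings
    found within `window` bytes after each 'AppInit_DLLs' value name."""
    hits = []
    pos = hive_bytes.find(NAME)
    while pos != -1:
        start = pos + len(NAME)
        for m in UTF16_RUN.finditer(hive_bytes[start:start + window]):
            text = m.group().decode("utf-16-le").strip()
            if text and text not in hits:
                hits.append(text)
        pos = hive_bytes.find(NAME, start)
    return hits

# Constructed bytes imitating the dump in the thread: value name, a few
# cell-header bytes, then the DLL path from that dump encoded as UTF-16LE.
INFECTED = (b"\xd8\xff\xff\xffvk\x0c\x00\x3c\x00\x00\x00" + NAME
            + b"\xc0\xff\xff\xff"
            + r"C:\WINDOWS\System32\comfl.dll".encode("utf-16-le")
            + b"\x00\x00")

# Constructed bytes for the same value name followed by empty data.
EMPTY = (b"\xe0\xff\xff\xffvk\x0c\x00\x02\x00\x00\x00" + NAME
         + b"\xf8\xff\xff\xff\x00\x00\x00\x00")

if __name__ == "__main__":
    print(appinit_candidates(INFECTED))
    print(appinit_candidates(EMPTY))
```

To use it on a real export, read the saved file with `open(path, "rb").read()` and pass the bytes to `appinit_candidates`.
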
Luke_Wilbur Posted March 18, 2005

Blacksun has found the culprits of this Trojan.

http://www.dcpages.com/forums/index.php?showtopic=3633