Solved

How to remove se.dll.

Posted on 2005-03-09
Medium Priority
1,013 Views
Last Modified: 2013-12-04
Hi.. Helpppppppppppp..

I can't get rid of se.dll on a PC at work. Tried numerous apps to get rid of it, but all to no avail.

MS AntiSpyware
CW Shredder
HijackThis.

Thanks in advance.

Here is my log file.
Logfile of HijackThis v1.99.1
Scan saved at 09:54:50, on 07/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Oracle\OUIHome\bin\omtsreco.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\QUESTS~1\questc~1\QCUpdate.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Hummingbird\Connectivity\8.00\HostExplorer\Hostex32.exe
C:\PROGRA~1\HUMMIN~1\CONNEC~1\8.00\HOSTEX~1\HEOleAut.exe
C:\TEMP\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\g2341\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://portal/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.PG.EON.NET;*.POWERGEN.INT;*.COP.EME.UK;ret*;RMM*;iandcarchive*;10.*;<local>;*QSP*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37CA6835-C928-4418-BAD7-85C8EBBFFE4D} - C:\WINDOWS\System32\cgde.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O12 - Plugin for .vrd: C:\Program Files\Internet Explorer\PLUGINS\npvrd001.dll
O14 - IERESET.INF: START_PAGE_URL=http://portal
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = retail.pg.eon.net
O17 - HKLM\Software\..\Telephony: DomainName = retail.pg.eon.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{532888C8-5969-4551-945D-3C594E8F2F19}: Domain = corp.pg.eon.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{532888C8-5969-4551-945D-3C594E8F2F19}: NameServer = 10.81.192.12,10.85.3.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = retail.pg.eon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = retail.pg.eon.net
O18 - Filter: text/html - {BC80B2D4-AF11-4C0E-A184-6BB7DE201860} - C:\WINDOWS\System32\cgde.dll
O18 - Filter: text/plain - {BC80B2D4-AF11-4C0E-A184-6BB7DE201860} - C:\WINDOWS\System32\cgde.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Oracle\OUIHome\bin\omtsreco.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\bin\ONRSD.EXE
O23 - Service: OracleOUIHomeAgent - Oracle Corporation - C:\Oracle\OUIHome\bin\agntsrvc.exe
O23 - Service: OracleOUIHomeClientCache - Unknown owner - C:\Oracle\OUIHome\BIN\ONRSD.EXE
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Application Vantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
Question by:EONUK
11 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 13494743
Can’t Delete a File

You need permissions to delete a file; are you a member of the Administrators group?
(You need a minimum of {modify} to delete.)
**********
1. Try to take ownership of the file. Right click the file > Select the Security tab
Select properties > Select Advanced > Select Owner
Find the user or group you wish to give ownership to and select > Click Apply
Now try and delete the file
http://support.microsoft.com/default.aspx?scid=kb;en-us;268019
**********
2. Is it telling you the filename is too long? Then delete the file in DOS mode
Start > Run > cmd {enter}
Navigate to the folder the file is in, i.e. if it's in c:\folder\anotherfolder\file, type "cd c:\folder\anotherfolder" {enter}
The command prompt should change to let you know you are in the correct directory. Type "dir /x" {enter}
The offending file will be listed like (filena~1.xxx)
Take note of the name and type "del filena~1.xxx" {enter}
**********
3. Is the file flagged as ‘System’? Start > Run > type CMD > Click OK
Navigate to the folder in which the file resides (i.e. cd c:\folder\folder\ {enter})
Type attrib -r -s -a -h filename.extension {enter}
Del filename.extension {enter}
**********
4. Is the file in use? If either the OS or another program is using the file you cannot delete it. You can with ZAP, included with the Microsoft SMS 2.0 Resource Guide and the Microsoft BackOffice Resource Kit 4.5, or you can download it here
http://helpdesk.kixtart.org/KixUtilsTasks.asp
WARNING: make sure you know what you're deleting first!
**********
5. If your hard drive is formatted with FAT32 you can boot with a boot disk and delete the file from DOS (del filename.extension). If your hard drive is formatted with NTFS you can boot with a boot disk and, if you're lucky enough to have a copy of NTFSPro from http://www.sysinternals.com/ntw2k/freeware/ntfsdospro.shtml, you can boot to DOS, mount the NTFS volumes and delete it from there.
**********

**Other Options**
Use this on the file/folder in question
http://www.jrtwine.com/Products/DelFXPFiles/

Use GiPo@MoveOnBoot
http://www.gibinsoft.net/gipoutils/bin/moveonb.exe
Instructions for use http://www.download-free-games.com/removing_dm_exe.htm

Try using "KillBox" on the file
http://www.broadbandmedic.com/download/VbStuff/TheKillBox.zip

Try using TAKEOWN from the resource kit to force ownership and delete the file
http://www.dynawell.com/support/ResKit/win2k.asp

"Access Denied" When You Delete Folders from a Mounted Drive
http://support.microsoft.com/default.aspx?scid=kb;en-us;243514
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 13494755
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 13494759
Fix immediately

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll/sp.html
0
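The entries singled out above all point at se.dll in the user's Temp directory. As an added example (not part of the thread, and not how HijackThis or the tools mentioned here work), this Python script groups every sectioned log entry that references a file under a Temp directory, so all references to one file are seen together. The Temp-directory rule and the names `triage` and `in_temp_dir` are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: five lines copied verbatim from the HijackThis log in the question.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll,DllInstall
"""

# Section code (R0-R3, O1-O23), then the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# Windows path ending in a file; non-greedy so "se.dll/sp.html" stops at se.dll.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|\r\n]*?\.(?:dll|exe|ocx|htm)\b', re.I)
TEMP_DIRS = {"temp", "tmp"}  # assumption: directory names treated as temporary


def in_temp_dir(path):
    """True if any directory component (not the file name) is Temp/tmp."""
    parts = path.split("\\")[1:-1]
    return any(p.lower() in TEMP_DIRS for p in parts)


def triage(log_text):
    """Return {lowercased path: [(section code, reason), ...]} for flagged entries."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header and running-process lines carry no section code
        code, body = m.groups()
        for path in PATH_RE.findall(body):
            if not in_temp_dir(path):
                continue
            if code.startswith("R") and "res://" in body.lower():
                reason = "IE setting served from a file in a Temp directory"
            elif code == "O4":
                reason = "autorun entry loads a file from a Temp directory"
            else:
                reason = "entry references a file in a Temp directory"
            findings[path.lower()].append((code, reason))
    return dict(findings)


if __name__ == "__main__":
    for path, hits in triage(SAMPLE_LOG).items():
        print(path)
        for code, reason in hits:
            print(f"  {code}: {reason}")
```
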
 
LVL 57

Expert Comment

by:Pete Long
ID: 13494782
Possibly dodgy

(unless you use Oracle a lot)

O23 - Service: Application Vantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
O23 - Service: OracleOUIHomeClientCache - Unknown owner - C:\Oracle\OUIHome\BIN\ONRSD.EXE
O23 - Service: OracleOUIHomeAgent - Oracle Corporation - C:\Oracle\OUIHome\bin\agntsrvc.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\bin\ONRSD.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Oracle\OUIHome\bin\omtsreco.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE

Possibly dodgy

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O18 - Filter: text/plain - {BC80B2D4-AF11-4C0E-A184-6BB7DE201860} - C:\WINDOWS\System32\cgde.dll
O18 - Filter: text/html - {BC80B2D4-AF11-4C0E-A184-6BB7DE201860} - C:\WINDOWS\System32\cgde.dll
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = retail.pg.eon.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = retail.pg.eon.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{532888C8-5969-4551-945D-3C594E8F2F19}: NameServer = 10.81.192.12,10.85.3.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{532888C8-5969-4551-945D-3C594E8F2F19}: Domain = corp.pg.eon.net
O17 - HKLM\Software\..\Telephony: DomainName = retail.pg.eon.net
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cab
O14 - IERESET.INF: START_PAGE_URL=http://portal
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll,DllInstall  
O2 - BHO: (no name) - {37CA6835-C928-4418-BAD7-85C8EBBFFE4D} - C:\WINDOWS\System32\cgde.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
C:\PROGRA~1\HUMMIN~1\CONNEC~1\8.00\HOSTEX~1\HEOleAut.exe
C:\Program Files\Hummingbird\Connectivity\8.00\HostExplorer\Hostex32.exe
C:\PROGRA~1\QUESTS~1\questc~1\QCUpdate.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 450 total points
ID: 13494785
Browser Hijacking/Spyware/Adware/Malware Removal instructions

Full removal and Prevention instructions are available on my website,

http://www.petenetlive.com/Tech/Browsers/hijack.htm

Please don't "Gum up" the TA's here by posting Hijack This Logs
go here and have it analysed.
http://www.hijackthis.de/index.php?langselect=english

The EE Official Link to info is,
 http:Q_20975384.html#10973783
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13494833

A quick add-on to the excellent comments above, this tool takes care of some of the about:blank versions:

http://www.downloads.subratam.org/AboutBuster.zip

Download, install, UPDATE and run.

Zee
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13529369
Hi!

se.dll is often VERY difficult to remove.
There's a beta tool out that's proving to be effective.
Download from here (it's from the German security board trojanerinfo.de):
http://www.derbilk.de/SpSeHjfix_Beta7.zip

I would boot into safe mode and fix and then delete the O18 entries there.

Start SpSeHjfix_Beta7.exe click on " Desinfecton starten" (the other button means close) -
then it will reboot and finish the cleaning.
Run HijackThis and remove leftovers.

Good luck!

RF
0
 

Author Comment

by:EONUK
ID: 14200241
Hi. I tried all the above, none were effective. After using a multitude of apps (CWShredder, MS Antispyware, Hijack this) it did eventually vanish.

I'm not sure what to do to close this question, do I award points, split points..

Your advice would be appreciated.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 32644643
0
