How to remove se.dll.

Posted on 2005-03-09
Last Modified: 2013-12-04
Hi.. Helpppppppppppp..

I can't get rid of se.dll on a PC at work. Tried numerous apps to get rid of it, but all to no avail.

MS AntiSpyware
CW Shredder
HijackThis.

Thanks in advance.

Here is my log file.
Logfile of HijackThis v1.99.1
Scan saved at 09:54:50, on 07/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Oracle\OUIHome\bin\omtsreco.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\QUESTS~1\questc~1\QCUpdate.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Hummingbird\Connectivity\8.00\HostExplorer\Hostex32.exe
C:\PROGRA~1\HUMMIN~1\CONNEC~1\8.00\HOSTEX~1\HEOleAut.exe
C:\TEMP\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\g2341\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://portal/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.PG.EON.NET;*.POWERGEN.INT;*.COP.EME.UK;ret*;RMM*;iandcarchive*;10.*;<local>;*QSP*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37CA6835-C928-4418-BAD7-85C8EBBFFE4D} - C:\WINDOWS\System32\cgde.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O12 - Plugin for .vrd: C:\Program Files\Internet Explorer\PLUGINS\npvrd001.dll
O14 - IERESET.INF: START_PAGE_URL=http://portal
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = retail.pg.eon.net
O17 - HKLM\Software\..\Telephony: DomainName = retail.pg.eon.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{532888C8-5969-4551-945D-3C594E8F2F19}: Domain = corp.pg.eon.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{532888C8-5969-4551-945D-3C594E8F2F19}: NameServer = 10.81.192.12,10.85.3.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = retail.pg.eon.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = retail.pg.eon.net
O18 - Filter: text/html - {BC80B2D4-AF11-4C0E-A184-6BB7DE201860} - C:\WINDOWS\System32\cgde.dll
O18 - Filter: text/plain - {BC80B2D4-AF11-4C0E-A184-6BB7DE201860} - C:\WINDOWS\System32\cgde.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Oracle\OUIHome\bin\omtsreco.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\bin\ONRSD.EXE
O23 - Service: OracleOUIHomeAgent - Oracle Corporation - C:\Oracle\OUIHome\bin\agntsrvc.exe
O23 - Service: OracleOUIHomeClientCache - Unknown owner - C:\Oracle\OUIHome\BIN\ONRSD.EXE
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Application Vantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
Question by:EONUK
9 Comments
 
LVL 58

Expert Comment

by:Pete Long
ID: 13494743
Can’t Delete a File

You need permissions to delete a file; are you a member of the Administrators group?
(You need a minimum of {modify} to delete.)
**********
1.      Try to take ownership of the file. Right click the file > Select the security Tab
Select properties > Select Advanced > Select Owner
Find the User or group you wish to give ownership to and select > Click apply
Now try and delete the file
http://support.microsoft.com/default.aspx?scid=kb;en-us;268019
**********
2.      Is it telling you the filename is too long? Then delete the file in DOS mode
Start > Run > cmd {enter}
Navigate to the folder the file is in, i.e. if it's in c:\folder\anotherfolder\file, type "cd c:\folder\anotherfolder" {enter}. The command prompt should change to let you know you are in the correct directory. Type "dir /x" {enter}
The offending file will be listed like (filena~1.xxx)
Take note of the name and type "del filena~1.xxx" {enter}
**********
3.      Is the file flagged as ‘System’? Start > Run > type CMD >Click OK
Navigate to the folder in which the file resides (i.e. cd c:\folder\folder\ {enter})
Type attrib -r -s -a -h filename.extension {enter}
Del filename.extension {enter}
**********
4.      Is the file in use? If either the OS or another program is using the file, you cannot delete it. You can with ZAP, included with the Microsoft SMS 2.0 Resource Guide and the Microsoft BackOffice Resource Kit 4.5, or you can download it here
http://helpdesk.kixtart.org/KixUtilsTasks.asp
WARNING: make sure you know what you're deleting first!
**********
5.      If your hard drive is formatted with FAT32 you can boot with a boot disk and delete the file from DOS (del filename.extension). If your hard drive is formatted with NTFS you can boot with a boot disk and, if you are lucky enough to have a copy of NTFSPro from http://www.sysinternals.com/ntw2k/freeware/ntfsdospro.shtml, you can boot to DOS, mount the NTFS volumes and delete it from there.
**********

**Other Options**
Use this on the file/folder in question
http://www.jrtwine.com/Products/DelFXPFiles/

Use GiPo@MoveOnBoot
http://www.gibinsoft.net/gipoutils/bin/moveonb.exe
Instructions for use http://www.download-free-games.com/removing_dm_exe.htm

Try using "KillBox" on the file
http://www.broadbandmedic.com/download/VbStuff/TheKillBox.zip

Try using TAKEOWN from the resource kit to force ownership and delete the file
http://www.dynawell.com/support/ResKit/win2k.asp

"Access Denied" When You Delete Folders from a Mounted Drive
http://support.microsoft.com/default.aspx?scid=kb;en-us;243514
0
 
LVL 58

Expert Comment

by:Pete Long
ID: 13494755
0
 
LVL 58

Expert Comment

by:Pete Long
ID: 13494759
Fix immediately

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll/sp.html
0
 
LVL 58

Expert Comment

by:Pete Long
ID: 13494782
Possibly dodgy

(unless you use Oracle a lot)

O23 - Service: Application Vantage Agent (VantageAgent) - Compuware - C:\Program Files\Compuware\Application Vantage Agent\OPTSA.exe
O23 - Service: OracleOUIHomeClientCache - Unknown owner - C:\Oracle\OUIHome\BIN\ONRSD.EXE
O23 - Service: OracleOUIHomeAgent - Oracle Corporation - C:\Oracle\OUIHome\bin\agntsrvc.exe
O23 - Service: OracleOraHome90ClientCache - Unknown owner - C:\oracle\ora90\bin\ONRSD.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\Oracle\OUIHome\bin\omtsreco.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE

Possibly dodgy

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\SYSTEM32\ckpNotify.dll
O18 - Filter: text/plain - {BC80B2D4-AF11-4C0E-A184-6BB7DE201860} - C:\WINDOWS\System32\cgde.dll
O18 - Filter: text/html - {BC80B2D4-AF11-4C0E-A184-6BB7DE201860} - C:\WINDOWS\System32\cgde.dll
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = retail.pg.eon.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = retail.pg.eon.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{532888C8-5969-4551-945D-3C594E8F2F19}: NameServer = 10.81.192.12,10.85.3.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{532888C8-5969-4551-945D-3C594E8F2F19}: Domain = corp.pg.eon.net
O17 - HKLM\Software\..\Telephony: DomainName = retail.pg.eon.net
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://hindi.india-today.com/tdserver.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cab
O14 - IERESET.INF: START_PAGE_URL=http://portal
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll,DllInstall  
O2 - BHO: (no name) - {37CA6835-C928-4418-BAD7-85C8EBBFFE4D} - C:\WINDOWS\System32\cgde.dll
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
C:\PROGRA~1\HUMMIN~1\CONNEC~1\8.00\HOSTEX~1\HEOleAut.exe
C:\Program Files\Hummingbird\Connectivity\8.00\HostExplorer\Hostex32.exe
C:\PROGRA~1\QUESTS~1\questc~1\QCUpdate.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
0
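The entries singled out in the two comments above (the R1 Search Bar values and the O4 Run entry) all point at the same DLL in the user's Temp folder. As an added example that is not part of the original thread, this Python sketch groups HijackThis entries by any binary they load from a Temp directory; the Temp-directory rule is an assumed triage heuristic, the function names are hypothetical, and the sample is a constructed excerpt of the log posted in the question.

```python
import re
from collections import defaultdict

# Constructed sample: a few entries copied from the HijackThis log in the question.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\g2341\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Section code (R0, R1, O2, O4, ...) followed by the entry body.
ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# Drive-letter path ending in a binary extension; stops before ",DllInstall" or "/sp.html".
BINARY = re.compile(r'[A-Za-z]:\\[^,/"<>|*?\r\n]*?\.(?:dll|exe|ocx)', re.I)
# Any path component named Temp or Tmp (matches ...\LOCALS~1\Temp\ and C:\TEMP\).
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.I)


def temp_resident_hooks(log_text):
    """Map each binary under a Temp directory to the log entries that load it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines and the running-process list carry no section code
        for path in BINARY.findall(m.group("body")):
            if TEMP_DIR.search(path):
                hits[path.lower()].append((m.group("code"), line.strip()))
    return dict(hits)


def report(log_text):
    """One summary line per Temp-resident binary: entry count and sections involved."""
    lines = []
    for path, entries in sorted(temp_resident_hooks(log_text).items()):
        codes = sorted({code for code, _ in entries})
        lines.append(f"{path}: {len(entries)} entries, sections {','.join(codes)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the sample, se.dll is reported once with entries from both the R1 and O4 sections, which shows that the browser setting and the Run-key autostart reference the same file.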
 
LVL 58

Accepted Solution

by:
Pete Long earned 450 total points
ID: 13494785
Browser Hijacking/Spyware/Adware/Malware Removal instructions

Full removal and Prevention instructions are available on my website,

http://www.petenetlive.com/Tech/Browsers/hijack.htm

Please don't "Gum up" the TAs here by posting HijackThis logs;
go here and have it analysed.
http://www.hijackthis.de/index.php?langselect=english

The EE Official Link to info is,
 http:Q_20975384.html#10973783
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 13494833

A quick add-on to the excellent comments above, this tool takes care of some of the about:blank versions:

http://www.downloads.subratam.org/AboutBuster.zip

Download, install, UPDATE and run.

Zee
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13529369
Hi!

se.dll is often VERY difficult to remove.
There's a beta tool out that's proving to be effective.
Download from here (it's from the German security board trojanerinfo.de):
http://www.derbilk.de/SpSeHjfix_Beta7.zip

I would boot into safe mode and fix and then delete the O18 entries there.

Start SpSeHjfix_Beta7.exe click on " Desinfecton starten" (the other button means close) -
then it will reboot and finish the cleaning.
Run HijackThis and remove leftovers.

Good luck!

RF
0
 

Author Comment

by:EONUK
ID: 14200241
Hi. I tried all the above; none were effective. After using a multitude of apps (CWShredder, MS Antispyware, HijackThis) it did eventually vanish.

I'm not sure what to do to close this question: do I award points, split points...

Your advice would be appreciated.
0
 
LVL 58

Expert Comment

by:Pete Long
ID: 32644643
0

Question has a verified solution.