MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Author Topic: SE.DLL  (Read 5871 times)
DaDdY
« on: March 04, 2005, 02:53:07 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows ME
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:



Hi, AntiVir is giving me a notice more or less like: C:\...\TEMP\SE.DLL

The Trojan horse TR/StartPage.qr.DLL

I'm unable to fix it with AntiVir or anything else.

The problems it gives me are the notice above every time I open Internet Explorer or even a folder. And when it opens an internet page, sometimes it starts up with an about:blank search page, or sometimes it starts properly, but if I try to access a link, I'm sent to a search page.

I think this is something like dreanor's problem, so I tried to follow the same steps, but the difference is I have Windows ME and he had Windows XP, so when I tried to follow the given steps, I couldn't find the files to be removed.

I don't know what I did, 'cause sometimes the messages appear very often, and sometimes they don't, but another thing is that the number of popups like "your computer is infected" is increasing.

My point is: what should I do? Do I follow the same steps given to dreanor (http://www.mytechsupport.ca/index.php?option=com_smf&Itemid=42&topic=7817) anyway, including the second part?

THX for being patient.

Here's HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 08:54:44 p.m., on 03/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\ARCHIVOS DE PROGRAMA\AVPERSONAL\AVGCTRL.EXE
C:\ARCHIVOS DE PROGRAMA\MSN APPS\UPDATER\01.02.3000.1001\ES\MSNAPPAU.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\MAGICKEY.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\V3D.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\MIS DOCUMENTOS\NUEVA CARPETA\PROGS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.t1msn.com.mx/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = V
DaDdY
« Reply #1 on: March 06, 2005, 04:24:35 AM »

Hi Cactus

Pls, help with my problem.  These last days the message doesn't appear so often, but I'm getting a lot of popups about the computer being infected, and when I open Internet Explorer, it opens an about:blank and search page.

Please, help me.  I don't know much about computers and I'm desperate.

Logfile of HijackThis v1.99.1
Scan saved at 10:29:07 p.m., on 05/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\ARCHIVOS DE PROGRAMA\AVPERSONAL\AVGCTRL.EXE
C:\ARCHIVOS DE PROGRAMA\MSN APPS\UPDATER\01.02.3000.1001\ES\MSNAPPAU.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\MAGICKEY.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\V3D.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\OSD.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MIS DOCUMENTOS\NUEVA CARPETA\PROGS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.t1msn.com.mx/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = V
Cactus (Security & Virus Specialist, Global Moderator)
« Reply #2 on: March 06, 2005, 09:03:53 PM »

Ok DaDdY .. first let's open a command prompt (Go to Start>All Programs>Accessories>Command Prompt) and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u se.dll
regsvr32 /u MSBE.DLL
regsvr32 /u TWAINTEC.DLL
regsvr32 /u NEM219.DLL
regsvr32 /u PWRSAL01.DLL
regsvr32 /u FIAM.DLL
regsvr32 /u ISTBAR.DLL


It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

Ok now ...

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

ALCHEM.exe
CWPHBKI.exe
dyrfmst.exe
istsvc.exe
bargains.exe
hsfajyl.exe
msnappau.exe
SchedulerV2.exe



Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.t1msn.com.mx/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = V

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
DaDdY
« Reply #3 on: March 08, 2005, 05:32:50 AM »

Ok, Cactus, I did what you said (http://www.mytechsupport.ca/index.php?option=com_smf&Itemid=42&topic=8101&SearchTerms=,se.dll), and here's my report:

First, of the things to be unregistered, just the second said:  "DllUnregisterServer in MSBE.DLL succeeded".  All the others said "LoadLibrary ("{the name}") failed.  GetLastError returns 0x00000485".

Then, when pressing Ctrl/Alt/Del, there was only msnappau.exe.  Nothing else.  The ones that appeared were:  Versato Retail UI, Explorer, Osd, Pccguide, Pop3trap, Pccclient, Edict, Msnmsgr, MagicKey, Rundll32, Loadqm, Systray, Ptsnoop, Pcciomon, Avgctrl, Winampa and Rundll32, but I just finished msnappau.exe.

When I tried to fix with HijackThis, all the ones listed were there, but:
"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=res://C:WINDOWS\TEMP\se.dll" ;
"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:WINDOWS\TEMP\se.dll";
"02 - BHO:BHObj Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:WINDOWS\SYSTEM\MSBE.DLL" ;

Then, at Control Panel/Add/Remove Programs, there were:

ALAWAR TOOLBAR
ISTsvc

The others weren't.  There was one that called my attention:  XXXToolBar, but it couldn't be removed; it always reappeared.

When trying to delete the folders/files, I deleted se.dll AND se.dll.vir.  They were both there.  MSBE.DLL was deleted, too.  The others weren't.  There were some approximations, but they weren't the same, or the folders were empty.

While doing all this, there was an AntiVir message appearing:  "C:\WINDOWS\HTMLHEFP.INI is the Trojan horse TR/Mersting.C  File moved to quarantine directory"

And after I rebooted, there was a message more or less like: "Failed loading C:\WINDOWS\TEMP\SE.DLL  System couldn't find the specified file"

Finally, here's HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:06:37 p.m., on 07/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\ARCHIVOS DE PROGRAMA\AVPERSONAL\AVGCTRL.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\MAGICKEY.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT ENCARTA\BIBLIOTECA DE CONSULTA ENCARTA 2003\EDICT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\V3D.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\OSD.EXE
C:\MIS DOCUMENTOS\NUEVA CARPETA\PROGS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\ARCHIVOS DE PROGRAMA\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\ARCHIVOS DE PROGRAMA\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Magic Keyboard.lnk = C:\Archivos de programa\MagicKey\MagicKey.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab


You'll say what we'll do now.  Thanks a lot again.

DaDdY
DaDdY
« Reply #4 on: March 09, 2005, 04:32:35 AM »

Hi, Cactus, I just wanna tell you that this is coming back.  The first days it was working kind of "normal", but since today some messages have been appearing, messages like "C:\WINDOWS\HTMLHEFP.INI Is the Trojan horse TR/Mersting.C File moved to quarantine directory", so I tried to run Panda Scan Online, but it failed when trying to open:  "C:\WINDOWS\SYSTEM\ACTIVESCAN\SETE0E2.TMP Contains signature of the Micro-128 (C) virus.  The file has been moved to the quarantine directory".

Another message is like "Fail loading C:\WINDOWS\TEMP\SE.DLL  System couldn't find specified file".

So I don't know what to do now.  I also cannot access some internet pages.  I hope you can tell me what we can do to fix this, 'cause this is driving me crazy!!

Thanks again, and I'm waiting to hear from you.

DaDdY
Cactus (Security & Virus Specialist, Global Moderator)
« Reply #5 on: March 14, 2005, 05:07:51 AM »

Alright DaDdY ..

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

ALCHEM.exe

Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall


Now delete these Folders or Files that are Highlighted: (You may need to enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\WINDOWS\ALCHEM.exe
C:\WINDOWS\TEMP\SE.DLL

Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.


In Xp, here are some locations of Temp files

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

Turn on System Restore

Before opening your browser go to START>CONTROL PANEL>INTERNET OPTIONS and make sure your Homepage is correct; if not, type the URL you would like in the HomePage box.


Now re-run HJT and post a new logfile back here.

Cactus  
DaDdY
« Reply #6 on: March 20, 2005, 06:16:40 AM »

Hi, it's me again.  I know I'm bothering a lot, but this is doing the same to me.  Now it's getting worse; I cannot do anything, 'cause it is sending me messages.  I really don't know what to do now. I've done what you told me and it worked the first days, but it's coming back.  Some messages are: PANDA SCAN:  "c:\WINDOWS\SYSTEM\ACTIVESCAN\SETE#E2.TMP Contains signature of the Micro-128 virus.  The file has been moved to the quarantine directory"  ;  "WARNING:  C:\WINDOWS\ARCHIVOS TEMPORALES DE INTERNET\CONTENT.IE5\I9EF092N\M [ 1 ].BIN  Is the Trojan horse TR/Startpage.215 The file has been moved to the quarantine directory. "  ;  "C:\WINDOWS\SYSTEM\ADCJPK.DLL Is the Trojan horse TR/Startpage - 215  The file has been moved to the quarantine directory".

And the old message:  "C:\WINDOWS\TEMP\SE.DLL  Is the Trojan horse  TR/Startpage.qr.DLL  The file has been moved to the quarantine directory."

Here's the last Antivir scan


Creation date of the report file:  Jueves, 17 de Marzo de 2005  15:03

AntiVir
Cactus (Security & Virus Specialist, Global Moderator)
« Reply #7 on: March 20, 2005, 04:21:19 PM »

Ok first we need to UNREGISTER these DLL files we are going to DELETE

Go to START>RUN
In the Run Box type or Copy/Paste the lines below, then hit OK after each:

regsvr32 /u KGGJ.DLL

regsvr32 /u WEBDLG32.DLL


It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the Run Box to save on the typing.


Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

ALCHEM.exe
HBCL.EXE

Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


O2 - BHO: (no name) - {531477AD-8E3E-4AF0-97DC-575FFB7943A7} - C:\WINDOWS\SYSTEM\KGGJ.DLL
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\WEBDLG32.DLL

O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe

O4 - HKLM\..\Run: [hbcl] C:\WINDOWS\HBCL.EXE

O18 - Filter: text/html - {4B0BF042-E2FC-4E55-A5E6-7E951D5BC886} - C:\WINDOWS\SYSTEM\KGGJ.DLL
O18 - Filter: text/plain - {4B0BF042-E2FC-4E55-A5E6-7E951D5BC886} - C:\WINDOWS\SYSTEM\KGGJ.DLL


Now delete these Folders or Files that are Highlighted: (You may need to enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\WINDOWS\SYSTEM\KGGJ.DLL
C:\WINDOWS\WEBDLG32.DLL
C:\WINDOWS\ALCHEM.exe
C:\WINDOWS\HBCL.EXE


Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

Turn on System Restore

Before opening your browser go to START>CONTROL PANEL>INTERNET OPTIONS and make sure your Homepage is correct; if not, type the URL you would like in the HomePage box.


Now re-run HJT and post a new logfile back here.


Cactus  
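As an added example (not from this thread and not HijackThis's own logic), here is a small Python triage script that applies the same patterns Cactus picks out of these logs: R0/R1 search-page entries reset to about:blank or to a res:// page inside a local DLL, orphaned R3 URLSearchHooks, nameless or oddly located O2 BHOs, O4 rundll32 autostarts loading from a TEMP directory, and O18 text/html or text/plain MIME filters. The sample log is constructed from entries posted in this thread; the flagging rules are heuristics a reviewer would apply by hand, and a flagged entry still needs a human look before it is "fixed".

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: HijackThis v1.99.1 lines of the kinds posted in this thread,
# plus one known-good entry per section so the rules can be seen to discriminate.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {531477AD-8E3E-4AF0-97DC-575FFB7943A7} - C:\WINDOWS\SYSTEM\KGGJ.DLL
O2 - BHO: StartBHO Class - {30192F8D-0958-44E6-B54D-331FD39AC959} - C:\WINDOWS\WEBDLG32.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {4B0BF042-E2FC-4E55-A5E6-7E951D5BC886} - C:\WINDOWS\SYSTEM\KGGJ.DLL
"""

# "R1 - ..." / "O18 - ..." entry lines; the header and the process list do not match.
_HJT_LINE_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<rest>.+)$")
# Directories a legitimate add-on or autostart should not be loading code from.
_TEMP_DIR_RE = re.compile(
    r"\\(?:TEMP|TEMPORARY INTERNET FILES|ARCHIVOS TEMPORALES DE INTERNET)\\", re.I)
# A Windows path ending in a loadable module, as it appears inside an HJT entry.
_MODULE_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx)\b", re.I)


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "R1", "O4", "O18"
    reason: str   # why the entry was flagged
    line: str     # the original log line, ready to paste into a reply


def classify(sec: str, rest: str) -> str:
    """Return a reason if the entry matches a hijack pattern, else an empty string."""
    upper = rest.upper()
    if sec in ("R0", "R1"):
        # Hijackers reset the search/start pages to about:blank or to a page
        # served from a resource inside their own DLL (res://...se.dll/sp.html).
        if upper.endswith("= ABOUT:BLANK"):
            return "IE search/start page reset to about:blank"
        if "= RES://" in upper:
            return "IE search page served from a resource inside a local DLL"
    elif sec == "R3" and upper.endswith("(NO FILE)"):
        return "URLSearchHook CLSID still registered but its file is gone"
    elif sec == "O2":
        path = rest.rsplit(" - ", 1)[-1]
        if upper.startswith("BHO: (NO NAME)"):
            return "nameless Browser Helper Object"
        if _TEMP_DIR_RE.search(path) or path.upper().startswith("C:\\WINDOWS\\"):
            # Heuristic: real add-ons live under Program Files, not in the Windows dir.
            return "BHO loaded from a temp or Windows directory instead of an application folder"
    elif sec == "O4":
        if "RUNDLL32" in upper and _TEMP_DIR_RE.search(rest):
            return "autostart uses rundll32 to load a DLL from a temp directory"
    elif sec == "O18":
        if upper.startswith("FILTER: TEXT/HTML") or upper.startswith("FILTER: TEXT/PLAIN"):
            return "MIME filter on text/html or text/plain (can rewrite every page IE renders)"
    return ""


def triage_hjt_log(text: str) -> List[Finding]:
    """Parse an HJT log and return the entries that match a hijack pattern, in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _HJT_LINE_RE.match(line)
        if not m:
            continue
        reason = classify(m.group("sec"), m.group("rest"))
        if reason:
            findings.append(Finding(m.group("sec"), reason, line))
    return findings


def files_to_remove(findings: List[Finding]) -> Set[str]:
    """Collect the module paths referenced by flagged entries (the 'delete these files' step)."""
    paths: Set[str] = set()
    for f in findings:
        for m in _MODULE_PATH_RE.finditer(f.line):
            paths.add(m.group(0).upper())
    return paths


if __name__ == "__main__":
    found = triage_hjt_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("Files referenced by flagged entries:", sorted(files_to_remove(found)))
```

On the constructed sample the known-good Acrobat BHO and the LoadPowerProfile rundll32 entry are left alone, while the seven hijack entries and the three DLL paths behind them are reported.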
DaDdY
« Reply #8 on: March 21, 2005, 07:38:22 PM »

Hi, I followed the instructions and could do everything.  Something that called my attention was a file "sre.dll".  I didn't do anything to it, but the name is similar to se.dll, which is why I noticed it.  Here's the new HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 01:25:25 p.m., on 21/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\ARCHIVOS DE PROGRAMA\AVPERSONAL\AVGCTRL.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\MAGICKEY.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT ENCARTA\BIBLIOTECA DE CONSULTA ENCARTA 2003\EDICT.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\V3D.EXE
C:\ARCHIVOS DE PROGRAMA\MAGICKEY\OSD.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MIS DOCUMENTOS\NUEVA CARPETA\PROGS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\ARCHIVOS DE PROGRAMA\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\ARCHIVOS DE PROGRAMA\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Archivos de programa\Trend Micro\PC-cillin 2002\PCCPFW.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Magic Keyboard.lnk = C:\Archivos de programa\MagicKey\MagicKey.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28177.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
Cactus (Security & Virus Specialist, Global Moderator)
« Reply #9 on: March 24, 2005, 01:57:36 AM »

Alright DaDdY .. let's try this again!

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {30192F8D-0958-44E6-B54D-331FD39AC959} - (no file)



Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

Turn on System Restore

Before opening your browser go to START>CONTROL PANEL>INTERNET OPTIONS and make sure your Homepage is correct; if not, type the URL you would like in the HomePage box.


Now re-run HJT and post a new logfile back here.

If those lines are still there...REBOOT into SAFE MODE and run HJT and REMOVE them again..

Cactus  