
SE.dll


21 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,593 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:12:41 AM

Posted 13 February 2005 - 12:41 AM

For anyone having problems with the SE.DLL infection check these two posts.

How to remove About:Blank & About:NavigationFailure & SE.DLL - 95/98/ME

How to remove About:Blank & About:NavigationFailure & SE.DLL - Xp/NT/2000

If that does not help, post a hijackthis log in the HijackThis section and someone will help you.




#2 RC2005

RC2005

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 13 February 2005 - 12:44 AM

A McAfee technician referred me to your site earlier for a tutorial solution on an "at home" hijack problem involving Win98 SE IE6. The problem was solved per your site's instructions -thank you! However, several days later, a different problem appeared with annoying pop-ups warning of Trojans and hijackers. The pop-ups would appear randomly in IE and other applications.

I tentatively traced it to SE.dll and disabling it solved the problem until it "reloads itself." It was disabled via MSCONFIG Start Menu and deleting the file from the Windows System directory. Occasionally, it "re-enables" itself in the MSCONFIG Start Menu and re-copies the file to the systems directory and the same pop-up problem re-appears.

Please advise as to how I might rid this annoyance from my system permanently or pursue the true problem if I am chasing a symptom rather than a root cause. Thank you!




#3 pip22

pip22

  • Banned
  • 341 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:41 AM

Posted 13 February 2005 - 10:00 AM

Most browser hijacks add keys and values to the Windows Registry which re-enable any hijack you disable elsewhere. Since they are in the Registry, these entries are difficult to track down. There is, however, a specialised and free tool for the job called 'HijackThis' from: http://www.bleepingcomputer.com/files/hijackthis.php

It's very effective but requires specialist knowledge to actually know what should be removed from the list of what it finds.

Run it to produce a log-file, then post the log to the 'HijackThis Logs and Analysis' forum where someone can tell you how to proceed.

Changed to our direct download

Edited by Grinler, 25 February 2005 - 04:43 PM.


#4 nrgeti

nrgeti

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 18 February 2005 - 04:33 PM

I am having the exact same problem with SE.DLL but on a Windows XP Professional PC.

Apparently the virus in this file:
1. Changes the home Internet page to ABOUT:BLANK which is kind of a list of jumps to some porn or other sites.
2. Hijacks the keyboard any time one tries to go on the Internet and at certain words will pop up a spam ad.
3. Seems to block Norton's SystemWorks shortcuts

No matter what I do, it keeps coming back. So far this is what I have done attempting to remove the virus.

1. Symantec has an instruction guide for removal but it did not solve the problem. This guide suggests
a. Disabling System Restore
b. Updating Norton's Antivirus to the latest
c. Rebooting into safe mode and running Antivirus Scan
Norton finds the bad file and first quarantines it then permits deleting. This file contains the trojan.startup virus. However, something prevents it from being deleted even though no message indicates this.
d. Removing some registry keys. I found several that refer to SE.DLL. One was in a Search key and the other in a Command key. After rebooting these keys are restored.
e. Repairing the Hosts file. This was not altered so no problem here.

2. The folder containing SE.DLL is marked hidden but I set it to view mode and found the file. I cannot delete it manually; access is denied.

3. Unchecked all the options in msconfig. One of them is SE but after rebooting this item is now checked again.

4. Tried deleting everything in the Task Manager to see if one of the services is restoring SE.DLL.

5. HijackThis did not list any bad DLLs and hence FixThis had nothing to repair.

#5 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:11:41 PM

Posted 18 February 2005 - 07:48 PM

One trick these trojans use is to create a .reg file that is loaded on reboot. It creates a registry key that makes a connection to a remote server and reloads the trojan. Try doing a search in Find files or folders for *.reg. Make sure you are able to see hidden files and folders. If you get lucky you will find a .reg file in a place that it probably should not be. Opening this file using the Edit command should point you to the registry key and the file that creates the trojan. Do not double click and merge! If you are not sure what .reg file to look at post a list back here and we'll look at it. Post a screenshot of the search results if you like.

How to take and share a screen shot in Windows

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslo

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool
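
One way to read a .reg file found by that search without merging it, as the post above advises. This is an added example in Python, not part of the original thread: it parses the .reg text format and lists the values the file would write, flagging autostart or browser keys and any data naming an .exe or .dll. The function names, the WATCHED key list and the SAMPLE contents are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Autostart and browser-setting keys worth a second look (assumed list, not exhaustive).
WATCHED = ("\\currentversion\\run", "\\browser helper objects", "\\internet explorer\\")
VALUE_LINE = re.compile(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')

def read_reg_text(path):
    """Read a .reg file as text; nothing is merged into the registry."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):   # "Version 5.00" exports are UTF-16 with a BOM
        return raw.decode("utf-16")
    return raw.decode("cp1252", "replace")       # REGEDIT4 files are ANSI

def unescape(quoted):  # drop the surrounding quotes, undo backslash escaping
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])

def parse_reg(text):
    """Return (key, value_name, data) for every value the file would write."""
    ansi = text.lstrip("\ufeff").startswith("REGEDIT4")
    text = re.sub(r"\\\r?\n[ \t]*", "", text)    # rejoin hex data split by a trailing backslash
    entries, key = [], None
    for line in map(str.strip, text.splitlines()):
        m = VALUE_LINE.match(line)
        if line.startswith("["):                 # [key] selects a key, [-key] deletes one
            key = None if line.startswith("[-") else line.strip("[]")
        elif key and m and m.group(2) != "-":    # "name"=- deletes a value
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1))
            data = m.group(2)
            if data.startswith('"'):
                data = unescape(data)
            elif re.match(r"hex\([127]\):", data):   # string types stored as hex bytes
                blob = bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
                data = blob.decode("cp1252" if ansi else "utf-16-le", "replace").rstrip("\x00")
            entries.append((key, name, data))
    return entries

def suspicious(entries):
    """Entries that touch a watched key or whose data names an .exe or .dll."""
    return [e for e in entries if any(w in e[0].lower() for w in WATCHED)
            or re.search(r"\.(exe|dll)\b", e[2], re.I)]

# Constructed sample for illustration, not taken from a real infection.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"se"="rundll32.exe C:\\WINDOWS\\TEMP\\se.dll,Run"
[HKEY_CURRENT_USER\Software\Example]
"Colour"=dword:00000001
'''
```

For each file the search turns up, suspicious(parse_reg(read_reg_text(path))) gives the entries to look at first; the file itself is only read, never imported.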


#6 jfarena

jfarena

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 18 February 2005 - 10:46 PM

Hello,

I have a user (Win XP Home, SP2 using IE) who has been fighting this exact same problem on their home computer. I have been onsite three times in the last week for it. I have removed the se.dll file and any other foreign files including ones I found in the system32 directory and cleared all temp items and went through the registry and removed any reference to the se.dll file and also unregistered it. The thing still came back. (by the way, it doesn't come up in adaware, spybot s+d or any other canned anti-spyware app that I have run thus far. Hijack this doesn't come up with anything handy either.)

It seems that it has some serious self-preservation tactics. The file appears to be timed or on a schedule (nothing in scheduled tasks, it is probably using its own cron job or something) as I could not get the file to generate on the computer after surfing the web and performing other tasks for over an hour with rebooting and shutting down the computer several times during that time.

I originally had located the se.dll file by noting that it was created at 430a the day after I cleared out the spyware the first time around in the evening. (I deleted it when I cleared out the user temp directory)

The user informs me after each session that this problem has reappeared on the next day. I am ready to format the computer, I've already given four free hours of my time on this and another four of paid time (plus research) and the user isn't interested in why it keeps reappearing only that she can't read her email and horoscopes. :thumbsup:

I didn't see any .reg files on the computer but if I get another chance at this, I will look for one and post back if I find anything.

Anyone got any ideas other than to use firefox, I'm all ears.

I hate spyware :flowers:

Jon
Computer consultant
DE/MD/PA State Lines

#7 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:11:41 PM

Posted 19 February 2005 - 07:34 PM

Look for suchost.exe. That might be the file that generates se.dll.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslo

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#8 Coquipaapi

Coquipaapi

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 21 February 2005 - 03:01 PM

I am another person that has this problem with se.dll, however I do have one file that seems to be directly related to this problem. It's "mpao.dll". The passage is C:\WINDOWS\SYSTEM\mpao.dll. I use winpatrol to fight spyware, and I have always been successful using it since you can remove programs from your startup file manually. This is the first time I could not remove spyware using winpatrol. However, when I started noticing the problems, the se.dll appeared, and in my IE helpers section, the mpao.dll file appeared. Every time I successfully remove the se.dll file it throws it back in my startup, along with the mpao.dll file. However, I have not been successful removing the mpao.dll file.

Matt

#9 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:11:41 PM

Posted 21 February 2005 - 05:58 PM

In the HiJack forum here I noticed that gerald had the se.dll problem and figured it out. He had this to say:

I have removed the above file permanently. It's taken me about a week. What was basically happening was that there was an exe, mijef.exe, stopping me from deleting se.dll. I used anti spy info and located the mijef exe, quarantined it and then deleted se.dll and it hasn't come back.


The thread is here. It's worth looking for that file on your computers but many times these files are randomly named so it may be there as something else.

Another area to look at is to open windows explorer and to highlight C:. Look in the right hand window for a file that ends in .exe. You should not have one there in most cases. If you find one or more .exe files there, rather than delete them right away, just move them into a folder where you can remember where you put it in case you need to put it back. Then reboot your computer and wait a few days before deleting to be sure your programs run properly. If you want to post the name of the .exe file you find at the root of C: we can check it out for you.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslo

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#10 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 22 February 2005 - 12:13 PM

Everyone suffering from this problem should submit a HijackThis log for analysis ASAP. General removal guides will rarely be effective--malware is very good now at morphing and using random file names to avoid removal. Also every PC is different and, since malware commonly comes in bunches, what needs to be remedied on each PC is also different.

So I strongly urge all of you to read the following and do this exactly to achieve the best results:
http://www.bleepingcomputer.com/forums/t/956/how-to-submit-a-hijackthis-log/

You should also know that se.dll has reached epidemic proportions and the malware experts are burning the midnight oil to find the most effective solution to this problem. That is best achieved by infecting a test platform with this malware and figuring out what it does and how to fix it. So the sooner we get logs and files submitted the better.

The thing about people

is they change

when they walk away.--Mipso


#11 anders

anders

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 22 February 2005 - 12:52 PM

I've experienced the same problems with this se.dll file...and it has caused me some late nights and frustrating days!!

I found the only way to rid the pesky virus / adware / spyware / devil, was to install kaspersky..

(you can get the trial version from here...http://www.kaspersky.com/trials)

...get the latest update and run a full scan.

Kaspersky seems to detect this and rid it from your system (long live kaspersky by the way!). This seems like a long way round solving the problem (not as long as the hours it took me to find out this solution though!) as you have to uninstall your current virus scanner, install kaspersky, update kaspersky and run a full scan. Becomes a real pain when you have around 20-30 PCs to do ASAP. I can't understand why most respected virus scanners (i.e. Norton Symantec ) and Adware / Spyware removers (Adaware) don't detect and remove this problem, as it seems quite prevalent.

I hope this helps you guys and girls with this problem, and if anyone discovers a quicker solution, please post it here as I'm sure this problem won't go away!!!

kind regards (this is my first post by the way...I feel a new man!)

#12 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 22 February 2005 - 02:46 PM

Thanks for that anders. I'm assuming that you're referring to version 5.x of KAV? If so which flavor, Personal, Personal Pro or another?

I'm still running an earlier version since the 5.x has some issues with excessive disk fragmentation and affects System Restore on XP--last time I looked. Had something to do with running Diskeeper also. But if KAV gets rid of it that's good to know. Thanks.

There is another file or two that reinstates the se.dll so just getting rid of it won't do much good. The experts are on it and I expect to see a fix out soon--keep an eye on the Self Help Guides forum:
http://www.bleepingcomputer.com/forums/f/55/spyware-and-malware-removal-guides-and-reading-room/

I'm going to move this Topic to the Privacy forum but will leave a link so you all can get to it. :thumbsup:

The thing about people

is they change

when they walk away.--Mipso


#13 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:11:41 PM

Posted 22 February 2005 - 10:06 PM

bowlingman, welcome to BC. :thumbsup:

I moved your log into a topic of its own in the HJT Logs forum. You can find it here:
http://www.bleepingcomputer.com/forums/ind...topic=12020&hl=

Anyone else that wants to post a log, please do so, but do post it in that forum:
http://www.bleepingcomputer.com/forums/ind...hp?showforum=22

Please, if you want to have your log looked at, start a new Topic by clicking the New Topic button toward the top right of the HijackThis Logs and Analysis forum index. This will ensure that you get the best possible help for your unique situation. Do not post a log into someone else's thread.

The thing about people

is they change

when they walk away.--Mipso


#14 anders

anders

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 23 February 2005 - 07:26 AM

I used the Kaspersky 5.0 personal trial edition, which seemed to work a treat!

Hope this has been of some help to you guys

#15 digitek

digitek

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 23 February 2005 - 08:40 PM

This is what I recommend doing if you already have Antivirus software installed - the customer I was working on had NIS'05, so uninstalling was not looking to be a good option in order to do the kaspersky thing ....

Here are the steps I did, which I highly recommend and rather painless ... now at least ... (also please note - the following instructions are only for those that understand the speak - if any of this is unheard of, please do not do it!)

Some of this stuff is probably overkill, but ...
1) Download Microsoft's Antispyware - get it on the PC somehow - don't install yet
2) MSCONFIG - took out all Services and Startup.
3) Boot to safemode with network, ran the regsvr32 /u /s se.dll and deleted the file.
4) Ran Hijack this and took out the stupid reference in IE - that weren't right
5) Installed Antispyware and updated over LAN - ran and delete what it finds
6) Re-MSCONFIG the good stuff and all processes (that you trust)
7) Rescan with Adaware/Spybot/AntiSpyware/Hijack this in Normal mode
8) Test, test, test - finally, the stupid page wasn't hijacked and NAV didn't come up with "windows\temp\Se.dll is infected but I cannot delete it"

I think the key here is deleting the file in safemode and running AntiSpyware on there ... I mean, I really like this beta version - it simply found stuff that Adaware and Spybot both did not see - VERY nice!

Good luck,
Jason N.
Digi-Tek Computer



