Need help Killing se.dll


11 replies to this topic

#1 MaxxAG

  • Members
  • 7 posts

Posted 23 February 2005 - 02:09 AM

I really need help killing this virus. Here is my log, and thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 1:04:02 AM, on 2/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trillian\trillian.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
C:\Documents and Settings\Max Goldstein\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\MAXGOL~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\MAXGOL~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {70908262-053D-4EDF-AA72-164962D180E2} - C:\WINDOWS\system32\ahbgef.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\MAXGOL~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - Startup: trillian.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: text/html - {411A9CFC-B7BC-473D-BA79-3D5016CC3363} - C:\WINDOWS\system32\ahbgef.dll
O18 - Filter: text/plain - {411A9CFC-B7BC-473D-BA79-3D5016CC3363} - C:\WINDOWS\system32\ahbgef.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
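The replies below reason from this log by hand. As an added example, not part of the original thread and not HijackThis output, the PowerShell script below applies the same indicators to the posted lines (copied into a here-string): an R0/R1 search setting served as a res:// page out of a DLL in a Temp folder, an O4 rundll32 launch of a DLL from Temp, an O2 BHO that registers no name, and O18 MIME filters for text/html and text/plain (a filter on those types gets to rewrite every page IE renders). Hits are grouped by DLL so that the two components, se.dll in Temp and ahbgef.dll in System32, stand out. The rules and the helper names are my own.

```powershell
# Added example: triage of the HijackThis v1.99.1 log posted above.
# The log lines are copied from the post; the rules are the heuristics a
# malware-removal helper applies by hand, not HijackThis's own checks.
$log = @'
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\MAXGOL~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\MAXGOL~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: (no name) - {70908262-053D-4EDF-AA72-164962D180E2} - C:\WINDOWS\system32\ahbgef.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\MAXGOL~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O18 - Filter: text/html - {411A9CFC-B7BC-473D-BA79-3D5016CC3363} - C:\WINDOWS\system32\ahbgef.dll
O18 - Filter: text/plain - {411A9CFC-B7BC-473D-BA79-3D5016CC3363} - C:\WINDOWS\system32\ahbgef.dll
'@

# Pull every DLL path out of a line, short (8.3) or long form, lower-cased for grouping.
function Get-DllPaths([string]$Line) {
    [regex]::Matches($Line, '[A-Za-z]:\\[^\s,"]+?\.dll', 'IgnoreCase') |
        ForEach-Object { $_.Value.ToLowerInvariant() }
}

function Invoke-HjtTriage([string]$LogText) {
    $findings = @()
    foreach ($line in ($LogText -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $kind = ($line -split ' - ', 2)[0]      # R1, O2, O4, O18, ...
        $why  = $null
        switch -Regex ($line) {
            # R0/R1: IE search settings served as a res:// page inside a DLL under a Temp folder
            '^R[01] .*= res://.*\\(temp|tmp)\\.*\.dll' { $why = 'IE search setting points at a res:// page inside a DLL in a Temp folder' }
            # O4: autorun of a DLL from a Temp folder through rundll32
            '^O4 .*rundll32 .*\\(temp|tmp)\\.*\.dll'   { $why = 'Run key loads a DLL from a Temp folder via rundll32' }
            # O2: a Browser Helper Object that registers no name
            '^O2 - BHO: \(no name\)'                   { $why = 'unnamed BHO' }
            # O18: a MIME filter on text/html or text/plain sees every page IE renders
            '^O18 - Filter: text/(html|plain) '        { $why = 'third-party MIME filter on text content' }
        }
        if ($why) {
            foreach ($dll in (Get-DllPaths $line)) {
                $findings += [pscustomobject]@{ Kind = $kind; Dll = $dll; Reason = $why; Line = $line }
            }
        }
    }
    return $findings
}

$hits = Invoke-HjtTriage $log
# Group by DLL: one file showing up in several sections is one component.
foreach ($g in ($hits | Group-Object Dll)) {
    $sections = ($g.Group | ForEach-Object Kind   | Sort-Object -Unique) -join ', '
    $reasons  = ($g.Group | ForEach-Object Reason | Sort-Object -Unique) -join '; '
    "{0}`n  sections: {1}`n  reasons:  {2}" -f $g.Name, $sections, $reasons
}
```

Run as-is, it reports se.dll under R1 and O4 and ahbgef.dll under O2 and O18; the WinPatrol O4 line and the about:blank R1 lines produce no finding on their own. The grouping is the useful part: the same DLL behind both an unnamed BHO and a pair of text MIME filters is one component, and the rundll32 Run entry plus the res:// search page are the other, which is why the replies that follow go looking for a third piece that keeps re-creating them.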


#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,395 posts

Posted 24 February 2005 - 12:25 AM

Hi. Please download and install the program Registrar Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the line below into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And press Enter. You will now be presented with new information in the bottom right and left sections, and in the right section the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.

#3 MaxxAG

  • Topic Starter

Posted 24 February 2005 - 02:43 AM

C:\WINDOWS\System32\msk.dll

#4 Grinler


Posted 24 February 2005 - 10:38 AM

Start Registrar Lite and double-click on the AppInit_DLLs key again. Clear the value found in there (msk.dll) and press OK. Then reboot, check that key again, and tell me if the value is back.

#5 MaxxAG

  • Topic Starter

Posted 24 February 2005 - 11:51 AM

The value came back.

#6 Grinler


Posted 24 February 2005 - 07:54 PM

Step 1:

Please download this file:

http://computercops.biz/modules.php?name=F...ownload&id=1183

and then sign off the internet if you are using a dial-up type connection.

Unzip the downloaded file to c:\hiving and you should now have a file hiving.bat in that c:\hiving folder. Double-click on the hiving.bat file and let it run. If you have script blocking enabled you will get a warning about whether or not you should let it run. Allow the entire script to run once. When it is done, the script will produce a message box letting you know.

Now reboot your computer. After it reboots the hidden file that was reinfecting your computer will no longer be visible.

Then continue to the next step.

Step 2:

Restart the Computer.

Find this file:

C:\WINDOWS\System32\msk.dll

If you are using Windows XP Pro or 2000:

Right click on this file and select Properties. When you are in the properties of the file, select the Security tab.

Click on the Users group and then in the permissions section select Full Control. Now do this same thing with the Administrators group.

Now try to delete the file C:\WINDOWS\System32\msk.dll. If that fails go back into the security tab like before, and this time click on the Advanced button and then click on the Owner tab. Select your name in the list, and press the Apply button. Now try to delete it again.

If you are using XP Home:

XP Home does not have the security tab, so just right click on the file, and select Properties. Then uncheck the Read Only checkbox, press OK and try deleting it.

#7 MaxxAG

  • Topic Starter

Posted 24 February 2005 - 09:21 PM

It won't let me delete it: "Access is denied".

#8 Grinler


Posted 24 February 2005 - 11:22 PM

Can you see the file now?

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\System32\msk.dll into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot; then check to see if the file is gone.
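Posts #2, #4, #6 and #8 are one procedure done through three GUI tools: read the AppInit_DLLs value (Registrar Lite), clear it, make the hidden file visible and take ownership of it (Explorer's Security tab), and if the delete still fails schedule it for the next boot (KillBox). As an added example that is not the thread's own tooling, the PowerShell below does the same steps on a current Windows from an elevated prompt. It assumes the path posted in the thread, C:\WINDOWS\System32\msk.dll; the function names are mine, and the reboot-time delete uses the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, which is the same mechanism behind KillBox's "Delete on reboot".

```powershell
# Added example: inspect and remove an AppInit_DLLs entry and the DLL it names.
# Run from an elevated PowerShell. The path is the one posted in the thread.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64

# Step from post #2: what is in AppInit_DLLs (and, on Vista and later, is loading even enabled)?
function Get-AppInitDlls {
    foreach ($k in @($key, $wow)) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        [pscustomobject]@{
            Key      = $k
            AppInit  = $p.AppInit_DLLs
            Load     = $p.LoadAppInit_DLLs           # Vista+: 1 = DLLs in the list are injected
            SignedOn = $p.RequireSignedAppInit_DLLs  # Win7+: 1 = only signed DLLs are loaded
        }
    }
}

# Evidence about the file itself: attributes (Hidden/System/ReadOnly), owner, signature.
function Show-DllEvidence([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : not present" }
    $f   = Get-Item -LiteralPath $Path -Force          # -Force: see Hidden/System files
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Attributes = $f.Attributes
        Size       = $f.Length
        Signature  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Owner      = (Get-Acl -LiteralPath $Path).Owner
    }
}

# Steps from posts #4, #6 and #8: clear the value, strip attributes, take ownership,
# delete, and fall back to a reboot-time delete if the DLL is still mapped somewhere.
function Remove-AppInitDll([string]$Path) {
    foreach ($k in @($key, $wow)) {
        if (Test-Path $k) { Set-ItemProperty -Path $k -Name AppInit_DLLs -Value '' }
    }
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : already gone" }
    (Get-Item -LiteralPath $Path -Force).Attributes = 'Normal'   # clears ReadOnly, Hidden, System
    & takeown.exe /F $Path | Out-Null
    & icacls.exe $Path /grant 'Administrators:F' | Out-Null
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return "deleted $Path"
    } catch {
        # Still in use (it is injected into every process that loads user32.dll):
        # queue a PendingFileRenameOperations delete, exactly what "Delete on reboot" does.
        if (-not ('Win32.Kernel32' -as [type])) {
            $def = '[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]' +
                   ' public static extern bool MoveFileEx(string src, string dst, int flags);'
            Add-Type -MemberDefinition $def -Name Kernel32 -Namespace Win32
        }
        $MOVEFILE_DELAY_UNTIL_REBOOT = 4
        if ([Win32.Kernel32]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            return "scheduled $Path for deletion at next boot"
        }
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed, Win32 error $err"
    }
}

Get-AppInitDlls
Show-DllEvidence 'C:\WINDOWS\System32\msk.dll'
# Remove-AppInitDll 'C:\WINDOWS\System32\msk.dll'   # uncomment to act, reboot, then re-run Get-AppInitDlls
```

Clearing the value first matters: the DLL named in AppInit_DLLs is loaded into every process that loads user32.dll, so deleting the file while the value is still set just gets it recreated or re-protected, which is what the thread sees in post #5. After the reboot, re-run Get-AppInitDlls and Show-DllEvidence to confirm both the value and the file stayed gone, and keep a copy of the DLL for submission as post #12 asks, since a reboot-time delete destroys it. On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled outright, so a non-empty value there is evidence of tampering but not of injection.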

#9 MaxxAG

  • Topic Starter

Posted 24 February 2005 - 11:39 PM

The file is still on my comp.

#10 Grinler


Posted 25 February 2005 - 08:51 AM

If you right-click on the file and go into Properties, is it set to read-only? Can you uncheck the read-only box and delete it? Have you taken ownership of the file as described above?

#11 MaxxAG

  • Topic Starter

Posted 25 February 2005 - 09:43 AM

I had to move it out onto the desktop, I finally figured out. Then I was able to disable the read-only and delete the file. I appear to be clean for now, but only time will tell if I'm really clear of this program. Thanks for the help, I really appreciate it! I'll be sure to send any people who need help with this bleep your way!

#12 Grinler


Posted 25 February 2005 - 03:49 PM

Whoa :thumbsup: Not so fast... please post a last log. Also, can you submit that file at http://www.bleepingcomputer.com/submit-malware.php ?

Just so I have it straight: you moved the file to your desktop and then changed the read-only attribute on it? Then you could delete it? If it is deleted, please restore it to the desktop, submit it, and delete it again.

Thanks!



