Infected with Se.dll and others...?


46 replies to this topic

#1 JaneGurnett1Fan

JaneGurnett1Fan

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Location:Glasgow, Scotland
  • Local time:11:42 PM

Posted 10 March 2005 - 01:11 PM

Hi there,

I'm new here and I was wondering if anyone would be kind enough to help me, I'm really stuck!?! I'm only little so please be nice :thumbsup:

I seem to have this common virus - se.dll and probably quite a few others on my PC. I have no idea how they got there but basically they are being little buggers and so I can't delete them or anything. I don't really know what I'm doing with them so if anyone can help then please, please do!!

I can't go onto the internet much because I have this stupid start-up page about:blank and also the warning pop-ups about my computer being infected with spyware etc.

I ran a HijackThis scan because I saw on here that that helps - here is my log if it's a help -

Logfile of HijackThis v1.99.1
Scan saved at 18:06:43, on 10/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D697D5F5-0E47-4A9B-B416-7493EED42B4E} - C:\WINDOWS\SYSTEM\JPKM.DLL
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
O18 - Filter: text/html - {73BE833E-12AC-4134-A01B-4CAD42FF6E02} - C:\WINDOWS\SYSTEM\JPKM.DLL
O18 - Filter: text/plain - {73BE833E-12AC-4134-A01B-4CAD42FF6E02} - C:\WINDOWS\SYSTEM\JPKM.DLL


I really hope someone can help me!!! I can hardly do anything now i have these viruses!!! :flowers:

Best Wishes,
Natalie :-)

#2 JaneGurnett1Fan

Posted 10 March 2005 - 01:14 PM

I also wanted to say, I've tried millions of things to delete all these - I can't delete se.dll, jpkm.dll or kernel32.dll - all say that they are in use and so won't delete, even in Safe Mode. :thumbsup:

Natalie :-)

#3 JaneGurnett1Fan

Posted 12 March 2005 - 07:04 AM

Can anyone please, please help - it seems that se.dll has been quarantined by my Symantec and now it can't be found, but it's still there, I know it is!! :thumbsup:

Best Wishes,
Natalie :flowers:

#4 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,741 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:10:42 PM

Posted 13 March 2005 - 09:59 PM

Hello Natalie, and welcome to BleepingComputer. Let's see what we can do.

1. Download Startdreck from the following location:
http://www.niksoft.at/_data/startdreck.zip

2. Unzip the file onto your desktop.

3. Double-click the startdreck.exe program and when it loads, click on the Config button.

4. Press the Unmark All button.

5. Then select the following checkboxes:

- Run Keys under the Registry Section
- Running Processes under the System/Drivers section.


6. Press the OK button.

7. When it is done scanning your computer, press the Save button and then open that log and post its contents as a reply to this message.
Derfram
~~~~~~

#5 JaneGurnett1Fan

Posted 14 March 2005 - 05:05 PM

Oh thank you so much for replying!!

Here is what it says -

StartDreck (build 2.1.7 public stable) - 2005-03-14 @ 21:59:21 (GMT +00:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 5.50.4134.0100
Logged in as Natalie King at NATALIEK

»Registry
 »Run Keys
  »Current User
   »Run
    *msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
   »RunOnce
  »Default User
   »Run
    *msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
   »RunOnce
  »Local Machine
   »Run
    *MMTray=C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    *vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
   »RunOnce
   »RunServices
    *rtvscn95=C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    *defwatch=C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
   »RunServicesOnce
    **tp=rundll32 C:\WINDOWS\MSBB_KLF.DAT,DllGetClassObject
   »RunOnceEx
   »RunServicesOnceEx
»Files
»System/Drivers
 »Running Processes
  +FFEF7257=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFFB4B7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFFD577=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFFDF33=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFE2FA3=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
  +FFFE52B7=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
  +FFFEAC6F=C:\WINDOWS\RUNDLL32.EXE
  +FFFE26AF=C:\WINDOWS\EXPLORER.EXE
  +FFFD234B=C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
  +FFFD52DF=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
  +FFFD9D13=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
  +FFFA20BF=C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
  +FFFA0B23=C:\WINDOWS\SYSTEM\PSTORES.EXE
  +FFF9416B=C:\WINDOWS\SYSTEM\DDHELP.EXE
  +FFF9E25B=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
  +FFE7324B=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
  +FFE79F3B=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»Application specific

Hope this helps!

Best Wishes,
Natalie :thumbsup:

#6 ddeerrff

Posted 14 March 2005 - 05:54 PM

So far so good Natalie. Our reinfector is C:\WINDOWS\MSBB_KLF.DAT.


Copy the text in the quote box below to notepad. Name the file showhidden.reg and change the save as type to All files. Then save the file to the desktop.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\New Windows]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


Now double-click on the showfile.reg file on your desktop and when it asks if you would like to merge the data, click on the Yes or OK button.



We need to make MSBB_KLF.DAT visible and delete it. We cannot continue until that file is gone.


Reboot your computer, and press F8 when Windows is starting. When you come to the menu, select to boot into the safe command prompt mode.

From the command prompt (C:\>) enter the following commands:

attrib -r -s -h C:\WINDOWS\MSBB_KLF.DAT <hit enter key>
Next command:
del C:\WINDOWS\MSBB_KLF.DAT <hit enter key>

If this is successful, you will get a response similar to "File Deleted". If not, you will get a "File not found", or similar.


If unsuccessful, try the following commands:

move C:\WINDOWS\MSBB_KLF.DAT c:\ <hit enter key>
Next command:
del C:\MSBB_KLF.DAT <hit enter key>

Same success criteria.

Let me know if you were able to delete that file.
Derfram
~~~~~~
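As an added example, not something posted in this thread: a small Python parser over lines shaped like the HijackThis and StartDreck logs above. It pulls out the autorun entries and flags the pattern the helper keyed on when he picked out MSBB_KLF.DAT: rundll32 loading a module from a TEMP folder or straight from the Windows root, or with a non-library extension like .DAT, plus a search-bar hijack whose res:// target lives in such a module. The sample lines are constructed from paths that appear in the thread; the regexes and the heuristic are the example's own, not from any tool named here.

```python
import re

# Constructed sample, shaped like the HijackThis (R1/O4/O18) and StartDreck (*name=cmd)
# lines posted in this thread; the paths are the ones that appear in the logs above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {73BE833E-12AC-4134-A01B-4CAD42FF6E02} - C:\WINDOWS\SYSTEM\JPKM.DLL
*MMTray=C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
**tp=rundll32 C:\WINDOWS\MSBB_KLF.DAT,DllGetClassObject
"""

HJT_O4 = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")  # O4 - HKLM\..\Run: [name] cmd
SD_RUN = re.compile(r"^\*+(?P<name>[^=]+)=(?P<cmd>.+)$")                    # *name=cmd (StartDreck run keys)
HJT_RES = re.compile(r"^R[01] - .*= res://(?P<path>[^/]+)/", re.IGNORECASE)  # search page served from a DLL resource
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<path>[^,]+),\w+", re.IGNORECASE)  # rundll32 <module>,<export>

def parse_autoruns(log_text):
    """(name, command) pairs from HijackThis O4 lines and StartDreck run-key lines."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_O4.match(line) or SD_RUN.match(line)
        if m:
            entries.append((m.group("name"), m.group("cmd").strip()))
    return entries

def rundll_target(command):
    """Module rundll32 would load, or None when the command is not a rundll32 launch."""
    m = RUNDLL.match(command)
    return m.group("path").strip() if m else None

def is_odd_module(path):
    """Heuristic from the thread: a module sitting in a TEMP folder or directly in the
    Windows root, or with a non-library extension such as .DAT, is worth a look first."""
    p = path.upper()
    odd_location = "\\TEMP\\" in p or re.match(r"^[A-Z]:\\WINDOWS\\[^\\]+$", p) is not None
    return odd_location or not p.endswith((".DLL", ".EXE", ".CPL"))

def flag_suspicious(log_text):
    """Upper-cased, de-duplicated module paths that match the heuristic above."""
    flagged = set()
    for line in log_text.splitlines():
        run = HJT_O4.match(line) or SD_RUN.match(line)
        res = HJT_RES.match(line)
        path = rundll_target(run.group("cmd")) if run else (res.group("path") if res else None)
        if path and is_odd_module(path):
            flagged.add(path.upper())
    return sorted(flagged)
```

Run against the sample, the legitimate Symantec and Musicmatch entries pass and only the two modules the thread ends up removing are returned.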

#7 JaneGurnett1Fan

Posted 14 March 2005 - 06:41 PM

I've done down to the rebooting bit. I got to the menu and the options did not include "safe command prompt mode" - they were normal, safe mode, and I think something called "step by step confirmation", that's all I remember seeing though...what will I do?

Also when I saved the showhidden.reg to desktop it didn't ask if I would like it merged, just said something like - would you like to add this? All okay though I think, said it was okay.

Best Wishes,
Natalie :thumbsup:

#8 ddeerrff

Posted 14 March 2005 - 09:16 PM

I must admit I have very limited experience with WindowsME, and I may be explaining it poorly. What I need for you to do is shown HERE.

My bad... Looks like WindowsME does not have 'Safe mode command prompt only' available from the boot menu. You should be able to get to an MS-DOS prompt by clicking on Start / Shutdown, then selecting "Restart the computer in MS-DOS mode".

Then follow the previous methods to try to delete C:\WINDOWS\MSBB_KLF.DAT

As for the .reg file,
After you saved the .reg file to the desktop, did you double click on it? If so, then 'add' was probably correct.

Edited by ddeerrff, 14 March 2005 - 09:22 PM.

Derfram
~~~~~~

#9 JaneGurnett1Fan

Posted 15 March 2005 - 11:50 AM

Hi again,

Well I went into Safe Mode on my comp and tried it in the MS-DOS but it wouldn't accept the code thing you gave me. Then I tried in Normal mode and it wouldn't there either. I got the message bad command or path not found. Then it came up Sharing violation reading drive C - Abort, Retry, Fail? Bad Command or File Name.

That's all it said. :thumbsup:

Best Wishes,
Natalie :flowers:

#10 ddeerrff

Posted 15 March 2005 - 01:08 PM

Those errors do not make sense in this context Natalie. Let's try again:

Boot to an MS-DOS prompt by clicking on Start / Shutdown, then selecting "Restart the computer in MS-DOS mode".

You should be looking at a screen that shows a C:\> prompt.
(Text in blue is the actual command to enter, text in black is action/explanation.)

At the C:\> prompt, enter the command attrib -r -s -h C:\WINDOWS\MSBB_KLF.DAT and hit the enter key.
(in the command there is a space after 'attrib', after -r, after -s, and after -h)
You should be returned to the C:\> prompt. If you receive any error or other text, please report it to me, but continue anyway.

At the new C:\> prompt, enter the command move C:\WINDOWS\MSBB_KLF.DAT C:\ and hit the enter key.
(in the command there is a space after 'move', and after .DAT)
You should be returned to the C:\> prompt. If you receive any error or other text, please report it to me, but continue anyway.

At the new C:\> prompt, enter the command del C:\MSBB_KLF.DAT and hit the enter key.
(in the command, there is a space after 'del')
You should be returned to the C:\> prompt. If you receive any error or other text, please report it to me.

Then reboot normally and report any errors reported during boot.
Derfram
~~~~~~

#11 JaneGurnett1Fan

Posted 15 March 2005 - 01:13 PM

Boot to an MS-DOS prompt by clicking on Start / Shutdown, then selecting "Restart the computer in MS-DOS mode".


I don't have this option...just Shut Down, Restart or Stand By...

Also when I open the MS-DOS prompt screen, it doesn't say C:\> , it says C:\WINDOWS\Desktop>

Best Wishes,
Natalie :thumbsup:

#12 ddeerrff

Posted 15 March 2005 - 01:20 PM

Does 'Restart' give you the option to start with command prompt only? Looks like I may need to find a WindowsME system to look at.

From the DOS shell you can get to,

Enter the command cd \ and hit the enter key.
(there is a space after the 'cd')
This should drop you to a C:\> prompt.

Continue from there.
Derfram
~~~~~~

#13 JaneGurnett1Fan

Posted 15 March 2005 - 01:22 PM

OK, I've managed to do all the above steps now by entering C:\> then what you said. It took me down to the next C:\> every time. I've just entered the del C:\MSBB_KLF.DAT and hit OK and it's taken me down to the next C:\> and said nothing. Do I now reboot?

Best Wishes,
Natalie :thumbsup:

#14 JaneGurnett1Fan

Posted 15 March 2005 - 01:23 PM

Does 'Restart' give you the option to start with command prompt only?

No, there is no option like that, just the ones I mentioned.

#15 ddeerrff

Posted 15 March 2005 - 01:27 PM

Sounds like you may have been successful. Yes, reboot and post me a new HijackThis log.
Derfram
~~~~~~



