Name: azmonster
Date: February 23, 2005 at 10:58:46 Pacific
Subject: removing se.dll
OS: me
CPU/Ram: 128
Comment:
hi, i just got back from vacation, and someone used this computer and got this bug called se.dll, and in avg, startpage.16.m. now i have run all the regular progs, avg, adaware, spybot, but it is still there. when i log into my yahoo messenger, the avg shield always comes up and tells me C:\windows\temp\se.dll is infected. i looked for the file but it is not there (yea i looked at the hidden files too). now i ran hijack this, and there are about 5 or 6 entries with se.dll and run.dll starting se.dll. msconfig also has an entry called sp that should not be there (i am assuming it is related to se.dll). how do i go about getting rid of this thing? i want to know how to get rid of it permanently, not just a quick fix. i am using mozilla, but every time i use ie, it quickly hijacks the browser and takes me to some search page, and about 5 pop ups on spyware and virus programs come up. what can i do?
I have been chasing this one off my system for weeks now and it is a beast to remove. In fact I have tried everything from Giantantispy to xsoft and all they seem to do is spot the se.dll file and remove it, but it returns. It recreates itself via another dll file which varies in names from oficea.dll to jengaa.dll and many more. Each time these files are removed they are recreated with another file which I have not quite discovered yet. I believe it has embedded itself in a windows file, but am unsure which? It causes rundll and kernel32 errors and instability on some systems. No spyware/virus software I know of can remove it. A temporary solution is to change the hex values with the dll file to stop it running properly. If I find a better solution I will let you know.
Interesting, I've got the same exact bug. I'm curious how I got it though. I'm the only one who uses this computer, and I have never used any sort of downloader software (i.e. WinMX or Kazaa). Where did it come from? I'm still going around in circles to delete it too. The only thing I've done so far was open the se.dll in notepad and look around in it. I found several file names listed and searched for them in the registry. Any that I found I deleted from there. It helped a little but it's still there. Oh, and don't forget about safe mode. You can delete the file there, oh crap, I just thought of a solution. When in safe mode the file does not come back when you delete it. Keep adding one more driver or dll file to start up in safe mode until when you delete it, it comes back or it says you can't. That file may be the root of our problems. Wow, these logs do help.
have you tried to install and run spywareblaster from Javacool ?
if you do you might find that it won't run, so get regmon and monitor spywareblaster when you try to run it. the second entry in regmon referring to spywareblaster is usually the culprit, either a dll or ini, which needs to be removed in dos mode with a boot disk. se.dll problem solved.
Start up in safe mode, delete the se.dll file as well as all your temp files and finally delete the entry from your registration database. That should do it..
REMEMBER not to mess with your registration database if you don't know what you are doing!!!!
I *think* that I finally got rid of it, at least it doesn't come back up after a reboot. I don't have the specifics here with me, but I had to boot to DOS and delete 3 files:
- se.dll
- an exe file c:\qxxxxx.exe (the filename started with 'q' and was followed by some numbers). The file had a similar date to se.dll
- a dll in c:\windows\system. It has a 4 character name (something like 'kljb.dll'). This file had a timestamp similar to the .exe.
I then rebooted to windows and ran HijackThis and removed all the references to the dll and "about:nothing". there were also a couple of filters and another unnecessary entry that HijackThis said were suspicious, so I removed them, too.
I'm sorry that I don't have specific file names here with me; I'll send them in tonight when I get home.
My computer has XP. Someone used my computer on 26th Feb 2005. The system has been infected with se.dll. In the registry start key, there is always a sp key. By all means, I can't delete the registry. If you use IE, an alert comes up on the computer screen which says your computer has been infected by some virus, you must download software, and so on. I tried all the ways I could find to fix it, but it didn't work, such as modifying the computer registry, scanning the computer with antivirus software, in safe mode. At last I had to back up my files and ghost back the system, and it worked! I am in China!
The following worked for me:
I have windows xp professional
On another computer I downloaded CWShredder
I copied the exe file in my desktop
I ran the program, then emptied the recycling bin
I used windows explorer to check the files in c:\windows\system32
Click the date tab
Check for any .dll file of about 32k with a recent date (last couple of days or so)
Write down the name, in my case it was jocp.dll
Then find the location of the file se.dll with search and write it down.
Restart windows in safe mode (hold down F8 key while rebooting)
Now use windows explorer to delete those 2 files.
Empty the recycling bin.
Reboot your PC.
That's it....
i got se.dll in a "me" op system and i booted into dos, deleted windows\temp (contained se.dll and other stuff associated with se.dll) and deleted windows\system\kdbl.dll. then rebooted. there were still the registry references left over but the main problem was solved. i used norton utilities to clean up the reg and it froze up. so after manual shutdown i canceled scandisk in case windows wanted to replace the deleted files. worked for me.
I have had the unfortunate pleasure of dealing with se.dll for 1 week now. I have used most of the recommended programs (hijackthis, and others). I have Norton 2004 Pro which was the first thing that brought se.dll to my attention. I have even manually deleted the BHOs, dlls, reg keys, startup files and IE settings that are affected. No good, it comes back.
One BIG thing I have noticed last night it came back again. I did a search to see what files had been modified in the last 1 day. The newly created se.dll and the random 4-digit dll were created at 17:12 GMT. At exactly the same time Norton tried to check for updates (The files that Norton uses had the same modified date and time), its as if this has sparked off the return of this pest.
If any one can help, it is much appreciated? Is there another file to sort out after the se.dll and the ????.dll in Windows\temp?
down load and install winpatrol from downloads.com. this will install a scotty dog icon on your computer. click on the icon go to the active tasks tab and kill task, then go to the IE helper and remove.
Then go to your start tab, right click and search in your entire computer for SE.DLL. When located, delete and empty your trash can.
Try the following, 'Tis a b---tard, but won in the end. What a waste of an evening!
The se.dll trojan is caused by a piece of software called "Search Assistant" If you go to "control panel" then "add/remove programs" "Search Assistant" shows in the list but the un-install prog doesn't work.
The offending file on my friends system yesterday was called "Fabb.exe" and located in "C:\Window\System". Windows will not let you remove it so try rebooting in safe mode, then delete. If this doesn't work then reboot to dos, map to "C:\Window\System" then enter "Del fabb.exe", reboot and all should be well. You should edit registry or use a reg-cleaner to clean up (remove all refs to "Search Assistant", "se.dll" and "fabb.exe")
If the file name is different to "fabb.exe" try downloading "UltraWinCleaningSuite" from "BLCorp". This suite of progs is V useful. The first tool in the package is the "WinCleaner Wizard", select this. On the window that opens scroll down installed programs to "Search Assistant" and highlight it, then left-click on the checkbox marked "Show Details". The path then displayed will show you where the little 'Beastie' is lurking AND the name of the offending file. Make a note, reboot to dos and delete! Don't forget to clean the reg, especially re-directs in IE sections of registry.
Job done!
Yours,
Phil H
Info:- System security recommendations;
Firewall - Zone Alarm (Free Edition)
Antivirus - Grisoft AVG (Free Edition)
Spyware - Spybot and Adaware
Pop-Ups - Google toolbar
Spam - Am presently trying Spamweed (But having a few probs with multiple connections on laptop - sometimes works, sometimes not)
I just cured SE.dll problem from my PC. I will continue to monitor it and see how long I can go before the PC gets infected again.
Step 1 - Go to task manager, close all processes running under the user ID, including Rundll32.exe, Rundll.exe or whatever version of Rundll.exe is running under the user ID.
Step 2 - Locate SE.dll in one or more of the TEMP folders under any one of the User ID folders in Documents and Settings directory.
SE.dll will delete without going into safe mode if rundll32.exe has been stopped from task manager.
After stopping rundll.exe or rundll32.exe from task manager and deleting SE.dll, it has not shown its ugly face again.
its really simple to get rid of the se.dll trouble
wat ya do is:
1. open regedit .. go to local machine\software\microsoft\windows\current version \ uninstall
2 there go to the search assistant folder ... and in there see which is the dll file which needs to be deleted. it was kkap.dll in my pc
3. now press ctrl.alt.delete then end the run32dll message
4. delete se.dll from windows\temp folder
5. open regedit .. go to local machine\software\microsoft\windows\current version \ run .... there delete the se.dll autorun message ..... do the same in the run- folder
6. restart the pc ... keep pressing F8 ... go to command prompt ..... there delete that wretched dll file from the windows\system folder
7. restart pc ...... and presto everything as fine as it was earlier
I think I've found the solution to this nagging problem. This was after much study and realizing that this thing was embedding itself deeper than the registry... no Spy Checker, or Hijacker... can solve this, only brute force... similar to the brute way this thing inserted itself to begin with..
The "se.dll" problem is embedded deeper in the startup of Windows. The culprit is a 'window hook' called "won.---" located in the Windows/ directory. Use Dr. Watson to verify this. This hook intercepts all window activity and periodically recreates the temp/se.dll pest that's been bothering everyone in the internet these days, if it is missing or has been deliberately corrupted, which in turn creates the random message generator located in the /system directory and loaded as a Browser Helper Object. This nasty hook also modifies the Registry with the home page and BHO overwrites. I received this pest ungloriously while I was surfing a 'porn site' and didn't have my security level set appropriately...
Booting Windows to "Safe" mode does not work, because this ugly critter loads with the Basic load, before loading the registry.
To remove, you have to DOS boot (or create a "Startup Disk" from the "add/Remove Programs" utility). Re-boot without starting windows, delete or rename "Windows/won.---". Remove DOS boot diskette, reboot to windows. You will receive a RunDLL error (saying it cannot find "won.---") on the first boot, but it will go away after further reboots. Any further problems with SE.DLL should go away and your interaction with windows should be faster since your keystrokes are no longer intercepted by "won.---".
I have been searching countless and countless forums trying to get a true fix on SE.DLL. I can't tell you how many versions there are out there of how to fix this thing. As soon as I feel confident with one person's fix, another comes along and says NOT to do what the last person said.
I will be the first to admit that I am NOT a computer guru and appreciate (very much) those who are. However, it's very difficult to believe these fixes when you are one who doesn't know a lot about computers to begin with.
I don't know how I got this thing? I have a firewall (Zone Alarm), Ad-aware, Spybot, CWShredder, Google toolbar, SpyBlaster, and AVG Virus - so you got me how this made it's way onto my machine.
What I'd like to know is if there is a way to solve this WITHOUT using HijackThis? I find it quite ridiculous that most of the forums out there tell people to "run HijackThis and post the log into the forum." I understand that most computer problems are specific to that particular person; however, this SE.DLL problem seems to be effecting everyone in the same way. There's no need to "run HijackThis" and post your log, etc....
I've read the last days replies and I still don't understand them. I looked at Lou's posted yesterday and I can't find in "Add/Remove Programs" where I can create a startup disk? I'm sure this is due to my computer illiteracy.
Once again, thanks for those who have posted and I hope this problem is solved in a way that all can understand soon.
I think I got this while using limewire. ;) I did the following to remove this. I used Hijackthis and BHODemon. There is a BHO called bfpc.dll that kept reloading itself even when Iexplore wasn't loaded. Also, the se.dll file in my temp file under local settings kept reappearing. Assuming these two were related, I did the following (not necessarily in order). It might also help not to have ANY instances of iexplore or explorer.exe running. Yes, that means your desktop and taskbar disappear but you can use the task manager to restart explorer after you are done.
-I disabled the bfpc.dll in the BHODemon and removed the references to it in Hijackthis.
-I removed all the references to the empty search page in Hijackthis.
-I stopped the rundll32 process in taskmanager and deleted the se.dll file
-After all this, the problem files kept coming back so I also removed all the references to the google toolbar in hijackthis. After that, it didn't come back.
-I could then reinstall my precious google toolbar in peace. Haven't had any more probs so far. We'll see.
Hi guys... been a while since I've last been here. Nice to see all the "regulars" who still hang out at Computing.net. Anyway, I found a guy who had the most simple remedy to get rid of the se.dll trojan. Look at cghost's comments and follow his instructions, located here... http://forum.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=36291
I tried the whole DOS prompt thing, but didn't get any results from that... so, I simply did the registry modifications, and POOF!!... all fixed!!
This was his instructions for the registry fix...
Copy the text below between the ======== ======== lines into notepad. Do NOT include the ===== lines in the notepad file. Save the file to your desktop as fixprob.reg, filetype all files. Click on the file, say ok when it asks about merging it to the registry.
=====================
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\New Windows]
[-HKEY_CLASSES_ROOT\CLSID\{B9C571E2-8438-11D9-9E96-0004A58CF316}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B9C571E2-8438-11D9-9E96-0004A58CF316}]
[-HKEY_CLASSES_ROOT\CLSID\{D55E43D0-8438-11D9-9E96-00044DD7FB1D}]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sp"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
=====================
After I followed his instructions, I rebooted, ran HijackThis, and the se.dll results I usually got back were all gone. Thank goodness!! I hope this helps. This has been one of the most annoying pests that I've ever had to get rid of *sigh*.
"If it was cool to be a fool, I'd be the hippest guy around" -- Joe Nichols
i called microsoft about this scourge. (why are all the smart people who write these things attacking our little computers?) i also followed the suggestion of doing a ctrl-alt-del to get the windows pop up thing to remove programs which allowed me to remove rundll32 for the moment. i then did a DOS thing using run command and going to the windows temp directory where i deleted everything in it. the se.dll will delete at this point.
then, i followed microsofts temporary solution starting my computer in safe mode and ran ad-aware twice in succession as well as spybot. i also ran avg virus program.
so far no problem. BUT i have not tried internet explorer where i believe the problem exists. i am using Mozilla's firefox and all seems to be well
Oops! Stopped help too soon. Complete solution follows...
This problem is a 'windows hook' that inserts itself into the base kernel. So deleting se.dll in Windows safe mode will not work.
- Simply boot to DOS, *** Windows Safe Mode.
- Remove file "won.---" from Windows directory... this is the nasty one that keeps spawning se.dll, and the Browser Helper Object (BHO) called 'random'.dll that se.dll creates. This file is identified by running a HijackThis scan beforehand.
- Delete se.dll from Windows/System.
- Delete 'random'.dll from windows/temp
- Reboot to windows
- Cleanup Registry entries for BHO stuff using HijackThis
I did not have the "won.---" file. Instead I found "Extewd.dat" in my windows system directory and in "windows hook". I am not sure that it was the sucker. So I removed it anyway, and I did restore last night. I hope this sucker will not come back again.
i decided to get brave after i had rid the se.dll thing from my computer. i have just had dsl for a short time now and realized i had not upgraded my ie 5.xx because it takes so long on a dial up connection. so i decided to upgrade to 6. i did and guess what.. my little pesty se.dll appeared on my computer. i shut down, started in safe mode, disconnected first from my dsl line, ran ad-aware and found 15 bugs.
i decided to look through anything that came in at the same time as my new browser and read a reference to the kjoj thing that someone else had written about in this forum. i went into regedit and found three (or 4) references to kjoj.dll and deleted those. all seems to be well now
Win 98 users must find the "windows hook" file. This is what keeps it coming back, and causing headaches. :)
This virus takes an existing file and renames only 1 letter (maybe more on other occasions ??) and keeps the extension. So it could be a .dat (Like Boris Response 25), or a .pwl (in my case) or any other file extension.
My case my "richard.pwl" was copied by the virus and became "richaid.pwl". It was dumped in C:\Windows and was hidden, not just a hidden file in the file properties, it is only visible in DOS.
If you are a Win 98 user with this pesky problem, the easiest way to find out what your file is called is to use Dr. Watson. Simply go to Start>Programs>Accessories>System Tools and choose "System Information". From the tools menu at the top choose Dr. Watson. Double click on the icon now near your clock and when it has finished checking click on the hook tab and it will show a file in windows, remember it could be any file extension. Make a note of it.
Once you have got rid of the se.dll and the mutant dll it creates in Windows\system (Use the many helpful hints in the above posts to do that) Then boot into DOS. Go to C:\Windows and type dir *.??? (??? being the file extension of the hook file in Dr. Watson) It SHOULD bring up 2 files, one is the original file it has used to create this dodgy hook file (This file is OK DON'T DELETE), the other will probably be very similar in name to the first.
Type attrib -s -h -r *****.??? (*** being the hook file name and again ??? being the extension.)
Now type del *****.???
This will delete it. Type dir *.??? to check if it has deleted if you're unsure, cos it doesn't prompt when deleting.
You have to sort the se.dll and the mutant one, reset browser startpage and settings etc. first. Then tackle the hook file in the manner above.
Thanks to all who have posted help for this, in particular cghost on another forum, his post was where it all dawned on me how it was happening.
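Added example, not part of any post in this thread: the look-alike naming described in the post above (richard.pwl copied as richaid.pwl) can be searched for mechanically once you have a directory listing. The sketch assumes the copy differs from the original in exactly one character of the name and keeps the extension; the listing is constructed sample data, and a match is only a lead to compare against the Dr. Watson hook tab.

```python
from itertools import combinations
from typing import NamedTuple


class Entry(NamedTuple):
    name: str     # file name as listed by DIR
    hidden: bool  # hidden and/or system attribute set
    date: str     # last-modified date, ISO format so it sorts as text


# Constructed listing of C:\WINDOWS. Only the RICHARD/RICHAID pair comes from
# the post; every other entry and all dates are made up for contrast.
LISTING = [
    Entry("RICHARD.PWL", False, "2004-06-11"),
    Entry("RICHAID.PWL", True, "2005-03-02"),
    Entry("SYSTEM.DAT", True, "2005-03-02"),
    Entry("SYSTEM.DA0", True, "2005-03-01"),   # differs in extension: ignored
    Entry("SETUP.TXT", False, "2003-01-15"),
    Entry("SETUP2.TXT", False, "2003-01-15"),  # differs in length: ignored
    Entry("WIN.INI", False, "2005-02-20"),
]


def split_name(name):
    """Return (stem, extension) in upper case; extension is '' if there is none."""
    stem, _, ext = name.upper().rpartition(".")
    return (stem, ext) if stem else (ext, "")


def one_letter_apart(a, b):
    """True when two stems have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def find_lookalikes(entries):
    """Return (suspect, original) name pairs sharing an extension, one letter apart.

    The post says the copy was hidden and the original is fine, so within a
    pair the hidden file (or, failing that, the newer one) is listed first.
    """
    pairs = []
    for a, b in combinations(entries, 2):
        (stem_a, ext_a), (stem_b, ext_b) = split_name(a.name), split_name(b.name)
        if ext_a != ext_b or not one_letter_apart(stem_a, stem_b):
            continue
        suspect, original = sorted(
            (a, b), key=lambda e: (e.hidden, e.date), reverse=True
        )
        pairs.append((suspect.name, original.name))
    return pairs


if __name__ == "__main__":
    for suspect, original in find_lookalikes(LISTING):
        print(f"check {suspect} (looks like a copy of {original})")
```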
Unregister the DLL through the RUN menu command. Stop the RUNDLL32 process. Delete the temp se.dll in your interactively logged on profile. (You will not find se.dll in your %windows%\system32 at all. NOTE- the %jpdn.dll% file (or whatever it decided to call itself) that is associated with the Search Assistant folder in the registry, will not be visible at all in windows. Once you have done the above, run HijackThis and delete all refs to se.dll as well as the %jpdn.dll%. I also deleted references to the google toolbar and reinstalled this.
After this, reboot and check to see that rundll32 process is not running. Check the temp repository for the se.dll file, which should no longer exist. Run SpySweeper and SpyBot - Search and Destroy.
My HijackThis log now comes up clean. That is fairly much how I rid myself of this problem. I suggest that anyone running Windows XP would do well to follow this advice, as the kernel will operate in the same way for this problem.
I have to say, this was a bugger to get rid of... partly because it's just nasty, and partly because so many of the "Experts" above are nothing but hot air who are "good with computers" in their own minds, but should really stay out of anything to do with configuration.
FYI - after the clean the processes look like this... clean as a whistle...
So, a fix is possible. With my info, this should take a person less than 30 minutes to solve this problem. :)
You have been given a 'hook' that intercepts windows interactions at the base level. Going into windows safe mode doesn't cure it. You have to go into DOS boot and remove 'won.---' from the Windows directory. Then cleanup the registry entries using Hijackthis after rebooting back to windows.
It appears, David, that this particular problem spawns in many different ways on different systems. Maybe with variants.
None of the people who have responded to this thread have said they are experts! Also, who can ever say that they are an expert? With so many variables in an IT environment who can say that they know it all? (the reckless?)
If you look at my response of March 4th, this worked on Win98se. I do not know if it would work on any other machine or operating system as I REALLY do not want to infect yet another machine. This trojan has not re-appeared. I do not consider myself an expert but am more confident at problem solving than some people I know who are employed in IT Support positions!
With regards to everyone who has replied positively to this thread, well done and thankyou.
Many of these 'fixes' look reliable, but there are too many. I am unaware of what will work and what won't. I tried 'Dr. Watson' but it stated everything is fine. I have Windows 98, and I can't find this 'windows hook' or anything else. All I can really find is se.dll which is in C:\Windows\Temp. I am unaware of what to do and what option would be best for me. Thanks, shazza
Explanation of hook and how to remove it follows for Windows ME..
In Dr. Watson you have to go to 'Advanced View ' and click on the 'Hooks' tab. If you do not see 'won.---' in the list, then this fix does not apply. But look for any other unusual hook that doesn't look like it should be there....
How to remove the 'won.---' hook follows...
I think I've found the solution to this nagging problem. This was after much study and realizing that this thing was embedding itself deeper than the registry... no Spy Checker, or Hijacker... can solve this, only brute force... similar to the brute way this thing inserted itself to begin with..
The "se.dll" problem is embedded deeper in the startup of Windows. The culprit is a 'window hook' called "won.---" located in the Windows/ directory. Use Dr. Watson to verify this (Advanced View/Hooks). This hook intercepts all window activity and periodically recreates the temp/se.dll pest that's been bothering everyone in the internet these days, if it is missing or has been deliberately corrupted, which in turn creates the random message generator located in the /system directory and loaded as a Browser Helper Object. This nasty hook also modifies the Registry with the home page and BHO overwrites. I received this pest ungloriously while I was surfing a 'porn site' and didn't have my security level set appropriately...
Booting Windows to "Safe" mode does not work, because this ugly critter loads with the Basic load, before loading the registry.
To remove, you have to DOS boot (or create a "Startup Disk" from the "add/Remove Programs" utility). Re-boot without starting windows, delete or rename "Windows/won.---". Remove DOS boot diskette, reboot to windows. You will receive a RunDLL error (saying it cannot find "won.---") on the first boot, but it will go away after further reboots. Any further problems with SE.DLL should go away and your interaction with windows should be faster since your keystrokes are no longer intercepted by "won.---".
ok, i got most of the files, .dlls, etc. associated with se.dll, and i am ready to delete it. now im scared to do this in dos, because ive only used it once to delete something using deltree, and i dont want to accidentally delete windows or something. can anyone give me some advice or a tutorial on using dos? also, when i go into safe mode, after about 4 or 5 minutes IE starts to open up and opens continuously, until it freezes my machine or i reboot. does this happen to anyone else? i know i cant delete it in safe mode anyways, but that was interesting to me. thanx for all the replies guys, lates.
Thanks for your postings. I believe I have gotten rid of my se.dll problem, thank you very much.
I contracted this se.dll problem last week. I am running winNT4 (don't ask me why) and avg7. Like everyone else, avg flagged it up when I connected to the net; despite healing, deleting or quarantining, the pesky critter kept returning each time.
I tried running adaware, spybot, xraypc, xsoftspy, etc but it kept coming back.
The fix that seems to have worked for me is that suggested by sumeet (response 16 above) but slightly modified as follows:
1. open regedit
2. go to localmachine\software\ microsoft\windows\currentversion\uninstall\ searchassistant
3. In here was a reference to ncnd.dll, which is presumably the random filename that the bug creates. I noted this filename but didn't delete it because I'm a scaredy-cat when it comes to playing around with registrys!
4. Close regedit without changing anything
5. "Find" this ncnd.dll file and delete it
6. reboot as normal
Note that I didnt have to boot to dos, or modify the registry in anyway.
This seems to have solved my problem, as I have rebooted and reconnected to the net with no probs, several times now.
Thanks again to everyone who contributed, reading all your replies helped me to understand (slightly!) my problem, and has hopefully cured my pc. I hope my posting helps someone as much as your postings have helped me.
This forum has been a great help. I've just finished removing this little tramp from a client's pc. Win98 IE 5.5
COMMANDS FOR DOS ARE IN CAPS
1. Find the hook with Dr.Watson:
Start>Programs>Accessories>System Tools>System Configuration
Go to Tools>Dr. Watson
Click on the thingy next to the time.
After it runs, go to View>Advanced
Look for the tab marked Hooks
Hooked by: will show your hooker. Mine was readm_s1.htz
write down the path and filename, i.e. c:\windows\readm_s1.htz
you'll need it to delete it in dos
2. Reboot the PC, pressing F8 on bootup to get boot menu. Pick Safe Mode Command Prompt Only
3. Go to the offending file.
CD \WINDOWS
DIR *.HTZ (replace *.HTZ with whatever your particular offending hooker is)
4. Delete only the hook (as mentioned earlier, the file will be similar to "good" files).
DEL READM_S1.HTZ
5. Make sure you deleted it.
DIR *.HTZ
6. Delete everything in windows\temp
CD \WINDOWS\TEMP
DEL .
7. Find other "Bad" dll's.
CD \WINDOWS\SYSTEM
DIR /O-D /P
CTRL-C (press the control key and C at the same time)
This will list the files in order of most recently modified. There should not be any "new" dll's, but there are.
mine were: gfpf.dll atlxh.dll
8. Rename the dll's just in case they aren't really "bad"
REN GFPF.DLL GFPF.BAD
REN ATLXH.DLL ATLXH.BAD
9. Reboot
10. Clear the crap from your registry. If you don't know how, you might mess up your computer if you try, so be careful. Others here have described how. I searched for se.dll and removed all instances of it.
11. Breathe freely, and use firefox next time. :) dean
Ya i also have that spyware. you can try all you want but it will come back. What i always do when i get this is i restore my computer to a date before you got this spyware.
It should be under -- all programs,Accessories,system tools
Hi, I have Mcafee Security Suite 2005 on win98. As you probably know this antivirus software starts its "Antivirus Center" (but not antivirus program) actually in an IE window. Obviously I have the se.dll trojan. Mcafee antivirus is a separate program from the security center and it starts normally and detects the problem (se.dll) but it is unable to delete it (no permission). So I tried to clean up the registry (using regedit) and I managed to remove the home page but the banners and pop-ups still remain. As I mentioned my security center is loaded in an IE window and the homepage there also remains. After that I deleted the se.dll using a start-up disk, removed the infected registries again and all was fine until I started my security center and the se.dll was recreated and the home page was again redirected to some search engine. Also my se.dll is located in c:/windows/temp. If anyone has a complete reliable solution please post it because I have very important info on my hard drive and I cannot afford a windows reinstall.
Download: "StartDreck", from here: http://www.niksoft.at/_data/startdreck.zip
Unzip to its own folder and start the program,
Press 'Config'
Press 'Unmark All'
Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Look for an entry like this : »RunServicesOnce **gyrk=rundll32 C:\WINDOWS\NEGH.MSG,DllGetClassObject
Reboot the system to a dos prompt:
=In Windows 98:
==Using the start button at the lower left of the screen, use the shutdown menu to reboot to the dos prompt.
=In Windows Millennium:
==Use a startup/boot disk.
*** How to make one:
*** http://www.microsoft.com/windowsme/usin...otdisk.asp
In my instructions below: [space] = press spacebar to put in one space. [enter] = press the enter key.
=Delete the problem files:
** You should be at c:\windows>
*** Type in: attrib[space]-r[space]-s[space]-h[space]C:\WINDOWS\NEGH.MSG[enter]
*** Type in: del[space]C:\WINDOWS\NEGH.MSG[enter]
{The case of the entries does not matter.}
*** Type in: attrib[space]-r[space]-s[space]-h[space]C:\WINDOWS\temp\se.dll[enter]
*** Type in: del[space]c:\windows\temp\se.dll[enter]
{The case of the entries does not matter.}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Killbox is an alternative file deletion method.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
=Reboot the computer to normal mode.
=Scan with hijackthis.
** Look for R1 R0 lines that contain about:blank.
** Look for O2 and O18 lines similar to these:
** O2 - BHO: (no name) - {72C1E790-83E5-11D9-B9CA-444521736B49} - C:\WINDOWS\SYSTEM\MBJ.DLL
** O18 - Filter: text/html - {72C1E78F-83E5-11D9-B9CA-4445AC01E737} - C:\WINDOWS\SYSTEM\MBJ.DLL
** O18 - Filter: text/plain - {72C1E78F-83E5-11D9-B9CA-4445AC01E737} - C:\WINDOWS\SYSTEM\MBJ.DLL
** Look for an O4 line similar to this:
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
Fix any of those lines that are present.
=Reboot the computer to normal mode.
=Hopefully the hijackthis and startdreck logs are now clean.
[If you are using registry and file protection utilities you may need to get offline, disconnect your internet cables, and disable the utilities while you do the repairs, then reenable protection and reconnect cables to get back on internet and have protection.]
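The HijackThis checks listed in the post above (R0/R1 lines with about:blank, an O4 line where rundll32 loads a file from TEMP, and one DLL registered as both an O2 BHO and an O18 filter) can be run over a saved log, as in this added example, which is not part of the original post. The sample log is constructed from the line formats quoted there; the function name and the extra "non-.DLL target" check are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample log; line formats follow the entries quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {72C1E790-83E5-11D9-B9CA-444521736B49} - C:\WINDOWS\SYSTEM\MBJ.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O18 - Filter: text/html - {72C1E78F-83E5-11D9-B9CA-4445AC01E737} - C:\WINDOWS\SYSTEM\MBJ.DLL
O18 - Filter: text/plain - {72C1E78F-83E5-11D9-B9CA-4445AC01E737} - C:\WINDOWS\SYSTEM\MBJ.DLL
"""

ENTRY = re.compile(r"(R[01]|O\d+) - (.*)")
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+([^,]+),", re.I)


def triage(log_text):
    """Return (section, reason) tuples for lines matching the patterns in the post."""
    findings = []
    dll_roles = defaultdict(set)  # DLL path -> sections (O2, O18) that register it
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section in ("R0", "R1") and "about:blank" in rest.lower():
            findings.append((section, "IE page redirected to about:blank"))
        elif section == "O4":
            target = RUNDLL.search(rest)
            if target:
                path = target.group(1).strip().upper()
                if "\\TEMP\\" in path:
                    findings.append((section, "rundll32 loads from TEMP: " + path))
                elif not path.endswith(".DLL"):
                    findings.append((section, "rundll32 loads a non-.DLL file: " + path))
        elif section in ("O2", "O18"):
            # The file path is the last " - " separated field on these lines.
            dll_roles[rest.rsplit(" - ", 1)[-1].strip().upper()].add(section)
    for path, roles in sorted(dll_roles.items()):
        if roles == {"O2", "O18"}:
            findings.append(("O2+O18", "same DLL is both BHO and filter: " + path))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, "-", reason)
```
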
Thanks to reply 16 for indicating where to find in the registry the name of the second program that re-creates se.dll. Once I knew that it was straightforward to eliminate the creature.
I had spent a lot of time trying to find the second program and had even resorted to searching likely programs in hex for the characters "se.dll". How do they hide it? Do they encrypt the text within the program?
Hi everyone, this forum has been a great help to me as well in successfully getting rid of se.dll on a Windows 98 system. I have struggled almost every evening for the last 2 weeks to get rid of se.dll, which Norton AV identified as trojan.StartPage. I read all the posts and gathered valuable information but mainly used the instructions in Responses #36 and #27. Thanks a lot guys! Btw, once the cleanup was done the Dr Watson Advanced view DID NOT have a Hooks tab. Since I am no Windows expert, for the last step, I used Adware from Lavasoft which I believe did the job of cleaning up the registry... it worked fine for this purpose. I also used the Windows Explorer Repair tool (Accessories-System Information) as a precaution. I was so happy to see that I could check my Yahoo mail for the first time in weeks... Thanks everyone once again. - Heen
Dr Watson? I started in Windows XP Home Edition Dr Watson via the systeminfo tool and I get a screen from dr watson where the logfiles can be stored, the nr of instructions etc etc. But there is no advanced or so called hook tab. I don't have se.dll myself on the PC but for a friend I study into this to get the thing solved in his PC.
So how to find the hook? I did find in the uninstall registry key the filename of the dll that is loaded, I even edited this file in safe mode and deleted the file contents but still it comes back with another filename.
I found that this file is being launched by a rundll32 process. Once I killed that process, I was able to delete the se.dll file, and it would not replace itself in the registry. I wasted several hours on this issue before going back over the process list.
When windows ME users boot from a startup diskette, they will be making their entries at the A:\> prompt.
Windows 98 users will be at c:\windows> Windows ME users will be at a:>
Windows ME users should not try to do the dos deletion commands from the dos prompt found in the start-accessories location within windows because this will not work.
there are so many people who think they know everything about computers. all these sites i visited gave a load of crap. i have used 25 spyware softwares and all they did was show what is going wrong. it did not help with the root of the program. after spending a whole day i have sorted this spyware on my own. here's how i got rid of it
you will need 2 softwares to deal with this spyware
1) pill box
2) hijack
first of all run the hijack and you will find out that a number of registries have been changed for you. now what you have to do is find the one that shows the root of your problem to a file in c:\\windows\systems\... the file should end with a .dll, e.g. mine was dkmf.dll. after using the hijack program and locating where the actual root of the problem is, run the other software called pillbox. then using this software browse to the file that u would like to remove and remove it. then restart your computer and run the hijack one more time and delete the rest of the registries from there by selecting it all and clicking on fix. and guess what???
ure done. the spyware should be removed now. if u have any problem do email me. im no expert but i will try my best to help you. if u ask me why im helping, its because i wanna get back at these spyware creators :D
Thank you to everyone above for their advice on removing this absolute b---tard of a trojan. I found the best advice was from Richard in response 27. Once I had brushed up on my dos commands everything he said about this pest fell into place. It has made my life a misery since 11/02/05 and now I have been free of it for 4 days.
Hey all, thanks for all the advice! What worked for me was this:
1. See what recently created looked suspicious in c:\windows\system. In my case, it was inbf.dll.
2. Create a Windows ME Startup Disk.
3. Use the startup disk to boot into DOS.
4. Delete c:\windows\system\inbf.dll and c:\windows\temp\se.dll.
5. Reboot into Safe Mode. Run Hijack This, and remove anything relating to se.dll, inbf.dll, and various other spywarey items. Run AdAware and Spybot S&D.
6. Reboot back into normal mode, et voila! I've been using IE for an hour or so now, and no recurrence. Maybe I could have done the deletions and run the spyware busters from normal mode, I dunno. I believe in doing things the most sure way the first time....
I've had the same problem for at least two weeks. I've gone to safe mode and run Ad-aware, Spybot, CWshredder & Hijackthis, removed and modified all registry entries on se.dll & about:blank, located & deleted the random .dll in windows/system. All to no avail. The bugger came back by the next day. What finally & conclusively worked was following Richard's suggestions on response 27. Went to safe mode, ran Dr. Watson & found the hook, in my case it was winuud.ico, one off from winupd.ico. Going to DOS, changing the attributes, then deleting winuud.ico finally did it. Thanks to all for your posts.
Richard821 and Lou Caraballo's solution has worked for me. Thanks to you and everyone from the first post for having led me to my final solution.
From my experience of using spywares and trying out stuff from this webpage and trying to remove se.dll for over 20 days now I have come to the conclusion that NO ANTI-SPYWARE can remove this. at least none that i tried.
So I did find the "hook" on using Dr. Watson. It was a file Winlogo.gif which was duplicated as Winlovo.gif. As Richard said one letter was changed. I could not find Winlovo.gif on doing a simple search. I rebooted in dos mode and changed the attributes to Winlovo.gif and deleted it. Also deleted Se.dll from windows\temp
Now, i found the randomly named dll file that sits in windows\system by using HijackThis. In HijackThis i used the Uninstall feature, selected Search Assistant and in the Uninstall Command i found the location and name of this file. I also deleted this. This can be deleted either by using the Delete on Boot feature in HijackThis or in dos mode. I did the dos mode deletion just to be safe. Also removed the reg changes by scanning and fixing any reference to search assistant using HijackThis.
Thanks all. Am now free of Se.dll
NOTE to Whoever made SE.dll: Dude u got brains, u proved it but i would really appreciate if you did something that wud b of help to me and others.
Thanks to all again! thanks a lot.
BTW, I have changed my browser usage from 100% IE to 99% Firefox and 1% IE just when some websites don't run on Firefox. Firefox is great with its 'tab' feature
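Several posters above found the hook as a file one letter off from another file name (winuud.ico beside winupd.ico, Winlovo.gif beside Winlogo.gif). As an added example that is not part of any post, this sketch lists such look-alike pairs in a directory listing; the listing is constructed, the function name is hypothetical, and skipping pairs that differ only in a digit is an assumption to avoid flagging numbered files. It only narrows the search: which file of a pair is the hook still has to be confirmed, as the posters did with Dr. Watson.

```python
import os
from itertools import combinations

# Constructed directory listing using the file names mentioned in the posts above.
LISTING = ["WINUPD.ICO", "WINUUD.ICO", "WINLOGO.GIF", "WINLOVO.GIF",
           "SETUP1.BMP", "SETUP2.BMP", "CLOUDS.BMP"]


def one_letter_off(names):
    """Return pairs of names with the same extension whose stems differ in one character."""
    pairs = []
    for a, b in combinations(sorted(n.lower() for n in names), 2):
        (stem_a, ext_a), (stem_b, ext_b) = os.path.splitext(a), os.path.splitext(b)
        if ext_a != ext_b or len(stem_a) != len(stem_b):
            continue
        diff = [(x, y) for x, y in zip(stem_a, stem_b) if x != y]
        # Assumption: names differing only in a digit (setup1/setup2) are numbered files.
        if len(diff) == 1 and not (diff[0][0].isdigit() and diff[0][1].isdigit()):
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for a, b in one_letter_off(LISTING):
        print(a, "<->", b)
```
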
i found se.dll in my temp folder because its causing me problems with About:Blank as my homepage and cwshredder says it removes cw:hidden.dll and then i go to delete se.dll and it says its written protected? what can i do?
also a response from above says go into system 32 and find a recent .dll file over 32K. and when i did the hijack scan it found a .dll called kdkj.dll and it was 39 kbs and was put on the PC the day i started seeing the spyware. but i also cant delete that because it says its written protected so if i can delete both of those i should be ok but how do i delete those.
TY, I'd ask you not to go by that procedure. Follow Richard821 and Lou's instructions. You will need to delete se.dll from windows\temp in dos mode. Also use HijackThis, go to its Misc Tools, click on Uninstall and select Search Assistant to note the Uninstall Command. Note down the name of that file, it will rest in your windows\system folder or System32 if XP. You must delete this too in the dos mode. To find out the hook file, read Lou and Richard's posts.