
Thread: se.dll/sp.html - Solution

  1. #1
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    se.dll/sp.html - Solution

    Description:

    Trojan "se.dll" is installed on a system by other programs. Upon execution, it drops the file SE.DLL in the temporary folder of the system. This DLL file is used to create another file, SP.HTML. It modifies the Internet Explorer.

    Solution for all Windows Systems:

    (%system% is the Windows System folder and is usually C:\Windows\System on Windows 9x/ME,
    C:\WINNT\System32 on Windows NT/2000, or C:\Windows\System32 on Windows XP.)


    Disable System Restore if you're using Windows XP or Me.

    Make sure you set Windows to see the hidden files and folders.

    (MUST!) Turn to safe mode.
    Close all windows including Internet Explorer.
    Run Hijackthis, click scan, and put a checkmark next to each of these items.
    Then click the Fix button:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\xxx\LOKALE~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOKUME~1\xxx\LOKALE~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {34D43062-D421-4175-AAA9-4FB0491CFBC3} - C:\WINDOWS\%system%\any.dll
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOKUME~1\xxx\LOKALE~1\Temp\se.dll,DllInstall
    O18 - Filter: text/html - {23F66D69-75BA-404F-88E3-C50F48187964} - C:\WINDOWS\%system%\any.dll
    O18 - Filter: text/plain - {23F66D69-75BA-404F-88E3-C50F48187964} - C:\WINDOWS\%system%\any.dll

    Fix all entries: "C:\DOKUME~1\xxx\LOKALE~1\Temp\se.dll"
    which you will find in O2 - BHO: and O4 - HKLM\..\Run:
    Fix all entries of the two "O18 - Filter" here: "C:\WINDOWS\%system%\any.dll"
    which you will find back in O2 - BHO:

    Reboot your system into normal mode.

    Delete these files:

    "C:\DOKUME~1\xxx\LOKALE~1\Temp\se.dll"
    "C:\WINDOWS\%system%\any.dll"

    Delete the content of this folder "C:\DOKUME~1\xxx\LOKALE~1\Temp":
    START -> RUN -> type %temp% -> [Enter] or 'OK': delete the content.

    Use Windows Search for "se.dll" -> look for "se.dll" -> delete "se.dll".


    How to prevent it:


    -> Make sure Windows and the IE are fully up-to-date: www.windowsupdate.com.
    -> Check/set your IE settings
    -> Use IE-Spyad to enhance your privacy and security
    -> Use SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
    -> Use alternate browsers: Mozilla, Firefox, Opera.

  2. #2
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Re: se.dll/sp.html - Solution

    Removing Entries from the Registry*

    Removing malware entries from the registry prevents malware from executing when you open Internet Explorer.
    Disable System Restore if you're using Windows XP or Me.
    For the greatest safety, it is recommended that the registry be backed up before it is edited.
    Restart in safe mode.


    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.

    2. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>PROTOCOLS>Filter>


    3. Still in the left panel, locate and delete the keys:
    * text/html
    * text/plain

    4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Internet Explorer>Main


    5. In the right panel, locate and delete from the following entries those you can find:
    * HOMEOldSP = "about:blank"
    * Search Bar = "%Temp%\se.dll/sp.html"
    * Use Search Asst = "no"
    * Use Custom Search URL = "dword:00000001"

    (Note: %Temp% is the default temporary folder, which is usually C:\Documents and Settings\<user name>\Local settings\Temp.)

    6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Internet Explorer>Main


    7. In the right panel, locate and delete from the following entries those you can find:
    * HOMEOldSP = "about:blank"
    * Search Bar = "%Temp%\se.dll/sp.html"
    * Use Search Asst = "no"
    * Use Custom Search URL = "dword:00000001"

    8. Close Registry Editor.


    Resetting Internet Explorer Home Page and Search Page*

    This procedure restores the Internet Explorer home page and search page to the default settings.

    1. Close all Internet Explorer windows.
    2. Open Control Panel. Click Start>Settings>Control Panel
    3. Double-click the Internet Options icon.
    4. In the Internet Properties window, click the Programs tab.
    5. Click the “Reset Web Settings…” button.
    6. Select “Also reset my home page.” Click Yes.
    7. Click OK.


    Deleting Malware File*

    1. Right-click Start then click Search… or Find…, depending on the version of Windows you are running.
    2. In the Named input box, type: SP.HTML
    3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
    4. Once located, select the file then press Delete.


    *In analogy to TREND MICRO TROJ_STRTPAGE

  3. #3
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Re: se.dll/sp.html - Solution

    Description
    Solution for all Windows Systems

    (%system% is the Windows System folder and is usually C:\Windows\System on Windows 9x/ME,
    C:\WINNT\System32 on Windows NT/2000, or C:\Windows\System32 on Windows XP.)

    Disable System Restore if you're using Windows XP or Me.
    Make sure you set Windows to see the hidden files and folders.

    STEP 1
    Download:

    FIX TOOL
    SpHjfix.exe
    CWShredder.exe
    mwav.exe: update it.
    Cleanup
    IE Privacy Keeper 2.3
    Starter
    install and update also Ad-Aware SE

    Unzip them to their own folder.

    STEP 2
    Please print out the instructions or save them as a text file,
    since we ask you to work in Safe Mode. Disconnect from the net.


    STEP 3
    Run FIX TOOL-Trend Micro, then SpHjfix.exe. Push button: "Desinfektion starten"

    STEP 4
    Close all windows including Internet Explorer.
    Run Hijackthis, click scan, and put a checkmark next to each of these items.
    Then click the Fix button:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {C3332D49-88A6-11D9-B31D-00E0910F19F0} - C:\WINDOWS\%system%\ANY.DLL
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    O18 - Filter: text/html - {C3332D48-88A6-11D9-B31D-00E0FE43BC6B} - C:\WINDOWS\%system%\ANY.DLL
    O18 - Filter: text/plain - {C3332D48-88A6-11D9-B31D-00E0FE43BC6B} - C:\WINDOWS\%system%\ANY.DLL

    STEP 5
    For the greatest safety, it is recommended that if you edit the registry, you
    back up the registry.

    STEP 6
    Start-Run, type/copy: regsvr32 /u SE.DLL Push OK button

    STEP 7
    Removing Entries from the Registry

    Removing malware entries from the registry prevents the malware from
    executing every time you open Internet Explorer.

    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.

    2. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>PROTOCOLS>Filter>


    3. Still in the left panel, locate and delete the keys:

    * text/html
    * text/plain

    4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Internet Explorer>Main


    5. In the right panel, locate and delete from the following entries those
    you can find. If you have some files in searchpage/searchbar which end with
    …\sp delete them. Delete everything ending with about:blank and all entries with HOMEOldSP


    * HOMEOldSP = "about:blank"
    * Search Bar = "%Temp%\se.dll/sp.html"
    * Search Page = about:blank*
    * Use Search Asst = "about:blank"
    * Use Custom Search URL = "anything"

    6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Internet Explorer>Main


    7. In the right panel, locate and delete from the following entries those
    you can find. If you have some files in searchpage/searchbar which end with
    …\sp delete them. Delete everything ending with about:blank and all entries with HOMEOldSP


    * HOMEOldSP = "about:blank"
    * Search Bar = "%Temp%\se.dll/sp.html"
    * Search Page = about:blank*
    * Use Search Asst = "about:blank"
    * Use Custom Search URL = "anything"

    8. Close Registry Editor.


    STEP 8
    Run Ad-aware SE
    Click Start. Choose: Use Perform full Systemscan options.
    Click Next and Ad-aware SE will scan your hard drive(s) with the options you
    have selected. Save the log file when it asks and then click Finish.
    When finished, mark everything for removal and get rid of it. (Right-click on
    any of the entries and choose Select All from the drop down menu, click Next).

    STEP 9
    Run Cwshredder-Fix

    STEP 10
    Run the mwav scanner: (Help: STEP 10/11)
    Put a checkmark in: Memory, Startup folders, drive, Registry, System folders and Services.
    And: All local drives / Scan all files. Push: Scan button. The scan can take some hours.

    STEP 11
    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp
    folder and go to Edit > Select All then Edit > Delete the entire contents of the
    Temp folder.

    STEP 12
    Go to Start > Run and type %temp%. The Temp folder will
    open. Click Edit > Select All then Edit > Delete the entire contents of the
    Temp folder.

    STEP 13
    Finally go to Control Panel > Internet Options. On the General tab under
    "Temporary Internet Files" Click "Delete Files". Put a checkmark by "Delete
    Offline Content" and click OK. Click on the Programs tab then click the "Reset
    Web Settings" button. Click Apply then OK.

    STEP 14
    Run CleanUp: The Temp folders should now be cleaned.

    STEP 15
    Run IE Privacy Keeper 2.3

    STEP 16
    Reboot.

    STEP 17
    Install winfiles,
    if you get error messages about missing files.


    With many thanks to these pages:

    TROJ_STRTPAGE - castlecops - techguy - spywarefri - dcpages
    www.hijackthis.de - net-integration - lockergnome - www.trojaner-info.de

  4. #4
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Re: se.dll/sp.html - Solution

    www.sophos.com
    Virus information: Troj/Ablank-D:

    * Trojan.Win32.StartPage.qr
    * StartPage-DU.dll
    * Trojan.Startpage-215


    Description
    Troj/Ablank-D is a browser hijacking Trojan. Troj/Ablank-D changes settings for Internet Explorer and intercepts attempts to view the home page, instead showing a custom start page. Troj/Ablank-D provides an uninstallation option via the Add or Remove Programs dialog in the Windows Control Panel. Troj/Ablank-D drops a file SE.DLL in the Windows Temp folder. This is a component of the Trojan which also contains the custom start page.

    Solution
    The Trojan sets the following registry entry in order to run the dropped component on system startup:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    sp = rundll32 <temp>\se.dll,DllInstall

    The Trojan makes the following changes to the system registry:

    HKCU\Software\Microsoft\Internet Explorer\Main
    HOMEOldSP = about:blank

    HKCU\Software\Microsoft\Internet Explorer\Main
    Search Page = about:blank

    HKCU\Software\Microsoft\Internet Explorer\Main
    Search Bar = res://<Temp>\\se.dll/sp.html

    HKCU\Software\Microsoft\Internet Explorer\Main
    Use Custom Search URL = 1

    HKCU\Software\Microsoft\Internet Explorer\New Windows
    PopupMgr = no

    HKCU\Software\Microsoft\Internet Explorer\Search
    SearchAssistant = about:blank

    HKLM\Software\Microsoft\Internet Explorer\Main
    HOMEOldSP = about:blank

    HKLM\Software\Microsoft\Internet Explorer\Main
    Start Page = about:blank

    HKLM\Software\Microsoft\Internet Explorer\Main
    Search Bar = res://<Temp>\\se.dll/sp.html

    HKLM\Software\Microsoft\Internet Explorer\Search
    SearchAssistant = about:blank

    HKLM\Software\Microsoft\Internet Explorer\Main
    Use Search Asst = no

    HKLM\Software\Microsoft\Internet Explorer\Main
    Use Custom Search URL = 1

    HKLM\Software\Microsoft\Internet Explorer\New Windows
    PopupMgr = no

    The Trojan also creates two entries for itself in HKCR\CLSID with randomly chosen CLSID values and registers itself as a Browser Helper Object with one of these values. Troj/Ablank-D provides an uninstallation option via the Add or Remove Programs dialog in the Windows Control Panel.
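
Added example (not part of any post in this thread, and not HijackThis or Sophos code): a Python check that scans a HijackThis log for the indicators listed in posts #1, #3 and #4. It keys on the se.dll paths and on one DLL being both a BHO and the text/html and text/plain filter rather than on CLSIDs, which differ between the logs above; the sample log, the indicator names and `find_indicators` are constructed for illustration.

```python
import re

# HijackThis line shapes seen in the posts above (R0/R1, O2, O4, O18).
R_LINE = re.compile(r"^R[01] - (HK\w+)\\(.+?),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O18_LINE = re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUNDLL = re.compile(r"rundll32\s+.*\\se\.dll,DllInstall$", re.I)

# Constructed sample log: CLSIDs, example.dll and the benign lines are made up.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {11111111-1111-1111-1111-111111111111} - C:\WINDOWS\system32\example.dll
O2 - BHO: Helper - {22222222-2222-2222-2222-222222222222} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\tray.exe
O18 - Filter: text/html - {33333333-3333-3333-3333-333333333333} - C:\WINDOWS\system32\example.dll
O18 - Filter: text/plain - {33333333-3333-3333-3333-333333333333} - C:\WINDOWS\system32\example.dll
"""

def find_indicators(log_text):
    """Return sorted (indicator, line) pairs found in a HijackThis log."""
    hits, bho_dlls, filters = [], set(), {}
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := R_LINE.match(line):
            value = m.group(4).lower()
            if value.startswith("res://") and value.endswith("se.dll/sp.html"):
                hits.append(("search-bar-res-url", line))
            elif m.group(3).lower() == "homeoldsp":
                hits.append(("homeoldsp-value", line))
        elif (m := O4_LINE.match(line)) and RUNDLL.search(m.group(3)):
            hits.append(("run-key-rundll32", line))
        elif m := O2_LINE.match(line):
            bho_dlls.add(m.group(2).lower())
        elif m := O18_LINE.match(line):
            filters.setdefault(m.group(3).lower(), set()).add((m.group(1), line))
    # CLSIDs differ between the logs on this page, so correlate on the DLL path:
    # one DLL registered both as a BHO and as the text/html + text/plain filter.
    for dll, entries in filters.items():
        if dll in bho_dlls and {"text/html", "text/plain"} <= {e[0] for e in entries}:
            hits.extend(("bho-dll-as-mime-filter", line) for _, line in entries)
    return sorted(hits)

if __name__ == "__main__":
    for name, line in find_indicators(SAMPLE_LOG):
        print(f"{name:24} {line}")
```

A text/html or text/plain filter with no matching BHO entry is not reported, so a log containing only one of the two conditions needs manual review.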

  5. #5
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Re: se.dll/sp.html - Solution

    -> Please have a look here for more information: se.dll/sp.html - Die Lösung

  6. #6
    Experienced user
    Registered since
    31.07.2004
    Posts
    174

    Re: i have se.dll and i think about blank i deleted but came back

    Yes, it seems that the cleaner has some bugs if using it with WinME.

    It deletes the hidden file (after restart) and the BHO DLL, but did not delete the se.dll and the entries in the registry.

    You have to kill the rundll32 Task with the Taskmanager, fix the "O4" sp, the "O2" and the two "O18" entries shown in hijackthis. After that delete the se.dll in the temp folder and restart. That should do it.
    Kind regards, Ralf

  7. #7
    Supermod (retired) Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.042

    Re: se.dll/sp.html - Solution

    Please note:
    Quote from raman
    Yes, it seems that the cleaner has some bugs if using it with WinME.

    It deletes the hidden file (after restart) and the BHO DLL, but did not delete the se.dll and the entries in the registry.

    You have to kill the rundll32 Task with the Taskmanager, fix the "O4" sp, the "O2" and the two "O18" entries shown in hijackthis. After that delete the se.dll in the temp folder and restart. That should do it.
    Since I close threads, I must take a copy so that people are able to talk in the right place ...
