Does this look familiar??
res://C:\DOCUME~1\<username>\LOCALS~1\Temp\se.dll/sp.html
rundll32 C:\DOCUME~1\<username>\LOCALS~1\Temp\se.dll,DllInstall
or
res://C:\WINDOWS\TEMP\se.dll/sp.html
rundll32 C:\WINDOWS\TEMP\se.dll,DllInstall
This virus is quite similar to the Home Search virus seen in February.
It took me 3 hours to kill this thing off. It is infuriating. I was editing the registry to get rid of the bad stuff and as soon as I exited the registry editor, IT WAS ALREADY CHANGED BACK TO THE BAD STUFF!
You will also find that many of the bad files, executables, and dlls CANNOT BE DELETED in the normal mode of operation - only in Safe Mode.
1. What does this thing do?
- a) It installs a local service which monitors its own health.
  - The service is installed in your registry at the following key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  - You will find something like the following:
    sp    rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
    sp    rundll32 C:\WINDOWS\TEMP\se.dll,DllInstall
  - This service reinstalls registry entries which YOU try to change.
  - It also starts the service every time you reboot your machine.
  - Hence this entry must be removed from the registry.
- b) For Windows ME
  - It puts dlls into the C:\Windows\system\ directory.
  - It puts dlls into the C:\Windows\temp\ directory.
- c) For Windows XP
  - It puts dlls into the C:\Windows\system32\ directory.
  - It puts dlls into the following directory: C:\Documents and settings\<username>\Local settings\temp\
- d) It registers protocol filter classes to get permission to change IE displays.
  - key location = HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  - key location = HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain
- e) It registers Browser Helper Objects (BHOs) in the class id area.
  - key location = HKEY_CLASSES_ROOT\CLSID\{bunch of letters and numbers}
  - These classes contain links to dlls which have random names.
  - These dlls can be found in your C:\Windows\system32\ directory or in C:\Windows\system\ for Windows ME.
- f) The bad IE entries point to the dlls.
- g) The dlls display the search crap.
2. Outline of how to get rid of it.
- Turn off "system restore" (if it is on) using #4 below.
- (critical) Stop the local service as given in #3.a below.
- You may want to disconnect your internet cable so no replacement files can be downloaded without your knowledge or permission. (*new*)
- Use explorer to find all copies of the "se.dll" file.
  - Write down the full paths (because you can't delete them).
  - You only need to search c:\documents and settings\ for Win XP or c:\windows\temp\ for Win ME.
- Use #3.b or #3.c below to find the other dlls - and write them down.
- Use #6 below to find all the bad class ids in the registry (write them down).
- Delete as many of the BAD executables and dlls as you can.
  - You will need to reboot in "Safe mode" to delete those files, executables, and dlls which you could not delete in normal mode.
  - You can rename them even if you can't delete them. Use something like xxxse.dll so that you can still find it easily when you want to delete it. (*new*)
  - When in "safe mode" navigate to each directory and delete the files which you could not delete in normal mode.
- Next you will need to clean up your registry. Follow #5 below.
- Finally you need to run Internet Explorer again to see if it is gone.
- If it is gone, you can turn "system restore" back on.
3. How do I find the bad guys?
- a) Finding (and stopping) the local service.
  - Hit <ctrl><alt><del> to open the Task Manager window.
  - Click the top of the left column to sort the entries alphabetically.
  - Scan down the list to find "rundll32".
  - Rundll32 is a system service and should NOT run constantly.
  - Click "End Process".
- b) (Win ME) Finding the bad executables in the C:\Windows\ directory.
  - Use explorer to navigate to the C:\Windows\system\ directory.
  - Click at the top of the "date modified" column to sort the list by date.
  - Click again to bring the most recent dates to the top.
  - Scan all dlls or executables which have dates in the last month.
  - Write down the names of any which are suspicious.
  - Move the cursor over each name in your list.
  - If you wait a few seconds a "Tooltip" message will appear.
  - Good programs will have a real message telling who they are (like Microsoft or McAfee or Norton).
  - Bad programs will have no such info.
- c) (Win XP) Finding the bad dlls in the C:\Windows\system32\ directory.
  - Use explorer to navigate to the C:\Windows\system32\ directory.
  - Click at the top of the "date modified" column to sort the list by date.
  - Click again to bring the most recent dates to the top.
  - Scan all dlls which have dates in the last month.
  - Write down the names of any which are suspicious.
  - Move the cursor over each name in your list.
  - If you wait a few seconds a "Tooltip" message will appear.
  - Good programs will have a real message telling who they are (like Microsoft or McAfee or Norton).
  - Bad programs will have no such info.
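The "sort by date modified, then hover for the tooltip" check in #3.b and #3.c can be scripted. The following is an added example (my own, not code from the original write-up): it lists .dll/.exe files modified in the last 30 days and flags the ones that carry no CompanyName string, which is the text Explorer's tooltip pulls from a file's VS_VERSION_INFO resource. It runs against a constructed sample directory by default, or against a directory you name on the command line; the sample file names and contents are made up for the demo.

```python
"""Added example (not from the original page): automate the "date modified" +
tooltip check from #3.b/#3.c.  Lists DLLs/EXEs modified in the last N days and
flags those without a CompanyName string.  A constructed sample directory
stands in for C:\\WINDOWS\\system32 when no path is given."""
import os
import sys
import tempfile
import time
from pathlib import Path

# A version resource stores its strings as UTF-16LE, so that is the form to look for.
# Crude heuristic: the PE resource table is not parsed, the marker is just searched
# for anywhere in the file.  Absence is a reason to look closer, not proof of anything.
COMPANY_MARK = "CompanyName".encode("utf-16-le")


def has_company_name(path):
    """True if the file contains the CompanyName marker of a version resource."""
    with open(path, "rb") as fh:
        return COMPANY_MARK in fh.read()


def recent_dlls_without_company(directory, days=30, now=None):
    """Names of .dll/.exe files modified within `days` that lack CompanyName,
    newest first (the order you get after sorting Explorer by date modified)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file() or not entry.name.lower().endswith((".dll", ".exe")):
            continue
        mtime = entry.stat().st_mtime
        if mtime >= cutoff and not has_company_name(entry.path):
            hits.append((entry.name, mtime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return [name for name, _ in hits]


def build_sample_dir(root):
    """Constructed sample files with chosen timestamps; none of this is real code."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    now = time.time()
    header = b"MZ" + b"\0" * 62  # just enough to look like a PE stub for the demo
    samples = {
        # vendor DLL: has a version block with CompanyName, modified 2 days ago
        "shdocvw.dll": (header + COMPANY_MARK + "Microsoft Corporation".encode("utf-16-le"),
                        now - 2 * 86400),
        # random-named DLL with no version info, dropped yesterday: the one to flag
        "qwxzp.dll": (header + b"\x90" * 32, now - 1 * 86400),
        # no version info either, but over a year old: outside the "last month" window
        "oldone.dll": (header + b"\x90" * 32, now - 400 * 86400),
        # not a dll/exe, ignored regardless of age
        "readme.txt": (b"notes", now),
    }
    for name, (data, mtime) in samples.items():
        p = root / name
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))
    return root


def demo():
    """Build the sample directory in a temp location and return what gets flagged."""
    return recent_dlls_without_company(build_sample_dir(tempfile.mkdtemp()))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for name in (recent_dlls_without_company(target) if target else demo()):
        print("check:", name)
```

Run it with no arguments to see the sample flag only qwxzp.dll; run it with a directory path to triage that directory. A hit only means "no vendor string, recently written", which is exactly what the tooltip test tells you and no more; compare hits against the se.dll paths and class ids you wrote down in #2 and #6.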
4. Turning off "system restore"
- Click "start" (bottom left of your screen).
- Select "control panel".
- Select "system".
- Right click & open.
- Select the "system restore" tab.
- Check "turn off system restore on all drives".
- Click "apply".
- Click "ok".
- Close "control panel".
5. Cleaning up your registry.
- To open your registry do the following:
  - Click "start" (bottom left of your screen).
  - Select "Run".
  - Type "regedit".
  - Click OK.
- You need to fix the following four things:
  - Remove all references to all files, executables, and dlls in the lists you made in step #3 and step #6.
  - Fix all Internet Explorer links which contain "\temp\se.dll". Simply modify them to http://www.google.com/ or whatever you want. Just search for "\temp\se.dll".
  - Remove all copies of all the BAD class ids you found in step #6 (and the dlls they point to).
  - Make sure the service is removed from the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\, i.e. sp = rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
- To remove any name do the following:
  - Drag the scroll bar to the top.
  - Click on "my computer" - this points you to the top.
  - Edit & Find the name you want to delete.
  - Delete or fix the entry.
  - Press F3 to find the next occurrence of the same name.
  - Repeat until no further occurrences are found.
6. Finding the bad class IDs and dll names in your registry
- Open your registry as follows:
  - Click "start" (bottom left of your screen).
  - Select "Run".
  - Type "regedit".
  - Click OK.
- Navigate to HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
  - Click the "+" to open and see the class ids inside.
  - Repeat the following for each class id:
    - Copy the name (the bunch of letters and numbers).
    - Scroll to the top of the registry.
    - Find the class id (use only the letters and numbers).
    - Open it by clicking on the "+".
    - You should see "InProcServer32" or similar.
    - Select it to open it.
    - In the right panel you will see a full path name.
    - If it is C:\windows\system32\xxxxx.dll it is bad.
    - You can also check if it's on your previous bad list.
    - If bad, write it down because you will need to remove it later.
- Navigate to HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain
  - Click the "+" to open and see the class ids inside.
  - Repeat the same steps for each class id.
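Everything #1, #5 and #6 have you look up by hand in regedit can be read from a regedit export instead, which makes the check repeatable after every reboot (handy when the thing keeps putting its entries back). The script below is an added example (mine, not from the original write-up). It parses a .reg file, flags a Run entry that uses rundll32 to load a dll out of a Temp folder, flags any value still pointing at \temp\se.dll, and resolves every class id hooked into the text/html and text/plain filter keys to the dll in its InProcServer32 key. The sample export, its class id and the dll name are made up for the demo; the `reg export` commands in the docstring are the standard way to produce such a file.

```python
"""Added example (not from the original page): triage a regedit export for the
indicators in #1, #5 and #6.  Produce the input with regedit's File > Export,
or from a command prompt:
    reg export HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg
    reg export HKCR\\PROTOCOLS\\Filter filter.reg
    reg export HKCR\\CLSID clsid.reg
then pass the files on the command line (they are concatenated)."""
import re
import sys

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# a value line is either "name"=data or @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
RUN_KEY_SUFFIX = "\\currentversion\\run"
FILTER_PREFIX = "HKEY_CLASSES_ROOT\\PROTOCOLS\\FILTER\\"


def _unescape(s):
    # regedit escapes only backslash and double quote inside string data
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value is stored under "@".
    Only REG_SZ data is decoded; dword:/hex: values are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry", "REGEDIT4", "[-")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def inproc_server(keys, guid):
    """DLL path registered for a CLSID (None if the export has no such key)."""
    entry = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + guid + "\\InProcServer32")
    return entry.get("@") if entry else None


def triage(text):
    """List of (kind, key, name, data) findings, in export order."""
    keys = parse_reg(text)
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            low = data.lower()
            if key.lower().endswith(RUN_KEY_SUFFIX) and "rundll32" in low and "\\temp\\" in low:
                # 1.a: the self-reinstalling Run entry loading a dll out of a Temp folder
                findings.append(("autorun", key, name, data))
            elif "\\temp\\se.dll" in low:
                # 5: IE start/search settings still pointing at the page inside se.dll
                findings.append(("ie-hijack", key, name, data))
        if key.upper().startswith(FILTER_PREFIX):
            # 1.d / 6: every class id hooked into text/html or text/plain, resolved to its dll
            for guid in GUID_RE.findall(key + " " + " ".join(values.values())):
                findings.append(("filter", key, guid, inproc_server(keys, guid)))
    return findings


# Constructed sample export; the class id and dll name are made up for the demo.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/sp.html"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{0000C0DE-0000-0000-0000-000000000001}"

[HKEY_CLASSES_ROOT\CLSID\{0000C0DE-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\qwxzp.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    parts = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-16") as fh:  # regedit writes UTF-16 with a BOM
            parts.append(fh.read())
    for kind, key, name, data in triage("\n".join(parts) if parts else SAMPLE_EXPORT):
        print(f"{kind:10} {key}\n           {name} -> {data}")
```

A "filter" finding is reported for every class id under those keys, with the dll it points to, because a clean machine normally has nothing registered there; the dll path is what you compare with the list from #3 and with the rule in #6. Note that reading an export also sidesteps the problem from the top of the page, where the running rundll32 puts entries back the moment you close regedit: you triage the snapshot, stop the process as in #3.a, and then edit.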
7. Useful downloads
- CWShredder will help prevent these in the future. (It's FREE.)
- Download and install it.
8. Who is doing this to us?
- Here are the URLs and IP addresses which I have found.
  - looking-for.cc 195.225.176.27
  - lookingfor.cc 195.225.176.3
  - netcasthost.com 195.225.176.0 - 195.225.179.255
  - coolwebsearch.com 66.250.74.150
  - cogent communications 66.250.0.0 - 66.250.255.255
  - onlythebest.com 209.55.83.12
  - shoppingwizard.com 208.254.3.160
  - easy-search.biz 69.50.170.18
  - standard shells 69.50.170.0 - 69.50.170.255
- Go into your FIREWALL and BLOCK all the above IP addresses.
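Firewalls take ranges as CIDR blocks rather than "first - last" pairs, and several of the single addresses above sit inside the ranges listed next to them. This added example (mine, not part of the original write-up) turns the list exactly as given into the smallest set of CIDR blocks and then checks connection log lines against it, so you can see whether anything on the machine is still talking to those addresses after cleanup. The log lines are constructed for the demo, in the shape of the Windows XP firewall log (date, time, action, protocol, source, destination, ports).

```python
"""Added example (not from the original page): build a CIDR block list from the
address list in #8 and match firewall log lines against it."""
import ipaddress
import re

# The list exactly as given on the page; host names are context, blocking is by address.
BLOCK_LIST = """
looking-for.cc 195.225.176.27
lookingfor.cc 195.225.176.3
netcasthost.com 195.225.176.0 - 195.225.179.255
coolwebsearch.com 66.250.74.150
cogent communications 66.250.0.0 - 66.250.255.255
onlythebest.com 209.55.83.12
shoppingwizard.com 208.254.3.160
easy-search.biz 69.50.170.18
standard shells 69.50.170.0 - 69.50.170.255
"""
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def to_networks(listing):
    """Parse 'name a.b.c.d' and 'name a.b.c.d - w.x.y.z' lines into collapsed CIDR blocks."""
    nets = []
    for line in listing.strip().splitlines():
        ips = IP_RE.findall(line)
        if len(ips) == 2:
            first, last = ipaddress.ip_address(ips[0]), ipaddress.ip_address(ips[1])
            nets.extend(ipaddress.summarize_address_range(first, last))
        elif len(ips) == 1:
            nets.append(ipaddress.ip_network(ips[0]))
    # single addresses already inside a listed range fold into that range
    return sorted(ipaddress.collapse_addresses(nets))


def blocked(ip, nets):
    """True if the dotted-quad address falls inside any of the blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def hits_in_log(lines, nets):
    """Addresses in the log that fall inside a blocked range, one per matching line."""
    hits = []
    for line in lines.splitlines():
        for ip in IP_RE.findall(line):
            if blocked(ip, nets):
                hits.append(ip)
                break
    return hits


# Constructed sample lines in the shape of pfirewall.log; not a real capture.
SAMPLE_LOG = """\
2004-07-15 09:12:01 OPEN TCP 192.168.1.5 195.225.176.27 1044 80
2004-07-15 09:12:05 OPEN TCP 192.168.1.5 207.46.134.155 1045 80
2004-07-15 09:13:40 OPEN TCP 192.168.1.5 66.250.74.150 1047 80
"""

if __name__ == "__main__":
    nets = to_networks(BLOCK_LIST)
    for n in nets:
        print("block", n)
    for ip in hits_in_log(SAMPLE_LOG, nets):
        print("hit", ip)
```

The list collapses to five blocks: 66.250.0.0/16, 69.50.170.0/24, 195.225.176.0/22, 208.254.3.160/32 and 209.55.83.12/32. One thing to weigh before pasting that into a firewall: the 66.250.0.0/16 entry is a whole provider's range, so blocking it as the page suggests also cuts off every unrelated site hosted there; the narrower entries carry far less collateral.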
9. IP tools to help you find these guys.
Comments? Email me at crwillis@androidworld.com