TechSpot

How do you speak in DOS??

By ILovePopcorn
Aug 6, 2005
  1. I'm new Here, Hi Everyone!

    Like five thousand persons before me, yes, I have spyware and I'm not ashamed to admit it. I am here because I need help. I know that no (I speak honestly here) spyware removal tool works. So I want to go into DOS and kill the file, specifically the DLL file, which spawns itself silly into my registry and laughs in my face when I delete everything, only to come back!!

    So please, someone out there, tell me how you go into DOS commands and delete a file. Please... Help!

    Thanks,
    Nick.
    yes I'm from Canada.

    :knock:
     
  2. joman2055

    joman2055 TS Rookie Posts: 19

    (if you know where the file is) go into Windows safe mode and try to delete it. I have done this a few times cuz it won't let me delete the file because it is in use.
     
  3. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  4. ILovePopcorn

    ILovePopcorn TS Rookie Topic Starter

    I have done all that you have said. I have Webroot, I have Norton, I have HijackThis, I have Spybot; they will not get rid of it. No software can get rid of this nasty se.dll file. It has to be done in safe mode, in DOS file, somehow I cannot open in DOS file, to del C:\windows\temp\se.dll. I have done this; is this the wrong way of telling the program that I want to delete this file?

    Thanks,

    Nick, :knock:
     
  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Put your HJT-log up as an attachment.
    Tell us which Windows version you have; both W2K and XP don't have real DOS anymore.
    And DOS will only work if your harddisk is FAT32 formatted, NTFS does not.
     
  6. ILovePopcorn

    ILovePopcorn TS Rookie Topic Starter

    here is my HJT....log file..

    Sorry but the attachment will not work..since my computers javascript seems to be affected by this spyware..
    :knock:

    And because I saw the post on not adding to this thread. I have not posted my HJT..
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Since you don't post a log, not much I can do. Not adding is meant for OTHER people.
    You (ILovePopcorn) can add to your thread as wanted or required.
    Try this to remove SE.DLL
    http://www.androidworld.com/prod91.htm

    You still have not told us your Windows version, or how the disk is formatted!
     
  8. ILovePopcorn

    ILovePopcorn TS Rookie Topic Starter

    Ok, Here it is my ...............

    Logfile of HijackThis v1.99.1
    Scan saved at 9:15:17 PM, on 8/8/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
    C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {FE592603-0695-11DA-82FE-00D07612C280} - C:\WINDOWS\SYSTEM\OLL.DLL
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_20_0.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - (no file)
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: ConferenceRoom Java Client - http://216.152.65.174:8000/java/cr.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {217234FC-041F-4F27-84AB-8329440C4DED} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3ca.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Filter: text/html - {B1ECB649-0741-11DA-82FE-00D04A4355CE} - C:\WINDOWS\SYSTEM\OLL.DLL
    O18 - Filter: text/plain - {B1ECB649-0741-11DA-82FE-00D04A4355CE} - C:\WINDOWS\SYSTEM\OLL.DLL



    I understand you can take out a file in DOS. Because my se.dll file is 'write protected', this is the only way I can delete it. My Webroot or Spybot is unable to get rid of the many files this thing spawns in my registry, so my only way out is getting into DOS and deleting it. However, it's hard to know how to do this. It's been about four months of getting rid and deleting; this spyware redirects itself to porn sites, which is not good, especially since I have kids. :cool: :knock: :knock:
     
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Move HJT from C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
    to: c:\Program Files\HJT\HIJACKTHIS.EXE before you continue!

    Boot in Safe Mode.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Next, open Windows Task Manager.

    On Windows 95/98/ME, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP, press CTRL+SHIFT+ESC.
    Click the Processes tab, select the process (if there), click End Process for:
    PSTORES.EXE

    Next, click Start/Run and type in:
    regsvr32 -u OLL.DLL and click OK, do the same for:
    regsvr32 -u SE.DLL and click OK
    (try regsvr32 /u if the above does not work)

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    C:\WINDOWS\SYSTEM\PSTORES.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {FE592603-0695-11DA-82FE-00D07612C280} - C:\WINDOWS\SYSTEM\OLL.DLL
    O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)
    O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - (no file)
    O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - (no file)

    FIX all your O16 - DPF: entries

    O18 - Filter: text/html - {B1ECB649-0741-11DA-82FE-00D04A4355CE} - C:\WINDOWS\SYSTEM\OLL.DLL
    O18 - Filter: text/plain - {B1ECB649-0741-11DA-82FE-00D04A4355CE} - C:\WINDOWS\SYSTEM\OLL.DLL
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    Open Windows Explorer, go to and right-click C:\WINDOWS\SYSTEM\OLL.DLL
    Select Properties. If marked Read-Only, remove it, then delete OLL.DLL
    Do the same for C:\WINDOWS\TEMP\se.dll
    Do the same for C:\WINDOWS\SYSTEM\PSTORES.EXE
    Delete all files and directories from: C:\WINDOWS\TEMP
    Boot normal.
     
  10. ILovePopcorn

    ILovePopcorn TS Rookie Topic Starter

    Thanks I will be trying this later on.

    :p
     
Topic Status:
Not open for further replies.
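
Added example, not part of the thread and not HijackThis's own logic: a small Python triage pass over the entry lines of the log posted above. The three heuristics (module under a TEMP directory, one DLL registered as both O2 BHO and O18 filter, O9 entry marked "(no file)") are assumptions chosen to mirror the entries picked out for fixing in post 9; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Subset of entry lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {FE592603-0695-11DA-82FE-00D07612C280} - C:\WINDOWS\SYSTEM\OLL.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - (no file)
O18 - Filter: text/html - {B1ECB649-0741-11DA-82FE-00D04A4355CE} - C:\WINDOWS\SYSTEM\OLL.DLL
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
# Drive-letter path ending in .dll/.exe; stops at ',' '"' or '/' (res:// URLs, rundll32 args).
MODULE = re.compile(r'[A-Za-z]:\\[^,"/]*?\.(?:dll|exe)', re.IGNORECASE)

def parse(log):
    """Return (section, data) per entry line; header and process-list lines are skipped."""
    return [(m.group(1), m.group(2).strip()) for m in map(ENTRY.match, log.splitlines()) if m]

def triage(log):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings, hooks = [], defaultdict(set)   # hooks: module path -> sections loading it
    for section, data in parse(log):
        for path in MODULE.findall(data):
            norm = path.upper()              # Win9x paths are case-insensitive
            if "\\TEMP\\" in norm or "\\TMP\\" in norm:
                findings.append((section, "module loaded from temp directory", norm))
            if section in ("O2", "O18"):
                hooks[norm].add(section)
        if section == "O9" and data.endswith("(no file)"):
            findings.append((section, "extension points at a missing file", data))
    for norm, sections in sorted(hooks.items()):
        if len(sections) > 1:                # same DLL hooks two IE extension points
            findings.append(("+".join(sorted(sections)), "one DLL is both BHO and MIME filter", norm))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A process-list line such as PSTORES.EXE carries no registry context, so these heuristics do not cover it; that call in post 9 rests on the helper's own knowledge.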
