Washington DC Message Boards


Guest Snowcrash


Guest Snowcrash

This is a very deep-rooted spyware.


What Is It?

IEPlugin Removal - se.dll


What Does it Do?

IEPlugin is an IE BHO that monitors web site addresses you visit, form contents and even your local file browsing! It also automatically updates and adds a few items to your favorites list. On top of this it will display ads when it finds certain keywords in your browser.


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win Server

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win Server Updt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Server Updt [C:\WINDOWS\wupdt.exe]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Server Updt



Reboot your system then:


Make sure you click Start --> Run and type in msconfig. Then select the Startup tab. Any references to the processes below should be deleted.


End Processes (may or may not exist):








Unregister DLLs:


Guest Snowcrash

You can use the Regsvr32 tool (Regsvr32.exe) to register and unregister object linking and embedding (OLE) controls such as dynamic-link library (DLL) or ActiveX Controls (OCX) files that are self-registerable. This may be necessary to troubleshoot some issues with Windows, Microsoft Internet Explorer, or other programs. It is also frequently used by program hacks.


1.) Copy the files you would like to register to [C:\WINDOWS\system32]

2.) Go to the command prompt Start --> Run --> cmd

3a.) To install/register the file type in: regsvr32 file.dll or regsvr32 file.ax

3b.) To uninstall the files type: regsvr32 -u file.dll or regsvr32 -u file.ax

4.) Some type of message should be displayed that says you successfully registered or unregistered the file


Extra info:

Regsvr32 [/u] [/n] [/i[:cmdline]] dllname


/u - Unregister server

/i - Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

/n - do not call DllRegisterServer; this option must be used with /i

More information @ MS


According to Symantec, here is what you can do:



Adware.IEPlugin is an Internet Explorer (IE) Browser Helper Object that monitors Web site addresses, content entered into forms, and local file names that are browsed.


Adware.IEPlugin displays an advertisement when it sees a targeted keyword. It will also install a running process to update itself by contacting servers every few minutes. This adware may also add a few bookmarks to your Favorites menu.



Note: LiveUpdate virus definitions, which were released on December 10, 2003, may erroneously trigger a detection of Backdoor.Imiserv on files that behave in a manner similar to the behavior of files detected as Adware.IEPlugin.


To correct this, virus definitions released on December 15, 2003 will detect such samples as Adware.IEPlugin.





The files are detected as Adware.IEPlugin.



Active-X, drive-by downloads, which may be on pop-up ads, install this adware.




File names: Wupdt.exe


When this adware is executed, the installer performs the following actions:



Installs several files in the %Windir% folder.



Starts a running process (usually Wupdt) that can make calls to various servers to update its code.



Adds the value:


"Win Server Updt" = "%WinDir%\Wupdt.exe"


to the registry key:





May add the value:


"Win Server" = "%WinDir%\winserv.exe"


to the registry key:




Symantec Security Response has developed a removal tool for Adware.IEPlugin. Use this removal tool first, as it is the easiest way to remove this threat.


The tool can be found here: http://securityresponse.symantec.com/avcen...er/FxIeplgn.exe


The current version of the tool will have a digital signature timestamp equivalent to 16/12/2004 02:42 AM PST.
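
An added example, not part of the thread or of Symantec's write-up: a read-only PowerShell check of the two Run keys for the value names and file names listed in the posts above (`Win Server`, `Win Server Updt`, `wupdt.exe`, `winserv.exe`). The function name `Test-IEPluginRunEntry` is hypothetical; the script only reports matches and changes nothing.

```powershell
# Added example: audit the Run keys named in this thread for IEPlugin
# autostart entries. Indicators come from the posts above; nothing is deleted.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$valueNames = @('Win Server', 'Win Server Updt')
$fileNames  = @('wupdt.exe', 'winserv.exe')

# Hypothetical helper: true when a Run value matches by name or by target file.
function Test-IEPluginRunEntry {
    param([string]$Name, [string]$Data)
    if ($valueNames -contains $Name) { return $true }   # -contains ignores case
    foreach ($f in $fileNames) {
        if ($Data -like "*\$f*") { return $true }       # -like ignores case
    }
    return $false
}

# Walk every value under each Run key; read the data without expanding
# variables so an entry written as %WinDir%\Wupdt.exe is shown as stored.
$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if (Test-IEPluginRunEntry -Name $name -Data $data) {
            [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
        }
    }
}

# Report whether the files the posts place in the Windows folder are present.
$files = foreach ($f in $fileNames) {
    $path = Join-Path -Path $env:windir -ChildPath $f
    if (Test-Path -LiteralPath $path) {
        Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No matching Run values found.' }
if ($files)    { $files    | Format-Table -AutoSize } else { 'No matching files in the Windows folder.' }
```

Running it before and after the removal steps shows whether the autostart values were actually cleared or have been written back by a process that is still running.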
