# Removing about:blank se.dll hijack



## Byteman (Jan 24, 2002)

Hi all, I am posting this for those of you who run into the about:blank/CWS hijack with the se.dll returning even after a good removal process....

Working on a computer here with ME installed, user had a bad recurring infection being seen a lot right now with the se.dll refusing to be deleted, access denied stuff... I put it through the standard about:blank removal for the sp.html variant, and it did work, except it came back in minutes...so, I hunted around and found a mention of doing some Registry editing in regard to a couple of things loading from the Registry:

HOSFS.SAM--- these do not exist in any Windows file

SUCHOST.EXE ---only in the Registry!!

The spelling of HOSFS.SAM is correct...

Will be found in a Registry search as that entry.
The suchost.exe will be right beneath HOSFS.SAM. There were no further entries found for either.

I did this in Safe Mode> as part of the fix, and deleted those two entries...as soon as I did, about 100 Internet Explorer windows started popping up....remember, I was in Safe Mode, WITH the Network cable pulled out of the computer....I closed all the windows one after another, and finished the Hijackthis removal of the about:blank entries, AND>> used the Misc Tools feature of Hijackthis to Delete a File Upon Reboot and selected se.dll, the random .dll file from the filter/text and filter/plain items of the scan with hijackthis...ran the other parts of the fix, AboutBuster, CWShredder, replaced the HOSTS file, etc and restarted...and all is still OK after 2 hours.

Without removing those two Reg entries it will always come back. Just thought I would put this up here because I see quite a few logs with se.dll tonight...hope someone can make use of this.

NOTES: AVG detects se.dll as Trojan.Startpage.16 or something like that...it can heal it, but the Reg entries bring it right back.

With the infection loaded, Housecall online scan would not run, nor would Panda, it would scan for a second and tell me "Scan completed" 

I tried a couple of other removers, none detected it.



When the se.dll is simply fixed or deleted, the error about Rundll32.exe C:\Windows\Temp\se.dll comes up immediately, but did not after I finally found how to fix it.

I have restarted several times, and been doing Windows Updates OK, nothing has come back. Will post if it does...

Edit: It's still doing just fine, nothing at all came back.


----------



## catsonic (Feb 26, 2005)

Hi

I am having the same problems. I have read your post but am so confused. I have no idea how to edit the registry or anything like that.

I know you put it in simple terms the first time but is there any way you can condense it down any further into step by step idiot proof instruction?

I'm using Win ME and Internet Explorer


----------



## thymekiller (Jan 29, 2004)

maybe at least where these items are located in the registry?? I tried to find them by typing the names in the find box, but found neither one.


----------



## bustagut (Feb 26, 2005)

I have been chasing this one off my system for weeks now and it is a beast to remove. In fact I have tried everything from Giantantispy to xsoft and all they seem to do is spot the se.dll file and remove it, but it returns. It recreates itself via another dll file which varies in names from oficea.dll to jengaa.dll and many more. Each time these files are removed they are recreated with another file which I have not quite discovered yet. I believe it has embedded itself in a windows file, but am unsure which? It causes rundll and kernel32 errors and instability on some systems. No spyware/virus software I know of can remove it. A temporary solution is to change the hex values within the dll file to stop it running properly. If I find a better solution I will let you know.


----------



## catsonic (Feb 26, 2005)

what does it actually do apart from redirect my startup page and sometimes redirect me to some strange places?

How is it passed on? and how did it get past my avg and firewall? both up to date?

Is it worth all the headache trying to remove it or can it be safely left alone until an easier removal method is found?


----------



## bustagut (Feb 26, 2005)

I personally believe this se.dll file is created from another dll file which goes under many different names. The se.dll file and the hidden file respawn themselves even after they are removed along with all associated registry keys. I am convinced the spawner has embedded itself in files within windows, perhaps even excel files. I have run a program that watches changes in the registry and it queries several of my excel files as having malicious coding. This may or may not be the case, but as yet I have not found a solution via adware/virus removers. It's about time these adware/virus companies started doing what they are paid for and find a solution to get rid of this beast.


----------



## catsonic (Feb 26, 2005)

Hi bustagut

I think I'm going to leave this one alone until hubby decides to reformat the comp, which won't be long.

As long as I can't pass this via email then I won't worry.


----------



## bustagut (Feb 26, 2005)

OK I have just been on another forum and this may be a final solution. It is worth a try. First of all have a look at a hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:02:17 AM, on 02/24/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ACS495\MIXGHOST.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.aum.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
http://www.knology.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E38207D-80D9-11D9-95C9-0040BF50C8DC} -
C:\WINDOWS\SYSTEM\NAFGIB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mixghost] C:\ACS495\MixGhost.exe
O4 - HKLM\..\Run: [vptray] c:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1
\zlclient.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -
atboottime
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [rtvscn95] c:\Program Files\Norton
AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector]
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton
Utilities\NPROTECT.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no
file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-
00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -
C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-
12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! PagerLite - http://jpager.yahoo.com/jpager/y/pg3_x.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) -
http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: Yahoo! Chat 1.3 - http://cs3.chat.yahoo.com/c134/chat.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield
International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A5DF5E1-6EA9-494C-98A8-8A0534C5D03F} (TMSCTL.SSDLoad) -
http://broadcast.microsoft.com/code/schdata/tmsct2000.CAB
O16 - DPF: {F7A42F5D-C82A-4680-B2C1-4E530BC72C23} (PostalCodePicker
Control) - http://broadcast.microsoft.com/code/schdata/tbpcctl.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload
Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.224 -
http://66.28.246.1:9000/Java/cfs31224.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 -
http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
http://media.memphiszoo.org/AxisCamControl.ocx
O16 - DPF: {4B55FE21-325E-48D5-9B39-9B430D639EE8} (ScanFile.FileScan) -
http://www.contentpurity.com/ScanFile.CAB
O16 - DPF: {FCE90474-8B60-445B-A2B5-57E289BCEA42} (SmartDownloader
Control) - http://www.downloadcoach.com/SmartDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) -
http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: Yahoo! Freecell Solitaire -
http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) -
http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/house
call/xscan53.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) -
http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O18 - Protocol: wavetop - (no CLSID) - (no file)
O18 - Filter: text/plain - {B93AFD82-85EB-11D9-95C9-0040AF81A84D} -
C:\WINDOWS\SYSTEM\NAFGIB.DLL
O18 - Filter: text/html - {B93AFD82-85EB-11D9-95C9-0040AF81A84D} -
C:\WINDOWS\SYSTEM\NAFGIB.DLL

Delete all R1 listings to remove se.dll from the registry

Delete the O18 listings with nafgib.dll (yours may have a different name)

Now run startdreck (here was my log)

StartDreck (build 2.1.7 public stable) - 2005-02-26 @ 20:49:25 (GMT +00:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 5.50.4134.0100
Logged in as Mervyn at COLINS

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=ctfmon.exe
*Regrun2=C:\PROGRA~1\GREATIS\REGRUN~1\WatchDog.exe
»RunOnce
+ApprovedByRegRun2
»Default User
»Run
*ctfmon.exe=ctfmon.exe
*Regrun2=C:\PROGRA~1\GREATIS\REGRUN~1\WatchDog.exe
»RunOnce
+ApprovedByRegRun2
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMON.EXE
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
*RegRun WinBait=C:\WINDOWS\winbait.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
+ApprovedByRegRun2
»RunServices
*pcAnywhere Agent=C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
*MDM7="C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*NPFMonitor=C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
*SchedulingAgent=mstask.exe
»RunServicesOnce
**dz=rundll32 C:\WINDOWS\HPDJ61R2.INI,DllGetClassObject
+ApprovedByRegRun2
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFEF529F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF24A3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF2CCB=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFFC447=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE664B=C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
+FFFE333F=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
+FFFE86FF=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
+FFFE9C3F=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
+FFFEA4C7=C:\WINDOWS\RUNDLL32.EXE
+FFE14167=C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
+FFE17693=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE5737=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFE0B637=C:\WINDOWS\EXPLORER.EXE
+FFE3025B=C:\WINDOWS\TASKMON.EXE
+FFE32697=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFE3DE17=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
+FFE3A583=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFE3B91F=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
+FFE26EA7=C:\WINDOWS\SYSTEM\CTFMON.EXE
+FFE477BF=C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
+FFE4BDFF=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFE6AFB3=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\EXCEL.EXE
+FFE990EF=C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\AWHOST32.EXE
+FFEB1DD7=C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVW32.EXE
+FFE781DB=C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
+FFEB517F=C:\MY DOCUMENTS\STARTDRECK\STARTDRECK.EXE
»Application specific

look for dz=rundll32 C:\WINDOWS\HPDJ61R2.INI,DllGetClassObject
(your file will likely be called something else)

WRITE THE NAME DOWN

Boot into dos mode with a boot disk

goto c:\windows\temp and delete the se.dll file
goto c:\windows\system and delete second spawner in this case NAFGIB.DLL
then follow these instructions of his to remove a hidden spawner in my case HPDJ61R2 which cannot be found even in dos (his is Backgrrd.gif)

c:\windows>attrib -s -h -r backgrrd.gif

c:\windows>del backgrrd.gif

(*nothing happened, no message or stuff so I tried this....*)

c:\windows>attrib -s -h -r backgrrd.gif
file not found - backgrrd.gif

c:\windows>del backgrrd.gif
file not found

and then I went back to Windows; when it was loading the Windows main screen a warning window appeared that said:

----Error loading c:\windows\backgrrd.gif
----The system cannot find the file specified

and now when I open a new IE window, there is no "Iexplore" appearing in the task manager menu anymore!!!! I guess that problem is fixed then...... yeah! But now how do I get rid of the above warning?

I hope this works for you

Regards,

Bustagut


----------
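
An added example, not part of bustagut's post: a small triage script for the two autorun lines the post tells you to look for in the StartDreck log. The sample lines are copied from that log; the function name, the list of "normal" library extensions and the two flagging rules are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample: a few Run-key lines in the shape of the StartDreck log above.
SAMPLE = r"""
»Local Machine
»Run
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
»RunServicesOnce
**dz=rundll32 C:\WINDOWS\HPDJ61R2.INI,DllGetClassObject
"""

VALUE = re.compile(r"^\*+(?P<name>[^=]+)=(?P<cmd>.*)$")
RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<target>.+?),\s*(?P<export>\w+)',
                    re.IGNORECASE)
# Assumption: extensions a legitimate rundll32 autorun normally points at.
LIB_EXTS = {".dll", ".cpl", ".ocx"}


def triage(log_text):
    """Return (section, value name, target file, reasons) for odd rundll32 autoruns."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("»"):          # StartDreck section header, e.g. "»Run"
            section = line[1:]
            continue
        value = VALUE.match(line)
        call = RUNDLL.match(value.group("cmd").strip()) if value else None
        if not call:
            continue                      # not an autorun value, or not rundll32
        target = call.group("target").strip('" ')
        reasons = []
        ext = ntpath.splitext(target)[1].lower()
        if ext not in LIB_EXTS:
            # The hidden spawner in this thread is a DLL stored as .INI / .gif / .sav
            reasons.append("target extension %r is not a library type" % ext)
        if "\\TEMP\\" in target.upper():
            reasons.append("loads from a temp directory")
        if reasons:
            findings.append((section, value.group("name"), target, reasons))
    return findings


if __name__ == "__main__":
    for section, name, target, reasons in triage(SAMPLE):
        print("%s\\%s -> %s: %s" % (section, name, target, "; ".join(reasons)))
```

The second finding is the name to write down: it is the file that has to be removed from DOS before the Run entries stop coming back.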



## Byteman (Jan 24, 2002)

Hi, Regarding my HOSFS.SAM and Suchost.exe items found on winME> those will probably not be what you will have, there are quite a few variants of this malware and it is a royal pain to get rid of, if not impossible. 
What worked for me, as I said, was the standard CWS About:blank hijack removal process...plus the Registry item removal. And, some ideas found at another forum where I found the suchost.exe and HOSFS.SAM tips, I looked, and those were there in the Registry of the machine I worked on...I do not have it here now, but it is still working OK.
I had no luck in using the Registry find tool for se.dll, doing merely that will find every entry in the Registry that contains the LETTERS se.dll and there are many legitimate ones that do....
I did search the Registry for HOSFS.SAM, and just below that was suchost.exe (in other words, under the same Registry key, just those two values on the right side appeared) I am sorry, did not record the exact location.
Not everyone has the HOSFS.SAM item to find it appears, and I have not seen any others of the hundreds of logs I read with the se.dll problem, so the one I worked on may have been unique or less common.


----------



## CarlBarker (Feb 28, 2005)

I have recently got this virus, I tried AVG and Ad-aware etc. Nothing cleared it then I searched on the net and found here. I found HOSFS.SAM and suchost.exe what do I do now to solve the problem? Do I delete them or is there something else that needs to be done? Sorry if it has been answered but I am really trying to get rid of it as I do not really want to format my PC.


----------



## CarlBarker (Feb 28, 2005)

You also mentioned StartDreck, where can I get this from?


----------



## Byteman (Jan 24, 2002)

Hi, If you really need to work on this yourself, feel free, but I don't really advise it.

StartDreck: http://www.niksoft.at/_data/startdreck.zip

You will need AboutBuster, too. 
And DelDomains if you have the Trusted Sites type of entries... by now I think you have read through plenty of other logs and seen all that. Good luck!

There is a step by step way to use these tools, and you have to do it in Safe Mode mostly... as well as using Hijackthis as part of the total fix.... my advice would be to post a Hijackthis log in a NEW THREAD, not tag onto someone else's, even if you see the same problem in one, it is just too confusing, simply start a new thread and post your log to it.


----------



## CarlBarker (Feb 28, 2005)

I have made a new thread with my log


----------



## Toet (Feb 28, 2005)

Thanks a lot bustagut, that worked fine. The file I had to delete was "wininkt.sav". I found out, while in DOS, that this file was in the same folder (c:\windows) as "wininit.sav", of which it had also taken over the "last modified" date. The file was completely invisible in Windows. Very strange. Taking into account the "hosfs.sam", which is an alteration of the legit "hosts.sam" file, it seems that this thing takes the name of a random file within the "c:\windows" directory, changes one letter of that name into something else, takes over the creation and/or last modified date of that file and finally finds a way to hide from us really well.

Anyway, I got rid of it, and everything is working OK now. Like you, I also encountered an error message at startup, I hope someone here knows how to get rid of that. The reference to the file doesn't show up in Startdreck anymore, though.

Edit: After a reboot, the error message didn't pop up a second time. It looks like I'm clean now.


----------
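
An added example, not part of Toet's post: the naming pattern described above (a file in the same folder whose name differs from a legitimate file by one letter and which carries the same "last modified" date) turned into a directory check. Function names are hypothetical, and since the post reports the file as invisible from inside Windows, the script is assumed to run against an offline copy of the folder (a mounted disk image or a backup).

```python
import os
import tempfile
from itertools import combinations


def one_char_apart(a, b):
    """True when two names have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def lookalike_pairs(directory):
    """Pairs of files whose names differ by one character AND share an mtime."""
    by_mtime = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                stamp = int(entry.stat().st_mtime)   # whole seconds is enough
                by_mtime.setdefault(stamp, []).append(entry.name.lower())
    pairs = []
    for names in by_mtime.values():
        # Only files with an identical timestamp are compared with each other,
        # which removes most innocent near-names (win.ini / win.inf, etc.).
        for a, b in combinations(sorted(names), 2):
            if one_char_apart(a, b):
                pairs.append((a, b))
    return sorted(pairs)


def demo():
    """Constructed test folder using the file names mentioned in the thread."""
    stamps = {
        "wininit.sav": 1000000000,
        "wininkt.sav": 1000000000,   # same stamp, one letter changed
        "hosts.sam": 1000000500,
        "win.ini": 1000000900,
        "win.inf": 1000000950,       # near-name, but different stamp
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, stamp in stamps.items():
            path = os.path.join(folder, name)
            with open(path, "w"):
                pass
            os.utime(path, (stamp, stamp))
        return lookalike_pairs(folder)


if __name__ == "__main__":
    for legit_or_copy in demo():
        print("same timestamp, one letter apart:", legit_or_copy)
```

The check cannot say which file of a pair is the impostor; compare both against the autorun entry you wrote down from the StartDreck log.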



## Byteman (Jan 24, 2002)

Hi, Those who are reading or posting here may also want to try out the free trial of Kaspersky antivirus, as I have been reading that program or higher can remove the infection. I would say it means the underlying hidden files, not the basic about:blank hijack... if anyone does want to try it>

http://www.kaspersky.com/downloads


----------



## Byteman (Jan 24, 2002)

Hi, Regarding removing se.dll infection and using the free trial version of Kaspersky> you may need to look through this help guide on setting up Kaspersky antivirus correctly:

http://forums.subratam.org/index.php?showtopic=3466

has good screenshots and a lot of help to get you installed correctly. If anyone does try Kaspersky against the se.dll bug, please post whether it found and removed the problems or not...and if the bug came back or any comments in general. We need more information about getting rid of this malware.


----------



## JDBuzz (Mar 8, 2005)

1. open regedit .. 
go to local machine\software\microsoft\windows\current version\uninstall 

2. Go to the search assistant folder ... and in there see which is the dll file which needs to be deleted - it was ghch.dll on my pc.

3. now press ctrl.alt.delete then end the run32dll process

4. delete se.dll from windows\temp folder

5. open regedit .. go to local machine\software\microsoft\windows\current version \ run .... there delete the se.dll autorun entry..... do the same in the run- folder

6. restart the pc ... keep pressing F8 ... go to command prompt ..... there delete that wretched dll file from the windows\system folder

7. restart pc ...... and hey presto everything should be back to normal - unless you have another problem that is.


----------



## cghost (Mar 15, 2005)

bustagut left out the registry fix file that accompanied the fix instructions. The clsids change to correspond to the O2 entry and the O18 entries. If you have already done a bunch of fixing on your log and don't have the O2 and O18 lines anymore, delete the 3 clsid lines from the registry fix because they won't change anything in your registry.

This may help with some of your error messages.

Back up the registry to give a recovery point in case there is a problem.
** How to: http://support.microsoft.com/kb/256419/EN-US/

Replace the clsids in the registry file below with the clsids from the O2 and O18 lines in your log.

Copy the text below between the ===================== lines into notepad. Do NOT include the ===== lines in the notepad file.

Save the file to your desktop as fixprob.reg, filetype all files.

Click on the file, say ok when it asks about merging it to the registry.

===================== 
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\New Windows]

[-HKEY_CLASSES_ROOT\CLSID\{CE8131EB-93D9-11D9-A684-CF4B7211BE33}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CE8131EB-93D9-11D9-A684-CF4B7211BE33}]

[-HKEY_CLASSES_ROOT\CLSID\{6356CBA7-93B0-11D9-A684-9987B9EA0A74}]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"sp"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] 
=====================

Regards.
cg


----------
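
An added example, not part of cghost's post or of the original fix file: a script that pulls the CLSIDs to substitute out of a pasted HijackThis log and prints the three clsid lines for the .reg file. It assumes the pattern seen in the log earlier in the thread, where the unwanted O2 BHO points at the same DLL as the O18 text/html and text/plain filters; the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the HijackThis log quoted earlier in the
# thread (same CLSIDs and paths), including the hard wraps pasting introduced.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://c:\windows\TEMP\se.dll/sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E38207D-80D9-11D9-95C9-0040BF50C8DC} -
C:\WINDOWS\SYSTEM\NAFGIB.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-
00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O18 - Filter: text/plain - {B93AFD82-85EB-11D9-95C9-0040AF81A84D} -
C:\WINDOWS\SYSTEM\NAFGIB.DLL
O18 - Filter: text/html - {B93AFD82-85EB-11D9-95C9-0040AF81A84D} -
C:\WINDOWS\SYSTEM\NAFGIB.DLL
"""

ENTRY_START = re.compile(r"^[RFO]\d+ - ")
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (" + CLSID + r") - (.+)$")
O18_RE = re.compile(r"^O18 - Filter: (\S+) - (" + CLSID + r") - (.+)$")
HKCR_CLSID = "HKEY_CLASSES_ROOT\\CLSID\\"
BHO_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
           "\\explorer\\Browser Helper Objects\\")


def unwrap(text):
    """Rejoin log entries that were hard-wrapped when the log was pasted."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        elif entries[-1].endswith("-") and not entries[-1].endswith(" -"):
            entries[-1] += line           # wrapped in the middle of a CLSID
        else:
            entries[-1] += " " + line
    return entries


def suspect_clsids(log_text):
    """Return (BHO CLSIDs, filter CLSIDs, DLL paths) for the hijack pattern."""
    bhos, filters = [], {}
    for entry in unwrap(log_text):
        m = O2_RE.match(entry)
        if m:
            bhos.append((m.group(2).upper(), m.group(3).strip().upper()))
            continue
        m = O18_RE.match(entry)
        if m and m.group(1).lower() in ("text/html", "text/plain"):
            filters[m.group(2).upper()] = m.group(3).strip().upper()
    dlls = set(filters.values())
    # Only BHOs served by the same DLL as the MIME filters are reported,
    # so unrelated helpers such as the Acrobat one are left alone.
    return sorted(c for c, f in bhos if f in dlls), sorted(filters), sorted(dlls)


def clsid_reg_lines(log_text):
    """The three clsid lines of the fix file, filled in from this log."""
    bho_ids, filter_ids, _ = suspect_clsids(log_text)
    lines = []
    for clsid in bho_ids:
        lines += ["[-" + HKCR_CLSID + clsid + "]", "[-" + BHO_KEY + clsid + "]"]
    lines += ["[-" + HKCR_CLSID + clsid + "]" for clsid in filter_ids]
    return lines


if __name__ == "__main__":
    print("\n\n".join(clsid_reg_lines(SAMPLE_LOG)))
```

If the script returns no lines, the O2 and O18 entries are already gone from the log and, as the post says, the three clsid lines can simply be deleted from the fix file.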

