About:Blank..se.dll..hijacker..etc

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jovo, Mar 14, 2005.

  1. jovo

    jovo Private E-2

    Hi there,

    As like most who post here, I'm at my wits end with this annoying little critter!

    I have a Dell Precision 530 with a single partitioned HD: C (XP SP2), D (Progs) & E (Data). Nvidia Quadro Pro 980 XGL graphics card and 1 GB of RAM. Also have the usual CD-R/RW and DVD readers.

    I am having persistent trouble with a search page hijacker / pop-ups & (Trojans?).

    I run/ have fully updated Norton AV profess. 2003, XP SP2, Spybot SD 131TX, Adaware SE, Spyware Blaster, CWshredder,Stinger, Ccleaner, About Buster & HS Remove.

    I'm pretty sure I've read all your "before posting" knowledge base and followed the instructions to the letter (hence the great number of apps!)

    After many hours spent frustratingly trying to sort this out myself I have decided to admit defeat and give the pro's a go.

    After booting into safe mode, disabling Sys Restore, emptying internet temp folder, cookies, history etc I ran all of the above mentioned apps. Norton AV -full sys scan-no virus found, the items found in Adaware, Spybot SD related to Coolwebsearch and I "fixed" those. Once finished I rebooted into normal mode.

    Then the first thing I did was to double click My Docs (E:\) icon to access Hijack This. Immediately I got a Norton AV warning (detection and deletion of Trojan.StartPage) and a Rundll error loading warning - se.dll module could not be found. They relate to one another. Then when I start IE of course I get a redirection to a search page (About:Blank), Pop-up Spyware warning appears and the two previous messages flag up again. Even though I had set IE to block pop-ups the icon on the bottom right says pop-ups were not blocked!

    I think I probably have a reasonably healthy PC but this particular little b*****d is proving annoying and troublesome.

    I have two Hijack this logs. One before and one after the cleaning attempt.
    Also a few screen grabs showing the various search pages, warnings etc.

    I understand that you guys/ gals probably have your plates full but I would appreciate any help & advice about removing and protecting against future infections.

    Thanks for the great resource and site. Keep it up.

    Best regards,

    Jovo
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. jovo

    jovo Private E-2

    Hi bjgarrick,

    Thanks for your prompt reply.

    Attached please find my log file...hopefully!

    Br

    Jovo
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    TeaTimer.exe (Disable this because it will affect my fix below)


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {FDCC65A0-C829-4A12-AE07-670FD95B2D1D} - C:\WINDOWS\system32\kjedj.dll

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O18 - Filter: text/html - {6E678E93-AFC5-4ED2-A4C3-612229CBB64C} - C:\WINDOWS\system32\kjedj.dll
    O18 - Filter: text/plain - {6E678E93-AFC5-4ED2-A4C3-612229CBB64C} - C:\WINDOWS\system32\kjedj.dll

    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\kjedj.dll

    se.dll ←–– Search for this file and delete if found!


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    Now, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
    Last edited by a moderator: Mar 14, 2005
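    Editor's added example (not bjgarrick's, jovo's or HijackThis's own code): a small triage pass over HijackThis-style log lines that flags the same kinds of entries the fix above lists: R0/R1 search settings pointed at about:blank or served from a DLL through a res:// URL, an unnamed O2 BHO, and O18 MIME filters on text/html or text/plain (which pass every page IE renders through the named DLL). The sample lines are constructed for the example; the two benign lines use a placeholder CLSID. It also collects the on-disk files those entries depend on, which is the list you would then look for in Safe Mode.

```python
import re
from dataclasses import dataclass

# Constructed sample, not a real log from this thread: the flagged lines copy the
# shapes quoted in the fix above; the two benign lines use a placeholder CLSID.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {FDCC65A0-C829-4A12-AE07-670FD95B2D1D} - C:\WINDOWS\system32\kjedj.dll
O2 - BHO: Example Vendor Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Vendor\helper.dll
O18 - Filter: text/html - {6E678E93-AFC5-4ED2-A4C3-612229CBB64C} - C:\WINDOWS\system32\kjedj.dll
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")
O18_LINE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$")

# IE settings the hijacker in this thread repointed at about:blank.
SEARCH_NAMES = {"Search Bar", "Search Page", "SearchAssistant", "HomeOldSP"}


@dataclass
class Finding:
    kind: str       # HijackThis section: R0, R1, O2, O18
    line: str       # the log line as written
    reason: str     # why it was flagged
    artefact: str   # on-disk file the entry depends on, or "" if none


def res_dll(value):
    """DLL named in a res:// URL (res://<dll path>/sp.html -> <dll path>), or ""."""
    m = re.match(r"res://(?P<dll>.+?\.dll)/", value, re.IGNORECASE)
    return m.group("dll") if m else ""


def triage_line(line):
    """Return a Finding for a suspicious line, or None for lines this triage does not flag."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        name, value = m.group("name").strip(), m.group("value").strip()
        if name in SEARCH_NAMES and value.lower() == "about:blank":
            return Finding(m.group("kind"), line, "search setting repointed to about:blank", "")
        dll = res_dll(value)
        if dll:
            return Finding(m.group("kind"), line, "search setting served from a DLL via res://", dll)
        return None
    m = O2_LINE.match(line)
    if m:
        if m.group("name") == "(no name)" and m.group("path").lower().endswith(".dll"):
            return Finding("O2", line, "unnamed BHO loading a DLL", m.group("path"))
        return None
    m = O18_LINE.match(line)
    if m and m.group("mime").lower() in {"text/html", "text/plain"}:
        reason = "MIME filter on %s passes every page through a DLL" % m.group("mime")
        return Finding("O18", line, reason, m.group("path"))
    return None


def triage(log_text):
    """All findings in a log, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def files_to_check(findings):
    """Distinct files the flagged entries depend on: what to look for (and delete) in Safe Mode."""
    return sorted({f.artefact for f in findings if f.artefact}, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<3} {f.reason}\n    {f.line}")
    print("files to check:", *files_to_check(found), sep="\n    ")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. Note that a bare `about:blank` start page is not flagged (some people set that on purpose); only the search-related names are, which matches what the fix above targets. The file list is the same pair this thread ends up chasing: the se.dll in the Temp folder and the DLL in system32 shared by the BHO and the MIME filters.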
  5. jovo

    jovo Private E-2

    Thanks for your reply.

    Ok, I followed your instructions to the letter. Attached is my log file. Looks like the critter came back?

    As soon as the desktop appeared Spybot SD flagged two BHO change messages both of which I denied. Then I ran Hijack This. Once starting IE the blank start page came up. I typed in google.com and got the usual "attack" with the warnings from NAV, Spybot SD and Rundll error as previously described.

    Other info I thought you might need. I am networked with a Dlink wireless ADSL router (DSL-G604T). I have one other PC networked (wired) running Win98 SE and a new (Sept 2004) Dell laptop (XP SP2) which is sometimes wireless networked. The Win98 can only see Shared Docs on Precision 530, but the 530 can see all of Win 98.
    Laptop and 530 can only see each others shared docs.

    Below follows my actions and findings in relation to your instructions.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    TeaTimer.exe (Disable this because it will affect my fix below) Done


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {FDCC65A0-C829-4A12-AE07-670FD95B2D1D} - C:\WINDOWS\system32\kjedj.dll

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O18 - Filter: text/html - {6E678E93-AFC5-4ED2-A4C3-612229CBB64C} - C:\WINDOWS\system32\kjedj.dll
    O18 - Filter: text/plain - {6E678E93-AFC5-4ED2-A4C3-612229CBB64C} - C:\WINDOWS\system32\kjedj.dll

    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - D:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing

    Again, make sure All Browser Windows are Closed when you Click FIX. Done


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\kjedj.dll .Found and deleted

    se.dll ←–– Search for this file and delete if found! Not found

    Your e-mailed instructions included registry cleaning; none of the targets were found.

    NEXT:
    Run CCleaner , Done


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK. Done, and with very little to delete


    Reboot to Normal Windows

    FINAL STEP This part was omitted in the e-mailed instructions.

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    Now, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What do you mean by email instructions?


    Follow every step in this fix, step by step!

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {8D9C36F1-2B1D-408D-88ED-3C052D26E11F} - C:\WINDOWS\system32\kjedj.dll (file missing)

    O18 - Filter: text/html - {A756DFD3-D0E5-4CF2-AAFB-CC94ECA1863B} - C:\WINDOWS\system32\kjedj.dll
    O18 - Filter: text/plain - {A756DFD3-D0E5-4CF2-AAFB-CC94ECA1863B} - C:\WINDOWS\system32\kjedj.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    BE SURE YOU HAVE VIEW HIDDEN FILES AND FOLDER ENABLED!

    C:\WINDOWS\system32\kjedj.dll

    C:\Documents and Settings\Administrator\Local Settings\Temp\se.dll

    NEXT:
    Run CCleaner
    Note: Run the first two scans only!


    Reboot to Normal Windows


    YOU MUST DO THIS STEP!

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    Now, Scan with HijackThis and attach the new log.
     
  7. jovo

    jovo Private E-2

    Hi,

    What I mean is I received a copy of your response by e-mail late last night. I printed it from there this morning and followed the instructions and when I came to the forum to post the log file noticed that some of the detail of your forum reply was missing (Reboot to normal windows section including Web and security settings) and also the e-mail reply contained a whole section relating to specific registry targets that was not evident in the forum reply?

    I will follow these latest and any future instructions from the forum to avoid my confusion.

    Sorry for the trouble :confused:

    I'll post back shortly.

    Br

    Jovo
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Will be awaiting new log:)
     
  9. jovo

    jovo Private E-2

    Hi bjgarrick.

    Question regarding the quote below:

    I understand you mean the "Windows" and "Applications" tabs.
    Must I check/ tick every box on "Windows" tab? All the boxes are checked on the "Apps" tab.

    Br

    Jovo
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just run the two scans, checked items are set by default.
     
  11. jovo

    jovo Private E-2

    Hi bjgarrick,

    Ok, here it is. Looks better. I'll let you know how things go.

    Thanks for all your help, much appreciated ;) .

    Br

    Jovo
     

    Attached Files:

  12. jovo

    jovo Private E-2

    Hi bjgarrick,

    All went well for a few hours then bam! The usual attack. After scanning, the first lot of R0 & R1 items are all present. There is no bad O2 BHO relating to the O18 Filter items which now refer to a kodo.dll

    I'm using the method you've described to remove/ fix it. How can I prevent these sorts of attacks permanently? Or is this the Holy Grail?

    Br

    Jovo
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you still having the about:blank redirect problem?
     
  14. jovo

    jovo Private E-2

    Hi there,

    Yep, I'm afraid so. It has happened three times so far in the past 5 hrs. I have managed to remove/ clean the system using your method. I'm able to browse for a while and then out of the blue it happens. The last time I was actually not running IE. I was running Outlook Express. Also I'm not downloading music, warez, cracks etc. I'm merely browsing large commercial sites like Vodafone and use Google.co.uk as my search engine of choice.

    Any miracle cures?

    Br

    Jovo
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I have requested a second set of eyes on this, please allow some time for him to join us. Hang in there!

    In the mean time, attach a current HJT log from normal mode.

    Also, Download and run the following programs. Attach these logs as well.

    HSRemove. & About:Buster
     
  16. jovo

    jovo Private E-2

    I'm logging out now. Be back in the morning approx. 10 hrs.

    L8r...

    Jovo
     
  17. jovo

    jovo Private E-2

    Thanks again for your efforts.

    Ok, I'll do that now before I slumber.

    Back in five...

    Jovo
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download "StartDreck", from here: http://www.niksoft.at/_data/startdreck.zip

    Unzip to its own folder and start the program,
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.
     
  19. jovo

    jovo Private E-2


    Here you go. HJT and AB log. Next message will contain HSremove screen grab of result.

    Br

    Jovo
     
  20. jovo

    jovo Private E-2

    HSremove result screen grab attached...no log file creation option.

    I'm sorry but I have to get my beauty sleep now. Your efforts are greatly appreciated. Speak to you later.

    Br

    Jovo
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go ahead and follow Chaslangs instructions and post that log. Then you can go and we will get your fix posted!

    Did any of the 2 programs remove anything?
     
  22. jovo

    jovo Private E-2

    Hi Chaslang,

    Thanks for the suggestion. If you don't mind I'll follow that up in the morning (for me).
    I have to hit the sack now.

    L8r..

    Br

    Jovo
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HSremove will show it is fixing things (typically 8 items) even when it is not.

    However, neither about:Buster or HSremove will do anything for this particular hijacker.


    Jovo,

    Whenever you get the time, post the log. Would be better if you did it now. Then maybe a fix would be waiting for you.
     
  24. jovo

    jovo Private E-2

    Ok chaps,

    Hang five & I'll be back with that log.

    Jovo
     
  25. jovo

    jovo Private E-2

    Here it is guys. I'll speak to you later.

    Thank you.

    Br

    Jovo
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's what I figured, but I was trying the last thing I knew to try before I requested help :p
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Okay! If that log does not reveal anything, the next step will be the below.

    1) go here and download Registrar lite and install it: http://www.majorgeeks.com/download469.html
    2) Run it, copy and paste this line to reglite's address bar:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    3) Click the "go" tab
    4) Find: "AppInit_Dlls" value on the right side panel.
    5) DoubleClick on AppInit_Dlls and tell me exactly what you see in the Value field:
     
  28. jovo

    jovo Private E-2

    Hi Chaslang,

    "Value: c:\windows\system32\hlpadm.dll"

    Was that StartDreck log of any help.

    Ok, speak to you later.

    Thanks

    Jovo
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never posted the StartDreck log.

    Run Registrar Lite again but this time do the following:
    - copy the following into the address bar or expand the same key by hand:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    - Rename the Folder Windows to NotWindows (in the left hand pane of reglite)
    - Double Click "AppInit_DLLs" again and clear the data value:
    c:\windows\system32\hlpadm.dll < delete this line , 'Apply' and 'ok' to set.
    - Rename the NotWindows folder back to its original name Windows

    Now just to be sure, exit Registrar Lite and then restart it and look at that same registry key now. Is it blank?

    Also I need a current HijackThis log. Do not fix anything! I need to see the bad stuff if still there.
     
  30. jovo

    jovo Private E-2

    Oops, I've inadvertently renamed HKLM\Software\Microsoft\NotWindows and now it won't let me change it back after I realised my mistake. Spybot SD flagged up many messages after changing Windows to Not Windows to which I answered deny change.

    Sorry for amateur hour but do you have any suggestions on how to fix my mistake since you seem to know Reglite well?

    Thanks

    Jovo
     
  31. Jim Shoes

    Jim Shoes Private E-2

    nowfind.net and se.dll on an XP system

    NOWFIND.NET
    Nowfind.net seemed to load in a variety of viruses, lock the home page in Internet Explorer, and enter a variety of sexual bookmarks; it also does not permit you to go to any location that you type in. It will only allow searching to previous bookmarks.

    SE.DLL
    I found that SE.DLL seemed to reside in the local document/temp folder. Efforts to delete it or remove it were not permitted even though nothing showed up locked when the properties were checked. HOWEVER, it would let me CUT & PASTE it to another location. In the other location (I set up a dummy folder to move it to) the se.dll would let itself be RENAMED or DELETED. This proved very helpful in taming the virus enough to start to get the upper hand.

    ANTIVIRUS DID NOT WORK
    Like many people, when my antivirus program could not clear up the problem, I thought it had been corrupted. I later found out it was not. I too used CWShredder, SpyBot Search&Destroy 1.3 and Ad-Aware SE. They did not seem to be doing their normally fine work. Each of these would say they removed all items, but several would show up on the very next scan again and again. I found it was necessary to use Windows Explorer and regedit to manually remove the files found by those three great programs.

    FIREFOX
    I installed Firefox 1.0.1 and used it to get a variety of bookmarks. I had wanted to run Norton's (or Panda) off the internet with Firefox (where I knew it would not be corrupt) but Norton's & Panda will only do their check through Internet Explorer (which of course was locked in this wonderful loop). I copied bookmarks from Firefox and then loaded them into IE using Windows Explorer. Now I had a bookmark that I could tell IE to go to (circumventing nowfind.net's no type in rule). Norton did not find the main virus, but it did confirm se.dll as the main area of focus. Norton's (on the Internet) does not remove viruses from your computer, but it does give you a nice list of their locations. I used Windows Explorer to remove all of those listings (of course you have to set the view so you can see all the hidden files) and then used regedit to remove any references to those same programs in the registry. Using this process a few times, I finally got it down to se.dll and one other virus.

    HOW TO FIND VIRUS
    From one of the postings I found information that the main virus exhibits no virus activity except to check to see if SE.DLL has been removed and then replace it which explains why the anti virus programs have not been finding it. When he said that the master program changed its name randomly and lived in the Windows\System32\ directory and would be close to the size of the se.dll file (32k) I started to have hope. Looking for a less than 50K file that has a very recent date brought up a file with a random name that just begged to be removed (moved it to my dummy folder first, just as a precaution). At this point, I could now rename or remove se.dll from its home in the temp folder (without having to move it to another folder first). This gave me the proof that I needed that the proper file had been removed.

    At this point, it was time to again remove se.dll from the StartUp using msconfig and go into the registry and remove all of the references to se.dll and nowfind.net and also any references to the randomly named parent virus file. This time they stayed removed.

    I had read many postings regarding this virus, but none were as helpful as the response by one of the Major Geek members (wish I could remember his name) Again thanks for the great detective work.
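    Editor's added example (not the poster's own method or code): a read-only triage script for the loader-hunting step described in the post above, which looks for a freshly modified DLL in system32 that is about the size of se.dll. It lists every *.dll in a directory that is at most 50 KB and was modified within the last week, newest first, and nothing more; a hit is a candidate to check against an up-to-date scanner or a known-good hash, not a verdict, and the post's own practice of moving the file to a holding folder before deleting it is the safer order. The directory and its files are a constructed fixture built by `build_sample_dir()` so the script runs anywhere; on a real machine you would point `recent_small_dlls()` at the system32 folder instead.

```python
import os
import tempfile
import time
from pathlib import Path


def recent_small_dlls(directory, max_bytes=50 * 1024, max_age_days=7, now=None):
    """List (name, size_bytes, age_days) for *.dll files in `directory` that are at most
    max_bytes and were modified within max_age_days, newest first. Read-only: nothing is
    moved, renamed or deleted; the list is a starting point for a closer look."""
    now = time.time() if now is None else now
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file() or not entry.name.lower().endswith(".dll"):
            continue
        st = entry.stat()
        age_days = (now - st.st_mtime) / 86400
        if st.st_size <= max_bytes and age_days <= max_age_days:
            hits.append((entry.name, st.st_size, int(age_days)))
    return sorted(hits, key=lambda h: h[2])


def build_sample_dir():
    """Constructed fixture standing in for system32: a throwaway directory whose files
    mimic the sizes and dates the post above describes (two names taken from this thread)."""
    d = Path(tempfile.mkdtemp(prefix="sys32-triage-"))
    now = time.time()

    def put(name, size, age_days):
        p = d / name
        p.write_bytes(b"\0" * size)
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))

    put("kjedj.dll", 32 * 1024, 0)       # small and modified today
    put("hlpadm.dll", 30 * 1024, 1)      # small and modified yesterday
    put("bigvendor.dll", 900 * 1024, 0)  # recent but far above the size band
    put("oldlib.dll", 20 * 1024, 400)    # small but untouched for over a year
    put("setup.exe", 10 * 1024, 0)       # not a DLL at all
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, size, age in recent_small_dlls(sample):
        print(f"{name:<16} {size:>7} bytes  modified {age} day(s) ago")
```

Size and modification date are weak signals on their own (a legitimate update drops small, new DLLs too), which is why the function returns candidates rather than acting on them; the combination the post relies on is the date, the size band and the randomly generated name, and the last of those is a judgement call the script leaves to the reader.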
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying instead of renaming
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    you renamed this:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT


    But if you had denied the change, why do you have a problem!

    Disable Spybot's Teatimer function and then fix your problem:

    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.
    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked.
    Now quit Spybot!
     
    Last edited: Mar 16, 2005
  33. jovo

    jovo Private E-2

    Howdy,

    No, I renamed HKLM\software\microsoft\windows to HKLM\software\microsoft\NOTwindows! Now when I try and rename it back an error message appears saying "Error renaming" !!

    Any suggestions?

    Jovo
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I said previously! Disable Spybot's Teatimer! Is that who the error message comes from?

    Perhaps it did not even get renamed if you had denied it. Reload Reglite and look at it again.
     
  35. jovo

    jovo Private E-2

    It is a Windows error message. I've disabled TeaTimer and unchecked the only IE tweak in SBSD.

    I've quit Reglite and restarted it again and the key is renamed to NotWindows!! Also if I right click on NotWindows and go properties, then permissions the two checks at "Read" & "Full control" are greyed out. Whereas other keys have these checks active (green).

    Can I make some sort of complete registry backup as it is now? Then edit it in a text editor and restore this modified/ corrected registry back? I'm a muppet because I hadn't thought of making a backup before starting to screw with it. And of course my Sys Restore is turned off because I've been advised to do this.

    Am I up a creek without the proverbial paddle good buddy? :^)

    Jovo
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you use the Take Ownership button in Registrar Lite?

    Right click on the NotWindows entry in Registrar Lite. Then select Export and save this registry key to a file.

    Put that file into a zip file and upload it here. Hopefully it is small enough to be able to upload but I tend to doubt it.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, when you get to the Permissions window, click Advanced and then in the next window try to Edit (using the Edit button) your user permission to get full control back.
     
  38. jovo

    jovo Private E-2


    OK, it is too big at 213 KB! The StartDreck one is attached though. It seemed to go missing last night?

    Also in Windows Explorer, "My Doc's" folder has moved to below the listings on the left side whereas it was just below Desktop previous to my blunder. I tried accessing my network to try and copy this zip file over and Windows prompted me for the "Windows XP profess and Front page disc". I cancelled out and transferred the file via floppy disc rather!

    I will try the permissions option next.

    Jovo
     

    Attached Files:

  39. jovo

    jovo Private E-2

    I clicked Take Ownership and the message confirmed that Administrator had successfully taken ownership.

    No joy yet on the permissions attempt, I'm still getting the same error after rename attempt! I'm really in the dark here! I don't have a clue what effect my actions are going to have. Ideally I need precise instructions on how to undo this.

    If I had correctly followed through with your instructions I guess I would have had the same problem? Have you never heard of this happening before? Where do I go from here?
     
  40. shambala

    shambala Private E-2

    After reading the posted spyware problems for a few months now, here goes my first Reply. I have been cleaning malware from people's systems as part of my day job for three months now. To get rid of se.dll, I use Pocket Killbox (Google it).

    Hope this helps,

    Shambala
     
  41. jovo

    jovo Private E-2

    Chaslang,

    Any advice on what I should do?
     
  42. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Thank you for your response but we have the situation under control. Thanks!
     
  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please be patient, Chaslang is really busy at the moment and will be back when time permits. I requested him for assistance in this thread so I want him to finish up with it, I dont want to barge in the middle of his fixes. I hope you understand:)

    Hang in there!
     
  44. jovo

    jovo Private E-2

    Yep, no worries. I didn't mean to break protocol! Just very anxious.

    I bet you guys are very tied up. Keep up the good work.

    I'll be here.
     
  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a lot more to learn! Pocket Killbox will not fix the problem because se.dll is not the root of the problem. There are hidden loader files that must first be found and then removed. Then you can fix the other issues like se.dll.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well one thing we want to avoid doing is rebooting because it probably will not boot up properly since your Windows entry in the registry would be missing.

    You could load the registry file you exported into an editor like Wordpad (it may be too large for notepad) and then very carefully change all occurrences of NotWindows back to Windows. The easiest way to do this is to load the file and click Edit and then Replace. In the Find what: box enter NotWindows (make sure you enter the exact string you changed to). Then in the Replace with: box enter Windows. Now click Replace All. Now Save the file.

    Then double click on the file and allow it to add the changes into your registry. Then use Registrar Lite and look to see that you now have both the NotWindows key and the Windows key back. And I'm not sure if this will work though because whatever is preventing you from making the change using Registrar Lite could prevent this merge back into the registry.
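    Editor's added example covering two steps in this thread (not chaslang's, Registrar Lite's or regedit's own code): the AppInit_DLLs inspection asked for in reply 27 and the exported-key repair described above. Both work on the text of a regedit-style `.reg` export, which is an assumption about what Registrar Lite writes; regedit itself saves such files as UTF-16, so read them with `encoding="utf-16"`. `appinit_dlls()` reports what is listed under the key chaslang named (a DLL there is loaded into every process that links user32.dll, which is why it survives ordinary cleanup). `rename_key_prefix()` does the Replace All more narrowly: it rewrites only the `[...]` key header lines at or below the mistyped path, leaves value data alone, and matches the key name case-insensitively, since the thread shows both `NotWindows` and `NOTwindows` and a case-sensitive Replace All would miss one of them. Both exports below are constructed samples.

```python
import re

KEY_HEADER = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Key chaslang pointed Registrar Lite at; AppInit_DLLs under it is loaded into
# every process that links user32.dll.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed export (regedit-style text), modelled on the value quoted in this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\windows\\system32\\hlpadm.dll"
"DeviceNotSelectedTimeout"="15"
'''

# Constructed export of a key renamed by mistake; one subkey uses the other casing
# seen in the thread, which a case-sensitive Replace All would miss.
SAMPLE_RENAMED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NotWindows]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NOTwindows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"
'''


def unescape_reg_string(data):
    """Turn a quoted REG_SZ literal from a .reg file into the stored string; None if not a string."""
    if not (data.startswith('"') and data.endswith('"')):
        return None  # dword:, hex:, ... are not handled here
    return re.sub(r"\\(.)", r"\1", data[1:-1])


def parse_reg(text):
    """Map each [key path] to {value name: raw data literal}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_HEADER.match(line)
        if m:
            current = m.group("path")
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def appinit_dlls(text):
    """DLL paths listed in AppInit_DLLs (space- or comma-separated); [] when the value is clear."""
    raw = parse_reg(text).get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    value = unescape_reg_string(raw) if raw else ""
    return [p for p in re.split(r"[ ,]+", value or "") if p]


def rename_key_prefix(text, wrong, right):
    """Rewrite only [key] header lines whose path is `wrong` or lies beneath it (case-insensitive)."""
    out = []
    for line in text.splitlines():
        m = KEY_HEADER.match(line)
        if m:
            path = m.group("path")
            if path.lower() == wrong.lower() or path.lower().startswith(wrong.lower() + "\\"):
                line = "[" + right + path[len(wrong):] + "]"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("AppInit_DLLs:", appinit_dlls(SAMPLE_REG) or "(clear)")
    print(rename_key_prefix(SAMPLE_RENAMED,
                            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NotWindows",
                            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"))
```

The repaired text is what you would save as a `.reg` file and merge, as the reply above describes; the original export stays untouched so there is a copy to fall back on. An empty list from `appinit_dlls()` is the "Is it blank?" check chaslang asks for in reply 29.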
     
  47. jovo

    jovo Private E-2

    Thanks Chaslang,

    Before I proceed, how confident are you that this will work on a scale of one to ten?

    I could leave my PC on until such time as you or someone else you may know can be sure of success! Do you know someone in support at resplendence.com who you could get advice from?
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This has nothing to do with Registrar Lite! It has to do with Windows and the way it operates. I do not understand why it let you change it from Windows to NotWindows but not the reverse.

    How confident! I'm not sure it will even let you merge the change in.

    I'm asking another helper here on MG's to take a look. Hopefully he can help! Watch for Adrynalyne!
     
  49. jovo

    jovo Private E-2

    Right, again thanks for your efforts!
     
  50. jovo

    jovo Private E-2

    Hi,

    I did as you suggested and replaced all NotWindows with Windows in notepad.
    Saved file as Windows.reg and double clicked it to add it to the registry. Seems to have worked. At least, Reglite shows it after a couple of exits and reloadings.

    Now then, I've not deleted the NotWindows Key...should I?

    I am going to leave my PC on over night so that tomorrow when I come to the forum I can see what new/ different advice there may be.

    See you guys later. Many thanks. :)
     
