About:Blank..se.dll..hijacker..etc

Are you sure you properly changed ALL occurrences of NotWindows to Windows?

Do not delete the other key yet and do not reboot yet?

I want you to try the below first. We were trying to rename the HKLM\software\microsoft\NOTwindows key by taking permission of it. Adrynalyne suggested to me that we select HKLM and take ownership at that level. Try that! But obviously since you already merged in a new Windows registry hive you cannot rename NotWindows to Windows. So try changing it to OldWindows and see what happens.

 

Okay! At some point we will have to delete the OldWindows registry hive but not yet. It would be a good idea to use Erunt to backup your registry since you are familiar with this program.

You still have the original problem we were trying to fix. I need you to go back to what I gave you in message #27 and what you answered in message #28 to see if the AppInit_DLL still exist and to see what it is named now (it could have changed).

Then you would procede to msg #29 and be careful to execute that step properly.

Let me know when you complete this.

 

Did you erase the AppInit_DLLs entry while it was renamed to Not Windows?

 

Yes I remember. We need to get the AppInit_DLL entry removed.

Try fixing it again but this time do it in the real key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and in the one we named OldWindows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OldWindows NT\CurrentVersion\Windows\\AppInit_DLLs

Then reload reglite. Is it gone in either of them?

Also try this:
Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file appfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the appfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes

Now use Registrar Lite again and tell me if the same filename appears in AppInit_DLLs or is it gone.

 

NO!!! Only the value that it there is to be erased. The AppInit_DLLs key is required.

Read all of the below before proceding.

I think it is time we reboot this system and run the same commands to erase that AppInit_DLLs entry from safe mode.

And while in safe mode after erasing the entry but before renaming the registry key back to Windows. Locate the c:\windows\system32\hlpadm.dll file. And first right click on it and get Properties and Version information. Let's see if there is a company name associated with it. Then try renaming the file (by right clicking on it and selecting rename) to hlpadm.ddd.

Then change the registry key back to Windows. Now see if the AppInit_DLLs field is empty.

Then reboot in normal mode and post a new HJT log and tell me what happened. Double check the AppInit_DLLs field after reboot too.

 

Did you look for it in safe mode after changing the Windows registry key to NotWindows?

Are you using this PC to send messages here now?

 

Okay rename the Registry Key back! And tell me if you can see the file now.

Windows Search will not show hidden/system files unless setup correctly (similar to what we did for Windows Explorer).


If you use Search, you need to do the following:
Click Search and the Select "All files and folders"
Enter the filename in the "All or part of the file name:" box
Now select "More advanced options"
Make sure the following check boxes are checked:
- Search system folders
- Search hidden files and folders
- Search subfolders
Then click the Search button.

 

Okay while still in safe mode look for the below two files and if found, try to delete them:

C:\Documents and Settings\Administrator\Local Settings\Temp\se.dll
C:\WINDOWS\system32\fipa.dll

Tell me the results. Then reboot to normal mode and post a new HJT log.

 

Do you see this file now:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll

 

Since NAV is apparently not doing a complete job in fixing the problem all it ends up doing is getting in the way of us properly fixing the problem. I think we are going to have to uninstall NAV and maybe Spybot too (if it is blocking things) so we can bring everything to the surface and fix it. We are not seeing what we need to see. And I'm surprised we could not fix the AppInit_DLL we saw. Perhaps Symantec was blocking that too. I would recommend leaving the PC physically disconnected (unplug cable) from the internet while we work on this since you have another PC to communicate with. Then uninstall NAV and Spybot. Reboot and post a new HJT log. And run Registar Lite and find out what is in AppInit_DLLs now.

 

Yes! It would look like you re-installed it and you would have to get any updates. But it is preventing the removal of this problem because it is not fixing the source. It is only seeing the symptom. The other approach would be for you to call them and ask them why they do not fix the problem properly. You paid for the program and expect it to work. Ask them when they are going to have a real fix.

This kind of problem happens often in trying to fix some malware infections. Sometimes the cleaning tools themselves can get in the way causing conflicts with each other or with the manual removal steps. This happens because the see the actions of the other program (or our manual steps) as typical malware actions and they block them.

 

Thanks for getting back to us with this info Jovo. Quite often we do use regsvr to unregister DLL files. For some reason I just did not think of it here. Most of the time it has not been necessary to unregister these AppInit_DLLs inorder to remove them. Your may have been a new breed that we now have come to understand.

So have you deleted the DLL file and all the SE.DLL file? And all associated bad lines are now gone from your HJT log?

 

Your log is clean. Below is the standard guideline that I recommend:

How to Protect yourself from malware!