ewizard.cc popups and se.dll

Discussion in 'Malware Help (A Specialist Will Reply)' started by ShadowFlame, Apr 8, 2005.

  1. ShadowFlame

    ShadowFlame Private E-2

    How do I get rid of both?
    I can't play games anymore because those annoying popups come every 5 minutes!!!!

    And I just can't get rid of them... :rolleyes:
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    se.dll is usually part of the about:blank hijacker!

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. ShadowFlame

    ShadowFlame Private E-2

    here is my log.........
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just as I suspected, you have the AB Hijacker!

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    DO THE ABOVE BEFORE YOU PROCEED TO THE REST OF THIS FIX!

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Messenger Plus! 3

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    MsgPlus.exe

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Javier\CONFIG~1\Temp\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Javier\CONFIG~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {35CF99DB-6F31-4A5C-B5E8-47CA27682860} - C:\WINDXP\System32\mhbde.dll

    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Javier\CONFIG~1\Temp\se.dll,DllInstall

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
    O18 - Filter: text/html - {7A8B4DAA-B436-4EBE-931D-2B7725BDF8B1} - C:\WINDXP\System32\mhbde.dll
    O18 - Filter: text/plain - {7A8B4DAA-B436-4EBE-931D-2B7725BDF8B1} - C:\WINDXP\System32\mhbde.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Download Pocket KillBox

    Now, Copy and Paste C:\DOCUME~1\Javier\CONFIG~1\Temp\se.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDXP\System32\mhbde.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Archivos de programa\Messenger Plus! 3 ←–– Delete this whole folder if it exists!

    se.dll ←–– Search for this file and delete if found!

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing ALL of the above,
    Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  5. ShadowFlame

    ShadowFlame Private E-2

    Here's the log
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log is clean!

    Are you having any further problems?
     
  7. ShadowFlame

    ShadowFlame Private E-2

    Nope, I guess Msn Plus was causing all of this!!

    Thanks!!!!
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, that's a real baddie!

    Glad things are running better.

    You should see this article on How to Protect yourself from malware!
     
  9. ShadowFlame

    ShadowFlame Private E-2

    I guess that it's back again!!! =(

    Do I post my HJT log?
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you don't update your OS you will continue to have these problems. Go ahead and attach a HJT log.
     
  11. ShadowFlame

    ShadowFlame Private E-2

    Should I install Windows XP SP2?
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, it's a required update; until you update you will continue to have problems.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 26.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC, and then you MUST exit all browsers and DO NOT run any again until requested. Run this procedure from start to finish with no interruptions.

    Okay, unplug your internet connection and exit browsers now!!!!
    Please run HijackThis and click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Javier\CONFIG~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Javier\CONFIG~1\Temp\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {FD02DC24-250E-446B-A217-9E534164D6CF} - C:\WINDXP\system32\ondjb.dll (file missing)

    O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Javier\CONFIG~1\Temp\se.dll,DllInstall

    O18 - Filter: text/html - {B4FDBF68-BA64-47BA-B7F2-90ECC835256B} - C:\WINDXP\System32\ondjb.dll
    O18 - Filter: text/plain - {B4FDBF68-BA64-47BA-B7F2-90ECC835256B} - C:\WINDXP\System32\ondjb.dll


    Then exit HJT after clicking FIX (make sure you clicked Fix)

    Run Windows Explorer and look for and try to delete (sort the listing in Windows Explorer by Modification Date or Date Created and look for possibly other similarly named files from the same date - let me know if you find others even if they have different 3 character extensions like .dat, .ini, .dll, .exe but DO NOT delete anything on your own.):

    C:\WINDXP\System32\ondjb.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here - not now - later).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact, as an additional measure, run CCleaner that you installed while running the READ ME FIRST.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure. Do not reboot or shutdown after posting your log!

    Let me know anything else that you notice.
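    As an added example (not a tool from this thread, from HijackThis, or from MajorGeeks), the following Python script parses HijackThis-style log lines like the ones bjgarrick lists in posts #4 and #13 above and flags the combination that characterises the about:blank / se.dll hijacker: R0/R1 start and search pages set to about:blank or to a res:// URL inside a DLL, an O4 Run key that loads a DLL from a Temp folder via rundll32 ...,DllInstall, O18 text/html and text/plain MIME filters, and an unnamed O2 BHO backed by the same DLL as those filters. The embedded sample input is the log lines quoted in post #4; the indicator names, regular expressions and function names are this example's own assumptions, not HijackThis terminology. The script only reports and lists the implicated files; removal stays with the tools the thread names.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: HijackThis lines quoted in the thread above (post #4).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Javier\CONFIG~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.com
O2 - BHO: (no name) - {35CF99DB-6F31-4A5C-B5E8-47CA27682860} - C:\WINDXP\System32\mhbde.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Javier\CONFIG~1\Temp\se.dll,DllInstall
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O18 - Filter: text/html - {7A8B4DAA-B436-4EBE-931D-2B7725BDF8B1} - C:\WINDXP\System32\mhbde.dll
O18 - Filter: text/plain - {7A8B4DAA-B436-4EBE-931D-2B7725BDF8B1} - C:\WINDXP\System32\mhbde.dll
"""

# Line shapes assumed from the log excerpts on the page (hypothetical patterns, not HJT's own).
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
DLL_PATH = re.compile(r"[A-Za-z]:\\[^\s\"]+?\.dll", re.IGNORECASE)
O18_FILTER = re.compile(r"^Filter: (?P<mime>\S+) - \{[^}]+\} - (?P<path>.+)$")
O2_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.+)$")


@dataclass(frozen=True)
class Entry:
    kind: str  # HJT section tag, e.g. "R1", "O4", "O18"
    body: str  # remainder of the line after "Rn - " / "On - "


def parse_hjt(text: str) -> list[Entry]:
    """Parse HijackThis-style log lines; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def find_indicators(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Return (indicator, entry) pairs for the about:blank hijacker pattern.
    Indicator names are this example's own labels."""
    findings: list[tuple[str, Entry]] = []
    filter_dlls: set[str] = set()     # DLLs backing text/html or text/plain filters
    bho_dlls: dict[str, Entry] = {}   # DLLs backing unnamed BHOs
    for e in entries:
        low = e.body.lower()
        if e.kind[0] == "R":
            # IE page settings pointing at about:blank or a res:// page inside a DLL
            if low.endswith("= about:blank"):
                findings.append(("ie_page_about_blank", e))
            elif "= res://" in low and ".dll/" in low:
                findings.append(("ie_page_res_dll", e))
        elif e.kind == "O4":
            # Run key that loads a DLL from a Temp folder through rundll32 ...,DllInstall
            if "rundll32" in low and re.search(r"\\temp\\[^\\\s]+\.dll,dllinstall", low):
                findings.append(("run_key_rundll32_temp_dll", e))
        elif e.kind == "O18":
            # MIME filters on text/html and text/plain let a DLL rewrite every page
            m = O18_FILTER.match(e.body)
            if m and m["mime"] in ("text/html", "text/plain"):
                filter_dlls.add(m["path"].lower())
                findings.append(("mime_filter_hook", e))
        elif e.kind == "O2":
            m = O2_BHO.match(e.body)
            if m and m["name"] == "(no name)":
                bho_dlls[m["path"].lower()] = e
                findings.append(("unnamed_bho", e))
    # Correlation: an unnamed BHO and the MIME filters served by one DLL
    for path, e in bho_dlls.items():
        if path in filter_dlls:
            findings.append(("bho_shares_dll_with_mime_filter", e))
    return findings


def implicated_files(findings: list[tuple[str, Entry]]) -> set[str]:
    """Collect every DLL path referenced by a flagged entry, lower-cased."""
    paths: set[str] = set()
    for _, e in findings:
        for p in DLL_PATH.findall(e.body):
            paths.add(p.lower())
    return paths


if __name__ == "__main__":
    hits = find_indicators(parse_hjt(SAMPLE_LOG))
    for tag, entry in hits:
        print(f"{tag:34} {entry.kind} - {entry.body}")
    print("files to remove with the tools named in the thread:")
    for p in sorted(implicated_files(hits)):
        print("  ", p)
```

    The single strongest signal is the last one: a BHO with no name whose DLL is also registered as the text/html and text/plain filter, which is what lets the hijacker rewrite the start page faster than it can be reset. The O4 entry explains why the page "comes back" after a fix while se.dll still exists in the Temp folder, which is why the thread deletes that file on reboot rather than just fixing the registry lines.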
     
  14. ShadowFlame

    ShadowFlame Private E-2

    OK, I'll try this when I get a printer!!!
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Because ALL browsers MUST be closed or this will be impossible to remove.

    Will be awaiting a response.
     
