302 Posts

February 26th, 2005 23:00

I have a few comments here, then I am going to post a fix step in a separate post.
I have been looking at this on win98. This is typical of what I have been seeing. A file in this key with a random value, random file name, and varying extensions. I am going to offer a fix step based on work done by another first responder at CastleCops.
»RunServicesOnce
**dz=rundll32 C:\WINDOWS\HPDJ61R2.INI,DllGetClassObject
 
The instructions I will post have windows 98 dos boot instructions. I am assuming you have created an ME boot disk and know how to use it, so you will need to substitute those steps for getting to the dos prompt. If you do not know how to do that, post back and I will give you a set of instructions to try based on killbox because I don't have the time right now to research and write up boot disk creation and dos bootup for ME.
 
If you feel like you are having a lot of trouble with the se.dll, another step you can add, right before rebooting to dos is
regsvr32 /u c:\windows\temp\se.dll
 
Since I don't have an hjt log to look at, here are some comments in that regard.
First be sure you are using the most current version 1.99.1
If you are not, install it before going further.
If you type in merijn on google, you can get to his site and download links.
 
Second, you are going to have to review the log, both before you boot to dos and after the rest of the fix and fix some lines. These may not all be present but the pattern you are looking for, and you will need current hjt versions to see it all, is
R0, R1 lines with about:blank, oldhomesp, or assorted cws pages.
An O2 line with an odd dll. The clsid on that line will likely come up on google with no hits. (Fixing this line usually deletes the related dll file - see the hjt tutorial at bleeping computer, which is why I have not asked you to hunt it out and delete it. I have also had feedback a number of times that that dll is not available to delete when the user looked for it.)
An O4 line with se and or sp dll in it.
Two O18 lines with the same dll file in the O2 line.
You will want to have hjt fix all of those lines.
 
Also, if you have the registry locked with a protection program, it will probably prevent these steps from working. It would be best if you disable programs of that nature before attempting to fix this problem.
 
 
Regards.
cg

Message Edited by cghost on 02-26-2005 07:57 PM

302 Posts

February 27th, 2005 00:00

Hi,
If you want to unregister se.dll,
use the start button, go to run, type in the command, click ok.
Run hjt, find and fix any lines like I discussed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(substitute your ME boot disk steps)
=Using the start button at the lower left of the screen, use the shutdown menu to reboot to the dos prompt.
** You should be at c:\windows>
*** Type in ren C:\WINDOWS\HPDJ61R2.INI HPDJ61R2.III  [enter] [case doesn't matter]
*** Type in: cd temp  [enter]
** At c:\windows\temp>
*** Type in:  ren se.dll se.ddd    [enter]
----------------------------------
** Reboot to normal mode.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
=Backup the registry to give a recovery point in case there is a problem.
** How to:  http://support.microsoft.com/kb/256419/EN-US/
=Copy the text below between the
========
========
lines into notepad. Do NOT include the ===== lines in the notepad file.
Save the file to your desktop as fixprob.reg, filetype all files.
Click on the file, say ok when it asks about merging it to the registry.
=====================
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\New Windows]
[-HKEY_CLASSES_ROOT\CLSID\{B9C571E2-8438-11D9-9E96-0004A58CF316}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B9C571E2-8438-11D9-9E96-0004A58CF316}]
[-HKEY_CLASSES_ROOT\CLSID\{D55E43D0-8438-11D9-9E96-00044DD7FB1D}]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sp"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
=====================
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
=Reboot the computer to normal mode.
=Scan with hijackthis.
** Look for R1 R0 lines that contain about:blank.
** Look for O2 and O18 lines similar to these:
** O2 - BHO: (no name) - {72C1E790-83E5-11D9-B9CA-444521736B49} - C:\WINDOWS\SYSTEM\MBJ.DLL
** O18 - Filter: text/html - {72C1E78F-83E5-11D9-B9CA-4445AC01E737} - C:\WINDOWS\SYSTEM\MBJ.DLL
** O18 - Filter: text/plain - {72C1E78F-83E5-11D9-B9CA-4445AC01E737} - C:\WINDOWS\SYSTEM\MBJ.DLL
 
** Look for an O4 line similar to this:
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
Fix any of those lines that are present.
=Delete the two files which you renamed above.
=Reboot the computer to normal mode.
=Run and post new hjt and startdreck logs.
Regards.
cg

Message Edited by cghost on 03-11-2005 09:21 AM

9 Posts

February 27th, 2005 16:00

Hi cghost,

Thanks for the help. Unfortunately it is my system at work that I have the problem with. I will do all as you have stated on Monday. Although I know I have tried most if not all of what you stated. I have been informed the file HPDJ61R2.INI is suspicious and I have been asked to remove it from the windows/system folder, which never seemed to exist yet startdreck lists it. I have been watching a guy on another forum with exactly the same problem only his file is called BACKGRRD.GIF and he has tried to find it and it does not exist. (Is this perhaps a spawner of a spawner that mysteriously appears then disappears?)
As I have stated I will try all of what you have stated on Monday and will be monitoring the success of the other forum.

Thanks again for your help

9 Posts

February 27th, 2005 18:00

Just looked at another forum and a guy has managed to remove the third file which apparently is the spawner. In my startdreck list it is the HPDJ61R2.INI which is missing in the C:\windows\system folder here is his findings.

IT WORKS!!!! IT WORKS!!!!!!! I DELETED IT!!!!

ok i'm back.......

here is what happened:

1. i followed ur step till c:\windows>:

c:\windows>attrib -s -h -r backgrrd.gif (this file is his hidden spawner)

c:\windows>del backgrrd.gif

(*nothing happen, no message or stuff so i tried this....*)

c:\windows>attrib -s -h -r backgrrd.gif
file not found - backgrrd.gif

c:\windows>del backgrrd.gif
file not found

and then i went back to windows, when it is loading the windows main screen a warning windows appeared said:

----Error loading c:\windows\backgrrd.gif
----The system cannot find the file specified

and now when i open a new IE windows, there is no "Iexplore" appears in the taskmanager menu anymore!!!! i guess that problem is fixed then...... yeah! but now how do i get rid of the above warning?

Im not sure this is a total solution as I cannot try it till I am in work tomorrow.
I will let you know more tomorrow

Message Edited by bustagut on 02-27-2005 02:39 PM

9 Posts

February 27th, 2005 19:00

If this removes it, I would recommend everyone to start using firefox browser and you will not get infected again. I believe I picked it up trying to download from a certain www.****finder.com (MP3 site) beware if you use it. How do I know - well two computers in work got infected while a friend and I were trying to download the same file at the same time. (YOU HAVE BEEN WARNED)

Message Edited by bustagut on 02-27-2005 03:29 PM

302 Posts

February 28th, 2005 14:00

Hi,

I have edited this post to try to make it more useful to others reviewing this thread.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Obtaining startdreck:
Download: "StartDreck", from here:
http://www.niksoft.at/_data/startdreck.zip
Unzip to its own folder and start the program,
Press 'Config'
Press 'Unmark All'
Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'
Press 'Save' and select the location to save the log file
(default is the same folder as the application)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
The problem file revealed by startdreck:
»RunServicesOnce
**dz=rundll32 C:\WINDOWS\HPDJ61R2.INI,DllGetClassObject

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Based on some feedback I have received, I have modified my post to delete the files in dos mode instead of renaming them.
 
Fix these lines in your hijackthis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D5F192C2-8AB6-11D9-BDE5-0020B41CE7A5} - C:\WINDOWS\SYSTEM\FAFAKLA.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {D5F192C1-8AB6-11D9-BDE5-002044CE79D2} - C:\WINDOWS\SYSTEM\FAFAKLA.DLL
O18 - Filter: text/plain - {D5F192C1-8AB6-11D9-BDE5-002044CE79D2} - C:\WINDOWS\SYSTEM\FAFAKLA.DLL
-----------------------------
I did not realize this when I made my original post, but the clsid entries in the registry file should also be changed.
Changing clsid entries in the registry fix file:
Take note of the clsids in the O2 and O18 lines above. The clsid in the O2 line goes in the first two registry file lines below.
If the O18 lines have a different clsid, that should be entered in the third line, otherwise you can remove it.
(If you do delete the line, be sure to keep one blank line between each information line.)

So in bustagut's case, I should have modified the clsids to correspond to those presented in his HijackThis log.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reboot the system to a dos prompt:
=In Windows 98:
==Using the start button at the lower left of the screen, use the shutdown menu to reboot to the dos prompt.
=In Windows Millennium:
==Use a startup/boot diskette.
*** How to make one:
*** http://www.microsoft.com/windowsme/using/computerhealth/tips/bootdisk.asp
 
In my instructions below:
[space] = press spacebar to put in one space.
[enter] = press the enter key.
 
=Delete the problem files:
** If you are using windows98 you should be at c:\windows>
** If you are using windows ME you should be at a:\>
** (Windows ME users-do NOT do this at the dos prompt you can get in the accessories menu within windows-It will not work from that location.)
*** Type in:  attrib[space]-r[space]-s[space]-h[space]C:\WINDOWS\HPDJ61R2.INI[enter]
*** Type in:  del[space]C:\WINDOWS\HPDJ61R2.INI[enter] {The case of the entries does not matter.}
*** Type in:  attrib[space]-r[space]-s[space]-h[space]C:\WINDOWS\temp\se.dll[enter]
*** Type in:  del[space]c:\windows\temp\se.dll[enter]      {The case of the entries does not matter.}
----------------------------------
 
** Reboot to normal mode.
(windows 98 users can type exit at dos prompt and press enter.)
(windows ME users remove startup diskette and restart machine.)
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
=Backup the registry to give a recovery point in case there is a problem.
** How to:  http://support.microsoft.com/kb/256419/EN-US/
 
=Copy the text below between the
========
========
lines into notepad. Do NOT include the ===== lines in the notepad file.
 
Save the file to your desktop as fixprob.reg, filetype all files.
Click on the file, say ok when it asks about merging it to the registry.
 
=====================
REGEDIT4
 
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\New Windows]
 
[-HKEY_CLASSES_ROOT\CLSID\{B9C571E2-8438-11D9-9E96-0004A58CF316}]
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B9C571E2-8438-11D9-9E96-0004A58CF316}]
 
[-HKEY_CLASSES_ROOT\CLSID\{D55E43D0-8438-11D9-9E96-00044DD7FB1D}]
 
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
 
[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sp"=-
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
=====================
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
=Reboot the computer to normal mode.
 
=Scan with hijackthis.
** Look for R1 R0 lines that contain about:blank.
** Look for O2 and O18 lines similar to these:
** O2 - BHO: (no name) - {72C1E790-83E5-11D9-B9CA-444521736B49} - C:\WINDOWS\SYSTEM\MBJ.DLL
** O18 - Filter: text/html - {72C1E78F-83E5-11D9-B9CA-4445AC01E737} - C:\WINDOWS\SYSTEM\MBJ.DLL
** O18 - Filter: text/plain - {72C1E78F-83E5-11D9-B9CA-4445AC01E737} - C:\WINDOWS\SYSTEM\MBJ.DLL
 
** Look for an O4 line similar to this:
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
Fix any of those lines that are present.
 
=Reboot the computer to normal mode.
 
=Run and post new hjt and startdreck logs.
=======================================================
 
If you have trouble deleting the files in the dos mode above, you can try this as an alternative:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
=Please go here and download the killbox program:
**   http://www.subratam.org/?page=removal
 
=Be sure you can see hidden files and folders:
**  [How to: http://www.bleepingcomputer.com/forums/tutorial62.html ]
**  [or here: http://www.xtra.co.nz/help/0,,4155-1916458,00.html ]
**  [When you finish repairs, it is important to rehide your system files so you do not accidentally delete one later.]
 
=Open Killbox that you previously downloaded.
 
=First pass:
** Check the following boxes:
*** Standard File Kill
*** End Explorer Shell While Killing file
Copy & paste the full path of each of the files below into the Killbox topmost box.
C:\WINDOWS\(your file from startdreck)
C:\WINDOWS\TEMP\se.dll
With the full path to the file name in the topmost textbox. Click the Red X ...and for the confirmation message that will appear, you will need to click Yes
Do this for each of the files listed above. If any of those are not deleted make a list of them.
After you have gone through the list once, go to second pass if there were any files you were unable to delete.
 
=Second pass:
** Reopen Killbox.
** Check the following boxes:
*** Delete on Reboot
With the full path to the file name in the topmost textbox. Click the Red X ...and for the confirmation message that will appear, you will need to click Yes
A second message will ask to Reboot now? Answer No until you have entered the last file which you need to reenter for the second pass.
Click Yes for reboot when you have entered the last file which you need to reenter.
Then reboot to normal mode.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
If you happen to have other coolwebsearch variants on your machine too, this site contains some tutorials for removing some of the other variants:
http://www.bleepingcomputer.com/forums/forum55.html
There is a good hijackthis tutorial here:
http://www.bleepingcomputer.com/forums/tutorial42.html
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
When you start trying to fix your computer, if you need help, there are many good forums out there.
Here are three that I can recommend:
http://forum.malwareremoval.com/
http://www.bleepingcomputer.com/forums/forum22.html
http://computercops.biz/forum67.html
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
And to help with improving your security after you get the system cleaned up:
Here are a couple of threads you can read for additional security comments:
http://computercops.biz/postt7736.html
http://www.security-forums.com/forum/viewtopic.php?t=14711
Check out additional firewall notes here:
http://www.mvps.org/winhelp2002/security.htm
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Regards.
cg

Message Edited by cghost on 03-11-2005 09:20 AM

Message Edited by cghost on 03-11-2005 09:28 AM

Message Edited by cghost on 03-14-2005 11:50 AM

Message Edited by cghost on 03-23-2005 09:46 AM
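As an added example (not code from this thread or from any of the tools it mentions), here is a script that checks a HijackThis log for the pattern cghost lists above and renders the REGEDIT4 fix with the O2 and O18 clsids substituted, as the post says should have been done in bustagut's case. The sample log is constructed from the lines quoted in the post, and the function names are my own.

```python
import re
# Constructed sample: the HijackThis lines quoted in cghost's post above.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {D5F192C2-8AB6-11D9-BDE5-0020B41CE7A5} - C:\WINDOWS\SYSTEM\FAFAKLA.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {D5F192C1-8AB6-11D9-BDE5-002044CE79D2} - C:\WINDOWS\SYSTEM\FAFAKLA.DLL
O18 - Filter: text/plain - {D5F192C1-8AB6-11D9-BDE5-002044CE79D2} - C:\WINDOWS\SYSTEM\FAFAKLA.DLL
"""
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_hjt(text):
    """Split a HijackThis log into (section, detail) pairs, e.g. ('O2', 'BHO: ...')."""
    found = (re.match(r"\s*(R[0-3]|O\d+|F\d)\s+-\s+(.*\S)", ln) for ln in text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def find_cws_indicators(entries):
    """Flag cghost's pattern: about:blank/se.dll R lines, the O4 se.dll loader, and an O2 BHO DLL reused by two O18 filters."""
    hits = {"r_lines": [], "o4_lines": [], "o2_clsid": None, "o18_clsid": None, "dll": None}
    o2, o18 = [], []
    for sec, detail in entries:
        if sec in ("R0", "R1") and ("about:blank" in detail.lower() or "se.dll" in detail.lower()):
            hits["r_lines"].append(detail)
        elif sec == "O4" and "se.dll" in detail.lower():
            hits["o4_lines"].append(detail)
        elif sec in ("O2", "O18") and (m := CLSID_RE.search(detail)):
            (o2 if sec == "O2" else o18).append((m.group(0).upper(), detail.rsplit(" - ", 1)[-1].upper()))
    for clsid, dll in o2:  # the BHO whose DLL also backs both MIME filters is the CWS component
        filters = [c for c, d in o18 if d == dll]
        if len(filters) >= 2:
            hits.update(o2_clsid=clsid, o18_clsid=filters[0], dll=dll)
            break
    return hits

def build_reg_fix(o2_clsid, o18_clsid=None):
    """Render the post's REGEDIT4 fix with the clsids filled in; the extra CLSID key is emitted only when O18 differs."""
    hklm, hkcr = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\", "HKEY_CLASSES_ROOT\\"
    wcv = hklm + "Windows\\CurrentVersion\\"
    keys = ["-HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\New Windows",
            "-" + hklm + "Internet Explorer\\New Windows", "-" + hkcr + "CLSID\\" + o2_clsid,
            "-" + wcv + "explorer\\Browser Helper Objects\\" + o2_clsid]
    if o18_clsid and o18_clsid != o2_clsid:
        keys.append("-" + hkcr + "CLSID\\" + o18_clsid)
    keys += ["-" + hkcr + "PROTOCOLS\\Filter\\text/html", "-" + hkcr + "PROTOCOLS\\Filter\\text/plain",
             "-" + wcv + "Uninstall\\SearchAssistant Uninstall"]
    lines = ["REGEDIT4", ""] + [x for k in keys for x in ("[%s]" % k, "")]
    lines += ["[%sRun]" % wcv, '"sp"=-', "", "[-%sRunServicesOnce]" % wcv, "", "[%sRunServicesOnce]" % wcv, ""]
    return "\r\n".join(lines)  # CRLF, as Notepad on Win9x expects
```

Run `build_reg_fix(**{k: v for k, v in find_cws_indicators(parse_hjt(log)).items() if k.endswith("clsid")})` on a real log and save the result as fixprob.reg; if no O2/O18 pair is found the clsid fields stay None and no fix should be generated.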
