Help please one tough Trojan

Hi there: I've got this Trojan Win32:startpage-076 that just doesn't want to be erased. I've tried Spybot, Trojan Hunter, McAfee, Ad-Aware and Avast 4.6 and none of them clean the PC.
I've got Win 98 on an OmniBook.
Avast and Ad-Aware detect the trojan (the others didn't) but neither can delete it.
With Avast, it says it can't be moved to the chest because it is a protected file.
With Ad-Aware, it starts to delete it, but the program stays with the delete window open and never finishes.
I tried deleting the TEMP files; nope, still there. I tried to do it myself with the PC explorer; nope. Any suggestions will be definitely appreciated. Thks.

What was the filename, and where was it found?
Example: (C:\windows\system32\infected-filename.xxx)

You might also try booting into Safe Mode and running Avast to see if it can be moved/deleted then.

Download HijackThis.zip - HiJackThis Tutorial
For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.

I believe it's C:\windows\temp\se.dll

Can you boot in Safe Mode and try to delete there?
Safe Mode (repeatedly press F8 while booting): http://support.microsoft.com/default.aspx?scid=kb;en-us;315222

Can you try to send the infected file to the virus chest?

Also note: Do you have McAfee and Avast! running at the same time? It's best if you disable one of them to prevent any conflict.

I put the PC in Safe Mode, deleted it through Ctrl-Alt-Supr, and after rebooting it's still there.
I tried to send it to the virus chest and it says it can't because the file is protected. (!!)

I'm trying to copy the log here but it says the message is too big (help)

This is the log

Logfile of HijackThis v1.99.1
Scan saved at 12:36:41 p.m., on 16/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARCHIVOS DE PROGRAMA\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\REAL\UPDATE_OB\REALSCHED.EXE
C:\ARCHIVOS DE PROGRAMA\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\ARCHIVOS DE PROGRAMA\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\ARCHIVOS DE PROGRAMA\ACCESORIOS\WORDPAD.EXE
C:\ARCHIVOS DE PROGRAMA\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL (file missing)
O2 - BHO: (no name) - {DE0A05A1-C2DD-11D9-881D-00108C3260C0} - C:\WINDOWS\SYSTEM\FMDM.DLL
O3 - Toolbar: @msdxmLC.dll,-1@3082,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL (file missing)
O4 - HKLM..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [internat.exe] internat.exe
O4 - HKLM..\Run: [Control Panel] smctrlw.exe
O4 - HKLM..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [avast! Web Scanner] C:\ARCHIV~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [avast!] C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mov: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .png: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin5.dll
O12 - Plugin for .asp: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/304f6832a1fc41d1bb22/netzip/RdxIE601.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4489/mcfscan.cab
O18 - Filter: text/html - {DE0A05A0-C2DD-11D9-881D-0010E37EC55B} - C:\WINDOWS\SYSTEM\FMDM.DLL
O18 - Filter: text/plain - {DE0A05A0-C2DD-11D9-881D-0010E37EC55B} - C:\WINDOWS\SYSTEM\FMDM.DLL
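To show how a defender would read a log like the one above (this is an added example, not code from the thread or from HijackThis): the R1 entries point the search page at a resource inside a DLL in TEMP, an O4 Run key reloads that same DLL with rundll32 at every boot, and the O18 MIME filters share a DLL with a nameless O2 BHO. The sample log lines below are constructed after those entries, and the triage rules are my own heuristics for that pattern.

```python
import re

# Constructed sample input, modelled on the R1 / O2 / O4 / O18 entries
# in the HijackThis log posted above (not the log itself).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {DE0A05A1-C2DD-11D9-881D-00108C3260C0} - C:\WINDOWS\SYSTEM\FMDM.DLL
O4 - HKLM..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {DE0A05A0-C2DD-11D9-881D-0010E37EC55B} - C:\WINDOWS\SYSTEM\FMDM.DLL
"""

# A drive-letter path ending in .dll; stops at whitespace or at the ','
# that separates the DLL from its rundll32 entry point.
DLL_RE = re.compile(r"[a-z]:\\[^\s,]*?\.dll", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse(log_text):
    """Yield (section, line, lowercase dll path or None) for each log entry."""
    for line in log_text.splitlines():
        sec = line.split(" - ", 1)[0]
        m = DLL_RE.search(line)
        yield sec, line, (m.group(0).lower() if m else None)


def triage(log_text):
    """Return (section, reason, dll) for entries that fit the Startpage pattern."""
    entries = list(parse(log_text))
    # DLLs registered as a Browser Helper Object with no name, remembered so
    # that an O18 MIME filter pointing at the same DLL can be tied to it.
    nameless_bho = {dll for sec, line, dll in entries
                    if sec == "O2" and "(no name)" in line and dll}
    findings = []
    for sec, line, dll in entries:
        if not dll:
            continue
        low = line.lower()
        if sec in ("R0", "R1") and "res://" in low and TEMP_RE.search(dll):
            findings.append((sec, "search/start page served from a DLL in TEMP", dll))
        elif sec == "O4" and "rundll32" in low and TEMP_RE.search(dll):
            findings.append((sec, "Run key reloads a DLL from TEMP at every boot", dll))
        elif sec == "O18" and dll in nameless_bho:
            findings.append((sec, "MIME filter uses the same DLL as a nameless BHO", dll))
    return findings


if __name__ == "__main__":
    for sec, reason, dll in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}: {dll}")
```

The point of the cross-check is that a Startpage-style infection is not one file: removing se.dll alone leaves the Run key and the filter DLL to bring it back, which is exactly the behaviour reported later in the thread.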

puo,
maybe you are using WinXP. In this case, disable System Restore. The same applies if you are running Norton GoBack or any other restore/backup utility. After disabling it, try again the same steps suggested by my friends on the forum.

Nope, I'm not on WinXP, mine's 98. BTW I'm only running Avast; I uninstalled McAfee before.

I tried the options suggested before and the trojan still hangs in there.

Hey, by the way, thanks for the patience and help.

You could try an online scan like http://housecall.trendmicro.com/

and follow their advice on removal.

Try an online spyware scan and another online virus scan

The reason I gave you the link to an on-line analysis site was so you could use it and not have to await an answer here, and use HijackThis to FIX the problem (see the HJT tutorial link).

This is an analysis of your HJT log - http://hijackthis.de/logfiles/bc4ef299262ab5435c7b67c346c9cbae.html
Use the analysis to fix the nasty and investigate the unknown (and possibly nasty) using a Google search for the file name. There may well be items marked as unknown that are programs you installed and know are OK, such as avast.

I would also suggest you upgrade your browser to IE6, and better still use another browser, such as Firefox, as your primary browser.

I hijacked the files which the log analysis told me to, and the se.dll keeps coming on again and again. I scan it, fix it, reboot the PC, and it keeps coming up ??? ???
I ran an online scan and it didn't detect anything.
I ran HijackThis in Safe Mode, fixed the files the log analysis said were nasty, rebooted, and they are still there. What should I do now?

http://forum.hijackthis.de/archive/index.php/t-2381.html

Back up the registry etc. first and have a look at this site

Dear Puo,

This is a DLL of a malware search tool; it is a BHO, a browser helper object. Run the program BHODemon, and this will let you clean it out. If I am right, you can find the BHO in Win98SE in WINDOWS: click to see all program files, and it is in Downloaded Program Files.

Greetings,

polonus

Hi Polonus, the only "unknown" I have in download file/windows is a control house call & something which only has this number.

{32564D57-0000-0010-8000-00AA00389B71}

Is this anything similar to what you said?
Thks

Hi, I was able to remove the trojan following the steps in this link

http://forum.hijackthis.de/archive/index.php/t-2381.html

Thanks all for the help (and patience).

Hi Puo,

Nice that you have cleansed it; it was se.dll, and I was right, it was on your system. Keep a good check on your system. XP does this automatically; on Win 98 SE you need sfc.exe: scan and later check the logs, and if you find new ones, look on the net whether they should be there, and scan with FileAlyzer or a Bintscan. If you are into the P2P stuff, which is lively dangerous because of the free scamware you also download from there, use a program like Peer Guardian. It is free, it is good, and it works on preventing crap and malware installs onto your OS. Be aware, for the good old English saying says "Curiosity killed the cat", but on the other hand, he who has made all possible mistakes within a very small area of interest is a genuine EXPERT. So you are entitled to learn from things you did not know.

Have a nice and virus-free day,

POLONUS