Please help

Just now I received a warning message that my system is infected by a Trojan horse. Avast was unable to delete it, move it to the chest or rename it. What to do? I had used a previous antivirus which showed that the specific file was infected by the trojan Startpage.16.BD, but Avast didn't recognise it. Only now does it show that the file is infected. Why is it so? Now what to do?
I had uninstalled the previous antivirus I used before installing Avast. Here are the details of the trojan that was found.

File name: C:\WINDOWS\Temp\se.dll
Malware name: Win32:startPage-076[Trj]
Malware type: Trojan Horse
VPS version: 0510-0, 03/08/2005

What should I do now?

Try with Ad-Aware: www.Ad-aware.com
Install it and maybe it will find the problem.

After trying what neron suggested, please post a full HijackThis log here, so we can confirm you're clean.

You can get hijackthis from here: http://www.merijn.org/files/hijackthis.zip

–lee

Your browser has been hijacked. Since this happened there is likely more malware on your system. Click on the link in my signature and follow the instructions in the malware removal section.

I used Ad-Aware and now I can't see the se.dll in my HijackThis log file. So I thought it might have gone. But again the browser is showing the same webpage. So when I looked in the C:\Windows\Temp\ folder I found the se.dll there, but I was unable to delete it. So I checked the registry and the

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

contained res://C:\WINDOWS\TEMP\se.dll/sp.html

Anyway, I am also copying the log file here.

Logfile of HijackThis v1.99.1
Scan saved at 4:31:03 PM, on 3/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\REGEDIT.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: NetAnts.IE.Monitor - {57E91B41-F40A-11D1-B792-444553540000} - E:\PROGRAM FILES\NETANTS\ANTAPI.DLL
O2 - BHO: (no name) - {D067C001-80B0-11D9-8253-44451AEC6486} - C:\WINDOWS\SYSTEM\NFMI.DLL
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\encoder\WMENCAGT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by NetAnts - E:\PROGRA~1\NETANTS\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - E:\PROGRA~1\NETANTS\NAGetAll.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.60-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.60-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.60-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.60-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.60-DELEON.DLL/cmtrans.html
O8 - Extra context menu item: &Add to IncrediMail Style Box - E:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra ‘Tools’ menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - E:\PROGRA~1\NETANTS\NetAnts.exe
O9 - Extra ‘Tools’ menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - E:\PROGRA~1\NETANTS\NetAnts.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B1} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/find.htm (file missing)
O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C04F7956B2} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/av.htm (file missing)
O9 - Extra button: PILLS - {0B5F1910-F111-11d2-BB9E-00C04F7956B3} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/med.htm (file missing)
O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C04F7956B4} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/check.htm (file missing)
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B5} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A (file missing)
O12 - Plugin for .ps: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://D:\Program Files\AutoCAD 2002\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://D:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O18 - Filter: text/html - {C709A441-8E86-11D9-8253-94FCBB4A9D71} - C:\WINDOWS\SYSTEM\NFMI.DLL
O18 - Filter: text/plain - {C709A441-8E86-11D9-8253-94FCBB4A9D71} - C:\WINDOWS\SYSTEM\NFMI.DLL

Why can't I see the DLL file specified above in this log, or is it there under another name?
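
The log above, and the hijackthis.de categorisation of it in the next reply, can be triaged mechanically. The Python below is an added example, not a tool from this thread or from the HijackThis project: it scans constructed lines in the same format for the indicators the posts call out (start/search pages reset to about:blank, a res:// page served from a DLL in Temp, a nameless BHO, O16 objects loaded from local .cab files, text/html and text/plain O18 filters, O9 URLs with userinfo before '@'). The Start Page res:// line is constructed from the registry value the poster found by hand; the other sample lines are copied from the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in the format of the HijackThis log posted above.
# The "Start Page = res://..." line is built from the registry value the poster found.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {D067C001-80B0-11D9-8253-44451AEC6486} - C:\WINDOWS\SYSTEM\NFMI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C04F7956B1} - http://zw.com.tw:3128@DF809JOW4WJ2304LFD0SF9FSD0A2T4LDF809JOW4WJ2304LFD0SF9FSD0A2T4LD%2E%42%49%5A/find.htm (file missing)
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O18 - Filter: text/html - {C709A441-8E86-11D9-8253-94FCBB4A9D71} - C:\WINDOWS\SYSTEM\NFMI.DLL
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "R1 - ..." / "O16 - ..."
TEMP_RES_RE = re.compile(r"res://[a-z]:\\(windows\\)?temp\\", re.IGNORECASE)

@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R1" or "O18"
    reason: str    # why the line deserves a look
    line: str      # the original log line

def triage_line(line):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    lower = body.lower()
    if section in ("R0", "R1"):
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if value.lower() in ("about:blank", "about blank"):
            return Finding(section, "IE start/search value reset to about:blank (about:blank hijack)", line)
        if TEMP_RES_RE.match(value):
            return Finding(section, "IE page served via res:// from a DLL in a Temp directory", line)
    elif section == "R3" and "missing" in lower:
        return Finding(section, "default URLSearchHook removed", line)
    elif section == "O2" and "(no name)" in lower:
        return Finding(section, "BHO with no name; verify the DLL it loads", line)
    elif section == "O9" and re.search(r"https?://[^/\s]+@", body):
        return Finding(section, "URL has text before '@'; only the part after '@' is the real host", line)
    elif section == "O16" and lower.split(" - ")[-1].startswith("file://"):
        return Finding(section, "ActiveX object registered from a local .cab file", line)
    elif section == "O18" and ("text/html" in lower or "text/plain" in lower):
        return Finding(section, "MIME filter on text/html or text/plain; can rewrite every page", line)
    return None

def triage(log_text):
    """Run triage_line over a whole log and return the findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]
```

Benign entries such as the &Radio toolbar and the Yahoo installer loaded over http produce no finding; the rules only mark lines for review, so each hit still needs a human to confirm the file or key before it is fixed.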

Copy/paste the log here → http://hijackthis.de/ and see the results.
You have some nasties.
You’re using an outdated version of Internet Explorer & you have no firewall!


CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using the latest version of HijackThis.
Old version of Internet Explorer detected, please update.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r1 - hkcu\software\microsoft\internet explorer,searchurl = about blank
r1 - hkcu\software\microsoft\internet explorer\main,default_page_url = about blank
r1 - hkcu\software\microsoft\internet explorer\main,default_search_url = about blank
r1 - hkcu\software\microsoft\internet explorer\main,search page = about:blank
r1 - hklm\software\microsoft\internet explorer\main,search page = about:blank
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = about:blank
r1 - hkcu\software\microsoft\internet explorer\search,customizesearch = about:blank
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = about:blank
r0 - hkcu\software\microsoft\internet explorer\main,local page = about blank
r1 - hkcu\software\microsoft\internet explorer\main,homeoldsp = about:blank
r0 - hklm\software\microsoft\internet explorer\main,local page = about:blank
r1 - hklm\software\microsoft\internet explorer\main,homeoldsp = about:blank
r3 - default urlsearchhook is missing
o3 - toolbar: (no name) - {2318c2b1-4965-11d4-9b18-009027a5cd4f} - (no file)
o9 - extra button: net2phone - {4b30061a-5b39-11d3-80f8-0090276f843f} - http://www.net2phone.com/ (file missing)
o9 - extra ‘tools’ menuitem: net2phone - {4b30061a-5b39-11d3-80f8-0090276f843f} - http://www.net2phone.com/ (file missing)
o9 - extra button: search - {0b5f1910-f111-11d2-bb9e-00c04f7956b1} - http://zw.com.tw:3128@df809jow4wj2304lfd0sf9fsd0a2t4ldf809jow4wj2304lfd0sf9fsd0a2t4ld%2e%42%49%5a/find.htm (file missing)
o9 - extra button: entertainment - {0b5f1910-f111-11d2-bb9e-00c04f7956b2} - http://zw.com.tw:3128@df809jow4wj2304lfd0sf9fsd0a2t4ldf809jow4wj2304lfd0sf9fsd0a2t4ld%2e%42%49%5a/av.htm (file missing)
o9 - extra button: pills - {0b5f1910-f111-11d2-bb9e-00c04f7956b3} - http://zw.com.tw:3128@df809jow4wj2304lfd0sf9fsd0a2t4ldf809jow4wj2304lfd0sf9fsd0a2t4ld%2e%42%49%5a/med.htm (file missing)
o9 - extra button: security - {0b5f1910-f111-11d2-bb9e-00c04f7956b4} - http://zw.com.tw:3128@df809jow4wj2304lfd0sf9fsd0a2t4ldf809jow4wj2304lfd0sf9fsd0a2t4ld%2e%42%49%5a/check.htm (file missing)
o9 - extra button: search - {0b5f1910-f111-11d2-bb9e-00c04f7956b5} - http://zw.com.tw:3128@df809jow4wj2304lfd0sf9fsd0a2t4ldf809jow4wj2304lfd0sf9fsd0a2t4ld%2e%42%49%5a (file missing)
o16 - dpf: {1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (fun web products installer start) - http://ak.imgfarm.com/images/nocache/funwebproducts/cursormaniainitialsetup1.0.0.6.cab
o16 - dpf: {f281a59c-7b65-11d3-8617-0010830243bd} (acpreview control) - file://d:\program files\autocad 2002\acpreview.ocx
o16 - dpf: {78af2f24-a9c3-11d3-bf8c-0060b0fcc122} (acdctoday control) - file://d:\program files\autocad 2002\acdctoday.ocx
o16 - dpf: {ae563720-b4f5-11d4-a415-00108302fdfd} (noxlate-banr) - file://d:\program files\autocad 2002\instbanr.ocx
o16 - dpf: {c6637286-300d-11d4-ae0a-0010830243bd} (instafred) - file://d:\program files\autocad 2002\instfred.ocx
o16 - dpf: {5d9e4b6d-cd17-4d85-99d4-6a52b394ec3b} (wsdownloader control) - http://www.webshots.com/samplers/wsdownloader.ocx
o16 - dpf: {1d0d9077-3798-49bb-9058-393499174d5d} - file://c:\counter.cab
o16 - dpf: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
o16 - dpf: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
o16 - dpf: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
o16 - dpf: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (yinststarter class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
o16 - dpf: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hklm..\run: [loadqm] loadqm.exe
o4 - hklm..\run: [mdac_runonce] c:\windows\system\runonce.exe
o4 - hklm..\runservices: [machine debug manager] c:\windows\system\mdm.exe
o4 - startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe


WE HAVE NO INFO ON THE FOLLOWING ITEMS. THEY CAN BE BAD OR GOOD.
YOU HAVE TO VERIFY THEM MANUALLY. PLEASE TELL US IF YOU HAVE INFO ON THEM :

o2 - bho: (no name) - {d067c001-80b0-11d9-8253-44451aec6486} - c:\windows\system\nfmi.dll
o18 - filter: text/html - {c709a441-8e86-11d9-8253-94fcbb4a9d71} - c:\windows\system\nfmi.dll
o18 - filter: text/plain - {c709a441-8e86-11d9-8253-94fcbb4a9d71} - c:\windows\system\nfmi.dll

Click on the link in my signature and follow the instructions in the malware removal section.

Thanks Avast.

As advised by the experts, I did the procedures and now I can't see the trojan. I checked the folder. It was deleted. Thanks for your support.

Which firewall is good to use on a home PC?

Anyway, thanks for your support.

Depends on what you are looking for: Free or paid? Rule or application based? Do you have any experience with firewalls?
A good start would be the free ZoneAlarm. You can find links on my web page (see the link in my signature).

I'm talking about free ones. Actually I'm not experienced with firewalls. So, as you have said, let me start with ZoneAlarm.

Thanks

Is there any problem in using SpywareBlaster or other spyware detection tools along with ZoneAlarm?

Good plan, it's a good place to start :wink:

Most work fine; however, you should really use the avast BETA as described here: http://forum.avast.com/index.php?topic=11828.0

This is just until the official update to avast is out, so there are no conflicts between ZoneAlarm and Avast.

–lee

Hi Maestro!

Can you send me the solution to remove Win32:StartPage-076, please? I have the same problem but I can't remove it…

Thanks and best regards!
matt

Hello,

The easiest way that I have found to remove this malware from other people's computers is:

1. Go to us.mcafee.com and run a free scan from their web page. (McAfee is the only AV that I know of that detects all the components of this malware.)

2. Write down on paper the name and location of every file that it finds to be infected… (Actually StartPage-076 is only a part of the malware… You will have at least an .htm, sometimes called sp.html, and an .exe or .dll with a random name…)

3. Enter safe mode and delete by hand every file that McAfee found (the files that you wrote on paper)… Then run a full system scan with Avast! just to be sure that you don't have anything else…

I hope that it helps,

Elminster

PS: You could also save the files that were detected to a floppy and test them with Avast; if Avast misses a file, you could send it to Alwil at virus [at] avast.com

You may also try this one:
http://www.thespykiller.co.uk/forum/index.php?topic=156.0