Author Topic: Help please one tough Trojan  (Read 9478 times)


puo

  • Guest
Help please one tough Trojan
« on: May 16, 2005, 12:01:57 AM »
Hi there: I've got this Trojan Win32:StartPage-076 that just doesn't want to be erased. I've tried Spybot, Trojan Hunter, McAfee, Ad-Aware and Avast 4.6, and none of them cleans the PC.
I've got Win 98 on an Omnibook.
Avast and Ad-Aware detect the trojan (the others didn't), but neither can delete it.
With Avast, it says it can't be moved to the chest because it is a protected file.
With Ad-Aware, it starts to delete it, but the program stays with the delete window open and never finishes.
I tried deleting the TEMP files; nope, still there. I tried to do it myself with the PC's file explorer; nope. Any suggestions will be definitely appreciated. Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89362
  • No support PMs thanks
Re: Help please one tough Trojan
« Reply #1 on: May 16, 2005, 12:22:44 AM »
What was the filename, and where was it found (for example C:\windows\system32\infected-filename.xxx)?

You might also try booting into Safe Mode and running avast, and see if it can be moved/deleted then.

Download HijackThis.zip - HiJackThis Tutorial
For an online scan of your HijackThis log file, try here: http://hijackthis.de/index.php
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the "missing file" entry for avast). If you need any help with the analysis, let us know.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

puo

  • Guest
Re: Help please one tough Trojan
« Reply #2 on: May 16, 2005, 01:00:45 AM »
I believe it's C:\windows\temp\se.dll

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Help please one tough Trojan
« Reply #3 on: May 16, 2005, 03:27:11 AM »
With Avast, it says it can't be moved to the chest because it is a protected file.
Can you boot in Safe Mode and try to delete it there?
Safe Mode (repeatedly press F8 while booting): http://support.microsoft.com/default.aspx?scid=kb;en-us;315222
The best things in life are free.

MFB

  • Guest
Re: Help please one tough Trojan
« Reply #4 on: May 16, 2005, 03:42:33 AM »
Hi there: I've got this Trojan Win32:StartPage-076 that just doesn't want to be erased. I've tried Spybot, Trojan Hunter, McAfee, Ad-Aware and Avast 4.6, and none of them cleans the PC.
I've got Win 98 on an Omnibook.
Avast and Ad-Aware detect the trojan (the others didn't), but neither can delete it.
With Avast, it says it can't be moved to the chest because it is a protected file.
With Ad-Aware, it starts to delete it, but the program stays with the delete window open and never finishes.
I tried deleting the TEMP files; nope, still there. I tried to do it myself with the PC's file explorer; nope. Any suggestions will be definitely appreciated. Thanks.

Can you try to send the infected file to the virus chest?

Also note: do you have McAfee and Avast! running at the same time? It's best to disable one of them to prevent any conflict.

puo

  • Guest
Re: Help please one tough Trojan
« Reply #5 on: May 16, 2005, 01:25:37 PM »
I put the PC in Safe Mode, deleted it through Ctrl-Alt-Del, and after rebooting it's still there.
I tried to send it to the virus chest and it says it can't because the file is protected. (!!)

I'm trying to copy the log here but it says the message is too big (help).

puo

  • Guest
Re: Help please one tough Trojan
« Reply #6 on: May 16, 2005, 01:33:21 PM »
This is the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:41 p.m., on 16/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARCHIVOS DE PROGRAMA\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\REAL\UPDATE_OB\REALSCHED.EXE
C:\ARCHIVOS DE PROGRAMA\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\ARCHIVOS DE PROGRAMA\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\ARCHIVOS DE PROGRAMA\ACCESORIOS\WORDPAD.EXE
C:\ARCHIVOS DE PROGRAMA\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL (file missing)
O2 - BHO: (no name) - {DE0A05A1-C2DD-11D9-881D-00108C3260C0} - C:\WINDOWS\SYSTEM\FMDM.DLL
O3 - Toolbar: @msdxmLC.dll,-1@3082,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Control Panel] smctrlw.exe
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast! Web Scanner] C:\ARCHIV~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Software Kodak EasyShare.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mov: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .png: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin5.dll
O12 - Plugin for .asp: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/304f6832a1fc41d1bb22/netzip/RdxIE601.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4489/mcfscan.cab
O18 - Filter: text/html - {DE0A05A0-C2DD-11D9-881D-0010E37EC55B} - C:\WINDOWS\SYSTEM\FMDM.DLL
O18 - Filter: text/plain - {DE0A05A0-C2DD-11D9-881D-0010E37EC55B} - C:\WINDOWS\SYSTEM\FMDM.DLL


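As an added example (not code from any of the posters, and not part of HijackThis or the hijackthis.de analyser): the Python script below performs, over the log posted above, the kind of triage the online analysis does by hand. It flags the StartPage pattern visible in this log (an R1 start/search page served from a DLL resource, an O4 autorun that loads a module out of TEMP, O18 MIME filters on text/html and text/plain, an unnamed O2 BHO) and then groups the hits by file so every registry entry that references a module is listed next to it. The sample lines are copied from the log above, including two entries that must not be flagged; the rules, the "fix"/"review" labels and the function names (`analyse`, `files_to_handle`) are this example's own assumptions, not HijackThis conventions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines taken from the HijackThis log posted above, including
# two entries (O3 MSDXM.OCX, O4 SysTray) that should NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {DE0A05A1-C2DD-11D9-881D-00108C3260C0} - C:\WINDOWS\SYSTEM\FMDM.DLL
O3 - Toolbar: @msdxmLC.dll,-1@3082,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {DE0A05A0-C2DD-11D9-881D-0010E37EC55B} - C:\WINDOWS\SYSTEM\FMDM.DLL
O18 - Filter: text/plain - {DE0A05A0-C2DD-11D9-881D-0010E37EC55B} - C:\WINDOWS\SYSTEM\FMDM.DLL
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Drive-letter path ending in a loadable module. Non-greedy, so a trailing
# ",DllInstall", " (file missing)" or "/spage.html" is left out of the match.
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\r\n]*?\.(?:dll|exe|ocx)\b", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
TEXT_FILTER_RE = re.compile(r"^Filter:\s*text/(?:html|plain)\b", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str       # HijackThis section, e.g. "O4"
    severity: str   # "fix" (known hijack pattern) or "review" (needs a look)
    path: str       # module the entry points at, lower-cased ("" if none)
    reason: str
    line: str


def analyse(log_text: str) -> list[Finding]:
    """Apply this example's heuristics (assumptions, not HJT rules) to each entry."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m["kind"], m["body"]
        paths = [p.lower() for p in PATH_RE.findall(body)]
        first = paths[0] if paths else ""
        temp_paths = [p for p in paths if TEMP_RE.search(p)]

        if kind.startswith("R") and "res://" in body.lower():
            # IE start/search page served out of a DLL resource: the classic
            # StartPage pattern, and certain when the DLL lives in TEMP.
            sev = "fix" if temp_paths else "review"
            findings.append(Finding(kind, sev, first,
                                    "search/start page served from a DLL resource", raw))
        elif kind == "O4" and temp_paths:
            # Nothing legitimate autoruns a module out of a TEMP directory.
            findings.append(Finding(kind, "fix", temp_paths[0],
                                    "autorun loads a module from a TEMP directory", raw))
        elif kind == "O18" and TEXT_FILTER_RE.match(body):
            # A MIME filter on text/html or text/plain sees, and can rewrite,
            # every page IE renders; legitimate software almost never installs one.
            findings.append(Finding(kind, "fix", first,
                                    "MIME filter on text/html or text/plain", raw))
        elif kind == "O2" and "(no name)" in body:
            findings.append(Finding(kind, "review", first,
                                    "BHO registered without a name", raw))
    return findings


def files_to_handle(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by module so each file appears once with every entry that
    references it; files hooked from several sections are listed first."""
    by_file: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        if f.path:
            by_file[f.path].append(f"{f.kind}:{f.severity}")
    return dict(sorted(by_file.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.kind:3} {f.reason}\n         {f.line}")
    print("\nModules to remove, with every entry that loads them:")
    for path, refs in files_to_handle(results).items():
        print(f"  {path}: {', '.join(refs)}")
```

The grouping is the useful part: fixing only the R1 lines changes nothing, because the O4 entry runs `rundll32 ... SE.DLL,DllInstall` again at every logon as long as the file is still on disk, and FMDM.DLL is hooked from three places (one O2 BHO and two O18 filters). The registry entries and the files they point at have to be dealt with in the same pass, which is why the advice in this thread is to fix the entries with HijackThis and remove the files from Safe Mode in one go.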
kamulko

  • Guest
Re: Help please one tough Trojan
« Reply #7 on: May 16, 2005, 01:33:44 PM »
puo,
maybe you are using WinXP. In that case, disable System Restore. The same applies if you are running Norton GoBack or any other restore/backup utility. After disabling it, try the same steps suggested by my fellow forum members again.

puo

  • Guest
Re: Help please one tough Trojan
« Reply #8 on: May 16, 2005, 01:35:39 PM »
Nope, I'm not on WinXP; mine's 98. BTW, I'm only running Avast; I uninstalled McAfee before.

I tried the options suggested before and the trojan still hangs in there.

puo

  • Guest
Re: Help please one tough Trojan
« Reply #9 on: May 16, 2005, 01:49:52 PM »
Hey, by the way, thanks for the patience and help.

Offline TedNelly

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1538
  • Trust No-One!
Re: Help please one tough Trojan
« Reply #10 on: May 16, 2005, 01:56:01 PM »
You could try an online scan like http://housecall.trendmicro.com/ and follow their advice on removal.
Windows 10 Pro | Intel I7 CPU | 16 Gig 2133 RAM | Avast beta 17.5.2295 | Firefox 54 b9(64-bit) | Cyberfox 52.1 | T-Bird 52.1.1 | SpyWareBlaster 5.5 | MalwareBytes 3.0.0.865 | WinPatrol 35.5.2 | GlassWire 1.2.100 | Cybereason Ransomfree 2.2.7 |  Pulla-dePlug Final!

Offline xistenz

  • Poster
  • *
  • Posts: 632
Re: Help please one tough Trojan
« Reply #11 on: May 16, 2005, 02:03:22 PM »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89362
  • No support PMs thanks
Re: Help please one tough Trojan
« Reply #12 on: May 16, 2005, 02:45:34 PM »
The reason I gave you the link to an online analysis site was so you could use it, not have to await an answer here, and use HijackThis to FIX the problem (see the HJT tutorial link).

This is an analysis of your HJT log - http://hijackthis.de/logfiles/bc4ef299262ab5435c7b67c346c9cbae.html
Use the analysis to fix the nasty entries and investigate the unknown (and possibly nasty) ones using a Google search for the file name. There may well be items marked as unknown that are programs you installed and know are OK, such as avast.

I would also suggest you upgrade your browser to IE6, and better still use another browser, such as Firefox, as your primary browser.

puo

  • Guest
Re: Help please one tough Trojan
« Reply #13 on: May 16, 2005, 03:57:01 PM »
I fixed the entries the log analysis told me to with HijackThis, and se.dll keeps coming back again and again. I scan it, fix it, reboot the PC, and it keeps coming up ??? ???
I ran an online scan and it didn't detect anything.
I ran HijackThis in Safe Mode, fixed the entries the log analysis said were nasty, rebooted, and they are still there. What should I do now?

Offline TedNelly

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1538
  • Trust No-One!
Re: Help please one tough Trojan
« Reply #14 on: May 16, 2005, 04:04:24 PM »
http://forum.hijackthis.de/archive/index.php/t-2381.html

Back up the registry etc. first, and have a look at that site.