Spyware, Viruses, & Security forum

trojan.startpage

by bgginarl / January 22, 2005 9:28 AM PST

I'm having the same problem - Symantec sees the Virus - but doesn't delete - keeps coming back. Have cleaned up cache, editing registry, SpyBot, Ad Aware, etc. No luck...any ideas?

Try this
by roddy32 / January 22, 2005 10:17 AM PST
In reply to: trojan.startpage
trojan.startpage
by bgginarl / January 22, 2005 11:04 PM PST
In reply to: trojan.startpage

Sorry - didn't mean to hijack the other thread.

I've been infected with trojan.startpage as caught by symantec. I have win xp, the file it says is infected is sp.dll. I have since tried to clean temp files, downloaded trendmicro (didn't fix), tried McAfee Virus (didn't fix), edited registry to remove reference (didn't fix), updated hosts files, have done work in Safemode. Additionally, the virus seems to not allow me to change the security setting in IE because I cannot install any Active X controls (used to try and check for virus on AOL).

Any help is greatly appreciated.

OK, If you have done all that and
by roddy32 / January 22, 2005 11:13 PM PST
In reply to: trojan.startpage

you still have the problem I would suggest downloading HijackThis and posting your log in a HijackThis expert forum.
HijackThis download locations:
http://castlecops.com/zx/Merijn/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
http://downloads.subratam.org/hijackthis.zip

Current version of HijackThis is 1.99

Where to put and how to use HijackThis:

It is important that you run HijackThis.exe in its own folder so the backup files that HijackThis file will create will not be accidentally deleted.

Open 'My Computer', then double-click to open C:\ (or the drive letter that your Windows is installed)
In the menu bar, click File-->New-->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ or C:\HijackThis\ folder. Put your HijackThis.exe there, and double click to run it.
Click 'Scan' button. Click 'Save log' button. Save the 'hijackthis.log' on your desktop. Copy and paste the content of 'hijackthis.log' and post it in any of these forums. You will have to join the forum and please be patient and follow their rules as they are very busy.
HijackThis expert forums
http://castlecops.com/HijackThis.html

http://forum.aumha.org/viewforum.php?f=30

http://forums.spywareinfo.com/index.php?b=1

the file it says is infected is sp.dll.
by dawillie / January 23, 2005 12:30 PM PST
In reply to: trojan.startpage

what is the EXACT location of this file?

FYI a *.dll is a Dynamically Linked Library file and will be in use as soon as you boot, notwithstanding that you are in SafeMode.

You need to perform whatever task you did to arrive at the conclusion that you have arrived at, and carefully need to note file path.

Post back with that information and we can look at removing it.

File Location and Update
by bgginarl / January 23, 2005 10:05 PM PST

I had done a full backup with Microsoft System Tools about 2 months ago so I just restored to that and it removed the virus. Of course, I lost some data/files, but I was able to burn most to CD before the restore. I know that this wasn't the best solution, but after a few hours of getting back most of my stuff I think it got me going again.

However, in efforts to help others if they get this virus the location was: C:\Documents and Setting\Bruce\Local Settings\Temp\sp.dll

I had to show hidden files to see this in XP and I deleted ALL files in this directory as well as under Administrator.

Thanks for everyone's help - never posted before - and glad to see the responses.

C:\My Docume

(NT) Glad it's solved. Thanks for posting back.
by roddy32 / January 23, 2005 10:28 PM PST
IF You SEE the exact settings ......
by Marianna Schmudlach / January 24, 2005 12:36 AM PST

the latest cwshredder is able to remove it !

Download the stand-alone CWShredder V2.12.0.0:
http://cwshredder.net/bin/CWShredder.exe

Close all other programs and run CWShredder.exe.

Click Fix, OK, let it fix anything it finds, click Next, then exit

HTH

CWShredder
by bgginarl / January 24, 2005 7:32 AM PST

Do you think I should run this even though the problem seems to have gone away? I'd hate to start this process all over again.

Thanks

Keep cwshredder handy
by Marianna Schmudlach / January 24, 2005 8:06 AM PST
In reply to: CWShredder
IF the problem should show up again ;)
sp.dll and Startpage trojan
by Bren.A / March 8, 2005 11:50 AM PST

I have the problem with these two files constantly popping up every time I boot up. Can anyone provide me with a solution to get rid of them?

Thanks

Bren.A

please provide the EXACT location of these files.
by dawillie / March 8, 2005 12:13 PM PST

and we will attempt to help you resolve the problem.....

re: Removal of Trojan Startpage - This works
by yasso1 / February 17, 2005 10:04 PM PST
In reply to: trojan.startpage

Do the following exactly and it will remove Trojan.startpage variants:-
1. Browse Windows/system32 .dll files sorted by date last modified.
2. Select the file that has the date/time stamp of when the attack happened. The file usually will be around 36-41Kb. Move the file to desktop.
3. Turn off System restore from Control panel/system properties.
4. Log into Windows Safemode. (Press F8 at launch)
5. Go to desktop and delete the file u selected earlier.
6. Run Registry Editor - Regedit
7. Do the following for both HKEY_LOCAL_MACHINE and repeat for HKEY_CURRENT_USER:-
7.1 Go to \Software\microsoft\internet explorer\main and reset home page to what u want. Remove key HOMESP and remove any link to sp or se.dll.
7.2 Go to \software\microsoft\windows\run and reset homepage and remove any links to sp or se.dll if any.
8. Restart PC in normal mode
9. Reset system restore back on
10. launch IE and reset homepage again

That should work. If anything let me know..
Best!
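
A read-only check for the registry entries named in steps 7.1 and 7.2 above, run over a text export of the registry; this is an added example, not part of yasso1's post. The function name, the sample export and the reading of step 7.2 as the Windows\CurrentVersion\Run key are assumptions.

```python
import re

# Key suffixes from steps 7.1 and 7.2, checked under every hive in the export.
# Reading step 7.2 as Windows\CurrentVersion\Run is an assumption.
WATCHED = (r"\software\microsoft\internet explorer\main",
           r"\software\microsoft\windows\currentversion\run")
# DLL names mentioned in the thread; the leading separator keeps
# unrelated names such as wsp.dll from matching.
DLL_RE = re.compile(r'(?:^|[\\/\s"])(sp|se|sehlp)\.dll', re.I)
# One string value line of a .reg export: "name"="value" with \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo the backslash escaping used inside .reg string values."""
    return re.sub(r"\\(.)", r"\1", s)

def audit_reg_export(text):
    """Return (key, value name, reason) for each entry the steps say to remove."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # current registry key header
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None or not key.lower().endswith(WATCHED):
            continue                  # not a string value, or not a watched key
        name, value = unescape(m.group(1)), unescape(m.group(2))
        hit = DLL_RE.search(value)
        if name.upper() == "HOMESP":
            findings.append((key, name, "HOMESP value"))
        elif hit:
            findings.append((key, name, "references %s.dll" % hit.group(1).lower()))
    return findings

# Constructed sample export (not taken from any real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example.invalid/"
"HOMESP"="http://search.example.invalid/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"helper"="rundll32.exe \"C:\\Documents and Settings\\user\\Local Settings\\Temp\\sp.dll\",Run"
"wsp"="C:\\WINDOWS\\system32\\wsp.dll"
'''

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE):
        print(finding)
```

Files saved with regedit's export are UTF-16 text, so read them with `encoding="utf-16"` before passing the contents to `audit_reg_export`.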

Worked Like a Charm!!! Thanks
by Chuck546 / February 23, 2005 2:46 AM PST

This worked great. I was up and running in 20 minutes. I recommend this fix for all those infected with the Trojan.Startpage. Thank you! Thank you! Thank you!

I'm puzzled
by Cache22 / February 25, 2005 4:20 AM PST

I've seen this idea proposed quite a few times over the last couple years, but I'm not quite sure how it can work, at least in the most aggressive cases of infection. Assuming the absence of a boot sector virus, those periodically reoccurring attacks are initiated by a "hidden" file located in the registry. Since these show no time or date information, one could not easily determine when they activated any dll which you might find on a file search. Deleting that dll, in that case, would do nothing more than removing the symptom rather than the infection. It would appear that recent infections include "hidden" registry files which look to be named by something approaching a random generator, potentially offering the infected file on each computer its own unique identity, which would make anti-spyware programs which rely on known definitions, virtually useless.

Does anyone have any further thoughts on this? Am I missing something obvious here that someone might know something about?

Thank you for the solution
by oinomaos / March 2, 2005 5:08 PM PST

Work now my computer without problem.
I have some differents but the point is all over
thanks GOD bless you

Which operating system is it?
by renal / March 4, 2005 12:03 PM PST

Which operating system is it? Windows 98, 2000 or XP?

Please inform me, thanks.

Regards,
Renal

I'm not sure who the question was directed to...
by trancooo / March 4, 2005 4:57 PM PST

but just in case, I'm using Win XP

cheers

I'm using Windows XP SP2
by Chuck546 / March 5, 2005 12:28 AM PST

I'm using Windows XP SP2

Thanks, your advice helped a lot!!!
by binatog / March 10, 2005 3:05 PM PST

I followed your instructions to the letter and found the suspect .dll files. The kind that hit me could not be deleted though and I had to use ad-aware to remove it. But you got me there quicker. Thanks so much.

A Definite solution
by Sangeos / February 12, 2005 10:11 PM PST
In reply to: trojan.startpage

While you move across many forums, you may be advised to download loads of adware & spyware detectors. My personal experience is none of them are going to help kill this issue. If you truly want to get rid of this startpage.trojan, you will have to put some effort of your own.

Startpage.trojan is the result of a file "sp.dll" in the temp folder which opens a startpage with caption "search for....". The file sp.dll is created by a dll file and an application file in system 32 folder both which differs in name from machines to machines. So there you are left with little chances to search by name.

The only option remains is search by date (guess the date when symptoms started). There should be two files; a dll file which is associated to Explorer.exe and an exe file for which the date of creation would be same.

Delete or move both the files.

The problem should be resolved.

I am having the same problem...
by trancooo / March 3, 2005 3:47 AM PST
In reply to: A Definite solution

Hi everyone,
My OS is Win XP SP1, I have Norton Antivirus 2004.
In my case it finds the virus in c:/windows/sehlp.dll.
I've tried organizing by date (and deactivating norton to kill the virus alert nag that never goes away) and there were 3 files that had the same description: sehlp.dll, SHLPUI.exe and SEHLP.exe, which was AnalyzeIE Module, Version 1.0.0.1.
I can delete them no problem, the thing is that they just reappear after a couple seconds... I suppose that's why Norton keeps deleting the sehlp.dll file, cause it just keeps reappearing! I've run AdAware and Spybot like 5 times each and it finds some garbage, but doesn't fix the problem (they are able to kill the annoying taskbar and homepage the virus embeds in explorer, though). I suppose the problem is that it has another file hidden somewhere that keeps telling it to generate those files (I've also tried looking for all the dll's that have been modified within a week, no 4 letter ones though :( ). Like someone said before, deleting those 3 is merely eliminating the symptom, and not the sickness...
I've also tried searching for se.dll but no luck :(

Hi trancooo
by roddy32 / March 4, 2005 8:18 PM PST

I would suggest posting a HijackThis log in one of the forums that has experts to deal with those logs. This way they can see exactly what is going on with your computer. Please read the first 3 posts on this link which will tell you where to get HJT, how to make a log and where to post it. Please be patient with whoever you bring it to, they are very busy and good luck to you.
http://reviews.cnet.com/5208-6132-0.html?forumID=32&threadID=27234&messageID=306550

hi Roddy32
by trancooo / March 4, 2005 9:00 PM PST
In reply to: Hi trancooo

thanks a lot man, I think I'll do just that. I just hope they'll be able to fix it.... c-ya!

(NT) You're welcome and good luck.
by roddy32 / March 4, 2005 9:10 PM PST
In reply to: hi Roddy32
ur right
by yattey / April 10, 2005 6:18 PM PDT
In reply to: A Definite solution

My OS is win98 sec yes there is a file called SP.dll in temp folder but there is no file in system32 this attack happen in 2005 all files in System32 is created in Oct 2004.
So where else this other files will be
