Sorry - didn't mean to hijack the other thread.
I've been infected with trojan.startpage as caught by symantec. I have win xp, the file it says is infected is sp.dll. I have since tried to clean temp files, downloaded trendmicro (didn't fix), tried McAfee Virus (didn't fix), edited registry to remove reference (didn't fix), updated hosts files, have done work in Safemode. Additionally, the virus seems to not allow me to change the security setting in IE because I cannot install any Active X controls (used to try and check for virus on AOL).
Any help is greatly appreciated.
OK, if you have done all that and you still have the problem I would suggest downloading HijackThis and posting your log in a HijackThis expert forum.
HijackThis download locations:
Current version of HijackThis is 1.99
Where to put and how to use HijackThis:
It is important that you run HijackThis.exe in its own folder so the backup files that HijackThis will create will not be accidentally deleted.
Open 'My Computer', then double-click to open C:\ (or the drive letter that your Windows is installed)
In the menu bar, click File-->New-->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ or C:\HijackThis\ folder. Put your HijackThis.exe there, and double click to run it.
Click 'Scan' button. Click 'Save log' button. Save the 'hijackthis.log' on your desktop. Copy and paste the content of 'hijackthis.log' and post it in any of these forums. You will have to join the forum and please be patient and follow their rules as they are very busy.
HijackThis expert forums
the file it says is infected is sp.dll.
what is the EXACT location of this file?
FYI a *.dll is a Dynamically Linked Library file and will be in use as soon as you boot, notwithstanding that you are in SafeMode.
You need to perform whatever task you did to arrive at the conclusion that you have arrived at, and carefully note the file path.
Post back with that information and we can look at removing it.
File Location and Update
I had done a full backup with Microsoft System Tools about 2 months ago so I just restored to that and it removed the virus. Of course, I lost some data/files, but I was able to burn most to CD before the restore. I know that this wasn't the best solution, but after a few hours of getting back most of my stuff I think it got me going again.
However, in efforts to help others if they get this virus the location was: C:\Documents and Setting\Bruce\Local Settings\Temp\sp.dll
I had to show hidden files to see this in XP and I deleted ALL files in this directory as well as under Administrator.
Thanks for everyone's help - never posted before - and glad to see the responses.
(NT) Glad it's solved. Thanks for posting back.
IF You SEE the exact settings ......
the latest cwshredder is able to remove it !
Download the stand-alone CWShredder V220.127.116.11:
Close all other programs and run CWShredder.exe.
Click Fix, OK, let it fix anything it finds, click Next, then exit
Do you think I should run this even though the problem seems to have gone away? I'd hate to start this process all over again.
Keep cwshredder handy
IF the problem should show up again
sp.dll and Startpage trojan
I have the problem with these two files constantly popping up every time I boot up. Can anyone provide me with a solution to get rid of them?
please provide the EXACT location of these files.
and we will attempt to help you resolve the problem.....
re: Removal of Trojan Startpage - This works
Do the following exactly and it will remove Trojan.startpage variants:-
1. Browse Windows/system32 .dll files sorted by date last modified.
2. Select the file that has the date/time stamp of when the attack happened. The file usually will be around 36-41Kb. Move the file to desktop.
3. Turn off System restore from Control panel/system properties.
4. Log into Windows Safemode. (Press F8 at launch)
5. Go to desktop and delete the file u selected earlier.
6. Run Registry Editor - Regedit
7. Do the following for both HKEY_LOCAL_MACHINE and repeat for HKEY_CURRENT_USER:-
7.1 Go to \Software\microsoft\internet explorer\main and reset home page to what u want. Remove key HOMESP and remove any link to sp or se.dll.
7.2 Go to \software\microsoft\windows\run and reset homepage and remove any links to sp or se.dll if any.
8. Restart PC in normal mode
9. Reset system restore back on
10. launch IE and reset homepage again
That should work. If anything let me know..
Worked Like a Charm!!! Thanks
This worked great. I was up and running in 20 minutes. I recommend this fix for all those infected with the Trojan.Startpage. Thank you! Thank you! Thank you!
I've seen this idea proposed quite a few times over the last couple years, but I'm not quite sure how it can work, at least in the most aggressive cases of infection. Assuming the absence of a boot sector virus, those periodically reoccurring attacks are initiated by a "hidden" file located in the registry. Since these show no time or date information, one could not easily determine when they activated any dll which you might find on a file search. Deleting that dll, in that case, would do nothing more than removing the symptom rather than the infection. It would appear that recent infections include "hidden" registry files which look to be named by something approaching a random generator, potentially offering the infected file on each computer its own unique identity, which would make anti-spyware programs which rely on known definitions, virtually useless.
Does anyone have any further thoughts on this? Am I missing something obvious here that someone might know something about?
Thank you for the solution
Work now my computer without problem.
I have some differents but the point is all over
thanks GOD bless you
Which operating system is it?
Which operating system is it? Windows 98, 2000 or XP?
Please inform me, thanks.
I'm not sure who the question was directed to...
but just in case, I'm using Win XP
I'm using Windows XP SP2
Thanks, your advice helped a lot!!!
I followed your instructions to the letter and found the suspect .dll files. The kind that hit me could not be deleted though and I had to use ad-aware to remove it. But you got me there quicker. Thanks so much.
A Definite solution
While you move across many forums, you may be advised to
download loads of adware & spyware detectors. My personal
experience is none of them are going to help kill this issue.
If you truly want to get rid of this startpage.trojan, will
have to put some effort of your own.
Startpage.trojan is the result of a file "sp.dll" in the temp
folder which opens a startpage with caption "search for....".
The file sp.dll is created by a dll file and an application
file in system 32 folder both which differs in name from
machines to machines. So there you are left with little
chances to search by name.
The only option remains is search by date (guess the date when
symptoms started). There should be two files; a dll file which
is associated to Explorer.exe and an exe file for which the
date of creation would be same.
Delete or move both the files.
The problem should be resolved.
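Added example, not part of any poster's message and not code from this thread: a Python version of the date-based triage described in the removal steps (a system32 .dll of about 36-41 KB modified when the attack happened) and in "A Definite solution" (a .dll and an .exe with the same date). The names `triage` and `demo`, the 12-hour window, matching to the minute, the use of modification time in place of creation time, and all sample files are assumptions made for this illustration.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

KB = 1024

def triage(folder, incident, window=timedelta(hours=12), size_kb=(36, 41)):
    """Return (size_hits, pairs) for .dll/.exe files modified near `incident`."""
    recent = []
    for entry in os.scandir(folder):
        ext = os.path.splitext(entry.name)[1].lower()
        if ext not in (".dll", ".exe") or not entry.is_file():
            continue
        st = entry.stat()
        mtime = datetime.fromtimestamp(st.st_mtime)
        if abs(mtime - incident) <= window:
            recent.append((entry.name, ext, st.st_size, mtime))
    # Heuristic from the removal steps: a DLL of roughly 36-41 KB.
    lo, hi = size_kb[0] * KB, size_kb[1] * KB
    size_hits = sorted(n for n, e, s, _ in recent if e == ".dll" and lo <= s <= hi)
    # Heuristic from "A Definite solution": a .dll and an .exe dropped together
    # (assumption: "together" means the same minute).
    by_minute = defaultdict(list)
    for name, ext, _, mtime in recent:
        by_minute[mtime.replace(second=0, microsecond=0)].append((name, ext))
    pairs = sorted(sorted(n for n, _ in group) for group in by_minute.values()
                   if {e for _, e in group} == {".dll", ".exe"})
    return size_hits, pairs

def demo():
    """Run triage over a constructed folder; every name, size and time is made up."""
    incident = datetime(2005, 3, 14, 21, 30)
    samples = [  # (name, size in bytes, modification time)
        ("kernel32.dll", 900 * KB, datetime(2004, 10, 1, 12, 0)),   # old, ignored
        ("abcde.dll", 38 * KB, datetime(2005, 3, 14, 21, 31, 5)),   # size + time match
        ("abcde.exe", 60 * KB, datetime(2005, 3, 14, 21, 31, 40)),  # same-minute .exe
        ("notes.txt", 38 * KB, datetime(2005, 3, 14, 21, 31, 0)),   # wrong extension
        ("driver.dll", 38 * KB, datetime(2005, 3, 10, 9, 0)),       # outside window
    ]
    with tempfile.TemporaryDirectory() as folder:
        for name, size, when in samples:
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
            os.utime(path, (when.timestamp(), when.timestamp()))
        return triage(folder, incident)

if __name__ == "__main__":
    print(demo())
```

On a live system, pass the Windows system32 path and the time the symptoms began. A hit is a candidate to inspect, since legitimate updates can land in the same window.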
I am having the same problem...
My OS is Win XP SP1, I have Norton Antivirus 2004.
In my case it finds the virus in c:/windows/sehlp.dll.
I've tried organizing by date (and deactivating norton to kill the virus alert nag that never goes away) and there were 3 files that had the same description: sehlp.dll, SHLPUI.exe and SEHLP.exe, which was AnalyzeIE Module, Version 18.104.22.168.
I can delete them no problem, the thing is that they just reappear after a couple seconds... I suppose that's why Norton keeps deleting the sehlp.dll file, cause it just keeps reappearing! I've run AdAware and Spybot like 5 times each and it finds some garbage, but doesn't fix the problem (they are able to kill the annoying taskbar and homepage the virus embeds in explorer, though). I suppose the problem is that it has another file hidden somewhere that keeps telling it to generate those files (I've also tried looking for all the dll's that have been modified within a week, no 4 letter ones though). Like someone said before, deleting those 3 is merely eliminating the symptom, and not the sickness...
I've also tried searching for se.dll but no luck
I would suggest posting a HijackThis log in one of the forums that have experts to deal with those logs. This way they can see exactly what is going on with your computer. Please read the first 3 posts on this link which will tell you where to get HJT, how to make a log and where to post it. Please be patient with whoever you bring it to, they are very busy and good luck to you.
thanks a lot man, I think I'll do just that. I just hope they'll be able to fix it.... c-ya!
(NT) You're welcome and good luck.
My OS is win98 sec. Yes, there is a file called SP.dll in the temp folder, but there is no file in system32. This attack happened in 2005; all files in System32 were created in Oct 2004.
So where else would these other files be?