
What the bleep is...


6 replies to this topic

#1 omrivers

Posted 22 March 2005 - 12:24 PM

Every so often my McAfee tells me that it has detected and cleared the Start-Page-DLL.dll.dr. I have run HiJackThis several times and cannot find anything unusual that might be starting this thing?
Also I have searched via Google and found virtually nothing about Start-Page-DLL.dll.dr.
Anyone help me with this?

Thanks,

Jack



Mod Edit: This will be moved to a more appropriate Forum.

Edited by scarlett, 22 March 2005 - 12:36 PM.




#2 Leurgy


Posted 22 March 2005 - 12:41 PM

Hi Jack and welcome to BC

What is your operating system? If you are using XP you need to disable system restore, do a scan with McAfee, AdAware and Spybot S&D and reenable system restore again.

Perhaps post your HiJack log in the HiJack forum and let the experts have a look.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#3 Papakid


Posted 22 March 2005 - 01:32 PM

Hi omrivers,

I have to disagree with Leurgy about System Restore. I recommend you leave that on, but do run your McAfee in Safe Mode and if it detects any malware in the System Volume Information folder don't worry that you can't delete it.

What you describe sounds like a Hijacker and your best bet would be having our HijackThis team guide you thru a general cleanup. We need to see a HijackThis log in order to help you get that junk off your system and whatever else that doesn't need to be there, trojans/virus included. Please do this:

Click on the link below and follow the steps in that tutorial so you can get a log posted:
How to post a HijackThis Log

You can of course skip step 1. But be sure to follow all the other steps and use the links in the tutorial to:

1. Download the self-extracting HijackThis.
2. Open the HijackThis Logs and Analysis forum to start a new Topic in that forum. It is important that you post your log into a new topic in that forum. If you have any problems here is a link again:
http://www.bleepingcomputer.com/forums/ind...?act=SF&s=&f=22

It may be a day or two before you get an answer. But it is also important that you not post again to the topic you started asking for help or wondering if you will get help or otherwise "bumping" your thread/topic. In order to work on a first come-first served basis, helpers look for the oldest topics with zero replies.

BUT, once you receive a reply, stay in the topic that you have started. Do not start another thread.

Thanks and see you in the forum. :thumbsup:

The thing about people

is they change

when they walk away.--Mipso


#4 omrivers


Posted 24 March 2005 - 10:09 AM

Okay, it must be my vision... I misspelled the name of the Trojan in the previous posting.

McAfee detects, every couple of days, a Trojan called Startpage-DU.dll.dr. McAfee's Trojan database has an entry but doesn't offer enough details to solve the problem -- its removal.

Any help out there?

Jack

#5 Leurgy


Posted 24 March 2005 - 10:24 AM

There's help if you reply to the questions asked.

What is your operating system?


If it's XP, see the Additional ME/XP removal considerations on this McAfee page that talks about StartPage-DU. Your McAfee will remove it if you follow those instructions.

Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder.


Edited by Leurgy, 24 March 2005 - 10:28 AM.


#6 Papakid


Posted 24 March 2005 - 01:02 PM

If you really want help you should post a HijackThis log as recommended. According to that web page Leurgy linked to you have a CoolWebSearch about:blank infection. I also suspect that it is the new se.dll variety. There are over a thousand versions of CWS, several versions of about:blank and those constantly change what they do to make removal more difficult. A:B is already one of the most difficult to remove.

Until recently McAfee had some success removing some of these A:B infections. But in the case of se.dll, CWS changed a method of reinfection by means of a hidden file so unless McAfee has updated its definitions, you'll be beating your head against a wall by depending on it to remove this malware.

No one can tell you what to remove without seeing a log, A:B files are randomly named, are different names on individual systems and will change their name on reinfection. Along with a description of the problem, a log will tell us what operating system you have (removal methods are often OS dependent) and much other information we need to help you.

The HijackThis team has spent countless hours of their free time with no compensation other than a thank you (if that) in training to know what to do to help you. You've already tried to use HJT but if I'm right about this being se.dll (and I'm just guessing without seeing a log) there is a hidden file that HJT doesn't see. You can fix what does show up there, but without getting rid of the hidden file it will come back after a day or so and some reboots. Sounds like what you've been going thru. By looking at a HJT log, asking for other detection tools to be run, and using special tools designed for specific infections like this the HJT Team is your best bet. You have to take the first step and submit a log. That's as much help as I can be right now.

As regards System Restore--yes all the AV companies recommend that it be turned off before running a full system scan with their product. That's because they can't remove infected restore points because those are protected system files. As it stands right now, infected restore points aren't the active infection that needs to be removed. They would only infect you if you used System Restore to return your machine to an earlier time. So users who are successful in having an infection cleaned up via their AV, but see they still have infected restore points that can't be cleaned will think they are still infected. Also there is a chance that they could use System Restore and reinfect themselves, so AV companies recommend that it be turned off before a scan to avoid confusion and possible reinfection. But if you understand how it works, you can ignore the files that can't be cleaned in System Restore and wait til after the scan and cleaning to disable then re-enable System Restore to delete ALL Restore Points to prevent reinfection. I prefer to do it this way to make Restore Points on a clean system.

So if you are going to depend on an AV, go ahead and turn System Restore off beforehand.

But if you are going to use HijackThis or other manual means of removing malware it is advisable to leave it on until you are sure your system is clean. There is risk involved in manual (or really any) removal of malware, and it is better to have SR to fall back on--better to be able to go back to a usable infected state than an unusable one.

This is debated all the time and there are some boards and individuals that ask you to turn off SR before beginning work on malware removal, but the policy of this board is to wait until you are clean before you purge restore points. This may change if we find that malware is using restore points for active infections, but that has not been proven as of yet that I know of. However, there is some inconclusive evidence that the se.dll infection may actually do this.



#7 omrivers


Posted 26 March 2005 - 11:51 PM

Having read all your responses, I appreciate the input.
The only reason I haven't posted my HijackThis log is that I have experience with using it and have a pretty good understanding of the registry.
BTW, the computer I am encountering this on is a Win98SE.
But let me tell you what I did and found -- and what happened subsequently.
I ran an adware detector and found the listing for the Startpage-DU.dll.dr in the registry. I ran regedit and eliminated it. It worked.
Then I rebooted the system and re-ran IE. Two new Trojans showed up almost immediately. They are Downloader.XH and Startpage-DU.dll (no .dr suffix on this one).
McAfee showed three new infections. Those two plus another.
It seems apparent to me that something is embedded in my hard drive that is in some form that defies detection by ordinary means. I mean, that the AV giants find the resulting files of the Trojan opening. But none have shown me the point of origin.
Frustrating.
Back to the HJT log for a moment, I have been able to justify the existence of each item on the log.



