Repeat Virus Infection

Rourkefamily
Grafter
Posts: 241
Registered: 01-09-2007

Repeat Virus Infection

Every time I open up IE, my AVG virus scanner picks up the same (probably repeat) virus infection in my Windows\Temp\ folder in a file called 'SP.DLL'. The virus is a Trojan Horse Start Page 16.BD.

While it is great that AVG picks it up, it is a pain to have it recurring.

I think it must be connected to the fact I can't change my home page. No matter what I try (full virus scan, full Ad-Aware scan and reloading Windows), when I change my home page, close down and reopen, it goes back to the URL 'about:blank', which is blank for a few moments and then switches to a page entitled Search for.... with hundreds of links, including some slight undesirables!

I also use Firefox, and it gives no problems.

Any ideas?
N/A

Repeat Virus Infection

Hi there,

What O/S are you using?

If it is Win XP or ME, you will have to turn off System Restore. The virus is probably residing there and, whilst you remove it with AVG, it immediately reinfects your PC from System Restore.

Turn off System Restore. Scan your system, then turn it back on again.

Problem should be resolved.
lowry
Grafter
Posts: 478
Registered: 08-04-2007

Repeat Virus Infection

As Mark quite rightly says, it is likely that System Restore's stored data is causing it to keep re-occurring. Go to Start > All Programs > System Tools > System Restore and then click on the "system restore settings" link in the window that appears. This will bring up a dialog box which will allow you to turn the feature off, thus deleting all restore points.

Whilst System Restore is a very useful application in Windows XP and ME it can be a nuisance after a virus infection because it makes a back-up of the registry and all of your system settings and program files (and so any virus which has made its way in there too).

Some anti-virus applications can detect viruses located in the System Restore folder (which is under C:\System Volume Information) but some cannot. McAfee VirusScan 9.0 (which I use) does this, so if I do a full system scan and see a virus detected in C:\System Volume Information I know that I will need to temporarily disable System Restore.

Try a couple of the free online scans in future as well, which may be able to detect whether System Restore is causing the issue after the virus has been dealt with. Try Trend Micro's scan and McAfee FreeScan.

I hope that helps,
matt ;)
Rourkefamily
Grafter
Posts: 241
Registered: 01-09-2007

Repeat Virus Infection

Thanks for the reply folks.

I am using Me.

Tried running Trend Micro Scan but keep getting an error that closes down explorer :x

Matt,

Pulled up System Restore, but appear to have no option for a dialogue box :?

Is this somewhere different on Me?
N/A

Repeat Virus Infection

ME uses System Restore as well. The option to turn this function off, which may be what you need, is within the System icon in the Control Panel.

Aaron
Alecto
Grafter
Posts: 2,886
Registered: 30-07-2007

Repeat Virus Infection

To turn it off in ME, you need
Control Panel
System
Performance
File System (under Advanced at the bottom)
Troubleshooting
and check the Disable System Restore box
Rourkefamily
Grafter
Posts: 241
Registered: 01-09-2007

Repeat Virus Infection

Disable System Restore box is checked.

Also now getting an error message when I open IE, titled RUNDLL, with the message "Error loading C:\Windows\Temp\se.dll. Access is denied."

This is the file that contains the virus. Each message I get from AVG I use heal.
N/A

Repeat Virus Infection

You need to use Hijack This to remove it from your start up and IE settings.
N/A

Repeat Virus Infection

Just read about this problem. I have the same issue. I have run AVG (free) with System Restore off but the virus is still active, with the "about:blank" home page overriding my usual Google. Most frustrating to say the least.

Bill
N/A

Repeat Virus Infection

The problem is that it's removed by your anti-virus, and then you reboot and it re-installs.

You need to use HijackThis to remove the startup link, and any connection between the virus and IE.
Rourkefamily
Grafter
Posts: 241
Registered: 01-09-2007

Repeat Virus Infection

After a few other problems with IE I have run Trend Micro Scan. A couple of interesting things here. First, I could not run Trend Micro Scan from Firefox. Followed the directions, but it kept thinking it was looking at Netscape :?
When it did run in IE it only checked half the number of files that Ad-Aware does. Can't see how to set it up to pick up the extra files. Even repeated the scan selecting 'My Computer' but no different. :? :?
Anyway, nothing found and still got the same problem. :x

Aaron,

Looked up 'Hijack This' on Google and from the link downloaded an .exe. Ran this and found undesirables. Went to remove them and had to put in a code. When I went to get the code, would have to pay $40. Is this correct or have I downloaded the wrong .exe? Have you got a good link?

Frustrated Jim :x
N/A

Repeat Virus Infection

Hi Jim,

Here's the original site of the software, and it's where I've got mine from.

Merijn

When using this program, make sure you select the backup option; it's a tick box which you can get to by pressing the Options tab.

Only remove the entries you're 100% sure about, and feel free to post the scan here if you're not 100% sure about which ones to remove.

Aaron
N/A

Repeat Virus Infection

Try this link for info. There is some very nasty spyware around at the moment:

http://forums.subratam.org/index.php?showtopic=2946&hl=sp\.dll
Rourkefamily
Grafter
Posts: 241
Registered: 01-09-2007

Repeat Virus Infection

Aaron,

Thanks for the reply; I have taken your advice.
Done a system scan only and this is what was found (apologies for the length):

Logfile of HijackThis v1.99.1
Scan saved at 19:23:16, on 21/02/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\BIN\WDM\FULL\MIXER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fast4
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ShprRprts - {2A8A997F-BB9F-48F6-AA2B-2762D50F9289} - C:\PROGRAM FILES\SHOPPERREPORTS\BIN\1.0.0.1\SMRTSHPR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {1A99D9DF-C37B-463C-ACEB-E0CCF95D048E} - C:\WINDOWS\SYSTEM\KFANGAA.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [belyvmh] C:\WINDOWS\belyvmh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bmp: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int4.exe
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn298.exe
O18 - Filter: text/html - {5CE89B48-79EF-4E1C-A60D-DBDDC165A720} - C:\WINDOWS\SYSTEM\KFANGAA.DLL
O18 - Filter: text/plain - {5CE89B48-79EF-4E1C-A60D-DBDDC165A720} - C:\WINDOWS\SYSTEM\KFANGAA.DLL

As the warnings say, I need to take advice. I would target the se.dll data (where the virus is) and the data that references about:blank. But that might be a mistake!

I guess to remove, I check the box and then 'Fix checked'?
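As an added example (not code from anyone in this thread), here is a small Python triage script that reads lines in the HijackThis v1.99 log format posted above and flags the kinds of entries the thread discusses: IE search/start pages reset to about:blank or served out of a DLL in Windows\Temp, dangling "(no file)" entries, unknown startup executables sitting straight in the Windows folder, and text/html or text/plain MIME filters. The sample log, the allow-list of stock Windows ME executables and the heuristics are constructed assumptions for illustration, not a substitute for the forum's advice on what to fix.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.99 log format, modelled on the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [belyvmh] C:\WINDOWS\belyvmh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O18 - Filter: text/html - {5CE89B48-79EF-4E1C-A60D-DBDDC165A720} - C:\WINDOWS\SYSTEM\KFANGAA.DLL
""".strip()

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
# Hypothetical allow-list: stock Windows ME Run entries that legitimately live directly in C:\WINDOWS.
KNOWN_WINDOWS_ROOT_EXES = {"scanregw.exe", "taskmon.exe", "rundll32.exe"}

def _o4_target(body: str) -> str:
    """'[name] "C:\\path\\prog.exe" /args' -> 'C:\\path\\prog.exe' (quoted or unquoted)."""
    m = re.search(r'\] ("[^"]+"|\S+)', body)
    return m.group(1).strip('"') if m else ""

def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, reason, line) for every entry that deserves a second look."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.group(1), m.group(2)
        reason = None
        if section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1].strip()
            if value.lower() == "about:blank":
                reason = "IE search/start page reset to about:blank"
            elif value.lower().startswith("res://") and "\\TEMP\\" in value.upper():
                reason = "IE page served from a DLL in the Temp folder"
        elif body.rstrip().endswith("(no file)"):
            reason = "dangling entry pointing at a file that no longer exists"
        elif section == "O4":
            target = PureWindowsPath(_o4_target(body))
            if target.parent.name.upper() == "WINDOWS" and target.name.lower() not in KNOWN_WINDOWS_ROOT_EXES:
                reason = "unknown executable run at startup straight from the Windows folder"
        elif section == "O18" and body.upper().startswith("FILTER: TEXT/"):
            reason = "MIME filter DLL can rewrite every text/html or text/plain page IE loads"
        if reason:
            hits.append((section, reason, line.strip()))
    return hits
```

Everything not flagged (the Google Toolbar BHO, the AVG Run entries) is left for manual review; the script only narrows the list, in the spirit of "only remove the entries you're 100% sure about".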
Rourkefamily
Grafter
Posts: 241
Registered: 01-09-2007

Repeat Virus Infection

Cliff,

Followed the instructions on the subratam forum. Very detailed and did the job (so far so good). I can now keep the home page and don't get the virus back. Wanted to have one final run with Trend Micro but get an error message:
"Iexplore has caused an error in SMRTSHPR.DLL. Iexplore will now close"

Any ideas? If not I will reinstall Windows at the weekend.

Aaron, Cliff,
Thanks for all the help.

Jim