Problems with Internet Explorer


Tosh McCaber
9th May 2005, 22:22
Just come back from my friend’s - his computer was a mess (from, amongst other things, going to broadband, surfing Kazaa and other similar sites, and not using his Anti-Virus and spyware on a regular basis). Ran Spybot and Ad-Aware, and picked up, respectively, 30 and 120 malware objects. Ran AVG, and came up with a virus that won’t go away.

Having successfully run AVG with nothing detected, I successfully connected to the internet. However, whenever I tried to connect to Internet Explorer, AVG flagged up, again and again, a Trojan horse virus by the name of Startpage.16.bd.

On deleting it each time, a box with the white cross in the red circle comes up reading:

RUNdll

Error loading C:Docume~\Richard\locals~-1\Temp\se.dll

Access is denied

Trying again and again came up with the same result. I would try HijackThis, and post on this pprune thread, but he doesn’t have it. I presume I can copy my version on a memory stick, and transfer it to his, and then copy the results for posting?

Anyone any suggestions?

Irish Steve
9th May 2005, 22:33
Looks like it's in the internet explorer temporary files area, which can be a pig to get things out of.

It might be worth bringing the machine up in safe mode, then doing a search for the file name, and deleting it that way. Make sure that system restore is turned off temporarily if it's an XP machine. Can't be completely sure, as it's not showing the full file path.

Safe mode will hopefully prevent it from being loaded at startup, which is probably what's preventing it being deleted now, as it's being accessed.

nwaflygirl
10th May 2005, 02:14
You can remove it with your registry editor. First, be certain you are deleting the correct file. In the unfortunate event that you delete the wrong one, it can be a bigger problem than you started with!

Press Start, go to Run. Type REGEDIT. A page similar to Windows Explorer pops up.

Click the plus sign to expand at HKEY LOCAL MACHINE. Find your file. Right-click and delete.

If this still denies you access, you need to change permissions. Right-click the file and select PERMISSIONS. Change to allow full access, then delete.

Good luck!

Tosh McCaber
10th May 2005, 06:38
Thanks for the replies,

Presumably I'm looking in the registry for a file called Startpage.16.bd? Should I be backing up the registry beforehand?

Tosh

Avtrician
10th May 2005, 14:19
Can be fixed with a bit of fiddling.

Go to the directory listed, and rename se.dll to something else like gone.beast (anything meaningless).

Run msconfig, and uncheck se.dll in the startup list.

Turn off System Restore in the settings panel.

Restart the computer.

You will now be able to delete the renamed se.dll.

Restart System Restore.

Everything should now work OK (at least as far as se.dll goes).

The same trick works for a few other similar things.

Tosh McCaber
15th May 2005, 21:12
Thanks for the advice. Unfortunately, having got back on the infected computer today, I went through the procedures suggested, found the Startpage entry in the registry, deleted it, restarted the computer, and- the little booger keeps coming back every time I started Internet Explorer. AVG detected it as I tried to open IE, but it comes back at each new try!

Any more suggestions?

Thanks,

Tosh

Avtrician
16th May 2005, 07:54
Try this, but first do a google on se.dll and have a bit of a read.

This info should help.

Overview:
IEPlugin is an IE BHO that monitors web site addresses you visit, form contents and even your local file browsing! It also automatically updates and adds a few items to your favorites list. On top of this it will display ads when it finds certain keywords in your browser.

brought to you by: http://www.ieplugin.com

Destroy Autorun:
Delete the following keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win Server
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Win Server Updt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Server Updt [C:\WINDOWS\wupdt.exe]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Server Updt
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conscorr

Reboot your system then:

Make sure you click Start --> Run and type in msconfig. Then select the Startup tab. Any references to the processes below should be deleted.

End Processes (may or may not exist):
extract.exe
se.exe
systb.exe
wdskctl.exe
wupdt.exe
winserv.exe

Unregister DLLs:
Tip: this is only a list of known files/locations. You will want to do a search by the name of the file to see if they're on your system.
A while back I wrote a guide to Register/remove DLL or AX files which you will need if you don't know how to unregister these files.

Each file is in several locations so you'll need to search for them and unregister + delete them in every location you find.

ieplugin.dll
se.dll
systb.dll
winobject.dll

You could also obtain HijackThis and post a copy of the log here for analysis. Disable smileys first or the post will reject.

Good luck

P.S. There are a few files to clear to get rid of this.

You could always install Firefox or Mozilla, and use these instead of IE, not affected by this stuff.
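
Added example, not part of the original post: a read-only PowerShell audit of the two Run keys named above that reports entries matching the value names and file names listed in the post, plus a search for those files on disk. It assumes PowerShell 3.0 or later; the function names and the default search roots are hypothetical, and a hit is a lead to review rather than proof of infection.

```powershell
# Added example: read-only audit, nothing is deleted or changed.
# Value names and file names are copied from the post above.
$runValueNames = 'Win Server', 'Win Server Updt', 'conscorr'
$fileNames = 'extract.exe', 'se.exe', 'systb.exe', 'wdskctl.exe', 'wupdt.exe',
             'winserv.exe', 'ieplugin.dll', 'se.dll', 'systb.dll', 'winobject.dll'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# True when a Run value has a listed name or its command line references a listed file.
function Test-RunEntry {
    param([string]$Name, [string]$Data)
    if ($runValueNames -contains $Name) { return $true }
    foreach ($f in $fileNames) {
        # Whole file name only: matches "...\se.dll,Entry" but not "...\base.dll".
        $pattern = '(^|[\\/\s"])' + [regex]::Escape($f) + '($|[\s",])'
        if ($Data -match $pattern) { return $true }
    }
    return $false
}

# Walk both Run keys and emit one object per matching value.
function Get-SuspectRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if (Test-RunEntry -Name $name -Data $data) {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

# The post says each file can sit in several locations, so search recursively.
# Default roots are an assumption; pass other folders or drives as needed.
function Find-ListedFile {
    param([string[]]$Root = @($env:TEMP, $env:windir))
    Get-ChildItem -Path $Root -Include $fileNames -File -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Get-SuspectRunEntry | Format-List
Find-ListedFile | Format-Table -AutoSize
```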

Jet II
16th May 2005, 15:59
Anyone any suggestions?

Use Opera 8 or Firefox (personally I prefer Opera) :ok:

18-Wheeler
16th May 2005, 16:08
Use Opera 8 or Firefox (personally I prefer Opera)

Another vote for Opera 8 here.
Been using Opera for years, never had a pop-up, and found it vastly better than IE in just about every way possible.

Feline
16th May 2005, 20:13
Well, just to balance things out, I vote for Firefox! And it's free too!

Seriously, the more I get to know Firefox, the more charmed I am - and once upon a long time ago I did actually give Opera a try ..

Tosh McCaber
19th May 2005, 20:21
I'm trying to post a HijackThis log for this problem, but keep getting this message:

"Bulletin Message
You have included too many images in your signature or in your previous post. Please go back and correct the problem and then continue again.

Images include use of smilies, the vB code [img] tag and HTML <img> tags. The use of these is all subject to them being enabled by the administrator."

It's just a regular HijackThis log. What's happening?

Tosh

Globaliser
19th May 2005, 21:17
You need to disable smilies in your post before posting, otherwise much of the log is accidentally automatically "translated" into smilie images.

Just check the appropriate box ("Disable Smilies in This Post") before clicking Submit Reply.