Help Needed .. Trojan Startpage Menace


anjali
January 1st, 2004, 06:08 PM
Hi friends....

My comp running on windows XP is infected with Trojan startpage...........

I am using Norton Antivirus..... The software program is able to detect the virus... the virus has infected ctrlpan.dll file under system32 folder.....

I am not sure if ctrlpan is a valid dll file required by Windows XP.. I also tried Trojan Remover... But it couldn't detect any trojan....

I am using adware.... But I guess it is not able to come to my rescue........

Guys.. if someone knows how to tackle this problem please guide me...........

Thanks in advance

Kalp

el-half
January 1st, 2004, 06:13 PM
Do you mean Norton doesn't detect the trojan?
A Trojan cleaner should do the job.
Adware isn't for removing Trojans it's to remove spyware (well a spyware program can be a trojan sometimes but mostly I think spyware is simply installed)

anjali
January 1st, 2004, 06:21 PM
Norton detects... But it is unable to repair it, says access denied.. may be b'cos it is a system32 file...., the infected file is in c:/windows/system32/ctrlpan.dll

Frankly I am not sure if ctrlpan.dll is a valid windows file.......

Could u suggest me some good trojan remover program..

I have tried trojan remover..... It could not even detect the trojan....

Regards

Kalp

el-half
January 1st, 2004, 06:30 PM
Access denied, could also be because the file is currently in use, have you restarted your computer since you got infected? (Make sure Norton scans on booting)

anjali
January 1st, 2004, 06:33 PM
Yes I followed the instructions for Windows XP i.e. disabled System Restore, started in safe mode and ran the complete antivirus scan... Norton detected the virus but was unable to delete it.....

I have tried all the remedies the antivirus site had to offer..... But my Norton antivirus is unable to delete the trojan for some reasons....

Please help me with this problem

w0lverine
January 1st, 2004, 07:49 PM
anjali i dont think ctrlpan.dll is a valid system file. try deleting the file and scanning again. but i don't get it, if sometimes norton is not able to clean a file it generally quarantines it

therenegade
January 1st, 2004, 08:12 PM
try something like cleaner...think its available at www.moosoft.com(I think)..I dont think its a system dll file either...try deleting it..true that bout Norton's w0lverine...lol

Agent_Steal
January 2nd, 2004, 01:35 AM
I think this just might be what you are talking about :
TROJ_SMALL.DB (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SMALL.DB)

Sometimes it's also a good idea to use one of the free on-line antivirus scanners. Try this one out I use it to scan my computer every week.
TrendMicro-HouseCall (http://housecall.trendmicro.com/housecall/start_corp.asp)

If you want to know if it's a valid *.dll for your Microsoft product try this out :
DLL Help Database (http://support.microsoft.com/default.aspx?scid=/servicedesks/fileversion/dllinfo.asp)

This database contains information about DLL files that ship with selected Microsoft products.

DLL Help exists to assist developers, system administrators, and other IT professionals who face file version conflicts with Microsoft software. Use DLL Help to identify which software installed a specific version of a DLL.


I hope that helps...

D0pp139an93r
January 2nd, 2004, 04:46 AM
What I usually do for things like that is to boot into DOS (boot disk), or in the case of my laptop I boot into Linux (SuSE). That way, I can rename the file, see if everything still works, and then delete it.


Edit: Don't forget about SpybotSD. It's pretty good.

anjali
January 2nd, 2004, 04:57 AM
Thank you all....

Agent Steal many thanks 2 u for those supportive links.. I guess trend micro has detailed procedure for deletion of this malware.....

This trojan relatively seems harmless but it simply changes the start page of Internet Explorer.....

But I was not sure if it is programmed to bomb at specific dates....and anyways knowing that u have virus on ur systems is not a very healthy feeling.... U somehow want to get rid of those junk code.....

Thanks a lot... I shall try the suggestions offered so far.. I am confident one of them would work.. shall try renaming ctrlpan.dll and see if it effects my PC.....

Bye

Kalp

scriptkiddie18
January 2nd, 2004, 05:31 AM
Just like el-half said, access is denied because it's in use, so you also might wanna try ctrl+alt+del and go under the process tab and see if you can find the ctrlpan.dll file...if so end its process and delete it manually right away
peace

Agent_Steal
January 2nd, 2004, 05:49 AM
You might wanna install these programs as well. Just a few more programs to keep your computer safe and healthy. That's if you dont have them and it is up to you if you want to.
Browser Hijack Blaster (http://www.wilderssecurity.com/bhblaster.html)
Ad-aware Standard Edition (http://www.lavasoftusa.com/)
Spybot - S&D (http://spybot.safer-networking.de/)

anjali
January 3rd, 2004, 05:56 PM
Hi Agent steal .. I was unable to download Browser Hijack blaster..... It seems the file was not found on the server.....

Also .. I tried all the suggestions mentioned here.. but I am still unable to get rid of the trojan....

I tried stopping all the relevant processes... But still when I try to delete this file it says access denied as the file may be in use.....

I am not aware of how u boot XP in dos mode.... XP at times is strange.. and i could not find any option to restart in dos mode.....

Also there is no process like ctrlpan.dll

Could someone help me with process to unregister dll files...

I already have

Norton Antivirus 2003
Ad-aware standard edition (Free ware)
Spybot
Trojan remover.....

I guess Norton is successful in identifying the trojan but is unable to delete the file.. as the access to the file is denied.....

Could someone please help me with a solution to get rid of this annoying trojan.......

Regards

Kalp

w0lverine
January 3rd, 2004, 06:05 PM
If u are running a Windows (95/98/2000/NT) OS then just boot ur system with a win98 bootable. goto the system32 folder and "del ctrlpan.dll". this should do it. try updating ur norton virus def file.

yes good point made by grov, almost forgot the registries. if u have a reg cleaner then valent good, otherwise as grov said u would have to do it manually

w0lverine
January 3rd, 2004, 06:10 PM
groovicus the name is "trojan startpage (http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.html) ". it is a harmless trojan just changes the defaultstart page of ur IE. see the title of the forum man

Trojan.StartPage may present itself as a valid program, and it may be run-time compressed. When this Trojan is run, it changes the registry to set your Internet Explorer home page to a Web site, which the creator of the Trojan chose.

groovicus
January 3rd, 2004, 06:34 PM
anjali , if you are still having difficulty, (after shutting down system restore), find ctrlpan.dll, rename it to ctrpan.ded. Search the registry for any reference to ctrlpan.dll and delete any reference. Reboot, let us know what happens.

When a .dll is in use, you won't be able to delete it, but I have never once been unable to rename it...that should keep it from running next time you reboot. If you missed any registry keys, it will let you know when you boot up also.

Also, in order to prevent malware that uses .dlls and hooks into the registry, do a search for RegProt...

Agent_Steal
January 4th, 2004, 12:58 AM
Sorry about that. This link will work.
Browser Hijack Blaster (http://www.pcworld.com/downloads/file_download/0,fid,22955,fileidx,1,00.asp)

Another thing if Norton is able to detect it but not remove it. A lot of times you should just write down the virus name that Norton says it has detected. And then pay a visit to their website :
Symantec (http://www.symantec.com/ )

Then next you can do a search for the name of the virus and a lot of the times they will have manual work arounds for them. Hope that helps.

ShagDevil
January 4th, 2004, 06:09 AM
Anj,
you may also be suffering from TROJ_NORYB.B, which is detected as TROJ SMALL.DB.

From Trend Micro
"On systems running Windows 2000, XP and NT, it drops the following file, detected as TROJ_SMALL.DB: NETRUN.EXE
This malware arrives in a 16-bit DOS file format and utilizes a self-extracting and executing UU decoder. "

Check to see if you have NETRUN as one of your running tasks. If so, this is the culprit. You'll have to remove this as well.

Fatphantom
January 4th, 2004, 08:01 AM
I am not aware of how u boot XP in dos mode.... XP at times is strange.. and i could not find any option to restart in dos mode.....

I think they meant the recovery console. Go to your boot menu and you can go to your recovery console. You're going to need your admin password (if you didn't set one or don't remember setting one, it's probably the default password)

anjali
January 4th, 2004, 10:32 AM
Shag devil.. I checked the processes there is nothing like netrun.exe process in my task manager...

The list of tasks in my comp are as under......

Nmain.exe
taskmgr.exe
obc.exe
sgbhp.exe
wmiapsrv.exe
sgmain.exe
webshotsTray.exe
zonealarm.exe
FreeRam XP Pro 1.40.exe
CTFMON.exe
Rundll32.exe
MSMSGS.exe
VSMON.exe
NOPDB.exe
SMAgent.exe
QUICKEN.exe
NVSVC32.exe
NProtect.exe
NAVAPSVC.exe
MDM.exe
MWSOEMON.exe
DAP.exe
CCEVTMGR.exe
SPools.exe
ccapp.exe
InCd.exe
Iexplore.exe
SVCHOST.Exe
LSASS.exe
Services.exe
winlogon.exe
CRSS.exe
Explorer.exe
SMSS.exe
SYMUNDO.exe
SYSTEM
system idle process

need ur help to identify the trojan process.........

Regards

kalp

sumdumguy
January 4th, 2004, 08:09 PM
seems to me that you probably have a few different ones.. there are processes there that I've never heard of.. just googling each one could tell you more. For example, I picked "SMSS.exe" , googled it and found this link.. http://www.viruslist.com/eng/viruslist.html?id=51071.. which shows that you have Worm.Win32.Ladex.. as you'll see by that link, the CRSS.exe is also part of that worm. read that link please because there's good info in there.. I'll just quote the last part.. Invisibility

Using the additional components SMSS.EXE and CSRSS.EXE the worm tries to mask (hide)itself in the system. Both files ensure the functioning of the main module LMHSVC.EXE if for any reason it appears unloaded from memory. Besides these components it looks for REGEDIT - if REGEDIT is open it temporarily removes the keys in the system registry and restores them upon the closure of the REGEDIT application. Thus the worm achieves invisibility in the system registry.

Payload

The worm starts the joke program LADY.EXE which displays a set of creeping flies which can be "killed" with the mouse cursor.

as for hijacking, since no one has mentioned it yet.. try hijackthis, but be careful of what you delete. posting a log of it either at tomcoyote's forum or here would be advisable.

hijackthis : http://www.tomcoyote.org/hjt/
log tutorial : http://www.spywareinfo.com/~merijn/htlogtutorial.html

ShagDevil
January 4th, 2004, 08:41 PM
Anj, I'd recommend checking your running tasks against a couple lists. check:

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm (or)
http://www.liutilities.com/products/wintaskspro/processlibrary

These may not have everything but it's a good start. good luck.

pZargs
January 10th, 2004, 01:03 AM
Another goody program is called " hijackthis " you can find this program at any search engine
but read some forums first and make sure you do not delete any windows registry's
I personally had a trojan called .hogle, the only way I could remove it was with hijackthis, and I still had to disable system restore because system restore kinda takes a picture of your windows configuration and the bios and then protects it. But you should be able to find what you're looking for when you scan with the hijackthis program, and i mean usually there are words like ctrlpan.dll in the line that you would want hijackthis to delete...hope this helped
pZargs

Abyzz
January 10th, 2004, 02:06 AM
umm.. errr.... eh ..

How do i start a tread and where can i find a place to post it???

anyway i wanna know how to crack a damn cd check cuz i broke the cd

anjali
January 19th, 2004, 10:10 AM
Hi All,

I have downloaded Spyguard and hijack this....

Although Spyguard ensures that the trojan can no more change my default IE page....

But my Antivirus program still cannot delete the ctrlpan.dll file from system32 folder....

I am herewith copying the log file generated by Hijack this.... Request you all to help me identify the trojan threat....

Hi Boardwalk_angel,

Pls. find here the logfile that I could generate after running hijack this....

Pls. see if u could help me get rid of this Trojan.Startpage virus...


Logfile of HijackThis v1.97.7
Scan saved at 22:40:44, on 18/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Kalpesh\Local Settings\Temp\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Kalpesh\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.indiatimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.indiatimes.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file:///C:\WINDOWS\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.indiatimes.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O1 - Hosts: 205.177.124.66 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [UPSUtl] C:\WINDOWS\web.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Kalpesh\Local Settings\Temp\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A823B2BB-7332-4A3C-A236-3F455659B499}: NameServer = 202.9.136.6 202.71.144.67
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)



Thanks in advance.....

Regards

Kalpesh
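The advice in this thread comes down to two checks: compare the running-process list against known system process names (w0lverine's, sumdumguy's and ShagDevil's posts) and read the HijackThis log for the usual hijack indicators. The following Python script is an added example, not code from the thread or from HijackThis, that applies both checks to a log in the format posted above. The rules are generic heuristics chosen for illustration (a core process name running from the wrong directory or a one-character look-alike of one, a UserInit value carrying more than the stock userinit.exe, any hosts-file override, a start/search page pointing at a local file, an autorun executable sitting directly in the Windows directory, and a user stylesheet). The sample log is constructed from a subset of the posted log lines plus one constructed look-alike process path (crss.exe); a flagged line is a prompt to look the entry up, not a verdict that it is malicious.

```python
import re

# Core Windows processes and the directory each is expected to run from
# (assumption for this example; adjust per OS version when you triage a real log).
CORE_PROCESSES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# The only program a stock XP UserInit value should name (assumption for this example).
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a core name is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(path):
    """Return a finding for one 'Running processes' path, or None if it looks normal."""
    p = path.strip().lower()
    directory, _, name = p.rpartition("\\")
    if name in CORE_PROCESSES:
        if directory != CORE_PROCESSES[name]:
            return f"core process {name} running from unexpected directory: {path}"
        return None
    for core in CORE_PROCESSES:
        if edit_distance(name, core) == 1:
            return f"{name} looks like core process {core} (possible impostor): {path}"
    return None


def check_entry(line):
    """Return a finding for one 'Rx/Fx/Ox - ...' entry, or None."""
    m = re.match(r"([RFO]\d+) - (.*)", line)
    if not m:
        return None
    kind, body = m.groups()
    if kind == "F2" and "UserInit=" in body:
        values = body.split("UserInit=", 1)[1].lower().split(",")
        extra = [v.strip() for v in values if v.strip() != STOCK_USERINIT]
        if extra:
            return f"UserInit runs extra program(s) at logon: {', '.join(extra)}"
    if kind == "O1":
        return f"hosts-file override (search/update domains are a common hijack target): {body}"
    if kind in ("R0", "R1") and "file://" in body.lower():
        return f"browser start/search page points at a local file: {body}"
    if kind == "O4" and re.search(r'c:\\windows\\[^\\\s"]+\.exe', body, re.I):
        return f"autorun executable placed directly in the Windows directory, verify its publisher: {body}"
    if kind == "O19":
        return f"user stylesheet set (a known IE hijack vector): {body}"
    return None


def triage(log_text):
    """Walk a HijackThis-style log: process paths first, then the lettered entries."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if re.match(r"[RFO]\d+ - ", line):
            in_processes = False
            f = check_entry(line)
        elif in_processes:
            f = check_process(line)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample: a subset of the log posted in this thread plus one made-up
# look-alike process path (C:\WINDOWS\crss.exe) to exercise the name check.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\crss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.indiatimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file:///C:\WINDOWS\search.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O1 - Hosts: 205.177.124.66 auto.search.msn.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UPSUtl] C:\WINDOWS\web.exe
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(" -", finding)
```

Run it on a saved log with `triage(open("hijackthis.log").read())`; each finding names the line to look up in a process library or vendor write-up before anything is renamed or deleted, which is the same "check before you fix" order the thread recommends.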

anjali
January 19th, 2004, 08:13 PM
Thanks a ton AO for helping me get rid of this trojan....

I read abt Merijn and coolwebsearch .. I found that I 2 was infected by the same virus....

Merijn's CWShredder is a wonder product.. I must agree Merijn is doing a wonderful job......

It just deletes all the variants of virus so easily... Infact i had more than 5 variants of the above virus......

But glad to have got rid of them now..... It's been at least 3 weeks since I was trying to figure out a solution to get rid of this idiotic virus..glad that I have finally been successful....

All thanks to AO.... Long live AO.. Long live Merijn

Bye