Posted on 2004-11-30
Last Modified: 2010-04-12
I have a client that has, according to Norton, Trojan.StartPage. Norton deletes it, then it reappears. I have run Norton in normal mode, but cannot run it in safe mode. It cannot delete this silly virus. I've run Spybot S&D and Ad-Aware in safe mode. The last step is to get rid of the trojan. Below is my info from HijackThis. Please advise!

Logfile of HijackThis v1.98.2
Scan saved at 7:18:57 PM, on 11/30/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\documents and settings\brett bonner\local settings\temp\pduvHX.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\documents and settings\brett bonner\local settings\temp\rZS6.exe
C:\documents and settings\brett bonner\local settings\temp\pduvHX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Digital Line Detect\DLG.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C0E590F8-92A7-8A8F-B621-507AEDA3404F} - C:\WINDOWS\sdktc32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [ipcx32.exe] C:\WINDOWS\system32\ipcx32.exe
O4 - HKLM\..\Run: [mfczb32.exe] C:\WINDOWS\system32\mfczb32.exe
O4 - HKLM\..\Run: [pduvHX] C:\documents and settings\brett bonner\local settings\temp\pduvHX.exe
O4 - HKLM\..\Run: [rZS6] C:\documents and settings\brett bonner\local settings\temp\rZS6.exe
O4 - HKLM\..\Run: [msnf32.exe] C:\WINDOWS\system32\msnf32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [mspm.exe] C:\WINDOWS\system32\mspm.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [rZS6.exe] C:\documents and settings\brett bonner\local settings\temp\rZS6.exe
O4 - HKLM\..\Run: [pduvHX.exe] C:\documents and settings\brett bonner\local settings\temp\pduvHX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Vqlugjg] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
O19 - User stylesheet:  (file missing)

Question by:wdfore03
    LVL 65

    Expert Comment

    Hello wdfore03 =)

    Post that log at this site >>
    and it will automatically analyse it for you. Fix the entries which it labels as Nasty :)
    To fix, check the lines in the HijackThis scan and click on Fix Checked !!

    HJT Log Tutorial >>

    CAUTION: Before fixing the entries in HijackThis, make sure that they are really Nasty and can be deleted; better you first research them on Google and then, when you have confirmed that they should be deleted, fix them. And whenever you run HijackThis, run it from a new folder on your desktop, so that in case of any problem you can take advantage of the backups it creates of fixed items. And in case you still face problems in dealing with it, just analyse your log at the above site, then scroll down where you will see a Save Analyse button, hit it and it will save your log analysis, then copy the link of that page and paste it here, and we will check it for you :)

    After using HijackThis use msconfig to untick unwanted programs as described here >>
    Then download these tools and install them:
    AdAware ==>
    SpyBot  ==>
    CoolWebShredder ==>
    LSPFix ==>
    Stinger ==>

    Turn off your System Restore >>
    Then disable your Messenger Service if it's running >>
    After that here are some "canned" instructions of mine; if you want you can follow them to check if they work for you or not :)

    1. Restart your machine in safe mode and log in as Administrator
    2. Run the antivirus tool and delete all viruses it finds
    3. Run the spyware removal tools and delete everything they detect
    4. Then go to My Computer > Tools > Folder Options > View and turn on Show Hidden Files
    5. Go to C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here
    6. Go to C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the folder ContentIE
    7. Go to C:\Documents and Settings\your username\Cookies, and delete all cookies present here
    (of course I'm assuming that you have already saved all the login passwords for your websites :)
    8. Go to C:\Windows\Temp and delete all files present here
    9. Run LSPFix to remove those aklsp.dll & calsp.dll files
    10. Reboot back in Normal Mode and check if the problems are gone or not

    Post Back and Good Luck :)
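    Added example (my own code, not the thread's and not a HijackThis feature): a Python triage script that runs the expert's checklist above over HijackThis entries like the ones posted in the question, flagging autoruns launched from temp folders, look-alike filenames, nameless BHOs, unknown Winsock LSP files and IE start pages reset by the hijacker. The sample lines are copied from the log in the question; the heuristics are assumptions of mine.

```python
import re

# Constructed sample: eight entries copied from the HijackThis log in the
# question above (not a complete log); ccApp is the benign control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: (no name) - {C0E590F8-92A7-8A8F-B621-507AEDA3404F} - C:\WINDOWS\sdktc32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pduvHX] C:\documents and settings\brett bonner\local settings\temp\pduvHX.exe
O4 - HKCU\..\Run: [Vqlugjg] C:\WINDOWS\System32\l?ass.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
RUN_KEY = re.compile(r'Run: \[[^\]]+\] "?(?P<path>[^"]+?)"?(?: [-/]\S+)*$')
TEMP_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\")


def parse(log):
    """Yield (section, body) for every HijackThis entry line, skipping the rest."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Return (section, reason, body) triples that deserve a closer look."""
    findings, lsp_seen = [], set()
    for section, body in parse(log):
        low = body.lower()
        if section == "O4" and (m := RUN_KEY.search(body)):
            path = m.group("path").lower()
            if any(d in path for d in TEMP_DIRS):
                findings.append((section, "autorun launched from a temp folder", body))
            elif "?" in path:  # HijackThis prints '?' for a non-ASCII character
                findings.append((section, "look-alike filename with an odd character", body))
        elif section == "O2" and "(no name)" in body:
            findings.append((section, "browser helper object without a name", body))
        elif section == "O10" and "unknown file" in low:
            dll = low.split("lsp:", 1)[-1].strip()
            if dll not in lsp_seen:  # one DLL is listed once per Winsock protocol entry
                lsp_seen.add(dll)
                findings.append((section, "unknown Winsock LSP file", body))
        elif section in ("R0", "R1") and low.endswith(("about:blank", "default.home")):
            findings.append((section, "IE start/search page reset by the hijacker", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```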

    Author Comment

    I have used Symantec's recommendations, with no luck so far. The biggest issue is running AV in safe mode!
    LVL 65

    Expert Comment

    You can run Stinger there..... and have you tried the suggestions from my first comment already? You have a lot of other junk too which cannot be removed by running Norton alone.... !!

    Author Comment

    Running Stinger and LSPFix now. I'll get back to you.
    LVL 65

    Expert Comment

    I would request that you follow each step in the order I posted and make sure that System Restore is turned off.... otherwise running the tools here and there is not gonna have a good effect on the problem..... =\

    Author Comment

    I have already run HijackThis. Trying to fix the entries shown. Researching them! Running LSPFix and Stinger now. Already have run Ad-Aware and Spybot.
    LVL 65

    Expert Comment

    wdfore03, it's been almost 12 hours..... any progress... ?? :)

    Author Comment

    Progress!! Yes, I've had progress. I finally got the Trojan.StartPage off. Running what you gave me above. I'm still coming up with a couple of spyware items, Home Search Assistant among others. Trying to deal with those now.

    These flat rate fixes are going to kill me!

    I'll award the answer a bit later today. Thanks for your help. You have answered a couple of my questions in the past. This site is a great resource.

    LVL 65

    Expert Comment

    >> Home Search Assistant among others

    here is a removal tool for it >>
    and run About:Buster also >>
    ** run both of them in safe mode **

    these two tools are very well known to get rid of the Home Search Assistant pest :)

    Author Comment

    I'll try them and let you know.

    Just a rant - I would like to get hold of some of these people that produce this stuff!!

    Author Comment

    Unfortunately that didn't remove it from Add/Remove Programs in Control Panel. Ran it in safe mode. Going to run HJT again.
    LVL 65

    Expert Comment

    >> Unfortunately that didn't remove it from Add/Remove Programs in Control Panel
    This you have to do manually in safe mode.... if you cannot get rid of it, then try to remove its entry from the registry as described here :)

    How to Manually Remove Programs from the Add or Remove Programs Tool

    Author Comment

    Unfortunately, Home Search keeps popping up. I ran both removal tools in safe mode, but that did not delete them. Both said that they deleted several files. Removing the uninstall registry values did nothing, as they regenerated themselves. Going to run both again in safe mode, and Ad-Aware and Spybot again too. :(
    LVL 65

    Expert Comment

    Analyse your fresh HJT log at that site, hit Analyse, scroll down, hit Save Analyse, a new page will open, post its address here !!
    And I'm sure that System Restore is already turned off?? :)

    Author Comment

    Crap!!!!!!!!! I turned it back on this morning!!!!!!!!!!
    LVL 65

    Expert Comment

    awwww!! =\
    LVL 6

    Expert Comment


    Alias: SearchCentral

    Description: Internet Explorer start page URL hijacker.
    Redirects StartPage to search pages, believed to be a variant of CoolWebSearch

     Internet Explorer Integration:
    >> Browser Helper Object: {a23ab93d-6cff-442c-bb8a-41f6145f47e7}

     Registry Signatures:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A23AB93D-6CFF-442c-BB8A-41F6145F47E7}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}

    Author Comment

    Here's the latest after running everything suggested here, in safe mode with System Restore turned off.
    LVL 65

    Accepted Solution

    Awww, you are infected with that res:// hijacker.... it needs special treatment... please follow the instructions here >>

    Author Comment

    Mr SheharyaarSaahil,
    You are the man. After working for about $13 an hour for the last 2 days, I finally got it! Had to get rid of Trojan.StartPage. Then "onlythebest" spyware - that one was tough. My hat is off to you, sir - you kept helping me as I posted my issues. I used every resource you posted!!

    Thanks very much.

    I learned several valuable lessons here:
    - Be persistent
    - Spyware makers need a life
    - There is a site out there that has the answer to any spyware / virus issues
    - Make sure you know what you're quoting a customer for - I said I would remove a virus, and didn't include the spyware
    - Be thankful for the help you receive

    David :)
    LVL 65

    Expert Comment

    Excellent job David..... glad I could help you and happy that you are satisfied with this site...... Cheers ^_^

    Author Comment

    Thanks again!
