
trojan.startpage

I have a client that has, according to Norton, Trojan.StartPage. Norton deletes it, then it reappears. Have run Norton in normal mode, but cannot run it in safe mode. It cannot delete this silly virus. I've run Spybot S&D and Ad-aware in safe mode. Last step is to get rid of the trojan. Below is my info from HijackThis. Please advise!

Logfile of HijackThis v1.98.2
Scan saved at 7:18:57 PM, on 11/30/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\winvr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\documents and settings\brett bonner\local settings\temp\pduvHX.exe
C:\WINDOWS\system32\msnf32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\documents and settings\brett bonner\local settings\temp\rZS6.exe
C:\documents and settings\brett bonner\local settings\temp\pduvHX.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\l?ass.exe
C:\PROGRA~1\COMMON~1\tsa\tsm.exe
C:\WINDOWS\System\MSMSGSVC.exe
C:\PROGRA~1\COMMON~1\tsa\ts.exe
C:\Program Files\Digital Line Detect\DLG.exe
F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.e-finder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C0E590F8-92A7-8A8F-B621-507AEDA3404F} - C:\WINDOWS\sdktc32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [ipcx32.exe] C:\WINDOWS\system32\ipcx32.exe
O4 - HKLM\..\Run: [mfczb32.exe] C:\WINDOWS\system32\mfczb32.exe
O4 - HKLM\..\Run: [pduvHX] C:\documents and settings\brett bonner\local settings\temp\pduvHX.exe
O4 - HKLM\..\Run: [rZS6] C:\documents and settings\brett bonner\local settings\temp\rZS6.exe
O4 - HKLM\..\Run: [msnf32.exe] C:\WINDOWS\system32\msnf32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [mspm.exe] C:\WINDOWS\system32\mspm.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [rZS6.exe] C:\documents and settings\brett bonner\local settings\temp\rZS6.exe
O4 - HKLM\..\Run: [pduvHX.exe] C:\documents and settings\brett bonner\local settings\temp\pduvHX.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Vqlugjg] C:\WINDOWS\System32\l?ass.exe
O4 - HKCU\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - HKCU\..\Run: [MSMsgSvc] C:\WINDOWS\System\MSMSGSVC.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095711573018
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O19 - User stylesheet:  (file missing)
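
A triage script over a constructed excerpt of the log above, added here as an example (not from the thread or from HijackThis): it flags the entry classes the thread goes on to fix, namely IE start/search values stored obfuscated or pointing at an unexpected host, an unnamed BHO, Run entries launching from a Temp folder, and unknown Winsock LSPs. The benign-host allowlist and the heuristics are assumptions.

```python
"""Triage a HijackThis 1.98-style log for the entry classes this thread ends up fixing.
Added example, not from the thread or HijackThis; heuristics are assumptions."""
import re
from urllib.parse import urlparse

# Assumed benign hosts for IE start/search values (allowlist is an assumption).
BENIGN_IE_HOSTS = {"www.microsoft.com", "home.microsoft.com", "www.msn.com",
                   "search.msn.com", "ie.search.msn.com"}
TEMP_DIR_RE = re.compile(r"\\local settings\\temp\\|\\windows\\temp\\", re.I)
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Constructed excerpt in the shape of the log above (values taken from it).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.e-finder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {C0E590F8-92A7-8A8F-B621-507AEDA3404F} - C:\WINDOWS\sdktc32.dll
O4 - HKLM\..\Run: [pduvHX] C:\documents and settings\brett bonner\local settings\temp\pduvHX.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Vqlugjg] C:\WINDOWS\System32\l?ass.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
"""

def triage_line(line):
    """Return (section, reason) if the entry looks hijack-related, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        # HJT appends '(obfuscated)' when the IE value was stored encoded: hijack sign.
        value = body.split(" = ", 1)[1].strip() if " = " in body else ""
        if value.endswith("(obfuscated)"):
            return sec, "obfuscated IE search/start value: " + value
        if value and value != "about:blank":
            host = urlparse(value).hostname or ""
            if host not in BENIGN_IE_HOSTS:
                return sec, "IE start/search points at unexpected host: " + host
    elif sec == "O2" and "(no name)" in body:
        return sec, "unnamed Browser Helper Object: " + body.rsplit(" - ", 1)[-1]
    elif sec == "O4":
        path = body.split("] ", 1)[-1].strip('"')
        if TEMP_DIR_RE.search(path):
            return sec, "autorun launched from a Temp folder: " + path
        if "?" in path.rsplit("\\", 1)[-1]:  # HJT prints '?' for unprintable chars
            return sec, "autorun name with unprintable char (lookalike): " + path
    elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
        return sec, "unknown Winsock LSP: " + body.split(": ", 1)[-1]
    return None

def triage_log(text):
    """Triage every line, deduplicating (HJT lists an O10 once per protocol chain)."""
    seen, findings = set(), []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit and hit not in seen:
            seen.add(hit)
            findings.append(hit)
    return findings
```

Call triage_log(SAMPLE_LOG) to get the flagged (section, reason) pairs; the about:blank and ccApp lines in the sample show the heuristics leaving normal entries alone.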

Asked by wdfore03

SheharyaarSaahil commented:
Hello wdfore03 =)

Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for you. Fix the entries which it labels as Nasty :)
To fix, check the lines in the HijackThis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in HijackThis, make sure that they are really Nasty and can be deleted; better you first research them on Google, and then when you have confirmed that they should be deleted, fix them. And whenever you run HijackThis, run it from a new folder on your desktop, so that in case of any problem you can take advantage of the backups it creates of fixed items. And in case you still face problems in dealing with it, just analyse your log at the above site, then scroll down where you will see a Save Analyse button, hit it and it will save your log analysis, then copy the link of that page and paste it here, and we will check it for you :)

After using HijackThis use msconfig to untick unwanted programs as described here >> http://netsquirrel.com/msconfig/
Then Download these tools and install them:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
LSPFix ==> http://www.spychecker.com/program/lspfix.html
Stinger ==> http://vil.nai.com/vil/stinger
========================================================

Turn off your System Restore >> http://www.pchell.com/virus/systemrestore.shtml
Then disable your Messenger Service if it's running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
After that here are some "canned" instructions of mine; if you want, you can follow them to check if they work for you or not :)

1. Restart your machine in Safe Mode and log in as Administrator
2. Run the antivirus tool and delete all viruses it finds
3. Run the spyware removal tools and delete everything they detect
4. Then go to My Computer > Tools > Folder Options > View and turn on Show Hidden Files
5. Go to C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here
6. Go to C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Go to C:\Documents and Settings\your username\Cookies, and delete all cookies present here
(of course I'm assuming that you have already saved all the login passwords for your websites :)
8. Go to C:\Windows\Temp and delete all files present here
9. Run LSPFix to remove those aklsp.dll & calsp.dll files
10. Reboot back in Normal Mode and check if the problems are gone or not

Post Back and Good Luck :)

wdfore03 (Author) commented:
Have used symantec's recommendations and no luck so far. The biggest issue is running AV in safe mode!
 
SheharyaarSaahil commented:
You can run Stinger there..... and have you tried the suggestions from my first comment already... you have too much other junk too, which cannot be removed by running Norton only.... !!

wdfore03 (Author) commented:
Running Stinger and LSPFix now. Will get back to you.

SheharyaarSaahil commented:
I would request that you follow each step in the order I posted, and make sure that System Restore is turned off.... otherwise running the tools here and there is not gonna have a good effect on the problem..... =\

wdfore03 (Author) commented:
Have already run HijackThis. Trying to fix the entries shown. Researching them! Running LSPFix and Stinger now. Already have run Ad-aware and Spybot.

SheharyaarSaahil commented:
wdfore03, it's been almost 12 hours..... any progress... ?? :)

wdfore03 (Author) commented:
Progress!! Yes, I've had progress. I finally got the Trojan.StartPage off. Running what you gave me above. I'm still coming up with a couple of spyware, Home Search Assistant among others. Trying to deal with those now.

These flat rate fixes are going to kill me!

I'll award the answer a bit later today. Thanks for your help. You have answered a couple of my questions in the past. This site is a great resource.

David

SheharyaarSaahil commented:
>> Home Search Assistant among others

Here is a removal tool for it >> http://www.snapfiles.com/get/hsremove.html
and run About:Buster also >> http://www.snapfiles.com/get/aboutbuster.html
** run both of them in Safe Mode **

These two tools are very well known to get rid of the Home Search Assistant pest :)

wdfore03 (Author) commented:
I'll try them and let you know.

Just a rant - I would like to get hold of some of these people that produce this stuff!!

wdfore03 (Author) commented:
Unfortunately that didn't remove it from the Add/Remove Programs in Control Panel. Ran it in Safe Mode. Going to run HJT again.

SheharyaarSaahil commented:
>> Unfortunately that didn't remove it from the Add/Remove Programs in Control Panel
This you have to do manually in Safe Mode.... if you cannot get rid of it, then try to remove its entry from the registry as described here :)

How to Manually Remove Programs from the Add or Remove Programs Tool
http://support.microsoft.com/?kbid=314481

wdfore03 (Author) commented:
Unfortunately, Homesearch keeps popping up. I ran both removal tools in Safe Mode, but that did not delete them. Both said that they deleted several files. Removing the uninstall reg values did nothing, as they regenerated themselves. Going to run both again in Safe Mode and Ad-aware and Spybot again too.  :(

SheharyaarSaahil commented:
Analyse your fresh HJT log at that site, hit Analyse, scroll down, hit Save Analyse, a new page will open, post its address here !!
And I'm sure that System Restore is already turned off?? :)

wdfore03 (Author) commented:
Crap!!!!!!!!! I turned it back on this morning!!!!!!!!!!

SheharyaarSaahil commented:
awwww!! =\

caza13 commented:
Trojan.StartPage

Alias: SearchCentral

Description: Internet Explorer start page URL hijacker.
Redirects StartPage to search pages, believed to be a variant of CoolWebSearch

Running Process Signatures:
>> process: rundll32.exe : MD5 Hash: 67c83f5d2ec691bac84...
>> process: startpage.exe : MD5 Hash: 806f0a889807cd872ed...
>> process: startpage.exe : MD5 Hash: 9afb4de72d4a0472b6c...
>> process: rundll32.exe : MD5 Hash: 38ce2ba785b31a37c5d...
>> process: csrss.exe : MD5 Hash: e3f12cbc1df8c07bcb6...
>> process: soundmx.exe : MD5 Hash: e433d1bff22dd7790c2...


File Signatures:
>> file: rundll32.exe : MD5 hash: 67c83f5d2ec691bac84...
>> file: startpage.exe : MD5 hash: 806f0a889807cd872ed...
>> file: startpage.exe : MD5 hash: 9afb4de72d4a0472b6c...
>> file: win32.dll.old : MD5 hash: 71ec71ddd305d152212...
>> file: rundll32.exe : MD5 hash: 38ce2ba785b31a37c5d...
>> file: csrss.exe : MD5 hash: e3f12cbc1df8c07bcb6...
>> file: soundmx.exe : MD5 hash: e433d1bff22dd7790c2...
>> file: pdf3f9d.dll : MD5 hash: 18065e5b96b30eb7f10...
>> file: remove_me.dll : MD5 hash: 49699f743219b907bf8...
>> file: %system%\remove_me.dll
>> file: remove_me.dll : MD5 hash: 8f517c68617502013a8...


Registered Dll (Dynamic Link Library) Signatures:
>> dll: win32.dll.old : MD5 hash: 71ec71ddd305d152212...
>> dll: pdf3f9d.dll : MD5 hash: 18065e5b96b30eb7f10...
>> dll: remove_me.dll : MD5 hash: 49699f743219b907bf8...
>> dll: %system%\remove_me.dll
>> dll: remove_me.dll : MD5 hash: 8f517c68617502013a8...


Internet Explorer Integration:
>> Browser Helper Object: {a23ab93d-6cff-442c-bb8a-41f6145f47e7}


Registry Signatures:
HKEY_CLASSES_ROOT\clsid\{A23AB93D-6CFF-442c-BB8A-41F6145F47E7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A23AB93D-6CFF-442c-BB8A-41F6145F47E7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}

http://www.spynet.com/spyware/spyware-Trojan.StartPage.aspx

wdfore03 (Author) commented:
here's the latest after running everything suggested here, in safe mode with system restore turned off.
http://hijackthis.de/logfiles/d1ab9e0b7a11a6e8fa3cba9fad3f9117.html

SheharyaarSaahil commented:
awww you are infected with that res:// hijacker.... it needs special treatment... please follow the instructions here >> http://www.pchell.com/support/onlythebest.shtml

wdfore03 (Author) commented:
Mr SheharyaarSaahil,
You are the man. After working for about $13 an hour for the last 2 days, I finally got it! Had to get rid of Trojan.StartPage. Then the "onlythebest" spyware - that one was tough. My hat is off to you sir - you kept helping me as I posted my issues. I used every resource you posted!!

Thanks very much.

I learned several valuable lessons here:
- Be persistent
- Spyware makers need a life
- There is a site out there that has the answer to any spyware / virus issues
- Make sure you know what you're quoting a customer - I said I would remove a virus - didn't include the spyware
- Be thankful for the help you receive

David :)

SheharyaarSaahil commented:
Excellent job David..... glad I could help you and happy that you are satisfied with this site...... Cheers ^_^

wdfore03 (Author) commented:
Thanks again!