Microsoft
Software
Hardware
Network
Question : trojan.startpage keeps coming back
Hi I have a startpage trojan norton finds it and deletes file sp.dll that I can never find. I have run 3 adware programs cleans everything up but after restart going anywhere near IE starts the hole process over again here is the hijack this scan log
help please
Logfile of HijackThis v1.99.0
Scan saved at 10:50:23 AM, on 1/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.e
xe
C:\WINDOWS\system32\winlog
on.exe
C:\WINDOWS\system32\servic
es.exe
C:\WINDOWS\system32\lsass.
exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\System32\svchos
t.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spools
v.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc3
2.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex
e
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THot
key.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.
exe
C:\WINDOWS\System32\TPWRTR
AY.EXE
C:\Program Files\TOSHIBA\TouchED\Touc
hED.Exe
C:\WINDOWS\System32\ezSP_P
x.exe
C:\Program Files\MUSICMATCH\MUSICMATC
H Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Logitech\MouseWare\s
ystem\em_e
xec.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\AOL\A
OLSPY~1\AO
LSP Scheduler.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
BackWeb-88
76480.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\wuaucl
t.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\acsd.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\toshiba\ivp\ism\ivpsvmg
r.exe
C:\Documents and Settings\Mark Bickmore\My Documents\hijack\HijackThi
s.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Default_Page
_URL =
http://start.earthlink.net
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Default_Sear
ch_URL =
http://www.earthlink.net/p
artner/mor
e/msie/but
ton/
search
.html
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Search Bar = res://C:\DOCUME~1\MARKBI~1
\LOCALS~1\
Temp\sp.dl
l/sp.html
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Start Page =
http://www.toshiba.com
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Default_Page
_URL =
http://www.toshiba.com
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Search Bar = res://C:\DOCUME~1\MARKBI~1
\LOCALS~1\
Temp\sp.dl
l/sp.html
R0 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.ht
m
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\In
ternet Connection Wizard,ShellNext =
http://www.symantec.com/te
chsupp/ser
vlet/Produ
ctMessages
?
product=L
U&version=
1.90&langu
age=Englis
h&module=L
U&
error=18
06&build=S
ymantec
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-2
06D7942484
F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {86C6E8B6-690D-4B72-93C2-7
4AFADA2C1A
C} - C:\WINDOWS\System32\mdpcdg
.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-F
ADC6B08487
2} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
0A0C908246
7} - C:\WINDOWS\System32\msdxm.
ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7
859DF00B1D
6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THot
key.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\Touc
hED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_P
x.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.
exe /run
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATC
H Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
" -atboottime
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMo
n.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\
AOLSPY~1\A
OLSP Scheduler.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
BackWeb-88
76480.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -noauth
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
LDMConf.ex
e
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Mic
rosoft\Int
ernet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
0C0F0318AF
E} - C:\WINDOWS\System32\Shdocv
w.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
dll
O14 - IERESET.INF: START_PAGE_URL=
http://www.
toshiba.co
m
O16 - DPF: {11010101-1001-1111-1000-1
1011234567
8} - ms-its:mhtml:file://C: oo.mht!
http://cellaphone.n
et/helps/0
79057/iehe
lp.chm::/w
in.exe
O16 - DPF: {11111111-1111-1111-1111-1
1111111345
7} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-1
1119111345
7} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-5
1111111345
7} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-5
1111111345
8} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-5
1111119345
7} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-5
1111119345
8} - file://c:\x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3
C54734667F
E} (LSSupCtl Class) -
https://www-secure.symante
c.com/tech
supp/asa/L
SSupCtl.ca
b
O16 - DPF: {6414512B-B978-451D-A0D8-F
CFDF33E833
C} (WUWebControl Class) -
http://v5.windowsupdate.mi
crosoft.co
m/v5consum
er/V5Contr
ols/
en/x86
/client/wu
web_site.c
ab?1102958
288050
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0
F47A330807
8} (ActiveDataInfo Class) -
https://www-secure.symante
c.com/tech
supp/asa/S
ymAData.ca
b
O17 - HKLM\System\CCS\Services\T
cpip\..\{6
6A5737F-AF
3C-48D2-93
92-2117063
90567}: NameServer = 205.188.146.145
O18 - Filter: text/html - {F1C11CA4-CD69-4BE8-9C2C-F
DBDEAA3B9B
A} - C:\WINDOWS\System32\mdpcdg
.dll
O18 - Filter: text/plain - {F1C11CA4-CD69-4BE8-9C2C-F
DBDEAA3B9B
A} - C:\WINDOWS\System32\mdpcdg
.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9
F4543D3454
5} - C:\WINDOWS\System32\vbsys2
(file missing)
O23 - Service: AOL Spyware Protection Service - Unknown - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc3
2.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMAN
T~1\SCRIPT
~1\SBServ.
exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.ex
e
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Answer : trojan.startpage keeps coming back
Before cleaning the system make sure that you have disabled the System Restore >>
http://www.pchell.com/viru
s/systemre
store.shtm
l
After that Download these tools, install and update them:
==========================
==========
==========
==========
AdAware ==>
http://www.spychecker.com/
program/ad
aware.html
SpyBot ==>
http://www.spychecker.com/
program/sp
ybot.html
MS Antispyware ==>
http://www.microsoft.com/a
thome/secu
rity/spywa
re/softwar
e/
default.
mspx
CoolWebShredder ==>
http://www.softpedia.com/p
ublic/cat/
10/17/10-1
7-150.shtm
l
Stinger ==>
http://vil.nai.com/vil/sti
nger
==========================
==========
==========
==========
Then Run all of them one by one in safemode and delete everything they detect.
Then delete the temporary internet files and history of IE
and run Disk Cleanup on your hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now ?? :)
Random Solutions
icmp ,snmp
Activating HTML link in lotus notes
Configuring two NIC's
SSL Certificate renewal on exchange 2007 sp1 server
RPC Error on ISA 2004
Netware 5.0 - NICI CSS Fatal Initialization Error
Need to set up a Default User Account
DTMF Problem accessing external IVR and/or Asterisk Voicemail (*97) using a Linksys SPA 942 on a Trixbox 2.6.1.13
Email server using Xchange
GPO for users when they log into Terminal Servers
