startpage-du


#1
Moyo

Sorry, I posted this in the WIN98 forum, because almost all posts I've seen about HJT were from WinXP. Here's the repost.
Hello,
I hope you can help me. This is my last resort before I format the HD.
For some time now I've been having this problem: every day, when I open my Internet Explorer browser for the first time, my McAfee AV detects a dll file infected with "startpage-du". The file is randomly named, like ojkkl.dll or asccnf.dll. I delete it but then the next day, it happens again. Even if I change the date of the computer manually, the next time I open the browser, it happens. I've tried scans with my updated McAfee, Lavasoft Ad-Aware (updated), Spybot S&D (updated), Xoftspy (updated) and TrojanHunter (updated). Also online scans in Panda and other sites. (I can't do an online scan in Trend Micro. IE closes when installing the update). All the above failed to detect anything strange. I've also tried reading all the posts in several forums to see if anything matches my problem, to no avail. My startpage is set to Google, and if I click the IE icon on the task bar, it opens there, but if I right-click the IE icon on the desktop and click "open", it sends me to http://296f8.ilxt.in...x.php?aid=20038, a bogus search page that I've already seen some people asking about in these forums. Pretty strange. I hope you can help me. It's driving me nuts and if this doesn't work, I'll have no other choice but to format the HD. Here's my HJT log:
Logfile of HijackThis v1.98.0
Scan saved at 16:31:31, on 27/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LOADSETTINGS.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE97\OFFICE\OSA.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEHEIL/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadUserSettings] C:\WINDOWS\SYSTEM\LoadSettings.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = isds
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.115.106.31,192.115.106.35

Cheers!!
  • 0
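
Added example, not part of the thread and not any poster's code: a small Python parser for the HijackThis log format shown in post #1. It lists autostart (O4) entries that are launched by bare file name and running processes that no O4 entry in the log accounts for; the function names and the shortened sample are constructed for illustration, and the result is a list of items to review, not a malware verdict.

```python
import re
# Constructed sample: a few lines taken from the HijackThis log in post #1.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = isds
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then body
O4_RE = re.compile(r"^(?P<src>.+?): (?:\[(?P<key>[^\]]+)\] |(?P<lnk>.+?) = )(?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(.+?\.(?:exe|com|bat))\b', re.I)  # program part of a command

def parse_log(text):
    """Split a HijackThis log into running processes and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:" or not line:
            in_procs = bool(line)  # list starts at its heading, ends at a blank line
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def autostarts(entries):
    """Yield (source, name, executable) for every O4 (autostart) entry."""
    for code, body in entries:
        m = O4_RE.match(body) if code == "O4" else None
        exe = EXE_RE.match(m.group("cmd")) if m else None
        if exe:
            yield m.group("src"), m.group("key") or m.group("lnk"), exe.group(1)

def triage(text):
    """Return (bare-name autostarts, running processes with no O4 entry)."""
    processes, entries = parse_log(text)
    started = list(autostarts(entries))
    names = {exe.rsplit("\\", 1)[-1].lower() for _, _, exe in started}
    # A command without a directory is resolved through the Windows search path.
    bare = [name for _, name, exe in started if "\\" not in exe]
    unlisted = [p for p in processes if p.rsplit("\\", 1)[-1].lower() not in names]
    return bare, unlisted
```

Calling `triage()` on the full log text from post #1 gives the same two lists for the whole machine; processes started by means other than an O4 entry appear in the second list by design.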

#2
ditto

Try searching for a CWS. Please download CoolWebShredder from http://www.geekstogo...=download&id=17 , extract it and run the program. Click the Next button and let it scan. Make sure you let it fix all CWS remnants. Afterwards, please post a fresh HijackThis log.
  • 0

#3
Moyo

ditto,
Thanks for your reply.
I forgot to mention in my post that I also use CWShredder, almost on a daily basis. I have the latest version available, I think it's 1.59.1, and every time I run it, it says my system is completely clean.
Maybe any other ideas?
  • 0

#4
ditto

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself), for example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.
  • 0

#5
Moyo

ditto,
Again, thanks for your time.
As I said in my original post, I have been reading what's posted in these forums on the subject. I've also read other forums about it. Whenever I encounter a possible solution that maybe could help me, I try it. I already tried deleting the temp files and the temporary internet files, including offline content. I am now deleting temp files and temp. internet files every day when I sign off. That hasn't helped either.
Cheers
  • 0

#6
ditto

Ok there is a removal on the McAfee site for the startpage-du.

You can find it here-> http://us.mcafee.com...&virus_k=126530

Scroll to the bottom. Let me know of any problems.

ditto
  • 0

#7
Moyo

Heyas ditto,
Tks for the link you sent. It's the McAfee update site, which I use once a week to keep my AV updated. I already had those DATs installed. Those are the ones identifying the infected *.dll file. Anyway, I ran 2 scans today, one in Safe Mode and one in regular mode, but the AV still says no infected files were found.
I had the problem again this morning when I opened the browser for the first time. And now I see also that one of the program icons in the Start menu has changed. It's MS Photo Editor, and it has the icon for Macromedia Flash. I'm not liking this at all, and I think the best thing (and the only solution I have left) is to format the HD and reinstall fresh copies of the software.
I thank you very much for your time and help efforts, and I'll be sure to keep visiting this site to get help and gather up tips, and who knows, maybe chip in once in a while if I see something I can help with.
Have a great one!!
  • 0

#8
admin

Welcome Moyo,

Try this. Download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

Download Lavasoft's VX2 Cleaner plug-in here
http://updates.ls-se...lvx2cleaner.exe

How to use Lavasoft's VX2 Cleaner plug-in

- Close Ad-Aware 6 build 181 and Ad-Watch (if running)
- Download the free VX2 Cleaner at http://updates.ls-se...lvx2cleaner.exe
- Install the VX2 Cleaner
- Start Ad-Aware 6 build 181
- Go to "Plug-ins"
- Select the VX2 Cleaner plug-in and click "Run Plugin"
- If your computer isn't infected, click "Close".


If your computer is infected

- Select "Clean system"
- Reboot your computer
- Scan your computer with Ad-Aware
- Remove any VX2 objects detected
- Reboot your computer again
- Run a second scan to make sure the files have been removed from your computer

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log, and let us know how your system's working. <_<
  • 0

#9
Moyo

Heyas admin,
Thanks for your post but I already formatted the HD and reinstalled all the software needed. It went smoother than I thought and everything is running great now. At least I know now my system is 100% clean (unless there is a bug out there that's immune to format??).
Anyways, I'll keep your suggestions present in case I have problems again, which I hope I don't.
Again, thanks for all your help. Keep up the great work. It's good to know there is a place where we can go for good, quality help when needed.
Rock ON!!!
  • 0

#10
ditto

hey moyo,

thanks for your kind words. We always enjoy having feedback, whether positive or negative. Talk to you later!
  • 0

#11
dinger

The Startpage-Du trojan is not as easy to remove as McAfee would have you believe; their instructions for removing it are completely inadequate and even the latest updates of McAfee do not fix it. Also, Ad-Aware does not delete it... See the following link for the complete low-down on Startpage-Du....

http://www.bullguard...rst-S_2076.html

It actually involves removing no less than 50 - that's right, 50! - keys in the registry. Unless you delete them all, the trojan reinstalls itself every time you start up IE.

Dinger
  • 0

#12
dinger

I've since had two other computers brought into my department by users from home infected with Startpage DU. I have found that running the latest Ad-Aware (downloaded since 4th Aug) fixed the problem but left behind an "infected" dll (seemingly randomly named) which McAfee always detects on startup. This file is unable to be deleted even when you boot into Safe Mode with System Restore off. Even taking ownership of the file had no effect. In the end I had to install the XP System Recovery Console and boot into that to delete the dll file.
  • 0





