
trojan......startpage-du!htm

cookie141
Grafter
Posts: 51
Registered: 16-09-2007

trojan......startpage-du!htm

Hi... infected with this trojan and have tried all means of removal.
Running McAfee Security Suite and it states that it has cleaned it, but it still remains... My virus protection is up to date. This is what it does to the registry... any ideas on removal please?

When executed, this trojan modifies the following registry settings:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "HOMEOldSP" = "about:blank"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = "sp.html"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "SearchAssistant" = "sp.html"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU "e" = "hhk.dll"
The following file is dropped:

sp.html (7,976 bytes)
Note: This file is dropped in the user's temporary file area. For example: c:\Documents and Settings\%username%\Local Settings\Temp\
8 REPLIES
N/A

trojan......startpage-du!htm

Yes, use HijackThis.

If you can't download it, PM and I'll send it to you.

Download from here: HijackThis
Community Veteran
Posts: 6,983
Thanks: 8
Registered: 10-04-2007

trojan......startpage-du!htm

Don't forget that if you are running Windows XP then you will need to shut down the System Restore utility before trying to remove a virus.
Otherwise it will keep coming back :shock:
cookie141
Grafter
Posts: 51
Registered: 16-09-2007

trojan

No joy with HijackThis.
It deletes the offending items, but when I reboot they reappear.
Any other ideas?
cookie141
Grafter
Posts: 51
Registered: 16-09-2007

trojan

By the way, I am running Win 2000 Pro.
N/A

trojan......startpage-du!htm

Can you post a copy of your report from HijackThis? You must have an item still in there that is constantly re-infecting your machine.
cookie141
Grafter
Posts: 51
Registered: 16-09-2007

trojan

Here's the log as you asked for:

Logfile of HijackThis v1.97.7
Scan saved at 17:56:43, on 08/08/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {09B4A83D-39A4-4CA5-88A5-B05346AE5DDA} - C:\WINNT\System32\ghjndga.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\SpyHunter\PopupBlocker\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtectorPro.exe" /stealt
O4 - HKCU\..\Run: [MSSVC] "C:\WINNT\System32\svcsys.exe" 8192
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA20599D-F91D-4528-B56C-172903FD01A7}: NameServer = 212.159.13.49 212.159.13.50
N/A

Re: trojan

Fix the following using HijackThis, but first ensure the items are backed up with HijackThis.

Select Config (you might need to perform a scan first)
and ensure "make backup before fixing items" is ticked.

Select the following, and fix them.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {09B4A83D-39A4-4CA5-88A5-B05346AE5DDA} - C:\WINNT\System32\ghjndga.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe


Restart your computer and you should be OK.

It wouldn't hurt to run Spybot and adware as well.
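
The reasoning in the replies above (settings that come back after a reboot are being rewritten by something that starts automatically), sketched as an added example that is not part of the original thread: it flags IE settings redirected to a file in a Temp directory and lists the BHO and Run entries to review by hand. The sample lines are copied from the log posted above; the regexes and function names are this example's own assumptions about the HijackThis line format.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread (abridged).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\COOKIE~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {09B4A83D-39A4-4CA5-88A5-B05346AE5DDA} - C:\WINNT\System32\ghjndga.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Assumed line shapes: "<code> - <body>" and, for R entries, "<key>,<value name> = <data>".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.*)$")
# A browser setting pointing at a local file inside a Temp directory.
TEMP_FILE_URL = re.compile(r"^file://.*\\(temp|tmp)\\", re.IGNORECASE)
# O2 = Browser Helper Objects, O4 = Run keys / Startup folder: both load automatically.
AUTOSTART_CODES = {"O2", "O4"}


def parse(log):
    """Return (code, body) for every line that looks like a HijackThis entry."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def triage(log):
    """Split a log into hijacked IE settings and autostart entries to review."""
    hijacked, autostart = [], []
    for code, body in parse(log):
        if code in ("R0", "R1"):
            m = REG_VALUE.match(body)
            if m and TEMP_FILE_URL.match(m["value"]):
                hijacked.append((m["key"], m["name"], m["value"]))
        elif code in AUTOSTART_CODES:
            autostart.append((code, body))
    return hijacked, autostart
```

The autostart list is a review queue, not a verdict: it includes legitimate entries such as MsnMsgr alongside the ones the reply singles out.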
cookie141
Grafter
Posts: 51
Registered: 16-09-2007

trojan

Thanks gadget boy... for the input.
I have got rid of the pest... now I can relax :)

Cheers Cookie