Resolved HJT Threads (resolved spyware and popup issues)
#21
Registered User | Join Date: Nov 2005 | Posts: 15 | OS: WinXP
Hi

Still no sign of those files. I went manually through Windows Explorer down to the individual file and did a search too. Have therefore not posted a new HijackThis log.

Emmanuel
#22
Assistant Manager, TSF Academy; Moderator/Analyst Security Team | Join Date: Jan 2005 | Location: Ohio | Posts: 26,859 | OS: WinXP and Vista
Alright then, we'll go into the registry.

Reboot into Safe Mode as User.

Please make sure System Restore is enabled: right-click on My Computer, go to Properties > System Restore and check that the box "Turn off System Restore" is NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Click Start > Run and type in regedit. Make sure just "My Computer" is showing in the left pane, click File > Export and save a copy somewhere in case you make a mistake.

Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C24F68F-330D-3834-5594-F52CB787AE93}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E519B7D-60F7-36E0-6009-671EAD1F7C44}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{849E652D-E279-49D1-44C6-6C7123362280}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ipxk.exe"="C:\\WINDOWS\\SYSTEM32\\IPXK.EXE"
"B5.tmp"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B5.tmp.exe"
"B7.tmp"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B7.tmp.exe"
"B5.tmp.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B5.tmp.exe"
"B7.tmp.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\B7.tmp.exe"
"netgf.exe"="C:\\WINDOWS\\NETGF.EXE"

If any of the above registry keys are giving you problems deleting, right-click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again.

Once you're done, close the Registry Editor. Reboot back into Normal Mode.

Please download Trend Micro Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
* Save it to your desktop.
* Double-click the new icon on your desktop (tmas-web-scan.exe).
* It will say "Loading TrendMicro definitions".
* Once the definitions are loaded, the program will appear to close then re-open.
* Click "Start Scan".
* After it's done scanning, click "Scan Results".
* Make sure all items found have a check next to them, then click "Clean Threats Now". Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log"; please double-click that log, copy the entire contents and paste them in your next post along with a new HijackThis log.

Run another scan with HijackThis and post the log here.
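The registry part of the post above, scripted. This is an added example, not part of the original post and not a tool the forum distributed: it writes a .reg file that deletes the three BHO keys and the six Run values quoted above, using regedit's own deletion syntax ("[-KEY]" removes a key, "name"=- removes a value), and reads the file back so you can review exactly what merging it would do. The CLSIDs and value names are the ones in the post; the helper names and the output filename are mine. Export a backup from regedit first, as the post says; merging a deletion for a key or value that is already gone is harmless, which matters here because the on-disk files had already vanished.

```python
"""Write a .reg file that removes the BHO keys and Run values listed above.

Added example, not from the forum post. The script only writes a file and never
touches the registry itself, so the result can be read before it is merged.
"""
HEADER = "Windows Registry Editor Version 5.00"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# CLSIDs and value names exactly as quoted in the post
BHO_CLSIDS = [
    "{5C24F68F-330D-3834-5594-F52CB787AE93}",
    "{7E519B7D-60F7-36E0-6009-671EAD1F7C44}",
    "{849E652D-E279-49D1-44C6-6C7123362280}",
]
RUN_VALUES = ["ipxk.exe", "B5.tmp", "B7.tmp", "B5.tmp.exe", "B7.tmp.exe", "netgf.exe"]


def _esc(name):
    """Backslashes and double quotes must be escaped inside .reg value names."""
    return name.replace("\\", "\\\\").replace('"', '\\"')


def delete_key(path):
    """'[-KEY]' tells regedit to delete the key and everything under it."""
    return f"[-{path}]\n"


def delete_values(key, names):
    """'"name"=-' inside a [KEY] section deletes just that value."""
    return "\n".join([f"[{key}]"] + [f'"{_esc(n)}"=-' for n in names]) + "\n"


def build_reg(bho_clsids=BHO_CLSIDS, run_values=RUN_VALUES):
    parts = [HEADER, ""]  # regedit requires the header line and a blank line
    parts += [delete_key(f"{BHO_KEY}\\{c}") for c in bho_clsids]
    parts.append(delete_values(RUN_KEY, run_values))
    return "\n".join(parts)


def parse_deletions(text):
    """Read a .reg back and list what merging it would delete (the review step)."""
    keys, values, section = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[-") and line.endswith("]"):
            keys.append(line[2:-1])
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line.startswith('"') and line.endswith('"=-'):
            name = line[1:-3].replace('\\"', '"').replace("\\\\", "\\")
            values.add((section, name))
    return keys, values


def write_reg(path, text):
    # regedit reads UTF-16LE with a BOM and CRLF line endings, which is what
    # it writes itself on File > Export
    with open(path, "w", encoding="utf-16", newline="\r\n") as fh:
        fh.write(text)


if __name__ == "__main__":
    reg = build_reg()
    write_reg("remove-hijack.reg", reg)  # hypothetical output name
    print(reg)
    keys, values = parse_deletions(reg)
    print(f"would delete {len(keys)} keys and {len(values)} values")
```

Merging the file with regedit (double-click, or `regedit /s remove-hijack.reg` from an administrator account) does the same thing as the manual navigation in the post; the permissions fix the post describes is still needed if a key is ACL-locked, since a .reg merge fails silently on a key it cannot open for write.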
#24
Assistant Manager, TSF Academy; Moderator/Analyst Security Team | Join Date: Jan 2005 | Location: Ohio | Posts: 26,859 | OS: WinXP and Vista
That's good that they were not there. I wanted to be certain they were gone since you have not been able to find the files, yet they were still apparent in the HijackThis log.

From Normal Mode: open HijackThis > Config > Misc Tools > Delete a File on Reboot. Copy/paste elcad.dll into the box. Do not allow the reboot yet.

Run the scan with HijackThis and fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\elcad.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing

Reboot and run another scan with HijackThis and post it here.
#25
Registered User | Join Date: Nov 2005 | Posts: 15 | OS: WinXP
Hi

Here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:08:33 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\nMtsk.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCTLCOM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nMTaskBarService] nMtsk.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...ient/wuweb_site.cab?1133080125656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
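Reading a HijackThis log like the one above by eye is the analyst's job in this thread. The script below is an added example, not code from the forum, from HijackThis or from its author: it parses the R0/R1/R3, O2 and O4 lines and scores the specific patterns fixed earlier in the thread (search pages served from a res:// resource inside a local DLL, Run entries launched from a Temp directory, a missing URLSearchHook, BHOs with no name or no file). The sample log is constructed from entries quoted in this thread plus one invented "(no name)" BHO line to show that case; the heuristics, severities and names are mine and deliberately conservative, so a finding means "look closer", not "malware".

```python
"""Triage a HijackThis 1.99 log for the hijack patterns seen in this thread.

Added example; not code from the forum or from HijackThis. Sample data below is
constructed from entries quoted in the thread.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
# R0/R1 lines: HIVE\key,ValueName = data
R_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# O4 registry autostarts: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^(?P<loc>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 lines: BHO: Name - {CLSID} - path
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# per-user Temp in long, 8.3 and "Local Settings" spellings
TEMP_RE = re.compile(r"(\\temp\\|locals~1\\temp\\|\\local settings\\temp\\)", re.I)


@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium" or "low"
    reason: str


def triage_line(line: str):
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    etype, body = m.group("type"), m.group("body")

    if etype in ("R0", "R1"):
        r = R_RE.match(body)
        if not r:
            return None
        value, data = r.group("value").strip(), r.group("data").strip()
        if data.lower().startswith("res://"):
            return Finding(line, "high", "IE search/start page served from a res:// resource "
                                         "inside a local DLL (CoolWebSearch-style hijack)")
        if value == "Local Page" and data == "about:blank":
            return Finding(line, "low", "Local Page reset to about:blank, often left behind "
                                        "by the same hijackers")
        return None

    if etype == "R3" and "is missing" in body:
        return Finding(line, "low", "Default URLSearchHook removed; hijackers drop it so IE "
                                    "falls back to their search page")

    if etype == "O4":
        o = O4_RE.match(body)
        if not o:
            return None  # Global Startup .lnk lines use another layout; not scored here
        name, cmd = o.group("name"), o.group("cmd")
        if TEMP_RE.search(cmd):
            return Finding(line, "high", f"autostart [{name}] runs from a Temp directory")
        if "\\" not in cmd:
            return Finding(line, "low", f"autostart [{name}] is a bare file name resolved "
                                        "via PATH; verify which file it is")
        return None

    if etype == "O2":
        o = O2_RE.match(body)
        if o and (o.group("name") == "(no name)" or "(no file)" in o.group("path")):
            return Finding(line, "medium", f"BHO {o.group('clsid')} has no name or no "
                                           "backing file; orphaned or hiding")
        return None
    return None


def triage(log_text: str):
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarize(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: infected lines from post #24, clean lines from post #25,
# and one invented "(no name)" BHO line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\elcad.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C24F68F-330D-3834-5594-F52CB787AE93} - (no file)
O4 - HKLM\..\Run: [B5.tmp] C:\DOCUME~1\user\LOCALS~1\Temp\B5.tmp.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [nMTaskBarService] nMtsk.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 840\dslmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The "bare file name" check is the noisy one: nMtsk.exe, nwiz.exe and RTHDCPL.EXE in the real log are all legitimate, but each resolves through the search path, which is exactly why a bare name deserves a glance at which directory it lives in before it is dismissed.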
#26
Assistant Manager, TSF Academy; Moderator/Analyst Security Team | Join Date: Jan 2005 | Location: Ohio | Posts: 26,859 | OS: WinXP and Vista
Looking much better. One final scan to be certain nothing is lurking:

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm
* Requires Internet Explorer.
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.
#27
Registered User | Join Date: Nov 2005 | Posts: 15 | OS: WinXP
Good news, Ried, thanks.

Here's the Panda ActiveScan report:

Incident                 Status           Location
Adware:Adware/SearchAid  Not disinfected  C:\WINDOWS\addyl32.exe
Adware:Adware/SearchAid  Not disinfected  C:\WINDOWS\apiql.exe
Adware:Adware/SearchAid  Not disinfected  C:\WINDOWS\syski.exe
Adware:Adware/SearchAid  Not disinfected  C:\WINDOWS\system32\addfm.exe
Adware:Adware/SearchAid  Not disinfected  C:\WINDOWS\system32\ipdz.exe
Adware:Adware/SearchAid  Not disinfected  C:\WINDOWS\system32\mfcfg32.exe
Adware:Adware/SearchAid  Not disinfected  C:\WINDOWS\system32\nettj.exe
Adware:Adware/SearchAid  Not disinfected  C:\WINDOWS\system32\sysvn32.exe
#28
Assistant Manager, TSF Academy; Moderator/Analyst Security Team | Join Date: Jan 2005 | Location: Ohio | Posts: 26,859 | OS: WinXP and Vista
Hi Emmanuel,

Some stragglers here. We're not going to take any chances on not finding these files to delete, so please download KillBox from http://www.greyknight17.com/spy/KillBox.exe (it's important that you get version v2.0.0.175).

Reboot into Safe Mode (tapping F8 or F5).

Start KillBox. Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:
C:\WINDOWS\addyl32.exe
C:\WINDOWS\apiql.exe
C:\WINDOWS\syski.exe
C:\WINDOWS\system32\addfm.exe
C:\WINDOWS\system32\ipdz.exe
C:\WINDOWS\system32\mfcfg32.exe
C:\WINDOWS\system32\nettj.exe
C:\WINDOWS\system32\sysvn32.exe

Go to the File menu, and choose Paste from Clipboard.
* Click on the dropdown menu next to the "Full Path of File to Delete" field.
* Verify that the filenames you pasted are found there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
Click the RED X button. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

From Normal Mode, run the Panda scan again. It should come up clean, so please continue with these important final instructions. If it should find any infected files, post that report here again. Also, please let me know how your system is running now.

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the "Show hidden files and folders" option.
* Select the "Hide file extensions for known types" option.
* Select the "Hide protected operating system files" option. Click Yes to confirm.
Click OK.

Enable Windows Auto Update
* Go to Start > Run, type wuaucpl.cpl
* Tick the checkbox "Keep my computer up to date"
* Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK".

Create a new System Restore point
Click Start > Run, type SYSDM.CPL and press Enter
* Select the System Restore tab
* Tick the checkbox "Turn off System Restore on all drives". Click Apply
* Then untick the same checkbox and click OK
This will prevent any reinfection from any previous restore points.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER

Be very wary of any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For a tutorial on firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

More information and downloads are available at the following links:
Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

Update all these programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
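What KillBox's "Delete on Reboot" (and HijackThis's "Delete a File on Reboot" in post #24) actually does, as an added example that is not KillBox's, HijackThis's or the forum's code: both tools call the Win32 API MoveFileEx(source, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which appends a pair of strings to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the session manager walks that list early in the next boot, before the files can be opened by anything else, and an NT path ("\??\C:\...") followed by an empty destination means "delete". The script encodes and decodes that value for the eight files in the Panda report (handy when reading a SYSTEM hive during forensics to see what malware or a cleaner queued) and, on Windows only, issues the real MoveFileEx call. The registry location, value layout and flag constant are Windows facts; the helper names are mine.

```python
r"""How "Delete on Reboot" works: the PendingFileRenameOperations value.

Added example; not KillBox's or HijackThis's code. Encodes/decodes the
REG_MULTI_SZ value the Session Manager processes at boot, and can queue the
real operation through MoveFileExW on Windows.
"""
import sys

SESSION_MANAGER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # Win32 flag value

# The stragglers from the Panda report in post #27
FILES = [
    r"C:\WINDOWS\addyl32.exe",
    r"C:\WINDOWS\apiql.exe",
    r"C:\WINDOWS\syski.exe",
    r"C:\WINDOWS\system32\addfm.exe",
    r"C:\WINDOWS\system32\ipdz.exe",
    r"C:\WINDOWS\system32\mfcfg32.exe",
    r"C:\WINDOWS\system32\nettj.exe",
    r"C:\WINDOWS\system32\sysvn32.exe",
]


def pending_ops(paths):
    """Flat MULTI_SZ list: NT-prefixed path, then "" (empty target = delete)."""
    ops = []
    for p in paths:
        ops += ["\\??\\" + p, ""]
    return ops


def encode_multi_sz(strings):
    """REG_MULTI_SZ on disk: each string as UTF-16LE plus a NUL, then a final NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(data):
    """Inverse of encode_multi_sz. Walks 16-bit code units so a zero byte inside
    a code unit can never be mistaken for a terminator; this is the routine to
    use when pulling the value out of a captured SYSTEM hive."""
    strings, cur = [], b""
    for i in range(0, len(data), 2):
        unit = data[i:i + 2]
        if unit == b"\x00\x00":
            strings.append(cur.decode("utf-16-le"))
            cur = b""
        else:
            cur += unit
    return strings[:-1]  # drop the empty string produced by the list terminator


def reg_value_line(strings):
    """The value as a .reg file spells a REG_MULTI_SZ: hex(7) with the raw bytes."""
    blob = encode_multi_sz(strings)
    return '"PendingFileRenameOperations"=hex(7):' + ",".join(f"{b:02x}" for b in blob)


def schedule_delete_on_reboot(paths):
    """The real thing, Windows only, needs administrator rights: the same call
    KillBox makes. Prefer this over merging a .reg line, which would replace
    the whole value and discard operations other installers already queued."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    kernel32 = ctypes.windll.kernel32
    for p in paths:
        if not kernel32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError()


if __name__ == "__main__":
    ops = pending_ops(FILES)
    print(f"[{SESSION_MANAGER}]")
    print(reg_value_line(ops))
    print(f"{len(ops) // 2} files queued for deletion at next boot")
```

Two practical notes: the value only does anything if the files still exist and are not protected by a driver at boot, which is why the post has you verify with another Panda scan afterwards; and because the list is consumed and cleared at startup, a forensic image taken before the reboot is the only place you will still see it.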
#29
Registered User | Join Date: Nov 2005 | Posts: 15 | OS: WinXP
Hi Ried

The Panda scan came up clean! You're the best! Thank you so much for your help and the additional advice in your last post. I'll be downloading that software first thing tomorrow and making a donation to this forum.

Thanks again,
Emmanuel