Startpage.CZ resists all attempts to remove!
Graeme
graeme-jones@btconnect.com
08/22/04
Can anyone please help?!

I am plagued by the Startpage.CZ trojan -- I have used AboutBuster, Adaware, Spybot Search and Destroy, Webroot Spysweeper, Coolweb Shredder etc., but all to no avail.

AboutBuster scan logs show it removed and all clear (see below), but having rebooted as it suggests and starting up IE, Norman Virus Control is sending me 10 or more messages (every 5 minutes!) that Startpage.CZ is back and it can't remove it!

Here are the AboutBuster and Hijack This logs -- can anyone see the problem (some at the beginning of the HJT log look obvious -- but are there any others?).

Thanks in anticipation...

FIRST SCAN

-- Scan 1 --
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Error Removing! : C:\WINDOWS\System32\emjd.dll
Removed! : C:\WINDOWS\System32\emjd.dll
Error Removing! : C:\WINDOWS\System32\fbmbpj.dll
Removed! : C:\WINDOWS\System32\fbmbpj.dll
Error Removing! : C:\WINDOWS\System32\fhhi.dll
Removed! : C:\WINDOWS\System32\fhhi.dll
Error Removing! : C:\WINDOWS\System32\hpmnaj.dll
Error Removing! : C:\WINDOWS\System32\hpmnaj.dll
Error Removing! : C:\WINDOWS\System32\hpmnaj.dll
Removed! : C:\WINDOWS\System32\hpmnaj.dll
Error Removing! : C:\WINDOWS\System32\njpkj.dll
Removed! : C:\WINDOWS\System32\njpkj.dll
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.2
Scan saved at 13:43:57, on 22/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NVATray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\MSOffice\Office\FINDFAST.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Graeme\LOCALS~1\Temp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {437E4B72-56BB-4BA0-90BD-3714BF513623} - C:\WINDOWS\System32\hpmnaj.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {AA63B7EE-A218-4B25-94BE-E6B198A7CAC4} - C:\WINDOWS\System32\hpmnaj.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/144000s/download.opistat.com/opistat/activex/opinstall_en_4.1.8.0.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://F:\PCFormat\IntraLaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0AA438A-EB09-4086-B0CB-0DE681B9C332}: NameServer = 213.1.119.103 213.1.119.104
O18 - Filter: text/html - {871A3482-D95A-43CA-959B-A22A5D9E3459} - C:\WINDOWS\System32\hpmnaj.dll
O18 - Filter: text/plain - {871A3482-D95A-43CA-959B-A22A5D9E3459} - C:\WINDOWS\System32\hpmnaj.dll
-4CEA-91B5-64D36A94F76B} - C:\WINDOWS\System32\bcdf.dll

Anti-SpyWare: SpySweeper, Adaware, etc. etc.
Anti-Virus: Norman Virus Control
Browser: IE
OS: Win XP Home Edition
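
A way to cross-reference the two logs in the post above: list the HijackThis entries that still point at a DLL About:Buster reported as removed, or that HijackThis itself marks as having no file. This is an added example, not part of the original post or of either tool; the function names are hypothetical and the sample lines are a subset copied from the logs above.

```python
import re

# Sample input: a few lines copied from the two logs in the post (subset only).
ABOUTBUSTER_LOG = r"""
Error Removing! : C:\WINDOWS\System32\hpmnaj.dll
Removed! : C:\WINDOWS\System32\hpmnaj.dll
Removed! : C:\WINDOWS\System32\emjd.dll
"""

HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {437E4B72-56BB-4BA0-90BD-3714BF513623} - C:\WINDOWS\System32\hpmnaj.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O18 - Filter: text/html - {871A3482-D95A-43CA-959B-A22A5D9E3459} - C:\WINDOWS\System32\hpmnaj.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
"""

# "Error Removing!" lines do not match: only successful removals are collected.
REMOVED_RE = re.compile(r"^Removed! : (.+)$", re.M)
# HijackThis entry lines start with a section code such as R1, O2, O18.
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$", re.M)


def removed_files(aboutbuster_log):
    """Lower-cased paths that About:Buster reported as removed."""
    return {p.strip().lower() for p in REMOVED_RE.findall(aboutbuster_log)}


def leftover_entries(hjt_log, removed):
    """Return (section, reason, line) for HijackThis entries that still
    reference a removed file, or that HijackThis marks as having no file."""
    hits = []
    for m in ENTRY_RE.finditer(hjt_log):
        section, body = m.group(1), m.group(2).strip()
        low = body.lower()
        ref = next((p for p in removed if p in low), None)
        if ref:
            hits.append((section, "references removed file " + ref, m.group(0)))
        elif low.endswith("(file missing)") or low.endswith("(no file)"):
            hits.append((section, "no file on disk", m.group(0)))
    return hits


if __name__ == "__main__":
    for section, reason, line in leftover_entries(HJT_LOG, removed_files(ABOUTBUSTER_LOG)):
        print(f"[{section}] {reason}\n    {line}")
```

Entries flagged this way are registrations that outlived the file deletion, so they are the ones to review in the registry before the next scan.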

