Unsolved
51 Posts
0
1865
February 25th, 2008 19:00
Blondie needs HELP w/Trojan.StartPage
Dear Community,
Well, I have seen better days than this. First I slip in the bathtub (broken left foot + spinal slipped disc & pinched nerve), at a time when I am in between health insurance carriers (ergo all out-of-pocket expenses), and now Norton Internet Security informs me I have 2 Trojan.StartPage viruses on my hard drive which it failed to remove. Can't a girl catch a break! ;o(
To make matters worse I have already paid Symantec to address this issue by removing these 2 Trojan.StartPage viruses (non-negotiable $99.95 for premium service) via remote control, yet I suspect their tech support did not remove them in their entirety (because I keep getting rundll32.exe files in my prefetch folder...more than 30 days after Symantec first tackled this problem...ergo they now expect me to pay them again to finish the job...it's a mad, mad world). So, "no money, no fixy" according to Symantec (I've been a loyal customer of theirs for the last 4 years).
I would normally opt to take the computer (Dell Dimension 4600C) to BestBuy and have GeekSquad repair the registry there (price $199), yet with a broken foot & slipped spinal disc I can't drive (GeekSquad in-home is $349 which is too rich for me...had to max out my credit card for hospital bills as is). So, I'm hoping that a kind soul on this board might be in a position to help me out. "There is always our old friend hope!" :o)
The problem started more than a month ago with a downloader built into a website (I was researching genealogy on the Web via Google); the next thing I know, I got a pop-up from Norton stating it had blocked the action (Trojan.StartPage), only to later find out that was not so (via Norton Internet Security 2008 Full System Scan).
The Norton Security Risks Log stated that they were in C:\documents and settings\blondie\local settings\temp\ealp.dat & C:\documents and settings\mickey c\local settings\temp\pofo.dat. So, I clicked Start/Run/temp and deleted the temp folder (I did the same for the prefetch folder). Alas there are still remnants of the Trojan.StartPage on my hard drive (probably somewhere in the registry [system32?], yet I have no idea where exactly, or what file or files).
I have a Desktop PC (Dell Dimension 4600C) which runs on Windows XP Home Edition. I also use Norton Internet Security 2008 (for Firewall + Virus Scan) and Webroot SpySweeper (for adware/spyware/cookies). Hmmm, what else?
Ah, Ja...
If it merely were a matter of the Trojan.StartPage changing my homepage then I wouldn't be that worried (although my present situation is bad enough), yet according to the Norton "View History" log there have been some changes made to Firewall rules.
Among other...
* C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Internet Explorer was allowed to communicate with 216.10.195.7; Outbound TCP, 653)
* xrun (now on my harddrive)
* xpre (Removed manually)
So, all that having been said, just how worried should I be?
Oh, yes, lest I forget, here is...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:15, on 2008-02-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.dell.com/support/index.aspx?c=us&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {1A9062A7-5B71-4239-8777-005703385CF0} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1A9062A7-5B71-4239-8777-005703385CF0} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160695144578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 6367 bytes
I wish, at times like these, that I had studied computer programming in college (and paid more attention to math) rather than theology (as it is, I'm currently praying an awful lot). I TRULY would be grateful for any and all help (God bless you).
Blondie (whose native language is German, hence please forgive any grammatical errors)
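Added example (not part of Blondie's post, and not HijackThis or Symantec code): a small Python triage of the HijackThis log format shown above. It pulls out the entries a malware-removal helper reads first: R0/R1 start and search pages that point at a host outside a known-good list, O4 autorun entries, O9/O16 entries that reference a missing file or a download host outside that list, and O20 Winlogon Notify DLLs. The TRUSTED_HOSTS set is an assumption for this example, and the sample lines are copied from the log above plus one constructed hijacked start page at hijacked.example.

```python
"""Triage a HijackThis 2.x log: pull out the entries a helper reads first.

Added example, not part of the original thread. The sample log lines are
copied from the post above plus one constructed hijacked start page.
"""
import re
from urllib.parse import urlparse

# Assumption for this example: hosts whose start/search pages and ActiveX
# (DPF) downloads are expected on a Dell XP machine with Microsoft defaults.
TRUSTED_HOSTS = {"support.dell.com", "go.microsoft.com", "update.microsoft.com"}

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://support.dell.com/support/index.aspx?c=us&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacked.example/start.html
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160695144578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://[^\s\"]+")


def parse_entries(text):
    """Return (kind, body) tuples for every 'Rn - ...' / 'On - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def url_host(body):
    """Host of the first URL in an entry, lower-cased, or None."""
    m = URL_RE.search(body)
    return urlparse(m.group(0)).hostname.lower() if m else None


def triage(text):
    """Return (finding, kind, detail) tuples in log order."""
    findings = []
    for kind, body in parse_entries(text):
        if kind in ("R0", "R1"):            # IE start / search page settings
            host = url_host(body)
            if host and host not in TRUSTED_HOSTS:
                findings.append(("start-page-hijack", kind, host))
        elif kind == "O4":                  # registry Run keys (autostart)
            findings.append(("autorun", kind, body.split("]")[0].split("[")[-1]))
        elif kind == "O16":                 # ActiveX controls downloaded by IE
            host = url_host(body)
            if host and host not in TRUSTED_HOSTS:
                findings.append(("activex-download", kind, host))
        elif kind == "O20":                 # DLLs loaded by Winlogon at logon
            findings.append(("winlogon-notify", kind, body.split(" - ")[-1]))
        if body.endswith("(file missing)"):  # dangling reference, safe to clean
            path = body.split(" - ")[-1].replace(" (file missing)", "")
            findings.append(("dead-reference", kind, path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

On the real log above, a start page on support.dell.com and search URLs on go.microsoft.com pass the allowlist, so the script would report only the autorun, Winlogon Notify and missing-file entries; the script reports and never edits the registry.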


TB1RedShoe
February 25th, 2008 20:00
"Guten Abend,"
Well, when you have a broken left foot (and a slipped spinal disc + pinched nerve) you're not going anywhere, hence I read some more threads on these great boards of yours.
I read that ComboFix can also be of good use, hence I downloaded the software and ran it. Here is the log...
ComboFix 08-02-25.3 - Blondie 2008-02-25 14:29:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.203 [GMT -5:00]
Running from: C:\Documents and Settings\Blondie.DARTHVADER.000\My Documents\My Pictures\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\BHO
C:\Program Files\newdotnet
C:\Program Files\newdotnet\readme.html
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\rMa17yy
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S6
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\win
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z2
.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.
2008-02-25 10:14 . 2008-02-25 10:14
2008-02-25 10:14 . 2008-02-25 10:14
2008-02-25 10:14 . 2008-02-25 10:14
2008-02-25 04:06 . 2008-02-25 07:41 2,148 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 19:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-25 18:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-23 21:15 --------- d-----w C:\Program Files\QuickTime
2008-01-18 08:13 230 ----a-w C:\vrqtoolSREnable.reg
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2008-01-10 23:43 --------- d-----w C:\Program Files\Dell AIO Printer A920
2008-01-10 23:38 --------- d-----w C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-01-10 23:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 23:34 --------- d-----w C:\Program Files\FaxTools
2008-01-10 23:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-01-10 23:32 --------- d-----w C:\Program Files\Dell A920
2008-01-10 21:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2007-12-24 03:07 61,224 ----a-w C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2007-12-23 21:18 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-12-23 18:31 514 ----a-w C:\SymTechDec07.reg
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
2007-12-14 22:09 164 ----a-w C:\install.dat
2007-12-08 05:21 3,592,192 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-12-06 04:59 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\SYSTEM32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\oleaut32.dll
2007-06-22 21:41 6,369 --sha-w C:\WINDOWS\SYSTEM32\gjkmp.bak1
2007-06-23 00:13 6,627 --sh--w C:\WINDOWS\SYSTEM32\gjkmp.ini2
2007-08-07 20:03 6,421 --sh--w C:\WINDOWS\SYSTEM32\lnnmp.bak1
2007-08-06 19:36 6,447 --sh--w C:\WINDOWS\SYSTEM32\qrqss.bak1
2007-08-07 00:03 6,517 --sh--w C:\WINDOWS\SYSTEM32\qrqss.ini2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 15:52 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40 5367608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2008-01-10 16:11 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
--a------ 2004-04-15 03:32 270336 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-19 11:06 110592 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-08-24 23:53 714608 C:\Program Files\Norton Internet Security\osCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2007-10-01 16:40 5367608 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-05 18:42 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
--a------ 2006-02-09 19:52 331776 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"RetroWDSvc"=2 (0x2)
"Retrospect Helper"=2 (0x2)
"RetroLauncher"=2 (0x2)
"LexBceS"=2 (0x2)
"DSBrokerService"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2008-01-31 13:15]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 krdpdre;krdpdre;C:\DOCUME~1\MICKEY~1\LOCALS~1\Temp\krdpdre.sys []
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-19 01:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - CedricS.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2007-12-22 03:37:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Blondie.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-19 01:00:26 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Mickey C.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-25 11:08:23 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BF28DA98-58CB-4F5B-9041-C1EE45D11C23}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 14:48:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
So, is this the point where I say "Help me, Obi-Wan Kenobi...you're my only hope"?
Blondie
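Added example, not part of Blondie's post and not ComboFix's own code: a Python pass over two parts of a ComboFix log like the one above. The Find3M report tags each file with an attribute field, and plain files that are both system and hidden (the `--sh--w` gjkmp/lnnmp/qrqss entries in SYSTEM32 above) are the kind a reviewer wants listed; the firewall-policy registry section shows whether the Windows Firewall standard profile is enabled (`"EnableFirewall"= 0` above) and which ports are open to all callers (the Red Swoosh entries). The sample text is a trimmed copy of the log above; the attribute-field layout used for the parsing is an assumption.

```python
"""Pick out the review-worthy parts of a ComboFix log.

Added example, not part of the thread and not ComboFix's own code. The
sample below is a trimmed copy of the Find3M and firewall-policy sections
of the log posted above; parsing assumptions are noted in comments.
"""
import re

SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 19:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-10 23:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-22 21:41 6,369 --sha-w C:\WINDOWS\SYSTEM32\gjkmp.bak1
2007-06-23 00:13 6,627 --sh--w C:\WINDOWS\SYSTEM32\gjkmp.ini2
2007-08-07 20:03 6,421 --sh--w C:\WINDOWS\SYSTEM32\lnnmp.bak1
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"""

# Find3M line: date, time, size (dashes for a directory), a 7-character
# attribute field (assumed layout: d r s h a ? w, '-' when clear), then path.
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S{7}) (.+)$")
# Globally open port value, e.g. "9420:TCP"= 9420:TCP:Red Swoosh
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.+)$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')


def hidden_system_files(text):
    """Paths of plain files carrying both the system and hidden attributes."""
    found = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group(4), m.group(5)
        is_dir = attrs[0] == "d"
        if not is_dir and attrs[2] == "s" and attrs[3] == "h":
            found.append(path)
    return found


def firewall_findings(text):
    """Windows Firewall state and globally open ports of the standard profile."""
    result = {"enabled": None, "open_ports": []}
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # REGEDIT4-style key header
            section = line[1:-1].lower()
            continue
        if section.endswith(r"firewallpolicy\standardprofile"):
            m = FIREWALL_RE.match(line)
            if m:
                result["enabled"] = m.group(1) != "0"
        elif section.endswith(r"globallyopenports\list"):
            m = PORT_RE.match(line)
            if m:
                result["open_ports"].append((m.group(1), m.group(2), m.group(3).strip()))
    return result


if __name__ == "__main__":
    print("system+hidden files:", hidden_system_files(SAMPLE_COMBOFIX))
    print("firewall:", firewall_findings(SAMPLE_COMBOFIX))
```

This reads a saved log only; it runs no cleaning tool and changes nothing on the machine, which keeps it in line with the advice in this thread to run ComboFix only under a helper's direction.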
TB1RedShoe
February 25th, 2008 20:00
Hello "Good People,"
So, I've had a little time to read through some of the threads here on this board (although I'm still sick to my stomach with worry over the Trojan.StartPage issue and the damage it may be causing to my computer [not to mention identity theft]) and am hopeful that someone can help me.
I read a suggestion regarding Malwarebytes' Anti-Malware (since a Trojan.StartPage is malware, I thought I'd give it a try). I downloaded the software and ran it. It found 7 infected files and folders on my hard drive (alas there STILL are remnants of the 2 Trojan.StartPages on my computer).
Here's the log...
Malwarebytes' Anti-Malware 1.05
Database version: 403
Scan type: Full Scan (C:\|)
Objects scanned: 141353
Time elapsed: 59 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\intelvideodivx.intelvideocodec (Rogue.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{33a12beb-3219-4ca8-99b4-733192704c62} (Rogue.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{33a12beb-3219-4ca8-99b4-733192704c62} (Rogue.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8388594e-d5c0-4933-a977-867d32d8ff19} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{eaeddca3-3989-4ff4-a773-3ac188c70a16} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ultra soft (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\IntelVideoDivX.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpdx (Rootkit.Rustock) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e9bd0828-1fd9-410c-a50f-43ebe65d310f} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\SYSTEM32\f02WtR (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\ISM2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\A1 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\SYSTEM32\IntelVideoDivX.dll (Rogue.Adware) -> Quarantined and deleted successfully.
C:\Program Files\ISM2\dictionary.gz (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\ISM2\targets.gz (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\INF\ultra.inf (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\INF\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wr.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\d.exe (Malware.Trace) -> Quarantined and deleted successfully.
I went into the Quarantine tab and deleted all files there, yet there are still traces of the 2 Trojan.StartPages on my computer.
Blondie
Bugbatter
4 Apprentice
20.5K Posts
February 25th, 2008 20:00
From one blondie to another, I will say that I'm not sure where to begin because I cannot tell exactly what Symantec did and you should not be using Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer: http://img.photobucket.com/albums/v666/sUBs/NewDisclaimer.gif
Therefore, we can try to continue where ComboFix left off, but I cannot guarantee that I can find all remnants of the infection due to the fact that there were so many attempts at different fixes.
I will work on writing some script for ComboFix for you, but it is suggested that you install the Recovery Console. I'm surprised Symantec did not have you do that. Please print these instructions and refer to the steps for installing the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
After you have done that, please reply so we can continue cleaning.
Bugbatter
February 26th, 2008 02:00
That is downright spooky! How can you see me? Or maybe you are psychic?
Let's do it this way:
Delete ComboFix from here: C:\Documents and Settings\Blondie.DARTHVADER.000\My Documents\My Pictures\ComboFix.exe
Download a fresh copy from the link provided in the instructions at Bleeping Computer. Please follow those instructions for running ComboFix again. Following that, post your NEW ComboFix log with a fresh HijackThis log.
Then we will be on the right track for the next steps. :)
Edit: Don't forget to disable SpySweeper and anti-virus before running ComboFix.
To disable SpySweeper:
Open it, click >Options over to the left, then >program options, >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.
TB1RedShoe
February 26th, 2008 02:00
"Gute Nacht,"
Well, for starters, THANK YOU VERY MUCH for responding!
Maybe it's somewhat difficult for you to appreciate my position (as you can write code and I cannot...I'm more of the plug-n-play person who lately relies on remote assistance to have problems fixed). I have, until this past New Year's, also been rather lucky in dodging viruses (alas now I find myself under constant bombardment, and overwhelmed, due to downloaders built into websites).
So, that having been said, THANK YOU EVER SO MUCH for giving this a try. I apologize for the many software remedies I tried (I panicked...and I blame the painkillers...which I take for my injuries...lest you think I'm a junkie...or is that simply an easy excuse for a naive, young, WASP, female...I mean the luddite thing?). Alas I didn't even install the ComboFix in the right place (the default on this account is My Pictures...did I screw this up even worse?), hence my e-mailing you already.
Lest I proceed and make more mistakes...
Should I uninstall ComboFix and re-install it in the right place (Windows Desktop)? Or move the icon from My Pictures to Windows Desktop (cut-and-paste)? Sorry, you must be slapping yourself on your forehead right about now (on the upside...I DO NOT use whiteout on the monitor screen).
I have, however, managed to print out the ComboFix Guide without screwing that up!
So, once again, thank you for taking the time to respond (and for trying to spread some good cheer...I sure could use some right about now).
I hope this message finds you in better shape than I'm in.
Hugs & Kisses,
Blondie
TB1RedShoe
February 26th, 2008 04:00
Good Morning (once again),
Well, it appears the recycle bin is now empty and Start/Search/combofix & Start/Run/combofix also come up empty, hence is it now safe to assume that it's gone in its entirety and that it is NOW also safe for me to download a new version of ComboFix from the Net (this time following the instructions verbatim and downloading directly to the Windows Desktop)?
From the Germanic Luddite (they'd never let me live this down back home...what with our reputation for perfection & precision...the Germans that is) LOL
Blondie
TB1RedShoe
February 26th, 2008 04:00
Good Morning,
So, I see I'm not the only insomniac on this board (my excuse for being awake at this hour is the excruciating pain I'm in).
Well, for your amusement, I even managed to screw up deleting the ComboFix (which just goes to say that there really is such a condition as being TOO blonde and blue-eyed). Doped up on the painkillers I entered "C:\Documents and Settings\Blondie.DARTHVADER.000\My Documents\My Pictures\ComboFix.exe" under Search and right-clicked and deleted it (Did I mention German was my FIRST language?). So, now the ComboFix is in the recycle bin and won't allow me to delete it ("empty recycle bin" is no longer in bold).
I swear...I did NOT drink out of the same cup as the village idiot!
I am, because of my medical/financial situation, down to my last nerve which, as you might guess, is raw and exposed, and, as such, for the life of me I cannot remember (coherently) how to go about finding "C:\Documents and Settings\Blondie.DARTHVADER.000\My Documents\My Pictures\ComboFix.exe" (normally I just right-click the icon and choose delete or I do the Add/Remove Programs thing). Now the mature thing would have been for me to have admitted as much (regardless of how embarrassing it might have seemed at the time).
Am I proving to be TOO blonde for You? I assure you this is not a bad prank (and no...no one makes me wear a helmet either). I am sadly becoming ever the more insecure (or maybe I'm just now realizing how much luck I've had these last few years when it comes to Computers and viruses...and my avoiding them).
Thank you for bearing with me (I promise, solemnly, that I shall NOT screw up downloading ComboFix...once I get to it...still have to figure out how to delete the version in the recycle bin first).
Please feel free to have a good laugh (you have my express permission).
Blondie (who, at this rate, seems to be becoming her own worst enemy)
TB1RedShoe
51 Posts
0
February 26th, 2008 06:00
Good Morning (once more),
Well, as I'm off to bed...I noticed that my Norton Internet Security 2008 is acting oddly. There usually are around 205,000 files on the harddrive, yet in the last few days the scan results come back as a maximum of 145,545. Can this be related to the Trojan.StartPage?
Oh, and by the way, thank you for your tip on how to disable Webroot SpySweeper.
I hope you have a great Day! :o)~
Blondie
Bugbatter
4 Apprentice
20.5K Posts
0
February 26th, 2008 14:00
You may have to reinstall Norton if it continues to act weird. Unfortunately, it was Symantec's tech who was messing around with that, and I have no idea what he did.
I'm looking forward to seeing your latest logs from Combofix and HijackThis.
TB1RedShoe
51 Posts
0
February 26th, 2008 20:00
Hello "My Prince" (or so it goes in fairytales when a girl kisses a frog),
So, for a change, all is quiet on the Eastern front and, following a few hours of sleep/rest, "Yours Truly" feels (emotionally) MUCH better!
Yes, sadly, Norton Internet Security 2008 is a headache compared to its previous versions (the previous four never caused any problems and worked admirably). Alas it took 4 technicians in India (Symantec/Norton Tech Dept.) to install NIS over the course of 3 days (I kid you not) via remote control. Thereafter, after it was "successfully" installed, several other programs on my computer did not work (such as Internet Explorer and my printer).
Your best guess: do YOU think that a Trojan.StartPage CAN be the source of problems regarding the Norton program at this point (I'm only asking because I assume YOU have more experience with trojans than I do)? In either case, or so I hope, this, at least, is a service that Symantec offers for free (should I require their help in re-installing NIS 2008).
Speaking of re-installing and making changes to the computer, when can/should I undo the changes to the WebrootSpySweeper et al.?
So, as promised, I downloaded ComboFix and followed the instructions verbatim!
I do not recall which Windows disc was the right one (have dozens of these in the family's home office), hence I followed the instructions and downloaded a Win XP Home Edition Service Pack 2 file (directly onto the desktop). Thereafter I dragged it over the ComboFix icon with the cursor and let go. I got a pop-up (run or cancel) and chose run.
Then there was an auto-scan (took a few minutes, with a mini log for Recovery Console).
After waiting for that to be over I followed the instructions and double-clicked the desktop ComboFix icon and sat back while it did its magic. The ONLY odd thing I noticed is that it seemed to have skipped the "ComboFix Disclaimer" and the "ComboFix is backing up the Windows Registry" (I swear I followed the instructions verbatim and double-checked along every step and did not touch the keyboard or mouse once ComboFix was working). So, is this a not so good sign?
Here, by the way, is the ComboFix log...
ComboFix 08-02-25.3 - Blondie 2008-02-26 16:43:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.232 [GMT -5:00]
Running from: C:\Documents and Settings\Blondie.DARTHVADER.000\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.
2008-02-25 15:15 . 2008-02-25 15:15
2008-02-25 10:14 . 2008-02-25 10:14
2008-02-25 10:14 . 2008-02-25 10:14
2008-02-25 10:14 . 2008-02-25 10:14
2008-02-25 04:06 . 2008-02-26 16:49 2,148 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-26 20:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-26 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-23 21:15 --------- d-----w C:\Program Files\QuickTime
2008-01-18 08:13 230 ----a-w C:\vrqtoolSREnable.reg
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-10 23:43 --------- d-----w C:\Program Files\Dell AIO Printer A920
2008-01-10 23:38 --------- d-----w C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-01-10 23:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 23:34 --------- d-----w C:\Program Files\FaxTools
2008-01-10 23:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-01-10 23:32 --------- d-----w C:\Program Files\Dell A920
2008-01-10 21:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2007-12-24 03:07 61,224 ----a-w C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2007-12-23 18:31 514 ----a-w C:\SymTechDec07.reg
2007-12-14 22:09 164 ----a-w C:\install.dat
2007-06-22 21:41 6,369 --sha-w C:\WINDOWS\SYSTEM32\gjkmp.bak1
2007-06-23 00:13 6,627 --sh--w C:\WINDOWS\SYSTEM32\gjkmp.ini2
2007-08-07 20:03 6,421 --sh--w C:\WINDOWS\SYSTEM32\lnnmp.bak1
2007-08-06 19:36 6,447 --sh--w C:\WINDOWS\SYSTEM32\qrqss.bak1
2007-08-07 00:03 6,517 --sh--w C:\WINDOWS\SYSTEM32\qrqss.ini2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 15:52 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2008-01-10 16:11 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
--a------ 2004-04-15 03:32 270336 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-19 11:06 110592 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-08-24 23:53 714608 C:\Program Files\Norton Internet Security\osCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2007-10-01 16:40 5367608 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-05 18:42 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
--a------ 2006-02-09 19:52 331776 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"RetroWDSvc"=2 (0x2)
"Retrospect Helper"=2 (0x2)
"RetroLauncher"=2 (0x2)
"LexBceS"=2 (0x2)
"DSBrokerService"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2008-01-31 13:15]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 krdpdre;krdpdre;C:\DOCUME~1\MICKEY~1\LOCALS~1\Temp\krdpdre.sys []
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-26 01:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - CedricS.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2007-12-22 03:37:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Blondie.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-26 01:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Mickey C.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-26 21:54:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BF28DA98-58CB-4F5B-9041-C1EE45D11C23}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 16:50:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2008-02-26 16:54:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 21:54:43
.
2008-02-14 01:37:17 --- E O F ---
So, the ONLY other thing I can think of right now, and I don't know whether or not it's relevant, is that this is a "family" computer (three accounts, yet only two people use it). Since I didn't pay for it originally, the "Head of the Household," my host family's father, registered it (and all software) in his name, hence his name appears in full on the logs (I substituted his name for "Blondie" as I have a feeling he would not care to have his actual name in full all over the internet in this day and age of identity theft). Is that okay with you?
I hope you've had a great day & a good evening,
Blondie
TB1RedShoe
51 Posts
0
February 26th, 2008 21:00
Good Evening,
Well, here is, as requested, the latest HijackThis log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:55, on 2008-02-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellcommunity.com/supportforums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {1A9062A7-5B71-4239-8777-005703385CF0} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1A9062A7-5B71-4239-8777-005703385CF0} - C:\WINDOWS\System32\intlmain.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160695144578
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 6251 bytes
Ciao Bello,
Blondie
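The HijackThis log above is what a helper reads to see whether a start-page hijacker is still active: the R0/R1 lines hold Internet Explorer's Start Page, Default_Page_URL and Search Page values, and Trojan.StartPage is named for rewriting exactly those. The check below is an added example, not part of this thread and not HijackThis's own code. It parses R0/R1 lines, resolves each URL's host and flags any value that points away from Microsoft's stock fwlink defaults unless the reader has declared that host as a deliberate user choice (as the Dell forum start page is here). The sample log is constructed: the first five lines mirror the thread's log, the last is an invented hijacked Search Bar entry on a `.invalid` host so the check has something to catch.

```python
"""Flag Internet Explorer start/search page hijacks in HijackThis R0/R1 lines.

Added example; not part of the forum thread and not HijackThis's own code.
The sample log is constructed: five lines mirror the thread's log, the last
one is an invented hijacked entry (host under the reserved .invalid TLD).
"""
import re
from urllib.parse import urlparse

# R0/R1 lines look like:
#   R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://...
R_LINE = re.compile(
    r"^(?P<kind>R[01]) - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>\S+)$"
)

# Hosts IE 7 points at out of the box (the go.microsoft.com fwlink defaults
# appear in the thread's own log; the other two are assumed stock values).
DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellcommunity.com/supportforums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example-hijack.invalid/ie?q=
"""


def parse_r_entries(log_text):
    """Return one dict per R0/R1 line with hive, key, value name, url and host."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["value"] = entry["value"].strip()
            entry["host"] = (urlparse(entry["url"]).hostname or "").lower()
            entries.append(entry)
    return entries


def classify(entry, user_chosen_hosts=frozenset()):
    """'default' for stock Microsoft values, 'user-set' for a declared per-user
    Start Page choice, 'suspicious' for anything else (hijack indicator)."""
    if entry["host"] in DEFAULT_HOSTS:
        return "default"
    # A person may legitimately set their own HKCU Start Page; a search URL or a
    # machine-wide (HKLM) value pointing elsewhere is not something a user clicks.
    if (entry["hive"] == "HKCU" and entry["value"] == "Start Page"
            and entry["host"] in user_chosen_hosts):
        return "user-set"
    return "suspicious"


def find_suspicious(log_text, user_chosen_hosts=frozenset()):
    """Entries a helper would ask about before telling HijackThis to fix them."""
    return [e for e in parse_r_entries(log_text)
            if classify(e, user_chosen_hosts) == "suspicious"]


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG, {"www.dellcommunity.com"}):
        print(f"{e['kind']} {e['hive']} {e['value']!r} -> {e['host']}")
```

Run without the `user_chosen_hosts` set and the Dell forum Start Page is reported too, which is the right default for a helper who does not yet know what the owner set on purpose; declaring the host narrows the report to the injected search entry.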
TB1RedShoe
51 Posts
0
February 26th, 2008 22:00
Good Evening (again),
Hmmm, so I've given it some thought as to what kind of damage the 2 Trojan.StartPage viruses may be causing to my computer...
As this, alas, is something which keeps me awake at night...I went ahead and checked the NIS 2008 "Security History" (specifically everything that took place after the 2 Trojan.StartPage viruses were detected, yet not removed).
Some of the threats I was able to take care of myself, or with the help of the NIS software, yet there still seems to be a "xrun" on the computer. Program Path = c:\Documents and Settings\Mickey C\Local Settings\Temp (the rest is cut off). Norton classifies it as high risk and the log lists it as "blocked" (apparently it wanted to talk to another remote computer...68.87.73.242,53). It also says Outbound UDP, 53 (under "Traffic Description").
I make a point of deleting my temp and prefetch files every day, yet could this (best guess) be a lingering threat?
Then I also noticed a change in the Firewall rules for Microsoft HTML Application Host. Program Path = c:\WINDOWS\SYSTEM32\mshta.exe. Default/Action taken = Automatically create rules. Status = Protected.
What seems odd to me is that this too was trying to connect with 68.87.73.242,53. It also says Outbound UDP, 53.
Then I also noticed that NIS 2008 Auto-Protect detected AVSystemCare. Norton says it was blocked (although under "file name" it says c:\documents and settings\mickey c\loc...\install_en[1].cab).
AVSystemCare also did a "Statistical Submission" (same day, same time), yet there has not, to the best of my knowledge, been a pop-up/install wizard (nor have I received a ransom notice).
I deleted an xpre.exe file.
Okay, now I'm really confused...
I found a log entry for Symantec SSRC Support Component (status = Allowed). c:\Program Files\Symantec Shared\Support Controls\ssrc.exe (what concerns me is that it lists the exact same remote computer 68.87.73.242,53). It accessed network resources.
Then there was another Firewall rule change for Microsoft Internet Explorer (status = Protected). c:\Program Files\Internet Explorer\ieexplore.exe. Action/Default Action = Learn application. Remote computer was 216.10.195.7,653
(followed by the message that Microsoft Internet Explorer was allowed to communicate with above number).
Everything else seems legitimate (ComboFix, Malwarebytes Anti-Malware, HijackThis, etc.).
So, I hope I'm not overtasking you here (I seem to recall that expression "Knowledge is power").
Blondie
Bugbatter
4 Apprentice
20.5K Posts
0
February 27th, 2008 00:00
Perhaps that is why you have had that "lingering" file that you keep deleting.
I doubt that Trojan.StartPage is the source of your problems. You had remnants of another infection on there from a while ago. It could be that Norton just decided to find it though. Perhaps because of definitions in a recent update?
mshta.exe is used by the Windows operating system and is required to open .hta files. When an HTA file is accessed on the Web, it typically produces a dialog box that says:
"What would you like to do with this file?"
[ ] Run this program from its current location
[ ] Save this program to disk
It must have been something that you downloaded/updated etc. and were given that choice. It is a protected file because it is a system file.
I see that you have been to Housecall to do an online scan. Perhaps that's where the remote server was. It makes sense that Norton wouldn't like it if your realtime scanner was enabled at the same time you were doing an online scan.
Open Notepad and copy/paste the following text between the dotted lines. Do not copy the lines.
** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces. It will copy correctly to Notepad if you highlight and copy as is.
------------------------------------------------------------------------
File::
C:\WINDOWS\SYSTEM32\gjkmp.bak1
C:\WINDOWS\SYSTEM32\gjkmp.ini2
C:\WINDOWS\SYSTEM32\lnnmp.bak1
C:\WINDOWS\SYSTEM32\qrqss.bak1
C:\WINDOWS\SYSTEM32\qrqss.ini2
-----------------------------------------------------------------------
Save this as CFScript.txt
Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again. Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.
When finished, a log is produced here: C:\ComboFix.txt
Download and scan each user profile with CCleaner:
http://www.ccleaner.com/download/builds
** Select to download the SLIM version.
**Because CCleaner removes everything in temp folders, if you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner.
1. Before first use, select Options > Advanced and UNCHECK
"Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.
In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies (if you want to keep those).
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.
In the Applications Tab:
• Clean all except cookies (if you want to keep those) in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.
3. Click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.
REBOOT.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.
Updating Java:
Official JAVA Installation Instructions if needed.
In your next reply, please post the latest ComboFix log along with a new HijackThis log. Let me know how things are running.
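The CFScript in the reply above was built by reading the earlier ComboFix log's "Find3M Report" and picking out the five files sitting directly in SYSTEM32 with system+hidden attributes and extensions (`.bak1`, `.ini2`) that no legitimate system component uses. The script below is an added example, not part of this thread and not ComboFix's own code: it parses Find3M lines, applies that same rule, and emits a `File::` block in the CFScript format shown above. The reading of the attribute column (`d` directory, `s` system, `h` hidden, `a` archive) is an assumption taken from the flags visible in the thread's log. The sample report is constructed from lines of the thread's log plus one benign hidden file placed in a subfolder (`config\legit.sav`, invented) to show that the rule ignores it.

```python
"""Pick system+hidden oddities out of a ComboFix 'Find3M Report' and build a CFScript.

Added example; not part of the forum thread and not ComboFix's own code. Only
the File:: directive is emitted, exactly as in the helper's reply. Attribute
letters are read as: d=directory, s=system, h=hidden, a=archive (assumed from
the flags seen in the thread's log). The sample report is constructed.
"""
import ntpath
import re

# A Find3M line: date, time, size (or dashes for a directory), 7-char attrs, path.
FIND3M_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)

# Extensions you expect to find directly in SYSTEM32; a system+hidden file with
# any other extension there is what the helper pulled into the CFScript.
NORMAL_EXT = {".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl", ".dat", ".log", ".ini"}

SYSTEM32 = "c:\\windows\\system32\\"

SAMPLE_FIND3M = r"""
2008-02-23 21:15 --------- d-----w C:\Program Files\QuickTime
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-06-22 21:41 6,369 --sha-w C:\WINDOWS\SYSTEM32\gjkmp.bak1
2007-06-23 00:13 6,627 --sh--w C:\WINDOWS\SYSTEM32\gjkmp.ini2
2007-08-07 20:03 6,421 --sh--w C:\WINDOWS\SYSTEM32\lnnmp.bak1
2007-08-06 19:36 6,447 --sh--w C:\WINDOWS\SYSTEM32\qrqss.bak1
2007-08-07 00:03 6,517 --sh--w C:\WINDOWS\SYSTEM32\qrqss.ini2
2008-01-12 23:32 1,024 --sh--w C:\WINDOWS\SYSTEM32\config\legit.sav
"""


def parse_find3m(text):
    """Return one dict per parsable Find3M line (directories included)."""
    rows = []
    for line in text.splitlines():
        m = FIND3M_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_suspect(row):
    """True for a file (not a directory) directly under SYSTEM32 that is both
    system and hidden and carries an extension not normally seen there."""
    attrs = row["attrs"]
    if attrs[0] == "d":
        return False
    low = row["path"].lower()
    # Must be directly inside SYSTEM32, not in a subfolder such as drivers\ or config\.
    if not low.startswith(SYSTEM32) or "\\" in low[len(SYSTEM32):]:
        return False
    hidden_system = "s" in attrs and "h" in attrs
    ext = ntpath.splitext(low)[1]
    return hidden_system and ext not in NORMAL_EXT


def suspect_paths(rows):
    return [r["path"] for r in rows if is_suspect(r)]


def build_cfscript(rows):
    """CFScript text using the File:: directive; empty string when nothing is flagged."""
    paths = suspect_paths(rows)
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_find3m(SAMPLE_FIND3M)), end="")
```

The rule is deliberately narrow (location, attributes and extension must all line up) so that it reproduces what the helper chose by hand; anything the rule leaves out, such as the hidden `legit.sav` in a subfolder, still deserves a look by eye rather than automatic deletion.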
TB1RedShoe
51 Posts
0
February 27th, 2008 03:00
Howdy! (Can YOU tell I'm feeling better?)
So, once again, thank you ever so much for responding (and SO promptly) as well as for your script & answers to my questions. I TRULY appreciate the time & effort YOU are putting into this.
I followed your instructions regarding the Notepad copy/paste (and noticed it produced the "missing" ComboFix step I brought up). Thank you for remembering & your script.
Well, here is my latest ComboFix log...
ComboFix 08-02-25.3 - Blondie 2008-02-26 23:29:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.241 [GMT -5:00]
Running from: C:\Documents and Settings\Blondie.DARTHVADER.000\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Blondie.DARTHVADER.000\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\SYSTEM32\gjkmp.bak1
C:\WINDOWS\SYSTEM32\gjkmp.ini2
C:\WINDOWS\SYSTEM32\lnnmp.bak1
C:\WINDOWS\SYSTEM32\qrqss.bak1
C:\WINDOWS\SYSTEM32\qrqss.ini2
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\SYSTEM32\gjkmp.bak1
C:\WINDOWS\SYSTEM32\gjkmp.ini2
C:\WINDOWS\SYSTEM32\lnnmp.bak1
C:\WINDOWS\SYSTEM32\qrqss.bak1
C:\WINDOWS\SYSTEM32\qrqss.ini2
.
((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.
2008-02-25 15:15 . 2008-02-25 15:15
2008-02-25 10:14 . 2008-02-25 10:14
2008-02-25 10:14 . 2008-02-25 10:14
2008-02-25 10:14 . 2008-02-25 10:14
2008-02-25 04:06 . 2008-02-26 23:35 2,148 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 01:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-27 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-23 21:15 --------- d-----w C:\Program Files\QuickTime
2008-01-18 08:13 230 ----a-w C:\vrqtoolSREnable.reg
2008-01-15 14:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 10:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-12 23:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-10 23:43 --------- d-----w C:\Program Files\Dell AIO Printer A920
2008-01-10 23:38 --------- d-----w C:\Program Files\ABBYY FineReader 5.0 Sprint
2008-01-10 23:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 23:34 --------- d-----w C:\Program Files\FaxTools
2008-01-10 23:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-01-10 23:32 --------- d-----w C:\Program Files\Dell A920
2008-01-10 21:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2007-12-24 03:07 61,224 ----a-w C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
2007-12-23 18:31 514 ----a-w C:\SymTechDec07.reg
2007-12-14 22:09 164 ----a-w C:\install.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 22:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 15:52 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 22:51 316784]
[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 13:15 51048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2008-01-10 16:11 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
--a------ 2004-04-15 03:32 270336 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-03-15 01:04 122933 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 11:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 20:12 221184 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-19 11:06 110592 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-08-24 23:53 714608 C:\Program Files\Norton Internet Security\osCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 20:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2007-10-01 16:40 5367608 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-10-05 18:42 185784 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
--a------ 2006-02-09 19:52 331776 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"RetroWDSvc"=2 (0x2)
"Retrospect Helper"=2 (0x2)
"RetroLauncher"=2 (0x2)
"LexBceS"=2 (0x2)
"DSBrokerService"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" [2008-01-31 13:15]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 18:32]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 krdpdre;krdpdre;C:\DOCUME~1\MICKEY~1\LOCALS~1\Temp\krdpdre.sys []
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" [2008-01-29 16:09]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-02-26 01:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - CedricS.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2007-12-22 03:37:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Blondie.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-26 01:00:00 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Mickey C.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-27 04:39:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{BF28DA98-58CB-4F5B-9041-C1EE45D11C23}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-26 23:35:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2008-02-26 23:39:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-27 04:39:17
ComboFix2.txt 2008-02-26 21:54:48
.
2008-02-14 01:37:17 --- E O F ---
So, that having been said, I'm on to the next step (downloading CCleaner & running it on all 3 user accounts on this computer).
Once again thank you,
Blondie
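A quick triage pass over the "Reg Loading Points" and service listing in the ComboFix output above, as an added example that is not part of the thread and not ComboFix's own code. It reads a handful of lines excerpted from the log (embedded as a constructed sample) and flags the things a responder checks first: a service or driver whose image lives in a user-writable folder (krdpdre.sys in a Temp directory), entries ComboFix recorded no size/date for (an empty `[]`), the Windows Firewall switched off (`"EnableFirewall"= 0`), globally open inbound ports, and any Run-key autorun starting from a Temp or profile folder. The choice of which directories count as user-writable and the severity assigned to each finding are my assumptions, not anything the tool or the forum helpers state.

```python
"""Triage helper for a ComboFix 'Reg Loading Points' / service listing.

Added example: heuristics and severities are the editor's assumptions,
not ComboFix's own logic.
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-09 19:27]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
S3 krdpdre;krdpdre;C:\DOCUME~1\MICKEY~1\LOCALS~1\Temp\krdpdre.sys []
*Newly Created Service* - COMHOST
"""

# "R3 name;display;image [date time size]"; the [] is empty when the file could not be stat'ed
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[([^\]]*)\]\s*$')
# "Name"="C:\path\file.exe" [date time size]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[([^\]]*)\]$')
# Directories an unprivileged user (or a drive-by download) can write to (assumed list).
USER_WRITABLE_RE = re.compile(
    r'\\(temp|tmp|LOCALS~1|DOCUME~1|Documents and Settings|Application Data)\\', re.I)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def analyze(text: str) -> list:
    """Return a list of Findings for a ComboFix registry/service listing."""
    findings = []
    key = ""  # registry key whose values are currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, image, stamp = m.groups()
            reasons = []
            if USER_WRITABLE_RE.search(image):
                reasons.append("image lives in a user-writable directory")
            if not stamp.strip():
                reasons.append("no size/date recorded (file missing or hidden)")
            if reasons:
                sev = "high" if USER_WRITABLE_RE.search(image) else "info"
                findings.append(Finding(sev, f"{state} {name}: " + "; ".join(reasons), line))
            continue
        if line.startswith("*Newly Created Service*"):
            findings.append(Finding("medium", "service created during the run; confirm it belongs to your AV tooling", line))
            continue
        if not line.startswith('"'):
            key = ""  # a non-value line ends the current key's value list
            continue
        if "firewallpolicy" in key:
            if "globallyopenports" in key and re.match(r'"\d+:(TCP|UDP)"', line):
                findings.append(Finding("medium", "inbound port opened in Windows Firewall", line))
            elif re.match(r'"EnableFirewall"\s*=\s*0\b', line):
                profile = key.rsplit("\\", 1)[-1]
                findings.append(Finding("high", f"Windows Firewall disabled for {profile}", line))
            continue
        if key.endswith("\\run"):
            m = RUN_RE.match(line)
            if m and USER_WRITABLE_RE.search(m.group(2)):
                findings.append(Finding("high", f"autorun {m.group(1)} starts from a user-writable directory", line))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'medium': 3, 'info': 1}."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

On the sample the script reports two high findings (the krdpdre driver in a Temp folder with no file stamp, and the firewall disabled for the standard profile), three medium ones (two open ports and the newly created COMHOST service) and one informational one (GoToAssist, whose image could not be stat'ed). A legitimate autorun such as MSMSGS under Program Files produces nothing, which is the point of scoping the path check to user-writable locations.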
TB1RedShoe
51 Posts
0
February 27th, 2008 04:00
Midnight Hour (usually also a good time to consume some good French wine...although, as per doctor's orders, not an option while on painkillers...not that I'm a lush),
So, I re-read some of your answers regarding what my NIS 2008 "Security History" log stated.
1.) I'll be sure to keep Webroot SpySweeper disabled (until you say otherwise), yet the lingering file I meant is/are rundll32.exe file(s) which I keep finding in my Prefetch folder (I delete my Temp/Prefetch folder daily, yet the rundll32.exe keeps coming back...if I wait longer than a day then they multiply and there's more than one of them).
I did not, alas, until recently realize that rundll32.exe is a virus (Trojan.StartPage). The ONLY advice I got from the Symantec Tech Dept. was to delete the Temp/Prefetch folder (I wish they had also mentioned to check for rundll32.exe...in which case I would have contacted them within the 30 day Premium Service period...as is I was over the top by a day or two...and Symantec sales said "Oh, that's too bad, but if you pay us another $99.95 we'll finish what we started"...which got me hopping mad).
2.) I have a "lingering" file in the Temp folder JET7AFC.tmp (TMP file 0 kb). This I cannot delete (no matter when/how I try...truly obnoxious). I pointed it out to the Symantec Tech during a remote control session, yet he said it was a harmless Win file.
Every time I try to delete it I get a pop-up that says it cannot be deleted (someone else may be using it...even though that's not the case).
3.) Regarding NIS 2008 definition update. Yes, I launch LiveUpdate daily, hence there may well be that possibility (that Norton did not initially recognize a threat and later did because of the update).
You mention remnants of a previous infection...yes, I had a vicious downloader Trojan (built into a website...Google hyperlink) around the end of last year. It managed to get past Norton (even though Auto-Protect said it had blocked it). Later, when I deleted my IE cookies/files/history, closed IE, ran SpySweeper, and ran NIS 2008, I ended up with massive amounts of e-mails that someone was trying to send from my computer onto the web, which were blocked (the hacker, author of the downloader Trojan, was trying to send information from my computer to anonymous e-mail addresses on the web...at least SpySweeper and NIS 2008 blocked that from happening, yet in the process it crippled my computer).
I, at that point, had no other choice than to contact Symantec (and in my naivety I thought they'd resolve this for free...I did pay $69.95 for NIS 2008 at BestBuy after all). Symantec, however, informed me that, now that the virus was in the registry, this would require their Premium Service ($99.95 for 30 days + Satisfaction/Money back guarantee). Well, you know how that ended...
4.) The "Authorizations" (mshta.exe), in all likelihood, is the result of doing remote assistance with either Symantec or Dell. Symantec for the virus removal and Dell to clean up after Symantec Tech Dept. (there usually are several programs that don't work after changes were made...or hardware...as was the case with my printer...Dell, at least, provides this service free of charge...which is why I will continue to be a loyal customer of theirs).
5.) The Housecall, if I remember this correctly, was a result of trying to install NIS 2008 in the first place (or I should say the suggestion of a Symantec tech who blamed the install problem on an existing virus on my harddrive...which, however, was NOT the case).
I never had a problem with the previous 4 versions, yet I couldn't "successfully" install NIS 2008 (and have it in perfect working order). Install/re-install didn't change anything either. I called Symantec (this they, at least, did for free) and told them of the problem...at first they thought I goofed up somehow, yet it took 4 of their Technicians, via remote assistance, 3 days to finally install it and have it in perfect working order (afterwards I had to turn to Dell to fix some of the damage they had caused in the process).
So, all that having been said, I'm now on to installing CCleaner and running it on all three user accounts on this computer.
Good Night & Sweet Dreams,
Blondie