
HJT - SPDDVM


23 replies to this topic

#1 spddvm (Members, 17 posts)

Posted 27 February 2005 - 06:26 PM

My Win 98SE machine is infected with the Trojan program that hijacks IE to the About Blank page - I think it is called StartPage DU and also is associated with CoolWebSearch. This occurred despite the fact that I run SpyBot Search and Destroy as well as McAfee anti-virus. I have figured out (via the internet) how to remove individual instances of the infection (CWShredder works well for that purpose) but the Trojan reloads every time the computer is rebooted. Based on the noise the computer makes I think this occurs when I start IE. Some detailed instructions about how to remove this infection were posted by SClyde at the BullGuard.com Forum but I was reluctant to make changes to the Win registry without further advice. Below is a Hijack This log from the infected machine. I suspect a number of these entries but wanted some professional guidance before removing anything. I do not have a disk to boot the computer from if anything major goes wrong with the operating system. Thanks for any help you can provide.
SPDDVM
==================
Logfile of HijackThis v1.99.1
Scan saved at 1:45:57 PM, on 2/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DVZCOMMON\DVZMSGR.EXE
C:\PROGRAM FILES\HP DESKJET 880C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\PROGRAM DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F1 - win.ini: run=hpfsched
O1 - Hosts: 66.250.57.9 view.atdmt.com
O1 - Hosts: 66.250.57.9 click.atdmt.com
O1 - Hosts: 66.250.57.9 leader.linkexchange.com
O1 - Hosts: 66.250.57.9 pagead2.googlesyndication.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 880C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab


#2 Grinler (Lawrence Abrams, Admin, 43,503 posts)

Posted 28 February 2005 - 09:01 AM

Please follow these steps:

Step 1:

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the hook, which may be listed as:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.

5. Continue to Step 2.

Step 2:

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the unmark all button.

6. Then put checkmarks in the following checkboxes:

Under Registry put a checkmark in the Run Keys checkbox.

Under System/Drivers put a check in the Running Processes checkbox.

7. Press the OK button.

8. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

9. Post a copy of the log as a reply to this post.

#3 spddvm (Topic Starter, Members, 17 posts)

Posted 28 February 2005 - 02:34 PM

Dear Grinler,
Thanks for your advice on how to remove StartPage DU - I assume you knew from my HijackThis log that I am running Win 98SE on the infected machine - I wasn't sure if your fix applied to Win 98SE or XP or both. I thought it might help if I posted the instructions for removal that were posted to BullGuard.com by "SClyde" - it seems like a "simpler" approach (or at least one I could do without downloading another utility). However, I know that people who went about removing all the "CLSID" entries (whatever those are) ended up crashing their machines - although "SClyde" never recommended that - only those listed below. So, if I follow the "SClyde" approach I was only going to remove the entries shown below. Any additional suggestions or advice from you or others about the simplest and safest way to remove StartPage DU are appreciated. I know you're probably wondering why I didn't just do what you recommended the first time, but I am relatively ignorant about these things and am trying to collect as much info as possible before making changes to the computer.
SPDDVM
PS (addendum): I will follow your instructions and get the data tonight on my home (infected) machine. Thanks ...
==================
POSTED TO BULLGUARD.COM by "SCLYDE" ...

Here is how to delete it [REFERRING TO STARTPAGE DU]

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following: HKEY_CLASSES_ROOT>Protocols>Filter>text/html
In the right panel, locate and delete the entry: CLSID
In the left panel, double-click the following: HKEY_CLASSES_ROOT>Protocols>Filter>text/plain
In the right panel, locate and delete the entry: CLSID
In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Classes>Protocols>Filter>text/html
In the right panel, locate and delete the entry: CLSID
In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Classes>Protocols>Filter>text/plain
In the right panel, locate and delete the entry: CLSID
In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Search
In the right panel, locate and delete the following entries: SearchAssistant, Search Page, Search Bar
In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Main
In the right panel, locate and delete the following entries: HOMEOldSP, Use Search Asst, Use Custom Search URL
In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Search
In the right panel, locate and delete the following entries: SearchAssistant, Search Page, Search Bar
In the left panel, double-click the following: HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
In the right panel, locate and delete the following entries: HOMEOldSP, Use Search Asst, Use Custom Search URL
Search CLSID, there should be approximately 30 of them, DELETE all 30.
Search HomeOld, change about:blank to www.msn.com (or anything you want), then go Start, SEARCH, type sp.html and Delete it. Restart your computer. If you fail to fix it the first time, don't give up, try again.

Edited by spddvm, 28 February 2005 - 02:41 PM.


#4 spddvm (Topic Starter, Members, 17 posts)

Posted 28 February 2005 - 06:41 PM

Dear Grinler,

Here is the information you requested in STEP 1:
Hook type: Windows Procedure
Hooked by: bubblss.bmp
Application: RUNDLL32.EXE
DLL path: C:\WINDOWS\bubblss.bmp
Application path: C:\WINDOWS\RUNDLL32.EXE
----------
Here is the information you requested in STEP 2 (the Start Dreck log):
StartDreck (build 2.1.7 public stable) - 2005-02-28 @ 18:36:20 (GMT -05:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Veterinary Medicine at XDIBART

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*CreateCD50="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
*AdaptecDirectCD="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*MMTray=C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*McAfeeVirusScanService=C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
»RunServicesOnce
**p=rundll32 C:\WINDOWS\BUBBLSS.BMP,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FF0F8D67=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFD9DB=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFCE4B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE677B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE2BE7=C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
+FFFE8F9F=C:\WINDOWS\RUNDLL32.EXE
+FFFEF6C3=C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
+FFFED627=C:\WINDOWS\EXPLORER.EXE
+FFFD5B03=C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
+FFFD5A4B=C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
+FFFC12A3=C:\WINDOWS\TASKMON.EXE
+FFFCE553=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFCDA73=C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
+FFFB7703=C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
+FFFBBA47=C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
+FFFC6CCB=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFFBF9B7=C:\WINDOWS\DVZCOMMON\DVZMSGR.EXE
+FFFA1113=C:\PROGRAM FILES\HP DESKJET 880C SERIES\EREG\REMIND32.EXE
+FFFACFF7=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
+FFFA0677=C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
+FFF9332B=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF92087=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF96AF7=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF8936B=D:\PROGRAM DOWNLOADS\STARTDRECK\STARTDRECK.EXE
»Application specific

-----------
It appears that the bubblss.bmp file may be a culprit in the process. I had previously noted it as a file I didn't recognize when checking running processes but given the filename extension I thought maybe it was some kind of image, perhaps a screensaver one of my kids may have loaded. I will check the date it appeared on my computer to see if it was around the time I first noticed the infection (around 2/6/05).

----------
Please let me know what I should do next.
Thanks for your ongoing help.
SPDDVM

#5 spddvm (Topic Starter, Members, 17 posts)

Posted 28 February 2005 - 06:51 PM

Dear Grinler,

Sorry for the ongoing posts but I thought you might find this helpful. The following file with no version number and no description was found by Process View when checking Explorer DLLs:

BUBBLSS.BMP 61b80000 81920 C:\WINDOWS\BUBBLSS.BMP

The file doesn't show up on a file search of the computer despite the fact that I have checked "show hidden files" in Windows 98.

I'll let you know if I figure out more about this file.

SPDDVM

PS A previous Google search of the filename didn't help me.

#6 Grinler (Lawrence Abrams, Admin, 43,503 posts)

Posted 28 February 2005 - 06:58 PM

As you will see, those instructions on bullguard are not accurate.

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter C:\WINDOWS\BUBBLSS.BMP into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot and check to see if the file is gone. Then fix these entries with hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

and then reboot and delete c:\windows\temp\se.dll.

Then post a new log
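
A small log-triage script, added here as an example and not part of this thread or of HijackThis, StartDreck or KillBox: it scans lines in the HijackThis and StartDreck formats posted above and flags the two things Grinler singled out, the R0/R1 entries set to about:blank or to a res:// URL served from a DLL under a TEMP directory, and a rundll32 entry that loads a module with a non-DLL extension (the BUBBLSS.BMP,DllGetClassObject pattern from the StartDreck log). The sample lines are constructed from the logs in this thread; the check names and the "normal extension" list are my own assumptions.

```python
import ntpath
import re

# Constructed sample, shaped like the HijackThis (R0/R1/O2/O4/O1) and
# StartDreck (*key=value) lines posted in this thread. Not a real log capture.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O1 - Hosts: 66.250.57.9 view.atdmt.com
*p=rundll32 C:\WINDOWS\BUBBLSS.BMP,DllGetClassObject
"""

# A HijackThis item: section code (R0, R1, O4, ...), " - ", then the item body.
HJT_ITEM = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.*)$")

# A rundll32 invocation: optional .exe, optionally quoted module path, comma, export name.
RUNDLL32 = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)

# Extensions rundll32 is normally asked to load (assumed list); anything else deserves a look.
NORMAL_MODULE_EXTENSIONS = {".dll", ".cpl", ".ocx"}


def check_startpage_value(value):
    """Reason string if an R0/R1 value matches the hijack seen in this thread, else None."""
    v = value.strip().lower()
    if v == "about:blank":
        return "IE search/start value reset to about:blank"
    m = re.match(r"res://(.+?\.dll)/.+\.html?$", v)
    if m and "\\temp\\" in m.group(1):
        return "IE search value served from a DLL resource under a TEMP directory (%s)" % m.group(1)
    return None


def check_rundll32(text):
    """Reason string if the line runs rundll32 on a module that is not a DLL-like file."""
    m = RUNDLL32.search(text)
    if not m:
        return None
    module = m.group("module").strip()
    ext = ntpath.splitext(module)[1].lower()
    if ext not in NORMAL_MODULE_EXTENSIONS:
        return "rundll32 loads a module with a non-DLL extension (%s) via export %s" % (
            module, m.group("export"))
    return None


def scan_log(text):
    """Return [(line, reason)] for every line that matches one of the checks above."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_ITEM.match(line)
        if m and m.group("section") in ("R0", "R1") and "=" in m.group("body"):
            _key, value = m.group("body").split("=", 1)  # body is "registry key = value"
            reason = check_startpage_value(value)
            if reason:
                findings.append((line, reason))
                continue
        # Applies to HJT O4 lines and to StartDreck *key=value lines alike.
        reason = check_rundll32(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in scan_log(SAMPLE_LOG):
        print("FLAG: %s\n      %s" % (reason, line))
```

Run against the sample, it flags the three R0/R1 lines and the BUBBLSS.BMP loader while leaving the legitimate powrprof.dll rundll32 entry, the toolbar BHO and the hosts entries alone.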

#7 spddvm (Topic Starter, Members, 17 posts)

Posted 28 February 2005 - 06:58 PM

Dear Grinler,

OK, last post for the evening, really!

I rebooted the machine in DOS command prompt mode and found the following file in the C:\WINDOWS directory:

bubblss.bmp 31,232 04-23-99 10:22 PM

I guess whatever the origin of that file, it was created a long time ago.

The infection became apparent around 02-06-05

Thanks again for your efforts.

SPDDVM

#8 Grinler (Lawrence Abrams, Admin, 43,503 posts)

Posted 28 February 2005 - 07:07 PM

It may have set its date to an earlier one. It's possible to do that.

#9 spddvm (Topic Starter, Members, 17 posts)

Posted 01 March 2005 - 07:24 AM

Grinler,
Thanks very much for your insightful and professional replies. I am at work now but will follow the fix you recommended tonight on the infected machine and will post a reply (or replies!) describing what happens. I thought about the possibility that the file date on bubblss.bmp could have been set to an earlier date - also it occurred to me that the filename extension may not necessarily accurately describe the function of the file (i.e. this is not your ordinary bitmap file). If this works, hopefully others will find the approach useful because I found little on the internet about how to fix this Trojan - in fact many people seem to have had a lot of difficulty.
Thanks again,
SPDDVM

#10 spddvm (Topic Starter, Members, 17 posts)

Posted 01 March 2005 - 09:37 PM

Grinler,
I followed the directions from your 2/28/05 6:58 PM post and I am now keeping my fingers crossed that all is well! Here is what I did:
1. Deleted c:\windows\bubblss.bmp using "delete on reboot".
The only thing different here was that the Killbox program didn't automatically reboot the computer. I had to close the program and manually reboot.
2. I ran HijackThis and only found 3 of the 5 R1 lines indicated (those with the words "about blank") and the 1 R0 line with "about blank" in it. Then I realized that a couple of days ago, McAfee VirusScan found the se.dll file mentioned in the other 2 R1 lines and (because I had determined it was not a normal part of Win 98 via the internet and the IT people where I work) I deleted it. So, that is probably why it didn't come up.
3. I rebooted in the "command prompt mode" and looked in the root directory, c:/windows and c:/windows/temp for the se.dll file and it was not present as far as I could tell.
4. I rebooted the computer without incident.
I VERY MUCH appreciate your clear and excellent advice.
Perhaps you would consider submitting a tutorial showing others how to get rid of Start Page DU as I am sure others have had this problem (based on what I've seen on the internet). And, as you pointed out, not all of the advice on the internet about how to get rid of it is accurate.
Again, you were a phenomenal resource! Mission hopefully accomplished.
SPDDVM

#11 Grinler (Lawrence Abrams, Admin, 43,503 posts)

Posted 02 March 2005 - 12:47 AM

You may want to post a new log to be safe so we can take a look and give a final review

#12 spddvm (Topic Starter, Members, 17 posts)

Posted 02 March 2005 - 09:26 AM

Grinler,
Assume you mean another Hijack This log, right? OK - will do so tonight. If there's anything else I need to post (to hopefully help others with this Trojan) please let me know. Again, the support is very much appreciated.
SPDDVM

#13 Grinler (Lawrence Abrams, Admin, 43,503 posts)

Posted 02 March 2005 - 10:06 AM

Yup..the hjt log

#14 spddvm (Topic Starter, Members, 17 posts)

Posted 02 March 2005 - 06:31 PM

Grinler,
Here is a HijackThis log of the computer after following the removal process for the Start Page DU Trojan. From what you see here can you give it a clean bill of health? Seems to be working okay. Again, thanks for your efforts and I made a small contribution to Bleeping Computer via PayPal in appreciation for the site and its participants.
SPDDVM
===================
Logfile of HijackThis v1.99.1
Scan saved at 6:30:47 PM, on 3/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DVZCOMMON\DVZMSGR.EXE
C:\PROGRAM FILES\HP DESKJET 880C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
D:\PROGRAM DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O1 - Hosts: 66.250.57.9 view.atdmt.com
O1 - Hosts: 66.250.57.9 click.atdmt.com
O1 - Hosts: 66.250.57.9 leader.linkexchange.com
O1 - Hosts: 66.250.57.9 pagead2.googlesyndication.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 880C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#15 spddvm (Topic Starter, Members, 17 posts)

Posted 02 March 2005 - 09:37 PM

Grinler,
Oh no! Trouble in paradise. After thinking that StartPageDU was gone - it seems to be back. I was planning to copy some of the utilities we've been using to put on another machine when I noticed neither of the CD drives would read my data CDRW. So I put a commercial music CD in the drive - MMJB opened up and the CD tracks showed but no sound. Then McAfee came up warning me that StartPageDU was present and indicated several (3 I think) files in different locations - one was the infamous SE.DLL file and another was the XXXX.DLL where the file name is random letters. Frankly I was so frustrated at that point that I didn't pay close attention to the locations of the various files. McAfee couldn't clean them or get rid of them. When I went back and looked at the system using msinfo32 it showed the system hooked by c:\windows\bubblss.bmp again and Process View (another utility) showed bubblss.bmp in the active processes (Explorer DLLs). At this point I rebooted in safe mode command prompt and deleted the bubblss.bmp file in c:/windows. After that, it was no longer visible in msinfo32 or Process View. Next I tried a commercial music CD in one of the drives (G:) and the CD played with sound this time. Tried the CD in the other drive (E:) and MMJB opened okay and recognized the CD but no sound. I tried the data CDRW in both CD drives and neither recognized it. Drive E is showing as completely full (no free space) when I check it in Control Panel. At this point I'm totally confused, but obviously something about putting a CD in one of the CD drives and MMJB opening triggered reinfection, because I had just rescanned my computer with SpyBot Search and Destroy and CWShredder right after posting the previous HijackThis log and got a clean bill of health. Below is another HJT log that I ran after the above events. Sorry to be an ongoing thorn in your side but this problem is enormously frustrating. Somehow the reloader is still lurking on my system somewhere.
Any advice will be appreciated.
SPDDVM
==================
Logfile of HijackThis v1.99.1
Scan saved at 9:23:59 PM, on 3/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DVZCOMMON\DVZMSGR.EXE
C:\PROGRAM FILES\HP DESKJET 880C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
D:\PROGRAM DOWNLOADS\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O1 - Hosts: 66.250.57.9 view.atdmt.com
O1 - Hosts: 66.250.57.9 click.atdmt.com
O1 - Hosts: 66.250.57.9 leader.linkexchange.com
O1 - Hosts: 66.250.57.9 pagead2.googlesyndication.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 880C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
