trojan horse startpage.4.ao

Discussion in 'adware, spyware & hijack cleaning' started by bongo, Jun 9, 2004.

Thread Status:
Not open for further replies.
  1. bongo

    bongo Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    2
Hi, I'm having a problem with my computer. Every time I turn my computer on, AVG detects a virus; this time it was C:\windows\nbgbbaa.dll and it tells me I have the Trojan horse StartPage.4.AO virus. I use Ad-Aware and Spybot and I still keep getting this virus every time I start my computer, but the DLL always changes. Also I noticed that my SpywareBlaster doesn't work anymore, and every time I try to scan my computer with the Trend Micro free scan the page closes or redirects me to http://th.msie.tv/index.php?aid=20038. I'm just wondering if anyone can help me. Oh yeah, I also used CWShredder and it said I had CWS.Searchx and it cleaned it. Here is my HijackThis log. Thanks for your time and your help.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:20:24 PM, on 09/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.highspeed.rogers.com
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.highspeed.rogers.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.highspeed.rogers.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O9 - Extra button: @Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    first download http://download.broadbandmedic.com/HostsFileReader.exe

    run the program and click on search for hosts, any found will be listed in the bottom window, select any and press restore defaults

    that should get rid of the redirects

    then
    download startdreck from http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm

    and download http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

unzip StartDreck to the desktop
    DoubleClick: 'StartDreck.exe'
    Hit: config
    hit: Unmark all
    Check these boxes only:
    Registry->run keys
    System/drivers> Running processes
    hit >ok.

Check specifically for this entry in the log:

    »Local Machine
    »RunServicesOnce
    **ozkc=rundll32 C:\WINDOWS\SYSTEM\XXXXX.DLL,StreamingDeviceSetup


    After identifying the dll, proceed with :

    use the win9xfix you downloaded earlier, also unzip that to the desktop
    -DoubleClick on: 'RunFix.reg' file, hit 'yes'
    on the prompt!
    -Restart computer!
    -File should be visible!
    -Do 'find files' for dll listed on log, delete.
*Note: Be sure to save the StartDreck log before, so
you'd be able to find the file later!
    If lost (Since nothing else will find it when not hooked)
    Simply run the included: "who.bat", file
    will be found & listed
    in "Badfile.txt".

    It should be located in C:\WINDOWS\SYSTEM\XXXXX.dll

    any queries post back and we'll talk you through it in small steps
     
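A defender-side check, added here as an example and not part of dvk01's instructions or of the StartDreck tool: it parses a constructed StartDreck-style log fragment (modelled on the entry quoted above, using the DLL name AVG reported in the first post) and flags rundll32 entries that load a non-standard DLL from the Windows system directory. The exact log layout and the `known` system-DLL list are assumptions.

```python
import re

# Constructed sample, not real StartDreck output: modelled on the
# RunServicesOnce entry dvk01 describes, with the DLL AVG named in the first post.
SAMPLE_LOG = """»Local Machine
»Run
*ScanRegistry=C:\\WINDOWS\\scanregw.exe /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
**ozkc=rundll32 C:\\WINDOWS\\SYSTEM\\nbgbbaa.dll,StreamingDeviceSetup
»Current User
»Run
*PopUpStopperFreeEdition="C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER FREE EDITION\\PSFREE.EXE"
"""

# rundll32[.exe] <dll path>,<export name>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.I)

def parse_startdreck(text):
    """Yield (hive, key, name, command) for every *name=command line."""
    hive = key = None
    for line in text.splitlines():
        if line.startswith('»'):
            label = line[1:].strip()
            if label in ('Local Machine', 'Current User'):
                hive = label
            else:
                key = label
        elif line.startswith('*'):
            name, _, cmd = line.lstrip('*').partition('=')
            yield hive, key, name, cmd.strip()

def suspicious_entries(text):
    """Flag rundll32 launches of a DLL that is not a known system library and
    sits in the Windows system dir or is registered under RunServicesOnce."""
    known = {'powrprof.dll'}  # assumption: extend with DLLs you have verified
    hits = []
    for hive, key, name, cmd in parse_startdreck(text):
        m = RUNDLL_RE.match(cmd)
        if not m:
            continue
        dll, export = m.groups()
        base = dll.rsplit('\\', 1)[-1].lower()
        in_sysdir = '\\windows\\system' in dll.lower()
        if base not in known and (in_sysdir or key == 'RunServicesOnce'):
            hits.append({'hive': hive, 'key': key, 'name': name,
                         'dll': dll, 'export': export})
    return hits

if __name__ == '__main__':
    for hit in suspicious_entries(SAMPLE_LOG):
        print(hit)
```

The flagged path is the file to save from the log before running RunFix.reg, so it can still be located after the reboot unhooks it.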
  3. bongo

    bongo Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    2
Hey, thank you very much for your help. I did all the steps you told me and everything seems to be fine. I can do the Trend Micro virus scan and my SpywareBlaster is working again. No more redirects. Thanks again. You guys are very helpful.
     