Startpage-006 virus

I, too, have this Startpage-006 virus. I fixed whatever was changing my startpage but avast tells me that I have been infected with this virus (Win32:Startpage-006 [Trj]) every time I log on to the internet. I have run avast several times to no avail, avast doesn’t find any virus. I have also run CSWshredder with nothing found, ad-aware with nothing found, and spy-bot with nothing found. How do I get rid of this virus without having to re-do my entire system???
*I am running Windows XP Home Edition, all service packs are up to date
*the virus is found in C:\Windows\System32\<somefilename>.dll and
C:\Documents and Settings\Tank\Local Settings\Temporary Internet Files\Content.IE5\<variouslettersandnumbers>\m[1].bin
*I have run Disk Cleanup several times and it doesn’t help.
*I turned off System Restore and booted into Safe Mode then ran avast and still no virus was found.
What do I do now???

Hi,

please read here:
http://forum.avast.com/index.php?board=4;action=display;threadid=4796
and use the board-search above on other tools to use,
e.g.
post a hijackthis-Log & use:
SPHJfix
ESCAN
clrav
:wink:

Here’s my hijackthis log:
Logfile of HijackThis v1.97.7
Scan saved at 2:15:40 PM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\System Snapshot\Syssnap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BFD19EBB-F62E-41E3-9B32-B49116F801EB} - C:\WINDOWS\System32\anjgga.dll (file missing)
O2 - BHO: (no name) - {F5FA6929-4D25-41B9-84C6-B1DCF49EBC2A} - C:\WINDOWS\System32\kif.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [System Snapshot] C:\Program Files\System Snapshot\Syssnap.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: ICQ 4.0.lnk = C:\Program Files\ICQLite\ICQLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra ‘Tools’ menuitem: Sun Java Console (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra ‘Tools’ menuitem: PartyPoker.com (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ Lite (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38007.1673263889
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4370/mcfscan.cab

the above are bad, check & fix them in hijackthis…

Do you still experience problems on the PC?
If so, what are the results of the scanners in my 1st posting?

Thanks for the help!
The only problem I have is when I log on to the Internet. Avast pops up and says I have the Startpage virus in a temporary internet file and then it comes up again and says I have one in a System32 .dll file.
I tried to download eScan but for some reason I can’t. Nothing happens when I click on the download link. I haven’t tried the others yet.

please give the exact name…

& just move those files to the chest…
and secure your system, or it will always come back…
→ see VirusRemoval below in my sig…

The latest warning to come up from avast was that I had “Sign of Win32:Startpage-006 [Trj] has been found in "C:\WINDOWS\System32\jpe.dll" file”
The one before that was “C:\WINDOWS\System32\agb.dll” file
I get at least four warnings every time I log onto the Internet so I have tons in my log viewer in Avast.

try to get Escan downloaded & running,
also secure your system (see “VirusRemoval”) or that stuff will always come back…

I got escan to run finally. It didn’t find anything in regular or safe mode. I downloaded and have been using Mozilla for the past few days but still get the same virus warnings every time I log onto the internet.

Well,
@1)
some scenarios:

  • you deleted the trojan before with avast, then of course Escan won’t find anything. Then the trojan will always reappear, because you didn’t secure your WIN & IE
  • you didn’t set the options correctly in Escan, e.g. to scan all drives & all files; see screenshot here: http://www.trojaner-board.com/showthread.php?t=6083
  • there’s still something else hidden on your system, which recreates the startpage-trojan & Escan doesn’t know/detect it (pretty unlikely, but possible)

@2) of course, because you’ve either not got rid of it properly, or your system is not secured

There are still lots of links/tools where you didn’t give detailed reports of what they found etc…
If you want to resolve this, please work through the above topics/links/tools again & report more details,
and also use the board-search again on “startpage-006”
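
As an added example (not part of any post in this thread, and not HijackThis's own code), here is a small Python parser for the HijackThis log format posted above that lists entries worth a manual look. The sample lines are excerpted from that log; the function names and the three review heuristics are assumptions of this example, not a verdict on any entry.

```python
import re

# Excerpt of the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BFD19EBB-F62E-41E3-9B32-B49116F801EB} - C:\WINDOWS\System32\anjgga.dll (file missing)
O2 - BHO: (no name) - {F5FA6929-4D25-41B9-84C6-B1DCF49EBC2A} - C:\WINDOWS\System32\kif.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, then the entry body
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")      # 8-4-4-4-12 GUID in braces

def parse(log):
    """Return (section, body) pairs for entry lines; header and process lines are skipped."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out

def triage(entries):
    """Flag entries for manual review (heuristics are this example's assumptions)."""
    flagged = []
    for section, body in entries:
        clsid = CLSID.search(body)
        ident = clsid.group(0) if clsid else body
        if section == "O2" and body.endswith("(file missing)"):
            flagged.append((section, ident, "BHO registered but DLL not on disk"))
        elif section == "O16" and body.endswith("} -"):
            flagged.append((section, ident, "ActiveX control with no name or download source"))
        elif section in ("R0", "R1") and body.endswith("="):
            flagged.append((section, ident, "browser setting present but empty"))
    return flagged

if __name__ == "__main__":
    for section, ident, reason in triage(parse(SAMPLE_LOG)):
        print(f"{section:<4}{reason}: {ident}")
```

A flagged entry is only a starting point: the CLSID and the file name still have to be checked before anything is fixed in HijackThis.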