Win32:Startpage-006 [Trj]

Hi.

Avast found the trojan Win32:Startpage-006 [Trj] on my computer. Yet it cannot repair it, neither in Windows nor in the boot-time virus scan. If I move or delete the infected files, others will appear.

This trojan is damaging Internet Explorer, basically making work with this browser impossible. It constantly goes to some anonymous search page instead of the requested page.

I have tried many adware removal programs, most of them find this trojan, and even repair it, but then it returns.

I also searched this forum for help, and found several topics, but none helped.

If this trojan has occurred to anyone, or you know how to repair it, please reply.

Thanks.

Why not? What did you try exactly?

  • if you can’t remove it: read “VirusRemoval” below and come back with more info, e.g. location, filename, Windows version, HijackThis log

  • if it comes back: read “VirusRemoval” on how to secure your system & browser better :wink:

Well, I’ll assemble this information. Here is the HijackThis log:
The trojan redirects me to "http://nkvd.us/1525/", and indeed I see such entries in the log. However, removing them probably won’t help; I guess this is what Ad-Aware did, but then it returned.

Logfile of HijackThis v1.98.2
Scan saved at 2:45:02 AM, on 8/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\freescan\freescan.exe
C:\WINDOWS\system32\mapiicon.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.0.exe
C:\Program Files\CiDial\CiDial.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINNT\notepad.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Opera75\opera.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Zend\bin\ZDE.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trillian\users\default\downloads\ICQ\45258545\SpaceMonger.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\eMule\eMule.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\Nero\nero.exe
C:\WINDOWS\System32\imapi.exe
C:\WINNT\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1525/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1525/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E64E4902-D59E-4428-B5FC-F45D6A7468E8} - C:\WINDOWS\System32\ilaiocl.dll
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [ADSL_A2] A2Installed
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - Startup: CiDial 2.3.lnk = C:\Program Files\CiDial\CiDial.exe
O4 - Startup: Shortcut to eMule.lnk = C:\Program Files\eMule\eMule.exe
O4 - Startup: Shortcut to startup.lnk = C:\IBDB\BuildDb\commands\startup.bat
O4 - Global Startup: ADSL Diagnostic Tools.LNK = C:\WINDOWS\system32\mapiicon.exe
O4 - Global Startup: EPSON CardMonitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/1525/
O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/1525/
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/1525/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/1525/
O17 - HKLM\System\CCS\Services\Tcpip..{14E8DCDA-3A62-416B-A113-B8301B8BBA98}: NameServer = 212.150.49.10 206.49.94.234
O17 - HKLM\System\CS1\Services\Tcpip..{14E8DCDA-3A62-416B-A113-B8301B8BBA98}: NameServer = 212.150.49.10 206.49.94.234
O18 - Filter: text/html - {40BB00FF-04B9-4547-80F5-D8469E6621BF} - C:\WINDOWS\System32\ilaiocl.dll
O18 - Filter: text/plain - {40BB00FF-04B9-4547-80F5-D8469E6621BF} - C:\WINDOWS\System32\ilaiocl.dll

read the analysis here…
http://hijackthis.de/logfiles/2eab7223145e1c5dd4a561dbc10b0e01.html

reboot to Safe Mode (F8 boot) and kill ONLY the RED entries with HijackThis…
(maybe cidial.exe, too?).
fix yellow items only if you’re absolutely sure you don’t need them, or if the online scanners KAV or RAV confirmed them as nasty…

where applicable, go to Config → Misc Tools and check for & kill the respective BAD processes first with HijackThis’s built-in process manager

reboot normally and update Ad-Aware and Spybot S&D

reboot to Safe Mode again

- run the updated Ad-Aware and Spybot S&D and fix with them, reboot normally and come back with a new HJT log…

:wink: :wink:
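The log quoted above and the advice to fix only the red entries both rest on the same triage: the R0/R1 start and search pages, the percent-encoded O13 prefixes, the nameless O2 BHO and the O18 text/html filter all point at one host and one DLL. The script below is an added example, not part of the thread and not HijackThis code; it parses a constructed sample in the HijackThis v1.98 line format modelled on the entries posted above, decodes the obfuscated prefix, flags search pages served from a Temp file, and correlates a DLL that is registered both as a BHO and as a MIME filter. The sample lines, the section regex and the heuristics are all assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in HijackThis v1.98 log format, modelled on the entries
# quoted in the thread. It is embedded here so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1525/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\EugeneK\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E64E4902-D59E-4428-B5FC-F45D6A7468E8} - C:\WINDOWS\System32\ilaiocl.dll
O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/1525/
O18 - Filter: text/html - {40BB00FF-04B9-4547-80F5-D8469E6621BF} - C:\WINDOWS\System32\ilaiocl.dll
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O13, ...).
LINE_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
OBFUSCATED = " (obfuscated)"   # marker HijackThis appends to percent-encoded URLs


def decode_url(url):
    """Undo percent-encoding, the trick behind the '(obfuscated)' entries."""
    return unquote(url.strip())


def host_of(url):
    """Lower-cased host of an http/https URL after decoding; None for other schemes."""
    parts = urlsplit(decode_url(url))
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def parse_log(text):
    """Yield (section, body) for each R/O entry; headers and process lists are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("sect"), m.group("body")


def analyze(text):
    """Apply the hijack heuristics and correlate hosts and DLLs across sections."""
    findings = []
    url_hosts = set()      # hosts set as start/search page (R0/R1)
    prefix_hosts = set()   # hosts set as URL prefix (O13)
    bho_dlls = set()       # DLLs loaded as nameless BHOs (O2)
    filter_dlls = set()    # DLLs registered as MIME filters (O18)

    for sect, body in parse_log(text):
        if sect in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            if value.endswith(OBFUSCATED):
                value = value[:-len(OBFUSCATED)]
            # A search page served from the user's Temp directory is a classic hijack.
            if value.lower().startswith("file://") and "\\temp\\" in value.lower():
                findings.append(f"{sect} {key}: search page served from a Temp file ({value})")
            host = host_of(value)
            if host:
                url_hosts.add(host)
        elif sect == "O13" and ": " in body:
            name, prefix = body.split(": ", 1)
            decoded = decode_url(prefix)
            if decoded != prefix:
                findings.append(f"O13 {name}: percent-encoded prefix decodes to {decoded}")
            host = host_of(prefix)
            if host:
                prefix_hosts.add(host)
        elif sect == "O2" and body.startswith("BHO: "):
            parts = body[len("BHO: "):].split(" - ")
            if len(parts) == 3 and parts[0] == "(no name)":
                bho_dlls.add(parts[2])
                findings.append(f"O2: nameless BHO loads {parts[2]}")
        elif sect == "O18" and body.startswith("Filter: "):
            parts = body[len("Filter: "):].split(" - ")
            # A text/html or text/plain filter can rewrite every page the browser renders.
            if len(parts) == 3 and parts[0] in ("text/html", "text/plain"):
                filter_dlls.add(parts[2])
                findings.append(f"O18: {parts[0]} filter lets {parts[2]} rewrite every page")

    for dll in sorted(bho_dlls & filter_dlls):
        findings.append(f"correlated: {dll} is both a BHO and a MIME filter")
    for host in sorted(url_hosts & prefix_hosts):
        findings.append(f"correlated: {host} is set as start/search page and as URL prefix")

    return {
        "findings": findings,
        "hosts": url_hosts | prefix_hosts,
        "shared_dlls": bho_dlls & filter_dlls,
    }


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG)["findings"]:
        print(line)
```

Run against a real log by replacing SAMPLE_LOG with the file contents. The correlation step is the useful part: a single DLL that is both a BHO and a text/html filter, named by nothing but a random filename in System32, is what lets the redirect come back after the R1 keys are reset, which is why the advice above says to fix the whole set in Safe Mode rather than only the start page entries.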

I’m no expert but wouldn’t disabling system restore and a boot time scan help here?

I’ll get my coat and leave if this has already been tried btw!

System Restore should probably be disabled, yes… Forgot about this nice XP feature :slight_smile:

P.S.: IMHO, if the detected Startpage-006 were in System Restore, then the avast shield should alert to this, but maybe some other stuff in the HJT log is recreating it…

I’m quite sure RAMAN had posted quite good instructions to clean Startpage-006, but I’m too lazy to search (it’s late… :wink: )

Well, just for you…:
http://forum.avast.com/index.php?board=4;action=display;threadid=4796

If all else fails, use CLRAV, SPHJFIX and/or ESCAN

If during the cleanup process you encounter any malicious files that UPDATED avast doesn’t detect, please send them to virus (at) avast.com (password-encrypted).

:wink: :wink:

Whocares: Your response to Eugene on 14 Aug about the Restore feature in XP had me intrigued. Would it be your recommendation to turn this feature off, and leave it off? You can send a private e-mail if you like, since this thread is rather old.

Hi Spartan48,

well…
- when cleaning active malware from your PC, it MUST be switched OFF prior to cleaning; when the PC is cleaned & secured, you can switch it on again…

  • if you secure your system reasonably well so that you don’t attract malware, then System Restore IMHO is a good feature for an easy restore, if you, a piece of software, or El Niño bungled something up in your machine…

But there are way better ways to backup/restore your system, e.g. an IMAGE and/or ERUNT

:wink: