#1
Wotcha dudes,
Whilst considering myself to be somewhat proficient in the arcane computing arts I find myself stumped. Recently my reasonably high powered system has been slowing to a crawl as soon as the dial-up connection is made. I have adaware'd and AVG'd till my monitor flows red with blood yet cannot seem to fix the problem. AVG found two viruses, listed above, which it claimed to have fixed. No change in system speed however once the little computer screens start flashing in the system tray. Most odd. Could anyone of greater intellect and ability than myself spare a few moments for analysis? HijackThis log follows:

Logfile of HijackThis v1.98.0
Scan saved at 12:59:13 AM, on 7/27/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.telegraph.co.uk/
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDIEHLP.DLL
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.111-deleon.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.111-deleon.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\Program Files\Network Associates\McAfee VirusScan\WEBSCANX.EXE
O4 - HKLM\..\Run: [NB Window Patterns] C:\PROGRA~1\NETWOR~1\NUTS&B~1\WINDBKGD.EXE
O4 - HKLM\..\Run: [NB Start Menu] C:\PROGRA~1\NETWOR~1\NUTS&B~1\STARTM.EXE
O4 - HKLM\..\Run: [NB Common Dialog Enhancements] C:\PROGRA~1\NETWOR~1\NUTS&B~1\COMDLGEX.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.111-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.111-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.111-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.111-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.111-DELEON.DLL/cmtrans.html
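Added example, not part of the original thread and not HijackThis's own code: a short Python script that parses the R0, O2 and O4 lines of the log above and flags what a log reviewer checks first, namely a BHO whose CLSID is still registered but whose DLL is "(no file)", a BHO with no name, and Run/RunServices entries that belong to more than one resident antivirus product. The sample lines are copied from the posted log; the vendor path fragments and the orphaned/unnamed heuristics are this editor's assumptions.

```python
"""Triage a HijackThis 1.98 log offline.

Added example for this thread, not HijackThis's own code. It parses the R0, O2
and O4 lines and flags what a log reviewer checks first: BHOs registered with
no DLL on disk, unnamed BHOs, and startup entries from more than one resident
antivirus product (the vendor path fragments below are an assumption).
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.telegraph.co.uk/
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDIEHLP.DLL
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.111-deleon.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 - HKLM\..\Run: [<value name>] <command line>   (Run, RunServices, RunOnce ...)
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed lower-case path fragments that identify a resident antivirus engine.
AV_VENDORS = {
    "grisoft\\avg": "AVG",
    "mcafee virusscan": "McAfee VirusScan",
}


def parse_log(text):
    """Split a HijackThis log into its BHO (O2), autorun (O4) and start page (R0/R1) entries."""
    bhos, runs, start_pages = [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append(m.groupdict())
            continue
        if line.startswith(("R0 - ", "R1 - ")) and " = " in line:
            start_pages.append(line.split(" = ", 1)[1])
    return {"bho": bhos, "run": runs, "start_page": start_pages}


def triage(text):
    """Return (findings, av_entries): human-readable flags and the autorun entries per AV vendor."""
    parsed = parse_log(text)
    findings = []
    for b in parsed["bho"]:
        if b["path"] == "(no file)":
            # CLSID still registered under Browser Helper Objects but the DLL is gone:
            # harmless leftover, but it is exactly what a hijacker's half-removed BHO looks like.
            findings.append(f"orphaned BHO {b['clsid']}: registered but DLL missing")
        elif b["name"] == "(no name)":
            findings.append(f"unnamed BHO {b['clsid']} -> {b['path']} (identify the DLL before trusting it)")
    vendors = defaultdict(list)
    for r in parsed["run"]:
        low = r["cmd"].lower()
        for frag, vendor in AV_VENDORS.items():
            if frag in low:
                vendors[vendor].append(f"{r['hive']}\\..\\{r['key']}: [{r['name']}]")
    if len(vendors) > 1:
        # Two resident scanners hooking the same file I/O is a classic cause of a crawl.
        findings.append("multiple resident antivirus engines: " + ", ".join(sorted(vendors)))
    return findings, dict(vendors)


if __name__ == "__main__":
    found, av = triage(SAMPLE_LOG)
    for f in found:
        print("FLAG:", f)
    for vendor, entries in sorted(av.items()):
        print(vendor, "->", "; ".join(entries))
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the same three checks apply unchanged to a StartupList report's "Enumerating Browser Helper Objects" and "Autorun entries" sections once those lines are reshaped into the O2/O4 form.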
#2
Hi Chaffers,

Your log is clean. Please update Windows and Internet Explorer. Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".
http://v4.windowsupdate.microsoft.com/

I see you have two anti-virus programs running. They may interfere with each other. It's considered best to uninstall one of them.

These are tools that will help keep you from getting infected again:

SpywareBlaster will block bad ActiveX and malevolent cookies.
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard is a real-time spyware scanner.
http://www.wilderssecurity.net/spywareguard.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

All are very small free programs. Occasionally check for updates.

Adjust your security settings for ActiveX: Go to Internet Options/Security/Internet, press 'Default Level', then OK. Now press 'Custom Level'. In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'Prompt', and "Initialize and script ActiveX controls not marked as safe" to 'Disable'.

Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".
http://v4.windowsupdate.microsoft.com/

Tom
__________________
HijackThis | Ad-aware | Spybot Search & Destroy | SpywareBlaster | SpywareGuard | Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
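Added example, not from the thread or from any of the tools linked above: the ActiveX advice in the reply can be checked and enforced from a registry export rather than by clicking through Internet Options. On Windows 98 the Internet zone's per-user settings live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, and Microsoft documents the value names (1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls, 1201 = Initialize and script ActiveX controls not marked as safe) and their meanings (0 = Enable, 1 = Prompt, 3 = Disable). The script reads a REGEDIT4 export (the sample export is constructed), reports which of the three is weaker than advised, and writes a .reg fragment that raises only those, never loosening a setting that is already stricter. The function and constant names are this editor's.

```python
"""Audit the Internet zone's ActiveX settings from a REGEDIT4 export and build
a .reg fragment that tightens anything weaker than the advice in the thread.

Added example, not part of the thread. Value IDs and meanings follow Microsoft's
documented security-zone registry entries; the sample export is constructed.
"""
import re

ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Action values stored under a zone key.
ENABLE, PROMPT, DISABLE = 0, 1, 3
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}   # higher is safer
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Minimum acceptable setting per ActiveX action, as advised in the reply above.
REQUIRED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", PROMPT),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
}

# Constructed sample export (Win9x REGEDIT4 format): 1001 and 1201 are weak,
# 1004 is already stricter than required and must be left alone.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000000
"""

DWORD_RE = re.compile(r'^"(?P<name>\d+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_zone(export, key=ZONE_KEY):
    """Return {value name: int} for the dword values under `key` in a REGEDIT4 export."""
    values, in_key = {}, False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()   # registry keys are case-insensitive
            continue
        m = DWORD_RE.match(line)
        if in_key and m:
            values[m["name"]] = int(m["hex"], 16)
    return values


def audit(values):
    """List (id, description, current, required) for every setting weaker than required.

    A missing value is treated as weak: the zone then falls back to its template,
    and the point of the audit is an explicit, verified setting.
    """
    weak = []
    for vid, (desc, need) in REQUIRED.items():
        cur = values.get(vid)
        if STRICTNESS.get(cur, -1) < STRICTNESS[need]:
            weak.append((vid, desc, cur, need))
    return weak


def fix_fragment(weak, key=ZONE_KEY):
    """Build a REGEDIT4 fragment that raises only the weak settings; it never loosens one."""
    if not weak:
        return ""
    lines = ["REGEDIT4", "", f"[{key}]"]
    for vid, _desc, _cur, need in weak:
        lines.append(f'"{vid}"=dword:{need:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    weak = audit(parse_zone(SAMPLE_EXPORT))
    for vid, desc, cur, need in weak:
        have = LABEL.get(cur, "missing")
        print(f"{vid} {desc}: is {have}, should be at least {LABEL[need]}")
    print(fix_fragment(weak), end="")
```

To use it on the real machine, export the key with regedit (`regedit /e zone3.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"`), point parse_zone at the file contents, and import the printed fragment with regedit. Because the comparison is "at least this strict", a setting someone has already pushed to Disable is reported as compliant and is not touched.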
#3
Hi Tom,
Thank you for your time. I have, prior to initiating this thread, installed all IE updates, run the Trojan detectors mentioned in the sticky on this forum (one of which appeared to find a trojan in the JDK v1.3.1_01 in one of the RMI classes) and independently used every virus, and ad, detection program that I can get my hands on. The ActiveX controls have always been set as you describe. Whilst several viruses have been found it appears that something malevolent is still making my computer run like a sick dog. Personally I use Mozilla but have only recently set up this computer for the kids' use, in other words anything nasty must have been contracted in the last couple of weeks, through IE naturally. I've now downloaded the programs you kindly mentioned yet cannot find any trace of malware. I have cleaned out other people's computers which display the same symptoms. Startpage was the common factor, though generally earlier iterations of Startpage. As I said earlier, I am still clueless as to how to rid my machine of this bug....
#4
Have you tried any online virus scans?
Choose at least two from the following list:

Trend Micro Housecall
http://housecall.trendmicro.com/

Panda Active Scan
www.pandasoftware.com/activescan/activescan

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

Bitdefender
http://www.bitdefender.com/scan/licence.php

Personally, I like Bitdefender.

Have you tried TDS3 for trojan scanning?

DiamondCS TDS-3
http://tds.diamondcs.com.au/

Let me know how it goes.....

Tom

Edited for clarity
#5
Hi Tom,
Already tried the Housecall online virus scanner, which found a single harmless joke virus. Currently downloading TDS-3 and running the other online checkers... Thank you for your help, will keep you posted, successful or no.

Mike
#6
Keep us posted.
#7
TDS-3 (latest database used) and BitDefender have found nothing. Other online checkers are in the offing but due to a slow evening only connection and sprogs demanding their MSN 'rights' it is taking a while.
In short, still nothing found.
#8
Any chance of a false-positive detection on these two viruses?

I cannot find any credible information related to StartPage.6.BF or StartPage.6.BQ, even on AVG's pages.

Tom
#9
Neither can I. I have seen various iterations of the StartPage virus on other people's computers previously, which appear to exhibit the same behaviour. On later Windows OS they merely change the homepage; however it would appear that on 98 they cause even more of a nuisance by constantly attempting to do the same without success. This slows one's pooter down to a crawl the moment that the internet connection is enabled.

It would appear that the viruses mentioned may have been successfully cleaned; however it is also apparent that there is still something on my system which exhibits the same behaviour. If IE, or Mozilla, is loaded before the connection (from Dial-up Networking) is made then operations appear normal. However when the initial prompt to connect from the browser is used the system exhibits the symptoms stated. Whilst I have found the above workaround to minimize the problem I am still rather concerned to remove the infection. The lack of documentation surrounding the viruses mentioned in the title of this thread leads me to believe that these are new iterations which have yet to be formally documented. I suspect that my system is still infected with an as yet undetectable iteration. Thanks again for your help. Do you have any other avenues of approach that I could pursue? Is there anywhere I could submit my findings to further the anti-virus cause? I could search the history (those kept in the registry at any rate, as I have already deleted the internet related files) for the potentially dodgy websites visited.....

Mike

Last edited by Chaffers : August 4th, 2004 at 05:42 PM. Reason: Grammar
#10
Mike,
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

in your initial log indicates you are behind on Windows Updates. Did you install IE SP1 and all the other critical updates?

Then.... Open HijackThis > click Config button > click Misc Tools button > click Generate StartupList Log > click Yes

Copy and paste the StartupList log with a fresh HijackThis log into your next post.

Tom
#11
Hi Tom,
Sorry for the delay, I've had a frightful week or so at work. I did download the IE6 update but did not install it before posting the HJT log. As you recommend, here is the revised log....

StartupList report, 8/15/04, 9:11:38 PM
StartupList version: 1.52.2
Started from : C:\HIJACKTHIS.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
C-Media Mixer = Mixer.exe /startup
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
POINTER = point32.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
LoadQM = loadqm.exe
THGuard = "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
TrojanScanner = C:\Program Files\Trojan Remover\Trjscan.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Vshwin32EXE = C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Mozilla Quick Launch = "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/8/2004, 18:48:52)

[rename]
nul=C:\WINDOWS\TEMP\~ef7194.tmp

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\BOOTSCAN.EXE C:\
IF ERRORLEVEL 1 PAUSE
SET PATH=%PATH%;C:\PROGRA~1\NETWOR~1\MCAFEE~1;d:\jdk1.3.1_01\bin;C:\PROGRA~1\GRISOFT\AVG6

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDIEHLP.DLL - {206E52E0-D52E-11D4-AD54-0000E86C26F6}
(no name) - (no file) - {EF99BD32-C1FB-11D2-892F-0090271D4F88}
(no name) - c:\windows\downloaded program files\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[HouseCallButton.setup]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HOUSECALLBUTTON.DLL
CODEBASE = http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MESSENGERSTATSCLIENT.DLL
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SOLITAIRESHOWDOWN.DLL
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab

[Checkers Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSGRCHKR.DLL
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab

[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\AVXOSCAN\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 6,384 bytes
Report generated in 0.078 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
#12
Sorry for the delay.
The StartupList log looks OK. I noticed you have two antivirus programs running. They may conflict. It's considered best practice to uninstall one of them.

How's your computer behaving?

Tom
#13
Hi Tom,
Still the same.... Methinks all I can do is run the latest virus updates until the l'il bug is caught. Do you recommend uninstalling TrojanHunter? It has certainly found a few nasties that AVG missed.....

Mike
#14
I would use the full 30 day trial of Trojan Hunter and then decide if you like it enough to purchase it. It's up to you.
Feel free to post a final HijackThis log for review. Please use the updated version.

Please update HijackThis, you are using an outdated version: Open HijackThis, click Config > Misc Tools > Check for Update online. Or download a copy of version 1.98.2 at:
http://www.majorgeeks.com/download3155.html

Tom