For Nellie2 please read

  erkmatrix 10:42 04 Apr 2005
Locked

Hi Nellie2

You helped us out on the thread below about my brother's PC and that dreaded virus Trojan Startpage.FH

click here

Well, it returned. I don't know how it did it, but he reckoned it was OK for a couple of weeks (although I don't think he uses his machine much), then the virus was there again.

I went round on Friday night and put him on Firefox to use as his browser. The homepage wasn't changed, but we did still get pop-ups saying click to get rid of malware etc.

I did as you suggested and downloaded the FxAgentB tool. Used in conjunction with CWShredder and Ad-Aware, FxAgentB did find the virus and supposedly got rid of it, only when I rebooted there the blasted thing was again. Now when I run FxAgentB again it doesn't find anything, but the virus still changes his homepage and he still has these pop-ups, so it's still there. So I will have to ask for your help to remove it manually, or would you suggest anything else?

I got a fresh hijackthis log here as you suggested.


Logfile of HijackThis v1.98.2
Scan saved at 21:10:58, on 01/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Simon\Desktop\HijackThis.exe

cont on next post

  erkmatrix 10:44 04 Apr 2005

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Simon\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Simon\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2EAED660-598D-4B00-A706-4E75500EE2EF} - C:\WINDOWS\system32\jbpa.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\Run: [etlogonn] C:\WINDOWS\System32\etlogonn.exe
O4 - HKLM\..\Run: [cpl] C:\WINDOWS\deamon.exe /i
O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS\ssvr.exe /i
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Simon\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\system32\deinst_qfe001.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=click here
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CF7671E-2173-48F1-8B9C-9AE90BED9D03}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CF7671E-2173-48F1-8B9C-9AE90BED9D03}: NameServer = 194.168.4.100 194.168.8.100
O18 - Filter: text/html - {ECE2F6B5-8B9F-4FEA-A46D-F08223DAE3F0} - C:\WINDOWS\system32\jbpa.dll
O18 - Filter: text/plain - {ECE2F6B5-8B9F-4FEA-A46D-F08223DAE3F0} - C:\WINDOWS\system32\jbpa.dll
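Added example (not part of the thread, and not any helper's tool): a small Python triage script that parses HijackThis-style R/O entries like the ones above and flags the patterns a log reader looks for first. The heuristics are my own assumptions for triage, not a verdict: a start/search page served as a `res://` resource from a DLL in a Temp folder, a BHO registered with no name, an autorun entry whose executable sits in the Windows root folder or borrows a system binary's name outside System32, `rundll32` loading a DLL from Temp at logon, and an O18 MIME filter on `text/html` or `text/plain`. The sample log is a constructed subset of the entries posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Simon\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2EAED660-598D-4B00-A706-4E75500EE2EF} - C:\WINDOWS\system32\jbpa.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\Run: [cpl] C:\WINDOWS\deamon.exe /i
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Simon\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O18 - Filter: text/html - {ECE2F6B5-8B9F-4FEA-A46D-F08223DAE3F0} - C:\WINDOWS\system32\jbpa.dll
"""

# "R1 - <detail>" / "O4 - <detail>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<detail>.*)$")
# O4 Run-key entries: HKLM\..\Run: [name] <command line>
O4_RE = re.compile(r"^(?:HK\w+\\\.\.\\Run\w*): \[[^\]]*\] (?P<cmd>.*)$")
# Per-user temp folder in 8.3 or long form (assumption: Windows XP layout).
TEMP_RE = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.I)
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows$", re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32$", re.I)
# Core system binaries that legitimately live only in System32 (assumption for XP).
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "svchost.exe"}


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def first_program(cmd: str) -> str:
    """Return the program path from a command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def assess(section: str, detail: str) -> list:
    """Apply the triage heuristics to one entry; return the reasons it looks suspicious."""
    reasons = []
    if section in ("R0", "R1"):
        _, _, value = detail.partition(" = ")
        if value.lower().startswith("res://") and TEMP_RE.search(value):
            reasons.append("start/search page served from a DLL resource in a temp folder")
    elif section == "O2" and detail.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    elif section == "O4":
        m = O4_RE.match(detail)
        if m:
            cmd = m.group("cmd").strip()
            head, _, rest = cmd.partition(" ")
            if head.lower() in ("rundll32", "rundll32.exe"):
                dll = rest.split(",", 1)[0].strip().strip('"')
                if TEMP_RE.search(dll):
                    reasons.append("rundll32 loads a DLL from a temp folder at logon")
            else:
                exe = first_program(cmd)
                folder, _, name = exe.rpartition("\\")
                if WINDOWS_ROOT.match(folder):
                    reasons.append("autorun executable sits in the Windows root folder")
                if name.lower() in SYSTEM_NAMES and not SYSTEM32.match(folder):
                    reasons.append(f"{name} mimics a system binary name outside System32")
    elif section == "O18":
        m = re.match(r"Filter: (?P<mime>\S+) - ", detail)
        if m and m.group("mime").lower() in ("text/html", "text/plain"):
            reasons.append(f"MIME filter on {m.group('mime')} sees every page of that type")
    return reasons


def triage(log_text: str) -> list:
    """Parse a HijackThis-style log and return one Finding per entry that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reasons = assess(m.group("section"), m.group("detail"))
        if reasons:
            findings.append(Finding(m.group("section"), line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample it flags six entries and leaves the Intel tray, TrojanHunter guard and Acrobat helper alone. The point of the exercise is prioritisation for a human reader, not automated removal: each hit still needs checking against the machine, and a clean pass from this script says nothing about entries outside the handful of sections it understands.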

  pj123 10:52 04 Apr 2005

Not meaning to offend you but please read this thread: click here

  pj123 10:54 04 Apr 2005

As you addressed it to one particular member others on the Forum may feel they are not invited to respond.

  erkmatrix 11:29 04 Apr 2005

Sorry, I didn't know about that forum rule; I should have asked anyone. It's just that Nellie2 was sort of running me through it on that last thread I posted about this matter.

Should I post this again, retitled?

  gudgulf 11:52 04 Apr 2005

Until Nellie2 sees this I would follow her previous instructions again. Run the Microsoft beta antispyware tool as well. I would also download and run CleanUp (click here), which will really clear out all temporary files where malware can lurk unseen.

I wonder if IE has been used at all, as Nellie2 did mention that reinfection might occur if it was. You can't use Firefox for Windows updates, for example.

It might be worth ticking this and reposting with a similar title to your original thread, but I would be inclined to wait and see if she picks up on this one for a little while yet.

  pj123 13:54 04 Apr 2005

On this occasion (unless the FE deletes it) I would be inclined to let it run as gudgulf suggests. If it does get deleted then by all means repost it.

  ChrisRLG 14:33 04 Apr 2005

To get nellie2's attention for any HijackThis log you would be better posting at this forum, where she is teaching this (along with myself).

click here
(Malware Removal Forum)

The forum software here is such that I do not even try to read a log posted here, they are so garbled.

Post at that forum and nellie2, myself or one of our trainees or other experts will assist you.

  erkmatrix 15:23 04 Apr 2005

Thanks Chris

I'll go and post there.

  GroupFC 16:10 04 Apr 2005

^
