Solved: Startpage.re Trojan and PC Cillin 2005

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

RSmith4026

Thread Starter
Joined
Jul 15, 2005
Messages
10
Whilst installing PC Cillin Internet Security 2005 on my computer I was (and still am) infected by Troj STARTPAGE.RE. My desktop has been replaced with a warning concerning viruses and a link to an antivirus product – AntiVirus Gold.

I undertook a scan utilising PC Cillin and a further scan after disabling System Restore. After each event PC Cillin Real-time Scan intercepted a recurrence of this Trojan and a couple of others, which PC Cillin dealt with (PC Cillin logs available).

I restarted in safe mode and upon clicking PC Cillin received the following message:

No network device was found, or there is a conflict with existing antivirus or security software. [I use Webroot Spy Sweeper.] Only the virus scan, spyware and security check functions will be available. Further text suggests uninstalling conflicting software.

When I click ok to this message I receive the following message;

Read configuration Restart your computer and start again. (hr=0x8007043c,loc=7413,num=234)

When I click OK to this I am taken to the main PC Cillin screen which has the statement Services are potentially unsafe!

(a) Should I be able to use PC Cillin Internet Security 2005 in safe mode?

(b) I don’t want to uninstall Webroot Spysweeper – it seems to be holding at bay about twenty unknown .exe files and various hijack attempts on Internet Explorer.

I have attached a log from HijackThis – if anyone can help restore sanity to my machine I'd be grateful for the help!
 


cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi, welcome to TSG!


* Click here to download smitRem.zip.
  • Save the file to your desktop.
  • Unzip smitRem.zip to extract the four files it contains.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


* Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update; click the OK button and it will go to the main screen.
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:

Click Start - Run - and type in:

services.msc

Click OK.

In the services window find: Workstation NetLogon Service

Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"


R3 - Default URLSearchHook is missing
O2 - BHO: Class - {058C410D-7FA2-8B13-FF31-393FF18E6171} - C:\WINDOWS\system32\crog.dll
O4 - HKLM\..\RunOnce: [msnn32.exe] C:\WINDOWS\msnn32.exe
O4 - HKLM\..\RunOnce: [atlku.exe] C:\WINDOWS\system32\atlku.exe
O4 - HKLM\..\RunOnce: [sysnd32.exe] C:\WINDOWS\system32\sysnd32.exe
O4 - HKLM\..\RunOnce: [ntfi.exe] C:\WINDOWS\ntfi.exe
O4 - HKLM\..\RunOnce: [addft.exe] C:\WINDOWS\addft.exe
O4 - HKLM\..\RunOnce: [d3an.exe] C:\WINDOWS\system32\d3an.exe
O4 - HKLM\..\RunOnce: [javamd.exe] C:\WINDOWS\javamd.exe
O4 - HKLM\..\RunOnce: [atldp32.exe] C:\WINDOWS\system32\atldp32.exe
O4 - HKLM\..\RunOnce: [iecd32.exe] C:\WINDOWS\iecd32.exe
O4 - HKLM\..\RunOnce: [addkw.exe] C:\WINDOWS\system32\addkw.exe
O4 - HKLM\..\RunOnce: [sdkzz.exe] C:\WINDOWS\system32\sdkzz.exe
O4 - HKLM\..\RunOnce: [d3nz.exe] C:\WINDOWS\system32\d3nz.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkpd32.exe (file missing)


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:
  • Click on scanner
  • Click the Start Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HijackThis log along with the results from ActiveScan and the Ewido scan.
 
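An added example from the editor, not code from the thread, from HijackThis or from Trend Micro: the script below parses the R3/O2/O4/O23 lines quoted in the post above in the format HijackThis prints them, applies the editor's own heuristics for the pattern they show (HKLM RunOnce entries re-launching bare executables straight out of the Windows directory, an unnamed BHO in system32, a service whose binary is missing and whose display name imitates the built-in Netlogon and Workstation services), and records for each entry the registry location that "Fix checked" edits, so the result can be checked in regedit afterwards. The sample log is constructed: all lines but the last are copied from the post; the KernelFaultCheck line is written from the description in the thread's final post and is included because a naive "fix everything in Run" pass would wrongly remove it.

```python
"""Triage of the HijackThis entries quoted in the post above (editor's example).

Parses R3/O2/O4/O23 lines as HijackThis prints them, applies the editor's own
heuristics for the SmitFraud-style pattern in this thread, and notes the
registry location that "Fix checked" edits for each entry.
"""
import re
from dataclasses import dataclass

# Constructed sample: all lines but the last are copied from the post; the
# KernelFaultCheck line is written from the description in the thread's final post.
SAMPLE_LOG = r"""R3 - Default URLSearchHook is missing
O2 - BHO: Class - {058C410D-7FA2-8B13-FF31-393FF18E6171} - C:\WINDOWS\system32\crog.dll
O4 - HKLM\..\RunOnce: [msnn32.exe] C:\WINDOWS\msnn32.exe
O4 - HKLM\..\RunOnce: [atlku.exe] C:\WINDOWS\system32\atlku.exe
O4 - HKLM\..\RunOnce: [ntfi.exe] C:\WINDOWS\ntfi.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkpd32.exe (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): "
                r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<name>.*?)\) - (?P<owner>.*?) - "
                 r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
R3_MISSING = "R3 - Default URLSearchHook is missing"
WINDIR = re.compile(r"^(%systemroot%|c:\\windows)\\", re.I)
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# Editor's assumption: XP sets this entry after a bugcheck so dumprep can report
# the crash; it is a Windows component, not something to "fix".
KNOWN_BENIGN_RUN = {("KernelFaultCheck", "dumprep")}


@dataclass
class Finding:
    line: str
    verdict: str    # "fix", "keep" or "review"
    reason: str
    registry: str   # what "Fix checked" edits; verify it in regedit afterwards


def program(cmd):
    """First token of a Run/RunOnce command line, quoted or bare."""
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]


def triage_line(line):
    line = line.strip()
    if line == R3_MISSING:
        return Finding(line, "fix", "hijacker removed the default search hook; fix restores it",
                       r"HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks")
    m = O4.match(line)
    if m:
        hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
        exe = program(cmd)
        file = exe.rsplit("\\", 1)[-1].lower()
        stem = file[:-4] if file.endswith(".exe") else file
        reg = f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\{key}, value '{name}'"
        if (name, stem) in KNOWN_BENIGN_RUN:
            return Finding(line, "keep", "known Windows component", reg)
        if hive == "HKLM" and key == "RunOnce" and WINDIR.match(exe):
            reason = "HKLM RunOnce re-launching a bare executable inside the Windows directory"
            if name.lower() == file:
                reason += "; value name equals the file name"
            return Finding(line, "fix", reason, reg)
        return Finding(line, "review", "autostart; check the file's publisher", reg)
    m = O2.match(line)
    if m:
        name, clsid, path = m.group("name", "clsid", "path")
        reg = f"{BHO_KEY}\\{clsid} and HKCR\\CLSID\\{clsid}"
        if name.strip() in ("", "Class", "(no name)") and WINDIR.match(path):
            return Finding(line, "fix", "unnamed BHO loaded from the Windows directory", reg)
        return Finding(line, "review", "named BHO; check the file's publisher", reg)
    m = O23.match(line)
    if m:
        display, name, owner, missing = m.group("display", "name", "owner", "missing")
        name = name.strip()
        reasons = []
        if missing:
            reasons.append("service binary is missing on disk")
        if owner == "Unknown owner":
            reasons.append("no publisher")
        if any(not 32 <= ord(c) < 127 for c in name):
            reasons.append("unprintable service name")
        if any(w in display.lower() for w in ("netlogon", "workstation")):
            reasons.append("display name imitates a built-in service")
        reg = r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\" + name
        if reasons:
            return Finding(line, "fix", "; ".join(reasons) + " (stop the service first)", reg)
        return Finding(line, "review", "service; check the file's publisher", reg)
    return None  # other HijackThis sections are not handled by this example


def triage_log(text):
    return [f for f in map(triage_line, text.splitlines()) if f]


def fix_list(findings):
    """Lines to tick in HijackThis before clicking "Fix checked"."""
    return [f.line for f in findings if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.line}\n       {f.reason}\n       -> {f.registry}")
```

"Fix checked" only edits the registry (the RunOnce values, the BHO registration, the service entry); it does not delete the files on disk, which is why the post follows up with smitRem, Ewido and the online scan, and why the service is stopped before its entry is fixed.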

RSmith4026

Thread Starter
Joined
Jul 15, 2005
Messages
10
Dear Cybertech
many thanks for the swift response and help!

Please find attached the following:

Hijackthis log file:

ActiveScan log file:

Ewido scan

The first two lines marked O23 in the HijackThis log file seem to be different from the rest. Similarly C:\WINDOWS\system32\Ati2evxx.exe. Any advice?

Many thanks

Bob Smith
 


cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Click here to download KillBox.
Save it to your desktop.



* Restart your computer into safe mode now. Perform the following steps in safe mode:


Reconfigure Windows XP to show hidden files:
Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.




Click Start - Run - and type in:

services.msc

Click OK.

In the services window find: Workstation NetLogon Service

Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


Run HJT again and put a check in the following:

O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkpd32.exe (file missing)

Close all applications and browser windows before you click "fix checked".


Run Killbox
Select the Delete on Reboot option.
In the Full Path of File to Delete field paste the following:
C:\WINDOWS\system32\sdkpd32.exe

Click the red circle with the white X in it, when it asks you to delete the file on reboot click Yes, when it asks you to reboot click Yes.
 
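An added example from the editor, not KillBox's own code: the module below shows the Windows mechanism a "Delete on Reboot" request uses (assumed here to be what KillBox relies on), encodes and decodes the PendingFileRenameOperations value so the queued deletion can be checked before rebooting, and calls the real API only on Windows. The path in the demo is the one from the post; the registry key, value name and flag are documented Windows constants.

```python
r"""What "Delete on Reboot" relies on, and how to check it before rebooting.

Editor's example. A delayed deletion is MoveFileEx(src, NULL,
MOVEFILE_DELAY_UNTIL_REBOOT). Windows records it in the REG_MULTI_SZ value
PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager as string pairs: the source in NT form ("\??\C:\...") followed by the
destination, where an empty destination means delete. Session Manager applies
the list at the next boot before any service starts, so a file that is in use
or protected now can still be removed.
"""
import ctypes
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE = "PendingFileRenameOperations"


def nt_path(path):
    r"""C:\dir\file -> \??\C:\dir\file, the form Session Manager expects."""
    return path if path.startswith("\\??\\") else "\\??\\" + path


def pending_ops(deletes=(), renames=()):
    """Value contents: (src, "") deletes src; (src, "!dst") replaces dst with src."""
    ops = []
    for src in deletes:
        ops += [nt_path(src), ""]
    for src, dst in renames:
        ops += [nt_path(src), "!" + nt_path(dst)]
    return ops


def encode_multi_sz(strings):
    """REG_MULTI_SZ bytes: every string UTF-16LE plus NUL, then one more NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; keeps the empty strings that mark deletions."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ data must end with a NUL terminator")
    parts = text[:-1].split("\x00")  # each string is NUL-terminated, so the
    return parts[:-1]                # last split element is always empty


def pending_deletions(data):
    """Paths a raw PendingFileRenameOperations value will delete at next boot."""
    ops = decode_multi_sz(data)
    out = []
    for src, dst in zip(ops[0::2], ops[1::2]):
        if dst == "":
            out.append(src[4:] if src.startswith("\\??\\") else src)
    return out


def queue_delete_on_reboot(path):
    """Ask Windows to delete `path` at the next boot (needs administrator rights)."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()


if __name__ == "__main__":
    ops = pending_ops(deletes=[r"C:\WINDOWS\system32\sdkpd32.exe"])
    print(f'reg query "{KEY}" /v {VALUE}  should list:')
    for s in ops:
        print("   ", repr(s))
    print("raw:", encode_multi_sz(ops).hex())
```

Before clicking Yes to the reboot, `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` should show the \??\ path followed by a blank line; if the value is absent, the deletion was not queued and rebooting will change nothing.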

RSmith4026

Thread Starter
Joined
Jul 15, 2005
Messages
10
:)

Dear Cybertech

many thanks for coming back so soon.

Please find attached HijackThis log and log from Ewido.

I have run an ActiveScan from Panda Software which has come up with no virus or malware. It certainly looks like things are back under control - unless you can spot anything that's still amiss.

Many thanks

Bob Smith
 


RSmith4026

Thread Starter
Joined
Jul 15, 2005
Messages
10
Dear Cybertech

One last niggle. Webroot Spy Sweeper is showing the following warning of a programme starting up on Windows startup. It says:

KernelFaultCheck

Provider name not provided: name not provided: Copyright info is not provided.

Location: %systemroot%\system32\dumprep0-K

Registry or startup: HKLM\Run

Sorry for the paranoia - but before I create a restore point should I be worried about this or is it something that will vanish when I create a restore point ?

many thanks for all of your help

Bob Smith
 