1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Startium/SpyWare

Discussion in 'Virus & Other Malware Removal' started by riker, Apr 27, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. riker

    riker Thread Starter

    Joined:
    Apr 27, 2004
    Messages:
    11
    Hi Gang!

    Here's yet another Startium problem for all of those that are far smarter than me. My machine has recently become home to all sorts of interesting adware/spyware - you name it. I've installed "Spyware Blaster", "Spybot" and "Spyware Guard" - and they have helped clean things up a bit. But the Startium searchbar that appears truncated on the left side of my ie window appears immune so far to all efforts to remove it. Following the lead of previous threads that I've been studying, I've installed & run HiJackThis and am attaching the log. Any advice or assistance on which items should be removed would be greatly appreciated! I'm running XP, IE-6 - if that helps.

    I also plan on going into the computer registry & trying to eliminate the various "Downloader.Trojan" files that my latest Norton virus scan detected. I've got directions on how to do this from Norton, but any advice from the members here would be very welcomed of course.

    Thanks in advance for any help!
    -Riker
     

    Attached Files:

  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Welcome to TSG riker !!

    The log....

    file of HijackThis v1.97.7
    Scan saved at 3:44:45 PM, on 4/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\atiptaxx.exe
    C:\WINDOWS\GWMDMMSG.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\documents and settings\sara\local settings\temp\5MGF.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\rundll16.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common files\updmgr\updmgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\America Online 7.0\aoltray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Documents and Settings\Rod\Application Data\DownloadPlus.exe
    C:\WINDOWS\System32\StsJCISp.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\EpaGV5.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\ntfsu.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Rod\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=tut
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://opti.riviera.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://opti.riviera.cc (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://opti.riviera.cc (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=tut
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://opti.riviera.cc (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://opti.riviera.cc (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://opti.riviera.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {f760cb9e-c60f-4a89-890e-fae8b849493e} - C:\WINDOWS\madise.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: IE Search Bar - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINDOWS\System32\Hcj2s6.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [5MGF] C:\documents and settings\sara\local settings\temp\5MGF.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
    O4 - HKLM\..\Run: [sys] regedit -s sysdll.reg
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [ntfsu] C:\WINDOWS\System32\ntfsu.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [Windows Internet Protocol] C:\WINDOWS\system32\winproc32.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Rod\Application Data\DownloadPlus.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: CTCBridge UTS - https://gw-r5.airline.compuserve.com/http://as-r5.airline.compuserve.com:8080/juts/classi/jutsi.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://E:\Installers\AuthorwareWebPlayer\awswax.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38092.2726273148
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D18B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/remove/ist_remove.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} (IRDIXAObj Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A9CE9E77-14E4-4543-ADE1-6AE0189BA899}: NameServer = 151.203.0.84 151.202.0.84
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    First run this uninstaller to get rid of the peper trojan:

    Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.

    Reboot:

    Click on the link below to download CWshredder.
    http://www.spywareinfo.com/~merijn/files/cwshredder.zip

    Run the program and let it do it's thing. Make sure to click on "Fix" and not scan only.

    Next:

    Download Spybot http://www.sherrylynn.us/privacypolicy.htm

    Make sure to follow the instructions for updates prior to running the scan.

    Click on "Search For updates" After the search has completed, the available Updates will be listed. Choose which Updates you would like to Download. Click "Download updates." The Updates will self install. The screen will change and the program will come back and be ready to use.

    Sometimes the default Download Location will produce an Error. If that happens, look in the right panel. There you will find a small arrow next to the name of the current Download site. Click on it for a list of alternate sites. One of those should be able to retrieve the files you have selected.

    Scan, click on fix problems then reboot.

    Next:

    Download AdAware http://www.lavasoftusa.com/support/download/

    Before you scan with AdAware, check for updates of the reference file by clicking

    on "Check for updates now", connect.


    Click on Start, Use custom scanning options, Customize.

    Make sure the following settings are made and on -------"ON=GREEN"

    "Scan within archives"
    "Scan active processes"
    "Scan registry"
    "Deep scan registry"
    "Scan my IE Favorites for banned URL"
    "Scan my host-file"

    Click on Tweak,
    Select scanning engine and click on "Unload recognized processes during scanning"
    Select cleaning engine and click on "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

    Then click "proceed" to save your settings.

    Click on Next

    Run the scan and fix everything.

    Post another HJT log for review.
     
  4. riker

    riker Thread Starter

    Joined:
    Apr 27, 2004
    Messages:
    11
    Thanks Cybertech,

    I've followed your directions detailed previously, and here are the results so far: Downloaded & ran the "uninstaller"; ran Spybot & CWshredder(which I had previously installed & ran) - fixing whatever problems found. Installed & ran AdAware(which I had not previously used) - customizing as directed.

    Upon completing the scan & fix, AdAware indicated that several objects could not be removed:

    C:\program files\iesearchbar\iesearchbar.dll
    C:\program files\incredifind\bho\incfindbho.dll
    C:\windows\system32\bridge.dll
    C:\windows\system32\msiefr40.dll
    C:\windows\system32\stlbdist.dll
    C:\windows\madise.dll
    C:\docume~1\rod\locals~1\temp\incredifindbholog.tmp

    I should mention that while AdAware was deleting the various objects that it could remove, my "SpywareGuard" program alerted repeatedly an "attempt to change IE homepage" from my default setting - a total of 5 times. IE also opened automatically to a "Blazefind" page(had not seen that before...). This scenario was repeated each time I scanned & fixed w/ AdAware - both with a live connection & no connection respectively; my browser was not open in either instance.

    The good news - if there is any(?), is that "Startium" seems to have vanished - or at least gone into hiding! And the # of pop-up windows has been noticeably reduced. Also, I do have firewalls enabled(dsl). Should I provide another HJT log at this time?...

    Thanks again for your thoughts...

    -Riker
     
  5. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Re-start your computer and post another log.
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Did it tell you it would remove them on reboot? If so did you do that?
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Startium SpyWare
  1. rjay13
    Replies:
    0
    Views:
    231
  2. dano_61
    Replies:
    14
    Views:
    805
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/224388

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice