
Startpage.JY

Discussion in 'Virus & Other Malware Removal' started by kdd9, Jun 20, 2005.

Thread Status:
Not open for further replies.
  1. kdd9 (Thread Starter; joined Mar 24, 2005; 516 messages)
    I did a Panda Active Scan online yesterday and it said that I may be infected with Startpage.JY. (It found nothing else.) On the scan results, it said "No disinfected," which I took to mean that it wasn't able to fix it, though I had the disinfect (or whatever it's called) option checked before the scan. Panda then referred me to some data on Startpage.JY from their virus encyclopedia. The following is copied from one of those pages:

    How to remove Startpage.JY?

    If Panda Antivirus or Panda ActiveScan detects StartPage.JY during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.

    Finally, restore the original configuration of your computer by following the instructions below:

    Delete the entries that StartPage.JY has created in the Windows Registry:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    dllhelp = %windir%\dllhelp.exe
    where %windir% is the Windows directory.

    HKEY_LOCAL_MACHINE\Software\Software\TMKSoft\XPlugin

    Restart the computer.
    In order to make sure that StartPage.JY is completely eliminated from your computer, carry out a full scan of your computer using Panda Antivirus or Panda ActiveScan


    Note that it begins by saying that it will automatically offer me the option of deleting it. I never saw an offer to delete it. I also did not see either of those entries in my registry.
    I ran the same scan again today and it came up perfectly clean, though I had not fixed anything.

    Let me stop here and give a link to these pages that I'm talking about.
    http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=51503

    Under the "Tech details" tab, it lists a bunch of entries that this trojan is known to create. I haven't checked for all of them, but I did find only this one in the registry:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
    provider = gogl

    I am wondering if I should delete this, change it to something else, or just leave it alone. My computer shows no signs of being hijacked, though I have noticed a few other little quirks lately (desktop icons rearranged when I boot up, folder view settings mysteriously changed, etc.).

    I do have my IE address bar customized to use Google as the search engine and that still seems to work fine.

    I am running Windows 98SE.

    I will close out this browser now and run a HijackThis scan and post the results in a moment.

    Thanks.


    kdd9
     
  2. kdd9 (Thread Starter; joined Mar 24, 2005; 516 messages)
    Here is the log:



    Logfile of HijackThis v1.99.1
    Scan saved at 11:48:30 PM, on 6/20/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\STARTER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Grandma Joan
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: spywareblaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O15 - Trusted Zone: http://*.windowsupdate.com
    O15 - Trusted Zone: http://www.techguy.org
    O15 - Trusted Zone: http://www.techsupportguy.com
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {5E8FD788-C323-4357-AB76-7CBCEFBA573C} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader.ocx
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab



    BTW, Grandma Joan is my mother. I am responsible for that hack.

    kdd9
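The Panda text quoted in the first post names three registry indicators (the dllhelp Run value, the TMKSoft\XPlugin key, and SearchUrl provider = gogl), and the second post gives a HijackThis log. The script below is an added example, not code from the thread or from Panda or HijackThis: it checks both a HijackThis log and a `regedit /e` text export for those indicators. It assumes the doubled "Software\Software" in the quoted XPlugin path is a typo in that listing and checks HKLM\Software\TMKSoft\XPlugin instead; all sample inputs are constructed, except the two log lines copied from the post above.

```python
"""Check a HijackThis log and a regedit export for the StartPage.JY indicators
quoted from Panda's encyclopedia above. Sample inputs below are constructed."""
import re

# Registry locations named in the quoted Panda text. The XPlugin path is taken
# as HKLM\Software\TMKSoft\XPlugin (assumption: the quoted "Software\Software"
# is a typo). Windows registry paths and value names are case-insensitive.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
XPLUGIN_KEY = r"HKEY_LOCAL_MACHINE\Software\TMKSoft\XPlugin"
SEARCHURL_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl"


def parse_reg_export(text):
    """Parse a 'regedit /e' export (REGEDIT4 or Registry Editor 5.00 text) into
    {key_path: {value_name: data}}. String values are unescaped; other value
    types are kept as their raw text, which is enough for these checks."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip().strip('"')          # '@' is the key's default value
        data = data.strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def check_registry(keys):
    """Return the StartPage.JY indicators present in a parsed export."""
    found = []
    by_lower = {k.lower(): v for k, v in keys.items()}
    for name, data in by_lower.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "dllhelp" or "dllhelp.exe" in data.lower():
            found.append(f"Run value {name} = {data}")
    if XPLUGIN_KEY.lower() in by_lower:
        found.append(f"key present: {XPLUGIN_KEY}")
    provider = by_lower.get(SEARCHURL_KEY.lower(), {}).get("provider", "")
    if provider.lower() == "gogl":
        found.append("SearchUrl provider = gogl")
    return found


HJT_LINE = re.compile(r"^(?P<tag>[RO]\d+) - (?P<body>.*)$")


def check_hijackthis(log_text):
    """Return HijackThis lines that match the indicators a log can show: an O4
    (Run) entry loading dllhelp.exe, or an R0/R1 SearchUrl entry set to gogl.
    The XPlugin key is not a startup location and never appears in a HijackThis
    log, so only the registry export check can rule it out."""
    hits = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        tag, body = m.group("tag"), m.group("body").lower()
        if tag == "O4" and "dllhelp" in body:
            hits.append(line.strip())
        elif tag in ("R0", "R1") and "searchurl" in body and "gogl" in body:
            hits.append(line.strip())
    return hits


# Constructed export of an infected machine: all three indicators present.
INFECTED_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dllhelp"="C:\\WINDOWS\\dllhelp.exe"
"WinPatrol"="\"C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe\""

[HKEY_LOCAL_MACHINE\Software\TMKSoft\XPlugin]
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"provider"="gogl"
'''

# Constructed export with the same keys but none of the indicators.
CLEAN_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="\"C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"provider"="google"
'''

# Two genuine lines from the log posted above plus one constructed O4 line
# showing how the Run value Panda describes would appear in HijackThis.
SAMPLE_HJT = r'''O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [dllhelp] C:\WINDOWS\dllhelp.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, check_registry(parse_reg_export(export)))
    print("hijackthis", check_hijackthis(SAMPLE_HJT))
```

On the Windows 98 machine itself the export would come from `regedit /e hkcu.reg HKEY_CURRENT_USER` and `regedit /e hklm.reg HKEY_LOCAL_MACHINE`, then the files are fed to parse_reg_export. The log check alone is not sufficient, because HijackThis lists startup locations and IE settings but not arbitrary keys such as TMKSoft\XPlugin; the export check covers all three indicators, and the posted log (which contains no dllhelp Run entry and no SearchUrl line) is consistent with the poster's second, clean Panda scan.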
     
  3. kdd9 (Thread Starter; joined Mar 24, 2005; 516 messages)
    Bump.
     
Short URL to this thread: https://techguy.org/373658