trojan horse startpage.16.m



drcspy
11-03-2005, 09:07 PM
This thing has been giving me a major migraine... I've tried EVERYTHING I can think of... does anyone have a DEFINITIVE method of getting rid of this thing??? OS is WinME.

Myth
11-03-2005, 09:08 PM
What have you tried so far?

Speedy Gonzales
11-03-2005, 09:18 PM
Get HijackThis, make a folder C:/HJT and unzip the HijackThis file into it, then run it and do a scan.

And post the log here.

So, we can see what the prob is.

Metla
11-03-2005, 09:21 PM
Format it, then charge 'em double.

Safari
11-03-2005, 09:24 PM
> Format it, then charge 'em double.

Preferably with OS X.

Have you done a scan in safe mode?
Tried CWShredder?

drcspy
12-03-2005, 06:56 AM
WHAT have I done so far?... slaved it, run a scan with Norton... no virus (lol), same with AVG, picked up a couple... run CWS... run HijackThis and removed almost everything in the list (lol)... run Ad-Aware... run CCleaner... run Stinger... run VCleaner... run Trojan Remover... no virus... (grrrr)... run Process Explorer and identified that it's rundll32.exe that's causing the probs... gone thru the reg as per Norton instructions and found bugger all... and done several other things I can't even remember... I kinda like Metla's suggestion but it's gonna be a real pain in the ass to do that cause it's a business PC and I've no idea whether they've got the CDs for their original apps etc... probably don't... then it'd need to be reset up on their network etc etc... real annoying... run a few other things... can't remember now, done a LOT and still it comes back... oh yep, run about:buster... installed SpywareBlaster and tried to lock the system down... run Rapid Blaster Killer... installed Spybot 1.4 with TeaTimer reg protection... GRRRRRRRRRRRRRR

FoxyMX
12-03-2005, 10:07 AM
You have done all that, they say you have no virus and you still have the trojan? How do you know that?

beama
12-03-2005, 10:07 AM
One thing missing from the "done" list: did you disable System Restore before doing any of the done list?

Metla
12-03-2005, 10:52 AM
A business PC?

My mistake, format it, sell them a new OS, charge 'em triple.


Sometimes you just have to cut your/their losses and take a different approach. Time is money after all, and it sounds like you have spent a few hours doing work you will have problems charging for, as the machine isn't fixed.


I take the same approach; everything is fixable and a format is the very last resort... but deciding when to take the last resort is all down to timing.

That said, I don't think I have come across any malicious code I wasn't able to remove. Maybe you should send it my way; I'll fix it, charge 'em quadruple.


Muhahahaha.

Just yankin ya leg.

Myth
12-03-2005, 11:25 AM
> did you disable system restore before doing any of the done list

You should turn off sys restore...
(for XP it's... Control Panel > System > System Restore tab) and then (I think ME can do the following, I know XP can) clean out your restore files...
Go to My Computer > right-click and go to Properties > click on Disk Cleanup > let that do its thing, then there might be a tab with More Options. Click on System Restore Cleanup.
Then run all your virus scans, reboot, then turn sys restore back on.

drcspy
12-03-2005, 06:42 PM
LOL YEP I love that view Metla... and yes I agree... deciding when to cut the losses is the key... anyway I'm running some other prog now... damn, I've forgotten what it is... probably the couple of bourbons I've had hehehe... so we'll see what happens... ah, as for 'disable system restore'... those who suggest it... WHY?...

FoxyMX
12-03-2005, 06:51 PM
> ah, as for 'disable system restore'... those who suggest it... WHY?...

FAQ #19 - How do I get rid of a virus in the Restore Directory? (http://pressf1.pcworld.co.nz/faq.php?faq=pressf1_faqs_security#faq_pressf1_faq_19): Read the explanation.

drcspy
12-03-2005, 07:26 PM
And who said the virus was in the restore directory?... in other words... unless you KNOW it's in there, WHY disable system restore and wipe it?... of course it likely is in there (not now, cause I have wiped the restore files), but the other VERY VALID point is... what damage can a virus do when it's just sitting in the restore directory unless the user chooses to restore that particular date?... again... there's NO point in just deleting your restore files as many tend to suggest just because there MAY be a virus in there, and even if there is it won't remove the ACTIVE virus on the system... so... why do a couple of the previous posters seem to suggest that deleting the restore folders may help the situation with the ACTIVE virus?... this often annoys me... folks give out suggestions without any real knowledge of the reasons/consequences...

lazydog
12-03-2005, 07:43 PM
I just got rid of one of those trojans today.
It was "trojan horse startpage.17.u" (without the quotes).
I got rid of it like this:

Scan with Ad-Aware, Spybot...
Scan with AVG so you can find out where the trojan is hiding.
Write down the trojan's name and address.
Turn off System Restore.
Restart in "Safe Mode".
Open Windows Explorer.
Find trojan and delete.
Empty rubbish bin.
Scan with AVG.
Turn on System Restore
and that was it....
It's probably an arse about face way of doing it but seems to have worked for me.
Give it a try, lazydog

Metla
12-03-2005, 07:49 PM
> And who said the virus was in the restore directory?... in other words... unless you KNOW it's in there, WHY disable system restore and wipe it?... of course it likely is in there (not now, cause I have wiped the restore files), but the other VERY VALID point is... what damage can a virus do when it's just sitting in the restore directory unless the user chooses to restore that particular date?... again... there's NO point in just deleting your restore files as many tend to suggest just because there MAY be a virus in there, and even if there is it won't remove the ACTIVE virus on the system... so... why do a couple of the previous posters seem to suggest that deleting the restore folders may help the situation with the ACTIVE virus?... this often annoys me... folks give out suggestions without any real knowledge of the reasons/consequences...

Because any infection on the machine IS going to be in there, rendering any cleanup a complete waste of time. Flushing the system restore is a 100 percent necessary step.

Plus it halves the scan time, removing the need to go through quite a few gig of bloat.

drcspy
12-03-2005, 09:23 PM
Thanks lazydog, however I've done all that and still it keeps reappearing...

ninja
12-03-2005, 11:55 PM
> WHAT have I done so far?... slaved it, run a scan with Norton... no virus (lol), same with AVG, picked up a couple... run CWS... run HijackThis and removed almost everything in the list (lol)... run Ad-Aware... run CCleaner... run Stinger... run VCleaner... run Trojan Remover... no virus... (grrrr)... run Process Explorer and identified that it's rundll32.exe that's causing the probs... gone thru the reg as per Norton instructions and found bugger all... and done several other things I can't even remember... I kinda like Metla's suggestion but it's gonna be a real pain in the ass to do that cause it's a business PC and I've no idea whether they've got the CDs for their original apps etc... probably don't... then it'd need to be reset up on their network etc etc... real annoying... run a few other things... can't remember now, done a LOT and still it comes back... oh yep, run about:buster... installed SpywareBlaster and tried to lock the system down... run Rapid Blaster Killer... installed Spybot 1.4 with TeaTimer reg protection... GRRRRRRRRRRRRRR

Gah! Do you have any idea how hard that is to read? Please, for the love of God, paragraph - it'd be quicker to hit enter than .............. and make it a crapload easier to read.

A lot of docs point to CWShredder being able to get rid of it. Have you made sure you've updated CWShredder?
http://www.intermute.com/products/cwshredder.html

Apparently AVG can get rid of it if run in safe mode. I'd also try a Trend housecall.

Tried MSConfig and unticking rogue items? Also go through Add/Remove Programs and remove crap like nCase, MyWebSearch, 180 Search etc etc.

Definitely disable system restore.

This:
http://computing.net/windowsme/wwwboard/forum/45241.html
suggests removing se.dll in safe mode (along with other stuff).

An HJT log wouldn't go astray.

Make sure it has FireFox on it before they get it back.

Harry
13-03-2005, 12:01 AM
A quick check of hits on the web shows this to be quite a hard issue to resolve. I found an interesting post that seems to deal with WinMe as well as XP.
http://computing.net/windowsme/wwwboard/forum/45241.html
Good luck.

ninja
13-03-2005, 12:01 AM
> why do a couple of the previous posters seem to suggest that deleting the restore folders may help the situation with the ACTIVE virus?... this often annoys me... folks give out suggestions without any real knowledge of the reasons/consequences...

Because the files can be executed from in there by other processes, called by startup entries, and often are what cause reinfections every reboot.

People wouldn't tell you to do it if it wasn't relevant and helpful. At any rate what is there to lose by clearing the system restore? Nothing of any real value.

Almost every Norton walkthru I've ever read suggests turning off system restore before doing anything.

The first few links here cover it:
http://www.google.co.nz/search?q=system+restore+virus&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox-a&rls=org.mozilla:en-US:official
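One way to act on lazydog's "write down the trojan's name and address" step and on the System Restore argument above, as an added example that is not from this thread or any of its posters: a small Python triage that splits a scanner report into live files (the ones to delete from Safe Mode) and restore-archive copies (the ones a System Restore flush removes), and flags a report where the scanner saw only archive copies. The scanner log format, the sample lines and the restore-folder paths are constructed assumptions for illustration.

```python
# Added example; not code from the thread. Log format and restore roots are assumed.

# Constructed scanner output: "path;detection name;result" per line.
SCAN_LOG = """\
C:\\WINDOWS\\SYSTEM\\se.dll;Trojan horse StartPage.16.M;infected
C:\\_RESTORE\\TEMP\\A0001234.CPY;Trojan horse StartPage.16.M;infected
C:\\_RESTORE\\ARCHIVE\\FS1234.CAB;Trojan horse StartPage.16.M;infected
C:\\WINDOWS\\NOTEPAD.EXE;;clean
"""

# Assumed System Restore roots: Windows ME keeps restore points under
# C:\_RESTORE; Windows XP under System Volume Information\_restore{...}.
RESTORE_ROOTS = ("c:\\_restore\\", "c:\\system volume information\\_restore")


def parse_scan_log(text):
    """Return (path, detection_name) for every line flagged as infected."""
    hits = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) == 3 and parts[2].lower() == "infected":
            hits.append((parts[0], parts[1]))
    return hits


def in_restore_archive(path):
    """True if the path is a System Restore copy rather than a live file."""
    p = path.lower()
    return any(p.startswith(root) for root in RESTORE_ROOTS)


def triage(text):
    """Split detections into 'live' (delete from Safe Mode) and 'restore'
    (gone once System Restore is flushed). 'restore_only' is set when the
    scanner reported only archive copies: if the hijack still returns after
    a reboot, the active component was not detected and still needs finding."""
    result = {"live": [], "restore": []}
    for path, name in parse_scan_log(text):
        bucket = "restore" if in_restore_archive(path) else "live"
        result[bucket].append((path, name))
    result["restore_only"] = bool(result["restore"]) and not result["live"]
    return result


if __name__ == "__main__":
    for bucket, items in triage(SCAN_LOG).items():
        print(bucket, items)
```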

drcspy
13-03-2005, 10:15 AM
OK, think I've got the B*stard... mainly due to a program called Gpo@moveonboot; set it to remove any suspicious files before they get active. Also used a prog called 'restrictapp' which stops undesirable apps from running... grrrr...

drcspy
13-03-2005, 10:23 AM
http://www.gibinsoft.net/gipoutils/

That's actually GiPo@MoveOnBoot... pick it up from the above site... very useful...