
trojan or virus or spyware? log here

for some reason this website pops up in my browser sometimes out of nowhere

http://th.msie.cc/index.php?aid=20038

it must be part of a hijacker....does anyone know this one? I can find no mention of it in the virus/adware searches

I have been working very hard to clean this machine, thought I was getting there and this showed up

AVG Resident shield

Virus
Trojan Horse Startpage.4.AO

is found in file
C:\WINDOWS\system32\ebiia.dll

to remove this virus, please run AVG for windows...
avg has done this twice today, the 2nd time it showed up after deletion it had a different dll
it's most likely still there

I can not access most anti virus sites.. I went to trend this morning and now the "page can not be displayed" is up (1st time that's happened in this ordeal)... if I hit the "open housecall.trend micro.com home page" it will take me there 50% of the time. after there and I hit the scan now for free link I sometimes get the "page can not be displayed" page OR I get to start to load the page for the scan...only to see the little flick my monitor screen does and the hourglass comes up and says windows will have to close IE hope I don't lose any data BLAH and would I like to send a report. once today it didn't even bother to throw up the box it just crashed.

I went to panda to do a scan. I thought I was going to make it and panda found something but the box that said windows was closing IE came up and blocked the view of the virus and I could not see it. I guess I have to stay in the window to get results which I lost when the IE crashed, it gives me no other option but to hit don't send the report and then the site is gone. ? so that did not help,


so after finding several viruses and adware over the weekend I have
worked to clean up ........
Memory watcher
sandboxer
huntbar
worm agbot
del fin media viewer
Euniverse....... with spy sweeper the only one that found it all and let me delete it
pest patrol showed me the same stuff but I had to buy their full version to do anything
got AVG loaded and it found
trojan horse dialer 7
trojan horse downloader E spor AC
trojan horse startpage.4.AO

I lost my nortons2003 that was updated it did nothing to stop the virus, and the virus shut nortons down.
lost my pop up stopper via clean ups with the various sweepers and cleaners
at least that's when it disappeared.
notepad was attacked
I can not install spyware blaster due to bad sector OR virus according to the pop up window that shuts it down
I ran the delcwssk fix and it said it found nothing
I ran CWShredder
I ran Bazooka & Ad-aware 6 w/ current update, Spybot S&D
I ran TrendMicro sysClean with the latest update I saved this the other day when I was able to go there, after I had a full scan that said it had deleted virus from my files.

no doubt I still have a virus and my IE is getting worse and crashes more often.
here is the latest HijackThis log if some of the Cops could have a look .......
Logfile of HijackThis v1.97.7
Scan saved at 7:15:06 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Filter\server.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scotty\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi6.ebay.com/ws/eBayISAPI.dll?V...=3&rows=25
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
O16 - DPF: {76D31A21-9402-11D6-97B6-0010DC2A6243} - http://secure2.comned.com/signuptemplat...curity.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...4974768519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D3A9C04-DBB0-445E-B81B-E04683CAC871}: NameServer = 207.22.166.61 207.22.166.2



thanks
regards
Crimp

Comments

  • Dexter Vancouver, BC Canada
    edited May 2004
    Your log does not appear to have anything bad in it.

    The mysteriously appearing DLLs with different names sounds a lot like the "about:blank" problems we have been seeing.

    Have a look through this thread: http://www.short-media.com/forum/showthread.php?t=13743

    You may have to download some apps called Killbox and PrcView.

    Pay attention to the 4th post in that thread, as the process detailed there applies to Windows 98, and you will need to do a slight variation for Win XP.

    This may not help at all, but it may get you started in the right direction. Let us know what you find out!

    Dexter...
  • edited May 2004
    hi dexter !
    thanks for the link..you are right this does sound like what I have.
    I tried to download killbox but the page is no good anymore, any suggestions?
    this looks like maybe I can do it ... I have spent 7 days trying to figure this mess out. thought I had finally got it but no this morning 4 AVG boxes saying it was back to scan and...it did not find anything.?????? so weird..
    this thing is unreal..
    please point me to another killbox download and I will have a try at it.
    crimp
  • Dexter Vancouver, BC Canada
    edited May 2004
    I'll try to track Killbox down for you.

    ///Edit: Here you go.

    FYI anyone else: updated download link here:

    http://download.broadbandmedic.com

    Dexter...
  • vanagon40 Indiana Member
    edited May 2004
    I can not access most anti virus sites..

    Here is what I found => http://www.experts-exchange.com/Sec...Q_20935886.html
    Many of the viruses/worms today are attacking your "hosts" file so you can't access antivirus sites.

    With Notepad, open up the file

    c:\windows\system32\drivers\etc\hosts

    If you see lines like this:

    0.0.0.0 www.symantec.com
    0.0.0.0 www.norton.com

    or any other site mapped to 0.0.0.0, delete those lines. Also, if you see any common sites you recognize (such as Google) mapped to another number (IP address), delete those lines.

    Your browser checks this hosts file first when you type a web address into your browser. So, when it sees a site listed, it automatically uses that IP address.

    Hopefully, deleting these lines from your hosts file will allow you to update your AV. And, hopefully that updated AV will get rid of your virus problem.

    http://th.msie.cc/index.php?aid=20038 is identical (or almost identical) to one of the windows I got with about:blank, but it did not pop up automatically. Got it as a search assistant (instead of MSN default) when I typed an incorrect URL.

    I also had no noticeable problems with my computer other than the about:blank homepage and redirected search assistant. (The access to anti-virus web sites was another computer with agobot virus).
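The hosts-file check vanagon40 describes, written out as an added example (not from the thread or from any of the tools it names): it flags names black-holed to 0.0.0.0 and, going one step beyond the post, to 127.0.0.1 as well, and flags watched domains redirected to any other address. The sample hosts content and the vendor watch list are constructed assumptions.

```python
"""Audit a Windows hosts file for the tampering described in the thread:
security-vendor sites black-holed, or well-known sites redirected elsewhere.

Added example, not part of the forum thread. SAMPLE_HOSTS is constructed;
WATCHED_DOMAINS is an assumed, non-authoritative list.
"""
import ipaddress
from pathlib import Path

# Addresses that make a name unreachable. 0.0.0.0 is what the post describes;
# 127.0.0.1 / ::1 are the other common black-hole targets, included as well.
BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that legitimately resolve to loopback on a default Windows install.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed watch list: vendors and popular sites that should never point at
# an address other than what DNS returns. Extend to taste.
WATCHED_DOMAINS = {
    "symantec.com", "norton.com", "trendmicro.com", "pandasoftware.com",
    "grisoft.com", "kaspersky.com", "mcafee.com", "sophos.com",
    "windowsupdate.microsoft.com", "microsoft.com", "google.com",
}


def _watched(hostname):
    """True if hostname is one of, or a subdomain of, the watched domains."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return a list of (line_no, verdict, line) for suspicious entries.

    verdict is 'blackhole' (name mapped to an unreachable address) or
    'redirect' (a watched domain mapped to some other address).
    Blank lines, comments and malformed lines are ignored, as hosts does.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # first field is not an IP address; not a mapping
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            if addr in BLACKHOLE_ADDRS:
                findings.append((line_no, "blackhole", raw.rstrip()))
                break
            if _watched(name):
                findings.append((line_no, "redirect", raw.rstrip()))
                break
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Audit the live hosts file (default Windows path) and return findings."""
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample: a default hosts header plus the kinds of tampering
# described in the thread. 198.51.100.x / 192.0.2.x are documentation ranges.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0         www.symantec.com
0.0.0.0         www.norton.com securityresponse.symantec.com
127.0.0.1       housecall.trendmicro.com
198.51.100.23   www.google.com        # watched site sent somewhere else
192.0.2.10      intranet.example      # unknown name, not on the watch list
"""

if __name__ == "__main__":
    for line_no, verdict, line in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no:>3} {verdict:<9} {line}")
```

Run with no arguments to see the sample findings; call `audit_hosts_file()` on a Windows machine to audit the real file (it only reads, never edits).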
  • edited May 2004
    I have nothing in the Hosts file, but I have a file in there called imhost and in it is a file called coolpro.exe.... sounds shady, do you know this one?
    also there is a file in my temp in local settings called iec68.temp that it does not want me to delete...connected?
    thoughts PLEASE.. I'm losing it over this.

    crimp
    scott
  • vanagon40 Indiana Member
    edited May 2004
    I'm sorry, but you have exhausted my VERY limited knowledge of viruses, hijackers, etc.

    Hopefully one of the experts can help.
  • Dexter Vancouver, BC Canada
    edited May 2004
    Coolpro.exe should be the Cooledit software. Check the properties on it for the version name, company, etc.

    Anything in your temp dir, delete it. Temp directories are hiding places for malware. A clean temp dir is easier to troubleshoot.

    Dexter...
  • edited May 2004
    from Vanagon45 fix from the post above, I am swimming through this and going down....I have no idea what this is. this is way more complicated than the HijackThis log.
    will just wiping clean get rid of this one or is it embedded so deep it's part of the serial number now. the PrcView logs are here
    anything stand out to those in the know, as far as I concerned it can all go. lol
    hey you're very nice people to even care this much. I am truly in awe of the kindness. thanks from a rookie who is in over his head.
    here is some talk I found that might be connected to this but I am still not 100% sure this is the strain I have.
    http://www.spywareinfo.com/forums/index.php?showtopic=43492&st=0
    hope it's ok to put that link here. it's FYI
    as if you needed it.
    cheers
    thecrimp

    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1015808 C:\WINDOWS\Explorer.EXE 6.00.2800.1106 (xpsp1.020828-1920) Windows Explorer
    ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1106 (xpsp1.020828-1920) NT Layer DLL
    kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 548864 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Procedure Call Runtime
    GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDI Client DLL
    USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows XP USER API Client DLL
    SHLWAPI.dll 70a70000 409600 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Light-weight Utility Library
    SHELL32.dll 773d0000 8351744 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Shell Common Dll
    ole32.dll 771b0000 1183744 C:\WINDOWS\system32\ole32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft OLE for Windows
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
    SHDOCVW.dll 769c0000 1351680 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Doc Object and Control Library
    UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    themeui.dll 559e0000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Theme API
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
    USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    netapi32.dll 71c20000 319488 C:\WINDOWS\System32\netapi32.dll 5.1.2600.1106 (xpsp1.020828-1920) Net Win32 API DLL
    SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
    LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
    ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing
    ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
    NETSHELL.dll 75cf0000 1642496 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1106 (xpsp1.020828-1920) Network Connections Shell
    credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Credential Manager User Interface
    WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    iphlpapi.dll 76d60000 94208 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpsp1.020828-1920) IP Helper API
    urlmon.dll 760f0000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1106 (xpsp1.020828-1920) OLE32 Extensions for Win32
    msi.dll 15b0000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
    WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    CRYPT32.dll 762c0000 569344 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1106 (xpsp1.020828-1920) Crypto API32
    MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
    rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
    comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
    WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
    webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2800.1106 (xpsp1.020828-1920) Web Site Monitor
    stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Systray shell service object
    BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
    WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
    WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
    umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
    wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
    midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
    browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
    WININET.dll 76200000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet Extensions for Win32
    AcroIEHelper.dll 10000000 49152 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.1.2003110300 Adobe Acrobat IE Helper Version 6.0 for ActivieX
    SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
    shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
    MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
    drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    MSGINA.dll 75970000 987136 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Logon GINA DLL
    ODBC32.dll 1f7b0000 200704 C:\WINDOWS\System32\ODBC32.dll 3.520.9030.0 Microsoft Data Access - ODBC Driver Manager
    odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
    CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
    printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL
    WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
    ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
    adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP Provider C DLL
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
    rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    mobsync.dll 61680000 212992 C:\WINDOWS\System32\mobsync.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Synchronization Manager
    mydocs.dll 72410000 102400 C:\WINDOWS\System32\mydocs.dll 6.00.2600.0000 (xpclient.010817-1148) My Documents Folder UI
    actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
    zipfldr.dll 73380000 335872 C:\WINDOWS\System32\zipfldr.dll 6.00.2800.1126 (xpsp2.020921-0842) Compressed (zipped) Folders
    SDHelper.dll 2900000 765952 C:\Program Files\Spybot - Search & Destroy\SDHelper.dll 1, 3, 0, 12 Bad download blocker
    olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
    arcext.dll 1be0000 200704 C:\Program Files\WinAce\arcext.dll 2.1.0.0 WinAce-Archiver Shell Extension
    ace.dll 2bc0000 897024 C:\Program Files\WinAce\ace.dll 2.2.0.0 WinAce ACE Dynamic Link Library
    NTMARTA.DLL 76ce0000 126976 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows NT MARTA provider
    MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
    avgse.dll 12a0000 49152 C:\PROGRA~1\Grisoft\AVG6\avgse.dll 6, 0, 0, 153 AVG Shell Extension module
    Cuteshell.dll 3bc0000 176128 C:\Program Files\GlobalSCAPE\CuteFTP\Cuteshell.dll 50, 5, 16, 2 CuteFTP Shell Integration Module
    shimgvw.dll 5cb00000 430080 C:\WINDOWS\system32\shimgvw.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Picture and Fax Viewer
    gdiplus.dll 70d00000 1708032 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\gdiplus.dll 5.1.3101.0 (xpsp1.020828-1920) Microsoft GDI+
    mscms.dll 73b30000 77824 C:\WINDOWS\System32\mscms.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft Color Matching System DLL
    sfc_os.dll 76c60000 167936 C:\WINDOWS\System32\sfc_os.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows File Protection
    CCHelper.dll 4650000 69632 C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll 1, 0, 0, 1 Cleaning Companion Helper Module
    msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
    sti.dll 73ba0000 73728 C:\WINDOWS\System32\sti.dll 5.1.2600.1106 (xpsp1.020828-1920) Still Image Devices client DLL
    mstask.dll 735d0000 258048 C:\WINDOWS\System32\mstask.dll 5.1.2600.1106 (xpsp1.020828-1920) Task Scheduler interface DLL
    asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
    MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
    wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
    MCPS.DLL 365a0000 86016 C:\PROGRA~1\MICROS~2\Office10\MCPS.DLL 10.0.2625 Media Catalog Proxy/Stub
    MSVCP60.DLL 55900000 397312 C:\WINDOWS\System32\MSVCP60.DLL 6.00.8972.0 Microsoft (R) C++ Runtime Library


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "Appinit_Dlls"=""
  • vanagon40 Indiana Member
    edited May 2004
    I looked through the PRCView log and nothing jumped out at me. There are only 2 undocumented dlls (CLBCATQ.DLL and COMRes.dll) and both are names of "real" dlls. Additionally, most of the about:blank dlls I saw through research were all lower case random letters.

    Here are "classic" signs of CoolWebSearch variant SearchX

    HJT log over system before cleaning shows registry entries obfuscated, e.g.,
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\faciha.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\faciha.dll/sp.html (obfuscated)

    as well as registry entries set to about:blank, e.g.,
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    Running CWShredder will show "Searchx" removed and registry entries restored.

    Unless you have one or more of the symptoms, I would guess this is not CoolWebSearch.

    My Google Search for "Trojan Horse Startpage.4.AO" revealed only two results, neither with a solution. One states the identical problem => http://www.cybertechhelp.com/forums/showthread.php?t=35090 and http://www.cybertechhelp.com/forums/showthread.php?t=37367

    Again, I am not an expert at any of this, only spent a lot of time researching and fixing my about:blank problem.

    Good luck (I know how frustrating this can be).
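The "classic" SearchX signs vanagon40 lists above, turned into a small checker for HijackThis R0/R1 lines, as an added example that is not part of the thread or of HijackThis itself. The regexes, the verdict names and the sample log lines are constructed here; the clean start-page line deliberately contains ".dll" in an http URL, as Crimp's eBay start page does, to show it is not flagged.

```python
"""Flag HijackThis R0/R1 entries that match the CoolWebSearch "SearchX"
pattern: IE start/search settings set to about:blank, or to a res:// URL
inside a DLL under the Windows system directory.

Added example, not part of the forum thread. Regexes and SAMPLE_LOG are
constructed; the system-directory pattern is an assumption for XP-era paths.
"""
import re

# An R0/R1 line looks like:
#   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <value>
# HijackThis may append " (obfuscated)" when it decoded the stored value.
R_LINE = re.compile(
    r"^(?P<kind>R[01]) - (?P<key>HK(?:CU|LM|U)\\[^,]+),(?P<name>[^=]+?)\s*=\s*"
    r"(?P<value>.*?)(?P<flag>\s\(obfuscated\))?\s*$"
)

# res:// URL served out of a DLL in the system directory, e.g.
#   res://C:\WINNT\system32\faciha.dll/sp.html
RES_SYSDLL = re.compile(
    r"^res://[A-Za-z]:\\WIN(?:NT|DOWS)\\system32\\([^\\/]+\.dll)/", re.I
)


def classify_r_line(line):
    """Return (verdict, detail) for one R0/R1 line, or None if not R0/R1.

    verdicts: 'about:blank', 'res-dll' (detail = DLL file name),
    'obfuscated' (flagged by HJT but not matching the other two), or 'ok'.
    """
    m = R_LINE.match(line.strip())
    if not m:
        return None
    value = m.group("value").strip()
    if value.lower() == "about:blank":
        return ("about:blank", m.group("name").strip())
    res = RES_SYSDLL.match(value)
    if res:
        return ("res-dll", res.group(1))
    if m.group("flag"):
        return ("obfuscated", value)
    return ("ok", value)


def searchx_indicators(log_text):
    """Collect (line, verdict, detail) for every suspicious R0/R1 entry."""
    findings = []
    for line in log_text.splitlines():
        result = classify_r_line(line)
        if result and result[0] != "ok":
            findings.append((line.strip(), result[0], result[1]))
    return findings


# Constructed sample: one clean start page (an http URL that merely contains
# ".dll"), vanagon40's four SearchX examples, and a non-R line to be ignored.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/search.dll?rows=25
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\faciha.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\faciha.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
"""

if __name__ == "__main__":
    for line, verdict, detail in searchx_indicators(SAMPLE_LOG):
        print(f"{verdict:<12} {detail:<12} {line}")
```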
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    CLBCATQ.DLL

    Unfortunately the very existence of this file means something went WRONG with your install of COM+ (which is a critical Windows subsystem dealing with something I cannot explain briefly, need to be asked to even try as I guarantee the reply will be a chapter of a book minimum-- about 10 of my normal "huge" posts in size to degunk the techese into plain English). BASICALLY, since I have been asked to be Short, will say this-- the COM+ subinstaller process writes this file, uses it, and if it cannot install COM+ right it gets left. IF COM+ gets installed right, then the file is automatically renamed to ~CLBCATQ.DLL. This file helps figure out HOW in detail to install COM+ given what is already there. COM+ has been rightly called Component Object Model+, and we are talking about Windows O/S objects here.

    Try renaming CLBCATQ.DLL to ~CLBCATQ.DLL, then restart the computer. Windows will probably try to recover from a restore point after restart, this file being there like you have it without being renamed can break the system restore process.
  • edited May 2004
    well . :bawling: . I see 2 CLBCATQ.DLL in my search... one has cache dll... both named the same. I would guess the top one is the one I want without the cache. the 2nd one is showing because I have hidden system files showing right? created Friday, November 01, 2002, 5:47:31 PM
    modified on Thursday, August 23, 2001, 8:00:00 AM could it be that old?
    if I rename this and reboot...will I come back up? I need to know if this is IT..
    the big one. say goodnight gracie...that kind deal... I can take it...i think? is this why if I leave my machine down for a few days it's so hard to get going again?
    thank you
    crimp
  • vanagon40 Indiana Member
    edited May 2004
    I see 2 CLBCATQ.DLL in my search............ I need to know if this is IT..
    No, this ain't IT.

    This will be my last post in this thread as this is WAY beyond my knowledge.

    Again, good luck.
  • edited May 2004
    you misunderstand

    I know this is not the virus. I was only asking if its possible that I will crash on reboot after renaming this file and be down...that's the IT ....I was talking about...
    the big it...
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    theCrimp wrote:
    well . :bawling: . I see 2 CLBCATQ.DLL in my search... one has cache dll... both named the same. I would guess the top one is the one I want without the cache. the 2nd one is showing because I have hidden system files showing right? created Friday, November 01, 2002, 5:47:31 PM
    modified on Thursday, August 23, 2001, 8:00:00 AM could it be that old?
    if I rename this and reboot...will I come back up? I need to know if this is IT..
    the big one. say goodnight gracie...that kind deal... I can take it...i think? is this why if I leave my machine down for a few days it's so hard to get going again?
    thank you
    crimp

    There's another method other than renaming and rebooting you might want to try first. Follow this method. It lets Windows check the install and rebuild it if there's a problem.
  • edited May 2004
    ok thanks for that link .
    best
    theCrimp
  • edited May 2004
    got this demon off my machine at last... the only program to do it was
    A squared found 2 that the others did not. it was a free download and worked great. now all I have to do is fix the os problem and I should be rocking aok. thanks to all here that responded to my call. thanks so much. :woowoo:
    crimp
  • Dexter Vancouver, BC Canada
    edited May 2004
    Can you provide a link to that program please?

    Dexter...
  • edited May 2004
    yea no problem.. hope this helps someone from going through what I did with this nasty nasty.


    A2 (A squared)

    http://www.emsisoft.com/en/



    crimp
  • edited June 2004
    Hey Crimp, I have the same problem. I had NAV running when I contracted this nasty little beast. I ran several Spyware programs Spybot AdAware, And ran Norton, (nothing...) and AVG, which found misc. Dll files which were cleanable. But the little message still popped up saying I was infected with the "Trojan Horse Startpage.4.AO". Last time it showed up saying it was in System Volume Information, and that was when I started more aggressively fighting it. Which is when I stumbled on to your original post.
    I Ran A^2 hoping it would fix the issue. But it found nothing.

    My machine had no problems with the virus/spyware for a couple of days and then it showed back up. Is your machine still clean? Or do any of you have any more ideas? It sounds like whatever this is it is a royal pain to get rid of.

    Any help would be appreciated!
    :banghead: