Hi! I really hope somebody can help because this thing is driving me mad. I've got a trojan on my pc called startpage.CZ, I've tried AdAware inc. latest update but it doesn't even see it. AVG antivirus can see the trojan and says it can't fix it but offers to quarantine it but is unable to. The 2 files it says are infected are svchost.exe and winlogon.exe. I've tried searching on google for info about startpage.CZ but can't find anything. here's my hijackthis log file: ======================================= Logfile of HijackThis v1.97.7 Scan saved at 23:36:13, on 13/02/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\Program Files\HHVcdV5Sys\VC5Play.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe F:\Tools\AVG6\avgcc32.exe C:\WINDOWS\SVCHOST.exe C:\Program Files\RSNet\RSEDNClient.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe F:\Tools\AVG6\avgserv.exe C:\WINDOWS\System32\drivers\CDAC11BA.exe D:\Tools\Kerio\Personal Firewall 4\kpf4ss.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\HHVcdV5Sys\VC5SecS.exe D:\Tools\Kerio\Personal Firewall 4\kpf4gui.exe D:\Tools\Kerio\Personal Firewall 4\kpf4gui.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\System32\mdm.exe F:\Downloads\HijackThis.exe C:\Program Files\Internet Explorer\iexplore.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ffneim.t.rack.cc/sp.php (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ffneim.t.rack.cc/hp.php (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ffneim.t.rack.cc/sp.php (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ffneim.t.rack.cc/sp.php (obfuscated) O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe O4 - HKLM\..\Run: [CloneCDTray] "F:\Tools\CloneCD\CloneCDTray.exe" /s O4 - HKLM\..\Run: [QuickTime Task] "F:\tools\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [AVG_CC] F:\Tools\AVG6\avgcc32.exe /STARTUP O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - HKCU\..\Run: [ProxyCap] F:\Tools\ProxyCap\ProxyCap.exe O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.exe O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = D:\Applications\Microsoft Office\Office10\OSA.exe O4 - Global Startup: winlogon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\APPLIC~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_35.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/103404d8a17ad398f922/netzip/RdxIE601.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://137.21.235.77/activex/AxisCamControl.ocx O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.2893865741 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab ===================================== Thanks in advance. Shaedo.

Shaedo, Download The Killbox. Extract TheKillBox.exe from the zip file and double click it to open it up. http://download.broadbandmedic.com/VbStuff/TheKillBox.zip In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one: C:\WINDOWS\SVCHOST.exe (the valid one is in system32) Click 'Exit' when done. Open HijackThis, scan, and place a check beside the entries listed below. Make sure ALL Browsers and Explorer Windows are closed (most important). Then click on the "Fixed checked" button. R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ffneim.t.rack.cc/sp.php (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ffneim.t.rack.cc/hp.php (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ffneim.t.rack.cc/sp.php (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ffneim.t.rack.cc/sp.php (obfuscated) Do you use this program? O4 - HKCU\..\Run: [ProxyCap] F:\Tools\ProxyCap\ProxyCap.exe If not it can go O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.exe O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/103404d8a17ad398f922/netzip/RdxIE601.cab O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.net/Installer/104/rsinstaller.cab Reboot and post a new log, see how it went. Shep

Thanks for the excellent advice Shep. I removed both svchost.exe and winlogon.exe using killbox. Both times forced a system reboot but removed the files successfully. I've rescanned with AVG and it can't find anything. The only problem I've got now is that a lot of shortcuts do not have icons associated with them, I've fixed a few by reassigning the icon but others inc. IE are blank. here's my new hijackthis log: ======================================== C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\Program Files\HHVcdV5Sys\VC5Play.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe F:\Tools\AVG6\avgcc32.exe C:\Program Files\MSN Messenger\MsnMsgr.exe C:\Program Files\RSNet\RSEDNClient.exe F:\Tools\AVG6\avgserv.exe C:\WINDOWS\System32\drivers\CDAC11BA.exe D:\Tools\Kerio\Personal Firewall 4\kpf4ss.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe D:\Tools\Kerio\Personal Firewall 4\kpf4gui.exe D:\Tools\Kerio\Personal Firewall 4\kpf4gui.exe C:\Program Files\HHVcdV5Sys\VC5SecS.exe F:\Downloads\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find4u.net/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find4u.net/sp.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find4u.net/sp.htm O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe O4 - HKLM\..\Run: [QuickTime Task] "F:\tools\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [AVG_CC] F:\Tools\AVG6\avgcc32.exe /STARTUP O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - HKCU\..\Run: [ProxyCap] F:\Tools\ProxyCap\ProxyCap.exe O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = D:\Applications\Microsoft Office\Office10\OSA.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\APPLIC~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_35.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://137.21.235.77/activex/AxisCamControl.ocx O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.2893865741 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab =====================================] Thanks, Shaedo.

Not a Trojan. Made for pocket PCs. here's info. From the developer: "Use My Startpage to make all of your Pocket IE favorite sites more accessible. My Startpage replaces the default home page the Pocket IE uses. This gives you a quick and easy way to access all of your favorite sites. These links are also stored on your Pocket PC so that you can go back at any time and edit or delete them." Look in add or remove programs. If not present search for startpage on HDD. look for an uninstall, if not search registry and remove entries reboot and uninstall all references. gilhouli

Shaedo, I don't believe I mentioned winlogon. Anyway about the icons..... Boot your system into safe mode(keep tapping F8 key while booting, select safe mode). Once loaded, reboot normally. This should rebuild the shellicon cache. If not post back, we can try another method. shep

Shaedo, Seems like you picked up some new stuff. First go to start>control panel>tools.folder options>view and put a check mark in show hidden files and folders. Open HiJack this,close ALL windows, put a check mark in the following, and click on fix checked. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find4u.net/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find4u.net/sp.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find4u.net/sp.htm O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe Boot into safe mode and find/search for and delete: C:\Program Files\RSNet\RSEDNClient.exe ---> file C:\Program Files\RSNet\RSEDNClient ----> folder Reboot normally and post a new log. shep

Thanks for the replys Shep. Here's my new log file: ======================================== Logfile of HijackThis v1.97.7 Scan saved at 21:06:20, on 14/02/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.exe C:\Program Files\HHVcdV5Sys\VC5Play.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe F:\Tools\AVG6\avgcc32.exe F:\Tools\AVG6\avgserv.exe C:\WINDOWS\System32\drivers\CDAC11BA.exe D:\Tools\Kerio\Personal Firewall 4\kpf4ss.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe D:\Tools\Kerio\Personal Firewall 4\kpf4gui.exe D:\Tools\Kerio\Personal Firewall 4\kpf4gui.exe C:\Program Files\HHVcdV5Sys\VC5SecS.exe F:\Downloads\HijackThis.exe O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL O2 - BHO: (no name) - {397D7D63-816E-4ECF-8761-775C932C5CF1} - C:\WINDOWS\iDonate.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe O4 - HKLM\..\Run: [QuickTime Task] "F:\tools\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [AVG_CC] F:\Tools\AVG6\avgcc32.exe /STARTUP O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - HKCU\..\Run: [ProxyCap] F:\Tools\ProxyCap\ProxyCap.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = D:\Applications\Microsoft Office\Office10\OSA.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\APPLIC~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_35.cab O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://137.21.235.77/activex/AxisCamControl.ocx O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38029.2893865741 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ======================================== Thanks, Shaedo.