Need help removing trojan Startpage.16.M

Discussion in 'Malware Help (A Specialist Will Reply)' started by drake01605, Mar 3, 2005.

  1. drake01605

    drake01605 Private E-2

    I have been trying to remove the trojan Startpage.16.M from a friend’s computer over the last few days. At one point, I thought it was gone, only to have it make a comeback – so I am on my second attempt to remove this thing. This is a Windows98 machine. It has AVG 7, SpywareGuard, SpywareBlaster, and Kerio Personal Firewall installed and running. I’ve been using Firefox to browse the web, as Internet Explorer quickly locks up.

    Here’s what I have done so far:
    1. Ran HijackThis. There were several entries that referenced about:blank, and a couple of O18 entries that pointed to a dll named bhdh.dll in the C:\Windows\System folder. Did not attempt to fix anything at this time.
    2. Ran an online scan at Trend Micro’s website. The scan was clean. Attempted to run the online scan at Norton's website, but kept getting an error message claiming that the web page was not found.
    3. Ran the McAfee Avert Stinger program. Tried to do this in safe mode, but got a blue screen (this happened with AdAware also), so this and everything that follows was run in normal mode. This scan was also clean.
    4. Used CCleaner with default options to remove all temporary files
    5. Scanned the machine with AdAware (after downloading most recent updates including the Ad-Aware VX2 Cleaner Plug-In). Adaware found several problems – removed all of them.
    6. Scanned with Spybot (after downloading most recent updates including Spybot DSO Exploit patch). Found and removed several problems. Also turned on the Immunize feature.
    7. Ran the following programs (None of these reported a problem): CWShredder, Kill2me, and about:Buster.
    8. Ran HijackThis. There were still several entries that referenced about:blank. Fixed these only. The O18 entries that pointed to bhdh.dll were gone. I suspect that these were removed by AdAware (step 5 above).
    9. Deleted the following file: C:\Windows\System\bhdh.dll. This file had a creation date of 3/1/05. Based on what I’ve read about this trojan, I am sure that this file was part of the problem.

    After this, I was able to reboot the machine a couple of times and ran Internet Explorer each time with no ill effects. However, I am still concerned that this thing is lurking somewhere. There is one dll file in C:\Windows\System named ekgi.dll (creation date of 2/19/05 and a size of 39KB) that looks suspicious to me – many of the web articles I have read about this trojan warn of dll’s that have 4 letter names, recent creation dates, and a size of 36-41KB. This file fits the bill, so I am concerned. Would just deleting this file be effective? Or should I use something like KillBox to remove it? Is there any cause for ongoing concern?

    Thanks for any and all assistance,
    Jim
     
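The heuristic Jim describes above (a DLL in C:\Windows\System with a four-letter name, a recent creation date and a size of roughly 36-41 KB) is easy to apply by hand to one file, but on a machine that may have several such files it is worth scripting. The following is an added example written for this page, not code from the thread or from any tool mentioned in it. It scans a directory for files that meet all three criteria; the directory it builds (`build_sample_dir`) is a constructed fixture with fake DLL-named files so the script runs offline on any OS. On Windows the creation time comes from `st_ctime`; on POSIX that field is the inode-change time, so the script falls back to the modification time there. A hit only narrows the candidates: a legitimate DLL can match all three criteria, so confirm with a scanner or by finding what references the file (an O18 entry, a Run key) before deleting it.

```python
"""Triage a directory for DLLs matching the heuristic in the post above:
four-letter base name, created recently, 36-41 KB.  Added example, not
from the original thread; the sample directory is constructed so the
script runs offline on any OS."""
import os
import re
import tempfile
import time
from dataclasses import dataclass

FOUR_LETTER_DLL = re.compile(r"^[a-z]{4}\.dll$", re.IGNORECASE)
SIZE_MIN, SIZE_MAX = 36 * 1024, 41 * 1024
DAY = 86400


@dataclass
class Hit:
    path: str
    size: int
    age_days: float


def _created(st):
    # Windows reports creation time in st_ctime; POSIX st_ctime is the
    # inode-change time (reset when the fixture below is written), so
    # fall back to mtime there.
    return st.st_ctime if os.name == "nt" else st.st_mtime


def suspicious_dlls(directory, max_age_days=30, now=None):
    """DLLs in *directory* that match all three criteria, sorted by name."""
    now = time.time() if now is None else now
    hits = []
    for name in sorted(os.listdir(directory)):
        if not FOUR_LETTER_DLL.match(name):
            continue  # kernel32.dll and friends never qualify on name alone
        full = os.path.join(directory, name)
        st = os.stat(full)
        if not SIZE_MIN <= st.st_size <= SIZE_MAX:
            continue
        age = (now - _created(st)) / DAY
        if age <= max_age_days:
            hits.append(Hit(full, st.st_size, round(age, 1)))
    return hits


def build_sample_dir(now=None):
    """Constructed fixture: a fake System folder with five DLL-named files."""
    now = time.time() if now is None else now
    d = tempfile.mkdtemp(prefix="fake_system_")
    fixture = {
        "ekgi.dll": (39 * 1024, 12),      # post 1's suspect: 4 letters, 39 KB, recent
        "bhdh.dll": (38 * 1024, 2),       # the file post 1 deleted
        "abcd.dll": (39 * 1024, 400),     # right name and size, but old
        "wxyz.dll": (10 * 1024, 3),       # right name and age, wrong size
        "kernel32.dll": (400 * 1024, 1),  # system file: name rules it out
    }
    for name, (size, age_days) in fixture.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"\0" * size)
        t = now - age_days * DAY
        os.utime(p, (t, t))
    return d


def triage_sample():
    """Build the fixture and return the base names that are flagged."""
    now = time.time()
    hits = suspicious_dlls(build_sample_dir(now), now=now)
    return [os.path.basename(h.path) for h in hits]


if __name__ == "__main__":
    for hit in suspicious_dlls(build_sample_dir()):
        print(f"{hit.path}  {hit.size} bytes  created {hit.age_days} days ago")
```

Run against the fixture, only `bhdh.dll` and `ekgi.dll` are reported; `abcd.dll` fails the age test, `wxyz.dll` the size test and `kernel32.dll` the name test. Point `suspicious_dlls()` at a real `C:\WINDOWS\SYSTEM` on the affected machine to get the candidate list Jim was building by eye.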
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: Navigate to your Program Files directory, right click on a blank spot in the window > choose New > Folder. Name this folder Spyware Tools. Now you can save the needed tools to this folder and if you prefer, create sub-folders named for each individual utility.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    To Repeat: Please be sure to reply in this thread if you need further assistance or have any questions. Someone WILL be along to help you as soon as they can. You can help us help you by following the above instructions and providing detailed information as to the difficulties you are having and/or continuing to have after you have completed the Basic Spyware, Trojan And Virus Removal tutorial. Just telling us you followed the tutorial does not give us enough information. You need to let us know the results...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    We all recognize that if you are here asking for help you are probably frustrated and maybe even angry that your computer has been taken over by some malicious program. Rest assured, we want to help you but that we get frustrated too when we are not given the requested information or when instructions are not followed. Don't be afraid to ask for additional help if you don't understand something! There is no such thing as a dumb question and we do not expect everyone who comes here to have vast computer knowledge, however you will be more educated and better prepared to prevent re-infestation when you leave here!:)

    Good luck!:)
     
  3. drake01605

    drake01605 Private E-2

    Hi,

    I have followed the steps described in the "READ ME FIRST" document, as well as I could. Specifically, I was unable to run the Symantec online scan, as it led to a dead link. Also, I was unable to run any of the programs in safe mode, as they kept on giving me a blue screen in safe mode. Here are the list of steps in the "READ ME" doc with some quick comments about my progress along the way.

    Getting Prepared; Steps to be sure your system is ready to be scanned:
    1: Disable System Restore temporarily
    My comment: This is a Win98 machine, so I skipped this step
    2: Network Security, etc.
    My comment: This is a Win98 machine, so I skipped this step
3: Enable viewing of hidden files and folders and extensions
    My comment: Done.
    4: Downloading Tools
    My comment: Done.

    Scanning And Cleaning Steps: (note steps 1 thru 4 are NOT optional!)
    1: Virus And Trojan Scanning
    - Online scan at Trend Micro: DONE, the scan was clean
    - Online scan at Symantec: NOT DONE - got a BAD LINK error at their website
    - Run McAfee AVERT stinger in safe mode - got a blue screen when I ran this in safe mode, but was able to run in normal mode, and the scan result was clean.

    2: Clean Your Hard Drive; Remove temporary internet and other files not needed with CCleaner. DONE

    3: Main Spyware Scan And Removal
    - Was unable again to run these in safe mode
    - Ran AdAware (with all updates and the Ad-Aware VX2 Cleaner Plug-In). Found and removed several problems.
    - Ran Spybot (with all updates and the Spybot DSO Exploit patch). Found and removed several problems.

    4: Secondary Spyware Scan And Removal
    - Ran CWShredder, Kill2me, and about:Buster. They were all clean.

    5: Skipped this - I don't have the "Only the Best" problem.

    6: Ran Hijack This. Log is attached.

    Thanks,
    Jim
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please remember that ALL browsers must be closed before using HJT. You had FireFox running.
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE

    Why is notepad running?
    C:\WINDOWS\NOTEPAD.EXE


    Your HJT log is fairly clean. Only the below should be fixed.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.



    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. drake01605

    drake01605 Private E-2

    Firefox and notepad were running simply because I forgot to close them first. As far as how things are running - at the moment all appears to be well. Just hope it stays that way. I have attached the new Hijack This log.

    Thanks again,
    Jim
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AltaVista
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost


    Again, make sure All Browser Windows are Closed when you Click FIX.



    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.



    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    Are you still experiencing any problems?
     
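Posts 4 and 6 above each hand back a short list of HijackThis lines to fix. Each line is shorthand for a concrete registry value or COM object: an R0/R1 line is `hive\key,value name = data`, an O9 line is a toolbar button registered under a CLSID with the file it points at, and an O18 line is a protocol or MIME filter handler with its DLL. The following is an added example written for this page, not code from the thread or from the HijackThis project. It parses those three line types into the location each one describes and flags the patterns the thread acted on: empty or `about:blank` values, a ProxyOverride or custom window title, an O9 button whose file is missing, and an O18 handler backed by a four-letter DLL of the kind post 1 describes. The sample log is constructed: the R0, R1 and O9 lines are the ones quoted in posts 4 and 6, while the `Search Page` line, the O4 line and the O18 line (with an all-zero placeholder CLSID) are made up to exercise the other branches.

```python
"""Parse HijackThis R0/R1/O9/O18 log lines and flag the patterns the
thread acted on.  Added example, not from the original posts or from
HijackThis itself; SAMPLE_LOG is constructed."""
import re
from dataclasses import dataclass, field

# R0/R1: "R1 - HKCU\Software\...\Main,Window Title = some text"
R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) =(.*)$")
# O9:    "O9 - Extra button: <label> - {CLSID} - <file or (no file)>"
O9_LINE = re.compile(r"^O9 - Extra button: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O18:   "O18 - Filter: text/html - {CLSID} - C:\path\handler.dll"
O18_LINE = re.compile(r"^O18 - (Protocol|Filter): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
FOUR_LETTER_DLL = re.compile(r"^[a-z]{4}\.dll$", re.IGNORECASE)


@dataclass
class Entry:
    kind: str        # "R0", "R1", "O9" or "O18"
    location: str    # registry value path, or the object the entry describes
    value: str       # value data, target file, or handler DLL
    flags: list = field(default_factory=list)


def parse_hjt_line(line):
    """Return an Entry for a supported HJT line, or None for other line types."""
    line = line.rstrip("\r\n")
    m = R_LINE.match(line)
    if m:
        kind, hive, key, name, data = m.groups()
        data = data.strip()
        e = Entry(kind, f"{hive}\\{key}\\{name}", data)
        if data == "":
            e.flags.append("empty value")
        if "about:blank" in data.lower():
            e.flags.append("about:blank reference")
        if name == "ProxyOverride":
            e.flags.append("proxy override set")
        if name == "Window Title":
            e.flags.append("custom IE window title")
        return e
    m = O9_LINE.match(line)
    if m:
        label, clsid, target = m.groups()
        e = Entry("O9", f"Extra button {clsid} ({label})", target.strip())
        if e.value == "(no file)":
            e.flags.append("button points at a missing file")
        return e
    m = O18_LINE.match(line)
    if m:
        subtype, name, clsid, path = m.groups()
        e = Entry("O18", f"{subtype} {name} {clsid}", path.strip())
        base = e.value.replace("/", "\\").rsplit("\\", 1)[-1]
        if FOUR_LETTER_DLL.match(base):
            e.flags.append("handler is a four-letter DLL (pattern from post 1)")
        return e
    return None


def flagged_entries(log_text):
    """Parse a whole log and return only the entries that raised a flag."""
    out = []
    for line in log_text.splitlines():
        e = parse_hjt_line(line)
        if e and e.flags:
            out.append(e)
    return out


# Constructed sample: R0/R1/O9 lines are those quoted in posts 4 and 6;
# the Search Page, O4 and O18 lines (placeholder CLSID) are made up.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AltaVista
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter: text/html - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\SYSTEM\bhdh.dll
""".strip()


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.kind:4} {e.location}\n     value: {e.value!r}\n     flags: {', '.join(e.flags)}")
```

The `location` field is what you would open in `regedit` (or check with a script) to confirm the fix took: after clicking Fix in HJT, the `Local Page` values should read a sensible URL again and the `ProxyOverride` value should be gone. The O4 line is deliberately outside the parser's scope and is skipped, which is the behaviour you want from a focused checker rather than a false positive on a normal Windows 98 startup entry.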
  7. drake01605

    drake01605 Private E-2

    OK, I have done everything as instructed. The computer is not having any problems now. Anything else I should do?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Make sure you have performed the equivalent of all the steps in the below thread to help avoid future problems.

    How to Protect yourself from malware!
     
  9. drake01605

    drake01605 Private E-2

    OK - thanks for the help.

    /Jim
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!
     
