Starware

Discussion in 'Malware Help (A Specialist Will Reply)' started by DR.G, Jul 12, 2006.

  1. DR.G

    DR.G Private E-2

    Starware has hijacked my IE browser, although the only file I can detect is a Starware cookie. I have endeavoured to follow your 'Read and Run' statement and I enclose the appropriate logs. AdAware and SpyBot found nothing of substance as did Windows Defender. I could not find MS Malicious Software Removal Tool on my PC although I know it is there somewhere.
    Bit Defender and Panda Active Scan had to be run in Normal Mode because XP does not appear to be a happy bunny in Safe Mode. No action has been taken on their findings. Avast and Avert have found nothing.

    Your help would be appreciated. Thank you in advance.

    N.B. McAfee's web site sees possible legal problems in removing Starware.
     

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your BitDefender log is the scan summary; I need the actual Scan log that shows what was found.

    HijackThis is not showing Starware. Follow the directions for Running WinPfind by OldTimer
     
  3. DR.G

    DR.G Private E-2

    Thanks for replying promptly. I attach further logs and apologise for the misunderstanding concerning BitDefender.
    It is amazing that despite all the security arrangements and spysweeps that a Trojan has now come to light. Coincidentally, Microsoft have issued today a version of their Malware Remover.
    What would be my next step(s)?
     

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Starware Description
    Starware is an Internet Explorer toolbar with specialized search functions and a pop-up blocker. Starware Toolbar may display advertisements and redirect your search requests through their parent server. Bug fixes and new features may be added to Starware Toolbar without your notice.

    www.Starware.com

    Starware Removal Instructions
    If you find "Starware" in Add/Remove Programs, begin your removal by uninstalling there.

    Kill these running processes with Task Manager:
    programfilesdir+\common files\oe\uninstall.exe
    programfilesdir+\common files\oe\uninstallwa.exe
    programfilesdir+\orbit\ad.exe
    programfilesdir+\orbit\update.exe
    programfilesdir+\orbit\view.exe
    systemroot+\bobsaver.exe
    systemroot+\downloaded program files\conflict.1\oeloader.exe
    systemroot+\downloaded program files\oeloader.exe

    Remove AutoRun Reference: If you find the value
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\cc2kui
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\orbitupdate
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\orbitview
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\sswplauncher

    Unregister these DLLs with Regsvr32, then reboot:
    programfilesdir+\common files\oe\msbb.dll
    programfilesdir+\common files\oe\redirector.dll
    programfilesdir+\common files\oe\search.dll
    programfilesdir+\common files\oe\toolbar.dll
    systemroot+\downloaded program files\conflict.1\oeloader.dll
    systemroot+\system\redirector.dll
    systemroot+\system32\redirector.dll

    Remove these registry items (if present) with RegEdit:
    HKEY_CLASSES_ROOT\clsid\{702ad576-fddb-4d0f-9811-a43252064684}
    HKEY_CLASSES_ROOT\clsid\{d48f2e28-68e2-4920-9848-d6e6c7ab3eb7}
    HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{702ad576-fddb-4d0f-9811-a43252064684}
    HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{d48f2e28-68e2-4920-9848-d6e6c7ab3eb7}
    HKEY_CLASSES_ROOT\typelib\{c3e17d0d-593a-457b-a1da-6d082e29323a}
    HKEY_CURRENT_USER\clsid\{0fda4d2b-7975-405d-8d7c-f5e2247eae80}
    HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\shellbrowser\{fe6bc4ef-5676-484b-88ae-883323913256}
    HKEY_CURRENT_USER\software\microsoft\internet explorer\toolbar\webbrowser\{fe6bc4ef-5676-484b-88ae-883323913256}
    HKEY_LOCAL_MACHINE\software\classes\appid\{bac984c9-78c8-4105-9e97-1675a4052686}
    HKEY_LOCAL_MACHINE\software\classes\appid\dmserver.exe\appid
    HKEY_LOCAL_MACHINE\software\classes\bho.csbho
    HKEY_LOCAL_MACHINE\software\classes\bho.csbho.1
    HKEY_LOCAL_MACHINE\software\classes\bho.csbho\clsid
    HKEY_LOCAL_MACHINE\software\classes\bho.csbho\curver
    HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{702ad576-fddb-4d0f-9811-a43252064684}
    HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\toolbar\{fe6bc4ef-5676-484b-88ae-883323913256}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{702ad576-fddb-4d0f-9811-a43252064684}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{d48f2e28-68e2-4920-9848-d6e6c7ab3eb7}
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/conflict.1/oeloader.exe
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/oeloader.exe
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\cc2kui
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\orbitupdate
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\orbitview
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\sswplauncher
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\windows\downloaded program files\conflict.1\oeloader.exe
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shareddlls\c:\windows\downloaded program files\oeloader.exe
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\cc2k\displayname
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\cc2k\uninstallstring
    HKEY_USERS\s-1-5-21-1409082233-1390067357-1801674531-500\clsid\{0fda4d2b-7975-405d-8d7c-f5e2247eae80}

    Remove these files (if present) with Windows Explorer:
    addremove.htm
    addremove.js
    addremove_cc.js
    administrator.txt
    adzap.lic
    adzap_0001.js
    autosrch.js
    azunins.js
    band.js
    bobsaver.exe-2b87f43a.pf
    bobsaver.scr-3492b408.pf
    cars.xsl
    cnfmgr.js
    completedjobs.xml
    context.js
    controlpanel.js
    csres.dat
    dmfilemap.xml
    dmserver.exe-375d1fbc.pf
    hotels.xsl
    inst43.exe-233e3ddf.pf
    inst9753.exe-222ff47c.pf
    license.js
    logging.js
    masterconfig.xml
    oeuninstaller.exe-06b5e4b2.pf
    pestpatrolcl.exe-32de342c.pf
    productinfo.xml
    programfilesdir+\common files\oe\msbb.dll
    programfilesdir+\common files\oe\redirector.dll
    programfilesdir+\common files\oe\search.dll
    programfilesdir+\common files\oe\toolbar.dll
    programfilesdir+\common files\oe\uninstall.exe
    programfilesdir+\common files\oe\uninstallwa.exe
    programfilesdir+\orbit\ad.exe
    programfilesdir+\orbit\update.exe
    programfilesdir+\orbit\view.exe
    publickey.pbk
    refbutton.js
    related.js
    related.xml
    related.xsl
    request.xml
    response.xml
    rundll32.exe-333c496f.pf
    scr_adzap.js
    settings.xml
    smileytown.xml
    sslaunch.exe-12da0b03.pf
    sstbinst.exe-18a1b725.pf
    sys_except.xml
    systemroot+\bobsaver.exe
    systemroot+\bobsaver.scr
    systemroot+\downloaded program files\conflict.1\oeloader.dll
    systemroot+\downloaded program files\conflict.1\oeloader.exe
    systemroot+\downloaded program files\oeloader.exe
    systemroot+\downloaded program files\oeloader.inf
    systemroot+\system\redirector.dll
    systemroot+\system32\redirector.dll
    tbmgr.js
    tbproducts.js
    toolbar.js
    travel.js
    travel_0001.js
    travel_context.xml
    un_screensaver.xml
    un_searchassist.xml
    un_smileytown.xml
    un_travel.xml
    update.js
    utillauncher.js
    winutil.js
    xupiter.orbitexplorer.txt

    Remove these directories (if present) with Windows Explorer:
    programfilesdir+\common files\oe
    programfilesdir+\oe
    programfilesdir+\orbit

    Restore Settings:
    Start Microsoft Internet Explorer. In Internet Explorer, click Tools -> Internet Options. Click the Programs tab -> Reset Web Settings.
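    The removal list above, turned into a read-only PowerShell audit. This is an added example, not part of the thread or of any vendor's tool: it checks for the CLSIDs, Run values and files the post names and only reports what is present, so the findings can be reviewed before anything is removed. It assumes an elevated PowerShell session and that the post's `programfilesdir+` and `systemroot+` placeholders map to `$env:ProgramFiles` and `$env:SystemRoot`.

```powershell
# Added example: read-only check for the Starware artifacts listed in the post.
# Nothing is deleted or unregistered; the output is a list of what was found.
# Assumption: programfilesdir+ -> $env:ProgramFiles, systemroot+ -> $env:SystemRoot.

# CLSIDs the post associates with the Starware BHO / toolbar registrations.
$clsids = @(
    '{702ad576-fddb-4d0f-9811-a43252064684}',
    '{d48f2e28-68e2-4920-9848-d6e6c7ab3eb7}',
    '{fe6bc4ef-5676-484b-88ae-883323913256}'
)

# Registry keys where those CLSIDs would be registered (from the post's list).
$regKeys = foreach ($c in $clsids) {
    "HKLM:\SOFTWARE\Classes\CLSID\$c"
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c"
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\$c"
    "HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\$c"
}
$regKeys += 'HKLM:\SOFTWARE\Classes\BHO.CSBHO', 'HKLM:\SOFTWARE\Classes\AppID\dmserver.exe'

# Value names under the Run key from the "AutoRun Reference" section.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = 'cc2kui', 'orbitupdate', 'orbitview', 'sswplauncher'

# A subset of the files the post lists, with the placeholders resolved.
$files = @(
    "$env:ProgramFiles\Common Files\oe\redirector.dll",
    "$env:ProgramFiles\Common Files\oe\toolbar.dll",
    "$env:ProgramFiles\orbit\ad.exe",
    "$env:SystemRoot\bobsaver.exe",
    "$env:SystemRoot\Downloaded Program Files\oeloader.exe",
    "$env:SystemRoot\system32\redirector.dll"
)

$findings = @()
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "[RegistryKey] $k" }
}
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($v in $runValues) {
    if ($runProps -and $runProps.$v) { $findings += "[RunValue] $v = $($runProps.$v)" }
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "[File] $f" }
}

if ($findings.Count -gt 0) { $findings } else { 'No Starware artifacts from the list were found.' }
```

    A clean result from this check does not by itself clear the machine; it only confirms that none of the indicators from this particular list are present.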
     
  5. DR.G

    DR.G Private E-2

    Thanks. I have seen similar lists on other sites but hoped there might be a more sophisticated approach. Nevertheless, I have gone through your catalogue and I have not identified a single relevant object.
    Incidentally, in the last few days I have discovered that a pornographic dialler called Centre 24 has attached itself to my Ewido download Uninstaller. It is in quarantine now but when I come to uninstall Ewido I shall disconnect my phone line and hope the dialler does not 'grenade'!
    Regards.
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  7. DR.G

    DR.G Private E-2

    Further to my last, I have identified the following items in HKey_Local_Machine/Software/Microsoft/Internet Explorer/Active X compatibility:-
    702ad576-fddb-4dOf-9811-a43252064684
    d48f2e28-68e2-4920-9848-d6e6c7ab3eb7

    I have deleted these without effect but does this point to an Active X problem? Manage Add-Ons shows nothing relevant.

    Best Wishes
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    702ad576-fddb-4dOf-9811-a43252064684 <<<=== This returns no information
    d48f2e28-68e2-4920-9848-d6e6c7ab3eb7 <<<=== You can delete this entry

    Search for and delete Redirector.dll. It may be in the System32 folder.
     
  9. DR.G

    DR.G Private E-2

    Thank you. I am afraid there is no trace of Redirector.dll anywhere.
     
  10. DR.G

    DR.G Private E-2

    Since my last reply I have run a programme called POP UP Sentry. This identified a Starware related item called maps.exe and a Trojan called NILaunch.exe. These are both quarantined but attempts to block the IE home page change are being resisted. This is not surprising since maps.exe was a zipped download only.
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Rename hijackthis.exe to analyse.exe.

    Follow the directions for Using GetRunKey and
    Using ShowNew.

    Post a fresh HijackThis log along with runkeys.txt and newfiles.txt.
     
  12. DR.G

    DR.G Private E-2

    Thank you. I thought perhaps we had come to a dead end! Hope the attached are what you wanted.
     

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I see nothing in the logs to explain the pop-ups.

    You did not rename hijackthis.exe to analyse.exe as I requested.

    Download Blacklight Beta from here:
    http://www.majorgeeks.com/F-Secure_BlackLight_d5156.html
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click Accept Agreement and click Scan.
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.
     
  14. DR.G

    DR.G Private E-2

    Hijack was renamed but I did the shortcut by mistake! Have now attached the proper log in case it is still useful.
    Also, please find attached the blbeta log as requested.
    Incidentally, I don't know if it means anything but the main problem (home page takeover) is not there in Safe Mode.
     
    Last edited: Jul 24, 2006
  15. DR.G

    DR.G Private E-2

    Trouble adding logs. Pasting instead.
     

    Attached Files: HJT.log and BB.log
    Last edited by a moderator: Jul 24, 2006
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for Running Hoster.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.
     
  17. DR.G

    DR.G Private E-2

    Thank you. I do believe you've cracked it! My home pages are now 'free-form'. It pays to persevere!
    It's interesting to see that items O1, O8 and O17 in your list had disappeared by the time I ran Hijack so Hoster must have played a significant part. In fact, there is no trace of Download Manager anywhere.
    It's also interesting that not one of AdAware or the several spyware programs I have has detected Starware. I wonder if you have a favourite?
    Anyway, many thanks for your help in eliminating this malware. You and your colleagues provide a valuable service for which we should be grateful.
    Kind regards,
    Dr.G
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome.

    I use Ad-Aware SE, Spybot S&D, SpywareBlaster and SpywareGuard. The first two are for spyware, SpywareBlaster adds URLs to the Restricted Zone, and SpywareGuard is for active BHO protection. It depends really on how these companies classify things, whether they detect a given item as spyware.
     
  19. DR.G

    DR.G Private E-2

    Thanks for the info. Will add Spyware Guard to the others. See you around.
    Dr. G
     
