sp.html spyware homepage hijacker Severity HIGH

D

Don

if anyone gets this damn about.hml page with the popup about your IP
address, you're a victim.

I have been tracing this thing down in the registry and the winnt
folder:
very hard to find,
very reproductive.

files it created:
ideb.dll
sp.html
and many others

#######################
its a virus:

http://www.pandasoftware.com/virus_info/encyclopedia/ficha.aspx?iddeteccion=105595

Infection strategy

StartPage.FH is a DLL (Dynamic Link Library) that is registered with
the browser Internet Explorer. This DLL changes the browser's home
page.

StartPage.FH creates the file SP.HTML in the Windows temporary
directory. This file contains the web site displayed when the Internet
Explorer is launched.

StartPage.FH creates the entries in the Windows Registry, among
others:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
Search Page = %tempdir%\sp.html
where %tempdir% is the Windows temporary directory.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Start Page = about:blank

Means of transmission

StartPage.FH does not spread automatically using its own means. It
needs the attacking user's intervention in order to reach the affected
computer. The means of transmission used include, among others, floppy
disks, CD-ROMs, e-mail messages with attached files, Internet
downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing
networks, etc.

Further Details

StartPage.FH is 30,720 bytes in size and it is compressed.

###################

the fix:

Is my computer infected by StartPage.FH?

In order to make absolutely sure that StartPage.FH has not affected
your computer, you have the following options:

Carry out a full scan of your computer using Panda Antivirus, after
checking that it is updated. If it isn't and you are a registered
Panda Software client, update it by clicking here.
Check the computer with Panda ActiveScan, Panda Software's free,
online scanner, which will quickly detect any possible viruses.


How to remove StartPage.FH?

If Panda Antivirus or Panda ActiveScan detects StartPage.FH during the
scan, it will automatically offer you the option of deleting it. Do
this by following the program's instructions.

Additional notes:

If your computer has Windows Millennium installed, click here to
permanently remove all trace of the virus.
If your computer has Windows XP installed, click here to permanently
remove all trace of the virus.

How can I protect my computer from StartPage.FH?

In order to keep your computer protected, bear the following tips in
mind:

Install a good antivirus in your computer. Click here to get the Panda
antivirus solution that best suits your needs.
Keep your antivirus updated. If automatic updates are available,
configure your antivirus to use them.
Keep your permanent antivirus protection enabled at all times.
For more detailed information about how to protect your computer
against viruses and other threats, click here.

##########################

I can't wait for the next SP fix so IE won't have holes like this again.

cheers
 
R

Ross Durie

It says first appeared on June 15th yet I've seen versions of this that are
several months old. I also wouldn't expect Panda or any other virus software
to be able to remove the hidden DLL involved.

I use the following method

There is no "automated" anti-spyware removal tool for this type of infection.
There are 2 DLLs involved, the "BHO" DLL which you see in your log and the
main culprit which is totally hidden. Removing the "BHO" DLL has no effect
as it (main culprit) will simply generate a new BHO DLL.

Ok, here goes ... this is my "How To:" (Hint: print out the below)

[Tools and files needed]

Download: "RepairAppInit.reg" (XP\2K only!)
http://www.mvps.org/winhelp2002/RepairAppInit.reg
Do not do anything with this file yet, it will be needed later.

Download: CWShredder
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip, but do not run it yet, it will be needed later.

Download: Ad-Aware
http://www.lavasoft.de/software/adaware/
Install, but do not run it yet, it will be needed later.

Download: Find-All.zip
http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm
Unzip, but do not run it yet, it will be needed later.

Download: WINFILE.zip
http://www10.brinkster.com/expl0iter/freeatlast/WINFILE.zip
Unzip, but do not run it yet, it will be needed later.

Download: Registrar Lite [freeware]
http://www.resplendence.com/download
Install, but do not run it yet, it will be needed later.

[Step1]

Double-click the included "Find-All.bat" file from Find-All.zip.
Generates: "output.txt"
Note: if infected you will see:

Locked file(s) found...
C:\WINDOWS\System32\<filename> +++ File read error
Where "<filename>" is the hidden invisible installer.
Note: "+++ File read error" is not an error, this just identifies the
culprit.

[Step2]

Run "Registrar Lite" and navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Double click on "AppInit_DLLs" entry (right pane)
The size will likely be something other than "1" (if infected)
IMPORTANT: Make a note of the filename and location (folder)

[Step3]

Rename the highlighted "Windows" key (left pane)
To rename: Right-click and select: Rename
(type) NoWindows


Double-click "AppInit_DLLs" again (right pane)
Clear (delete) the "Value" containing the .dll and click Ok.


IMPORTANT: Rename the "NoWindows" key (left pane)
To rename: Right-click and select: Rename
(type) "Windows" (no quotes) and close RegLite.

[Step 4]

Using Windows Explorer go to your root drive: (typically) "C:\"
Click File (up top) select: New > Folder
(type) "Junk" (no quotes)

Open Winfile

Navigate to System32 folder.
Click File (up top) select: Move

Copy and paste this into the 'From' box: C:\WINDOWS\System32\<filename>.dll
Copy and paste this into the 'To' box: C:\Junk\<filename>.dll

Note: where "<filename>" = culprit dll from "output.txt"

Click OK. Close Winfile
Open Windows Explorer and check in C:\Junk for the "<filename>.dll" file.

At this point see if you can rename the "<filename>.dll"
Do this several times, changing the name and extension each time.
Then see if you can "Move" to "A:\" (floppy)

[Step 5]

Locate: "RepairAppInit.reg" right-click and select: Merge
Ok the prompt

[Step 6]

Open Regedit (Start | Run (type) "regedit" (no quotes))
Use the Search function for the <filename>.dll
Click: Edit (up top) select: Find
(type) <filename>.dll, click: Find Next

Note: where "<filename>" = culprit dll from "output.txt"

Remove all instances found. Press "F3" to continue searching
until you see the "Completed" message.

Next repeat the above steps, substituting the "secondary dll"
From: "text/html" as seen in the "output.txt"


[Step 7]

Run CWShredder and reboot.

[Step 8]
Run Ad-Aware

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp.com/howto/updref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard
drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh log ...
--

Disclaimer: Renaming the "Windows" key modified some security settings.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

Right-click the "Windows" key, select: Permissions

[Example]
Before renaming the "Windows" key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
*"Administrators
*Power Users
*Users"
"Write"
*"Administrators"

--
[Example]

After Renaming the key:

"Path"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
"Read":
***"Everyone"***
"Write"
*"Administrators
--

You need to check that, and if 'Everyone' was added (as seen above)
you need to reset your original settings as follows:
Note: do this after removing the infection.

Right-click "Windows", select: Permissions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

Click Advanced [button]
If the "inherit permissions" box is checked = Uncheck it.
Then select "COPY" on the prompt.

Select "Everyone Group" (if listed) and remove. (only the group)
You can individually view/edit each group settings.
Be sure "Administrators" and "System" have full control on all.
Note: Creator owner full control on Sub keys only.
"Power users" and "users" = "read control".
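The two posts above describe four places to look on a suspect machine: the AppInit_DLLs value, the Internet Explorer Start Page / Search Page values, the BHO registration, and the ACL on the "Windows" key after the rename trick. The read-only audit script below is an added example, not from either poster or from Panda, that checks all four and the sp.html file in the temp folder in one pass. It assumes Windows PowerShell 5.1 or later on Windows, run from an elevated prompt so the HKLM ACL can be read; the regular expressions used to flag a suspicious Start Page are an assumption about what "points at a local file" looks like, not something taken from the thread.

```powershell
# Added read-only audit of the persistence points discussed in the thread.
# Assumes: Windows PowerShell 5.1+ on Windows, elevated prompt (needed for Get-Acl on HKLM).
# Nothing here modifies the registry or the file system.

$findings = @()

# 1. AppInit_DLLs: any DLL listed here is loaded into every process that
#    links user32.dll, which is how the "hidden" DLL in Ross's write-up persists.
#    On a clean machine this value is empty.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if (-not [string]::IsNullOrWhiteSpace($appInit)) {
    $findings += "AppInit_DLLs is set to '$appInit' (expected empty)"
}

# 2. IE Start Page / Search Page in both hives. The Panda entry says the
#    infection sets Search Page to %tempdir%\sp.html and Start Page to about:blank.
foreach ($hive in 'HKLM', 'HKCU') {
    $ieMain = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Main"
    $props  = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL') {
        $val = $props.$name
        # Heuristic (assumption): a home/search page that resolves to a local
        # file, a temp folder, or sp.html is not something a user configured.
        if ($val -and ($val -match '(?i)sp\.html|\\Temp\\|^file:')) {
            $findings += "$hive '$name' = '$val'"
        }
    }
}

# 3. Browser Helper Objects: every CLSID registered here is loaded by IE.
#    Resolve each one to its InProcServer32 DLL so the path can be reviewed.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" `
               -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { $server = '<no InProcServer32 entry>' }
    $findings += "BHO $clsid -> $server"
}

# 4. The sp.html dropper page in the temp directory, as named in the thread.
$spHtml = Join-Path $env:TEMP 'sp.html'
if (Test-Path -Path $spHtml) {
    $findings += "Found $spHtml"
}

# 5. ACL on the "Windows" key: the thread notes that renaming the key can
#    leave an 'Everyone' read entry behind. Flag it so it can be removed.
$acl = Get-Acl -Path $winKey -ErrorAction SilentlyContinue
if ($acl) {
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'Everyone') {
            $findings += "ACL on Windows key grants '$($ace.RegistryRights)' to Everyone"
        }
    }
}

if ($findings.Count -eq 0) {
    'No findings: AppInit_DLLs empty, IE pages not redirected, no BHOs, no Everyone ACE.'
} else {
    $findings
}
```

Because the script only reads, it is safe to run before and after the cleanup steps in the post; a second run after merging RepairAppInit.reg and fixing the permissions should report no findings. A BHO listing is not a finding by itself (legitimate toolbars register the same way), which is why the script prints the resolved DLL path for each one rather than deleting anything.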
 
