That's it! Well, almost... Here is my story. If you are in a rush, start reading at point 12 :-)
1) The classic problem - Homepage was changed to a search page and pop-ups kept appearing to urge me to purchase Spyware removal software. Panda Software describes this virus as StartPage.FH
For screen shots of the problem take a look at http://www.pandasoft...x?idvirus=48563
2) Running http://www.pandasoft...n_principal.htm identifies the existence of StartPage.FH and removes it. Incidentally, Trend Micro's on-line scanner at http://housecall.tre.../start_corp.asp was just crashing Internet Explorer!
3) After removal with Panda ActiveScan all seemed well for about 24 hours - then the virus reappeared.
4) StartPage.FH appeared to be triggered by the creation of a randomly named Browser Helper Object DLL. BHODemon V2.0 is good for spotting these as soon as they are created.
5) Downloaded all sorts of great programs I saw discussed on this site - HijackThis, CWShredder, BHODemon, Ad-Aware... but still I was stuck with 24hr recurrence (after cleaning with Panda ActiveScan).
6) By this stage I had determined that it was definitely iexplore.exe and its associated dlls that were triggering the reinstallation of StartPage.FH.
7) So, went to www.sysinternals and downloaded regmon and filemon - great utilities BTW!
8) Rebooted; started regmon and filemon; Opened and closed internet explorer; paused regmon and filemon capture; reviewed regmon and filemon for activity during opening and closing Internet Explorer.
9) Spotted a regmon entry for a strange dll:
BTW, I assume that this dll name is again random??
10) Went looking for this DLL in System32 - it wasn't there!
11) So I thought let's create a dummy file of that name in the same folder - but I couldn't - Error message "A file of that name already exists!"
12) Searched the web for "hidden dll virus" - all of a sudden we are getting there fast! Take a look at this link:
13) Lots of other references to dllfix.exe as possible fix, but the author has currently removed this file while he fixes some bugs.
14) So followed the manual removal as per the akadia link.
15) Note, you do need the Registrar Lite registry editor - in regedit you can't see the value for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
16) As per Akadia link I installed the recovery console off the XP CD, but Windows wouldn't then start in recovery mode - it blue screened!
17) So, had to run the recovery console directly from the XP CD. Not a problem, just boot from the XP CD and after it's loaded up all its drivers you will have the option of "Press R to repair via recovery console".
18) Other than that, just follow the Akadia instructions to the letter!
19) Just to be tidy, do a final cleanup by running CWShredder.
So, this is a nasty one indeed!
The hidden dll is running all the time and seems to:
1) Crash Trend Micro's House call scanner.
2) Hide the value for the AppInit_DLLs in regedit.
3) Hide the dll itself (even if you have all your settings at "Show hidden files")!
4) Prevent running (or maybe corrupts the installation) of the recovery console - so forced to run it from the CD.
BTW, I am convinced that I did not "run" anything to get this virus - I am suspicious that this virus got on my PC from the current high profile holes in Internet Explorer - what do others reckon?
Anyway, I hope this helps all the others out there who are also struggling with this nasty hijack - take a look at Panda Software's virus stats for StartPage.FH. At the moment it represents about 3% of all viruses found by ActiveScan. Yet the graphs show that StartPage.FH barely featured until about mid-June!
BTW, I suggest you run ActiveScan to remove StartPage.FH first, before embarking on the hidden dll removal procedure! In case it's not clear from the above - it's not removing StartPage.FH that's the problem, but removing the *hidden* dll that keeps reinstalling it!
Oh, and thank you Akadia!
Edited by JustPassingBy, 02 July 2004 - 07:56 PM.
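A defender-side check for the two symptoms the post describes (a DLL that a forced directory listing does not show, yet whose name is "already taken" when you try to create a file of that name), added here as an example and not the poster's own procedure. It assumes the standard AppInit_DLLs location under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (a known key; the post's path is truncated) and PowerShell run from an elevated prompt.

```powershell
# Added example, not from the original post. Checks each DLL listed in AppInit_DLLs
# for the two symptoms the post describes: a forced directory listing does not show
# the file, yet creating a file of that name fails because it "already exists".
# Assumes the standard AppInit_DLLs location (a known key; the post's path is truncated).
# Run elevated: where no file exists, the probe briefly creates and then removes one.
function Test-AppInitDlls {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $raw = (Get-ItemProperty -Path $key -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) {
        Write-Host 'AppInit_DLLs is empty here; the post notes it can be hidden from live registry reads.'
        return
    }

    # Entries may be separated by commas or spaces; bare file names resolve from System32.
    foreach ($entry in ($raw -split '[,\s]+' | Where-Object { $_ })) {
        $path = if ([System.IO.Path]::IsPathRooted($entry)) { $entry }
                else { Join-Path "$env:SystemRoot\System32" $entry }
        $dir  = Split-Path -Path $path -Parent
        $name = Split-Path -Path $path -Leaf

        # Symptom 1: does a listing that includes hidden/system files show the DLL?
        $listed = [bool](Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                         Where-Object { $_.Name -ieq $name })

        # Symptom 2: does CreateNew fail with an IOException (the name is already taken)?
        $collides = $false
        try {
            $fs = [System.IO.File]::Open($path, [System.IO.FileMode]::CreateNew)
            $fs.Dispose()
            Remove-Item -LiteralPath $path -Force   # the probe file was ours; clean up
        } catch [System.IO.IOException] {
            $collides = $true
        } catch {
            Write-Host ("{0}: probe failed ({1})" -f $path, $_.Exception.GetType().Name)
        }

        $verdict = if (-not $listed -and $collides) { 'HIDDEN: listing omits file but name is taken' }
                   elseif ($listed)                 { 'visible' }
                   else                             { 'missing: dangling entry' }
        Write-Host ("{0,-60} {1}" -f $path, $verdict)
    }
}

Test-AppInitDlls
```

Get-ItemProperty reads the registry through the same live API that regedit uses, so an empty result is not conclusive on a machine where the value is being hidden; the reliable comparison is against the hive read from offline media, which is effectively what the recovery console route in the post does.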