
NAV sabotaged, can't reinstall

Discussion in 'Malware and Virus Removal Archive' started by charlie_c, 2005/02/01.

Thread Status:
Not open for further replies.
  1. 2005/02/01
    charlie_c

    charlie_c Inactive Thread Starter

    Joined:
    2004/03/11
    Messages:
    107
    Likes Received:
    0
    I downloaded some sort of Trojan.StartPage hijacker virus - not only does it always show a "search page" as start page - a NAV Alert says "Norton AV has successfully removed the following C:\windows\TEMP\sp.dll and it is ok to start your computer." But when you click "finish" it starts the hijacked page. This NAV notice appears after clicking on any new application. This start page and its pop-up ads continually interrupt.

    Tried to do a virus scan - but NAV said an internal problem has occurred and to uninstall and reinstall NAV.
    But every attempt at a reinstall fails with the same "internal problem..." error message. Apparently NAV has also been sabotaged. NAV 2003 Pro, that I have, is no longer supported where I looked for help.
    Will another AV program get me through this?

    I am on Win98 SE on my Sony laptop backup.

    Here is the logfile for HJT if this might help:

    Logfile of HijackThis v1.99.0
    Scan saved at 11:34:02 PM, on 2/1/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\NETZERO\EXEC.EXE
    C:\PROGRAM FILES\JUNO\EXEC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=...400000&I=7.NQ2&L=g#10&M=965199600000&N=PL&O=A
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\JUSEARCH\SEARCHENH1.DLL
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: (no name) - {C8C92BA1-7308-11D9-8879-000EF77AF625} - C:\WINDOWS\SYSTEM\FDAB.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\PROGRAM FILES\JUNO\TOOLBAR.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\CFGWIZ.EXE /R
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
    O4 - HKCU\..\Run: [Juno_uoltray] C:\PROGRAM FILES\JUNO\EXEC.EXE regrun
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
    O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
    O9 - Extra button: ComcastHSI - {FEB0B8A0-720F-11D8-8879-0030BD0023D9} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {FEB0B8A1-720F-11D8-8879-0030BD0023D9} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
    O9 - Extra button: Support - {FEB0B8A2-720F-11D8-8879-0030BD0023D9} - http://www.comcastsupport.com (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite/fvliteY.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by5fd.bay5.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O18 - Filter: text/html - {C8C92BA0-7308-11D9-8879-000E983653BE} - C:\WINDOWS\SYSTEM\FDAB.DLL
    O18 - Filter: text/plain - {C8C92BA0-7308-11D9-8879-000E983653BE} - C:\WINDOWS\SYSTEM\FDAB.DLL


    What to do next? Thanks,
    Charlie
     
  2. 2005/02/02
    charlie_c

    charlie_c Inactive Thread Starter

    Joined:
    2004/03/11
    Messages:
    107
    Likes Received:
    0
    Update: tried to run RAV Virus scan online - but it says Active-X is turned off.
    But I have security settings set to "default" - which is medium security. Either I somehow changed the settings - or something is wrong here.
    I have been 2 days w/o AV protection. I need advice.
     


  4. 2005/02/02
    MinnesotaMike

    MinnesotaMike Geek Member

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    charlie_c,

    Have you tried installing AVG anti virus? Two more online scans you can run are Panda ActiveScan and Trend Micro. Here are Norton's instructions for removing the trojan.

    Mike
     
  5. 2005/02/03
    charlie_c

    charlie_c Inactive Thread Starter

    Joined:
    2004/03/11
    Messages:
    107
    Likes Received:
    0
    OK - Thanks. I did get AVG installed. But after it deleted 3 Trojan.StartPage infected files and opened my browser - the start page was hijacked again. Also I ran Ad-Aware and it found 60 or so critical objects. But it looks like Ad-Aware gets hung up before the "deleting files" scan bar finishes. I don't know for sure if these are actually deleted. I'm getting Active-X messages, missing .dll files, a search page for my homepage, pop-up ads for spyware removal and most bothersome - every time I open my Yahoo mail account the search page takes it over in about 2 seconds. I never get a chance to click on "inbox" or anything. It may fill up and start bouncing before I get into the account. I can log into Yahoo groups OK - but every time I click on email this **** page takes over. I have put 4-5 hours into this problem - including Norton's precise detailed instructions for the error codes given. Every time I reinstalled NAV - it gave an internal error message.
    Can't understand this virus. It's dated 2002. I have auto update for NAV data files. I got an update last Wed. and another Friday, I think. I ran the NAV scan on the computer Friday night - and picked this trojan up later that same night! This was not supposed to be that difficult - according to Norton's site.
    I'm limping along for the meantime.
     
  6. 2005/02/03
    MinnesotaMike

    MinnesotaMike Geek Member

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    charlie_c,

    I see some listings for about:blank in your HJT log. You may want to do a search on about:blank here at the board. This seems to be a problem lately and there are lots of posts on it. I would also recommend that you update and run HJT again. Then start a new post and name it something like "HJT log help please". That will get the right people looking at it.

    One other thing. Have you tried going back to a good restore point?

    Mike
     
  7. 2005/02/03
    charlie_c

    charlie_c Inactive Thread Starter

    Joined:
    2004/03/11
    Messages:
    107
    Likes Received:
    0
    Thanks - will do that. It looks like an outbreak - by the posts.
    I don't believe I have restore points in Win98, do I?
     
  8. 2005/02/03
    MinnesotaMike

    MinnesotaMike Geek Member

    Joined:
    2002/01/07
    Messages:
    1,396
    Likes Received:
    3
    Not that I remember. I wasn't sure which system you were using. I did find a page on manually restoring the registry in 98. Not sure if that will help. I saw your new HJT post, so maybe you should wait to hear what is suggested there.

    Mike
     
  9. 2005/02/03
    charlie_c

    charlie_c Inactive Thread Starter

    Joined:
    2004/03/11
    Messages:
    107
    Likes Received:
    0
    So far I'm not getting any replies. :confused:
     
  10. 2005/02/04
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Charliec, remove these items in HJT with all internet browsers and Windows Explorer windows closed.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\JUSEARCH\SEARCHENH1.DLL
    O2 - BHO: (no name) - {C8C92BA1-7308-11D9-8879-000EF77AF625} - C:\WINDOWS\SYSTEM\FDAB.DLL
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?
    O18 - Filter: text/html - {C8C92BA0-7308-11D9-8879-000E983653BE} - C:\WINDOWS\SYSTEM\FDAB.DLL
    O18 - Filter: text/plain - {C8C92BA0-7308-11D9-8879-000E983653BE} - C:\WINDOWS\SYSTEM\FDAB.DLL

    When done, shut down, but choose the Restart in MS-DOS Mode option, and run these commands at the prompt. The first one appears to do nothing.
    smartdrv
    deltree c:\windows\temp
    deltree c:\windows\tempor~1

    Type Y to confirm that you want to delete, and reboot the computer when done.

    Open Windows Explorer, set the Folder Options to Show All Files.

    Delete this folder.
    C:\PROGRAM FILES\JUSEARCH

    Delete this file.
    C:\WINDOWS\SYSTEM\FDAB.DLL

    Surf for a bit, maybe try the online scan for it may work now. Then post a new log.
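The entries markp62 lists above are the fingerprint of the 2005 about:blank hijacker: the R0/R1 search values point at `res://c:\windows\TEMP\sp.dll/sp.html` (the `res://` protocol loads an HTML page stored as a resource inside the DLL), the unnamed O2 BHO and the two O18 MIME filters on text/html and text/plain all load `FDAB.DLL`, and a filter on text/html means that DLL gets to see and rewrite every page IE renders, which is why the "search page" replaces Yahoo Mail within seconds. The script below is an added example, not part of the thread and not HijackThis code: it parses an HJT log, flags entries by the same rules markp62 applied, and turns the flagged paths into the file and folder deletions he asked for. The sample log is a constructed subset of charlie_c's posted log; the Microsoft URLSearchHook CLSID is the default hook as I know it, and the rules are heuristics, not a substitute for a human reading the log.

```python
"""Triage a HijackThis log for the about:blank / Trojan.StartPage hijacker pattern.

Added example, not code from the thread or from HijackThis. The rules below
are heuristics distilled from the entries markp62 told charlie_c to fix;
the sample log is a constructed subset of charlie_c's posted log.
"""
import re

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\JUSEARCH\SEARCHENH1.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {C8C92BA1-7308-11D9-8879-000EF77AF625} - C:\WINDOWS\SYSTEM\FDAB.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O18 - Filter: text/html - {C8C92BA0-7308-11D9-8879-000E983653BE} - C:\WINDOWS\SYSTEM\FDAB.DLL
O18 - Filter: text/plain - {C8C92BA0-7308-11D9-8879-000E983653BE} - C:\WINDOWS\SYSTEM\FDAB.DLL
"""

# Microsoft's own URLSearchHook, the only one a clean IE 5/6 install registers
# (assumption: this is the default CLSID as I know it).
MS_URLSEARCHHOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# Drive-letter path ending in a loadable module; spaces allowed (Program Files).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx)\b", re.IGNORECASE)


def parse(log_text):
    """Yield (section, body, raw_line) for every R*/O* entry in an HJT log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body"), line.strip()


def flag(entry):
    """Return why an entry looks like part of the hijack, or None if it looks benign."""
    sec, body, _ = entry
    low = body.lower()
    if sec in ("R0", "R1"):
        value = body.split(" = ", 1)[1].lower() if " = " in body else ""
        if value.startswith("res://") and "\\temp\\" in value:
            return "IE search value loads an HTML resource out of a DLL dropped in TEMP"
        if value == "about:blank" and "search" in low:
            return "search setting reset to about:blank (about:blank hijack residue)"
    if sec == "R3" and MS_URLSEARCHHOOK.lower() not in low:
        return "non-Microsoft URLSearchHook: rewrites every address-bar search"
    if sec == "O2" and "bho: (no name)" in low:
        return "unnamed BHO: a DLL loaded into every IE and Explorer window"
    if sec == "O18" and ("text/html" in low or "text/plain" in low):
        return "MIME filter on text/html or text/plain: the DLL can rewrite every page IE renders"
    return None


def triage(log_text):
    """Return the entries to fix in HJT plus the files and folders to remove by hand."""
    findings, files, dirs = [], set(), set()
    for entry in parse(log_text):
        reason = flag(entry)
        if reason is None:
            continue
        findings.append((entry[2], reason))
        for path in PATH_RE.findall(entry[1]):
            parts = path.upper().split("\\")
            # A module that lives in its own Program Files folder: remove the folder
            # (as markp62 did for JUSEARCH); otherwise remove the single file.
            if len(parts) >= 3 and parts[1] == "PROGRAM FILES":
                dirs.add("\\".join(parts[:3]))
            else:
                files.add("\\".join(parts))
    return {"fix": findings, "delete_files": sorted(files), "delete_dirs": sorted(dirs)}


if __name__ == "__main__":
    plan = triage(SAMPLE_LOG)
    print("Fix in HJT (all browser and Explorer windows closed):")
    for raw, why in plan["fix"]:
        print(f"  {raw}\n      -> {why}")
    print("Delete from DOS mode / with hidden files shown:")
    for p in plan["delete_files"] + plan["delete_dirs"]:
        print(f"  {p}")
```

Run against the sample it flags eight entries (the four search values, the JUSEARCH hook, the unnamed BHO and both filters), leaves the Yahoo and Norton BHOs alone, and produces `SP.DLL`, `FDAB.DLL` and the `JUSEARCH` folder as the deletions. HJT's "Fix checked" only removes the registry entries; the DLLs stay on disk, and because Explorer and IE have the BHO and filter loaded, that is why markp62 has the files removed from DOS mode and with all files shown rather than from inside Windows.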
     
