Malware DLDR-STARTPAGE.SBB.001 problem

A couple of weeks ago, Boclean popped up a message showing a Trojan detected.
This is the message content
10/06/2007 21:44:12:
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave

I have tried everything to detect and remove this trojan but it still pops up daily.
Other scanners don’t have it listed and it is not detected by CAVS; however, Boclean does have it listed. I have googled it and not found much information.

I also put in a ticket to Comodo and initially had a reply saying:
We have forwarded your issue to our developers, once we get solution we will get back to you.

I have heard nothing since and that was on 9th October.
I have put in another ticket referencing the first and comodo support have just put that one on hold without replying to me.
This is the part which annoys me, as I still don’t know if my system is safe or not.
As Boclean appears to be the only anti-malware program listing this trojan, I need to know if it is a danger and how to get rid of it.

Please somebody help.

Regards

Dave

My setup is as follows

I am running Windows XP Prof SP2
IE version 7.0.5730.11
Security software
Adaware
Spybot
Comodo Firewall prof 2.4
Comodo AV
Boclean 4.25

The detections so far are as follows


10/06/2007 21:44:12:
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave


10/07/2007 23:12:20: DLDR-STARTPAGE.SBB.001 VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave


10/08/2007 21:36:02: DLDR-STARTPAGE.SBB.001 VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave


10/10/2007 23:06:40: DLDR-STARTPAGE.SBB.001 VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\ignored contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave


10/13/2007 23:05:05: DLDR-STARTPAGE.SBB.001 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Dave


10/14/2007 21:43:52: DLDR-STARTPAGE.SBB.001 VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave


10/15/2007 08:10:38:
Trojan horse was found in memory.
C:\ignored contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Dave


10/16/2007 00:23:23: DLDR-STARTPAGE.SBB.001 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Dave


10/16/2007 22:04:13: DLDR-STARTPAGE.SBB.001 VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave


10/16/2007 22:04:29:
Trojan horse was found in memory.
C:\DOCUME~1\DAVE\LOCALS~1\TEMP\ROBOFORM\ROBOTASKBARICON.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Dave


10/17/2007 23:07:16: DLDR-STARTPAGE.SBB.001 VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave


10/17/2007 23:08:24:
Trojan horse was found in memory.
C:\ignored contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Dave


10/18/2007 16:00:16: DLDR-STARTPAGE.SBB.001 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Dave


10/18/2007 22:29:30: DLDR-STARTPAGE.SBB.001 VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave


10/19/2007 07:42:08: DLDR-STARTPAGE.SBB.001 VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave


10/19/2007 21:46:15: DLDR-STARTPAGE.SBB.001 VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave


10/20/2007 10:09:19: DLDR-STARTPAGE.SBB.001 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Dave


10/21/2007 10:09:27: DLDR-STARTPAGE.SBB.001 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Dave


10/21/2007 22:40:06: DLDR-STARTPAGE.SBB.001 MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: Dave


10/22/2007 14:27:35: DLDR-STARTPAGE.SBB.001 VARIANT STOPPED BY BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\TASKKILL.EXE contained the trojan.
Active trojan horse WAS shut down. System safe.
Logged in user: Dave

There seem to be a few trojans that use Taskkill to end various processes. Here is some info on some variants:

Did you tell BOClean to remove the trojan when it found it?

If so perhaps it is your system restore that is the problem, I think you may need to turn off system restore (to delete any backed up malware files) before removing the file with BOClean (if it can remove it).


Hi
Thanks for your reply

Yes, I have turned off Restore and I do tell Boclean to remove it every time it pops up.
It says that it has been stopped but returns after the next bootup.
Also, sometimes I get a message saying that the trojan has inbuilt protection and can’t be stopped and that I should reboot.

Also, since this trojan has been around, both CAVS and Comodo Firewall don’t autorun. I have to start them both manually.

The problem is Boclean only detects it when it tries to load into memory. I have not found any scanner that can actually detect the trojan itself.

Have you tried running HijackThis to see what shows up?

Also, some people have said that Antivir will detect variants of this but will not remove them unless in safe mode.


Do a Google search for “taskkill.exe”… it looks like it is a legitimate Windows file, though I don’t have it on my computer, running Win XP SP2 Home…

I think it is possible that a trojan on your computer might be trying to run the “taskkill.exe” process, but I think that “taskkill.exe”, itself, is not a trojan and that, because it is a legitimate Windows file, Windows is automatically restoring the file after BOC removes it…

Do a file search on your computer for the file and, if you find it, look at the file’s properties and see what they say… see if it is a Microsoft file… if you can find the file, also upload it to VirusTotal for scanning…

If you are not seeing the file, maybe that is because you have allowed BOC to remove it… try rebooting and, maybe, then, Windows will restore the file and so then you will be able to find it…

Update: I just saw this article… Windows XP Home, unlike Windows XP Professional, does not have “taskkill.exe”:

P.S. I looked at the links that NTTW posted, but I didn’t see anything there about a trojan “dldr.startpage” using “taskkill.exe”, but, still, it is possible that some malware that is called “dldr.startpage” does use “taskkill.exe”, while, again, “taskkill.exe”, itself, is not malware…

For cleaning your computer, or for seeing if it is clean, I would install some antirootkit utilities and run those and see what they flag… I think you can only run antirootkit utilities in “normal” mode…

Also, I would uninstall CAVS and install some other antivirus program instead, and I would also install SUPERAntiSpyware… update all of your antimalware programs and then boot into “safe mode” and run scans with the programs while in “safe mode”…

To boot into “safe mode”, tap the “F8” key as the computer is booting up and then select to start in “safe mode”…

I say that you should run scans in “safe mode” because it is possible that you have a rootkit(s) and the antimalware programs will be better able to flag the malicious files if they are run from within “safe mode”…

Also, here is a link to a forum where you can get help from experts with cleaning malware infections, if your computer is infected with malware:

I am guessing that, if you are infected with some malware, it is a “zhelatin” variant and that it is a rootkit, but it could be some other malware variant…

I would say that it is good that BOC is flagging “taskkill.exe” even if it, itself, is not malware, because it is preventing malware from using the “taskkill.exe” process to kill your security programs… at the same time, it is cueing you in that there is a problem…

It looks like you have some type of malware on your computer, IMO…

daventhomas,

I apologize for the difficulties you seem to be having with this. :-[
Can I get you to do 2 things?

First, zip a copy of the file “TASKKILL.EXE” along with your logs above and submit it to our lab as directed in the “False Positive?” section of our FAQ. Be sure to insert “False Positive” in the subject line.

Second, submit a customer support ticket pointing to this thread with its activity logs.
Let’s put this pup to rest. :wink:

Interesting! To the OP, here are my stats for the file taskkill.exe from my WinXP Pro system.

File version 5.1.2600 created 8/23/2001. I wonder if your creation date will be different if MS is recreating the file?

Also the file hashes are:

MD5 Hash - 051036EB5A44774ED861A63F025D062D
SHA1 Hash - CF3F4DAE0E814A88A0347C5662EA1A17ABC5DEE7
CRC-32 - F17C9325

Source is right click and properties on the file itself.

I am not so sure this is a False Positive as no one else is reporting it. Of course, I’m not exactly sure how and when Taskkill.exe is normally run. I would assume when you use Task Manager to kill a process. I have done that several times over the last week and have not seen a CBOC alert. In your case, though, maybe something is causing taskkill.exe to run at startup which in turn is causing BOC to alert.

I did notice the one alert on Roboform in the logs. Also noticed that not all the alerts say the same thing. Is it possible for BOC to get a glitch thus causing a FP where an uninstall/reinstall is warranted? Just a thought.
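The checks proposed in the two posts above (inspect the properties and hashes of taskkill.exe, then find out what is launching it at startup) collected into one PowerShell triage script. This is an added example, not code from the thread or from Comodo. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), Windows 8 or later for Get-ScheduledTask, and that "Audit Process Creation" is enabled for the Security-log query; the reference hashes are the MD5 and SHA-1 values posted above for taskkill.exe 5.1.2600 on Windows XP Pro and will legitimately differ on any other build.

```powershell
# Added triage example for a security tool that keeps flagging taskkill.exe.
# Not from the thread or from Comodo. Assumes PowerShell 4.0+, Windows 8+ for
# Get-ScheduledTask, and "Audit Process Creation" enabled for the 4688 query.
# Reference hashes: the values posted in the thread for taskkill.exe 5.1.2600
# on Windows XP Pro; they differ on every other Windows build.

$TaskkillPath    = Join-Path $env:SystemRoot 'System32\taskkill.exe'
$ReferenceHashes = @{
    MD5  = '051036EB5A44774ED861A63F025D062D'
    SHA1 = 'CF3F4DAE0E814A88A0347C5662EA1A17ABC5DEE7'
}

function Test-TaskkillIntegrity {
    # Version info, hashes and signature of the file on disk. A hash mismatch
    # with a valid Microsoft signature just means a different build; a mismatch
    # with no valid signature is the case worth submitting to VirusTotal.
    param([string]$Path = $TaskkillPath, [hashtable]$Reference = $ReferenceHashes)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-Item -Path $Path
    $md5  = (Get-FileHash -Path $Path -Algorithm MD5).Hash
    $sha1 = (Get-FileHash -Path $Path -Algorithm SHA1).Hash
    # OS binaries are normally catalog-signed rather than carrying an embedded
    # signature; Get-AuthenticodeSignature consults the catalog on supported builds.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path             = $Path
        FileVersion      = $item.VersionInfo.FileVersion
        CompanyName      = $item.VersionInfo.CompanyName
        Created          = $item.CreationTime
        MD5              = $md5
        SHA1             = $sha1
        MatchesReference = ($md5 -eq $Reference.MD5 -and $sha1 -eq $Reference.SHA1)
        SignatureStatus  = $sig.Status
        Signer           = $sig.SignerCertificate.Subject
    }
}

function Get-TaskkillAutostarts {
    # Autostart entries whose command mentions taskkill. Win32_StartupCommand
    # covers the Run/RunOnce keys and both Startup folders; Winlogon Shell and
    # Userinit and scheduled tasks are checked separately. A hit here is the
    # usual explanation for an alert that recurs once per boot.
    $hits = @()
    foreach ($s in (Get-CimInstance -ClassName Win32_StartupCommand)) {
        if ($s.Command -match 'taskkill') {
            $hits += [pscustomobject]@{ Source = $s.Location; Name = $s.Name; Command = $s.Command }
        }
    }
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Shell', 'Userinit') {
        if ("$($winlogon.$name)" -match 'taskkill') {
            $hits += [pscustomobject]@{ Source = 'Winlogon'; Name = $name; Command = $winlogon.$name }
        }
    }
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'taskkill') {
                $hits += [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
    $hits
}

function Get-TaskkillLaunches {
    # Parent process and command line of each recorded start of taskkill.exe
    # (Security event 4688). CommandLine is filled only when "Include command
    # line in process creation events" is on; ParentProcessName needs
    # Windows 10 / Server 2016 or later. Run from an elevated prompt.
    param([int]$MaxEvents = 5000)
    foreach ($e in (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['NewProcessName'] -match '\\taskkill\.exe$') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $data['ParentProcessName']
                CommandLine = $data['CommandLine']
            }
        }
    }
}

Test-TaskkillIntegrity | Format-List
Get-TaskkillAutostarts | Format-Table -AutoSize
Get-TaskkillLaunches   | Format-Table -AutoSize
```

Reading the output: a file whose CompanyName is Microsoft and whose SignatureStatus is Valid is a genuine taskkill.exe even when MatchesReference is false, since the reference values are tied to one XP Pro build. The interesting result is anything in the autostart list, or a 4688 entry whose parent is not a shell or a known administration tool, because that is the thing invoking taskkill.exe against the security products, which the file check alone cannot reveal. On XP, Windows File Protection restores protected system files that are deleted, so the file reappearing after a reboot is not by itself evidence of infection.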

I have not checked back here for a while as I eventually seem to have removed whatever caused the problem. However, I am not too sure which process cleaned it up. I ran many scans using many different antispyware programs. Eventually the BOC alerts stopped.
The thing that disappoints me, though, is that Comodo support never replied to two different tickets I raised about this issue. They put them on hold and they are still in that state now.

I therefore reluctantly decided to remove Comodo products from all my 5 machines.

I say reluctantly, because I always liked the comodo stuff but this lack of response from support has made me lose faith.

I would like to return to using Comodo products, but only if I could get some positive response from support or any Comodo representative to put my mind at rest.

I am currently running a trial of Kaspersky security suite and I am thinking of trying ZoneAlarm again, which I used before Comodo, but ultimately I would like to have my faith restored that Comodo is really protecting both my machine and my peace of mind when an issue is raised.

Anybody got any thoughts on this?

Dave,
I apologize if this dropped through a crack. :-[
If you could post the support ticket numbers I’ll be happy to look into it.