Jump to content


Photo

The Trojan horse TR/StartPage.IG.1


  • Please log in to reply
5 replies to this topic

#1 revertzero

revertzero

    Member

  • New Member
  • Pip
  • 3 posts

Posted 06 July 2004 - 06:13 PM

Hello everybody :unsure:
i'm infected :ph34r: with the Trojan horse TR/StartPage.IG.1 :blush:

and I've lost 3 days trying to remove it :oops:

I have AntiVir installed but it didn't stop me catching the virus... it does keep on alerting me every 2 seconds though:

"C:\WINDOWS\HOSTS
The Trojan horse TR/StartPage.IG.1"

I have tried following the instructions here:
http://uk.trendmicro...e=TROJ_HARNIG.Q

but with no success... the horrible trojan just won't go away :(

I have attached my Hijack this log in the hope that someone may be able to push me in the right direction:

Thanks for any help

---------------------------------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 01:06:31, on 07/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\WINDOWS\trun.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Switch Off\swoff.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ACDSYS~1\ACDSee\ACDSee.exe
C:\Program Files\AVPersonal\GUARDGUI.EXE
F:\Media\Software\System\Security\HijackThis.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TimeService] C:\WINDOWS\trun.exe
O4 - Startup: DC++.lnk = C:\Program Files\DC++\DCPlusPlus.exe
O4 - Startup: Trillian.lnk = ?
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab

#2 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 06 July 2004 - 09:00 PM

Hi,
First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files: [required step]
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows, rescan with HijackThis
Place a check in each of the following: Then click "Fix checked".

O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKCU\..\Run: [TimeService] C:\WINDOWS\trun.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\trun.exe <--this file
C:\WINDOWS\msupdate.exe <--this file
C:\install.cab <--this file
C:\WINDOWS\system32\explorer.exe <--this file
Note: do not delete: C:\WINDOWS\Explorer.EXE

Restart normally and then update HijackThis. Download Posted Image HijackThis! 1.98

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#3 revertzero

revertzero

    Member

  • New Member
  • Pip
  • 3 posts

Posted 07 July 2004 - 04:37 PM

Firstly thanks a million for replying so fast and in so much depth.
like your new avatar ;)

I followed your instructions with the following exceptions:
- couldn't find C:\install.cab
- I deleted file in C:\WINDOWS\ called dl0001.exe which was obviously a dialer

As your recommended I then ran hijack this1.98....

Logfile of HijackThis v1.98.0
Scan saved at 23:28:17, on 07/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Registry Mechanic\regmech.exe
F:\Media\Software\System\Security\hijackthis1.98\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: DC++.lnk = C:\Program Files\DC++\DCPlusPlus.exe
O4 - Startup: Trillian.lnk = ?
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O18 - Filter: text/html - {EEC083A6-A997-47C3-8A8E-B6694DA9E880} - C:\WINDOWS\System32\gmcpgb.dll
O18 - Filter: text/plain - {EEC083A6-A997-47C3-8A8E-B6694DA9E880} - C:\WINDOWS\System32\gmcpgb.dll
O21 - SSODL: System - {BA1B5AC5-F432-4CCE-8E66-18E991986A1B} - C:\WINDOWS\system32\system32.dll (file missing)

Don't know if this helps but I also downloaded registry mechanic... it says that I have 9 Errors to be repaired in the Trial version and 18 in the Full version!

Thanks again for helping me out of this nightmare :)

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 07 July 2004 - 06:01 PM

Hi,
Did you have a previous (CWS) hijack? You have indications ...

Download Posted Image Ad-Aware

After installing Ad-Aware, and before running the program.

Update Ad-aware's Reference File: instructions Posted Image here

Required Step: Posted Image Reconfigure Ad-Aware for Full Scan

Note: do not run Ad-Aware yet, just update and reconfigure.


Close all open windows, rescan with HijackThis
Place a check in each of the following then click "Fix checked".

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - Startup: Trillian.lnk = ? ("?" = broken link)
O18 - Filter: text/html - {EEC083A6-A997-47C3-8A8E-B6694DA9E880} - C:\WINDOWS\System32\gmcpgb.dll
O18 - Filter: text/plain - {EEC083A6-A997-47C3-8A8E-B6694DA9E880} - C:\WINDOWS\System32\gmcpgb.dll
O21 - SSODL: System - {BA1B5AC5-F432-4CCE-8E66-18E991986A1B} - C:\WINDOWS\system32\system32.dll (file missing)


Then reboot, on restart, restart in Safe Mode [required step - see "How To" below]

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\System32\gmcpgb.dll <--this file

While still in Safe Mode run Ad-Aware and fix everything it finds.

After the above, reboot, rescan with HijackThis and post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 revertzero

revertzero

    Member

  • New Member
  • Pip
  • 3 posts

Posted 08 July 2004 - 01:50 PM

mmm I think I did have a previous hijack but I think I resolved it easily with ad-aware.

Thanks again for all your effot... you have been of enourmous help :D

I followed your instructions and here is my log:

Logfile of HijackThis v1.98.0
Scan saved at 20:46:11, on 08/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
F:\Media\Software\System\Security\hijackthis1.98\HijackThis.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: DC++.lnk = C:\Program Files\DC++\DCPlusPlus.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for ¸æb: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab

#6 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 08 July 2004 - 04:04 PM

Hi,
Your log looks clean now ... good job!

Last Step:

"Flush System Restore" (see "How To" below)
Basically turn off System Restore, reboot run a full AVPersonal scan, reboot and turn System Restore back on and create a new Restore Point.

I would suggest adding some "Defense" to your system ...
How To: Prevent this from happening again? :wave:
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button