
Trojan TR/startpage.IG.1


3 replies to this topic

#1 nicko

nicko

    Member

  • New Member
  • Pip
  • 4 posts

Posted 12 July 2004 - 11:27 PM

Last night I was surfing the net and my AntiVir software picked up this trojan in two locations (c:\windows\hosts and c:\windows\system32\drivers\ETC\hosts).

Now every time I deleted it, it kept on coming back. Now I can't even use MSN or IE because it keeps on freezing up (in fact I don't know if the net is working at all).

I've tried using the CWShredder and it said it had cleared the system, but while it was doing it and after it had finished, the AntiVir kept on saying the trojan TR/startpage.IG.1 was present and asked me if I wanted to delete etc.

So after that I used the HijackThis tool and this is the log (if someone can tell me what to do):

Logfile of HijackThis v1.98.0
Scan saved at 3:37:32 PM, on 13/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Omniquad\Omniquad Personal Firewall\OPFSVC.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\StarOffice6.0\program\soffice.exe
C:\Program Files\AVPersonal\GUARDGUI.EXE
C:\download_files\cwshredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.team-hyundai.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.team-hyundai.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Samsung Wheel Mouse\Samsung Wheel Mouse\4.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O6 "USB001" /M "Stylus CX3100"
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [OPF] C:\Program Files\Omniquad\Omniquad Personal Firewall\OPF.exe
O4 - Startup: StarOffice 6.0.lnk = C:\Program Files\StarOffice6.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.team-hyundai.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com

Now the computer is only a couple of months old, so would it be wise just to take it back to a new computer (reformatting)?

#2 nicko


Posted 12 July 2004 - 11:29 PM

Oh, and after I did the shredder I reset my internet options (hence why I have the Hyundai home page instead of CoolWebSearch).

#3 nicko


Posted 13 July 2004 - 12:01 AM

Note*
I ran the shredder in normal mode, then ran HijackThis to get the log.

I have now run the shredder in safe mode but it still says that it's clean, so would the log be any different if I ran HijackThis now?
(Plus every time I post a report I have to burn a CD and send it up to this computer, since this trojan has frozen the browser.)

#4 nicko


Posted 13 July 2004 - 05:03 PM

OK, I've decided to reformat my computer, because I just can't get rid of this thing.



