Jump to content


Photo

TR/StartPage.IG.1 - please help


  • Please log in to reply
3 replies to this topic

#1 StefChri

StefChri

    Member

  • New Member
  • Pip
  • 2 posts

Posted 21 July 2004 - 04:38 PM

Hello everybody,

my pc is infected with TR/StartPage.IG.1.

Ive already tried several tools to get rid of this *#+! - piece of ...

Antivir XP is recognizing it but unable to remove it.
Ive also tried CWShredder and Ad-aware 6 without success.

I also tried these tools in Safe Mode with the same results.

What I found out is that a file named hosts is infected. But after deleting this file it reapears almost immediatly.

Now Im definetly at the end of my knowledge and need help.

Ive run HijackThis and here is the log:

And by the way, please apologize my poor english -Im from germany.

Thanks in advance for any help


---------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 23:24:30, on 21.07.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SLEE401.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\Norton Internet Security\IAMAPP.EXE
C:\Programme\Dialer Control\dc.exe
C:\WINDOWS\system.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\PC-TV\WinManager\WinManager.exe
C:\WINDOWS\System32\devldr32.exe
C:\Programme\GetRight\getright.exe
C:\Dokumente und Einstellungen\Stefan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iamapp] "C:\Programme\Norton Internet Security\IAMAPP.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dialer Control] C:\Programme\Dialer Control\dc.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - Global Startup: WinManager.lnk = C:\Programme\PC-TV\WinManager\WinManager.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDB37FE6-82B7-40D5-A628-7D5214B3FACF}: NameServer = 217.237.150.141 194.25.2.129

---------------------------------------------------

#2 strafer

strafer

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 21 July 2004 - 04:47 PM

This may be the problem (especially if www.google.com is not your wanted homepage)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php


This file is unkown to me. If you didn't install it then fix it:

O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll

Sometimes you need to go into safemode to do ths without it coming back.

Also try CW Shredder (click here to download)

Hope this helps.

#3 StefChri

StefChri

    Member

  • New Member
  • Pip
  • 2 posts

Posted 21 July 2004 - 05:49 PM

Hello strafer,

seems to be solved now. :bounce:
I deleted the following files in the safe mode:

c:\windows\hosts
c:\windows\system32\explore.exe (was the problem in another thread)
C:\WINDOWS\questmod.dll

Then I used Antivir for a complete scan, CWShredder and Ad-aware.

Now after reboot in normal mode this is the new log:

Thanks a lot for your help. :thumbsup:

StefChri

-----------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 00:46:48, on 22.07.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SLEE401.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\Norton Internet Security\IAMAPP.EXE
C:\Programme\Dialer Control\dc.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\PC-TV\WinManager\WinManager.exe
C:\WINDOWS\System32\devldr32.exe
C:\Dokumente und Einstellungen\Stefan\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iamapp] "C:\Programme\Norton Internet Security\IAMAPP.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Dialer Control] C:\Programme\Dialer Control\dc.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - Global Startup: WinManager.lnk = C:\Programme\PC-TV\WinManager\WinManager.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Programme\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDB37FE6-82B7-40D5-A628-7D5214B3FACF}: NameServer = 217.237.150.141 194.25.2.129

#4 strafer

strafer

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 21 July 2004 - 07:03 PM

Anytime :D . Glad I could help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button