Jump to content


Trojan horse TR/StartPage.IG.1

  • Please log in to reply
4 replies to this topic

#1 terried



  • New Member
  • Pip
  • 2 posts

Posted 22 July 2004 - 11:13 PM

Any help is greatly appreciated

Thanks so much

StartupList report, 7/23/2004, 12:01:22 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Terrie\Desktop\hijack this\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options

Running processes:

C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Terrie\Desktop\hijack this\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe


Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE


Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,


Autorun entries from Registry:

HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HPHUPD05 = C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HP Component Manager = "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
HPHmon05 = C:\WINDOWS\System32\hphmon05.exe
hpppta = C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
HP Software Update = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
System32 = C:\WINDOWS\system.exe
VVSN = C:\Program Files\VVSN\VVSN.exe
AVGCtrl = C:\Program Files\AVPersonal\AVGNT.EXE /min


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\1090368255.dll - {89BD84F1-4A6C-445D-9BE8-5B8C4B019855}


Enumerating Task Scheduler jobs:

1-Click Maintenance.job
HP DArC Task #Hewlett-Packard#7700#MY388121P8K5.job
HP Usg Daily.job


Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell....iler/SysPro.CAB

InProcServer32 = C:\WINDOWS\Downloaded Program Files\DD_v4.ocx
CODEBASE = http://www.drivershq.com/DD_v4.CAB

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PCPitstop.dll
CODEBASE = http://www.pcpitstop...p/PCPitStop.CAB

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...B?38097.2140625

[DoomCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\DoomCln.dll
CODEBASE = http://www.microsoft...ols/DoomCln.CAB

[Downloader Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\dwnldr.dll
CODEBASE = http://www.stopzilla...ller/dwnldr.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcaf...380/mcfscan.cab


Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
System: C:\WINDOWS\system32\system32.dll

End of report, 6,605 bytes
Report generated in 0.625 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#2 Sasquatch



  • Full Member
  • Pip
  • 15 posts

Posted 22 July 2004 - 11:32 PM

A quick search at Symantec for "startpage.ig.1" or other variants came up with no results. However, looking at your logfile, I noticed "system.exe" which is suspicious and seems to be connected to Net Controller 1.08 Trojan

system - system.exe - Process Information

Process File: system or system.exe
Process Name: System
Description: Net Controller 1.08 Trojan.
Company: N/A
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
Common Errors: N/A

Have you used Spybot Search and Destroy AND Ad-Aware in an attempt to remove these suspicious files?

If so, what were the results?

Edited by Sasquatch, 22 July 2004 - 11:33 PM.

Get away from Internet Explorer and Outlook / Outlook Express... http://www.mozilla.org

#3 needenalife



  • Full Member
  • Pip
  • 42 posts

Posted 22 July 2004 - 11:38 PM

I also suggest running a virus scan


Panda Activescan


#4 terried



  • New Member
  • Pip
  • 2 posts

Posted 22 July 2004 - 11:48 PM

I ran Ad-Aware as well as a few others and nothing came up about that particular file. When I run Ativir it shows a trojan TR/StartPage.IG.1 and it seems to keep replicating itself as soon as I delete it

#5 Sasquatch



  • Full Member
  • Pip
  • 15 posts

Posted 22 July 2004 - 11:58 PM

I just posted this for another person, but you may want to give this a try as well.

Also, ensure you dump all of your .tmp (temporary files). These hold many, many nasty recurring problems if not dumped.

Go to Start-->Find-->Files and Folders and search for *.tmp

Make sure you use the asterisk. Let it search and when it finishes, select all the files and hold down the shift key while pressing delete. Once this is done, go into your Control Panel and find your "Internet Options" icon. This opens the controls for Internet Explorer without actually opening the browser. Delete all temporary internet files and offline content. Restart your computer and then see how things go.

I would also suggest running a DOS based anti-virus program such as F-PROT for DOS.

First thing: Shut off your system restore

Second thing: Download F-PROT

Once you have it downloaded, I simply extract all contents to the root of C:\\

Once you have done this, you will need to update F-PROT with the latest detection strings.

Extract all files to C:\\ and confirm the file overwrites.

Once done, find or create a Windows boot (startup) disk. (Windows 95/98 will work fine).

Use it and reboot your system. Once at the command prompt, navigate to the root and then run F-PROT by typing f-prot.exe

Once the program starts, you will have to set some parameters regarding what you want it to do. Once done, scan your machine and see what, if anything, it finds.
Get away from Internet Explorer and Outlook / Outlook Express... http://www.mozilla.org

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!