
Trojan Small AR

Discussion in 'Malware and Virus Removal Archive' started by Daisy30875, 2003/12/31.

Thread Status:
Not open for further replies.
  1. 2004/01/02
    Daisy30875

    Daisy30875 Inactive Thread Starter

    Joined:
    2003/12/31
    Messages:
    29
    Likes Received:
    0
    HijackThis Log

    OK, I was asked earlier to post my HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:00:53 AM, on 1/2/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\CREATIVE\SURROUNDMIXER\CTSYSVOL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\AMERICA ONLINE 4.0\DOWNLOAD\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.info/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.viewpornkey.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.viewpornkey.com/se.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.viewpornkey.com/se.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.viewpornkey.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.search-dot.com/1/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.viewpornkey.com/se.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-dot.com/1/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.search-dot.com/1/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.viewpornkey.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.viewpornkey.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.viewpornkey.com/se.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.viewpornkey.com/se.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.viewpornkey.com/se.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.viewpornkey.com/se.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://my.netzero.net/s/sp?r=al&cf=...00000&D=0&I=7.NQ1&L=&M=1069056000000&N=EM&O=A
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_6_0.DLL
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe "
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\PROGRAM FILES\CREATIVE\SURROUNDMIXER\CTSYSVOL.EXE
    O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE "
    O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
     
  2. 2004/01/02
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Daisy
    You have quite a few bad entries.

    Remove all R0 and R1 entries EXCEPT the last three:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://my.netzero.net/s/sp?r=al&...mp;N=EM&O=A

    F1 - win.ini: run=hpfsched (if you have an HP DeskJet printer, this is an icon that sits in your systray to remind you once in a while to perform print head cleaning... if you want, you can keep it... it's garbage in my opinion)

    Remove the following O4 entries:
    That's it for bad guys.
    I also noticed several programs which are not necessary to run at startup. You can uncheck them in "msconfig\startup":
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE (this one is needed only if you run some scheduled tasks)
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A (this is a leftover from a DirectX upgrade, and it was supposed to run just once)
    Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme (if you don't use Power Management, which is not recommended in Windows 98... this entry is listed twice in msconfig\startup)
     
    Last edited: 2004/01/02


  4. 2004/01/03
    Daisy30875

    Daisy30875 Inactive Thread Starter

    Broni

    Thank you again for your help, just one question.

    Why is it not recommended to run power management? :confused:
     
  5. 2004/01/03
    Daisy30875

    Daisy30875 Inactive Thread Starter

    Virus Detected! Here we go!

    OK, so I just ran the AVG program and it came up with a virus detected called Trojan Horse Startpage.CG, which was located in msconfig.exe. It recommended me to put it in the vault since I cannot just up and delete msconfig.exe! So, does this mean my system is clean, or what does this mean? This is getting to be a bit frustrating. I wish I knew more about viruses. I tried to look up info about this virus and was unable to come up with a stitch of anything. I am however very grateful to know that I can have a free virus detection program. In my opinion Norton wasn't doing its job, so I took it off my system completely. Norton only does its job if you pay for the updates, and I got this computer in 98, so my NAV was basically useless anyhow. What do I do now? Besides change my computer experience status to... BEGINNER!!! LOL! :D
     
  6. 2004/01/03
    broni

    broni Moderator Malware Analyst

    OK, Daisy
    1. Power Management is a known Windows 98 troublemaker. If it's on, it's known to cause all kinds of conflicts, error messages, problems with shutting the computer down, etc... It may work OK for some people. Why? I've never seen any good explanation.
    2. As for your virus. You had some virus-like entries in your HijackThis listings (O4 entries), but I'm not sure, if they were related to your new discovery.
    There are several types of "Startpage" trojan horse virus out there. You can read about them:
    HERE
    HERE
    and
    HERE
    However, all of those above do not do much more than just change your IE home page.
    As you said, your virus was discovered attached to the "msconfig.exe" file. Some viruses pretend to be attached, or even create a new file which looks like a legitimate Windows file.
    You have to take a really close look at the name of the infected file (i.e. one letter may be different, say "msconfg.exe" instead of "msconfig.exe"), and its location. For instance, the real "msconfig.exe" file is located in the C:\Windows\System directory. A clever virus may create a file with the very same name "msconfig.exe", but, let's say, in the C:\Windows directory. It does so to scare you: "Oh, it's a real Windows file, so I can't delete it".
    So... take a close look at the name of the infected file, and make sure it's really spelled "msconfig.exe", then see in what directory it's located. If AVG doesn't give you that information, simply go Start>Run, type: MSCONFIG, and hit OK. If it runs, it means your original Windows file is OK, and that fake "msconfig" file is either spelled a little bit different, or it has a different location than the original Windows file.


    HERE is an example of how viruses hide themselves, pretending to be legit Windows files.
    Let me know of your findings
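    Worked example (added by the editor; this is not code from the thread, from WindowsBBS or from HijackThis): a small Python script that applies the checks broni describes in posts 2 and 6 to HijackThis-style log lines. It flags R0/R1 entries whose home or search page points at a site not on an allow-list, flags O4 Run targets that are scripts rather than executables (such as the rundll32.vbe entry above), and, for names that resemble a known Windows file, checks both the exact spelling and the directory, using a similarity ratio as a stand-in for the "one letter may be different" eyeball check. The sample log lines are constructed from the entries quoted above; the table of expected Windows 98 file locations and the URL allow-list are assumptions for illustration only.

```python
"""Triage helper for HijackThis-style log lines on a Windows 9x layout.

Added example, not code from the thread or from HijackThis. SAMPLE_LOG is
constructed from the entries quoted in the thread; EXPECTED_LOCATION and
ALLOWED_URLS are assumptions for illustration.
"""
import re
from difflib import SequenceMatcher

# Constructed sample, modelled on the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.viewpornkey.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.viewpornkey.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# Assumption: where these binaries live on a stock Windows 98 install.
EXPECTED_LOCATION = {
    "msconfig.exe": r"c:\windows\system",
    "rundll32.exe": r"c:\windows",
    "taskmon.exe": r"c:\windows",
    "mstask.exe": r"c:\windows\system",
    "systray.exe": r"c:\windows\system",
    "scanregw.exe": r"c:\windows",
}
# Script extensions that should not appear as a Run target on a clean box.
SCRIPT_EXTS = (".vbe", ".vbs", ".js", ".jse", ".wsf", ".hta")
# Home/search pages treated as legitimate (assumption, based on the thread).
ALLOWED_URLS = ("about:blank", "http://www.aol.com")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
R_RE = re.compile(r"^(?P<code>R[01]) - (?P<key>.+?) = (?P<val>.*)$")


def parse(text):
    """Yield (code, fields) for R0/R1 and bracketed O4 lines; skip the rest."""
    for line in text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            yield "O4", m.groupdict()
        elif (m := R_RE.match(line)):
            yield m.group("code"), m.groupdict()


def lookalike(fname, threshold=0.85):
    """Closest known system file name when fname is close but not equal
    (e.g. msconfg.exe vs msconfig.exe); None when exact or not similar."""
    best, score = None, 0.0
    for known in EXPECTED_LOCATION:
        r = SequenceMatcher(None, fname, known).ratio()
        if r > score:
            best, score = known, r
    return best if best != fname and score >= threshold else None


def classify_path(cmd):
    """Reason a Run target is suspicious, or None. Applies the three checks
    from the thread: extension, exact file name, and directory."""
    exe = cmd.strip('" ').split()[0] if cmd.strip() else ""
    directory, _, fname = exe.lower().rpartition("\\")
    if fname.endswith(SCRIPT_EXTS):
        return f"script extension in Run target: {fname}"
    if fname in EXPECTED_LOCATION:
        if directory and directory != EXPECTED_LOCATION[fname]:
            return f"{fname} expected in {EXPECTED_LOCATION[fname]}, found in {directory}"
        return None  # right name in the right place (or no path given)
    near = lookalike(fname)
    if near:
        return f"{fname} looks like system file {near} but is not it"
    return None


def triage(text):
    """Return a list of (code, description) findings for a log text."""
    findings = []
    for code, f in parse(text):
        if code in ("R0", "R1"):
            val = f["val"].strip()
            if val.lower().startswith("http") and val not in ALLOWED_URLS:
                findings.append((code, f"IE setting {f['key']} points at {val}"))
        else:
            reason = classify_path(f["cmd"])
            if reason:
                findings.append(("O4", f"[{f['name']}] {reason}"))
    return findings


if __name__ == "__main__":
    for code, desc in triage(SAMPLE_LOG):
        print(code, desc)
```

    Running it on the constructed sample reports the two hijacked IE pages and the .vbe Run target, and leaves the Window Title, about:blank, taskmon.exe and mstask.exe entries alone. The msbb.exe entry is not flagged by these rules: it is neither a script nor a near-miss of a known system file name, which is exactly why a human reviewer (as in post 2) still has to judge unknown names by reputation rather than by spelling alone.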
     