
Thread: Help Needed .. Trojan Startpage Menance

  1. #21
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    Seems to me that you probably have a few different ones.. there are processes there that I've never heard of.. just googling each one could tell you more. For example, I picked "SMSS.exe", googled it and found this link.. http://www.viruslist.com/eng/viruslist.html?id=51071.. which shows that you have Worm.Win32.Ladex.. as you'll see by that link, CSRSS.exe is also part of that worm. Read that link please because there's good info in there.. I'll just quote the last part..
    Invisibility

    Using the additional components SMSS.EXE and CSRSS.EXE the worm tries to mask (hide) itself in the system. Both files ensure the functioning of the main module LMHSVC.EXE if for any reason it appears unloaded from memory. Besides these components it looks for REGEDIT: if REGEDIT is open it temporarily removes the keys in the system registry and restores them upon the closure of the REGEDIT application. Thus the worm achieves invisibility in the system registry.

    Payload

    The worm starts the joke program LADY.EXE which displays a set of creeping flies which can be "killed" with the mouse cursor.
    As for hijacking, since no one has mentioned it yet.. try HijackThis, but be careful of what you delete. Posting a log of it either at tomcoyote's forum or here would be advisable.

    hijackthis : http://www.tomcoyote.org/hjt/
    log tutorial : http://www.spywareinfo.com/~merijn/htlogtutorial.html

  2. #22
    ShagDevil (Some Assembly Required)
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Anj, I'd recommend checking your running tasks against a couple of lists. Check:

    http://www.answersthatwork.com/Taskl...s/tasklist.htm (or)
    http://www.liutilities.com/products/...processlibrary

    These may not have everything but it's a good start. Good luck.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  3. #23
    Another goody program is called "HijackThis"; you can find this program with any search engine,
    but read some forums first and make sure you do not delete any Windows registry entries.
    I personally had a trojan called .hogle; the only way I could remove it was with HijackThis, and I still had to disable System Restore because System Restore kind of takes a picture of your Windows configuration and the BIOS and then protects it. But you should be able to find what you're looking for when you scan with the HijackThis program, and I mean usually there are words like ctrlpan.dll in the line that you would want HijackThis to delete... hope this helped
    pZargs

  4. #24
    Junior Member
    Join Date
    Jan 2004
    Posts
    2
    umm.. errr.... eh ..

    How do I start a thread and where can I find a place to post it???

    Anyway, I wanna know how to crack a damn CD check cuz I broke the CD

  5. #25
    Senior Member
    Join Date
    May 2003
    Posts
    159
    Hi All,

    I have downloaded SpywareGuard and HijackThis....

    Although SpywareGuard ensures that the trojan can no longer change my default IE page....

    my antivirus program still cannot delete the ctrlpan.dll file from the system32 folder....

    I am herewith copying the log file generated by HijackThis.... Request you all to help me identify the trojan thread....

    Hi Boardwalk_angel,

    Please find here the logfile that I could generate after running HijackThis....

    Please see if you could help me get rid of this Trojan.Startpage virus...


    Logfile of HijackThis v1.97.7
    Scan saved at 22:40:44, on 18/01/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Documents and Settings\Kalpesh\Local Settings\Temp\FreeRAM XP Pro 1.40.exe
    C:\WINDOWS\quicken.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Kalpesh\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.indiatimes.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.indiatimes.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file:///C:\WINDOWS\search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.indiatimes.com
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
    O1 - Hosts: 205.177.124.66 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [UPSUtl] C:\WINDOWS\web.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Kalpesh\Local Settings\Temp\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A823B2BB-7332-4A3C-A236-3F455659B499}: NameServer = 202.9.136.6 202.71.144.67
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)



    Thanks in advance.....

    Regards

    Kalpesh
    ****** Any man who knows all the answers most likely misunderstood the questions *****
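
    An added example, not part of the thread and not HijackThis's own classification: a short Python triage script that applies the two ideas raised above (checking each running process, and reading a HijackThis log) to the log just posted. The sample input is an excerpt of that log, with nothing invented. The rules of thumb are mine: programs sitting directly in the Windows root or in a Temp directory, a UserInit value that chains a second executable, a hosts-file entry that pins a domain to a non-loopback address, a search or start page that points at a local file, an IE user stylesheet, IE policy restrictions, and registry-set DNS servers (reported for review only). The short allowlist of files that legitimately live in the Windows root is an assumption to extend for your own build.

```python
"""Triage a HijackThis log for browser-hijack indicators (added example)."""
import re

# Excerpt of the HijackThis log posted in this thread, used as inline sample
# input so the script runs offline. No entries have been invented.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Kalpesh\Local Settings\Temp\FreeRAM XP Pro 1.40.exe
C:\WINDOWS\quicken.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.indiatimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file:///C:\WINDOWS\search.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O1 - Hosts: 205.177.124.66 auto.search.msn.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UPSUtl] C:\WINDOWS\web.exe
O4 - HKCU\..\Run: [quicken] C:\WINDOWS\quicken.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{A823B2BB-7332-4A3C-A236-3F455659B499}: NameServer = 202.9.136.6 202.71.144.67
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
"""

# ASSUMPTION: a short list of files that legitimately live directly in
# %WINDIR% on Windows XP; extend it for your own build before trusting output.
KNOWN_WINDOWS_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}

WIN_ROOT_FILE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:exe|dll|htt|html)$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(?:Local Settings\\)?Temp\\", re.IGNORECASE)
HJT_LINE = re.compile(r"^([RFO]\d+) - (.*)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def extract_path(value):
    """Image path from an O4 value: the quoted path, or the unquoted path up to the first .exe/.dll."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll))\b", value, re.IGNORECASE)
    return m.group(1) if m else value


def suspicious_location(path):
    """Reason string if a binary sits where installed software normally does not, else None."""
    if WIN_ROOT_FILE.match(path) and path.rsplit("\\", 1)[-1].lower() not in KNOWN_WINDOWS_ROOT:
        return "file placed directly in the Windows root, not System32 or Program Files"
    if TEMP_DIR.search(path):
        return "program running from a Temp directory"
    return None


def triage(log_text):
    """Return (code, reason, line) for every log entry worth a second look."""
    findings = []
    in_process_list = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_process_list = True
            continue
        if in_process_list and DRIVE_PATH.match(line):
            reason = suspicious_location(line)
            if reason:
                findings.append(("Process", reason, line))
            continue
        m = HJT_LINE.match(line)
        if not m:
            continue
        in_process_list = False
        code, body = m.groups()
        if code in ("R0", "R1") and "file://" in body.lower():
            findings.append((code, "start/search page points at a local file", line))
        elif code == "F2" and "UserInit=" in body:
            # A clean value is userinit.exe alone (often with a trailing comma).
            programs = [p for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
            if len(programs) > 1:
                findings.append((code, "UserInit chains extra program(s): " + ", ".join(programs[1:]), line))
        elif code == "O1" and body.startswith("Hosts: "):
            parts = body[len("Hosts: "):].split(None, 1)
            if len(parts) == 2 and parts[0] not in ("127.0.0.1", "::1"):
                findings.append((code, f"hosts file pins {parts[1]} to {parts[0]}", line))
        elif code == "O4" and "] " in body:
            reason = suspicious_location(extract_path(body.split("] ", 1)[1]))
            if reason:
                findings.append((code, reason, line))
        elif code == "O6":
            findings.append((code, "IE policy restrictions present (settings locked by policy)", line))
        elif code == "O17":
            findings.append((code, "DNS servers set in registry; confirm they are your ISP's", line))
        elif code == "O19":
            findings.append((code, "IE user stylesheet set (a common hijack hook)", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

    Note what the script does not flag: C:\WINDOWS\System32\smss.exe, winlogon.exe and Explorer.EXE are where Windows puts them, so a name match against a worm write-up is not enough on its own; the path is what separates the real file from a look-alike. Everything the script does flag still has to be checked by hand before anything is deleted, which is the same advice given in the posts above.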

  6. #26
    Senior Member
    Join Date
    May 2003
    Posts
    159
    Thanks a ton AO for helping me get rid of this trojan....

    I read about Merijn and CoolWebSearch.. I found that I too was infected by the same virus....

    Merijn's CWShredder is a wonder product.. I must agree Merijn is doing a wonderful job......

    It just deletes all the variants of the virus so easily... In fact I had more than 5 variants of the above virus......

    But glad to have got rid of them now..... It's been at least 3 weeks since I was trying to figure out a solution to get rid of this idiotic virus.. glad that I have finally been successful....

    All thanks to AO.... Long live AO.. Long live Merijn

    Bye
