Trojan horse Startpage.3.AR

I picked up a virus through my Internet Explorer 6.0 where I picked up a hijacking homepage and a bundle of Trojans. I successfully deleted the hijacking homepage by using the appropriate software, but the bundle of Trojans remained. My AVG 6.0 Anti-Virus software instantly picked up those files and healed most of them. Currently those "healed" files are in my virus vault, and everytime I restore those "healed" files from my virus vault to their original places on my computer, I get a virus detected message again when I subsequently run my AVG. Currently my computer is virus free as long as I keep those files in my virus vault. The actual name of the infected files in my virus vault, along with the actual virus names associated with those files are: olehelp.exe, and the virus name associated with it is Trojan horse Startpage.3.AR . olehelp.exe was the only file that AVG actually said that it could not heal and that it should be placed in the virus vault; xwxload.exe, and the virus name associated with this file is Trojan horse Downloader.X, and msdos.exe, and it had a virus name of Backdoor.Jeemp.A . The msdos.exe file was deleted by my F-Prot Anti-Virus software that I use in DOS. F-Prot said that the msdos.exe file could not be disinfected, and that it could only be deleted. So I did. After having deleted the msdos.exe file, I feel better about deleting the other infected files in my virus vault. That's the thing about the average computer user, you know that in the back of your mind that Windows has thousands upon thousands of files, and with all of those files, it makes you a little uncomfortable just deleting any of them as you don't know what is real or what is junk. So my questions are: Should I go ahead and delete these files ? and Are these files actually Windows files, or are they junk files created by the author of the virus ? I have taken the liberty of securing and updating a copy of Spywareblaster to avoid this again. Thank You for your time and anticipated response.

 

olehelp.exe should be safe to delete:
http://www.spywareinfoforum.com/~merijn/cwschronicles.html#olehelp

Regards,

Pieter

 

I deleted the olehelp.exe with ease. Now I'll do the same thing to xwxload. exe, which is the Trojan horse Downloader.X if thats alright. I do seem to also have the CWS.Control on C:\Windows\control.exe . CWShredder does not pick this up during the actually scan, but does acknowledge it on the summary or logfile. When olehelp.exe was out of the virus vault, it did not pick this up either during the actually scan, but also listed it on summary or logflie. I can't locate a file named control.exe on my computer, only a control file which opens my control panel. And my control works fine. I don't have a Windows 98SE CD to reinstall files, but I do have a Windows setup icon on my computer. Could I extract a file by using that as an alternative to a CD or could I download it from somewhere if I needed it. Here is copy of my CWShredder logfile. Tell me what you think. Thank You.
CWShredder v1.53.4 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: User

Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (8778 bytes, A)
Found line in Win.ini: load=essspk.exe
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2101 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

 

This is my second posting in about five minutes. Please see my other posting above first. After my last posting, I went into my registry, clicked on edit and then find, and keyed in control. exe where I did find CWS.Control listed twice once listed as CWS.Control, and the CWS Control without the period in between if that makes any difference. Should I delete them now? Thanks again.

 

Hi Doc77,

If you truly have active CWS files CWShredder will remove them. If you do not trust the judgement of your AV and CWS, you can find online scans here:
http://www.wilders.org/free_services.htm

Note that there are also sites (DrWeb and Kaspersky) wher you can upload single files.

Regards,

Pieter