Trojan horse Startpage.3.AR

Discussion in 'malware problems & news' started by Doc77, Mar 22, 2004.

Thread Status:
Not open for further replies.
  1. Doc77

    Doc77 Guest

    I picked up a virus through my Internet Explorer 6.0 where I picked up a hijacking homepage and a bundle of Trojans. I successfully deleted the hijacking homepage by using the appropriate software, but the bundle of Trojans remained. My AVG 6.0 Anti-Virus software instantly picked up those files and healed most of them. Currently those "healed" files are in my virus vault, and every time I restore those "healed" files from my virus vault to their original places on my computer, I get a virus detected message again when I subsequently run my AVG. Currently my computer is virus free as long as I keep those files in my virus vault. The actual names of the infected files in my virus vault, along with the actual virus names associated with those files, are: olehelp.exe, and the virus name associated with it is Trojan horse Startpage.3.AR. olehelp.exe was the only file that AVG actually said that it could not heal and that it should be placed in the virus vault; xwxload.exe, and the virus name associated with this file is Trojan horse Downloader.X; and msdos.exe, which had a virus name of Backdoor.Jeemp.A. The msdos.exe file was deleted by my F-Prot Anti-Virus software that I use in DOS. F-Prot said that the msdos.exe file could not be disinfected, and that it could only be deleted. So I did. After having deleted the msdos.exe file, I feel better about deleting the other infected files in my virus vault. That's the thing about the average computer user: you know in the back of your mind that Windows has thousands upon thousands of files, and with all of those files, it makes you a little uncomfortable just deleting any of them, as you don't know what is real or what is junk. So my questions are: Should I go ahead and delete these files? And are these files actually Windows files, or are they junk files created by the author of the virus? I have taken the liberty of securing and updating a copy of Spywareblaster to avoid this again.
Thank you for your time and anticipated response.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    olehelp.exe should be safe to delete:
    http://www.spywareinfoforum.com/~merijn/cwschronicles.html#olehelp

    Regards,

    Pieter
     
  3. Doc77

    Doc77 Guest

    I deleted the olehelp.exe with ease. Now I'll do the same thing to xwxload.exe, which is the Trojan horse Downloader.X, if that's alright. I do seem to also have the CWS.Control on C:\Windows\control.exe. CWShredder does not pick this up during the actual scan, but does acknowledge it on the summary or logfile. When olehelp.exe was out of the virus vault, it did not pick this up either during the actual scan, but also listed it on the summary or logfile. I can't locate a file named control.exe on my computer, only a control file which opens my control panel. And my control works fine. I don't have a Windows 98SE CD to reinstall files, but I do have a Windows setup icon on my computer. Could I extract a file by using that as an alternative to a CD, or could I download it from somewhere if I needed it? Here is a copy of my CWShredder logfile. Tell me what you think. Thank you.
    CWShredder v1.53.4 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows 98 (4.10.2222 A)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Application Data
    Username: User

    Hosts file not present
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (8778 bytes, A)
    Found line in Win.ini: load=essspk.exe
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2101 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -
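A defender-side triage of the CWShredder 'scan only' report format quoted above, as an added example that is not part of the original thread or of CWShredder itself. The embedded report text is a constructed sample in that format, the regular expressions are my assumptions about the report's line layout, and the checks mirror what the report itself flags: URL prefix registry values that should be http://, a CWS.Control hit only above the size threshold the tool states, and the win.ini load=/run= and system.ini shell= entries that Windows 9x runs at logon.

```python
import re

# Constructed sample in the layout of the CWShredder 'scan only' report above.
SAMPLE_REPORT = """\
Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\\WINDOWS\\control.exe (2112 bytes, A)
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Found Win.ini file: C:\\WINDOWS\\win.ini (8778 bytes, A)
Found line in Win.ini: load=essspk.exe
Found line in Win.ini: run=
Found line in System.ini: shell=Explorer.exe
"""

# Assumed line shapes, derived from the report quoted in the thread.
PREFIX_RE = re.compile(r"^Registry value: (.+?) \(should be (\S+)\) \[.*?\] (\S*)$")
FILE_RE = re.compile(r"^Found (\S+) \(if filesize is over (\d+)k\) file: (.+?) \((\d+) bytes")
INI_RE = re.compile(r"^Found line in (Win|System)\.ini: (\w+)=(.*)$")


def triage_report(text):
    """Return (severity, finding) tuples for report lines that need attention."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = PREFIX_RE.match(line)
        if m:  # IE URL prefixes: anything other than http:// redirects every typed address
            name, expected, actual = m.groups()
            if actual.lower() != expected.lower():
                findings.append(("high", f"{name} prefix is {actual!r}, expected {expected!r}"))
            continue
        m = FILE_RE.match(line)
        if m:  # the tool only treats the file as the CWS variant above its size threshold
            variant, threshold_k, path, size = m.groups()
            if int(size) > int(threshold_k) * 1024:
                findings.append(("high", f"{variant}: {path} is {size} bytes"))
            else:
                findings.append(("info", f"{path} is {size} bytes, under the {variant} threshold"))
            continue
        m = INI_RE.match(line)
        if m:  # win.ini load=/run= and system.ini shell= are Windows 9x autostart points
            ini, key, value = m.groups()
            if ini == "Win" and key in ("load", "run") and value:
                findings.append(("high", f"win.ini {key}= starts {value!r} at logon"))
            elif ini == "System" and key == "shell" and value.lower() != "explorer.exe":
                findings.append(("high", f"system.ini shell= is {value!r}, expected Explorer.exe"))
    return findings
```

On the sample above this leaves the 2112-byte control.exe as informational and raises only the win.ini load= entry, which is the one line in the quoted report that actually starts a program.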
     
  4. Doc77

    Doc77 Guest

    This is my second posting in about five minutes. Please see my other posting above first. After my last posting, I went into my registry, clicked on edit and then find, and keyed in control.exe, where I did find CWS.Control listed twice: once listed as CWS.Control, and once as CWS Control without the period in between, if that makes any difference. Should I delete them now? Thanks again.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Doc77,

    If you truly have active CWS files, CWShredder will remove them. If you do not trust the judgement of your AV and CWS, you can find online scans here:
    http://www.wilders.org/free_services.htm

    Note that there are also sites (DrWeb and Kaspersky) where you can upload single files.

    Regards,

    Pieter
     