trojan.startpage in msconfd.dll

Original Message
Name: lisawalters
Date: January 1, 2004 at 19:04:29 Pacific
Subject: trojan.startpage in msconfd.dll
OS: MS 2000
CPU/Ram: Pentium 4 / 262,000 Kb Ra
Comment:

Hi Everyone,

Recently my Symantec program detected the trojan.startpage virus in my msconfd.dll file. When using IE, our homepage was going to a new site, and we have a new and interesting set of favorites! I have attempted to delete this item (apparently blindly, not realizing its potential importance), but received a pop-up message indicating that I was not allowed to delete it because it was being used by Windows. I went onto the Symantec page to read about the virus, and it suggests deleting whichever files are corrupted. Can anyone help? Is this an essential file, and if not, can it be deleted somehow? I appreciate all those who have taken the time to read this, and here is a quick thanks to anyone with advice!

Lastly, are there any programs out there that can alert you when files are being saved onto your computer when you are on the net?

Sincerely,
Lisa



Response Number 1
Name: chrisbuchli
Date: January 2, 2004 at 02:51:02 Pacific
Reply:

hey there, i'm pretty new to this so i could be wrong but one suggestion (and it has worked for me when this happens) is to go to www.download.com and get a program called ad-aware (it's free and although you don't get the full program it still works real good), install this as normal on your computer. open ad-aware and run a scan it will come up with some registry values and files, delete them (you could also then run a check with your virus scanner). BEFORE you get back on the net, right click your browser and go to properties and change your homepage to whatever you normally have and your problem should be fixed.
alternatively (try this first), sometimes these annoying pages have a link at the bottom that is labelled something like "how can i uninstall [the name of the page]" i've only come across this once but it's sooo much easier, if this happens still remember to change your homepage before getting back to it or it will only install itself again :)
sorry this is so long but it is one of the few probs i think i can solve, good luck to you. happy new year!!!


Response Number 2
Name: tamtam
Date: January 2, 2004 at 03:38:55 Pacific
Reply:

Follow these instructions
http://www.computing.net/security/wwwboard/forum/6433.html


Response Number 3
Name: lisawalters
Date: January 2, 2004 at 07:35:20 Pacific
Reply:

Hi Everyone,

I have installed and run Adaware and SpyBot; both programs found problems, which I have quarantined. I restarted my computer and still have a couple of problems. My Norton antivirus keeps detecting msconfd.dll as being infected. I get a pop-up message notifying me of this at start-up and every time I launch another program (i.e. Word, virus protection programs, IE, notepad, etc.). This still seems to be my main problem - how to fix msconfd.dll. My other smaller problem is that my default homepage (the page listed for 'use default' in the general tab of the internet tools window) has been set to some obscure site, and I don't know how to change the default home page entered when IE was set up. Any help here would be greatly appreciated.

Here is the log from HijackThis, although I am not sure if it is of any help with my msconfd.dll problem.

Logfile of HijackThis v1.97.7
Scan saved at 10:39:24 AM, on 1/2/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\msadc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\PMJ151LA.BIN
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\Mixer.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\QuickTime\qttask.exe
C:\msdos.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\lwalters\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my.search/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.search/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freshvideogals.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://freshvideogals.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://freshvideogals.com/search/small.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://freshvideogals.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freshvideogals.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://freshvideogals.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://e-plus.cc/search.php?aff_id=46&keyword=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://google.ca"); (C:\Documents and Settings\lwalters\Application Data\Mozilla\Profiles\default\31hcbj4v.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\lwalters\Application Data\Mozilla\Profiles\default\31hcbj4v.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MsSystem] c:\msdos.exe
O4 - HKLM\..\Run: [AdobeFonts] C:\WINNT\Fonts\fonts.hta
O4 - HKCU\..\Run: [iedll] c:\WINNT\iedll.exe
O4 - HKCU\..\Run: [loader] c:\WINNT\loader.exe
O4 - HKCU\..\Run: [quicken] C:\WINNT\quicken.exe
O4 - HKCU\..\Run: [editpad] C:\WINNT\editpad.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.2178935185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINNT\hh.htt (file missing) (HKLM)

Thanks again,

Lisa
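
A way to triage a HijackThis log like the one posted above, as an added example that is not part of the original thread: it groups the R0/R1 browser settings by the host they point at and lists Run entries whose executable sits directly in the drive root or the Windows directory. The function names and the path heuristic are assumptions made for illustration; a hit means "look at this entry", not a verdict.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Lines copied from the HijackThis log in the post above (a subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freshvideogals.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freshvideogals.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MsSystem] c:\msdos.exe
O4 - HKCU\..\Run: [iedll] c:\WINNT\iedll.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
"""

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>.+?) = (?P<value>.*)$")
RUN_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Assumption: an autostart binary sitting directly in the drive root or the
# Windows directory (not in a subfolder) deserves a manual look.
LOOSE_PATH = re.compile(r'^"?[a-z]:\\(?:(?:winnt|windows)\\)?[^\\"]+\.exe', re.I)

def ie_settings_by_host(log):
    """Group R0/R1 browser settings by the host (or local file) they point at."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            # Local file values have no hostname, so fall back to the raw value.
            host = urlparse(m["value"]).hostname or m["value"]
            groups[host].append(m["key"].split("\\")[0] + "," + m["name"])
    return dict(groups)

def loose_autostarts(log):
    """Return (hive, name, command) for Run entries matching LOOSE_PATH."""
    hits = []
    for line in log.splitlines():
        m = RUN_LINE.match(line.strip())
        if m and LOOSE_PATH.match(m["cmd"]):
            hits.append((m["hive"], m["name"], m["cmd"]))
    return hits

if __name__ == "__main__":
    for host, names in ie_settings_by_host(SAMPLE_LOG).items():
        print(host, "<-", ", ".join(names))
    for hit in loose_autostarts(SAMPLE_LOG):
        print("review autostart:", hit)
```

Grouping by host makes it easy to see when the per-user and machine-wide Start Page values disagree, as they do in this log.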


Response Number 4
Name: kmneo011
Date: January 2, 2004 at 10:44:15 Pacific
Reply:

Hi, I had a startpage trojan recently in a dll file; I think it was the same one. If you get the AVG free version and run a complete scan, it will detect that trojan and quarantine it.
neo


Response Number 5
Name: Abnormal
Date: January 2, 2004 at 14:10:58 Pacific
Reply:

Hi,
Download and run cwshredder; hit the next button, not scan.
cwshredder.zip

cwshredder.exe

Post another log after you're done.


Response Number 6
Name: lisawalters
Date: January 2, 2004 at 15:58:23 Pacific
Reply:

Thank you Thank you Thank you. If you could see me dancing around with delight you would laugh. I appreciate all the suggestions everyone made. cwshredder finally did the trick. I then ran hijackthis and fixed the files pertaining to my default IE page.

Once again, thank you for donating your time to my cause.

Sincerely,

Lisa :)


Response Number 7
Name: Toan
Date: January 7, 2004 at 23:04:39 Pacific
Reply:

I don't know if my message got up. I checked and couldn't see it. Just in case, here is my message:
Well, I have the same problem as Lisa. I used the shredder and it did something, but I still have a problem: I still get a pop-up when I open up IE. This may have nothing to do with the Trojan.Startup, but I have no idea what to do. It's sad that the shredder did what the expensive Symantec Norton Antivirus couldn't do. The only purpose that NAV served me was that it found a problem; it just couldn't do anything about it. I bet this post is really old and I bet that my response will never be read, but I don't know where else to turn. Thank you especially, Lisa, for putting up the post and getting the responses you did. If it wasn't for that, I would still be getting ugly pop-ups and favorites that I do not want. Someone, please help me. Thank you for your time.

Tony

Email: tjc2003m@aol.com


Response Number 8
Name: chatstick
Date: January 8, 2004 at 07:14:51 Pacific
Reply:

Let me add my thanks! Same problem here, been pulling my hair out for days with other "fixes". cwshredder fixed it in under one minute! unbelievable! Thank you abnormal!

another Lisa


Response Number 9
Name: Dimitris Mantziaras
Date: January 8, 2004 at 13:59:57 Pacific
Reply:

Lisa Thanks, thank you everybody (especially "abnormal").
I had the same problem as Lisa today, or almost the same... I had an alert saying I got the Trojan.StartPage in C:Windows/System32/ctrlpan.dll (and not in msconfd.dll). I followed "abnormal's" instructions and thank God the virus disappeared (together with the file ctrlpan.dll), but I still have a problem...
Together with the virus alert I noticed that when I started my P.C. it took more than two minutes to start which has never happened before (you know, it takes two minutes to make the usual sound of the beginning of Windows XP). I feel like although the virus went away there is still something infected or badly working in my system. Any ideas?



Response Number 10
Name: Toan
Date: January 8, 2004 at 21:24:34 Pacific
Reply:

Wow, Dimitris Mantziaras, ctrlpan.dll is the exact same file mine was in. Once again, thanks everyone.


Response Number 11
Name: Dimitris Mantziaras
Date: January 9, 2004 at 14:47:51 Pacific
Reply:

Hello Toan,
Thanks for answering, but still I haven't any ideas about this delay when I start my PC. I don't know what causes this 2 min delay in starting my system. However it works fine when it finally starts....
What should I do?


Response Number 12
Name: Toan
Date: January 11, 2004 at 12:16:40 Pacific
Reply:

Well, sorry, I don't think I can really help. The only thing you might could do is try to clear up your desktop and quick launch items. That sped up my startup a little. Sorry I can't really help


Response Number 13
Name: Abnormal
Date: January 11, 2004 at 16:11:55 Pacific
Reply:

Dimitris, you may have some leftover spyware.
Download Ad-Aware and update it.
http://www.lavasoftusa.com/support/download/

From lavasoft faqs.
Use the Custom Scan with Memory and Both registry scans ON for your first scan.
I keep it at that setting.

Also.... make sure that you activate IN-DEPTH scanning before you proceed.
Actually you should always use IN-DEPTH scanning whichever mode you choose.
This will be made a default setting in Ad-aware 6.2 when released.

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Next...
Run Ad-aware 6.

Good luck


abnormal



Response Number 14
Name: Bunyip
Date: February 13, 2004 at 22:51:33 Pacific
Reply:

The below file is now not available. Does anyone have CWShredder that I can D/L?

http://www.merijn.org/files/CWShredder.exe
http://216.180.233.153/~merijn/files/CWShredder.exe

Thanks


Response Number 15
Name: Abnormal
Date: February 13, 2004 at 23:43:54 Pacific
Reply:

Hi Bunyip, try this:

http://www.sherrylynn.us/CWShredder.exe

Some tips to stay safe, under my name.
Some spywareinfo sites are down now, that's why the link doesn't work for you.



Response Number 16
Name: Abnormal
Date: February 14, 2004 at 09:35:54 Pacific
Reply:

Another place to get it, most recent version
http://www.majorgeeks.com/download4086.html

