Trojan.StartPage.53879

Added to the Dr.Web virus database: 2013-05-31

Virus description added:

Technical Information

Malicious functions:
Creates and executes the following:
  • '%HOMEPATH%\Desktop\Packed.exe'
Terminates or attempts to terminate the following user processes:
  • iexplore.exe
Sets a new unauthorized home page for Windows Internet Explorer.
Modifies file system:
Creates the following files:
  • <Current directory>\0404heixin\浙江1[278].txt
  • <Current directory>\0404heixin\浙江2[109].txt
  • <Current directory>\0404heixin\浙江3[64].txt
  • <Current directory>\0404heixin\河南4[236].txt
  • <Current directory>\0404heixin\河南5[202].txt
  • <Current directory>\0404heixin\河南6[291].txt
  • <Current directory>\0404heixin\浙江6[25].txt
  • <Current directory>\0404heixin\湖北3[238].txt
  • <Current directory>\0404heixin\湖北4[203].txt
  • <Current directory>\0404heixin\湖北5[158].txt
  • <Current directory>\0404heixin\浙江7[54].txt
  • <Current directory>\0404heixin\湖北1[520].txt
  • <Current directory>\0404heixin\湖北2[264].txt
  • <Current directory>\0404heixin\江苏8[92].txt
  • <Current directory>\0404heixin\江西1[619].txt
  • <Current directory>\0404heixin\江西2[121].txt
  • <Current directory>\0404heixin\江苏3[145].txt
  • <Current directory>\0404heixin\江苏4[122].txt
  • <Current directory>\0404heixin\江苏6[107].txt
  • <Current directory>\0404heixin\江西3[277].txt
  • <Current directory>\0404heixin\河南1[946].txt
  • <Current directory>\0404heixin\河南2[726].txt
  • <Current directory>\0404heixin\河南3[389].txt
  • <Current directory>\0404heixin\河北1[447].txt
  • <Current directory>\0404heixin\河北4[78].txt
  • <Current directory>\0404heixin\河北5[33].txt
  • <Current directory>\0404heixin\贵州1[680].txt
  • <Current directory>\0404heixin\辽宁1[367].txt
  • <Current directory>\0404heixin\辽宁2[117].txt
  • <Current directory>\0404heixin\西南1[1264].txt
  • <Current directory>\0404heixin\西南2[452].txt
  • <Current directory>\0404heixin\西南3[105].txt
  • <Current directory>\0404heixin\辽宁3[60].txt
  • <Current directory>\0404heixin\黑龙江1[388].txt
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\loading[1].html
  • %WINDIR%\Fonts\Guanggaopz.ini
  • <Current directory>\0404heixin\重庆1[567].txt
  • <Current directory>\0404heixin\重庆2[143].txt
  • <Current directory>\0404heixin\陕西1[1094].txt
  • <Current directory>\0404heixin\湖南1[607].txt
  • <Current directory>\0404heixin\湖南2[375].txt
  • <Current directory>\0404heixin\湖南3[251].txt
  • <Current directory>\0404heixin\湖北6[90].txt
  • <Current directory>\0404heixin\湖北7[55].txt
  • <Current directory>\0404heixin\湖北8[112].txt
  • <Current directory>\0404heixin\湖南4[211].txt
  • <Current directory>\0404heixin\福建1[345].txt
  • <Current directory>\0404heixin\福建2[194].txt
  • <Current directory>\0404heixin\西北1[538].txt
  • <Current directory>\0404heixin\湖南5[275].txt
  • <Current directory>\0404heixin\湖南6[154].txt
  • <Current directory>\0404heixin\湖南7[364].txt
  • <Current directory>\0404heixin\华北4[91].txt
  • <Current directory>\0404heixin\四川1[710].txt
  • <Current directory>\0404heixin\四川2[366].txt
  • <Current directory>\0404heixin\华北1[233].txt
  • <Current directory>\0404heixin\华北2[169].txt
  • <Current directory>\0404heixin\华北3[54].txt
  • <Current directory>\0404heixin\四川3[258].txt
  • <Current directory>\0404heixin\天津1[84].txt
  • <Current directory>\0404heixin\安徽1[816].txt
  • <Current directory>\0404heixin\安徽2[346].txt
  • <Current directory>\0404heixin\四川4[280].txt
  • <Current directory>\0404heixin\四川5[224].txt
  • <Current directory>\0404heixin\四川6[229].txt
  • <Current directory>\0404heixin\上海1[295].txt
  • <Current directory>\0404heixin\上海2[156].txt
  • <Current directory>\0404heixin\上海3[120].txt
  • %HOMEPATH%\Desktop\淫荡播影视导航.html
  • %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\97jianzhan.taobao[1]
  • %HOMEPATH%\Desktop\Packed.exe
  • <Current directory>\0404heixin\东北1[284].txt
  • <Current directory>\0404heixin\内蒙古1[84].txt
  • <Current directory>\0404heixin\北京1[243].txt
  • <Current directory>\0404heixin\北京3[31].txt
  • <Current directory>\0404heixin\东北2[237].txt
  • <Current directory>\0404heixin\云南1[227].txt
  • <Current directory>\0404heixin\云贵1[85].txt
  • <Current directory>\0404heixin\广东6[222].txt
  • <Current directory>\0404heixin\广东7[193].txt
  • <Current directory>\0404heixin\广东8[244].txt
  • <Current directory>\0404heixin\广东3[382].txt
  • <Current directory>\0404heixin\广东4[229].txt
  • <Current directory>\0404heixin\广东5[204].txt
  • <Current directory>\0404heixin\广东9[99].txt
  • <Current directory>\0404heixin\新疆1[85].txt
  • <Current directory>\0404heixin\江苏1[297].txt
  • <Current directory>\0404heixin\江苏2[217].txt
  • <Current directory>\0404heixin\广西1[922].txt
  • <Current directory>\0404heixin\广西3[629].txt
  • <Current directory>\0404heixin\广西5[65].txt
  • <Current directory>\0404heixin\山东4[47].txt
  • <Current directory>\0404heixin\山东5[95].txt
  • <Current directory>\0404heixin\山东6[93].txt
  • <Current directory>\0404heixin\安徽3[250].txt
  • <Current directory>\0404heixin\山东1[406].txt
  • <Current directory>\0404heixin\山东3[116].txt
  • <Current directory>\0404heixin\山西1[344].txt
  • <Current directory>\0404heixin\广东12[138].txt
  • <Current directory>\0404heixin\广东1[517].txt
  • <Current directory>\0404heixin\广东2[438].txt
  • <Current directory>\0404heixin\山西2[55].txt
  • <Current directory>\0404heixin\广东10[48].txt
  • <Current directory>\0404heixin\广东11[113].txt
Deletes the following files:
  • %HOMEPATH%\Desktop\Packed.exe
Network activity:
Connects to:
  • 'www.97##g.com':80
  • '97#####han.taobao.com':80
  • 'localhost':1035
TCP:
HTTP GET requests:
  • www.97##g.com/7298dy/loading.html
  • 97#####han.taobao.com/
UDP:
  • DNS ASK www.97##g.com
  • DNS ASK 97#####han.taobao.com
Miscellaneous:
Searches for the following windows:
  • ClassName: '#32770' WindowName: '????????????????'
  • ClassName: '' WindowName: 'iexplore.exe'
  • ClassName: 'EDIT' WindowName: ''
  • ClassName: 'Internet Explorer_TridentDlgFrame' WindowName: 'Internet Explorer ????????'
  • ClassName: 'Shell_TrayWnd' WindowName: ''
  • ClassName: 'MS_AutodialMonitor' WindowName: ''
  • ClassName: 'MS_WebcheckMonitor' WindowName: ''

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

© Doctor Web
2003 — 2023
