startpage hijacked

Hi dear all
My startpage has been hijacked. I open IE and about:blank appears.

This is the hijackthis scan log
Logfile of HijackThis v1.97.7
Scan saved at 11.46.54, on 01/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAMMI\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAMMI\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\WINDOWS\LTSMMSG.EXE
C:\PROGRAMMI\ACER\POWERKEY\POWERKEY.EXE
C:\PROGRAMMI\TREND PC-CILLIN 2000\POP3TRAP.EXE
C:\PROGRAMMI\TREND PC-CILLIN 2000\WEBTRAP.EXE
C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\KEYMAP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMMI\DAP\DAP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMMI\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAMMI\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {C129D23C-8523-4062-8DAF-AA24ED4B0C59} - C:\WINDOWS\SYSTEM\GDG.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAMMI\DAP\DAPIEBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMMI\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AcerPowerkey] "C:\Programmi\Acer\Powerkey\Powerkey.exe"
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Programmi\Trend PC-cillin 2000\pop3trap.exe"
O4 - HKLM\..\Run: [WebTrap.exe] "C:\Programmi\Trend PC-cillin 2000\WebTrap.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VolKey] C:\WINDOWS\SYSTEM\Keymap.exe
O4 - HKLM\..\Run: [Launch App] c:\DMSINFO\launapp.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\SYSTEM\CnxDslTb.exe
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download using Offline &Explorer - file://C:\PROGRAMMI\OFFLINE EXPLORER\Add_UrlO.htm
O8 - Extra context menu item: Download the &current page with Offline Explorer - file://C:\PROGRAMMI\OFFLINE EXPLORER\Add_AllO.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Organizzatore ricerche (HKLM)
O9 - Extra button: SUPER NOVITA' (HKLM)
O9 - Extra 'Tools' menuitem: Strumento Super Internet (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38134.3084259259

Can anybody help me

Alessandro

 

Hi alessandrocancian,

First, make sure your Windows and IE are fully updated.
Then download:
http://tools.zerosrealm.com/dllfix.exe

Doubleclick it and install in folder of choice on the root drive, in your case C:\

1.Run start.bat and press option 1. 'output.txt' will be created in the folder

(note : it's best to post that report together with a HijackThis log in your topic, so experts can have a look as well)

2. IF hidden dll was successfully found, run start.bat again and choose option 2. Hit '1' and enter dll name manually.

3. If dll was not found after first running start.bat :

Run start.bat again and choose option '2'. You must reboot after doing so.

4. Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it.

5. Ask for a new hijackthis log, a new output.txt after the fix

6. You can also run CWShredder finally to clean up other entries

Regards,

Pieter

 

Thanks,
I tried to run dllfix start, but a message appeares: this version is only for windows 2000 or XP. I use windows ME and it doesn't work.

Please help

Regards

Alessandro

 

My mistake. This malware normally doesn't run on 9x computers so I forget to check sometimes.

Download: StartDreck and unzip it.
DoubleClick: 'StartDreck.exe'
Hit: config
Hit: Unmark all
Check these boxes only:
Registry->run keys
System/drivers> Running processes
hit >ok.
Post the log.

Regards,

Pieter

 

Thanks Peter,
here is the log:

StartDreck (build 2.1.5 public BETA) - 2004-06-02 @ 12.06.14
Platform: Windows ME (Win 4.90.3000 )

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*ALiSndMgr=ALiSndMg.exe
*LTSMMSG=LTSMMSG.exe
*AcerPowerkey="C:\Programmi\Acer\Powerkey\Powerkey.exe"
*PCCIOMON.EXE="C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
*pop3trap.exe="C:\Programmi\Trend PC-cillin 2000\pop3trap.exe"
*WebTrap.exe="C:\Programmi\Trend PC-cillin 2000\WebTrap.exe"
*SynTPLpr=C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
*VolKey=C:\WINDOWS\SYSTEM\Keymap.exe
*Launch App=c:\DMSINFO\launapp.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*RegShave=C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
*TaskMon=C:\WINDOWS\SYSTEM\taskmon.exe
*AVG_CC=C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
*CnxDslTaskBar=C:\WINDOWS\SYSTEM\CnxDslTb.exe
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*PCCIOMON.EXE="C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*Avgserv9.exe=C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FFEF06D1=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF4075=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFE079=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFFEA05=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE35A9=C:\PROGRAMMI\TREND PC-CILLIN 2000\PCCIOMON.EXE
*FFFE6401=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFE69D1=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
*FFFE4AE9=C:\PROGRAMMI\GRISOFT\AVG6\AVGSERV9.EXE
*FFFE8205=C:\WINDOWS\SYSTEM\STIMON.EXE
*FFE12595=C:\WINDOWS\EXPLORER.EXE
*FFE1A849=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
*FFE01691=C:\WINDOWS\TASKMON.EXE
*FFE0AB9D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFE0F781=C:\WINDOWS\SYSTEM\ALISNDMG.EXE
*FFE0D399=C:\WINDOWS\LTSMMSG.EXE
*FFE053BD=C:\PROGRAMMI\ACER\POWERKEY\POWERKEY.EXE
*FFE0CA41=C:\PROGRAMMI\TREND PC-CILLIN 2000\POP3TRAP.EXE
*FFE30741=C:\PROGRAMMI\TREND PC-CILLIN 2000\WEBTRAP.EXE
*FFE3786D=C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPLPR.EXE
*FFE35C2D=C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPENH.EXE
*FFE3BB19=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFE3A9A9=C:\WINDOWS\SYSTEM\KEYMAP.EXE
*FFE3CE95=C:\PROGRAMMI\GRISOFT\AVG6\AVGCC32.EXE
*FFE38F9D=C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
*FFE2A199=C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
*FFE43E89=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFE77CD5=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFE378D=C:\DOCUMENTI\WXKBD41\KEYS32.EXE
*FFE42D01=C:\WINDOWS\SYSTEM\RNAAPP.EXE
*FFE4D081=C:\WINDOWS\SYSTEM\TAPISRV.EXE
*FFE58AFD=C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
*FFE5E6E9=C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
*FFE5EA6D=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FFE69E35=C:\PROGRAMMI\DAP\DAP.EXE
*FFE85C21=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
»Application specific



Anyway the startpage problem desappeared after running CW Shredder,

Let me know.

Regards

Ale

 

The problem is that it will probably return.
If and when it does post a new Startdreck log in this thread. (It does not show the entry we are looking for now)

Regards,

Pieter