startpage hijacked

Discussion in 'adware, spyware & hijack cleaning' started by alessandrocancian, Jun 1, 2004.

Thread Status:
Not open for further replies.
  1. alessandrocancian

    alessandrocancian Registered Member

    Joined:
    May 26, 2004
    Posts:
    15
    Hi dear all,
    My startpage has been hijacked. I open IE and about:blank appears.

    This is the HijackThis scan log:
    Logfile of HijackThis v1.97.7
    Scan saved at 11.46.54, on 01/06/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAMMI\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAMMI\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ALISNDMG.EXE
    C:\WINDOWS\LTSMMSG.EXE
    C:\PROGRAMMI\ACER\POWERKEY\POWERKEY.EXE
    C:\PROGRAMMI\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAMMI\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPLPR.EXE
    C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPENH.EXE
    C:\WINDOWS\SYSTEM\KEYMAP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAMMI\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
    C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAMMI\DAP\DAP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAMMI\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAMMI\DAP\DAPBHO.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {C129D23C-8523-4062-8DAF-AA24ED4B0C59} - C:\WINDOWS\SYSTEM\GDG.DLL
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\PROGRAMMI\DAP\DAPIEBAR.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMMI\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [AcerPowerkey] "C:\Programmi\Acer\Powerkey\Powerkey.exe"
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Programmi\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrap.exe] "C:\Programmi\Trend PC-cillin 2000\WebTrap.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [VolKey] C:\WINDOWS\SYSTEM\Keymap.exe
    O4 - HKLM\..\Run: [Launch App] c:\DMSINFO\launapp.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\SYSTEM\CnxDslTb.exe
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download using Offline &Explorer - file://C:\PROGRAMMI\OFFLINE EXPLORER\Add_UrlO.htm
    O8 - Extra context menu item: Download the &current page with Offline Explorer - file://C:\PROGRAMMI\OFFLINE EXPLORER\Add_AllO.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Programmi\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Programmi\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Organizzatore ricerche (HKLM)
    O9 - Extra button: SUPER NOVITA' (HKLM)
    O9 - Extra 'Tools' menuitem: Strumento Super Internet (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38134.3084259259

    Can anybody help me?

    Alessandro
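The log above shows the pattern a helper looks for in a start-page hijack of this kind: every R0/R1 start/search entry points at a `res://` URL served out of one local DLL (`GDG.DLL` in the Windows system directory), and the same DLL is also registered as a Browser Helper Object (O2), which is what re-applies the pages each time IE starts. As an added example, not part of the thread and not code from HijackThis, here is a small Python triage script that reads HijackThis 1.x log lines, extracts the DLL behind any `res://` page value, and ties it to the matching BHO entry. The regexes assume the line layout seen in the log above (`R1 - <key> = <value> (obfuscated)`, `O2 - BHO: <name> - {CLSID} - <path>`); the sample input is an excerpt of the poster's own log lines, embedded inline.

```python
"""Triage a HijackThis 1.x log for a res:// start/search-page hijack backed
by a local DLL, and link that DLL to its BHO entry.
Added example; not part of the forum thread and not HijackThis code."""
import re
from typing import Dict, List, NamedTuple

# Assumed line layouts, taken from the log format seen in the thread.
# R1 - HKCU\...\Main,Search Page = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<value>.+?)(?P<obf> \(obfuscated\))?$")
# O2 - BHO: (no name) - {CLSID} - C:\WINDOWS\SYSTEM\GDG.DLL
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# res://<dll path>/<resource>: a page rendered from a resource inside a local DLL
RES_URL = re.compile(r"^res://(?P<dll>.+?)/[^/]*$", re.IGNORECASE)
SYSTEM_DIRS = ("\\windows\\system\\", "\\windows\\system32\\")


class Finding(NamedTuple):
    severity: str   # "high" or "medium"
    line: str       # the log line as written
    reason: str


def in_system_dir(path: str) -> bool:
    """True if the path sits in the Windows system directory (9x or NT layout)."""
    p = path.lower()
    return any(d in p for d in SYSTEM_DIRS)


def scan_hjt_log(text: str) -> Dict[str, object]:
    """Return the DLLs that serve res:// pages plus a list of Findings."""
    hijack_dlls = set()
    findings: List[Finding] = []
    lines = [ln.strip() for ln in text.splitlines()]

    # Pass 1: R0/R1 start/search-page values. A res:// URL into a DLL means the
    # "page" is shipped inside that DLL rather than fetched from a site.
    for ln in lines:
        m = R_LINE.match(ln)
        if not m:
            continue
        value = m.group("value")
        res = RES_URL.match(value)
        if res:
            dll = res.group("dll").lower()
            hijack_dlls.add(dll)
            sev = "high" if in_system_dir(dll) or m.group("obf") else "medium"
            findings.append(Finding(sev, ln, f"IE page served from local DLL {dll}"))
        elif value.lower() == "about:blank" and "HomeOldSP" in m.group("key"):
            findings.append(Finding("medium", ln,
                                    "HomeOldSP set to about:blank (the start page the user sees)"))

    # Pass 2: BHOs. A BHO loading the same DLL that serves the res:// page is the
    # component that re-applies the hijack on every IE start.
    for ln in lines:
        m = O2_LINE.match(ln)
        if not m:
            continue
        path = m.group("path").lower()
        if path in hijack_dlls:
            findings.append(Finding("high", ln,
                                    f"BHO loads the hijack DLL {path}; it re-sets the pages on each IE start"))
        elif in_system_dir(path):
            findings.append(Finding("medium", ln, "BHO living in the Windows system directory"))
    return {"hijack_dlls": sorted(hijack_dlls), "findings": findings}


# Constructed sample: an excerpt of the HijackThis lines posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\GDG.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {C129D23C-8523-4062-8DAF-AA24ED4B0C59} - C:\WINDOWS\SYSTEM\GDG.DLL
"""

if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG)["findings"]:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

On the sample above the script reports one hijack DLL (`c:\windows\system\gdg.dll`), flags the three `res://` page entries and the BHO that loads that DLL as high, and the `HomeOldSP = about:blank` entry as medium; the Adobe and Spybot BHOs produce no finding, which is the point of tying the BHO check to the DLL named in the R0/R1 values rather than to the "(no name)" label that HijackThis 1.97 prints for many legitimate helpers too.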
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi alessandrocancian,

    First, make sure your Windows and IE are fully updated.
    Then download:
    http://tools.zerosrealm.com/dllfix.exe

    Double-click it and install it in a folder of your choice on the root drive, in your case C:\

    1. Run start.bat and press option 1. 'output.txt' will be created in the folder

    (note : it's best to post that report together with a HijackThis log in your topic, so experts can have a look as well)

    2. IF hidden dll was successfully found, run start.bat again and choose option 2. Hit '1' and enter dll name manually.

    3. If dll was not found after first running start.bat :

    Run start.bat again and choose option '2'. You must reboot after doing so.

    4. Download AdAware: http://www.lavasoft.de/software/adaware/ (make sure you have the latest updates) and run it.

    5. Ask for a new HijackThis log and a new output.txt after the fix.

    6. Finally, you can also run CWShredder to clean up other entries.

    Regards,

    Pieter
     
  3. alessandrocancian

    alessandrocancian Registered Member

    Joined:
    May 26, 2004
    Posts:
    15
    Thanks,
    I tried to run dllfix start, but a message appears: this version is only for Windows 2000 or XP. I use Windows ME and it doesn't work.

    Please help

    Regards

    Alessandro
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    My mistake. This malware normally doesn't run on 9x computers so I forget to check sometimes. :oops:

    Download: StartDreck and unzip it.
    DoubleClick: 'StartDreck.exe'
    Hit: config
    Hit: Unmark all
    Check these boxes only:
    Registry -> Run keys
    System/Drivers -> Running processes
    Hit: OK.
    Post the log.

    Regards,

    Pieter
     
  5. alessandrocancian

    alessandrocancian Registered Member

    Joined:
    May 26, 2004
    Posts:
    15
    Thanks Pieter,
    here is the log:

    StartDreck (build 2.1.5 public BETA) - 2004-06-02 @ 12.06.14
    Platform: Windows ME (Win 4.90.3000 )

    »Registry
    »Run Keys
    »Current User
    »Run
    »RunOnce
    »Default User
    »Run
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    *SystemTray=SysTray.Exe
    *ALiSndMgr=ALiSndMg.exe
    *LTSMMSG=LTSMMSG.exe
    *AcerPowerkey="C:\Programmi\Acer\Powerkey\Powerkey.exe"
    *PCCIOMON.EXE="C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
    *pop3trap.exe="C:\Programmi\Trend PC-cillin 2000\pop3trap.exe"
    *WebTrap.exe="C:\Programmi\Trend PC-cillin 2000\WebTrap.exe"
    *SynTPLpr=C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
    *SynTPEnh=C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
    *VolKey=C:\WINDOWS\SYSTEM\Keymap.exe
    *Launch App=c:\DMSINFO\launapp.exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *RegShave=C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    *TaskMon=C:\WINDOWS\SYSTEM\taskmon.exe
    *AVG_CC=C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    *CnxDslTaskBar=C:\WINDOWS\SYSTEM\CnxDslTb.exe
    *Installed=1
    *NoChange=1
    *Installed=1
    *Installed=1
    »RunOnce
    »RunServices
    *PCCIOMON.EXE="C:\Programmi\Trend PC-cillin 2000\PCCIOMON.EXE"
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
    **StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
    *Avgserv9.exe=C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
    »RunServicesOnce
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FFEF06D1=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF4075=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFFE079=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFFEA05=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFE35A9=C:\PROGRAMMI\TREND PC-CILLIN 2000\PCCIOMON.EXE
    *FFFE6401=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFE69D1=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    *FFFE4AE9=C:\PROGRAMMI\GRISOFT\AVG6\AVGSERV9.EXE
    *FFFE8205=C:\WINDOWS\SYSTEM\STIMON.EXE
    *FFE12595=C:\WINDOWS\EXPLORER.EXE
    *FFE1A849=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    *FFE01691=C:\WINDOWS\TASKMON.EXE
    *FFE0AB9D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFE0F781=C:\WINDOWS\SYSTEM\ALISNDMG.EXE
    *FFE0D399=C:\WINDOWS\LTSMMSG.EXE
    *FFE053BD=C:\PROGRAMMI\ACER\POWERKEY\POWERKEY.EXE
    *FFE0CA41=C:\PROGRAMMI\TREND PC-CILLIN 2000\POP3TRAP.EXE
    *FFE30741=C:\PROGRAMMI\TREND PC-CILLIN 2000\WEBTRAP.EXE
    *FFE3786D=C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPLPR.EXE
    *FFE35C2D=C:\PROGRAMMI\SYNAPTICS\SYNTP\SYNTPENH.EXE
    *FFE3BB19=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFE3A9A9=C:\WINDOWS\SYSTEM\KEYMAP.EXE
    *FFE3CE95=C:\PROGRAMMI\GRISOFT\AVG6\AVGCC32.EXE
    *FFE38F9D=C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
    *FFE2A199=C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
    *FFE43E89=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFE77CD5=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    *FFFE378D=C:\DOCUMENTI\WXKBD41\KEYS32.EXE
    *FFE42D01=C:\WINDOWS\SYSTEM\RNAAPP.EXE
    *FFE4D081=C:\WINDOWS\SYSTEM\TAPISRV.EXE
    *FFE58AFD=C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    *FFE5E6E9=C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    *FFE5EA6D=C:\WINDOWS\SYSTEM\PSTORES.EXE
    *FFE69E35=C:\PROGRAMMI\DAP\DAP.EXE
    *FFE85C21=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
    »Application specific

    Anyway, the startpage problem disappeared after running CWShredder.

    Let me know.

    Regards

    Ale
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    The problem is that it will probably return.
    If and when it does, post a new StartDreck log in this thread. (It does not show the entry we are looking for now.)

    Regards,

    Pieter
     