Options
Internet Explorer infected with Trojan Startpage Gx
Hi,
First of all, I would like to congratulate you on doing a yeoman's service. While going through the forum threads I was overwhelmed with the ease and dexterity with which you solve the problems.
Recently, I have encountered a strange problem in my machine. Would you be kind enough to see what is the fault and what I have to do to get out of the mess.
Problem
Whenever, I open Internet Explorer, my AVG antivirus popups up with a message "Trojan Horse Startpage GX found". Even after I delete it, it popups up again the next time I open IE.
I have run Ad-Aware, SpyBot Search and Destroy. Both have found browser hacker CoolwebSearch, which I have promptly removed. But the problem remains.
Please find attached the HijackThis log for your perusal.
Thanks a ton in anticipation,
Somak
Logfile of HijackThis v1.99.1
Scan saved at 12:14:16 AM, on 7/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
E:\tata\HijackThis.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SOMAKR~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SOMAKR~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - E:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {63F3F42A-882F-4113-8737-BF5CE266D168} - C:\WINNT\system32\nofn.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TataIndicomStartUp] C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomStartUp.exe
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Windows Media Player] lol.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "e:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~2\DAP\dapextie.htm
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\nutafun4.dll' missing
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O18 - Filter: text/html - {312391A9-5A80-4A6A-A77B-356AA7B3169E} - C:\WINNT\system32\nofn.dll
O18 - Filter: text/plain - {312391A9-5A80-4A6A-A77B-356AA7B3169E} - C:\WINNT\system32\nofn.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OracleOraHome81Agent - Oracle Corporation - E:\oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - E:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Oracle Corporation - E:\oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81HTTPServer - Unknown owner - E:\oracle\ora81\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome81PagingServer - Unknown owner - E:\oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - E:\oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINSPIRIT - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
First of all, I would like to congratulate you on doing a yeoman's service. While going through the forum threads I was overwhelmed with the ease and dexterity with which you solve the problems.
Recently, I have encountered a strange problem in my machine. Would you be kind enough to see what is the fault and what I have to do to get out of the mess.
Problem
Whenever, I open Internet Explorer, my AVG antivirus popups up with a message "Trojan Horse Startpage GX found". Even after I delete it, it popups up again the next time I open IE.
I have run Ad-Aware, SpyBot Search and Destroy. Both have found browser hacker CoolwebSearch, which I have promptly removed. But the problem remains.
Please find attached the HijackThis log for your perusal.
Thanks a ton in anticipation,
Somak
Logfile of HijackThis v1.99.1
Scan saved at 12:14:16 AM, on 7/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
E:\tata\HijackThis.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SOMAKR~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SOMAKR~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - E:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {63F3F42A-882F-4113-8737-BF5CE266D168} - C:\WINNT\system32\nofn.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TataIndicomStartUp] C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomStartUp.exe
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Windows Media Player] lol.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "e:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~2\DAP\dapextie.htm
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\nutafun4.dll' missing
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O18 - Filter: text/html - {312391A9-5A80-4A6A-A77B-356AA7B3169E} - C:\WINNT\system32\nofn.dll
O18 - Filter: text/plain - {312391A9-5A80-4A6A-A77B-356AA7B3169E} - C:\WINNT\system32\nofn.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OracleOraHome81Agent - Oracle Corporation - E:\oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - E:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Oracle Corporation - E:\oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81HTTPServer - Unknown owner - E:\oracle\ora81\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome81PagingServer - Unknown owner - E:\oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - E:\oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINSPIRIT - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
0
Comments
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SOMAKR~1\LOCALS~1\Temp\se.dll/spage.html
(Description: Home page or search page hijacker (running from temp folder))
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SOMAKR~1\LOCALS~1\Temp\se.dll/spage.html
(Description: Home page or search page hijacker (running from temp folder))
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - E:\Program Files\DAP\DAPIEBar.dll
(Description: Accelerator Plus adware.)
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
(Description: DAP)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SOMAKR~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\SOMAKR~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\RunServices: [Windows Media Player] lol.exe
Download LSPfix. Run Lspfix once you finished unzipping the file.
Download cleanup 4.0. Save the setup file to your desktop and then run it. Run cleanup 4.0 by clicking cleanup.
Make sure you can view all hidden files:
Open my computer>click tools>click folder options>
click view tab>check show hidden files>uncheck hide file extensions>click apply>click OK>exit
Post a new log.
Thank you, it seems that the problem has been solved. Please find my latest HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 8:15:34 PM, on 7/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\mqsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
E:\tata\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - E:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TataIndicomStartUp] C:\Program Files\Tata Indicom Wireless Internet Service\TataIndicomStartUp.exe
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\SOMAKR~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~2\DAP\dapextie.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: OracleOraHome81Agent - Oracle Corporation - E:\oracle\ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - E:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Oracle Corporation - E:\oracle\ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81HTTPServer - Unknown owner - E:\oracle\ora81\Apache\Apache\Apache.exe
O23 - Service: OracleOraHome81PagingServer - Unknown owner - E:\oracle\ora81/bin/pagntsrv.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - E:\oracle\ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINSPIRIT - Oracle Corporation - e:\oracle\ora81\bin\ORACLE.EXE
open "my computer">click tools>folder options>view>check show hidden files>untick hide file extensions>click apply>click ok>exit