Author Topic: Win32.Startpage-006(Trj)  (Read 22542 times)


Jamalin

  • Guest
Win32.Startpage-006(Trj)
« on: May 29, 2004, 01:39:25 PM »
Avast says I have this virus on c:\windows\system\ggjogda.dll.
I also get a pop up sign warning for spyware and adware.
What can a novice like me do? Avast won't repair it.
Can I delete the file without problems for Windows?
Grateful for help.
Jamalin

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Win32.Startpage-006(Trj)
« Reply #1 on: May 29, 2004, 02:37:20 PM »
You can start your PC in safe mode and let Avast scan your PC again. Then it should be able to delete the file.
You can also try Avast and Spybotsd (use Google or Boardsearch) for a download link. Download/install/update them and scan your PC.

If there are still some problems left, post a hijackthis log: www.hjt.klaffke.de/en
MfG Ralf

GPA

  • Guest
Re:Win32.Startpage-006(Trj)
« Reply #2 on: June 04, 2004, 04:33:56 PM »
Hi,

I also have this virus and am wondering if it's OK to delete .dll files (running Windows ME) - did you have any success?

GPA

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11873
    • AVAST Software
Re:Win32.Startpage-006(Trj)
« Reply #3 on: June 04, 2004, 04:38:22 PM »
ggjogda.dll really doesn't sound like any common system file - you can delete it (but I would expect the program that has dropped this file to be somewhere near...)

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Win32.Startpage-006(Trj)
« Reply #4 on: June 04, 2004, 04:48:36 PM »
MfG Ralf

GPA

  • Guest
Re:Win32.Startpage-006(Trj)
« Reply #5 on: June 04, 2004, 05:09:13 PM »
Thanks Igor and Raman,
I read that article but it all seemed a bit complicated! Is that link for another CWS shredder type of programme?

And I have another question: I defragged my PC since having this virus and various programmes are now acting funny or not running. Do you think I should do a system restore before trying any more fixes (I have tried shredder, spybot and avast)? And do I need to disable system restore before I run all these scans (including avast)?

Thanks for your help, much appreciated.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Win32.Startpage-006(Trj)
« Reply #6 on: June 04, 2004, 05:14:43 PM »
No you do not need to disable the SR. Try the CLRAV cleaner. If that does not do the job, post a hijackthis.log: www.hjt.klaffke.de/en
MfG Ralf

Yosh

  • Guest
Re:Win32.Startpage-006(Trj)
« Reply #7 on: June 09, 2004, 12:17:09 AM »
Well, I've got the same problem with Win32.Startpage-006(Trj). Avast alarms me in various situations with 2 warnings. First is about a file in temp.int.files dir (m[1].bin or smth like that) and the second one is about a DLL file in winnt/system32 directory. I've deleted manually all suspicious DLLs from that dir and it still creates new ones just before every Avast alarm.

I tried:
- Ad-Aware (it found something, however it didn't help).
- CWShredder (after alarms it sometimes finds a trojan and fixes it).
- Hijack This (this one doesn't find anything).
- and I also use SpywareGuard (it seems that it finds something only if I let it through Avast, but it doesn't help at all, only temporarily).
- 2 online scans many times and they didn't help.
I also tried Avast in safe-mode - didn't find anything wrong.

I have no idea what to do :/ It alarms me when I click a program, open my instant messenger, open IE (I didn't notice any problem with Mozilla, maybe because I usually use IE)... Everything seems to be OK, and suddenly it strikes back.

system:
Windows 2000 SP4
Internet Explorer 6 SP1 (as far as I remember)
Avast Antivirus
ZoneAlarm Firewall
SpywareGuard

whocares

  • Guest
Re:Win32.Startpage-006(Trj)
« Reply #8 on: June 09, 2004, 12:43:45 AM »
Hi,

please explain what you mean by "didn't help":
didn't find anything, or didn't remove it.. ??

--> please post the hijackthis-Logfile..


Yosh

  • Guest
Re:Win32.Startpage-006(Trj)
« Reply #9 on: June 09, 2004, 09:44:55 PM »
By "didn't help" I wanted to say that I ran it several times. It (AdAware) found something and I just removed everything suspicious. However, after a few minutes I launch IE and Avast alarms me again about a file in tmp.int.files and a DLL in the system32 dir.

It is like I find some spyware or startpage-changers... but after I delete them all with a lot of spyware removal software they come back..

I had tried to find some help on the Net (forums or sth like that) and I have found some people with the same problem who had no idea what to do.. :/ I don't want to reinstall the whole system.

-----------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 21:28:51, on 2004-06-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\The Bat!\thebat.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ASUSTweakEnable] C:\Program Files\ASUS\Tweaking Utilities\atstart.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Go Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\VGAProbe.exe FirstTime
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: QuickTV.lnk = C:\AVERTV2K\QuickTV.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: kbutils - https://www.kb24.pl/ikd/kbutils.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

mals

  • Guest
Re:Win32.Startpage-006(Trj)
« Reply #10 on: June 10, 2004, 01:35:43 AM »
I have the same problem. Avast tells me I have it just as you have said. Tried everything as you have; the only thing I have found is a file called d3do.dll, a superhidden file that I cannot get rid of. It is in the system32 folder and Security Task Manager finds it. Searched every place, done most things, but cannot delete it. The only thing I have not done is try recovery to delete it.

I will give this another week, then I think it will be a format  >:(

Yosh

  • Guest
Re:Win32.Startpage-006(Trj)
« Reply #11 on: June 10, 2004, 10:31:05 AM »
I forgot about it. Yesterday evening I have removed the d3d.dll file from my system32 folder. The problem was that it had been in system memory (Avast finds it while checking memory) and I had to run before the system starts.
After Avast finds it (Win32.Trojan-gen{Other}) and tells that it can't be removed because it's in use, there is a question whether you want to restart your Windowz and run Avast first (before that d3d.dll gets into memory). Try.

mals

  • Guest
Re:Win32.Startpage-006(Trj)
« Reply #12 on: June 13, 2004, 10:22:14 PM »
Well, set up Avast to scan the system32 folder on startup and it found d3do.dll and deleted it. Now been free of startpage troj for a few days.

thanks for the info

karakartal

  • Guest
Re:Win32.Startpage-006(Trj)
« Reply #13 on: June 16, 2004, 12:32:31 AM »
Hi, I have this virus in my system and I can't get rid of it either.
I tried Ad-Aware = no detection, I tried Spybot = no detection.

Avast detects the virus when I log on to the internet and asks me to repair, delete or move to chest, but when I scan and click on repair, it doesn't repair it and says that it can't process the file blah blah. I used to be able to move it to chest, but now it doesn't move it. Before, I was also able to detect the virus with Avast (it might move it to chest when I try another time), but now it doesn't detect the win32 startpage006 when I start the PC and use the Avast virus scanner straight away, nor can it detect it in safe mode. I detected it before but it didn't repair it.
I don't know how to get rid of it and I have run out of ideas... please help.

I use 2002 XP, Kerio PF.
Here is my Hj:

Logfile of HijackThis v1.97.7
Scan saved at 23:30:53, on 15/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\QuickTime\qttask.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Software Assist\Instant Access\InstantAccess.exe
C:\Program Files\FastNet99\FastNet99.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Avant Browser\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LeechGet 2004\LeechGet.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\downloads1\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D65946B4-8DA7-4EDB-8317-58DD8252F3C7} - C:\WINDOWS\System32\pfnl.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O4 - Startup: fastnet99.lnk = C:\Program Files\FastNet99\FastNet99.exe
O4 - Global Startup: Instant Access.lnk = C:\Program Files\Software Assist\Instant Access\InstantAccess.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38026.8246527778
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B3A5878E-5B4C-4D12-9156-4D7FD8D0AF6C} (Cltbuilder Class) - http://www.one2one.com/static/class/one2oneSvc.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4339/mcfscan.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.33/EPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C08A1DE7-FF60-4E0F-A7F9-9AA6CE4B1DDC}: NameServer = 213.1.119.97 213.1.119.98
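
Added example (not part of any post in this thread, and not HijackThis's own logic): a small Python triage pass over HijackThis logs like the ones posted above. The three review heuristics and the `expected_start_hosts` parameter are assumptions of this example; a match marks an entry for a closer look and is not a verdict.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Short sample: lines copied from the HijackThis log in Reply #13 of this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {D65946B4-8DA7-4EDB-8317-58DD8252F3C7} - C:\WINDOWS\System32\pfnl.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.33/EPlugin.cab
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O16 - DPF: ..."
URL_RE = re.compile(r"https?://\S+")

def parse_entries(log_text):
    """Return (code, body) pairs for result lines, skipping header and process list."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def url_host(text):
    """Host of the first http(s) URL in text, or None if there is none."""
    m = URL_RE.search(text)
    return urlparse(m.group(0)).hostname if m else None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(log_text, expected_start_hosts):
    """Return (code, body, reasons) for entries matching a review heuristic."""
    findings = []
    for code, body in parse_entries(log_text):
        reasons = []  # heuristics below are assumptions of this example
        host = url_host(body)
        if body.endswith("(file missing)"):
            reasons.append("registered file is missing on disk")
        if code == "O16" and host and is_ip_literal(host):
            reasons.append("ActiveX download source is a bare IP address")
        if code.startswith("R") and "Start Page" in body and host not in expected_start_hosts:
            reasons.append("IE start page host not in the expected set")
        if reasons:
            findings.append((code, body, reasons))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG, {"www.yahoo.com"}), sep="\n")
```
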




Yosh

  • Guest
Re:Win32.Startpage-006(Trj)
« Reply #14 on: June 16, 2004, 09:39:37 AM »
Weird. Try to manually find the file d3d.dll in system32. When you find it, scan that file. In a "normal" scan Avast finds it during the memory check - don't stop it before the end. If it is the Win32:Startpage-006 then you should delete those DLLs that are in alerts (those created by the trojan) instead of repairing them. You may not have them if you were deleting or moving them every time there was a message about the virus.