Help please with the removal of trojan startpage.FH

Post by junipaire » April 4th, 2005, 10:11 am

Hi Nellie or another expert at getting rid of malware

I was helped out on this thread below about my brother's PC and that dreaded virus Trojan Startpage.FH

http://www.pcadvisor.co.uk/index.cfm?go ... &forumid=1

Well it returned, dunno how it did it but he reckoned it was ok for a couple of weeks, although he doesn't use his machine much I don't think, then the virus was there again.

I went round on Friday night and put him on Firefox to use as his browser, the homepage wasn't changed but we did still get pop ups saying click to get rid of malware etc.

Did as you suggested, downloaded FxAgentB tool when used in conjunction with CWShredder and Adaware and FXAgentB did find the virus and supposedly got rid only when reboot there the blasted thing was again. Now when I ran the FXAgentB again it didn't find anything, but the virus still changes his homepage and still has these pop ups so still there, so will have to ask for your help to manually remove or would you suggest anything else.

I got a fresh hijackthis log here as you suggested.

Logfile of HijackThis v1.98.2
Scan saved at 21:10:58, on 01/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Simon\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Simon\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Simon\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2EAED660-598D-4B00-A706-4E75500EE2EF} - C:\WINDOWS\system32\jbpa.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\Run: [etlogonn] C:\WINDOWS\System32\etlogonn.exe
O4 - HKLM\..\Run: [cpl] C:\WINDOWS\deamon.exe /i
O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS\ssvr.exe /i
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Simon\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\system32\deinst_qfe001.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CF7671E-2173-48F1-8B9C-9AE90BED9D03}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CF7671E-2173-48F1-8B9C-9AE90BED9D03}: NameServer = 194.168.4.100 194.168.8.100
O18 - Filter: text/html - {ECE2F6B5-8B9F-4FEA-A46D-F08223DAE3F0} - C:\WINDOWS\system32\jbpa.dll
O18 - Filter: text/plain - {ECE2F6B5-8B9F-4FEA-A46D-F08223DAE3F0} - C:\WINDOWS\system32\jbpa.dll
junipaire
Active Member
 
Posts: 10
Joined: April 4th, 2005, 10:04 am
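
A first triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread or any tool used in it. The sample lines are copied from that log; the function names and the two heuristics (a file under a Temp directory, a core Windows process name outside system32) are assumptions of this example, and a hit is a lead to inspect by hand, not a verdict.

```python
import re

# Lines copied from the HijackThis log posted above (a short excerpt).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Simon\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Simon\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, then detail
PATH = re.compile(r'[A-Za-z]:\\[^"/,=]*?\.(?:exe|dll|ocx|htm)', re.I)
# Assumption of this example: core Windows processes that belong in system32.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                "services.exe", "svchost.exe"}

def parse(log):
    """Return (section, detail, paths) for every HijackThis entry line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), PATH.findall(m.group(2))))
    return entries

def review_reasons(path):
    """Heuristics added for this example; a hit is a lead, not a verdict."""
    folder, _, name = path.lower().rpartition("\\")
    reasons = []
    if "\\temp\\" in folder + "\\":
        reasons.append("runs from a Temp directory")
    if name in SYSTEM_NAMES and not folder.endswith("\\system32"):
        reasons.append("system process name outside system32")
    return reasons

def triage(log):
    """List (section, path, reason) for entries worth inspecting by hand."""
    return [(section, path, reason)
            for section, _detail, paths in parse(log)
            for path in paths
            for reason in review_reasons(path)]

if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print(f"{section:3} {path}  <- {reason}")
```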

Post by Elrond » April 4th, 2005, 1:31 pm

Hi junipaire
Welcome to Malware Removal Forums.
I'm looking over your log file and will get back to you soon.

Elrond
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Post by Elrond » April 4th, 2005, 1:46 pm

Hi junipaire

You have a nasty infection on the computer. I am Elrond and will do my best to help you get the computer back to normal.

RED or UNDERLINED words are links that can be clicked.

HOW TO:
Should you need instructions for:
Showing hidden files and folders in Windows.
Reboot in safe mode. (If you have a keyboard with a "F Lock" key click it so that the "F" light above it is on when you start tapping the "F8" key.)
How to print the fix instructions
Click the red links above.

How to unzip a downloaded zip file.
Place the zip file in the folder where you want the unzipped program to be.
If you are running Windows XP you simply right click the zip file and select "Extract Files".
For the other versions of Windows you will need a program like 7-Zip. Open 7-Zip. Navigate to the downloaded zip file and highlight it. Right click and select "Extract Here".

When asked to post a new HijackThis log please
Close all windows and browsers.
Find the HijackThis folder. Open it and double click "HijackThis.exe". Click "Do a system scan" and save a "logfile". (If HijackThis shows you a "Scan" button that is OK.)
When the scan is finished, the "Scan" button will change into a "Save Log" button. Click it. Click "Ctrl-A" (the "Ctrl" key and the "A" key at the same time) to highlight the whole log. Now click "Ctrl-C" to copy the text. Open this topic and click the "Add Reply" button at the bottom of the page. Paste the log into the window that opens up by clicking "Ctrl-V". Click "Add Reply" to post.


1. Please copy the instructions to a notepad or preferably print them.

2. Make sure to work through the fixes exactly as given and in the exact order they are mentioned below.

3. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

4. IMPORTANT. Must be done before start of cleanup.

Your HijackThis is not the latest version. Please download this self extracting file to your Downloads folder in My Documents or some other place where you will find it easily:
* Now go to the folder you saved "HijackThis_sfx.exe" in. Double click "HijackThis_sfx.exe" and select "Unzip". When done click "OK".
* Close the WinZip self Extractor window.
* To find HijackThis go to C:\Program Files\HijackThis.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL INSTRUCTED TO DO SO. SOME OF THE FILES ARE LEGIT AND VITAL TO YOUR COMPUTER'S HEALTH

5. Configure Windows to show all files.

6. * Close ALL windows except "HijackThis"
* SCAN with "HijackThis"
* POST the new log in this thread using "Add Reply"

Post by junipaire » April 5th, 2005, 4:37 am

Thanks Elrond

Do appreciate you taking the time to help me out, the nuisance part of this is it's my brother's machine and although I don't know much about computers he knows a lot less so will have to hopefully get round there sometime this week to try what you've said out.

I'll get back to you

Junipaire

Post by Elrond » April 5th, 2005, 5:36 am

Please note that many of these infections get worse when you use the computer on the internet. They download more junk onto the computer that then needs to be removed. What I instructed you to do is only preliminaries to the clean up. Come back soon with that new HijackThis log from the latest version of HijackThis.

Post by junipaire » April 5th, 2005, 6:10 am

Hi Elrond

Was thinking would it be just easier if I was to completely format his computer and reset back to factory settings (and put anything important onto CDs) as this could be a little hassle going round to his house all the time trying new things.

Would this get rid of the virus though?

Junipaire

Post by Elrond » April 5th, 2005, 7:43 am

That is up to you. What I could see from the log you sent me the infection is serious but well known by now. We would of course only know if this is the case once we start doing the necessary fixes. However if you do a reformat and a reinstallation you should still come back here before you do it as I would then give you tips on what programs to install in order not to repeat the infections again.

Post by junipaire » April 5th, 2005, 8:10 am

I think we will then reformat and reinstall, I'll be going round tomorrow I think so what programs do you suggest to stop this happening again?

Thanks again
Junipaire

Post by ChrisRLG » April 5th, 2005, 8:13 am

Our site's recommended items are in this post in our public library.

http://www.malwareremoval.com/forum/viewtopic.php?t=14

Elrond will probably post a few suggestions too.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Post by ChrisRLG » April 15th, 2005, 7:10 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.