Registry help with Trojan.startpage

Original Message
Name: Dave7
Date: February 3, 2005 at 14:56:43 Pacific
Subject: Registry help with Trojan.startpage
OS: 2000 Windows
CPU/Ram: P3
Comment:

Ok guys, I know how good you all are but I have one of the biggest bitch trojans I have ever had. I have spybot, adaware, cwShredder and Symantec antivirus based on searches here I tried. I can't get rid of this Trojan.startpage. I am still very hesitant to mess with my registry but I did a hijackthis log, can anyone help me decipher it? Please ask me to post it and I will.

I see about 4 lines in it with references to about.blank but I'm not sure about doing anything without getting a second opinion... please help guys.

Dave




Response Number 1
Name: Dave7
Date: February 3, 2005 at 15:25:53 Pacific
Reply:

Well I got a followup for you, I found this page:

http://hijackthis.de/index.php

It is amazing and I loved it, I followed what it said and I think I am back in the clear baby. Trojan.StartPage can suck it! Thanks everyone for the posts so I could find that lil jewel site.



Response Number 2
Name: daisymay
Date: February 3, 2005 at 15:28:39 Pacific
Reply:

Hi,
Out of interest this may have helped...

http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.html

daisymay



Response Number 3
Name: Derek
Date: February 3, 2005 at 15:29:02 Pacific
Reply:

First search Google for a little program called LSPFIX. When you attempt to get shot of about:blank you risk losing your internet connection. LSPFIX will get you back online again if this happens.

Next download and run this:
ABOUT:BUSTER

In order to run About:Buster you will need to have the following file and register it (unless you already have it on board):
MSCOMCTL.OCX INFO & DOWNLOAD

If you look where it says "alternatively" you will see that the file registering procedure is very simple. This will save a 5.66M program download.

No promises but the above looks like your best bet. Avoid advertised removers generally, they are often riddled with spyware.

Derek.W



Response Number 4
Name: Derek
Date: February 3, 2005 at 15:31:39 Pacific
Reply:

Thx for feedback (arrived while typing mine). Worth knowing, sounds simpler and nice to know it worked.

Derek.W



Response Number 5
Name: Derek
Date: February 3, 2005 at 15:54:11 Pacific
Reply:

As an afterthought, I see this seems to have been cured within about half an hour - very fast. This nasty can hide itself and come back again. If it does, try my #3.

It would be very useful to us if you keep us posted and let us know if your fix lasted.

Thanks

Derek.W




Response Number 6
Name: Dave7
Date: February 3, 2005 at 16:55:42 Pacific
Reply:

Oh thanks fellas and you're so right Derek, I didn't get it with that. I found the perfect fix and I got it off the net and this guy nailed it. It worked perfectly but you have to go into Safe mode and do it exactly as he says. Here it is:

Go here and download Adaware SE. Install the program then in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files, but don't run it.

Also click here to download CWSinstall.exe. CWSinstall.exe file and it will install CWShredder, but don't run it yet either.

Set your folder options to show hidden files like so:

Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

Now copy these instructions to notepad and save them to a convenient location like your desktop. You will need them to refer to in safe mode.

Restart into Safe mode.

How to start your computer in safe mode

Do all of the following in safe mode:


Run Hijack This and put a check by all of the following entries then click the "Fix Checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\OWNERY~1.002\LOCALS~1\Temp\sp.dll/sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\OWNERY~1.002\LOCALS~1\Temp\sp.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {D90307F0-2074-4EC3-B86A-E9C5D9010546} - C:\WINDOWS\System32\odml.dll

O18 - Filter: text/html - {72AA6E26-38B0-4C14-A3BF-F5ECA502189A} - C:\WINDOWS\System32\odml.dll

O18 - Filter: text/plain - {72AA6E26-38B0-4C14-A3BF-F5ECA502189A} - C:\WINDOWS\System32\odml.dll

Find and delete this file:

C:\WINDOWS\System32\odml.dll

Also in safe mode navigate to the C:\WINNT\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

Run CWShredder. Click on the cwshredder.exe then click "Fix" (not "Scan only") and let it do its thing.

Next run Adaware according to these instructions:

From main window: Click Start then under Select a scan Mode tick Perform full system scan.

Next deselect Search for negligible risk entries.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and click Next.)

Restart your computer.



Response Number 7
Name: Derek
Date: February 3, 2005 at 17:31:50 Pacific
Reply:

Fine - thanks for the info. A kinda variation on a theme but the variations might make all the difference. Keep us posted - we need to know about any fix that holds up for more than a few days (as do those Googling to this page in future).

Err...doesn't everyone always show all files and extensions LOL? It's MS logic to do otherwise. I think it's supposed to protect system files from newbies but they can still do plenty of damage deleting the ones they can see (watch these forums).

Derek.W



Response Number 8
Name: T_Rahul
Date: February 6, 2005 at 23:44:38 Pacific
Reply:

Thanks Dave7, finally I got rid of this nasty trojan through the procedure suggested by you.

It was a pain.

Regards
Rahul.



Response Number 9
Name: helpme911
Date: February 21, 2005 at 22:19:51 Pacific
Reply:

I did the same as response number 6, however I finally realized that there could be some differences in the file names.

For Example: not odml.dll but (haee.dll)

O18 - Filter: text/html - {72AA6E26-38B0-4C14-A3BF-F5ECA502189A} - C:\WINDOWS\System32\odml.dll

O18 - Filter: text/plain - {72AA6E26-38B0-4C14-A3BF-F5ECA502189A} - C:\WINDOWS\System32\odml.dll

Find and delete this file:

C:\WINDOWS\System32\odml.dll

Same with this one above. Delete c:\windows\system32\haee.dll

After I deleted haee.dll, I was fine. I followed the same steps as in response 6 but still had problems because of the difference in file names. This Virus was the hardest thing for me to remove.

Thanks to Response 6 for getting us started



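The entries quoted in responses 6 and 9 keep the same shape even when the DLL name changes (odml.dll, haee.dll): one file registered both as a BHO (O2) and as a MIME filter (O18), next to search settings set to about:blank or to a res:// page in Temp. The following is an added example, not part of any poster's message and not HijackThis code; the function names, the two heuristics and the benign helper.dll line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Entries quoted from response 6, plus one constructed benign BHO line for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\OWNERY~1.002\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {D90307F0-2074-4EC3-B86A-E9C5D9010546} - C:\WINDOWS\System32\odml.dll
O18 - Filter: text/html - {72AA6E26-38B0-4C14-A3BF-F5ECA502189A} - C:\WINDOWS\System32\odml.dll
O18 - Filter: text/plain - {72AA6E26-38B0-4C14-A3BF-F5ECA502189A} - C:\WINDOWS\System32\odml.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

R_LINE = re.compile(r"^(R[0-3]) - (HK\w+\\[^,]+),(.+?) = (.*)$")
O_LINE = re.compile(r"^(O2|O18) - (BHO|Filter): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")

def parse(log):
    """Split a HijackThis log into R (IE setting) and O2/O18 (BHO, MIME filter) records."""
    settings, modules = [], []
    for line in log.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            settings.append({"key": m[2], "value_name": m[3], "data": m[4]})
        elif m := O_LINE.match(line):
            modules.append({"section": m[1], "label": m[3], "clsid": m[4], "path": m[5]})
    return settings, modules

def review(log):
    """Return (IE settings worth reviewing, DLLs registered as both BHO and MIME filter)."""
    settings, modules = parse(log)
    odd_settings = [
        s for s in settings
        if s["data"].lower() == "about:blank"
        or (s["data"].lower().startswith("res://") and "\\temp\\" in s["data"].lower())
    ]
    roles = defaultdict(set)
    for mod in modules:
        roles[mod["path"].lower()].add(mod["section"])
    # Name-independent indicator: one DLL holding both the O2 and the O18 role.
    dual_role = sorted(p for p, r in roles.items() if {"O2", "O18"} <= r)
    return odd_settings, dual_role

if __name__ == "__main__":
    odd, dlls = review(SAMPLE_LOG)
    for s in odd:
        print("setting:", s["key"], s["value_name"], "=", s["data"])
    for d in dlls:
        print("dual-role DLL:", d)
```

Because the check keys on the registration pattern rather than the file name, the same log with haee.dll in place of odml.dll is flagged the same way.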

Response Number 10
Name: Derek
Date: February 22, 2005 at 15:08:10 Pacific
Reply:

Thx all for valuable feedback.

Derek.W



Response Number 11
Name: mafarka
Date: February 23, 2005 at 11:00:21 Pacific
Reply:

I got the b*stard yesterday and Responses 6 & 9 definitely work.

I searched for *dll files modified that day and found an emfk.dll in System32. Checked on the net to see if emfk.dll was an authentic .dll file, but found it doesn't exist.

I ran spybot, hijack this and spyware blaster, deleted and immunised then restarted in Safe Mode. Found the file and renamed it as an *.old file.

Restarted normally and hey presto no more trouble.




Response Number 12
Name: vyntage
Date: February 27, 2005 at 07:17:42 Pacific
Reply:

Hi

Jus wanna ask whether it is possible to remove trojan.startpage by jus using 'hijackthis'? Is it necessary to go thru the procedures shown in response #6?



Response Number 13
Name: Derek
Date: February 27, 2005 at 09:43:48 Pacific
Reply:

Hi Sue

I assume you Googled into this thread. That way we don't know your operating system. Best bet is to start a new post.

You might be lucky with HijackThis but about:blank is renowned to be a difficult one to get off your machine.
Be careful with any "wonder fixes" advertised on the internet (they are often spyware themselves).

If you are on Windows XP I gather that Microsoft's new Anti-Spyware freebie can fix this one.

Otherwise, as 6 & 9 appear to have done the trick then they would be your best bet (unless anyone comes along on here who knows a quick fix that actually works).

Derek.W



Response Number 14
Name: Ladyme
Date: February 27, 2005 at 15:46:00 Pacific
Reply:

Hey guys, I've tried all the above and as soon as I close and reopen IE or reboot the Trojan start page is back again. I have a firewall, run Norton's antivirus, run SpySubtract, CWShredder, Adaware and they find the problems but as soon as I reboot it is back.



Response Number 15
Name: Derek
Date: February 27, 2005 at 16:04:20 Pacific
Reply:

Keep an eye on this later post too:

S&V Forum 15222

Derek.W

