Trojan startpage.FH How do I get rid of this

  erkmatrix 17:48 22 Feb 05
Locked

Just spent all afternoon round my brothers trying to get rid of this damn thing, it keeps setting his homepage to this blank page and has these popups directing him to the bogus spyware remover sites.

First off turned his system restore off and did a scan with Pandasoftware thats on his machine, it detected 10 viruses and deleted them, then rebooted only to find the thing reset him back to blank home page and still there, so then used spybot, ad-aware, hijack this, cw shredder and hijack hunter all detected things but none got rid of this as after reboot still there.

How do I get rid of this thing, He says he doesn't mind now paying for some software to get rid of this as all the free downloads of above programs don't seem to actually get rid of it.

Thanks
Phil

  JoeC 18:02 22 Feb 05
  GANDALF <|:-)> 18:04 22 Feb 05

Solution here.........click here

G

  erkmatrix 18:47 22 Feb 05

Hi Joe seen that page thanks and followed what it said but sadly the pandatsoftwares couldn't get rid of it.

Hi Gandalf how do I back up a registry and set up a restore point like it says. I don't quite understand what needs to be done from that webpage. whats the two boxes with trojan.win32.startpage.fh.exe
mean and is it the same virus as my brothers panda software came up with it as trj/startpage.FH

cheers for any advice
Phil

  VoG II 18:50 22 Feb 05

If you are unclear I suggest that you first try to remove it using a² click here

If that doesn't work, post back and we'll walk you through what to do to remove it manually.

  erkmatrix 17:40 23 Feb 05

Hi guys I told my brother to try the a² free software from the link above, sadly it didn't get rid of this damn thing, only used the free one mind should he of used the personal one with its trial for 30 days.

Please how should I start to manually get rid of it, appreciate in simple terms as I'm not really good when it comes to anything like this and fixing computers.

Thanks
Phil

  VoG II 18:47 23 Feb 05

To backup the regustry, Start, Run, type in

regedit

and click OK. File/Export to save a backup somewhere handy like the desktop. Close the registry editor using the X. In the unlikely event of things going wrong, double click the backup to restore the registry.

To start Task Manager press CTRL+ALT+DEL once only. On the Processes tab, click on

trojan.win32.startpage.fh.exe

then click the End Process button. Close Task Manager using the X.

Start, Search, and search for trojan.win32.startpage.fh.exe. Right click the file in the search results box and select Delete.

  erkmatrix 15:01 25 Feb 05

I'm at my brother now. Have tried to do what you've said VoG but when I go to Task Manager press CTRL+ALT+DEL on the Processes tab, there unfortunatly is no file trojan.win32.startpage.fh.exe

I don't know now what to do, it must be a really clever virus this and doing my head in. As I say the panda software says its called trj/startpage.FH and it does exactly what they say it does on their website as alsways on this blank page when it goes to home page and has these popups directing you to bogus virus protection sites.

Can you suggest anything else here please.

Heres the hijack this log

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {948F558A-D6F3-41AA-AE73-470EF65102D2} - C:\WINDOWS\system32\flcjb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [System Process] C:\WINDOWS\lsass.exe /i
O4 - HKLM\..\Run: [etlogonn] C:\WINDOWS\System32\etlogonn.exe
O4 - HKLM\..\Run: [cpl] C:\WINDOWS\deamon.exe /i
O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS\ssvr.exe /i
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKCU\..\Run: [SpywareGuard] C:\WINDOWS\system32\deinst_qfe001.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CF7671E-2173-48F1-8B9C-9AE90BED9D03}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CF7671E-2173-48F1-8B9C-9AE90BED9D03}: NameServer = 194.168.4.100 194.168.8.100
O18 - Filter: text/html - {90381B50-89C0-45D2-A49B-1F6638C418E4} - C:\WINDOWS\system32\flcjb.dll
O18 - Filter: text/plain - {90381B50-89C0-45D2-A49B-1F6638C418E4} - C:\WINDOWS\system32\flcjb.dll
O20 - AppInit_DLLs: c:\windows\system32\sqljhh.dll

  erkmatrix 16:53 25 Feb 05

I had a look in google to find more about this thing and came to a page in a newsgroup

click here

It seemed to say this could be the later version of this about blank virus and very hard to get rid of. I followed the instructions on the newsgroup and to actually get rid of it, was directed to

click here

Can someone please explain the instructions given here,

The first and easy step is to remove the visible DLL. Sort the C:\Windows\System32 Folder on the Column "Modified" an you will see the visible DLL on top of Windows Explorer:
C:\Windows\System32\"Visible".dll
Note that "Visible" is a name which changes each time, so your visible name is not the same as ours.
You cannot remove it using Windows Explorer, because the visible DLL is in use. But you can rename it to something like: remove_me_after_reboot. Rename the visible DLL in the CMD-shell or any other tool (e.g. Cygwin).
After rebooting your PC, delete this renamed file.

I went to explorer and in thesystem32 with date modified clicked found the first dll file from the top was actually a microsoft corporation file called wininet.dll but I didn't think it could be this as the file says copyrighted Microsoft the one after some Microsoft dll files was this flcjb.dll which didn't come up with a publisher when in properties and is also on the hijackthis log at the bottom.

Please can someone explain what the cmd shell is and how I go about deleting this file out of explorer and also explain the other instructions on the hidden file as I'm not too clued up on computers.

  Jak_1 17:14 25 Feb 05

Try CWShredder:

click here

This may help restore your homepage.

  erkmatrix 17:31 25 Feb 05

Already tried everything like that, this virus sadly looks to be very clever and tried spybot, cwshredder, A squared, trojanhunter, ad-aware and pandasoftware antivirus checker.

This thread is now locked and can not be replied to.

Surface Pro 5 News - release date, UK price, features, specs

Animator Emanuele Kabu’s psychedelic video is a stunning tribute to Lisbon city

Best Mac antivirus 2017