Startpage Trojan problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tlledet, Nov 24, 2004.

  1. tlledet

    tlledet Private E-2

    Startpage Trojan HJT log

    chaslang requested I post my HJT log here. Also, have system information attachment. I hope the attachments are on this thread.
    I went through the "Read Me First..." downloads and fixes. I didn't get into "safe mode with networking support" because it wasn't an option when I went to safe mode. Ran the scans in normal mode.
    If you can't see my attached files, I'll re-send them. Thanks!
     
    Last edited: Nov 24, 2004
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Re: Startpage Trojan HJT log

    Hi, if you're already involved in a thread, reply to that and attach it, we will look at it :)
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Startpage Trojan HJT log

    MA, the request was due to a PM, so this log should be posted here.

    tlledet, we do not see your log. You have to be in Advanced Mode and click Manage Attachments. Then Browse for your log and upload it.
     
  4. tlledet

    tlledet Private E-2

    Sorry about not putting the attachments on. I lost them when I used the back arrow after I did a Preview Post. Hopefully the attached files that chaslang asked me to post here are really here. Anyway, I tried all the "Read Me first..." items with a lot of success except for the Startpage taking over my homepage browser whenever I try to use it. Please look at what I have and give me your ideas as what I should try. Thanks!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should have stayed in your original thread. I merged them together.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First look in Add/Remove programs for Windows AdControl or WinAd, if found, uninstall it.
    If that works, some of the items below will already be fixed.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    WINADCTL.EXE
    WINADALT.EXE
    EWVDJTOR.EXE
    L39XN29UXKZXC.EXE
    BTWS.EXE
    C:\WINDOWS\SYSTEM\2HP79IUJH0T.EXE

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    O4 - HKLM\..\Run: [Windows AdControl] C:\PROGRAM FILES\WINDOWS ADCONTROL\WINADCTL.EXE
    O4 - HKLM\..\Run: [FX] C:\WINDOWS\DOWNLOADED PROGRAM FILES\IELOADER.EXE
    O4 - HKLM\..\RunServices: [VidSvr]
    O4 - HKCU\..\Run: [Emphgwd] C:\WINDOWS\SYSTEM\ewvdjtor.exe
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\L39XN29UXKZXC.EXE
    O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
    O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://wdownload.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=cf3d6d5353c60b9c57a954782f56eb0cd9479ee0ea04b6bc0ce90bac83d24136f9dd061a26c7bee673eca0d57a04fbe728c2ef828f08:089f8d69b8a0dd824129ec8711ffcf53
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab

    Did you install this RecoverFromReboot program? If you did, skip the following. If not, see if there is an uninstall for it. If not, fix the next line too.
    O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\TEMP\RECOVE~1.EXE


    Boot into safe mode and use Windows Explorer to delete:
    C:\PROGRAM FILES\WINDOWS ADCONTROL <--- the whole directory if still there
    C:\WINDOWS\SYSTEM\EWVDJTOR.EXE
    C:\WINDOWS\SYSTEM\L39XN29UXKZXC.EXE
    C:\WINDOWS\SYSTEM\2HP79IUJH0T.EXE

    This next item seems suspicious to me but do not delete it yet. Let's make sure it is not needed. It may be related to your video card. Do you know anything about it?
    C:\WINDOWS\APPLICATION DATA\BTWS.EXE


    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.

    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
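
An added example, not part of the original post and not HijackThis's own logic: a small parser for the log-line format quoted above that splits each line into its section code and fields and applies a few triage heuristics to the autostart (O4) and ActiveX (O16) entries. The heuristics, the function names and the `SystemTray` sample line are assumptions made for illustration.

```python
import re

# Lines copied from the HijackThis log quoted in the post above; the
# SystemTray line is constructed here as a benign entry for contrast.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Windows AdControl] C:\PROGRAM FILES\WINDOWS ADCONTROL\WINADCTL.EXE
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\TEMP\RECOVE~1.EXE
O4 - HKCU\..\Run: [Lrrn] C:\WINDOWS\Application Data\btws.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
"""

LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4 = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Assumed triage heuristics (not HijackThis's own logic): directories where
# a legitimate autostart program rarely lives.
RISKY_DIRS = ("\\temp\\", "\\application data\\", "\\downloaded program files\\")

def parse(log):
    """Split each log line into section code, body, and per-section fields."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        e = {"section": m["sec"], "body": m["body"], "notes": []}
        o4 = O4.match(m["body"]) if m["sec"] == "O4" else None
        if o4:  # autostart entry: hive, Run key, value name, command
            e.update(o4.groupdict())
            cmd = e["cmd"].lower()
            if not cmd:
                e["notes"].append("autorun value has no command")
            e["notes"] += [f"runs from {d}" for d in RISKY_DIRS if d in cmd]
        elif m["sec"] == "O16" and "file://" in m["body"].lower():
            e["notes"].append("ActiveX install source is a local file")
        elif m["sec"] in ("R0", "R1"):  # IE start/search page setting
            e["value"] = m["body"].partition(" = ")[2]
        entries.append(e)
    return entries

def review(log):
    """Return (section, value name, note) for every entry worth a second look."""
    return [(e["section"], e.get("name", ""), n)
            for e in parse(log) for n in e["notes"]]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```

The `Windows AdControl` entry passes these path checks because it runs from `C:\PROGRAM FILES`, which is why a log like this still needs a reviewer who recognises the program names.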
     
  7. tlledet

    tlledet Private E-2

    Success! Startpage Trojan N/A GONE!

    I appreciate your patience. I make a lot of mistakes. But, I'm learning with each wrong click. The help chaslang posted was what my old beat-up computer needed.
    I've posted my latest HJT log file as requested.
    Again, thanks for helping me and all others that are looking for the light at the end of the long tunnel.

    Tommy.
     
  8. tlledet

    tlledet Private E-2

    Re: Success! Startpage Trojan N/A GONE!

    Anybody looking for computer problem solvers, this is the place. Job well done....soldier!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Success! Startpage Trojan N/A GONE!

    You're welcome. Please remember to always remain in one thread for a particular problem. I merged you back to your original thread again. Your log is clean now.
     
