How to remove "TROJAN..STARTPAGE-FJ" on McAfee - Friend Needs Help

How do you remove this trojan???

Click on the link in my signature and follow the steps as explained on that page to clean your system. This method is for ALL malware.

Eddy, I told her to download HijackThis, and here’s the log:

Logfile of HijackThis v1.98.2
Scan saved at 11:03:31 AM, on 11/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\SYSTEM\MSOFFICE\SERVICES.EXE
C:\WINDOWS\TEMP\OAJ13E.EXE
C:\WINDOWS\SYSTEM\HOTPLUG5.EXE
C:\WINDOWS\SYSTEM\MKKGJN.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\PROGRAM FILES\YAHOO!\YUM\YUM.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://msaps.dll/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msaps.dll/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = res://msaps.dll/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\SYSTEM\VTLBAR1.DLL
O2 - BHO: (no name) - {1FFA3C0A-B515-7CB5-8753-60550DF32F40} - C:\WINDOWS\SYSTEM\MSNADOUM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-76746C56544C} - C:\WINDOWS\SYSTEM\VTLBAR1.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM..\Run: [tapisys] C:\WINDOWS\System32\tss.exe
O4 - HKLM..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
O4 - HKLM..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM..\Run: [MSOffice] C:\WINDOWS\SYSTEM\MSOFFICE\SERVICES.EXE
O4 - HKLM..\Run: [OAJ13E] C:\WINDOWS\TEMP\OAJ13E.EXE
O4 - HKLM..\Run: [a085f9697a35] C:\WINDOWS\SYSTEM\HOTPLUG5.exe
O4 - HKLM..\Run: [4MPC2PE5SHSACM] C:\WINDOWS\SYSTEM\Ylot4R.exe
O4 - HKLM..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU..\Run: [Krjvowrg] C:\WINDOWS\SYSTEM\mkkgjn.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.sp2fucked.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.50/Java/cfsn31235.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/272128db4a11aa2d9a14/netzip/RdxIE601.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

Let her follow the steps on that webpage I gave you. That system is loaded with malware!

This is what my HJT log analyzer came up with already, and there may be even more.


CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using the latest version of HijackThis.
Old version of Internet Explorer detected, please update.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\windows\system\msoffice\services.exe
\windows\temp\oaj13e.exe
\windows\system\hotplug5.exe
\windows\system\mkkgjn.exe
r1 - hkcu\software\microsoft\internet explorer\main,search bar = file://c:\windows\system\searchbar.htm
r1 - hklm\software\microsoft\internet explorer\main,default_page_url = res://msaps.dll/index.html
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = res://msaps.dll/search.html
r0 - hklm\software\microsoft\internet explorer\main,start page = http://www.coolsearch.biz/
r1 - hkcu\software\microsoft\internet explorer\searchurl,(default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
r0 - hkcu\software\microsoft\internet explorer\main,local page = res://msaps.dll/index.html
r1 - hkcu\software\microsoft\internet explorer\main,start page_bak = res://msaps.dll/index.html
o2 - bho: tubby - {9eac0102-5e61-2312-bc2d-76746c56544c} - c:\windows\system\vtlbar1.dll
o2 - bho: (no name) - {1ffa3c0a-b515-7cb5-8753-60550df32f40} - c:\windows\system\msnadoum.dll
o3 - toolbar: search toolbar - {9eac0102-5e61-2312-bc2d-76746c56544c} - c:\windows\system\vtlbar1.dll
o4 - hklm..\run: [tapisys] c:\windows\system32\tss.exe
o4 - hklm..\run: [msoffice] c:\windows\system\msoffice\services.exe
o4 - hklm..\run: [oaj13e] c:\windows\temp\oaj13e.exe
o4 - hklm..\run: [a085f9697a35] c:\windows\system\hotplug5.exe
o4 - hklm..\run: [4mpc2pe5shsacm] c:\windows\system\ylot4r.exe
o4 - hkcu..\run: [krjvowrg] c:\windows\system\mkkgjn.exe
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra 'tools' menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra button: (no name) - {120e090d-9136-4b78-8258-f0b44b4bd2ac} - c:\windows\system\maxspeed.exe
o9 - extra 'tools' menuitem: maxspeed - {120e090d-9136-4b78-8258-f0b44b4bd2ac} - c:\windows\system\maxspeed.exe
o15 - trusted zone: *.iframe.biz
o15 - trusted zone: *.newiframe.biz
o15 - trusted zone: *.pizdato.biz
o15 - trusted zone: *.vse-moe.biz
o15 - trusted zone: *.sp2fucked.biz
o15 - trusted zone: *.sp2admin.biz
o15 - trusted zone: *.clickspring.net
o15 - trusted zone: *.mt-download.com
o15 - trusted zone: *.slotch.com
o15 - trusted zone: *.windupdates.com
o15 - trusted zone: *.c4tdownload.com
o15 - trusted zone: *.xxxtoolbar.com
o15 - trusted zone: *.ysbweb.com
o15 - trusted zone: *.overpro.com
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
o16 - dpf: {f58e1cef-a068-4c15-ba5e-587caf3ee8c6} (msn chat control 4.5) - http://chat.msn.com/bin/msnchat45.cab
o16 - dpf: chatspace full java client 3.1.0.235n - http://205.177.13.50/java/cfsn31235.cab
o16 - dpf: {56336bcb-3d8a-11d6-a00b-0050da18de71} - http://software-dl.real.com/272128db4a11aa2d9a14/netzip/rdxie601.cab
o16 - dpf: {1d0d9077-3798-49bb-9058-393499174d5d} - file://c:\counter.cab
o16 - dpf: {b8be5e93-a60c-4d26-a2dc-220313175592} (zoneintro class) - http://zone.msn.com/binframework/v10/zintro.cab27513.cab
o16 - dpf: {386a771c-e96a-421f-8ba7-32f1b706892f} (installer class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
o16 - dpf: {4f1e5b1a-2a80-42ca-8532-2d05cb959537} (msn photo upload tool) - http://by12fd.bay12.hotmail.msn.com/resources/msnpupld.cab
o16 - dpf: {ff65677a-8977-48ca-916a-dff81b037df3} - http://download.overpro.com/wildapp.cab


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hklm..\run: [tkbellexe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot