How do you remove Trojan StartPage.RA

Question

my system is infeced with a trojan StartPage.RA

My antivirus detects and cleans it but the moment u run either Internet explorer or windows explore or restar the computer a temperory file in Windows\Temp\sp.dll is crated and this file is the source for further problems

i have tried all things i know including deleting registries and ckecking after disabling the System Restore

but when u restart its back

it changes the homepage in the explorer and does not allow the some websites to be viewed

i am using Bullguard 4.5 as my antivirus and Noadware as my spyware

plse help

[email protected]

Answer

This question was answered on April 19, 2005. Much of the information contained herein may have changed since posting.

Please print this page and follow step by step.

Because you are running Windows Me I recommend that you temporarily disable System Restore (which Ive noted that youve done previously)

A Click Start > Settings > Control Panel

B Double-click the System icon (If the System icon is not visible, click "View all Control Panel options" to display it).

C On the Performance tab click File System.

D Click the Troubleshooting tab, and then check Disable System Restore.

E Click OK

F Click Yes, when you are prompted to restart Windows When the computer restarts, the data store is purged and the System Restore feature begins monitoring the system again.

Next update your virus definitions:

A Connecting to the internet

B Then check for updates by double-clicking the BullGuard icon in your system-tray.

C Click the "Check & Update" button.

If no update is found then the BullGuard is up-to-date message will appear, this means that you are fully up to date.

If an update is found, it is displayed in the window and you should click "Update" The download will begin.

Next restart the computer in Safe mode by:

A Restarting your PC and pressing F8 a couple of times just after the memory test at boot up

B A Windows Start Up menu appears

C Select SAFE MODE then press OK

Run a full system scan and delete all the files detected as Trojan horse To make a complete scan with BullGuard, you need to shut down all open programs Especially your email-client (i.e Outlook, Outlook Express or Eudora) is important to shut down.

A Double-click the BullGuard icon in your system-tray,

B Next click the anti-virus section and then click the Scan tab.

C Click the big "Scan now" button and BullGuard will start the scanning of your computer using the standard settings, which are sufficient Depending on the size of your hard drive this may take a while.

D While scanning, BullGuard will show you its progress and alert you if any viruses are found.

E Once the scanning is complete, BullGuard will create a report of what it found.

F If BullGuard finds viruses present, it will list these and try to remove them automatically If this is the case, follow the on-screen instructions.

Delete any values that were added to the registry

A Click Start > Run

B Type regedit

C Then click OK

D Navigate to the subkey:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

E In the right pane, delete the values:

"ALG32" = "%Sytem%\AG32.EXE"

"SPOOLSVU" = "%Sytem%\SOOLSVU.EXE"

F Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTASS.HTDP

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTASS.HTDP.1

G In the right pane, delete the value:

"(Default)" = "HTDP Class"

H Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4677FF8F-7740-4A9C-9F5E-E93794A86E85}\1.0\0\win32

I In the right pane, delete the value:

"(Default)" = "%Widir%\hass.dll"

J Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTASS.HTDP\CurVer

K In the right pane, delete the value:

"(Default)" = "HTASS.HTDP.1"

L Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}\TypeLib

M In the right pane, delete the value:

"(Default)" = "{4677FF8F-7740-4a9c-9F5E-E93794A86E85}"

N Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}\VersionIndependentProgID

O In the right pane, delete the value:

"(Default)" = "HTASS.HTDP"

P Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTASS.HTDP\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTASS.HTDP.1\CLSID

Q In the right pane, delete the value:

"(Default)" = "{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}"

R Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4677FF8F-7740-4A9C-9F5E-E93794A86E85}\1.0

S In the right pane, delete the value:

"(Default)" = "HTASS 1.0 Type Library"

T Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4677FF8F-7740-4A9C-9F5E-E93794A86E85}\1.0\FLAGS

U In the right pane, delete the value:

"(Default)" = "0"

V Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4677FF8F-7740-4A9C-9F5E-E93794A86E85}\1.0\HELPDIR

W In the right pane, delete the value:

"(Default)" = "%Widir%&qot;

X Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

Y In the right pane, delete the values:

"MSMsgSvc" = ""

"SEHLPstp" = ""

"WTLBAstp" = ""

Z Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

AA In the right pane, delete the value:

"{9E6EC32A-7C19-4409-99E8-FC980BCDAF26}" = ""

AB Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}

AC In the right pane, delete the value:

"(Default)" = "IDOMPeek"

AD Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}\ProxyStubClsid32

AE In the right pane, delete the value:

"(Default)" = "{00020424-0000-0000-C000-000000000046}"

AF Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0B6EF17E-18E5-4449-86EA-64C82D596EAE}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}\TypeLib

AG In the right pane, delete the values:

"(Default)" = "{4677FF8F-7740-4A9C-9F5E-E93794A86E85}"

"Version" = "1.0"

AH Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B1E68D42-02C4-465B-8368-5ED9B732E22D}

AI In the right pane, delete the value:

"(Default)" = "IDocEventHandler"

AJ Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

AK In the right pane, delete the values:

"HTAssADutid" = "0x4134CCF1"

"HTAssutid" = "0x4134CFCB"

"HTAssittid" = "0x4134CD73"

"HTAssistid" = "0x4134CD73"

"HTAssiftid" = "0x4134CE3B"

"HTAssID" = "0x989681"

"HTAssBnxt" = "0x4134DFCF"

AL Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HTAssLib

AM In the right pane, delete the values:

"DisplayName" = "HTAss Library"

"UninstallString" = "%Widir%\HASSUI.exe"

AN Navigate to the subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

AO In the right pane, delete the value:

"Start Page" = "http:/ /default.home"

AP Exit the Registry Editor.

Remove any references to the infected files, which the Trojan added to the Win.ini and System.ini files The file-protection process may have made a backup copy of the

Win.ini and System.ini files that you need to edit If these backup copies exist, they will be in the C:\Windows\Recent folder I recommends that you delete these files by:

A Starting Windows Explorer

B Browse to and select the C:\Windows\Recent folder

C In the right pane, select the Win.ini file and the System.ini files, and then delete them Windows will regenerate them.

D Next click Start > Run

E Type: edit c:\windows\win.ini

F Click OK

G The MS-DOS Editor opens.

(If Windows is installed in a different location, make the appropriate path substitution.The following steps instruct you to remove the text from the load= and run= lines of

the Win.ini file The Trojan may have added lines, such as load=c:\windows\temp\pkg2350.exe or run=hpfsched <blank spaces> msrexe.exe.

If you are sure that the text contained in these lines is for the programs that you normally use, then DO NOT remove it If you are not sure, but the text does not refer to the file names you previously noted, then you can prevent the lines from loading by placing a semicolon (;) in the first character position of the line)

H Locate the load= line within the [windows] section of the Win.ini file; it is usually located near the top of the file

I Position the cursor immediately to the right of the equal (=) sign.

J Press Shift End to select all the text to the right of the equal sign, and then press Delete.

K Repeat steps E and F for the run= line, which is usually beneath the load= line.

L Click Start > Run.

M Type the following: edit c:\windows\system.ini

N Click OK

O In the [boot] section, which is usually located near the top of the file, find the line that begins with shell=explorer.exe.

P Position the cursor immediately to the right of explorer.exe.

Q Press Shift End to select all the text to the right of explorer.exe, and then press Delete (When you are finished, the line should look like this: shell=explorer.exe)

R Click File > Exit > Yes (click Yes when you are prompted to save the changes).

Clear the Temporary Internet Files:

A Restart the computer in Normal mode.

B Start Internet Explorer

C Click Tools > Internet Options

D In the Temporary Internet Files section, click the Delete Files button

E Check Delete all offline content.

F Click OK.

Reset the Internet Explorer home page:

A Start Microsoft Internet Explorer

B Connect to the Internet, and then go to the page that you want to set as your home page

C Click Tools > Internet Options

D In the Home page section of the General tab, click Use Current > OK.

When all instructions have been completed, restart your PC in Normal mode and enable System Restore again by following the instructions below:

A Click Start > Settings > Control Panel

B Double-click System

C On the Performance tab click File System

D On the Troubleshooting tab, uncheck Disable System Restore

E Click OK Click Yes, when you are prompted to restart Windows.

Need Help with this Issue?

We help people with technology! It's what we do.
Schedule an Appointment with a location for help!

Author

Posted by Kisha of Katharine Gibbs School - New York on April 19, 2005