How do you remove Startpage 8 AT located in C Windows system32 knqtwz dll?

Answer 1

I followed the recommendations from the answer given to: "How do you remove Trojan Horse: Startpage.8.bj in wC:\windows\system32\fiealab.dll? Posted on August 16, 2004.

I'm using Windows XP Pro SP1. HijackThis helps to identify the problematic files/keys and then you can clean/delete them. I think you'll need to clean/delete these: 1. in "regedit" those keys identified by HijackThis. 2. Remove the startpage/searchpage/default page entries that point to the "Trojan" page. These include: HKEY_CURRENT_USER\software\microsoft\internet Explorer\Main"Default_Page_URL" HKEY_CURRENT_USER\software\microsoft\internet Explorer\Main"Local Page" HKEY_CURRENT_USER\software\microsoft\internet Explorer\Main"Start Page" HKEY_LOCAL_MACHINE\software\microsoft\internet Explorer\Main"Default_Page_URL" HKEY_LOCAL_MACHINE\software\microsoft\internet Explorer\Main"Local Page" HKEY_LOCAL_MACHINE\software\microsoft\internet Explorer\Main"Start Page" HKEY_USERS\...\software\microsoft\internet Explorer\Main"Default_Page_URL" HKEY_USERS\...\software\microsoft\internet Explorer\Main"Local Page" HKEY_USERS\...\software\microsoft\internet Explorer\Main"Start Page"

3. Reset c:\windows\hosts and c:\windows\system32\drivers\etc\hosts back to just one line "127.0.0.1 localhost"

4. delete the .dll file (in my case it was called c:\windows\system32\system32.dll)

I found Windows locked the .dll file and could not be deleted. To solve this, I re-boot the machine in safe mode. I almost stuck there as I could not login to the machine without the administrator's password (it was a company PC). Likely, I've created a floppy boot disk which enable me to re-enter in normal mode and to change the administrator's password as my username has administrator privilege! Only when I'm in safe mode can I delete the .dll file. I think this is the part that causes so many trouble with other people infected with StartPage (mine was StartPage-DC).

winxp_boot_disk.exe can be downloaded from www.answersthatwork.com. I also need floppy_disk_manager.exe (from the same site) to create the floppy. Of course an up-to-date virus scan is required.

After spending almost one whole working day browsing internet for help and virus information. It seems that my computer is clean now. Hope this would help.

Well, as described above might work, but it is much easier in case you know how to do it. It took me also half a decade to find that out. You just need to run HijackThis. After a scan you can select the regedit items as listed in the post above (they'll all be identified by HijackThis as bad entries) an let the program do the cleanig for you. But the most important is to get rid of the hknqtwz].dll in the sytem32 folder which is normally "untouchable". To delete this just run HijackThis, Config-button on the lower right, then "Misc Tools" and "Delete a file on reboot". There you select that f..... hknqtwz].dll. Now you just have to reboot and voilà....it should be gone and never come back. If this file is not removed, all the regestry entries will come back. Hope I could help ;0))