How to remove Trojan.VBS.StartPage.BK






1. Restart the system in Safe Mode.

2. Go to Start, Run, type regedit and press OK.

3. Search the registry for the value LIDO44.FILE and delete any key that has a reference to it.

After that, locate and delete the following registry keys:


4. Navigate to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\

Modify the following keys to their default values. They should appear similar to the ones below:

C:\Documents and Settings\User\Local Settings\Temporary Internet Files

Cd Burning
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\CD Burning

C:\Documents and Settings\User\Favorites

C:\Documents and Settings\User\Local Settings\History

My Music
C:\Documents and Settings\User\My Documents\My Music

My Pictures
C:\Documents and Settings\User\My Documents\My Pictures

My Video
C:\Documents and Settings\User\My Documents\My Video

C:\Documents and Settings\User\My Documents

C:\Documents and Settings\User\Start Menu\Programs

Start Menu
C:\Documents and Settings\User\Start Menu

Note: User stands for your Windows logon username.


5. Navigate to the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

and modify it to reflect the desired web page that you want to appear when you open Internet Explorer.


6. Modify the value of the following registry keys to 0:

HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_USERS\.DEFAULT\Control Panel\Mouse\SwapMouseButtons


7. Modify the value of the following registry keys to h:mm:ss tt or to your desired value:

HKEY_CURRENT_USER\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat


8. Modify the following registry key value to 7:


9. Modify the following registry key value to 0:


10. Modify the following registry key value to explorer.exe:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell


11. Delete the following files:



12. Run a full system scan with BullGuard.




1. Computer slowdown.

2. A fake message appears, telling you that an email has been received and copied to the Desktop.


3. Disabled Task Manager, swapped mouse buttons, multiple icons on the Desktop, multiple windows of Freecell and Minesweeper opened.



1. When run, it will display a fake message telling the user that he/she received an email from a girl and that it was copied to the Desktop. It is in fact just an .html file. The content of the file is written in French and refers to a meeting. The email address, the day of the meeting and the phone number are randomly selected.

Below is an example of a message:

Form : Sarah_icqGroup@...

Notre rendez-vous sera aprés 4 jours (dimanche) - appelle-moi apres 7 heures de l'apres-midi.

Tel: +216 22 637 [blocked] - C'est urgent

The name of the girl can be one of the following:

Sarah_icqGroup, imen_nannou, ahlem_3ishk, amina_kissme, amel_sousse, sana_hammamet, molka_nabeul, noura_sfax, amani_staracademy, sandra_algerie, madiha_ariana, sonia_malhat_manar2

2. After that, it can do the following:

- Change the Internet Explorer start page.

- Swap mouse buttons.

- Change the desktop settings and the wallpaper.

- Change console settings.

- Change the time format.

- Change the value of some of the shell folders.

- Add many .html files to the Desktop.

- Disable the Task Manager.

- Search for .htm and .html files to infect. It checks whether the file is already infected and, if it isn't, adds itself to the beginning of the file.

- Search for files with the following extensions: .mp3 .mpg .doc .xls .jpg

If it finds one, then the trojan will create a copy of itself with the name of the file and the .vbs extension.

It may open applications like Freecell, Minesweeper and Internet Explorer multiple times.
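
The companion-copy behaviour described above can be hunted for on a suspect profile or a mounted disk image. The following is an added example, not BullGuard's code: it lists .vbs files that sit beside a same-named .mp3/.mpg/.doc/.xls/.jpg file and groups them by SHA-256, since copies of one script hash identically. The function names and the two naming forms checked (song.vbs and song.mp3.vbs) are assumptions.

```python
import hashlib
import os
from collections import defaultdict

# Extensions the page lists as targets for companion copies.
TARGET_EXTS = {".mp3", ".mpg", ".doc", ".xls", ".jpg"}


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_companions(root):
    """Map SHA-256 -> [(vbs_path, target_path)] for .vbs files named after a
    neighbouring target file. Assumption: the copy may be named song.vbs or
    song.mp3.vbs, so both forms are checked."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare in lower case.
        by_lower = {name.lower(): name for name in files}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in TARGET_EXTS:
                continue
            for candidate in (stem + ".vbs", name + ".vbs"):
                match = by_lower.get(candidate.lower())
                if match:
                    vbs_path = os.path.join(dirpath, match)
                    groups[sha256_of(vbs_path)].append(
                        (vbs_path, os.path.join(dirpath, name)))
    return dict(groups)


def report(root):
    """Largest groups first: many identical companions is the stronger signal."""
    return sorted(find_companions(root).items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    import sys
    for digest, pairs in report(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{digest}  {len(pairs)} companion(s)")
        for vbs_path, target in pairs:
            print(f"    {vbs_path}  <-  {target}")
```

A single .vbs beside a document can be legitimate; the same hash repeated beside many unrelated media and office files is what matches the behaviour listed here.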

The BullGuard Team