THREAT NAME
Trojan.VBS.StartPage.BK
CLEAN INSTRUCTIONS
1. Restart the system in Safe Mode.
2. Go to Start > Run, type regedit and press OK.
3. Search the registry for the value LIDO44.FILE and delete any key that has a reference to it.
After that, locate and delete the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SAmail
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\SAmail
HKEY_LOCAL_MACHINE\shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
4. Navigate to the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
Modify the following keys to their default values. They should appear similar to the ones below:
Cache: C:\Documents and Settings\User\Local Settings\Temporary Internet Files
Cd Burning: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\CD Burning
Favorites: C:\Documents and Settings\User\Favorites
History: C:\Documents and Settings\User\Local Settings\History
My Music: C:\Documents and Settings\User\My Documents\My Music
My Pictures: C:\Documents and Settings\User\My Documents\My Pictures
My Video: C:\Documents and Settings\User\My Documents\My Video
Personal: C:\Documents and Settings\User\My Documents
Programs: C:\Documents and Settings\User\Start Menu\Programs
Start Menu: C:\Documents and Settings\User\Start Menu
Note: User stands for your Windows logon username.
5. Navigate to the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
and modify it to reflect the desired web page that you want to appear when you open Internet Explorer.
6. Modify the following registry values to 0:
HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_USERS\.DEFAULT\Control Panel\Mouse\SwapMouseButtons
7. Modify the following registry values to h:mm:ss tt or to your desired value:
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
8. Modify the following registry key value to 7:
HKEY_CURRENT_USER\Console\ScreenColors
9. Modify the following registry key value to 0:
HKEY_CURRENT_USER\Console\FullScreen
10. Modify the following registry key value to explorer.exe:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
11. Delete the following files:
C:\www.MacDonald.com-index.htm
C:\Windows\System32\user44.ico
C:\Windows\System32\snd44.gif
C:\Windows\System32\Vbscr.xml
12. Run a full system scan with BullGuard.
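The following PowerShell script is added here and is not part of BullGuard's writeup or tooling. It performs a read-only audit of the registry values and dropped files named in the steps above, using the default values given in steps 6 to 10 as the baseline; it reports deviations but changes nothing, so it can be run before and after the manual clean-up to confirm the indicators are gone.

```powershell
# Added example (not BullGuard's code): read-only audit of the indicators listed in the
# clean instructions. Run from an elevated PowerShell; nothing is modified or deleted.
$checks = @(
    # Expected = $null means the value should not exist at all on a clean system
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';                    Name='SAmail';           Expected=$null },
    @{ Path='Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'; Name='SAmail';      Expected=$null },
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name='DisableTaskMgr';   Expected=$null },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';            Name='Shell';            Expected='explorer.exe' },
    @{ Path='HKCU:\Control Panel\Mouse';                                              Name='SwapMouseButtons'; Expected='0' },
    @{ Path='Registry::HKEY_USERS\.DEFAULT\Control Panel\Mouse';                      Name='SwapMouseButtons'; Expected='0' },
    @{ Path='HKCU:\Control Panel\International';                                      Name='sTimeFormat';      Expected='h:mm:ss tt' },
    @{ Path='HKCU:\Console';                                                          Name='ScreenColors';     Expected=7 },
    @{ Path='HKCU:\Console';                                                          Name='FullScreen';       Expected=0 }
)

$findings = @()
foreach ($c in $checks) {
    # Get-ItemProperty returns $null (no error) when the key or value is absent
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    if ($null -eq $c.Expected) {
        if ($null -ne $actual) { $findings += "Unexpected value present: $($c.Path)\$($c.Name) = '$actual'" }
    } elseif ("$actual" -ne "$($c.Expected)") {
        # String comparison so REG_SZ '0' and REG_DWORD 0 are treated alike
        $findings += "Changed: $($c.Path)\$($c.Name) = '$actual' (expected '$($c.Expected)')"
    }
}

# Dropped files from step 11 (System32 path taken from the current system root)
$files = 'C:\www.MacDonald.com-index.htm',
         "$env:SystemRoot\System32\user44.ico",
         "$env:SystemRoot\System32\snd44.gif",
         "$env:SystemRoot\System32\Vbscr.xml"
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

# The IE start page (step 5) is only displayed, since the correct value is the user's choice
$startPage = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Start Page'
Write-Host "IE Start Page: $startPage"

if ($findings.Count -eq 0) { Write-Host 'No indicators from this writeup were found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Values are read for the current user and for .DEFAULT only; to audit other logged-off profiles, load their hives under HKEY_USERS first.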
SYMPTOMS
1. Computer slowdown.
2. A fake message appears, telling you that an email has been received and copied to the Desktop.
3. Disabled Task Manager, swapped mouse buttons, multiple icons on the Desktop, and multiple windows of Freecell
and Minesweeper opened.
DESCRIPTION
1. When run, it displays a fake message telling the user that he/she received an email from a girl and that
it was copied to the Desktop. The "email" is in fact just an .html file. The contents of the file are written in French and refer to a
meeting. The email address, the day of the meeting and the phone number are randomly selected.
Below is an example of a message:
Form : Sarah_icqGroup@...
Notre rendez-vous sera aprés 4 jours (dimanche) - appelle-moi apres 7 heures de l'apres-midi.
Tel: +216 22 637 [blocked] - C'est urgent
The name of the girl can be one of the following:
Sarah_icqGroup, imen_nannou, ahlem_3ishk, amina_kissme, amel_sousse, sana_hammamet, molka_nabeul,
noura_sfax, amani_staracademy, sandra_algerie, madiha_ariana, sonia_malhat_manar2
2. After that, it can do the following:
- Change the Internet Explorer start page.
- Swap mouse buttons.
- Change the desktop settings and the wallpaper.
- Change console settings.
- Change the time format.
- Change the value of some of the shell folders.
- Add many .html files to the Desktop.
- Disable the Task Manager.
- Search for .htm and .html files to infect. It checks whether the file is already infected and, if it isn't, adds itself
to the beginning of the file.
- Search for files with the following extensions: .mp3 .mpg .doc .xls .jpg
If it finds one, then the trojan will create a copy of itself with the name of the file and the .vbs extension.
It may open applications like Freecell, Minesweeper and Internet Explorer multiple times.
Author:
The BullGuard Team