
How to remove Trojan.VBS.StartPage.BK



THREAT NAME

Trojan.VBS.StartPage.BK

 

 

CLEAN INSTRUCTIONS

1. Restart the system in Safe Mode.


2. Go to Start > Run, type regedit and press OK.


3. Search the registry for the value LIDO44.FILE and delete any key that has a reference to it.


After that, locate and delete the following registry keys:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SAmail
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\SAmail
HKEY_LOCAL_MACHINE\shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr


4. Navigate to the following registry key:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\


Modify the following keys to their default values. They should appear similar to the ones below:


Cache
C:\Documents and Settings\User\Local Settings\Temporary Internet Files

Cd Burning
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\CD Burning

Favorites
C:\Documents and Settings\User\Favorites

History
C:\Documents and Settings\User\Local Settings\History

My Music
C:\Documents and Settings\User\My Documents\My Music

My Pictures
C:\Documents and Settings\User\My Documents\My Pictures

My Video
C:\Documents and Settings\User\My Documents\My Video

Personal
C:\Documents and Settings\User\My Documents

Programs
C:\Documents and Settings\User\Start Menu\Programs

Start Menu
C:\Documents and Settings\User\Start Menu

Note: User stands for your Windows logon username.

 

5. Navigate to the following registry key:


HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page


and modify it to reflect the desired web page that you want to appear when you open Internet Explorer.

 

6. Set the value of the following registry keys to 0:


HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_USERS\.DEFAULT\Control Panel\Mouse\SwapMouseButtons

 

7. Set the value of the following registry keys to h:mm:ss tt or to your desired value:


HKEY_CURRENT_USER\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat

 

8. Modify the following registry key value to 7:


HKEY_CURRENT_USER\Console\ScreenColors


9. Modify the following registry key value to 0:


HKEY_CURRENT_USER\Console\FullScreen


10. Modify the following registry key value to explorer.exe:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

 

11. Delete the following files:


C:\www.MacDonald.com-index.htm
C:\Windows\System32\user44.ico
C:\Windows\System32\snd44.gif
C:\Windows\System32\Vbscr.xml

 

12. Run a full system scan with BullGuard.
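
A read-only check of the registry values and files named in steps 3, 6 and 8 to 11, added here as an example and not part of BullGuard's instructions. It assumes the last segment of each registry path above is a value name under the preceding key; the function name Test-RegistryIndicator is hypothetical.

```powershell
# Read-only audit of indicators listed in the cleaning steps; it changes nothing.
# Assumption: the last segment of each registry path on the page is a value name.
# Run as the affected user (HKCU is per-user) in a 64-bit session, because a
# 32-bit session on 64-bit Windows is redirected away from System32.
$checks = @(
    # Expected = $null means the value should no longer exist (step 3)
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'SAmail'; Expected = $null },
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'SAmail'; Expected = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Expected = $null },
    # Steps 6, 8, 9 and 10: values that must hold a specific setting
    @{ Key = 'HKCU:\Control Panel\Mouse'; Name = 'SwapMouseButtons'; Expected = '0' },
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Mouse'; Name = 'SwapMouseButtons'; Expected = '0' },
    @{ Key = 'HKCU:\Console'; Name = 'ScreenColors'; Expected = '7' },
    @{ Key = 'HKCU:\Console'; Name = 'FullScreen'; Expected = '0' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'shell'; Expected = 'explorer.exe' }
)

function Test-RegistryIndicator {   # hypothetical helper name
    param([hashtable]$Check)
    # A missing key or missing value both come back as $null here
    $item   = Get-ItemProperty -LiteralPath $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { [string]$item.($Check.Name) } else { '(absent)' }
    $wanted = if ($null -eq $Check.Expected) { '(absent)' } else { $Check.Expected }
    [pscustomobject]@{
        Location = "$($Check.Key)\$($Check.Name)"
        Actual   = $actual
        Expected = $wanted
        Ok       = $actual -eq $wanted   # string comparison, case-insensitive
    }
}

# Step 11: files that should be gone after cleaning
$files = 'C:\www.MacDonald.com-index.htm', 'C:\Windows\System32\user44.ico',
         'C:\Windows\System32\snd44.gif', 'C:\Windows\System32\Vbscr.xml'

$results  = @($checks | ForEach-Object { Test-RegistryIndicator $_ })
$results += foreach ($f in $files) {
    $state = if (Test-Path -LiteralPath $f) { 'present' } else { '(absent)' }
    [pscustomobject]@{ Location = $f; Actual = $state; Expected = '(absent)'; Ok = $state -eq '(absent)' }
}

# Rows with Ok = False sort first and still need attention
$results | Sort-Object Ok | Format-Table -AutoSize -Wrap
```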

 

 

SYMPTOMS

1. Computer slowdown.


2. A fake message appears, telling you that an email has been received and copied to the Desktop.

 

3. Disabled Task Manager, swapped mouse buttons, multiple icons on the Desktop, multiple windows of Freecell and Minesweeper opened.

 

DESCRIPTION

1. When run, it displays a fake message telling the user that he/she received an email from a girl and that it was copied to the Desktop. It is in fact just an .html file. The content of the file is written in French and refers to a meeting. The email address, the day of the meeting and the phone number are randomly selected.

Below is an example of a message:


Form : Sarah_icqGroup@...

Notre rendez-vous sera aprés 4 jours (dimanche) - appelle-moi apres 7 heures de l'apres-midi.

Tel: +216 22 637 [blocked] - C'est urgent

The name of the girl can be one of the following:


Sarah_icqGroup, imen_nannou, ahlem_3ishk, amina_kissme, amel_sousse, sana_hammamet, molka_nabeul, noura_sfax, amani_staracademy, sandra_algerie, madiha_ariana, sonia_malhat_manar2


2. After that, it can do the following:

- Change the Internet Explorer start page.

- Swap mouse buttons.

- Change the desktop settings and the wallpaper.

- Change console settings.

- Change the time format.

- Change the value of some of the shell folders.

- Add many .html files to the Desktop.

- Disable the Task Manager.

- Search for .htm and .html files to infect. It checks whether the file is already infected and, if it isn't, adds itself to the beginning of the file.

- Search for files with the following extensions: .mp3 .mpg .doc .xls .jpg

If it finds one, then the trojan will create a copy of itself with the name of the file and the .vbs extension.

It may open applications like Freecell, Minesweeper and Internet Explorer multiple times.

Author:
The BullGuard Team


