Sophie wrote:

> I have a friend whose computer has a virus when starting up...... I was always
> able to ask Nigel to help but now he is not around I hope someone on the list
> can help me. She has "Trojan Horse" in "Startpage.B" and cannot access her
> computer to even quarantine the virus. She does have AVG but I have a feeling
> it is not set up properly. Hope someone can help
> Soph

Try going to safe-mode. Startpage.b is the virus/trojan/spyware. I don't think it has a Trojan in it. What it does is change the start page of I.E. You should be able to go to safe-mode and run AVG. If AVG doesn't see it then run ad-aware/spybot, they will see it and get rid of it. More than likely if you have Startpage then you may have others.

As a last resort you can try removing it by hand. More instructions for ME/XP below.

*Removing Autostart Entries from the Registry*

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer
3. In the right panel, locate and delete all entries that start with the following string:
   "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/"
4. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
5. In the right panel, locate and delete all entries that start with the following string:
   "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/"
6. In the left panel, double-click the following:
   HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Search
7. In the right panel, locate and delete all entries that start with the following string:
   "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/"
8. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer
9. In the right panel, locate and delete all entries that start with the following string:
   "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/"
10. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Main
11. In the right panel, locate and delete all entries that start with the following string:
    "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/"
12. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Search
13. In the right panel, locate and delete all entries that start with the following string:
    "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/"
14. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Styles
15. In the right panel, locate and delete the entry:
    User Stylesheet
16. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Styles
17. In the right panel, locate and delete the entry:
    User Stylesheet
18. Close Registry Editor.

*NOTE:* If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

*Restoring Modified Files*

Delete or replace the following files created by the malware:

"%Windows%\Web\win.def"
"%Windows%\default.css"

Windows Millennium Edition (ME) and Windows XP have a feature known as System Restore, which creates backups of certain files in the _Restore folder. The System Restore feature usually backs up files with EXE or COM extensions, which may include infected files and malware programs. Files in the _Restore folder are protected and can only be accessed using System Restore. This feature must be disabled first before Trend Micro antivirus can access and clean these files.

The following procedure disables the System Restore feature:

*For Windows ME*

1. Right-click the My Computer icon on the Desktop and click Properties.
2. Click the Performance tab.
3. Click the File System button.
4. Click the Troubleshooting tab.
5. Select Disable System Restore.
6. Click Apply > Close > Close.
7. When prompted to restart, click Yes.
8. Press F8 while the system restarts.
9. Choose Safe Mode then hit the Enter key.
10. After your system has restarted, continue with the scan/clean process. Files under the _Restore folder can now be deleted.
11. Re-enable System Restore by clearing Disable System Restore and restarting your system normally.

*For Windows XP*

1. Log on as Administrator.
2. Right-click the My Computer icon on the desktop and click Properties.
3. Click the System Restore tab.
4. Select Turn off System Restore.
5. Click Apply > Yes > OK.
6. Continue with the scan/clean process. Files under the _Restore folder can now be deleted.
7. Re-enable System Restore by clearing Turn off System Restore.

Pc Regards,
John Durham (list moderator)
<http://modecideas.com/contact.html?sig>

Freelists login at //www.freelists.org/cgi-bin/lsg2.cgi
List archives at //www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig

Good advice is like good paint- it only works if applied.
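
The registry check in the message above, as an added example that is not part of the original post: it reads the text of a registry export (for example one saved from Regedit with Registry>Export) and lists the entries the steps say to delete. It goes slightly beyond the steps by also matching the same URL when it is written without percent-encoding; the function name and the sample export are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Prefix exactly as given in the post (percent-encoded), plus its decoded form.
ENCODED_PREFIX = "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/"
DECODED_PREFIX = unquote(ENCODED_PREFIX).lower()

# Keys named in the post, written the way a .reg export prints them.
IE = r"\Software\Microsoft\Internet Explorer"
HIVES = ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
URL_KEYS = {(h + IE + s).lower() for h in HIVES for s in ("", r"\Main", r"\Search")}
STYLE_KEYS = {(h + IE + r"\Styles").lower() for h in HIVES}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_startpage_entries(reg_text):
    """Return (key, value_name, reason) for each entry the post says to delete."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue  # skips headers, blank lines, dword/hex values
        name, data = m.group(1), m.group(2)
        if key.lower() in URL_KEYS and unquote(data).lower().startswith(DECODED_PREFIX):
            findings.append((key, name, "hijack URL"))
        elif key.lower() in STYLE_KEYS and name.lower() == "user stylesheet":
            findings.append((key, name, "user stylesheet"))
    return findings

# Constructed sample export (hypothetical value names and data, not real output).
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/?x"
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\default.css"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://acc.count-all.com/--/search"
'''

if __name__ == "__main__":
    for key, name, reason in find_startpage_entries(SAMPLE):
        print(f"{reason}: [{key}] {name}")
```

Windows XP saves exports as UTF-16 by default, so open the file with encoding="utf-16" before passing its text in; the script only reports and changes nothing.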