[pchelpers] Re: Virus on starting up

  • From: PcCowboy <saddle@xxxxxxxxxxxxxxxxxxx>
  • To: pchelpers@xxxxxxxxxxxxx
  • Date: Sun, 11 Jan 2004 07:26:47 -0600

Sophie wrote:

>I have a friend whose computer has a virus when starting up...... I was always 
>able to ask Nigel to help, but now he is not around I hope someone on the list 
>can help me.  She has "Trojan Horse" in "Startpage.B" and cannot access her 
>computer to even quarantine the virus.  She does have AVG but I have a feeling 
>it is not set up properly.  Hope someone can help
>Soph
>
Try going to safe-mode.
Startpage.B is the virus/trojan/spyware. I don't think it has a Trojan 
in it. What it does is change the start page of I.E.
You should be able to go to safe-mode and run AVG. If AVG doesn't see it, 
then run Ad-Aware/Spybot; they will see it and get rid of it. More than 
likely, if you have Startpage then you may have others.

As a last resort you can try removing it by hand. More instructions for 
ME/XP below.


*Removing Autostart Entries from the Registry*

Removing autostart entries from the registry prevents the malware from 
executing during startup.

   1. Open Registry Editor. To do this, click Start>Run, type Regedit,
      then press Enter.
   2. In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer
   3. In the right panel, locate and delete all entries that start with
      the following string:
      "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/";
   4. In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main
   5. In the right panel, locate and delete all entries that start with
      the following string:
      "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/";
   6. In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Search
   7. In the right panel, locate and delete all entries that start with
      the following string:
      "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/";
   8. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer
   9. In the right panel, locate and delete all entries that start with
      the following string:
      "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/";
  10. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Main
  11. In the right panel, locate and delete all entries that start with
      the following string:
      "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/";
  12. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Search
  13. In the right panel, locate and delete all entries that start with
      the following string:
      "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/";
  14. In the left panel, double-click the following:
      HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Styles
  15. In the right panel, locate and delete the entry:
      User Stylesheet
  16. In the left panel, double-click the following:
      HKEY_LOCAL_MACHINE>Software>Microsoft>Internet Explorer>Styles
  17. In the right panel, locate and delete the entry:
      User Stylesheet
  18. Close Registry Editor.

*NOTE:* If you were not able to terminate the malware process from 
memory as described in the previous procedure, restart your system.

*Restoring Modified Files*

Delete or replace the following files created by the malware:
"%Windows%\Web\win.def"
"%Windows%\default.css"

Windows Millennium Edition (ME) and Windows XP have a feature known as 
System Restore, which creates backups of certain files in the _Restore 
folder. The System Restore feature usually backs up files with EXE or 
COM extensions, which may include infected files and malware programs. 
Files in the _Restore folder are protected and can only be accessed 
using System Restore. This feature must be disabled first before Trend 
Micro antivirus can access and clean these files.

The following procedure disables the System Restore feature:

*For Windows ME*

   1. Right-click the My Computer icon on the Desktop and click Properties.
   2. Click the Performance tab.
   3. Click the File System button.
   4. Click the Troubleshooting tab.
   5. Select Disable System Restore.
   6. Click Apply > Close > Close.
   7. When prompted to restart, click Yes.
   8. Press F8 while the system restarts.
   9. Choose Safe Mode then hit the Enter key.
  10. After your system has restarted, continue with the scan/clean
      process. Files under the _Restore folder can now be deleted.
  11. Re-enable System Restore by clearing Disable System Restore and
      restarting your system normally.

*For Windows XP*

   1. Log on as Administrator.
   2. Right-click the My Computer icon on the desktop and click Properties.
   3. Click the System Restore tab.
   4. Select Turn off System Restore.
   5. Click Apply > Yes > OK.
   6. Continue with the scan/clean process. Files under the _Restore
      folder can now be deleted.
   7. Re-enable System Restore by clearing Turn off System Restore.

Pc

Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at //www.freelists.org/cgi-bin/lsg2.cgi
List archives at //www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Good advice is like good paint- it only works if applied.
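Added example, not part of the post above or of the pasted removal notes: the %XX string quoted in the registry steps is ordinary URL percent-encoding, so a short script can decode it (it comes out as http://acc.count-all.com/--/) and then check an export of the listed Internet Explorer keys for values that start with it, whether the malware wrote the encoded or the plain form. The script assumes you export the keys first from safe mode with regedit /e (for example `regedit /e ie.reg "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"`, which also serves as your backup), reads the export, and writes a second .reg file that deletes only the flagged values, using regedit's `"Name"=-` delete syntax, so you can review it before importing. The sample export embedded in the script is constructed for the demonstration, not taken from a real machine; the value names (Start Page, Default_Page_URL, User Stylesheet) are the standard IE ones. Windows XP writes exports as UTF-16 (open them with encoding="utf-16"); Windows ME writes ANSI text with a REGEDIT4 header, and both are accepted.

```python
"""Triage helper for the Startpage.B registry steps: scan a regedit export,
decode the percent-encoded hijack URL, and emit a .reg that deletes the hits."""
import re
from urllib.parse import unquote

# Percent-encoded prefix quoted in the removal steps (from the post above).
ENCODED_PREFIX = "http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/"

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# "Name"=data  or  @=data (the key's default value); data is examined separately.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def decode_prefix(encoded=ENCODED_PREFIX):
    """%XX is plain URL percent-encoding; decoding shows the real host behind it."""
    return unquote(encoded)


def _unescape(s):
    # .reg files write backslash as \\ and double quote as \" inside strings.
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s):
    return re.sub(r'(["\\])', r"\\\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for REG_SZ values in a regedit /e export.
    dword:/hex: data and hex continuation lines are skipped; [-Key] lines are
    deletions and carry no values."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = None if m.group(1) == "-" else m.group(2)
            continue
        m = _VALUE_RE.match(line) if key else None
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            yield key, name, _unescape(data[1:-1])


def find_hijack(text, encoded_prefix=ENCODED_PREFIX):
    """Return [(key, name, decoded_data)] for what the steps above say to delete:
    any string value that, once percent-decoded, starts with the hijack URL
    (catching encoded and plain-text variants alike), plus the "User Stylesheet"
    value under an ...\\Internet Explorer\\Styles key."""
    want = unquote(encoded_prefix).lower()
    hits = []
    for key, name, data in parse_reg_export(text):
        decoded = unquote(data)
        if decoded.lower().startswith(want):
            hits.append((key, name, decoded))
        elif key.lower().endswith(r"\internet explorer\styles") and name.lower() == "user stylesheet":
            hits.append((key, name, decoded))
    return hits


def cleanup_reg(hits):
    """Build a .reg file that deletes exactly the flagged values ("Name"=- syntax),
    so the fix can be reviewed before it is imported with regedit."""
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(by_key):
        lines.append(f"[{key}]")
        lines.extend("@=-" if n == "(Default)" else f'"{_escape(n)}"=-' for n in by_key[key])
        lines.append("")
    return "\n".join(lines)


# Constructed sample export (not from a real machine): one encoded hijack, one
# plain-text hijack, the stylesheet entry, and legitimate values that must survive.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d%2d/?a=1"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles]
"Use My Stylesheet"=dword:00000001
"User Stylesheet"="C:\\WINDOWS\\default.css"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://acc.count-all.com/--/default.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
'''

if __name__ == "__main__":
    print("hijack prefix decodes to:", decode_prefix())
    found = find_hijack(SAMPLE_EXPORT)
    for key, name, data in found:
        print(f"DELETE  [{key}] {name!r} = {data!r}")
    print(cleanup_reg(found))
```

Matching on the decoded form is the point: a search for the literal "%61%63..." string would miss a value written as "http://acc.count-all.com/--/", and a search for the plain host would miss the encoded one. Delete only the values the generated file lists; the legitimate Search Page and Default_Search_URL entries under the same keys are left alone, and the original export is the undo.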