Virus microsoft.public.security.virus

  #1  
Old 06-26-04, 08:11 PM
John
Trojan Horse = BackDoor.Agent.BA + Startpage
Hi All:

Man, oh man...have I gotten nailed! Ouch! These viruses
came out of nowhere and nailed my machine. It installed
itself 6/20. I have literally spent 2 days trying
everything I know.

Some background information...

1. I am a fanatic about getting XP updates.
2. I have Norton AV and it doesn't even pick this one
(the backdoor.ba job) up. Norton AV found the StartPage
virus but failed to fix or delete it.
2a. This (BackDoor) was detected by AVG 6.0 (a free
download); but not by Norton AV.
2b. AdAware 6.181 will find the "bad" registry entries
related to StartPage and quarantine them...but they come
back like herpes.
3. I have tried doing all the following (to no avail).

A. Disabled System Restore
B. Rebooted in Safe Mode
C. Ran "regedit" and deleted the entries made in the
registry. They are found in HKEY CURRENT USER and HKEY
LOCAL MACHINE registries.
D. I followed the instructions on Symantec's website to
kill off StartPage (like 4 times) and it has totally
failed.

Question #1:

With regard to the StartPage issue - Is there ANYBODY who
can help? The whole family is sick and tired of seeing
the damned "about:blank" home page. So am I.

Can anyone tell me what file in the system files keeps
propagating the registry entries (8 or 9 of them)?

Question #2:

With regard to the BackDoor.Agent.BA issue. I have
isolated the file to "winpa.dll" that seems to be the
problem. How can I delete it!?

Renaming the file doesn't work (tried that). You still get
the AVG warning. Then I tried changing the attributes
(read only to something else)...no dice. Can't delete it
either.

For now, I renamed it...but I keep getting messages that
it is infected with the backdoor.agent.BA virus.

Can anybody please help?

Reply offline to John_C_Eberle@msn.com

DO NOT SEND A FILE ATTACHMENT. :-)
  #2  
Old 06-27-04, 05:09 AM
Sandi - Microsoft MVP
Re: Trojan Horse = BackDoor.Agent.BA + Startpage
Home page problem:

This advice covers three types of home page locking - hijacking (by web
sites), hijacking (by viruses) and locking (by ISPs when you install their
software, and computer manufacturers)

Malware:
If your computer home page is set to about:blank against your wishes, or any
other page, you have a malware problem. For advice on getting rid of it,
check out the link below:
http://inetexplorer.mvps.org/data/tshoot.htm

If you are using Spybot S&D, check your 'immunize' settings which may be
locking the home page.

Microsoft links to problems with the above sites are as follows:

PassThisOn.com Home Page Appears When You Start Computer [Q309313]
http://support.microsoft.com/default...;EN-US;Q309313

Cannot Change Default Home Page Setting from Webcombo Site [Q302459]
http://support.microsoft.com/default...;EN-US;Q302459

Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page
Setting
http://support.microsoft.com/default...b;EN-US;320159

In addition, you may discover that browser.secondpower.com is being added to
your homepage URL. This link has an Uninstaller:
http://www.secondpower.com/customer.html

Prevent Hijacking:

First, update to Internet Explorer 6. Most sites that try to hijack your
home page will now trigger a 'do you want to do this' warning message that
lets you stop the hijacking. The sneaky background activex downloads that
are often used by hijack sites to install spyware will also trigger a 'do
you want to do this' install window.

Please see this link for advice on security fixes that can help prevent such
hijackings:

http://inetexplorer.mvps.org/data/prevention.htm

Make sure that your antivirus is completely up to date.

There is a clever little shareware programme that can help stop your home
page being changed; it seems to work well but tends to trigger when you
change your home page manually the next time that you start IE - the
programme makes it much easier to take back control of your home page
settings:
http://www.pjwalczak.com/spguard/

If you are using Spybot S&D you can lock your home page using the 'immunize'
option.

Manufacturer/ISP Locking:

Some computer manufacturers and suppliers of internet access set IE to their
home page and lock this setting via the registry. Hijackers use exactly the
same trick. The locking is done using registry settings as per the
following:

Home Page Setting Changes Unexpectedly, or You Cannot Change Your Home Page
Setting http://support.microsoft.com/default...;EN-US;q320159

Specific registry settings affected are:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
DWORD "HomePage"=dword:00000001 (grays out the whole section)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
DWORD "NoSetHomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
DWORD "NoSetHomePage"=dword:00000001

Spyware/adware/malware problems:

There are many people who have helped this FAQ improve over time - MVPs and
newsgroup users. I thank all of you who have made the newsgroups,
anti-malware websites and dedicated mailing lists into such a wonderful
resource.

Read the advice at my prevention link
(http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of
your computer being infected.

IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware can kill your internet connection when it is
removed, and this software should get things going for you again:
http://www.cexx.org/lspfix.htm

Also get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html

The software you should download and have ready to use is:

AdAware - www.lavasoft.de [..Warning: AdAware is now version 6.181. All
previous versions are NO LONGER SUPPORTED and will not be updated...]
Spybot Search and Destroy - http://spybot.eon.net.au
HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe
CWShredder - http://www.merijn.org/files/CWShredder.exe

IMPORTANT: After obtaining the required software above, make sure you check
for updates and run the programmes in safe mode.

Malware removal (beginner's guide):

First, go to Control Panel, add/remove programs. Check for malware entries
and use the uninstall programs, then reboot.

Go to start/run and type MSCONFIG. Go to the startup tab. Disable
everything that you do not recognise as legitimate (do not disable any power
profile options).

Now go to the Services tab. Turn on the option to 'hide all Microsoft
Services'. Disable everything that remains. If you don't have this option,
don't worry about it.

Reboot your computer and hold down the F8 key until the boot menu options
appear. Choose Safe Mode as your startup choice. You will find
information about what safe mode is, and what it does, at this link
[http://inetexplorer.mvps.org/data/safe_mode.htm]

Start CWSHREDDER, update it and fix anything it finds. Reboot back into
safe mode.

Start AdAware. Use the 'check for updates now' option. After you have
updated, click 'start'.

Note that when run using default settings, AdAware does not cope with new
'intelligent' malware. Make the following changes to the default settings.

Use the option 'select drives/folders to scan'. Set AdAware to scan your
entire hard drive.

Make sure 'activate in depth scan' is enabled.

Select 'use custom scanning options' and then click on the 'customize'
button. Turn on the following scan options - scan within archives, scan
active processes, scan registry, deep registry scan, scan [my] IE favorites
for banned URLs, and scan [my] hosts file.

Use the 'tweak' button. Turn on the following options:

Cleaning engine: 'automatically try to unregister objects prior to
deletion', 'let windows remove files in use at next reboot', 'delete
quarantined objects after restoring'.
Scanning engine: 'unload recognized processes during scan'.

After you have finished with AdAware run Spybot to pick up any leftovers.
Fix anything marked in red. Again, don't forget to check for updates first.

Also do the following:

Empty your IE cache and your other temporary file folders, eg: c:\temp,
c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings
Button}, View Objects, Downloaded Program Files. Check for unrecognised
objects there.

Go to IE Tools, Internet Options, Accessibility. Make sure there is no style
sheet chosen (under User Style Sheet - format documents using my style
sheet). If the option is turned on, turn it OFF.

If the problem comes back, start all over again but with the following
changes (this section requires advanced computer skills - inexperienced
users will require assistance):

Examine win.ini using MSCONFIG to see what is loading. You may find
something there. Go to MSCONFIG and go to the General tab. Turn off
process win.ini file, load system services and load startup items. Restart
Windows and run AdAware etc once more.

Use services.msc to see what is running. Some malware is now registering
itself as a Service. The problem is working out what is legitimate and what
is not.

Unless you have strong experience working in this area, I strongly recommend
that, until such time as I am able to track down a comprehensive list of
legitimate services (or put one together myself), you post details of the
services revealed by services.msc to a microsoft.public newsgroup for
professional guidance. If you turn off the wrong service you could cause
serious problems, and at the very worst, leave the computer unbootable.

An experienced computer technician can use a programme such as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer

Another excellent programme for the experienced user is APM (Advanced
Process Manipulation), available at:
http://www.diamondcs.com.au/index.php?page=apm

Once the computer is clean, and if it applies to the operating system,
create a new restore point. The old ones may, of course, be infected with
the malware and therefore cannot be used. Run disk cleanup to remove old
restore points (if your operating system has this option you will find it on
the 'more options' tab of the disk cleanup utility). If the option to remove
old restore points is not available, stop and restart the restore service,
which will flush out old restore points and prevent accidental reloading of
malware.

MS have released a limited KB article regarding what they call 'deceptive
software'.
http://support.microsoft.com/default...b;EN-US;827315

Here is advice specific to:

home page hijackings
http://inetexplorer.mvps.org/answers.htm#home_page

pop-up ads
http://inetexplorer.mvps.org/data/popup.htm

search engine hijackings
http://inetexplorer.mvps.org/answers4.htm#search_engine


--
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org
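An added example, not code from either poster or from any of the tools linked above: a PowerShell audit script that checks the three home page lock values Sandi lists, shows where the IE start page is currently set, dumps the registry half of what MSCONFIG's Startup tab shows, and reports which running process has a named DLL mapped (the usual reason a rename or delete of a file such as John's winpa.dll fails while Windows is running normally). The lock key paths and value names are the ones quoted in the reply; the Start Page and Run key locations, and the claim that a mapped DLL cannot be deleted until the process holding it exits, are standard Windows behaviour assumed here rather than stated on the page. The `-Unlock` switch is the script's own addition and simply deletes the three lock values.

```powershell
# Added example (not from the original thread): audit the Internet Explorer
# home page lock values Sandi lists, show where the start page is set, list
# registry autostart entries, and find which process has a named DLL mapped.
# Registry paths for the locks come from the post; the Start Page and Run key
# locations are standard Windows locations assumed here, not page-sourced.
# Run from an elevated PowerShell prompt; read-only unless -Unlock is given.
[CmdletBinding()]
param(
    [string]$DllName = 'winpa.dll',   # the file John isolated (from the post)
    [switch]$Unlock                   # remove the three lock values (script's own option)
)

# The three lock values quoted in the reply: key path and value name.
$lockValues = @(
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name = 'HomePage' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';  Name = 'NoSetHomePage' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions';  Name = 'NoSetHomePage' }
)

function Get-HomePageLockStatus {
    # One row per lock value; Locked is true only when the DWORD is present and 1.
    foreach ($lv in $lockValues) {
        $item = Get-ItemProperty -Path $lv.Key -Name $lv.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key    = $lv.Key
            Value  = $lv.Name
            Data   = if ($item) { $item.($lv.Name) } else { $null }
            Locked = [bool]($item -and $item.($lv.Name) -eq 1)
        }
    }
}

function Get-StartPageSettings {
    # Per-user setting wins; the HKLM copy is the default handed to new profiles.
    foreach ($hive in 'HKCU', 'HKLM') {
        $main = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Hive = $hive; StartPage = $main.'Start Page'; DefaultPage = $main.'Default_Page_URL' }
    }
}

function Get-AutostartEntries {
    # The registry half of what MSCONFIG's Startup tab shows.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Find-LoadedModule {
    param([string]$Name)
    # A DLL mapped into a running process cannot be deleted or overwritten;
    # this shows which process holds it so it can be stopped, or examined in safe mode.
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # access denied on some processes
        foreach ($m in $mods) {
            if ($m.ModuleName -ieq $Name) {
                [pscustomobject]@{ ProcessName = $proc.ProcessName; ProcessId = $proc.Id; Path = $m.FileName }
            }
        }
    }
}

function Remove-HomePageLock {
    # Deletes the three lock values; a missing value is not an error.
    foreach ($lv in $lockValues) {
        Remove-ItemProperty -Path $lv.Key -Name $lv.Name -ErrorAction SilentlyContinue
    }
}

'== Home page lock values =='
Get-HomePageLockStatus | Format-Table -AutoSize
'== Start page =='
Get-StartPageSettings | Format-Table -AutoSize
'== Registry autostart entries =='
Get-AutostartEntries | Format-Table -AutoSize
"== Processes with $DllName loaded =="
Find-LoadedModule -Name $DllName | Format-Table -AutoSize
if ($Unlock) { Remove-HomePageLock; 'Lock values removed; re-run the script to confirm.' }
```

Run it once before cleaning to record the baseline, then again after each pass: if a lock value or a Run entry reappears after you deleted it, the process listed under the DLL section (or another autostart entry in the list) is what is writing it back, which answers John's first question about what keeps propagating the registry entries. The script does not kill processes or delete files; stopping the owning process and removing the file is still a manual step, best done in safe mode as the reply describes.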



  #4  
Old 07-22-04, 04:04 PM
cafmenace
Junior Member
Join Date: Jul 2004
Re: Trojan Horse = BackDoor.Agent.BA + Startpage
I have a very similar problem, same exact characteristics mentioned below but under a different name. I'm dealing with a virus called backdoor.trojan and I have pinpointed the file it's associated with as wdma.dll. Tried everything John posted below too but still to no avail. Please, I'll really appreciate it if someone could help. Thanks


