Problems with Homepage

scouselass

LincsLad you mentioned the many different ways the virus attacks the computer, and I am wonder if my problem is the same sort of thing.

For approx the last month, whenever I log on to the internet, or email, I get an message popping up saying: (this is one of them)

eTrust EZ Antiviru real-time protections has found that C:\DOCUME~1\ALLUSE~1\PRIBI\PRIBI.DLL is Win31.Startpage.IO trogan.

I have the option to click ok, or select the X to close the box. I always go for the X cos it doesn't seem right to say OK to a virus (is this female logic!!!) Anyhow, when I do click X, the box keeps reappearing approx 6 times, and the same message reappears every time. Then on the 6th click it goes off, until I next access another internet set, or check emails!!!

However, on different days, some of the detail in that messages changes! But still says it is ..... startpage...trogan.

This problem is driving me batty. Is it the same sort of thing as you describe? Is it doing anything really bad behind the scenes to my computer? How do I get rid?

LincsLad_3

Yup, it's a virus/trojan. As the message you receive suggests, it is called "TROJ_STARTPAG.BK", also known as Trojan.Win32.StartPage.bk or Win32/StartPage.bk.Trojan

This Trojan registers itself as a Browser Helper Object (BHO), which is capable of modifying the behavior and settings of the Internet Explorer browser. It runs on Windows 95, 98, ME, NT, 2000, and XP

Solution: (Note: You should ALWAYS back up the Windows Registry before making any changes)

IMPORTANT: Before proceeding with this clean instructions, first close all Internet Explorer windows.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
3. On Windows 98 and ME,
in the right panel, locate and delete the following entry:
\Pribi.exe = "C:\Windows\All Users\
Application Data\ Pribi\Pribi.exe"

On Windows NT, 2000, and XP,
also in the right panel, locate and delete the following entry:
\Pribi.exe = "C:\Documents and Settings\All Users\
Application Data\ Pribi\Pribi.exe"
4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Unregistering the Browser Helper Object

» On Windows 98 and ME

1. Click Start>Run, type COMMAND, then press Enter.
2. In the command prompt type
CD C:\Windows\All Users\Application Data\ Pribi
then press Enter
3. Type C:\Windows\System\Regsvr32 pribi.dll /U, then press Enter to un-register the Browser Help Object.

» On Windows NT, 2000, and XP

1. Click Start>Run, type CMD, then press Enter.
2. In the command prompt type
CD C:\Documents and Settings\All Users\Application Data\ Pribi
then press Enter
3. Type Regsvr32 pribi.dll /U, then press Enter to un-register the Browser Help Object.

Then sweep your PC with an up to date version of whichever antivirus software you use. (Note: If running Windows ME/XP or 2000 you MUST disable System Restore to allow full scanning of infected systems.

scouselass

Lincslad, thank you for your very comprehensive answer. Here is my non-techie response.

I did attempt a prompt response on 26th as to what had happened when following your instructions, and then I lost it (somehow) whilst posting it here (my fault). I have just been away for a couple of days and will try again now.

Right, I did the removing autostart, and that appeared to go ok, without a hitch. Although, in truth, I dont know if it worked because I dont know what to expect!

When it came to unregistering the browser help object, I was able to follow steps 1 and 2, but after step 3 it gave the following message:

Loadlibrary("pribi.dll") failed - Access Denied

Now I retyped step 3, putting pribi.d11 (because I did not know if it was two 1's, or two l's) but I got the same message

What was it about step 3 that I got wrong? Can I check a couple of things. In the instruction at Step 3 was there a space in front of the forward slash ( /U)? Or doesn't it make any difference? Should I have inserted the word 'type' at the beginning of step 3? (I didn't put it in). Did it matter that I was connected to the internet, when trying out these commands? I kept that open, as I wanted to post my response once I had tested out the instructions.

This trojan I have, means I now need to click 10 times to get rid of the box!!! Will it keep increasing? should I be clicking on the X, or the OK button, to clear it off the screen?

Even if I can stop the trojan, will it have done any lasting damage. I believe its made my machine slower, can I do anything about that? The slowness of course could be my vivid imagination. Maybe its the user!

I don't want a glossary of terms, but can I ask a couple of other questions? What is the windows registry, and how can I back it up? Clearly my question betrays the fact that I carried out your instructions, but I ignored that step about backing it up because I didn't know what to do.

What is the Browser Help Object?

Finally, I have used system restore in the past, and found the location where it can be disabled, but I can't recall where that is now. Also, if I didn't switch it back on the last time I used it, what are the implications of that? I have two virus checkers (freebies) ETrust, and AVG, the latter does a weekly scan - should system restore be off when it does that?

Hope you can help/also advise about virus software.

cheers

scouselass

LincsLad_3

I'm just about to go away for a few days, so this is a 'quick and dirty' response - hopefully others will jump in and fill in the gaps.

Definitions etc:
Windows Registry: Click here for the Microsoft definition, and links on how to backup (possibly too late! ) and restore the Registry. It's a bit Techie-speak, but hopefully not TOO much. ;D

Click here for the details on System Restore. The implications of having turned it off a while ago and not back on again are that you will have no 'old' points to restore to. Once the PC is sorted you should turn System Restore on again and create a new Restore Point.

Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, that shares IE's memory space, and can perform many actions on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page. All iin all - not nice.

OK, onto the questions.....

Loadlibrary("pribi.dll") failed - Access Denied

I suspect this happens as the file (pribi.dll - with two letter l's) is in use. You should boot the PC in safe mode ( Click Here. ) and try again.

Leave the space in front of the /U

Do NOT insert the word 'Type'

It probably is not important that you were connected to the Internet, but boot into Safe mode as above and forget about the Internet for a while.

Once the Trojan is gone, there should be no lasting effects.

Keep clicking on whichever you click on right now to close the box and yes, it probably will increase while your PC is infected.

Anyway, keep at it, you are almost there. By the time I get back I am sure it will be sorted!

Sorry if I missed anything - typed in a hurry!!

scouselass

Thanks Lincslad

I got rid of my Trojan! Yippee!!!

I really do appreciate the help as I don't know how else I would have got rid of it withour your assistance. When visiting sites like Windows, or using virus checkers they don't usually give instructions on how to get shut of these things, at least not in the way I received it on these posts.

thanks