Troj/StartPa-EH

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/StartPa-EH changes settings for Microsoft Internet Explorer.

The installation executable drops a DLL component into the Windows system folder, using a random filename with a DLL extension, and registers the DLL as a COM object under a randomly generated class ID. The pathname of the DLL is stored in the following new registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\
SearchAssistant\Uninstall\UninstallString
= "regsvr32 /s /u <pathname of Troj/StartPa-EH DLL>"

The class ID for the dropped DLL will be stored under the following new registry entry:

HKCR\CLSID\(<class ID for Troj/StartPa-EH DLL>)\InProcServer32 =
<pathname of Troj/StartPa-EH DLL>

The DLL is registered as a Browser Helper Object (BHO) for Microsoft Internet Explorer by using its class ID string to create a new sub-entry of the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\

This will cause the Troj/StartPa-EH DLL to be loaded automatically each time Microsoft Internet Explorer is run.

The Troj/StartPa-EH DLL creates a file named sp.html in the TEMP folder and changes settings for Internet Explorer by setting the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page = "about:blank"

HKLM\Software\Microsoft\Internet Explorer\Main\
Start Page = "about:blank"

HKCU\Software\Microsoft\Internet Explorer\Main\
HOMEOldSP = "about:blank"

HKLM\Software\Microsoft\Internet Explorer\Main\
HOMEOldSP = "about:blank"

HKCU\Software\Microsoft\Internet Explorer\Main\
Search Bar = "file://%TEMP%\sp.html"

HKLM\Software\Microsoft\Internet Explorer\Main\
Search Bar = "file://%TEMP%\sp.html"

HKCU\Software\Microsoft\Internet Explorer\Main\
Search Page = "file://%TEMP%\sp.html"

HKLM\Software\Microsoft\Internet Explorer\Main\
Search Page = "file://%TEMP%\sp.html"

HKCU\Software\Microsoft\Internet Explorer\Search\
SearchAssistant = "file://%TEMP%\sp.html"

HKLM\Software\Microsoft\Internet Explorer\Search\
SearchAssistant = "file://%TEMP%\sp.html"

HKCU\Software\Microsoft\Internet Explorer\Main\
Use Custom Search URL = 1

HKLM\Software\Microsoft\Internet Explorer\Main\
Use Custom Search URL = 1

HKCU\Software\Microsoft\Internet Explorer\Main\
Use Search Asst = "no"

HKLM\Software\Microsoft\Internet Explorer\Main\
Use Search Asst = "no"

Troj/StartPa-EH can be uninstalled via the Add or Remove Programs dialog in the Windows Control Panel (Start -> Settings -> Control Panel -> Add/Remove Programs) by selecting the entry "Search Assistant Uninstall".

The Troj/StartPa-EH DLL can be de-registered manually by running the following from a command line (Start -> Run):

regsvr32 /S /U <pathname of Troj/StartPa-EH DLL>
