Aliases
- Trojan.Win32.StartPage.hb
Characteristics
- Modifies data on the computer
- Installs itself in the registry
Affected Operating Systems
Recovery Instructions:
Please follow the instructions for removing Trojans.
You will need to edit the following registry entries. Please read the warning about editing the registry.
Renaming the registry editor
- Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it.
- Rename the copy of Regedit.exe to Regedit.com.
- At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.
Editing the registry
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_CLASSES_ROOT entry:
Typically an unaltered registry entry will be set to:
HKCR\exefile\shell\open\command\(default) = "%1" %*
The altered registry entry will be:
HKCR\exefile\shell\open\command\(default) = <path to Trojan> "%1" %*
Delete only the path to the Trojan. Do not delete anything else.
Locate the HKEY_CURRENT_USER entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
Right-click them and select 'Delete'. Click OK.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost
and delete it if it exists.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant
Right-click them and select 'Delete'. Click OK.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www
Right-click them and select 'Modify'. Delete the web address, leaving only "http://". Click OK.
Close the registry editor.
Delete the links added by the Trojan from your Favorites folder in Internet Explorer.
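To confirm the cleanup, the following added example (not part of the original instructions) audits the text of a registry export, such as one made with 'Export Registry File', against the values given above: the exefile open command, the Run\svchost value and the two URL prefixes. The names audit, parse_reg, EXPECTED and MUST_BE_ABSENT are hypothetical, the sample export is constructed, and the text is assumed to be already decoded (newer exports are UTF-16). The Internet Explorer page entries are not checked because no clean value is stated for them.

```python
import re

# Clean values stated on the page; "@" is the (default) value. Assumption: DefaultPrefix
# is a key whose default value holds the prefix; "www" is a value under Prefixes.
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
EXPECTED = {
    (r"hkey_classes_root\exefile\shell\open\command", "@"): '"%1" %*',
    (CV + r"\url\defaultprefix", "@"): "http://",
    (CV + r"\url\prefixes", "www"): "http://",
}
MUST_BE_ABSENT = [(CV + r"\run", "svchost")]  # page: delete it if it exists

# Constructed sample export (blank lines omitted); file path and URL are placeholders.
SAMPLE = r'''REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\example-trojan.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\WINDOWS\\example-trojan.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"www"="http://redirect.example/"
'''

LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash

def parse_reg(text):
    """Return {(key, value name): data} for string values, names lowercased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := LINE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1]).lower()
            values[(key, name)] = unescape(m.group(2))
    return values

def audit(text):
    """Return (key, value name, finding) for each entry still needing cleanup."""
    values, findings = parse_reg(text), []
    for entry, want in EXPECTED.items():
        if values.get(entry) != want:
            findings.append((*entry, f"expected {want!r}, found {values.get(entry)!r}"))
    for entry in MUST_BE_ABSENT:
        if entry in values:
            findings.append((*entry, f"present: {values[entry]!r}"))
    return findings
```

An empty list from audit() means every checked entry matches the values given in the instructions; a key missing from a partial export is reported as found None.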