Troj/StartPa-HB is a startpage Trojan.
Troj/StartPa-HB copies itself to SVCHOST.EXE in the Windows folder and sets the following registry entry so as to run it on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost
Troj/StartPa-HB also copies itself to SETDBG.EXE in the Windows folder and sets the following registry entry so as to run it before any EXE file:
HKCR\exefile\shell\Open\Command
Troj/StartPa-HB attempts to intercept the files IEXPLORE.EXE and OPERA.EXE as they open and make them start at its own website.
Troj/StartPa-HB sets the following registry entries to change various Start and Search pages:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www
Troj/StartPa-HB also sets the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "no"
HKLM\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "no"
Troj/StartPa-HB adds files containing URL links called "Teens Anal Fucking.url" and "Sex.url" to the folder found in
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites.
Troj/StartPa-HB moves the following registry entries to disable the handling of certain types of webpage:
HKCR\PROTOCOLS\Handler\its\CLSID to HKCR\PROTOCOLS\Handler\its\CLSID0
HKCR\PROTOCOLS\Handler\mhtml\CLSID to HKCR\PROTOCOLS\Handler\mhtml\CLSID0
HKCR\PROTOCOLS\Handler\ms-its\CLSID to HKCR\PROTOCOLS\Handler\ms-its\CLSID0
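The persistence and hijack entries listed above can be checked in a registry snapshot during triage. The following is an added example, not part of the original description or of any vendor tool. The snapshot format (registry path mapped to its data), the function name and every sample value are constructed for illustration.

```python
# Added example: triage a registry snapshot for the Troj/StartPa-HB changes
# described above. Snapshot layout and sample data are constructed.

EXEFILE_DEFAULT = '"%1" %*'  # stock Windows data for HKCR\exefile\shell\open\command
RUN_VALUE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost"
EXEFILE_CMD = r"HKCR\exefile\shell\Open\Command"
HANDLER_ROOT = r"HKCR\PROTOCOLS\Handler"
HANDLERS = ("its", "mhtml", "ms-its")


def check_snapshot(snapshot):
    """Return a list of (indicator, path, data) findings."""
    reg = {k.lower(): v for k, v in snapshot.items()}  # registry paths are case-insensitive
    findings = []

    # The real svchost.exe is started by the Service Control Manager, not a Run value.
    data = reg.get(RUN_VALUE.lower())
    if data is not None:
        findings.append(("run-key-svchost", RUN_VALUE, data))

    # Any command other than the stock one runs something ahead of every EXE.
    data = reg.get(EXEFILE_CMD.lower())
    if data is not None and data.strip() != EXEFILE_DEFAULT:
        findings.append(("exefile-hijack", EXEFILE_CMD, data))

    # A CLSID0 value means the handler's CLSID entry was moved aside.
    for name in HANDLERS:
        path = f"{HANDLER_ROOT}\\{name}\\CLSID0"
        if path.lower() in reg:
            findings.append(("handler-disabled", path, reg[path.lower()]))
    return findings


# Constructed sample snapshots (placeholder paths and CLSID).
INFECTED = {
    RUN_VALUE: r"C:\Windows\svchost.exe",
    EXEFILE_CMD: r'C:\Windows\setdbg.exe "%1" %*',
    HANDLER_ROOT + r"\mhtml\CLSID0": "{00000000-0000-0000-0000-000000000000}",
}
CLEAN = {
    EXEFILE_CMD: '"%1" %*',
    HANDLER_ROOT + r"\mhtml\CLSID": "{00000000-0000-0000-0000-000000000000}",
}

if __name__ == "__main__":
    for finding in check_snapshot(INFECTED):
        print(finding)
```

Restoring the exefile command to its stock value should come before removing SETDBG.EXE, since the hijacked command is invoked for every EXE that is opened.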