Aliases
Characteristics
-
Modifies data on the computer
-
Reduces system security
-
Installs itself in the registry
Affected Operating Systems
Recovery Instructions:
Please follow the instructions for removing Trojans.
In Windows 2000/XP/2003, remove the Trojan files and perform the following actions in Safe Mode with command prompt only.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the command prompt type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_CLASSES_ROOT entry:
HKCR\MIME\Database\Content Type\application/hta
and delete it if it exists.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SysSearch = "C:/WINDOWS/REGEDIT.EXE -s c:/WINDOWS/sysreg.reg"
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
and delete them if they exist.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
and delete the Trojan URL. Leave blank, or copy from another computer.
Locate the HKEY_CURRENT_USER entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout
and delete them if they exist.
Locate the HKEY_CURRENT_USER entry:
HKCU\Software\Microsoft\Internet Explorer\Search URL
delete the Trojan URL. Leave blank, or copy from another computer.
Locate the HKEY_CURRENT_USER entries:
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
right-click the entry and select 'Delete'. Click OK.
Close the registry editor.
At the command prompt type "Explore" to start Windows Explorer.
Search your computer for the file sysreg.reg, and delete it if it exists.
The following registry entry
HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\
(00000566-0000-0010-8000-00AA006D2EA4)\Compatibility Flags
may be used to exploit a vulnerability. Read and follow the advice given in Microsoft Knowledge Base Article 870669, repatching if necessary. On single computers, update with all relevant security patches from Windows update.