Troj/StartPa-ME is a Trojan that changes registry entries related to Internet Explorer.
When first run, the Trojan creates the file sysreg.reg in the Windows folder and copies its contents into the registry by executing the following command:
regedit -s sysreg.reg
In order to run automatically at system start, Troj/StartPa-ME creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SysSearch = "C:/WINDOWS/REGEDIT.EXE -s c:/WINDOWS/sysreg.reg"
The Trojan also modifies the following registry entries in order to change Internet Explorer behaviour:
HKCU\Software\Microsoft\Internet Explorer\Search URL
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst
HKCU\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout
HKCR\MIME\Database\Content Type\application/hta
HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\
(00000566-0000-0010-8000-00AA006D2EA4)\Compatibility Flags
HKCR\PROTOCOLS\Handler\mhtml\
HKCR\PROTOCOLS\Handler\mhtml\CLSID