Troj/Boa-A

Please follow the instructions for removing Trojans.

Please follow the instructions for removing Trojans.

You will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msnet
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\msnet

and delete them if they are present.

Close the registry editor.

You should also check the Windows system folder for any *.jpg files of the type mentioned above and delete them.

Troj/Boa-A is a keylogging Trojan. The Trojan monitors keypresses and other system activity and periodically sends an email to the attacker containing a log of the actions monitored on the victim's machine.

When Troj/Boa-A is first executed a copy will be created in the System folder with the filename msnet.exe and the following two registry files will be created so that the Trojan is run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msnet
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\msnet

Troj/Boa-A also fills up the user's hard disk with JPG files in the Windows system folder with the filenames file000.jpg, file001.jpg, file002.jpg, etc. These JPG files contain snapshots of parts of the user's Desktop and are intended to be emailed to the attacker along with the other logs.