Troj/Delf-RX

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
PornoTop=
<path to Trojan>

and delete it if it exists.

Close the registry editor.

Troj/Delf-RX is a backdoor Trojan for the Windows platform.

On first execution the Trojan will create the folder PornoTop in the "Program Files" folder and place a copy of itself there as PTOP.EXE. Additionally the Trojan may store some data files in this folder. The Trojan will then create the following registry entry so as to run on system start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
PornoTop=
<path to Trojan>

Troj/Delf-RX will also create the folder C:\windowsearch and drop parts of itself there as WINDOWSSEARCH.HTML and FRM1.HTML, before setting the internet explorer home page to reference the WINDOWSEARCH.HTML file.

This html file will cause the user to start internet explorer at a given website as a subframe of the local file.

The Trojan will also try to connect to a given internet site and receive backdoor commands.

After a small delay, the Trojan will place a large red message in the middle of the screen warning the user that they are infected with spyware and offering to direct them to a spyware removal package.