high
Summary
Summary
Action- More Information
| Protection available since | 28 January 2004 12:15:37 (GMT) |
|---|---|
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
You should also change your Internet Explorer settings using Tools|Internet options|General to remove any modifications made by the Trojan.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\coolwebprogram
= <filename>
and delete it if it exists.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\coolwebprogram= <filename>
and delete it if it exists.
Close the registry editor and reboot your computer.
More Information
Troj/Digits-B could exist in any folder with any of the following filenames:
iexplorer.exe
explore.exe
exploreer.exe
sistem.exe
systeem.exe
critical.exe
directx.exe
internet.exe
window.exe
winmgnt.exe
clrssn.exe
splorer32.exe
win32e.exe
inetinf.exe
directx32.exe
uninstall.exe
time.exe
volume.exe
autorun.exe
user32.exe
The Trojan's filename will change after each execution along with the file associated with the following start up entries that are created in the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\coolwebprogram
= <filename>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\coolwebprogram
= <filename>
The following Internet Explorer registry entries will be changed so that IE features such as the startup and search pages point to smartsearch.ws:
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant
Several entries will be added to Internet Explorer's favourites list, all of which point to smartsearch.ws.
Troj/Digits-B will periodically attempt to update itself over the internet.
The local hosts file will be changed so that a number of URLs will point to the same web address.
|
