Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing Trojans.
You will also need to edit the following registry entry. Please read the warning about editing the registry.
First rename the registry editor.
- Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it.
- Rename the copy of Regedit.exe to Regedit.com.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_CLASSES_ROOT entry:
Typically, an unaltered registry entry will be set to:
HKCR\exefile\shell\open\command\(default) = "%1" %*
The altered registry entry will be:
HKCR\exefile\shell\open\command\(default) = <path to Trojan> "%1" %*
Delete only the path to the Trojan. Do not delete anything else.
Close the registry editor.
Change any data that may have become compromised.
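The registry check described above can also be run against the text of an exported registry file, such as the Backup export. This is an added example, not part of the original instructions: it reports any exefile\shell\open\command default value that differs from "%1" %* and extracts the part that precedes it. The function names, the sample export and the path placeholder.exe are constructed for illustration.

```python
import re

EXPECTED = '"%1" %*'                         # unaltered value given on the page
KEY_SUFFIX = r"\exefile\shell\open\command"  # matched under any root key

def load_reg(path):
    """Read a .reg export: UTF-16 with a BOM (Version 5.00) or 8-bit (REGEDIT4)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("latin-1")

def unescape_reg_string(raw):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", raw)

def check_exefile_handler(reg_text):
    """Return (key, value, prefix) for each altered exefile open command.

    prefix is the text in front of the expected value (the part the
    instructions say to delete), or None if the value has another shape.
    """
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                  # start of a new key section
            continue
        if key is None or not key.lower().endswith(KEY_SUFFIX):
            continue
        match = re.fullmatch(r'@="(.*)"', line)   # @ is the (default) value
        if not match:
            continue
        value = unescape_reg_string(match.group(1))
        if value == EXPECTED:
            continue
        ok_shape = value.endswith(EXPECTED)
        prefix = value[:-len(EXPECTED)].strip() if ok_shape else None
        findings.append((key, value, prefix))
    return findings

# Constructed sample export; placeholder.exe is not a real indicator.
SAMPLE = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\placeholder.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for key, value, prefix in check_exefile_handler(SAMPLE):
        print(f"ALTERED {key}: {value!r} (prefix to remove: {prefix!r})")
```

An empty result means every exefile open command found in the export already holds the unaltered value.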
More Information
Troj/Exdis-A is an IRC backdoor Trojan and a web proxy server that also logs keypresses and steals passwords. The Trojan may copy itself into the Windows folder with a random name.
Under Windows 95/98/Me, Troj/Exdis-A changes the following registry entry:
HKCU\exefile\shell\open\command
The Trojan runs as a service process and may create the following files in the system folder:
execmd.xad
klg.dat
plg.dat
prtxad.bin
rasxad.bin
xad600.bin
and others with a WMT extension.
