Summary

| Field | Value |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 6 April 2005 16:06:09 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Malche-A is a start-page-hijacking Trojan that uses a kernel-mode rootkit driver to conceal itself.
Troj/Malche-A drops a file called MSDIRECTX.SYS to the Windows temp folder, registers it with the service control manager as a kernel-mode driver service named MSDIRECTX, and loads it. The driver is used to hide the Trojan from monitoring tools. The dropped driver is detected separately as Troj/Rootkit-V.
Troj/Malche-A copies itself to the Windows system folder as kb32.exe and sets the following registry entry so that it is run on system startup. Windows launches the program named in an Image File Execution Options Debugger value in place of the program the value is set on, so kb32.exe is started every time explorer.exe (the shell) starts, i.e. at every logon, without any entry under the usual Run keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\
Debugger
<Windows system folder>\kb32.exe
Troj/Malche-A also creates the following registry entries, which make it appear in Add/Remove Programs under the name "MS alchemy":
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MS alchemy\
DisplayName
MS alchemy
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MS alchemy\
UninstallString
<Windows system folder>\kb32.exe --uninstall
Troj/Malche-A may drop and execute the following batch scripts in the Windows temp folder in order to delete its own dropped files:
temp0001806.bat
temp0001807.bat
Troj/Malche-A contacts a script at http://lucky-dreams.com to check whether a newer version is available, and may save a downloaded update temporarily as UPD00137.EXE in the Windows temp folder.
Troj/Malche-A attempts to change the following registry entries so as to redirect Internet Explorer's start page, search settings and URL-prefix completion to pages at the site http://search-links.net:
HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
www
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search\
SearchAssistant
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search\
CustomizeSearch
Troj/Malche-A attempts to modify the HOSTS file in the drivers\etc subfolder of the Windows system folder, appending the following line so that requests for auto.search.msn.com (the host Internet Explorer's address-bar auto-search used at the time) resolve to the loopback address and the built-in search is silently disabled:
127.0.0.1 auto.search.msn.com
