Sophos

Troj/Search-A

Summary

Protection available since 20 January 2004 16:41:27 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

Restore the hosts file from a known-good backup, or open it in Notepad and delete the 127.0.0.1 lines the Trojan added (they are listed under More Information), keeping the 127.0.0.1 localhost entry and any lines you added yourself.

You should also reset the Internet Explorer start page using Tools|Internet Options|General, since the Trojan sets it to smartsearch.ws.

Editing the registry

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
UserSystem= <Path to Trojan>

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
UserSystem= <Path to Trojan>

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\, where the code number is the user's security identifier (SID). For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\UserSystem= <Path to Trojan>

and delete it if it exists.

Close the registry editor and reboot your computer.
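
The registry steps above, automated, as an added example that is not Sophos' own code: it lists the UserSystem values under the HKLM Run and RunServices keys and under each user's Run key, and also flags any autorun value whose executable is one of the copy locations listed under More Information, so a variant that renames the value is not missed. The find_trojan_autoruns() logic is pure and runs on any platform; the winreg helpers, the --delete flag and the SAMPLE_VALUES listing are this example's own assumptions, and deleting values needs an Administrator prompt. Stop and remove the Trojan first, or a running copy may re-create the values.

```python
# Added example, not Sophos code: find and delete the Trojan's autorun values.
# find_trojan_autoruns() is pure so it can be run on any platform; the winreg
# helpers are Windows-only and assumed to need an Administrator prompt.
import sys

TROJAN_VALUE_NAME = "UserSystem"   # value name the page reports under Run/RunServices
AUTORUN_SUBKEYS = [                # keys named on the page, under HKLM and each HKU\<SID>
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
]
# Copy locations from the "More Information" section. The Windows Media Player
# download location is left out on purpose: it is also the path of the genuine
# wmplayer.exe, so that path alone is not evidence of infection.
DROP_PATHS = {p.lower() for p in [
    r"C:\y.exe", r"C:\funny.exe", r"C:\Windows\iexplorer.exe",
    r"C:\Windows\system32\kazaa.exe", r"C:\Windows\system\internet.exe",
    r"C:\Program Files\directx\directx.exe",
    r"C:\Program Files\Common Files\System\systeem.exe",
    r"C:\Windows\Media\wmplayer.exe", r"C:\Windows\Help\helpcvs.exe",
    r"C:\Program Files\Accessories\accesss.exe", r"C:\Games\systemcritical.exe",
]}


def image_path(command):
    """Executable path from a Run value's command line, quotes and arguments stripped."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(" ", 1)[0].lower()


def find_trojan_autoruns(values):
    """values: iterable of (key_path, value_name, command). Flags the page's
    UserSystem name and any value whose image is one of the copy paths, so a
    variant that renames the value but keeps C:\\funny.exe is still caught."""
    return [(k, n, c) for k, n, c in values
            if n.lower() == TROJAN_VALUE_NAME.lower() or image_path(c) in DROP_PATHS]


def enumerate_autoruns():
    """Windows only: yield (key_path, name, command) for HKLM Run/RunServices
    and for the Run key of every user hive loaded under HKEY_USERS."""
    import winreg
    targets = [(winreg.HKEY_LOCAL_MACHINE, "HKLM", s) for s in AUTORUN_SUBKEYS]
    for i in range(winreg.QueryInfoKey(winreg.HKEY_USERS)[0]):
        sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        targets.append((winreg.HKEY_USERS, "HKU\\" + sid, AUTORUN_SUBKEYS[0]))
    for hive, label, sub in targets:
        try:
            key = winreg.OpenKey(hive, sub)
        except OSError:
            continue          # key absent (RunServices exists only on Windows 9x/Me)
        with key:
            for j in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, j)
                yield (label + "\\" + sub, name, str(data))


def delete_autorun(key_path, name):
    """Windows only: delete one value reported by enumerate_autoruns()."""
    import winreg
    hive_name, _, sub = key_path.partition("\\")
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKU": winreg.HKEY_USERS}[hive_name]
    with winreg.OpenKey(hive, sub, 0, winreg.KEY_SET_VALUE) as key:
        winreg.DeleteValue(key, name)


# Constructed autorun listing (not from a real machine), used when run off Windows.
SAMPLE_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "UserSystem",
     r"C:\Windows\iexplorer.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\Windows\system32\ctfmon.exe"),
    (r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\funny.exe" /silent'),
]

if __name__ == "__main__":
    values = enumerate_autoruns() if sys.platform == "win32" else SAMPLE_VALUES
    for key_path, name, command in find_trojan_autoruns(values):
        print(f"{key_path}\\{name} = {command}")
        if sys.platform == "win32" and "--delete" in sys.argv:
            delete_autorun(key_path, name)
```

Without --delete the script only reports, which is the safer first run: confirm each hit is the Trojan before removing it, and reboot afterwards as the page says.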

More Information

Troj/Search-A is a backdoor Trojan that allows unauthorised access to the user's computer.

The Trojan is usually downloaded to the user's computer as C:\y.exe or C:\Program Files\Windows Media Player\wmplayer.exe. The second path is also where the genuine Windows Media Player executable lives, so a file by that name is not suspicious in itself; rely on the detection rather than the name.

When run as one of the above files, Troj/Search-A attempts to copy itself to one of the following locations and to delete the original file by dropping and executing a temporary batch file:

C:\Windows\iexplorer.exe
C:\Windows\system32\kazaa.exe
C:\Windows\system\internet.exe
C:\Program Files\directx\directx.exe
C:\Program Files\Common Files\System\systeem.exe
C:\Windows\Media\wmplayer.exe
C:\Windows\Help\helpcvs.exe
C:\Program Files\Accessories\accesss.exe
C:\Games\systemcritical.exe
C:\funny.exe

Troj/Search-A sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
UserSystem= <Path to Trojan>

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
UserSystem= <Path to Trojan>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
UserSystem= <Path to Trojan>

Troj/Search-A adds the following entries to the C:\Windows\system32\drivers\etc\hosts file to block access to selected anti-spyware and security websites:
127.0.0.1 forums.spywareinfo.com
127.0.0.1 www.spywareinfo.com
127.0.0.1 spywareinfo.com
127.0.0.1 www.computercops.biz
127.0.0.1 computercops.biz
127.0.0.1 dslreports.com
127.0.0.1 www.dslreports.com
127.0.0.1 www.lavasoftsupport.com
127.0.0.1 lavasoftsupport.com
127.0.0.1 www.lurkhere.com
127.0.0.1 lurkhere.com
127.0.0.1 forums.net-integration.net
127.0.0.1 www.pctalk.info
127.0.0.1 pctalk.info
127.0.0.1 www.suggestafix.com
127.0.0.1 suggestafix.com
127.0.0.1 forums.thiefware.com
127.0.0.1 www.tomcoyote.org
127.0.0.1 tomcoyote.org
127.0.0.1 www.wilderssecurity.com
127.0.0.1 wilderssecurity.com
127.0.0.1 www.winguides.com
127.0.0.1 winguides.com
127.0.0.1 www.spybot-spyware.com
127.0.0.1 spybot-spyware.com
127.0.0.1 1spybot.com
127.0.0.1 www.1spybot.com
127.0.0.1 www.lavasoftusa.com
127.0.0.1 lavasoftusa.com
127.0.0.1 www.spychecker.com
127.0.0.1 spychecker.com
127.0.0.1 www.grc.com
127.0.0.1 grc.com
127.0.0.1 www.cexx.org
127.0.0.1 cexx.org
127.0.0.1 security.kolla.de
127.0.0.1 www.security.kolla.de
127.0.0.1 simplythebest.net
127.0.0.1 www.simplythebest.net
127.0.0.1 www.spywareguide.com
127.0.0.1 spywareguide.com
127.0.0.1 www.spyware.co.uk
127.0.0.1 spyware.co.uk
127.0.0.1 www.lavasoft.de
127.0.0.1 lavasoft.de
127.0.0.1 www.webopedia.com
127.0.0.1 webopedia.com
127.0.0.1 www.ZeroSpyWare.com
127.0.0.1 ZeroSpyWare.com
127.0.0.1 www.spectorsoft.com
127.0.0.1 spectorsoft.com
127.0.0.1 www.Spy--Software.com
127.0.0.1 Spy--Software.com
127.0.0.1 www.sunbelt-software.com
127.0.0.1 sunbelt-software.com
127.0.0.1 www.spycleaner.net
127.0.0.1 spycleaner.net
127.0.0.1 www.EnigmaSoftwareGroup.com
127.0.0.1 EnigmaSoftwareGroup.com
127.0.0.1 www.no-spybot.com
127.0.0.1 no-spybot.com
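
Removing these entries (the hosts-file step in the Action section above), as an added example that is not Sophos' own code. It carries the full domain list from the page, drops only loopback mappings of those names, and keeps everything else, including a user's own line that happens to share an injected name. Run off Windows it works on a constructed sample instead of touching a real file; the C:\Windows location of the hosts file and the sample content are this example's assumptions.

```python
# Added example, not Sophos code: strip the loopback entries the Trojan adds to
# the hosts file while leaving every other line (comments, localhost, the
# user's own mappings) intact. clean_hosts() is pure text processing and runs
# anywhere; writing the real file is Windows-only and needs Administrator rights.
import sys

# Domains from the page's list, lower-cased so the mixed-case entries
# (ZeroSpyWare.com, Spy--Software.com) match however they were written.
BLOCKED_DOMAINS = {d.lower() for d in """
forums.spywareinfo.com www.spywareinfo.com spywareinfo.com
www.computercops.biz computercops.biz dslreports.com www.dslreports.com
www.lavasoftsupport.com lavasoftsupport.com www.lurkhere.com lurkhere.com
forums.net-integration.net www.pctalk.info pctalk.info
www.suggestafix.com suggestafix.com forums.thiefware.com
www.tomcoyote.org tomcoyote.org www.wilderssecurity.com wilderssecurity.com
www.winguides.com winguides.com www.spybot-spyware.com spybot-spyware.com
1spybot.com www.1spybot.com www.lavasoftusa.com lavasoftusa.com
www.spychecker.com spychecker.com www.grc.com grc.com www.cexx.org cexx.org
security.kolla.de www.security.kolla.de simplythebest.net www.simplythebest.net
www.spywareguide.com spywareguide.com www.spyware.co.uk spyware.co.uk
www.lavasoft.de lavasoft.de www.webopedia.com webopedia.com
www.ZeroSpyWare.com ZeroSpyWare.com www.spectorsoft.com spectorsoft.com
www.Spy--Software.com Spy--Software.com www.sunbelt-software.com sunbelt-software.com
www.spycleaner.net spycleaner.net www.EnigmaSoftwareGroup.com EnigmaSoftwareGroup.com
www.no-spybot.com no-spybot.com
""".split()}

# Constructed sample (not a real capture): legitimate lines, three Trojan lines,
# and one user line that carries an injected name next to a legitimate one.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example
127.0.0.1 www.spywareinfo.com
127.0.0.1 grc.com
127.0.0.1 www.ZeroSpyWare.com
127.0.0.1 ads.example.net grc.com   # user's own ad block plus one injected name
"""


def clean_hosts(text):
    """Return (cleaned_text, removed_hostnames). Only loopback mappings of the
    listed security domains are dropped; a line that also carries legitimate
    names is rewritten without the injected ones rather than deleted."""
    kept, removed = [], []
    for line in text.splitlines():
        entry, _, comment = line.partition("#")
        fields = entry.split()
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            bad = [h for h in fields[1:] if h.lower() in BLOCKED_DOMAINS]
            good = [h for h in fields[1:] if h.lower() not in BLOCKED_DOMAINS]
            removed.extend(bad)
            if bad and not good:
                continue                      # the whole line was the Trojan's
            if bad:
                line = " ".join([fields[0], *good]) + ("  #" + comment if comment else "")
        kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    if sys.platform != "win32":               # off Windows: demonstrate on the sample
        cleaned, removed = clean_hosts(SAMPLE_HOSTS)
        print("removed:", removed, "\n" + cleaned, end="")
        sys.exit(0)
    hosts_path = r"C:\Windows\system32\drivers\etc\hosts"   # %SystemRoot% assumed C:\Windows
    with open(hosts_path, encoding="utf-8", errors="replace") as f:
        cleaned, removed = clean_hosts(f.read())
    if removed:
        with open(hosts_path, "w", encoding="utf-8") as f:
            f.write(cleaned)
    print("removed:", removed)
```

The matching is deliberately narrow: it does not treat every 127.0.0.1 line as hostile, because ad-blocking hosts files use the same mechanism legitimately, and it returns the removed names so the result can be checked against the list on this page before the file is written back.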

Troj/Search-A runs in the background and periodically downloads and executes backdoor commands from smartsearch.ws.

Troj/Search-A also terminates certain anti-adware/spyware-related processes and sets the Internet Explorer start page to smartsearch.ws.
