Sophos

Troj/SmutSrch-A

Aliases
  • Downloader-ABA
  • Trojan-Downloader.Win32.Small.arz
  • Trojan-Proxy.Win32.Symbab.ao

Summary

Affected operating systems Windows
Protection available since 10 June 2005 21:25:42 (GMT)
Last updated 8 July 2005 12:08:23 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Troj/SmutSrch-A is a Trojan for the Windows platform.

The Trojan downloads files from a remote site and then runs them. The Trojan uses the following filenames for downloaded files:

iau.exe
msiau.dll
msras.exe
ras.dll
stisvsq.exe
svshost.exe
msqdevl.exe
lssas.exe
mservice.exe
csrss.dll
winlogon.dll
smssa.dll
uvchost.dll
taskmgr.dll
dialer.dat
ie.dat

Troj/SmutSrch-A sets registry entries to automatically run the downloaded files each time a user logs on. The following registry entries may be created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Internet Acceleration Utility
<path to EXE>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Connection Wizard
<path to EXE>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Games Acceleration
<path to EXE>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Internet Mail and News
<path to EXE>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Management Console
<path to EXE>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Multimedia extensions
<path to EXE>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Internet Acceleration Utility
<path to EXE>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Internet Connection Wizard
<path to EXE>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Games Acceleration
<path to EXE>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Internet Mail and News
<path to EXE>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Management Console
<path to EXE>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Multimedia extensions
<path to EXE>
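The removal steps above start with exporting the registry to a Backup file, and the entries just listed are the ones to look for in it. The following is an added Python example, not code from the Sophos write-up: it parses the text format of a regedit export and flags every value under a Run key (HKLM or any HKEY_USERS hive) whose value name matches one of the names above or whose target filename matches one of the downloaded filenames listed in this description. The sample export is constructed for illustration.

```python
import re

# Indicators from the Sophos write-up: Run value names and downloaded filenames
SMUTSRCH_VALUE_NAMES = {
    "Microsoft Internet Acceleration Utility", "Internet Connection Wizard",
    "Games Acceleration", "Internet Mail and News",
    "Microsoft Management Console", "Multimedia extensions"}
SMUTSRCH_FILENAMES = {
    "iau.exe", "msiau.dll", "msras.exe", "ras.dll", "stisvsq.exe", "svshost.exe",
    "msqdevl.exe", "lssas.exe", "mservice.exe", "csrss.dll", "winlogon.dll",
    "smssa.dll", "uvchost.dll", "taskmgr.dll", "dialer.dat", "ie.dat"}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def unescape(s):
    # .reg exports double backslashes and escape embedded quotes
    return s.replace("\\\\", "\\").replace('\\"', '"')

def find_suspect_run_entries(reg_text):
    """Return (key, value_name, data, reason) for each Run entry under HKLM or
    any HKEY_USERS hive whose name or target filename matches an indicator."""
    hits, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # new key header
            key = line[1:-1]
            current_key = key if RUN_KEY_RE.search(key) else None
            continue
        m = VALUE_RE.match(line) if current_key else None
        if not m:
            continue
        name, data = unescape(m.group("name")), m.group("data")
        if data.startswith('"') and data.endswith('"'):     # REG_SZ payload
            data = unescape(data[1:-1])
        basename = data.split("\\")[-1].split(" ")[0].strip('"').lower()
        if name in SMUTSRCH_VALUE_NAMES:
            hits.append((current_key, name, data, "known SmutSrch value name"))
        elif basename in SMUTSRCH_FILENAMES:
            hits.append((current_key, name, data, "known SmutSrch filename"))
    return hits

# Constructed sample export, not taken from a real machine
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Internet Acceleration Utility"="C:\\WINDOWS\\system32\\iau.exe"
"VMware Tools"="C:\\Program Files\\VMware\\vmtoolsd.exe"

[HKEY_USERS\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\svshost.exe /s"
"""
```

Run it against the Backup file you exported (open it with an encoding of utf-16 if regedit saved it that way) and remove only the values it reports after confirming the referenced file was one you deleted.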

The Trojan monitors URLs typed into Internet Explorer and redirects requests for certain search engines to an alternate site. The Trojan will hijack search requests with URLs that contain any of the following:

*.msn.com
*.xmlsearch.findwhat.com
*.yahoo.com
213.180.*.*
66.230.*.*
google.*
msn.com
webforuser.com
yahoo.com
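To see which requests in a browsing or proxy log would have been intercepted on an infected machine, here is an added Python example (not code from the Sophos write-up) that applies the wildcard list above. It assumes `*` stands for any run of characters within one URL component and that a pattern matches when it occurs anywhere in the URL, which is how the description words it; the sample URLs are constructed.

```python
import re

# Hijack patterns from the Sophos write-up, in the order listed there
HIJACK_PATTERNS = ["*.msn.com", "*.xmlsearch.findwhat.com", "*.yahoo.com",
                   "213.180.*.*", "66.230.*.*", "google.*", "msn.com",
                   "webforuser.com", "yahoo.com"]

def _glob_to_regex(pattern):
    # Assumption: '*' matches any characters except '/' and '?', so a glob
    # stays inside the host (or one path segment) instead of spanning the URL
    return re.compile(re.escape(pattern).replace(r"\*", r"[^/?]*"), re.I)

_COMPILED = [(p, _glob_to_regex(p)) for p in HIJACK_PATTERNS]

def hijacked_by(url):
    """Return the first listed pattern found inside the URL, or None."""
    for pattern, rx in _COMPILED:
        if rx.search(url):
            return pattern
    return None

def hijacked_requests(log_lines):
    """Filter log lines of the form '<client> <url>' down to those whose URL
    matches a hijack pattern, returning (client, url, pattern) tuples."""
    out = []
    for line in log_lines:
        client, _, url = line.strip().partition(" ")
        pattern = hijacked_by(url)
        if pattern:
            out.append((client, url, pattern))
    return out

# Constructed sample log lines
SAMPLE_LOG = [
    "10.0.0.5 http://search.msn.com/results.aspx?q=test",
    "10.0.0.5 https://www.example.com/",
    "10.0.0.7 http://www.google.co.uk/search?q=weather",
    "10.0.0.7 http://213.180.193.1/yandsearch?text=news",
]
```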

The Trojan may also alter the search request parameters to one of the following:

adipex
adult
adult dating
adult dvd
adult movies
adult personals
air travel
airline tickets
airlines
alprazolam
amateur
amateur sex
ambien
anal
anal sex
antivirus
antivirus software
asian dating
asian porn
asian schoolgirls
asian sex
auto
auto insurance
baccarat
bank of america
betting
big tits
black jack
black porn
blackjack
blowjobs
bondage
bontril
boobs
breast enlargement
business
buy cialis
buy hydrocodone
buy phentermine
buy viagra
camera
car
car insurance
car rental
carisoprodol
cars
cartoons
cash advance
casino
casino on net
celebs
cell phones
cheap airline tickets
cheap phentermine
cialis
computer
computer virus
computers
credit
credit card
credit cards
credit report
credit reports
cruise deal
cruises
cumshot
dating
dating online
dating services
dating site
debt consolidation
debt relief
diazepam
didrex
diet
diet pills
directv
domain registration
ebony
education
electronics
fetish
fioricet
firewall
free online dating
free poker
free porn
free sex
free spyware
gambling
games
group sex
hardcore
hardcore sex
health
health insurance
hentai
hgh
home based business
home business
home equity loan
home loan
home mortgages
homes
hotels
hotmail
housewives
hydrocodone
hydrocodone online
incorporate
insurance
internet
internet casino
internet poker
interracial
interracial sex
ionamin
laptops
las vegas
latina
latina sex
lesbian
lesbian sex
lesbians
levitra
life insurance
live chat
live sex
loan
lortab
mature
mature porn
mature sex
merchant accounts
meridia
milf
money
mortgage
mortgage refinancing
movies
music
new cars
old sex
online betting
online casino
online gambling
online loan
online pharmacy
online poker
online shopping
online slot
oral sex
order viagra
order viagra online
pacific poker
pamela anderson
paris hilton
party poker
payday loan
payroll
penis enlargement
penis enlargement pill
penis pills
personal
personal photos
personals
pharmacy
phentermine
pissing
poker
pop up blocker
popup blocker
porn
porn video
porno
pornstars
propecia
pussy
real estate
refinance
ritalin
roulette
russian woman
sex
sex chat
sex dating
sex toys
sex video
sexual enhancement
sexual health
shemale sex
shemales
single girls
slot machines
software
soma
sport betting
spyware
spyware remove
spyware software
swingers
teen porn
teen sex
teens
texas holdem
tits
tramadol
travel
ultram
upskirt
used cars
valium
viagra
viagra online
vicodin
video
videos
vioxx
virus scan
voyeur
web hosting
web site
weight loss
work at home
xanax
xenical
xxx movie
xxx video
zoloft
zyrtec
