Sophos

Troj/Spabot-E

Aliases
  • Trojan.Win32.Spabot.t
  • TROJ_SPABOT.K
  • Trojan-Dropper.Win32.Small.aih

Summary

 
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 6 December 2005 18:10:05 (GMT)
Last updated 5 October 2006 13:10:24 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

Troj/Spabot-E is a Trojan for the Windows platform.

Troj/Spabot-E drops the following files to the Windows system folder:

chp.dll
ddr64.dll

The file chp.dll is also detected as Troj/Spabot-E. The file ddr64.dll is a clean configuration file. If a file named chp.dll already exists, it may be moved to <System>\<random number>.dl_.

The file dropped as chp.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCU\Software\Classes\CLSID\{429F4BB8-7BF7-4152-8011-3C6F9EB7E892}

HKCR\CLSID\{429F4BB8-7BF7-4152-8011-3C6F9EB7E892}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{429F4BB8-7BF7-4152-8011-3C6F9EB7E892}

Troj/Spabot-E may set an entry at one of the following locations to run chp.dll:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Troj/Spabot-E contacts a remote URL to download configuration data and to report that the computer is infected. The Trojan may attempt to download the following configuration files to the <Temp> folder:

upd.txt
url.sys
tsk.sys
body.dat
mailz.dat

Troj/Spabot-E may be configured to download a file from a remote website to <Temp>\file.exe and execute it.

Troj/Spabot-E may be used to send configurable spam emails.

Troj/Spabot-E may delete its main executable by running a batch file it drops to <Temp>\zbz.bat.

Troj/Spabot-E creates registry entries under the following key:

HKCU\Software\Microsoft\Internet Explorer\Security\
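The following PowerShell script is an added example, not part of the Sophos analysis, that turns the file and registry indicators described above (the dropped DLLs, the BHO CLSID, the two alternative load points and the configuration files in <Temp>) into a read-only host check. The CLSID, file names and registry paths come from the write-up; the search logic, the SysWOW64/Wow6432Node checks for 64-bit hosts and the output format are my own assumptions.

```powershell
# Added example, not part of the Sophos analysis: a read-only hunt for the
# Troj/Spabot-E artefacts listed in the write-up. Run from an elevated
# PowerShell prompt. The CLSID, file names and registry paths are taken from
# the analysis; the search logic and output format are my own. Nothing is
# deleted or modified.

$Clsid    = '{429F4BB8-7BF7-4152-8011-3C6F9EB7E892}'
$Findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped files in the Windows system folder. chp.dll is the malicious BHO,
#    ddr64.dll is its configuration file, and a pre-existing chp.dll may have
#    been moved to <System>\<random number>.dl_. SysWOW64 is checked as well:
#    the analysis does not mention it, but a 32-bit dropper on 64-bit Windows
#    is redirected there (assumption).
$SysDirs = @([Environment]::GetFolderPath('System'))
$WowDir  = Join-Path $env:SystemRoot 'SysWOW64'
if (Test-Path -LiteralPath $WowDir) { $SysDirs += $WowDir }
foreach ($dir in $SysDirs) {
    foreach ($name in 'chp.dll', 'ddr64.dll') {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { $Findings.Add("dropped file: $p") }
    }
    Get-ChildItem -LiteralPath $dir -Filter '*.dl_' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d+$' } |
        ForEach-Object { $Findings.Add("renamed dll (possible original chp.dll): $($_.FullName)") }
}

# 2. COM and BHO registration under the CLSID named in the analysis.
#    The Wow6432Node path is an assumption for 64-bit hosts, as above.
$RegKeys = @(
    "HKCU:\Software\Classes\CLSID\$Clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
)
foreach ($k in $RegKeys) {
    if (Test-Path -LiteralPath $k) { $Findings.Add("registry key: $k") }
}

# 3. Alternative load points. Both keys hold CLSIDs that explorer.exe loads at
#    logon: SharedTaskScheduler names its values by CLSID, while
#    ShellServiceObjectDelayLoad stores the CLSID as the value data, so both
#    the value name and the value data are compared.
$AutoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
foreach ($k in $AutoKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $item = Get-Item -LiteralPath $k
    foreach ($vname in $item.GetValueNames()) {
        $vdata = [string]$item.GetValue($vname)
        if ($vname -eq $Clsid -or $vdata -eq $Clsid) {
            $Findings.Add("autostart entry: $k\$vname = $vdata")
        }
    }
}

# 4. Configuration downloads and helper files in <Temp>. The BHO runs inside
#    Internet Explorer as the logged-on user, so every profile's Temp folder is
#    checked, not only the current one. file.exe and zbz.bat are generic names
#    and are reported as low confidence.
$TempNames = 'upd.txt', 'url.sys', 'tsk.sys', 'body.dat', 'mailz.dat'
$WeakNames = 'file.exe', 'zbz.bat'
$TempDirs  = @([IO.Path]::GetTempPath())
Get-ChildItem -LiteralPath (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { $TempDirs += Join-Path $_.FullName 'AppData\Local\Temp' }
foreach ($dir in ($TempDirs | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($name in $TempNames) {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { $Findings.Add("config file: $p") }
    }
    foreach ($name in $WeakNames) {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { $Findings.Add("low confidence: $p") }
    }
}

# 5. Report. Any registry hit or a chp.dll on disk is a strong indicator; Temp
#    files on their own may be leftovers and should be read with the rest.
if ($Findings.Count -eq 0) {
    Write-Output 'No Troj/Spabot-E indicators found.'
} else {
    Write-Output "Troj/Spabot-E indicators found ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the BHO CLSID or on chp.dll is conclusive enough to isolate the host; a lone hit in <Temp> is not, since those names are generic and the analysis only says the Trojan "may" download them. The script deliberately does not remove anything, so that the artefacts stay available for forensic copy before cleanup with an up-to-date scanner.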
