Sophos

Troj/StartPa-CM

Aliases
  • TrojanDropper.Win32.Small.hx

Summary

How it spreads
  • Web browsing
Affected operating systems Windows
Protection available since 14 September 2004 10:58:22 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing Trojans.

You should also change your Internet Explorer settings using Tools|Internet options|General to remove any modifications made by the Trojan.

More Information

Troj/StartPa-CM changes settings for Microsoft Internet Explorer.

Troj/StartPa-CM consists of a Windows executable (with an extension of EXE) and a library DLL.

The Troj/StartPa-CM EXE may be installed and run via drive-by browsing by certain versions of Troj/Psyme- such as Troj/Psyme-AU (for further information please refer to the Troj/Psyme-AU description).

The installation executable drops a DLL component to the Windows system folder with a random filename and an extension of DLL and registers the DLL as a COM object using a randomly generated class ID. The pathname of the DLL will be stored in the following new registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\
SearchAssistant\Uninstall\UninstallString
= "regsvr32 /s /u <pathname of Troj/StartPa-CM DLL>"

The class ID for the dropped DLL will be stored under the following new registry entry:

HKCR\CLSID\{<class ID for Troj/StartPa-CM DLL>}\InProcServer32 =
<pathname of Troj/StartPa-CM DLL>

The DLL is registered as a Browser Helper Object (BHO) for Microsoft Internet Explorer by using its class ID string to create a new sub-key of the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Browser Helper Objects\

This will cause the Troj/StartPa-CM DLL to be loaded automatically each time Microsoft Internet Explorer is run.

The Troj/StartPa-CM DLL creates a file named sp.html in the TEMP folder and changes settings for Internet Explorer by setting the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\
Start Page = "about:blank"

HKLM\Software\Microsoft\Internet Explorer\Main\
Start Page = "about:blank"

HKCU\Software\Microsoft\Internet Explorer\Main\
HOMEOldSP = "about:blank"

HKLM\Software\Microsoft\Internet Explorer\Main\
HOMEOldSP = "about:blank"

HKCU\Software\Microsoft\Internet Explorer\Main\
Search Bar = "file://%TEMP%\sp.html"

HKLM\Software\Microsoft\Internet Explorer\Main\
Search Bar = "file://%TEMP%\sp.html"

HKCU\Software\Microsoft\Internet Explorer\Main\
Search Page = "file://%TEMP%\sp.html"

HKLM\Software\Microsoft\Internet Explorer\Main\
Search Page = "file://%TEMP%\sp.html"

HKCU\Software\Microsoft\Internet Explorer\Search\
SearchAssistant = "file://%TEMP%\sp.html"

HKLM\Software\Microsoft\Internet Explorer\Search\
SearchAssistant = "file://%TEMP%\sp.html"

HKCU\Software\Microsoft\Internet Explorer\Main\
Use Custom Search URL = 1

HKLM\Software\Microsoft\Internet Explorer\Main\
Use Custom Search URL = 1

HKCU\Software\Microsoft\Internet Explorer\Main\
Use Search Asst = "no"

HKLM\Software\Microsoft\Internet Explorer\Main\
Use Search Asst = "no"
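The following Python script is an added illustration of how the registry changes listed above can be audited from a `reg export` of the affected keys; it is not Sophos tooling and not part of the original description. It resolves every Browser Helper Object CLSID to the DLL named by its InProcServer32 key (the same lookup Internet Explorer performs when it loads BHOs) and reports the Internet Explorer Main and Search values set to about:blank or redirected to a local sp.html. The .reg text embedded in the script is constructed sample data; the CLSID and DLL filename it contains are made up, standing in for the random values the Trojan generates.

```python
"""Audit a Windows registry export for the Troj/StartPa-CM indicators above:
the BHO registration, the DLL its InProcServer32 key names, and the hijacked
IE start/search values. Added example, not Sophos tooling; the .reg text is
constructed, and its CLSID and DLL filename are made-up stand-ins."""
import re

# Constructed sample of what `reg export` of the relevant keys looks like.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\system32\\qzxrtw.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"="file://C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\sp.html"
"Use Custom Search URL"=dword:00000001
"Use Search Asst"="no"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="file://C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\sp.html"
"""

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
BHO_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\browser helper objects")
IE_KEY = r"\software\microsoft\internet explorer"


def _parse_value(token):
    """Decode quoted REG_SZ (undoing \\ and \" escapes) and dword values."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    return token  # hex(...) and other types are left as raw text


def parse_reg_export(text):
    """Return {lowercased key path: {lowercased value name: value}}; the
    default value (@) is stored under the empty name."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        if current is None or match is None:
            continue  # header, blank and hex continuation lines are skipped
        name, value = match.groups()
        keys[current]["" if name == "@" else name[1:-1].lower()] = _parse_value(value)
    return keys


def list_bhos(keys):
    """Resolve each BHO CLSID sub-key to the DLL its InProcServer32 key names,
    the lookup IE performs when it loads BHOs at start-up."""
    prefix = BHO_KEY + "\\"
    found = []
    for key in sorted(keys):
        if key.startswith(prefix):
            clsid = key[len(prefix):].split("\\")[0]
            server = keys.get(r"hkey_classes_root\clsid\%s\inprocserver32" % clsid, {})
            found.append((clsid, server.get("")))
    return found


def ie_hijack_indicators(keys):
    """List the IE settings whose values match those written by Troj/StartPa-CM."""
    hits = []
    for hive in ("hkey_current_user", "hkey_local_machine"):
        main = keys.get(hive + IE_KEY + r"\main", {})
        search = keys.get(hive + IE_KEY + r"\search", {})
        for name in ("start page", "homeoldsp"):
            if main.get(name) == "about:blank":
                hits.append((hive, name, "about:blank"))
        for name, values in (("search bar", main), ("search page", main),
                             ("searchassistant", search)):
            value = str(values.get(name, "")).lower()
            if value.startswith("file://") and value.endswith(r"\sp.html"):
                hits.append((hive, name, values[name]))
        if main.get("use custom search url") == 1:
            hits.append((hive, "use custom search url", 1))
        if main.get("use search asst") == "no":
            hits.append((hive, "use search asst", "no"))
    return hits


def assess(reg_text):
    """Combine both checks. A blank start page alone is common and weak evidence;
    the search redirection to a local sp.html plus a loaded BHO is the pattern."""
    keys = parse_reg_export(reg_text)
    bhos = list_bhos(keys)
    hits = ie_hijack_indicators(keys)
    redirected = any(str(v).lower().endswith(r"\sp.html") for _, _, v in hits)
    return {"bhos": bhos, "ie_settings": hits,
            "matches_startpa_cm": redirected and bool(bhos)}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_REG).items():
        print("%s: %s" % (key, value))
```

Real `reg export` files are written as UTF-16 with a byte-order mark, so read them with `encoding="utf-16"` before passing the text to `assess`; exports of several keys can simply be concatenated, since the parser ignores the repeated header line. The script reports every registered BHO, not only the Trojan's, because the random filename and class ID mean the DLL has to be judged by where its InProcServer32 path points rather than by name.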

Troj/StartPa-CM can be uninstalled via the Add or Remove Programs dialog in the Windows Control Panel (Start -> Settings -> Control Panel -> Add/Remove Programs) by selecting the entry "Search Assistant Uninstall".

The Troj/StartPa-CM DLL can be de-registered manually by running the following from a command line (Start -> Run):

regsvr32 /S /U <pathname of Troj/StartPa-CM DLL>
