Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 9 January 2005 15:24:07 (GMT) |
| Last updated | 11 February 2005 22:37:46 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the Trojan has made.
You should also change your Internet Explorer settings using Tools|Internet options|General to remove any modifications made by the Trojan.
More Information
Troj/StartPa-EI is a startpage Trojan.
The dropper component drops and loads a randomly-named DLL in the Windows system folder.
Troj/StartPa-EI attempts to download and execute files from a remote URL.
Troj/StartPa-EI is a DLL that modifies a number of registry entries relating to startpage settings including some of the following:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst
HKCU\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL
HKCU\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Use Custom Search URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\HOMEOldSP
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
Troj/StartPa-EI sets entries in the registry under HKCR\CLSID\{generated clsid value}\InProcServer32 so as to point to itself and then sets these CLSID values at the following locations in the registry:
HKCR\PROTOCOLS\Filter\text/html\
CLSID
HKCR\PROTOCOLS\Filter\text/plain\
CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Troj/StartPa-EI may set the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistantUninstall\
DisplayName
Search Assistant Uninstall
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistantUninstall\
UninstallString
regsvr32 /s /u C:\\NvRun\\dropped.dll
Troj/StartPa-EI may also attempt to modify the HOSTS file, adding a "#" to the start of lines containing the following strings so as to prevent these lines from being used:
windows-data.inf
channels.at
refer.cn
look-up.tv
count.cc
searchx.cc
google.com
yahoo.com
msn.com
netscape.com
ieautsearch
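
A hosts-file check for the tampering described above, as an added example that is not part of the original Sophos description: it flags commented-out lines that still parse as a hosts mapping and contain one of the listed strings. The function names and the sample file are constructed for illustration.

```python
import ipaddress

# Strings listed in the description; lines containing them get a leading "#".
TARGET_STRINGS = (
    "windows-data.inf", "channels.at", "refer.cn", "look-up.tv", "count.cc",
    "searchx.cc", "google.com", "yahoo.com", "msn.com", "netscape.com",
    "ieautsearch",
)


def is_hosts_entry(text):
    """True if text parses as '<ip> <hostname> ...', i.e. a usable mapping."""
    fields = text.split("#", 1)[0].split()
    if len(fields) < 2:
        return False
    try:
        ipaddress.ip_address(fields[0])
    except ValueError:
        return False
    return True


def find_disabled_entries(hosts_text):
    """Return (line_number, line, matched_string) for each commented-out
    line that still parses as a hosts mapping and contains a listed string."""
    findings = []
    for number, line in enumerate(hosts_text.splitlines(), start=1):
        stripped = line.lstrip()
        body = stripped.lstrip("#").strip()
        if not stripped.startswith("#") or not is_hosts_entry(body):
            continue  # active line, or an ordinary free-text comment
        hit = next((s for s in TARGET_STRINGS if s in body.lower()), None)
        if hit:
            findings.append((number, line, hit))
    return findings


# Constructed sample hosts file (not taken from an infected machine).
SAMPLE_HOSTS = """\
# For example: 102.54.94.97 rhino.acme.com
127.0.0.1 localhost
#127.0.0.1 searchx.cc
#127.0.0.1 www.look-up.tv # blocklist entry
# note: google.com is reachable from this lab
"""

if __name__ == "__main__":
    for number, line, hit in find_disabled_entries(SAMPLE_HOSTS):
        print(f"line {number}: {line!r} contains {hit!r}; review before restoring")
```

A hit marks a line for review rather than proving tampering, since administrators also comment out hosts entries by hand; compare against a known-good backup before restoring.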
