Troj/StartPa-HB

Aliases
  • Trojan.Win32.StartPage.hb

Affected operating systems: Windows

Characteristics
  • Installs itself in the registry

Protection available since: 1 September 2004 08:03:04 (GMT)

Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

You will need to edit the following registry entries. Please read the warning about editing the registry.

Renaming the registry editor

Because the Trojan has hooked the command used to open every EXE file, launching Regedit.exe would run the Trojan first. A copy named Regedit.com is opened through the separate COM file association and so bypasses the hook.

  • Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it.
  • Rename the copy of Regedit.exe to Regedit.com.
  • At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.

Editing the registry

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_CLASSES_ROOT entry:

HKCR\exefile\shell\open\command\(default)

Typically an unaltered registry entry will be set to

HKCR\exefile\shell\open\command\(default) = "%1" %*

whereas the altered registry entry will be

HKCR\exefile\shell\open\command\(default) = <path to Trojan> "%1" %*

Delete only the path to the Trojan, leaving "%1" %* in place. Do not delete anything else: removing "%1" %* as well would leave Windows unable to launch EXE files.

Locate the HKEY_CURRENT_USER entries:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

HKCU\Software\Microsoft\Internet Explorer\Main\Search Page

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar

right-click them and select 'Delete'. Click OK.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost

and delete it if it exists.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Internet Explorer\Main\Start Page

HKLM\Software\Microsoft\Internet Explorer\Main\Search Page

HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar

HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant

right-click them and select 'Delete'. Click OK.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www

right-click them and select 'Modify'. Delete the web address leaving only "http://". Click OK.

Close the registry editor.

Delete the links added by the Trojan from your Favorites folder in Internet Explorer.

More Information

Troj/StartPa-HB is a start-page Trojan: it hijacks the browser's start and search pages and points them at its own website.

Troj/StartPa-HB copies itself to SVCHOST.EXE in the Windows folder (the name mimics the legitimate Windows service host, which lives in the System32 folder, not the Windows folder) and sets the following registry entry so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost

Troj/StartPa-HB also copies itself to SETDBG.EXE in the Windows folder and sets the following registry entry so that it runs before any EXE file is launched:

HKCR\exefile\shell\Open\Command

Troj/StartPa-HB attempts to intercept IEXPLORE.EXE and OPERA.EXE as they are launched and make them start at its own website.

Troj/StartPa-HB sets the following registry entries to change various Start and Search pages:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\www

Troj/StartPa-HB also sets the following registry entries:

HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "no"
HKLM\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "no"

Troj/StartPa-HB adds files containing URL links called "Teens Anal Fucking.url" and "Sex.url" to the folder found in
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Favorites.

Troj/StartPa-HB renames the following registry entries (CLSID to CLSID0), which disables the its, mhtml and ms-its protocol handlers used for compiled HTML Help and MHTML web archives:

HKCR\PROTOCOLS\Handler\its\CLSID to HKCR\PROTOCOLS\Handler\its\CLSID0
HKCR\PROTOCOLS\Handler\mhtml\CLSID to HKCR\PROTOCOLS\Handler\mhtml\CLSID0
HKCR\PROTOCOLS\Handler\ms-its\CLSID to HKCR\PROTOCOLS\Handler\ms-its\CLSID0
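The registry indicators listed under Action and More Information can be checked offline against the backup that the Action section tells you to make with Regedit's 'Export Registry File'. The following Python script is an added example, not Sophos code: it parses the string values of such a .reg export, applies each of the page's checks (the EXE open-command hook, the Run\svchost autostart, the Start/Search page values, Use Search Asst, the URL prefixes and the renamed CLSID values) and implements the page's "delete only the path to the Trojan" repair rule. The function names (parse_reg, triage and the rest) are the example's own, and the embedded .reg sample is constructed: its paths, URL and GUID are placeholders, not artefacts of the real Trojan.

```python
"""Offline triage of a Regedit 'Export Registry File' (.reg) dump for the Troj/StartPa-HB
indicators on this page.  Added example, not Sophos code; the embedded .reg sample is
constructed and its paths, URL and GUID are placeholders, not artefacts of the Trojan."""
import re

CLEAN_EXEFILE_CMD = '"%1" %*'
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN = r"\Software\Microsoft\Internet Explorer\Main"
URL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL"
# Start/Search values the page says to delete outright, in both hives.
IE_PAGE_VALUES = [(h + IE_MAIN, n) for h in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
                  for n in ("Start Page", "Search Page", "Search Bar")] + [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search", "SearchAssistant")]
# DefaultPrefix is a subkey holding a (default) value; www is a named value under Prefixes.
URL_PREFIX_VALUES = [(URL_KEY + r"\DefaultPrefix", ""), (URL_KEY + r"\Prefixes", "www")]


def parse_reg(text):
    """[key] headers and "name"="string" / @="string" lines -> {key: {name: value}}, lowercased."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m is None or key is None:
            continue  # blank line, file header, comment, or a value before any key
        val = m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # undo the \\ and \" escaping
        reg.setdefault(key, {})[(m.group(1) or "").lower()] = val  # @ -> empty name
    return reg


def get_value(reg, key, name=""):
    return reg.get(key.lower(), {}).get(name.lower())


def exefile_hijack(reg):
    """Whatever precedes "%1" %* in the EXE open command (it runs before every EXE), else None."""
    cmd = get_value(reg, EXEFILE_KEY)
    if cmd is None or cmd.strip() == CLEAN_EXEFILE_CMD:
        return None
    idx = cmd.find(CLEAN_EXEFILE_CMD)
    return cmd[:idx].strip() if idx > 0 else cmd


def repaired_exefile_command(cmd):
    """The page's rule: delete only the path to the Trojan, keep "%1" %*; no guessing otherwise."""
    idx = cmd.find(CLEAN_EXEFILE_CMD)
    return cmd[idx:] if idx >= 0 else cmd


def url_prefix_hijacked(value):
    """Clean is the bare scheme (stock Windows also ships "http://www." for www); more is a host."""
    return not value.startswith("http://") or value[len("http://"):] not in ("", "www.")


def triage(reg):
    """Apply every check on the page; returns (label, detail) pairs, empty when clean."""
    findings = []
    if (hijack := exefile_hijack(reg)) is not None:
        findings.append(("exefile open command hijacked", hijack))
    if (run := get_value(reg, RUN_KEY, "svchost")) is not None:
        findings.append(("Run\\svchost autostart", run))
    for key, name in IE_PAGE_VALUES:
        if (val := get_value(reg, key, name)) is not None:
            findings.append(("IE page value present (page says delete)", name + " = " + val))
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        if get_value(reg, hive + IE_MAIN, "Use Search Asst") == "no":
            findings.append(("Use Search Asst disabled", hive))
    for key, name in URL_PREFIX_VALUES:
        if (val := get_value(reg, key, name)) is not None and url_prefix_hijacked(val):
            findings.append(("URL prefix hijacked", (name or "DefaultPrefix") + " = " + val))
    for proto in ("its", "mhtml", "ms-its"):
        if get_value(reg, r"HKEY_CLASSES_ROOT\PROTOCOLS\Handler" + "\\" + proto, "CLSID0") is not None:
            findings.append(("protocol handler disabled (CLSID renamed to CLSID0)", proto))
    return findings


# Constructed export of an infected machine (placeholder paths, URL and GUID).
INFECTED_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SETDBG.EXE \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\WINDOWS\\SVCHOST.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
"Use Search Asst"="no"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://example.invalid/?"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"www"="http://example.invalid/?"
[HKEY_CLASSES_ROOT\PROTOCOLS\Handler\its]
"CLSID0"="{00000000-0000-0000-0000-000000000000}"
'''
```

Run `triage(parse_reg(open("Backup.reg", encoding="utf-16").read()))` against a real export (Regedit writes UTF-16) and review each finding before editing anything; the Start/Search page entries are reported wherever they exist because the page's instruction is to delete them rather than judge their content. A dump with none of the indicators yields an empty list.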
