Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 9 August 2004 13:25:34 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
In Windows 2000/XP/2003, remove the Trojan files and perform the following actions in Safe Mode with Command Prompt, so that the Run entry described below is not executed and sysreg.reg is not re-imported before you have cleaned the registry.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the command prompt type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_CLASSES_ROOT entry:
HKCR\MIME\Database\Content Type\application/hta
and delete it if it exists.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SysSearch = "C:/WINDOWS/REGEDIT.EXE -s c:/WINDOWS/sysreg.reg"
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
and delete them if they exist.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
and delete the Trojan URL from their data. Leave the value blank, or copy the value from a clean computer.
Locate the HKEY_CURRENT_USER entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout
and delete them if they exist.
Locate the HKEY_CURRENT_USER entry:
HKCU\Software\Microsoft\Internet Explorer\Search URL
and delete the Trojan URL from its data. Leave the value blank, or copy the value from a clean computer.
Locate the HKEY_CURRENT_USER entries:
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
right-click each entry, select 'Delete' and click 'OK'.
Close the registry editor.
At the command prompt type 'explorer' and press Return to start Windows Explorer.
Search your computer for the file sysreg.reg (the Trojan creates it in the Windows folder), and delete it if it exists.
The following registry entry
HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}\Compatibility Flags
is the ActiveX 'kill bit' for the ADODB.Stream control, whose CLSID is {00000566-0000-0010-8000-00AA006D2EA4}. Microsoft Knowledge Base Article 870669 describes setting this value to 0x400 so that Internet Explorer refuses to load the control; if the Trojan has removed or altered the entry, the control may be used to exploit a vulnerability. Read and follow the advice given in Microsoft Knowledge Base Article 870669, repatching if necessary. On single computers, update with all relevant security patches from Windows Update.
More Information
Troj/StartPa-ME is a Trojan that changes registry entries related to Internet Explorer.
When first run, the Trojan creates the file sysreg.reg in the Windows folder and imports its contents into the registry by executing the following command (the -s switch makes regedit import silently, without a confirmation prompt):
regedit -s sysreg.reg
In order to run automatically at system start, Troj/StartPa-ME creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SysSearch = "C:/WINDOWS/REGEDIT.EXE -s c:/WINDOWS/sysreg.reg"
The Trojan also modifies the following registry entries in order to change Internet Explorer behaviour:
HKCU\Software\Microsoft\Internet Explorer\Search URL
HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst
HKCU\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKLM\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout
HKCR\MIME\Database\Content Type\application/hta
HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}\Compatibility Flags
HKCR\PROTOCOLS\Handler\mhtml\
HKCR\PROTOCOLS\Handler\mhtml\CLSID
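The checks in the Action section and the indicators listed under More Information, as an added PowerShell triage script. This is not Sophos code and not a Sophos tool; it assumes a Windows host with PowerShell 3.0 or later and an elevated prompt. It only reads the registry and file system unless run with the -Remediate switch (a parameter name chosen for this example), in which case it removes the Run value and the dropped sysreg.reg. The Internet Explorer search values, the HTA MIME key and the mhtml handler are reported with their current data rather than deleted, since a script cannot tell the Trojan's URL from a legitimate one; the page's advice is to compare them with a clean computer.

```powershell
<#
Added triage script for the Troj/StartPa-ME indicators described on this page.
Not Sophos code. Read-only unless -Remediate is given; run from an elevated prompt.
#>
[CmdletBinding()]
param([switch]$Remediate)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Indicator, [string]$Location, $Value) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Location = $Location; Value = $Value })
}

# 1. Persistence: the Run value that re-imports sysreg.reg at every system start.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SysSearch']) {
    Add-Finding 'Run value' "$runKey\SysSearch" $run.SysSearch
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name 'SysSearch' }
}

# 2. The .reg file the Trojan drops in the Windows folder.
$regFile = Join-Path $env:WINDIR 'sysreg.reg'
if (Test-Path -LiteralPath $regFile) {
    Add-Finding 'Dropped file' $regFile (Get-Item -LiteralPath $regFile).LastWriteTime
    if ($Remediate) { Remove-Item -LiteralPath $regFile -Force }
}

# 3. Internet Explorer search settings the Trojan rewrites. Reported, not deleted:
#    the analyst compares the data with a clean machine, as the page advises.
$ie = 'Software\Microsoft\Internet Explorer'
$searchValues = @(
    @{ Hive = 'HKCU:'; Key = $ie;                      Name = 'Search URL' },
    @{ Hive = 'HKCU:'; Key = "$ie\Main";               Name = 'Use Search Asst' },
    @{ Hive = 'HKCU:'; Key = "$ie\Main";               Name = 'Use Custom Search URL' },
    @{ Hive = 'HKCU:'; Key = "$ie\Main";               Name = 'Default_Search_URL' },
    @{ Hive = 'HKCU:'; Key = "$ie\Main";               Name = 'Search Page' },
    @{ Hive = 'HKCU:'; Key = "$ie\Main";               Name = 'Search Bar' },
    @{ Hive = 'HKCU:'; Key = "$ie\Main";               Name = 'SearchURL' },
    @{ Hive = 'HKCU:'; Key = "$ie\Search";             Name = 'SearchAssistant' },
    @{ Hive = 'HKLM:'; Key = "$ie\Search";             Name = 'CustomizeSearch' },
    @{ Hive = 'HKLM:'; Key = "$ie\Main";               Name = 'Search Page' },
    @{ Hive = 'HKLM:'; Key = "$ie\Main";               Name = 'Default_Search_URL' },
    @{ Hive = 'HKCU:'; Key = "$ie\Toolbar\WebBrowser"; Name = 'ITBarLayout' }
)
foreach ($v in $searchValues) {
    $path = "$($v.Hive)\$($v.Key)"
    $item = Get-ItemProperty -Path $path -Name $v.Name -ErrorAction SilentlyContinue
    if ($item) { Add-Finding 'IE search setting' "$path\$($v.Name)" $item.($v.Name) }
}

# 4. ADODB.Stream kill bit. KB 870669 sets Compatibility Flags to 0x400 under the
#    control's CLSID so Internet Explorer will not load it. A missing value or a
#    clear bit means the control is usable from web content again.
$clsid = '{00000566-0000-0010-8000-00AA006D2EA4}'
$axKey = "HKLM:\$ie\ActiveX Compatibility\$clsid"
$flags = (Get-ItemProperty -Path $axKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
if (($flags -band 0x400) -eq 0) {
    Add-Finding 'ADODB.Stream kill bit not set' "$axKey\Compatibility Flags" $flags
}

# 5. HKCR keys. The PowerShell registry provider treats '/' as a path separator,
#    so 'application/hta' cannot be addressed through a HKCR: path; use .NET instead.
$hkcr = [Microsoft.Win32.Registry]::ClassesRoot
$hta = $hkcr.OpenSubKey('MIME\Database\Content Type\application/hta')
if ($hta) {
    Add-Finding 'HTA MIME key' 'HKCR\MIME\Database\Content Type\application/hta' ($hta.GetValue('CLSID'))
    $hta.Close()
}
$mhtml = $hkcr.OpenSubKey('PROTOCOLS\Handler\mhtml')
if ($mhtml) {
    Add-Finding 'mhtml protocol handler' 'HKCR\PROTOCOLS\Handler\mhtml\CLSID' ($mhtml.GetValue('CLSID'))
    $mhtml.Close()
}

if ($findings.Count -eq 0) { 'No Troj/StartPa-ME indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it once without switches to collect the evidence, then with -Remediate after the registry backup the Action section asks for. The kill bit check deliberately treats an absent value the same as a cleared bit, because either state leaves ADODB.Stream loadable by Internet Explorer.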