Summary

| Protection available since | 14 April 2004 14:14:01 (GMT) |
|---|---|
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing Trojans.
You should also check your Internet Explorer settings using Tools|Internet options|General for any modifications made by the Trojan.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Update2
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Update2
and delete them if they exist.
Close the registry editor.
More Information
Troj/Autotroj-C is a simple Trojan that moves itself to the Windows System folder as a file with a name selected from the following list:
wininet.exe
webcheck.exe
winspool.exe
wupdmgr.exe
services.exe
svchost.exe
taskmon.exe
taskman.exe
system.exe
winlogon.exe
explorer.exe
update.exe
Troj/Autotroj-C will set one of the registry entries below to point to the newly copied file, ensuring that it will be executed on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Update2
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\System Update2
Troj/Autotroj-C may also set the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PrivData2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UserTime2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
Troj/Autotroj-C may attempt to connect to one of a list of web sites and use a running instance of a web browser to display the page.
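The registry entries listed above can be checked without opening the registry editor. The following read-only PowerShell script is an added example, not part of the original Sophos advisory; the function name Get-AutotrojIndicator and the wording of the notes are assumptions made for illustration.

```powershell
# Added example: read-only check for the registry entries named in this advisory.
# It changes nothing; removal still follows the Action steps above.
$ValueName  = 'System Update2'
$RunKeys    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$InetKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$InetValues = 'PrivData2', 'UserTime2', 'EnableAutodial', 'ProxyEnable'
# File names the advisory lists for the Trojan's copy in the Windows System folder.
# Several of them are also names of genuine Windows files, so a file name alone
# proves nothing; the startup value named 'System Update2' is the indicator.
$ListedNames = 'wininet.exe', 'webcheck.exe', 'winspool.exe', 'wupdmgr.exe',
               'services.exe', 'svchost.exe', 'taskmon.exe', 'taskman.exe',
               'system.exe', 'winlogon.exe', 'explorer.exe', 'update.exe'

function Get-AutotrojIndicator {
    # Startup entries: report the value and whether it points at a listed name.
    foreach ($key in $RunKeys) {
        $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data  = [string]$item.$ValueName
        $match = $ListedNames | Where-Object { $data -like "*$_*" }
        $note  = if ($match) { "target matches listed name: $($match -join ', ')" }
                 else { 'target is not one of the listed names' }
        [pscustomobject]@{ Key = $key; Value = $ValueName; Data = $data; Note = $note }
    }
    # Internet Settings values: ProxyEnable and EnableAutodial are standard
    # Internet Explorer settings, so they are reported for review, not flagged.
    # HKCU is per user: run this once for each account on the machine.
    foreach ($name in $InetValues) {
        $item = Get-ItemProperty -Path $InetKey -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        [pscustomobject]@{
            Key   = $InetKey
            Value = $name
            Data  = [string]$item.$name
            Note  = 'compare with the expected Internet Explorer settings'
        }
    }
}

Get-AutotrojIndicator | Format-List
```

No output for the Run and RunOnce keys means neither startup entry is present for this machine.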
