Troj/Chorus-A

Please follow the instructions for removing Trojans.

Troj/Chorus-A is a Start Page Trojan.

When first run Troj/Chorus-A copies itself to:

<Windows folder>\htmlsync.exe
<Windows system folder>\isystem.exe
<Windows system folder>\ldriver.exe
<Windows folder>\zlibc.exe

and creates the following files internet shortcut files:

<Favorites>\Car Insurance ! Great deal !.url
<Favorites>\Online Pharmacy.url
<Favorites>\Viagra At Cheap Rates. Online Pharmacy..url
<Favorites>\Your Computer maybe infected by Spyware ! Remove It !.url

The following registry entries are created to run htmlsync.exe, isystem.exe, ldriver.exe and zlibc.exe on startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
run
<Windows folder>\htmlsync.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
run
<Windows folder>\zlibc.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ldriver
<Windows system folder>\ldriver.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
isystem
<Windows system folder>\isystem.exe

Troj/Chorus-A changes settings for Microsoft Internet Explorer, including Start Page and search settings, by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\