Summary

| Included in our products from | August 2004 (3.84) |
|---|---|
| Protection available since | 7 July 2004 08:11:12 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
In Windows 2000/XP/2003, remove the Trojan files and perform the following actions in Safe Mode with command prompt only.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_CURRENT_USER entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
and delete the Trojan URL. Leave blank, or copy from another computer.
Locate the HKEY_CURRENT_USER entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\SearchUrl\provider
right-click the entry and select 'Delete'. Click OK.
Locate the HKEY_CURRENT_USER entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
runwin32 = %WINDOWS%\runwin32.exe
and delete it if it exists.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
and delete the Trojan URL. Leave blank, or copy from another computer.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
right-click the entry and select 'Delete'. Click OK.
Close the registry editor.
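Before editing by hand, it helps to see what the keys listed above currently hold. The following read-only PowerShell audit is an added example, not part of the Sophos instructions: it reports the Internet Explorer values and the runwin32 autorun entry named in this advisory, plus the three file names mentioned under More Information, and changes nothing.

```powershell
# Added audit script (not from the Sophos page). Read-only: it only reports
# the registry values and files this advisory associates with Troj/ESearch-A,
# so they can be reviewed (and compared with a clean machine) before cleanup.
$ieValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';      Names = 'Start Page', 'Search Page', 'Search Bar' },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main';      Names = 'Start Page', 'Search Page', 'Search Bar' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search';    Names = 'CustomizeSearch', 'SearchAssistant' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl'; Names = 'provider' }
)

$report = foreach ($entry in $ieValues) {
    if (-not (Test-Path -Path $entry.Path)) { continue }
    $props = Get-ItemProperty -Path $entry.Path -ErrorAction SilentlyContinue
    foreach ($name in $entry.Names) {
        $value = $props.$name          # dynamic property lookup handles names with spaces
        if ($null -ne $value) {
            [pscustomobject]@{ Kind = 'IE setting'; Location = $entry.Path; Name = $name; Value = $value }
        }
    }
}

# Autorun value the Trojan creates for itself (HKCU ...\Run, value name runwin32)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'runwin32' -ErrorAction SilentlyContinue
if ($run) {
    $report += [pscustomobject]@{ Kind = 'Autorun'; Location = $runKey; Name = 'runwin32'; Value = $run.runwin32 }
}

# Executables the advisory says live in the Windows folder (%WINDOWS% = $env:windir)
foreach ($file in 'runwin32.exe', 'wininet32.exe', 'dialup.exe') {
    $path = Join-Path -Path $env:windir -ChildPath $file
    if (Test-Path -Path $path -PathType Leaf) {
        $report += [pscustomobject]@{ Kind = 'File'; Location = $env:windir; Name = $file; Value = (Get-Item $path).Length }
    }
}

if ($report) { $report | Format-Table -AutoSize } else { 'None of the listed values or files were found.' }
```

Run it from an elevated prompt so the HKLM keys are readable; an IE Start Page or Search Page pointing at an unfamiliar URL, or any hit in the Autorun or File rows, is what the manual steps above are meant to remove.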
More Information
Troj/ESearch-A changes browser settings for Microsoft Internet Explorer, launches executables named wininet32.exe and dialup.exe in the Windows folder and periodically tries to download and run updates of dialup.exe.
Troj/ESearch-A changes settings for Internet Explorer by modifying the following registry entries:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\SearchUrl\provider
The Trojan assumes that it has been installed to the Windows folder as runwin32.exe and creates the following registry entry to run itself automatically on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
runwin32 = %WINDOWS%\runwin32.exe
The Trojan tries to launch wininet32.exe and, after a 5 minute delay, dialup.exe.
The Trojan then runs continuously in the background.
Every 5 minutes the Trojan rewrites all of the registry entries listed above.
Every 20 minutes the Trojan launches wininet32.exe and dialup.exe and tries to download and run an updated version of dialup.exe.
