Troj/Madtol-A

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\Currentversion\
Run\ <Trojan filename> = <SYSTEM>\<Trojan filename>

and delete it if it exists.

Close the registry editor.

Troj/Madtol-A allows other malware to run on the system without being detected.

Troj/Madtol-A can be configured to hide processes, files, folders, registry entries and Netstat entries.

The Trojan will typically be dropped and installed by other malware. When first run, Troj/Madtol-A copies itself to the Windows System folder and adds its pathname to the following registry entry to run itself automatically on startup:

HKLM\Software\Microsoft\Windows\Currentversion\
Run\ <Trojan filename> = <SYSTEM>\<Trojan filename>

Troj/Madtol-A drops the files Explorer.dll and Iexplorer.dll to the Windows System folder. Whilst the Trojan is active these files may be invisible as may the above registry entry and any files, folders, registry entries or Netstat entries that the Trojan has been configured to hide.

The Trojan injects its stealthing code into the system EXPLORER process, thus disinfection requires the computer to be restarted.