Summary

| Affected operating systems | Windows |
|---|---|
| Included in our products from | September 2004 (3.85) |
| Protection available since | 6 August 2004 20:58:40 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_CURRENT_USER entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\
Trust Providers\Software Publishing\Trust Database\0\
ppcimdnnnjbeahepfabjipfginloedkg egckak = "CDT inc."
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\
Trust Providers\Software Publishing\Trust Database\0\
goicfboogidikkejccmclpieicihhlpo ejemdn = "MediaTickets"
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\
Trust Providers\Software Publishing\Trust Database\0\
goicfboogidikkejccmclpieicihhlpo bihgbp = "Integrated Search Technologies"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
MinLevel = "Code Download"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Security_RunActiveXControls = dword:01000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Security_RunScripts = dword:01000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Safety Warning Level = "SucceedSilent"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\blazefind.com\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\clickspring.net\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\flingstone.com\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\mt-download.com\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\my-internet.info\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\searchbarcash.com\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\searchmeup.cc\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\searchmiracle.com\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\skoobidoo.com\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\slotch.com\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\xxxtoolbar.com\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Ranges\Range1\* = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Ranges\Range1\:Range = "69.31.87.223"
and delete them if they exist.
Locate the following HKEY_CURRENT_USER entries and modify as indicated:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Trust Warning Level = "No Security"
right-click it and select 'Modify'. Replace "No Security" with "Medium" or "High". Click OK.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
1004 = dword:00000000
right-click it and select 'Modify'. Replace "0" with "1". Click OK.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
1201 = dword:00000000
right-click it and select 'Modify'. Replace "0" with "1". Click OK.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
1C00 = dword:00000300
right-click it and select 'Modify'. Replace "300" with "30000". Click OK.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
CurrentLevel = dword:00010000
right-click it and select 'Modify'. Replace "10000" with "0". Click OK.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
Flags = dword:0000009b
right-click it and select 'Modify'. Replace the current entry with "47". Click OK.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\blazefind.com\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\clickspring.net\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\flingstone.com\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\mt-download.com\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\my-internet.info\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\searchbarcash.com\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\searchmeup.cc\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\searchmiracle.com\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\skoobidoo.com\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\slotch.com\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\xxxtoolbar.com\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Ranges\Range1\* = dword:00000002
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Ranges\Range1\:Range = "69.31.87.223"
and delete them if they exist.
Locate the HKEY_USERS entries:
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
MinLevel = "Code Download"
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Security_RunActiveXControls = dword:01000000
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Security_RunScripts = dword:01000000
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Safety Warning Level = "SucceedSilent"
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Trust Warning Level = "No Security"
and delete them if they exist.
Close the registry editor.
More Information
Troj/Small-AP is a Trojan that reduces or removes various security settings on the compromised computer, increasing the risk of further infection.
The following registry entries are created:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
MinLevel = "Code Download"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Security_RunActiveXControls = dword:01000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Security_RunScripts = dword:01000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Safety Warning Level = "SucceedSilent"
The following registry entries are created within the subtrees
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
and
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
ZoneMap\Domains\blazefind.com\* = dword:00000002
ZoneMap\Domains\clickspring.net\* = dword:00000002
ZoneMap\Domains\flingstone.com\* = dword:00000002
ZoneMap\Domains\mt-download.com\* = dword:00000002
ZoneMap\Domains\my-internet.info\* = dword:00000002
ZoneMap\Domains\searchbarcash.com\* = dword:00000002
ZoneMap\Domains\searchmeup.cc\* = dword:00000002
ZoneMap\Domains\searchmiracle.com\* = dword:00000002
ZoneMap\Domains\skoobidoo.com\* = dword:00000002
ZoneMap\Domains\slotch.com\* = dword:00000002
ZoneMap\Domains\xxxtoolbar.com\* = dword:00000002
ZoneMap\Ranges\Range1\* = dword:00000002
ZoneMap\Ranges\Range1\:Range = "69.31.87.223"
Zones\2\2001 = dword:00000000
Zones\2\2004 = dword:00000000
The following registry entries are created within the subtree
HKCU\Software\Microsoft\Windows\CurrentVersion\
WinTrust\Trust Providers\Software Publishing\Trust Database\0\
ppcimdnnnjbeahepfabjipfginloedkg egckak = "CDT inc."
WinTrust\Trust Providers\Software Publishing\Trust Database\0\
goicfboogidikkejccmclpieicihhlpo ejemdn = "MediaTickets"
WinTrust\Trust Providers\Software Publishing\Trust Database\0\
goicfboogidikkejccmclpieicihhlpo bihgbp = "Integrated Search Technologies"
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
MinLevel = "Code Download"
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Security_RunActiveXControls = dword:01000000
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Security_RunScripts = dword:01000000
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Safety Warning Level = "SucceedSilent"
The following registry entries are modified to turn off security settings in Internet Explorer:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Trust Warning Level = "No Security"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
1004 = dword:00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
1201 = dword:00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
1C00 = dword:00000300
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
CurrentLevel = dword:00010000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
Flags = dword:0000009b
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
Trust Warning Level = "No Security"
Once the Internet Explorer security settings have been altered, Troj/Small-AP will also attempt to download components and install them.
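The registry entries listed in the Action and More Information sections above can be audited in one pass rather than one by one in Regedit. The following is an added example, not a Sophos tool: it reports every listed value that is present or still set to the value the Trojan writes, and with -Remediate deletes or resets them as the Action section instructs. It assumes an elevated PowerShell session and reads the page's DWORD values as the hex that Regedit displays.

```powershell
# Added example, not Sophos tooling: audit a machine for the Troj/Small-AP registry changes
# listed in this advisory and, with -Remediate, undo them as the Action section instructs.
# Run from an elevated PowerShell (HKLM and HKU\S-1-5-18 need it). Regedit shows DWORDs
# in hex, so the page's "300", "30000", "9b" and "47" are hex values here.
param([switch]$Remediate)
$HKCU = [Microsoft.Win32.Registry]::CurrentUser
$HKLM = [Microsoft.Win32.Registry]::LocalMachine
$HKU  = [Microsoft.Win32.Registry]::Users
$IS    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Trust = 'Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0'
$Domains = 'blazefind.com','clickspring.net','flingstone.com','mt-download.com','my-internet.info',
           'searchbarcash.com','searchmeup.cc','searchmiracle.com','skoobidoo.com','slotch.com','xxxtoolbar.com'
# Each entry: hive, subkey, value name, value the trojan sets ($null = any), safe value ($null = delete), kind.
# Value names are matched literally through .NET, so '*' and ':Range' are not treated as wildcards
# (Get-ItemProperty / Remove-ItemProperty -Name would expand them).
$Entries = [System.Collections.Generic.List[object]]::new()
foreach ($v in 'MinLevel','Security_RunActiveXControls','Security_RunScripts','Safety Warning Level') {
    $Entries.Add(@($HKCU, $IS, $v)); $Entries.Add(@($HKU, "S-1-5-18\$IS", $v))
}
$Entries.Add(@($HKU, "S-1-5-18\$IS", 'Trust Warning Level'))
foreach ($hive in $HKCU, $HKLM) {
    foreach ($d in $Domains) { $Entries.Add(@($hive, "$IS\ZoneMap\Domains\$d", '*')) }
    $Entries.Add(@($hive, "$IS\ZoneMap\Ranges\Range1", '*')); $Entries.Add(@($hive, "$IS\ZoneMap\Ranges\Range1", ':Range'))
}
foreach ($n in 'ppcimdnnnjbeahepfabjipfginloedkg egckak', 'goicfboogidikkejccmclpieicihhlpo ejemdn',
               'goicfboogidikkejccmclpieicihhlpo bihgbp') { $Entries.Add(@($HKCU, $Trust, $n)) }
# Values the advisory says to modify rather than delete (HKCU only; the HKU copy is deleted above).
$Entries.Add(@($HKCU, $IS, 'Trust Warning Level', 'No Security', 'High', 'String'))
$Entries.Add(@($HKCU, "$IS\Zones\2", '1004', 0, 1, 'DWord'))
$Entries.Add(@($HKCU, "$IS\Zones\2", '1201', 0, 1, 'DWord'))
$Entries.Add(@($HKCU, "$IS\Zones\2", '1C00', 0x300, 0x30000, 'DWord'))
$Entries.Add(@($HKCU, "$IS\Zones\2", 'CurrentLevel', 0x10000, 0, 'DWord'))
$Entries.Add(@($HKCU, "$IS\Zones\2", 'Flags', 0x9b, 0x47, 'DWord'))

function Test-Entry($hive, $sub, $name, $bad, $good, $kind) {
    $k = $hive.OpenSubKey($sub, $Remediate.IsPresent)   # writable only when remediating
    if (-not $k) { return $false }                       # key absent: nothing to report
    $cur = $k.GetValue($name)
    $hit = if ($null -eq $bad) { $null -ne $cur } else { $cur -eq $bad }
    if ($hit) {
        Write-Host "FOUND $($hive.Name)\$sub [$name] = $cur"
        if ($Remediate) {
            if ($null -eq $good) { $k.DeleteValue($name, $false) } else { $k.SetValue($name, $good, $kind) }
        }
    }
    $k.Close(); return $hit
}
$found = 0
foreach ($e in $Entries) { if (Test-Entry @e) { $found++ } }
Write-Host "$found Troj/Small-AP indicator(s) found$(if ($Remediate) { ' and remediated' })"
```

Run it without -Remediate first to see what is present; the Zones\2 entries are only reported when they still hold the exact values the Trojan writes, so a user-customised Trusted Sites zone is not flagged.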
