Trojan.VBS.StartPage.hw

Technical Details
Payload
Removal instructions

Technical Details

A trojan program that carries out destructive actions on the user's computer. It is a Visual Basic Script file. 803 bytes.

Payload

After launching, the trojan changes the value of the system registry key as follows:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "www.5***iling.com"
"Search Page" = "www.5***ling.com"
"default_page_url" = "www.5***ling.com"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"safe360" = "%ProgramFiles%\Common Files\sebsbvx\coiome.exe

This changes the default home page and search page on the Internet Explorer browser. It also automatically launches a file named "coiome.exe" every time the system is started up.

Removal instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

1. Delete the original trojan file (its location on the infected computer will depend on how the program got onto the computer).
2. Restore the changed parameter values for the system registry key (how to work with the registry?):

   [HKCU\Software\Microsoft\Internet Explorer\Main]
   "Start Page"
   "Search Page"
   "default_page_url"
   

3. Delete the system registry key:

   [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   "safe360" = "%ProgramFiles%\Common Files\sebsbvx\coiome.exe
   

4. Clear the Temporary Internet Files directory containing the infected files (How to delete infected files in the Temporary Internet Files folder?):

   %Temporary Internet Files%

5. Run a full Kaspersky Antivirus scan with updated antivirus databases (download trial version).

md5: D7444767D527E6E97BD3EB85D60E800D
sha1: 3CB0844C24AB2CA5CD881F14DBC8F70002092941