How to remove Adware.Zenosearch.O
THREAT NAME
Adware.Zenosearch.O
CLEAN INSTRUCTIONS
1. Open Task Manager (press Ctrl+Alt+Del simultaneously) and select Processes.
2. Select the dwdsregt.exe process, right-click it and select End Process.
3. Open Windows Explorer, navigate to the C:\Windows\System32 folder, then locate and delete the dwdsregt.exe file.
4. Go to Start > Run, type regedit and press OK.
NB! Before you edit the registry, export the keys that you plan to edit, or create a backup of the system.
5. Navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
6. Locate and delete the following key:
{3B-B7-7C-C1-ZN}, which has the value c:\windows\system32\dwdsregt.exe CHA001
7. Open Windows Explorer, navigate to C:\Documents and Settings\User\Start Menu\Programs\Startup and delete the TA_Start.lnk file.
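To confirm that the cleaning steps above left nothing behind, the following read-only PowerShell check is an added example, not BullGuard's own tooling. It assumes the Run entry is a value named {3B-B7-7C-C1-ZN} under the Run key and that TA_Start.lnk sits in the current user's Startup folder; the variable names are illustrative.

```powershell
# Read-only check for the artifacts named in the cleaning steps.
# Nothing is deleted or modified; each leftover is reported as one line.
$exeName  = 'dwdsregt'                         # process/file name from the page
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = '{3B-B7-7C-C1-ZN}'                 # assumption: value name under Run
$exePath  = Join-Path $env:SystemRoot "System32\$exeName.exe"
# Current user's Startup folder (on Windows XP this is
# C:\Documents and Settings\<user>\Start Menu\Programs\Startup).
$lnkPath  = Join-Path ([Environment]::GetFolderPath('Startup')) 'TA_Start.lnk'

$findings = @()

# Steps 1-2: is the process still running?
$procs = @(Get-Process -Name $exeName -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $findings += "Process still running: $($p.ProcessName).exe (PID $($p.Id))"
}

# Step 3: is the dropped copy still in the system folder?
if (Test-Path -LiteralPath $exePath) {
    $findings += "File still present: $exePath"
}

# Steps 5-6: is the autostart entry still registered?
# Matches the documented name, and also any Run entry whose data launches the file.
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run) {
    $hits = @($run.PSObject.Properties | Where-Object {
        $_.Name -eq $runValue -or "$($_.Value)" -like "*$exeName.exe*"
    })
    foreach ($h in $hits) {
        $findings += "Run entry still present: $($h.Name) = $($h.Value)"
    }
}

# Step 7: is the Startup shortcut still there?
if (Test-Path -LiteralPath $lnkPath) {
    $findings += "Startup link still present: $lnkPath"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Adware.Zenosearch.O artifacts from the cleaning steps were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated prompt once per affected user account, since the Startup folder check only covers the account that runs the script.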
SYMPTOMS
1. The dwdsregt.exe process appears in the process list.
2. Pop-ups appear based on your search keywords on different web search engines.
DESCRIPTION
1. Once it is executed, it will create a copy of itself in the Windows system folder with the name dwdsregt.exe.
2. It will start a new process from the dwdsregt.exe file.
3. It will create a link named TA_Start in the Startup folder.
4. It will create the key:
{3B-B7-7C-C1-ZN}, with the value c:\windows\system32\dwdsregt.exe CHA001, in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
5. It will create the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, EnableAutodial
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, MigrateProxy - it is set to 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, ProxyEnable - it is set to 0
6. It will delete the following registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, ProxyServer
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, ProxyOverride
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, AutoConfigURL
Author:
The BullGuard Team