IE homepage hijacked by http://www.geocities.com/PEROCAIRO/

Description

IE homepage hijacked by http://www.geocities.com/PEROCAIRO

Default home page was changed to "www.geocities.com/perocairo". 

If the user switches back to its own startpage the virus changed back again.

Solution

Follow the method for manual removal:

1- Terminate the process "WScript.exe" into Windows Task Manager

2- into the registry editor, search the "VirusRemoval_Pero.vbs"

   Remove all seek out the most important, in addition att

   HKEY_Local_Michine \ Software \ winnt \ CurrentVersion \ Winlogon \ userinit

3- Change HKEY_Local_Michine \ Software \ winnt \ CurrentVersion \ Winlogon \ userinit

   Key, remove C: \ WINNT \ System32 \ WScript.exe C: \ WINNT \ System32 \ VirusRemoval_PERO.vbs.

   Keep just the normalaC: \ WINNT \ System32 \ Userinit.exe.

4- Change the code HKEY_Current_User \ Software \ Microsoft \ Internet Explorer \ Main Next

   Home back to your startpage e.i. http://www.microsoft.com 

5- Restart the computer

Additional information

WScript.exe is based on the Windows Scripting Host, let the script directly in Windows to run.

WSH (Windows Script Host) support the use of Microsoft Visual Basic Scripting Edition (VBScript) or JavaScript written scripts. 

When you start a script, the script host reads and sends the specified file content scripts to the registered script engine.

But it also offers activities to the script platform virus, run virus can not utanWSH.

Reference documents:http://support.microsoft.com/kb/232211/zh-cn