JS.Exception.Exploit - Removal

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Run a full system scan and delete all the files detected as JS.Exception.Exploit.
3. Delete the value that was added to the registry.
   

For specific details on each of these steps, read the following instructions.

IMPORTANT NOTES. PLEASE READ BEFORE YOU CONTINUE:

• These are general removal instructions for the most commonly distributed variant of JS.Exception.Exploit. If JS.Exception.Exploit has run on an unpatched system that did not have current virus definitions, other registry values or keys may have been changed or added and files may have been copied to your system. These instructions will reverse the most common changes. If you need assistance, please obtain the services of a qualified virus removal or computer consultant.
• Several cases have been reported in which JS.Exception.Exploit was received in a compressed file. (This has not been confirmed by Symantec Security Response.) In general, while Symantec antivirus products will detect an infected file that is contained within a compressed file, by design it cannot extract or remove it. If you receive an alert for this or any threat on a compressed file (such as a .zip file) we recommend that you simply delete the compressed file using Windows Explorer.
• Removal is only necessary if you detect this threat after it has actually run and made changes to your system. (You can confirm this by disconnecting from the Web and then running a full system scan. If nothing is found during a full system scan, your computer is not infected.
  

1. Update the virus definitions.
2. Run a full system scan, and delete all files that are detected as JS.Exception.Exploit.
3. In the registry key
   
   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
   
   examine the text in the Data column for these values:
   
   Start Page
   Search Page
   Default_Page_URL
   Default_Search_URL
   
4. If any refer to a suspicious address (for example, http:/ /jethomepage.com), clear the value data.
   

For details on how to do this, read the following instructions.

1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

• Running LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
• Downloading the definitions using the Intelligent Updater. The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
  
  The Intelligent Updater virus definitions are available. Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

2. Scanning for and deleting the infected files

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
   • For Norton AntiVirus consumer products: Read the document "How to configure Norton AntiVirus to scan all files."
   • For Symantec AntiVirus Enterprise products: Read the document "How to verify that a Symantec Corporate antivirus product is set to scan All Files."
2. Run a full system scan.
3. If any files are detected as infected with JS.Exception.Exploit , click Delete.

3. Deleting the value from the registry

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
   
   Then click OK. (The Registry Editor opens.)
   
3. Navigate to the key:
   
   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
   
4. In the right pane look for the following values:
   
   Start Page
   Search Page
   Default_Page_URL
   Default_Search_URL
   
5. For each one that you find, double-click the value. The Edit String dialog box appears.
6. If the text in the Value data box points to a suspicious Web page, such as the http:/ /jethomepage.com value that appears in this graphic:
   
   
   
   then delete all of the text in the Value data box, as shown here:
   
   
   
7. Click OK. (It is not necessary to enter anything in the box.)
8. After you have done this for all of the values mentioned in step 4, click Registry, and click Exit.

Technical Details