What it does:
Loads a file from the \system32\drivers folder, creates a stsheets.dat file
in the Windows folder, creates a separate hosts file in the \windows directory,
and resets the default home page to http://rl.webtracer.cc/--/?bayzm/; other
variations apparently set it to other pages.
To repair:
Before anything, set your computer to view all files, including hidden and system files and protected operating system files, and unhide extensions for known file types. Click here for a walkthrough on viewing all files.
Restart.
Boot into safe mode command prompt (by hitting F8 BEFORE Windows boots, then using your up/down arrow keys to choose safe mode command prompt).
Log on (as the user that can see all the files, as described above).
When Windows boots, type exit at the command prompt.
Hit Ctrl-Alt-Del. In the Task Manager, go to File, New Task, and type regedit. Do a search for stsheets.
You should find a reference in HKLM\System\ControlSet. Make a note of which file it's loading, which should be something in the \system32\drivers directory.
Run The Killbox on the file in the system32\drivers directory, and again to kill the stsheets.dat file, eere.exe, ffre.exe, etc.
Also, while in safe mode command prompt, I like to edit the hosts file in \system32\drivers\etc, as well as the one it had created in \windows, removing all entries except localhost. Then, if you are running XP Pro or Win2k Pro, set deny permissions for every user (and system). Sorry, you can't do this step with XP Home edition.
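To check the hosts-file step above, the following added example (not part of the original write-up) lists every hosts entry that is not a plain localhost mapping and produces a cleaned copy. The hostnames and addresses in the sample are constructed, and the function names are hypothetical.

```python
import ipaddress
import os

# Constructed sample of a tampered hosts file (not copied from an infected machine).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.example-search.test   # constructed redirect entry
127.0.0.1       update.example-av.test    # constructed: blackholes an update site
::1             localhost

"""

LOCAL_NAMES = {"localhost"}


def audit_hosts(text):
    """Return (line_no, address, names) for each entry that is not loopback -> localhost."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue  # blank or comment-only line
        address, names = fields[0], fields[1:]
        try:
            loopback = ipaddress.ip_address(address).is_loopback
        except ValueError:
            loopback = False  # malformed address: report it rather than ignore it
        extra = [n for n in names if n.lower() not in LOCAL_NAMES]
        if not loopback or extra or not names:
            findings.append((line_no, address, extra or names))
    return findings


def cleaned_hosts(text):
    """Return the hosts text with every flagged line removed; comments are kept."""
    flagged = {line_no for line_no, _, _ in audit_hosts(text)}
    kept = [l for i, l in enumerate(text.splitlines(), start=1) if i not in flagged]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # The two locations named in the write-up: the real hosts file and the copy in \windows.
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    for path in (os.path.join(root, "system32", "drivers", "etc", "hosts"),
                 os.path.join(root, "hosts")):
        if os.path.exists(path):
            with open(path, encoding="latin-1") as fh:
                for line_no, address, names in audit_hosts(fh.read()):
                    print(f"{path}:{line_no}: {address} -> {' '.join(names)}")
```

An entry that maps a non-localhost name to 127.0.0.1 is flagged as well, since that pattern makes the named site unreachable.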