How to remove TROJ_POPHOT.O and the svchosd.exe infection.

The TROJ_POPHOT.O Trojan is installed by other malware downloaded from the Internet.  When run, this Trojan will install the following files on your computer:

  • C:\Windows\System32\inf\scsys16_080725.dll
  • C:\Windows\System32\inf\sppdcrs080725.scr
  • C:\Windows\System32\inf\svchosd.exe
  • C:\Windows\dcbdcatys32_080725a.dll
  • C:\Windows\system\sgcxcxxaspf080725.exe
  • C:\Windows\tawisys.ini
  • C:\Windows\wftadfi16_080725a.dll

The Trojan will also add a registry entry so that it starts every time you restart your computer. This registry entry launches C:\Windows\System32\inf\svchosd.exe, which is actually a renamed copy of rundll32.exe, and uses it to load the code found in the wftadfi16_080725a.dll DLL file.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is known to be able to remove this malware, and the malware is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

Download Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

svchosd.exe


Delete these files:

Learn how to remove files

C:\Windows\System32\inf\scsys16_080725.dll
C:\Windows\System32\inf\sppdcrs080725.scr
C:\Windows\System32\inf\svchosd.exe
C:\Windows\dcbdcatys32_080725a.dll
C:\Windows\system\sgcxcxxaspf080725.exe
C:\Windows\tawisys.ini
C:\Windows\wftadfi16_080725a.dll

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
initnyuser = "%System%\inf\svchosd.exe %WINDOWS%\wftadfi16_080725a.dll tanlt88"
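
Before deleting anything, the checks above can be scripted. The PowerShell below is an added example, not part of the original instructions or of any vendor tool, and it only reads the system. It assumes the six-digit stamp in the file names varies between infections (a reader in the comments below reports 080910), and it flags any value under the Run policy key whose executable carries rundll32's version resource under a different file name.

```powershell
# Added example: read-only check, nothing is deleted or modified.
# Requires PowerShell 3.0 or later and an elevated prompt.
# Assumption: the six-digit stamp (080725) differs between infections,
# so it is replaced by a wildcard in the file patterns.
$win = $env:windir
$patterns = @(
    "$win\System32\inf\scsys16_*.dll"
    "$win\System32\inf\sppdcrs*.scr"
    "$win\System32\inf\svchosd.exe"
    "$win\dcbdcatys32_*.dll"
    "$win\system\sgcxcxxaspf*.exe"
    "$win\tawisys.ini"
    "$win\wftadfi16_*.dll"
)
$fileHits = foreach ($p in $patterns) {
    Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime
}

# Inspect every value under the Run policy key named on this page and flag
# any whose executable is rundll32.exe stored under a different file name.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run'
$runHits = @()
if (Test-Path $runKey) {
    $key = Get-Item -Path $runKey
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        # First token of the command: a quoted path, or text up to the first space.
        if ($cmd -notmatch '^\s*(?:"([^"]+)"|(\S+))') { continue }
        $exe = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
        $item = Get-Item -LiteralPath $exe -Force
        # The version resource travels with the file when it is copied or renamed.
        $orig = $item.VersionInfo.OriginalFilename
        if ($orig -like 'rundll32*' -and $item.Name -ne 'rundll32.exe') {
            $runHits += [pscustomobject]@{
                Value = $name; Command = $cmd; OriginalFilename = $orig
            }
        }
    }
}

"Files matching the listed names: $(@($fileHits).Count)"
$fileHits | Format-Table -AutoSize
"Run values launching a renamed rundll32: $($runHits.Count)"
$runHits | Format-List
```

An unquoted executable path that contains spaces is cut at the first space and skipped, so review any remaining values under the key by hand.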


2 Responses to “How to remove TROJ_POPHOT.O and the svchosd.exe infection.”

  1. foo Says:

    Excellent instruction. Note that dates at the end of some listed files will correspond to the day it was downloaded.
    Files on my machine were named:
    scsys16_080910.dll
    sppdcrs080910.scr
    svchoct.exe
    dcbdcatys32_080910a.dll
    sgcxcxxaspf080910.exe
    tawisys.ini
    wftadfi16_080910a.dll
    I also had two different dated registry entries, wftadfi16_080825a.dll & wftadfi16_080910a.dll

  2. Rick Dillman Says:

    Good job on the information and on the instructions. I did it manually, but the fact you also gave an automatic solution is excellent! Thank you very much for the help!!!
