Archive for the 'Trojan' Category

How to remove the WORM_KOOBFACE.D Facebook worm.

Tuesday, August 19th, 2008

The WORM_KOOBFACE.D worm is malware that spreads itself through the online social site called Facebook.  When a user becomes infected with this worm, it will install a copy of itself as C:\Windows\fbtre6.exe and then further download the following files:

  • C:\5465465465463.BAT
  • C:\Windows\fmark2.dat

When fbtre6.exe is run it will display the following message in Windows:

Error installing Codec. Please contact support.

It is important to note that this infection will delete itself if it detects that you have not used Facebook.com on the infected computer.  If Facebook cookies are found, though, it will add a link to a location where it can be downloaded in the infected user’s Facebook profile.  It is through these links in infected user’s profiles that the infection spreads.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.

DownloadDownload Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

fbtre6.exe


Delete these files:
Lean how to remove files

C:\Windows\fbtre6.exe
C:\5465465465463.BAT
C:\Windows\fmark2.dat

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sysftray = “C:\Windows\fbtre6.exe”

Posted in Backdoor, Malware Removal Guide, Trojan, Worms | No Comments »

How to remove TROJ_POPHOT.O and the svchosd.exe infection.

Wednesday, July 30th, 2008

The TROJ_POPHOT.O Trojan is installed form other malware downloaded off of the Internet.  When run, this Trojan will install the following files on your computer:

  • C:\Windows\System32\inf\scsys16_080725.dll
  • C:\Windows\System32\inf\sppdcrs080725.scr
  • C:\Windows\System32\inf\svchosd.exe
  • C:\Windows\dcbdcatys32_080725a.dll
  • C:\Windows\system\sgcxcxxaspf080725.exe
  • C:\Windows\tawisys.ini
  • C:\Windows\wftadfi16_080725a.dll

The Trojan will also add a registry entry to start itself every time you restart this computer. This registry entry will start C:\Windows\System32\inf\svchosd.exe, which is actually a renamed rundll32.exe, which will be used to load the code found in the wftadfi16_080725a.dll DLL file.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

DownloadDownload Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

svchosd.exe


Delete these files:
Lean how to remove files

C:\Windows\System32\inf\scsys16_080725.dll
C:\Windows\System32\inf\sppdcrs080725.scr
C:\Windows\System32\inf\svchosd.exe
C:\Windows\dcbdcatys32_080725a.dll
C:\Windows\system\sgcxcxxaspf080725.exe
C:\Windows\tawisys.ini
C:\Windows\wftadfi16_080725a.dll

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\policies\Explorer\run
initnyuser = “%System%\inf\svchosd.exe %WINDOWS%\wftadfi16_080725a.dll tanlt88″

Posted in Malware Removal Guide, Trojan | 2 Comments »

How to remove the Trojan.Proscks.C Malware

Tuesday, July 29th, 2008

The Proscks Trojan modifies files on the compromised computer and connects to a remote server. Once infected you will be shown pop-up advertisements on your computer.

When infected the Trojan.Proscks.C malware will create the following files:

  • %Temp%\RarSFX0\IPHOST.DLL
  • %Temp%\RarSFX0\iphy.dll
  • %Temp%\RarSFX0\xExe.dll
  • %Temp%\RarSFX0\loaderSvc.exe
  • %System%\IPHOST.DLL
  • %System%\_proxy.dll
  • %System%\iphy.dll
  • %System%\fhpatch.dll
  • %System%\fiplock.dll
  • %System%\IpSvchostF.dll

Next, the Trojan copies the file %System%\svchost.exe to the following location:

%System%\[EIGHT RANDOM CHARACTERS]

It then modifies %System%\svchost.exe so that the following file is executed every time Windows starts:

%System%\IPHOST.DLL

The Trojan then downloads a .dll file from a remote location and saves it as %System%\IPHACTION.dll.

Automatic Removal Method

If you are infected with this malware, then we suggest you use Symantec Antivirus to remove this infection. The current definitions for Symantec Antivirus contains methods of removing this virus.

DownloadDownload Symantec Antivirus to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

loaderSvc.exe

Delete these files:


Lean how to remove files

%Temp%\RarSFX0\IPHOST.DLL
%Temp%\RarSFX0\iphy.dll
%Temp%\RarSFX0\xExe.dll
%Temp%\RarSFX0\loaderSvc.exe
%System%\IPHOST.DLL
%System%\_proxy.dll
%System%\iphy.dll
%System%\fhpatch.dll
%System%\fiplock.dll
%System%\IpSvchostF.dll

Posted in Malware Removal Guide, Trojan | No Comments »

How to remove the Troj_Renos.ACO or lphc3pgj0e3ct.exe infection.

Thursday, July 24th, 2008

A new variant of the Troj_Renos.ACO infection was discovered that installs a file called lphc3pgj0e3ct.exe into your C:WindowsSystem32folder. This infection is installed on your computer by one of the following three methods:

  • This Trojan may be downloaded from remote site(s) by other malware.
  • It may be dropped by other malware.
  • It may be downloaded unknowingly by a user when visiting malicious Web site(s).

When started, the infection will connect to a remote web site to download and run another file that is also detected as Troj_Renos.ACO.  It then copies itself to C:WindowsSystem32lphc3pgj0e3ct.exe and adds a entry into the Windows Registry to start the file everytime you boot your computer.

This infection will also change your Windows desktop wallpaper to look like:

Trojan Renos Wallpaper

Trojan Renos Wallpaper

Automatic Removal Method

If you are infected with this malware, then we suggest you use Trend Micro antivirus to remove this infection. It is know to be able to remove this malware and it is included in its current virus definitions.  A big thumbs up for Trend Micro for being able to remove this infection so quickly.

DownloadDownload Trend Micro Antivirus to scan your computer

Manual Removal Instructions for

End these processes:

Learn how to end processes

lphc3pgj0e3ct.exe


Delete these files:
Lean how to remove files

C:WindowsSystem32lphc3pgj0e3ct.exe
C:WindowsSystem32phc3pgj0e3ct.bmp
C:WindowsSystem32blphc3pgj0e3ct.scr

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_LOCAL_MACHINESOFTWAREMicrosoft
WindowsCurrentVersionRun
lphc3pgj0e3ct = “%System%lphc3pgj0e3ct.exe”

Posted in Malware Removal Guide, Trojan | No Comments »

How to remove the USS.exe Trojan

Thursday, July 17th, 2008

THe USS.exe Trojan is an executable that gets installed on your computer along with other malware.  This infection will also install a service called wasfsd that uses the filename C:\Windows\System32\drivers\System32. When running, this Trojan will display fake alerts that state your computer is being attacked or is infected with particular infections.  It will then ask if you would like to block or fix these infections, and if you specify yes, will open up an Internet Explorer window where it prompts you to buy Trusted Antivirus.

alert2 alert
Fake alerts from USS.exe

Automatic Removal Method

We recommend that you install Spyware Doctor from PCTools in order to remove USS.exe Trojan from your computer. Spyware Doctor has an incredible track record for removing and detecting the latest malware.

DownloadDownload Spyware Doctor to scan your computer for free

Manual Removal Instructions for

End these processes:

Learn how to end processes

USS.exe


Delete these files:
Lean how to remove files

c:\END
c:\Program Files\USS
c:\Program Files\USS\unins000.dat
c:\Program Files\USS\unins000.exe
c:\Program Files\USS\USS.exe
c:\Program Files\USS\#agents
c:\Program Files\USS\#agents\53
c:\Program Files\USS\#agents\53\#startup
c:\Program Files\USS\#monitors
c:\Program Files\USS\#monitors\DirMonitor
c:\Program Files\USS\#monitors\FileMonitor
c:\Program Files\USS\#monitors\RegMonitor
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\GESPlugin.dll
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\GESPlugin.xml
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\kernel.dll
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\unins000.dat
c:\Program Files\USS\{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}\unins000.exe
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AMPlugin.xml
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AsAgents.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\AsAgents.xml
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\msvcp71.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\msvcr71.dll
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.dat
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\unins000.exe
c:\Program Files\USS\{D1957FF4-EA22-4b4a-81A1-C62068479DED}\wasffNT.exe
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\GSCRPlugin.dll
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\unins000.dat
c:\Program Files\USS\{EC572088-91C7-4293-93F9-93D40B0E0B36}\unins000.exe
c:\WINDOWS\system32\drivers\wasfsd.sys

Remove these Registry keys:

Learn how to remove Windows Registry entries

Warning: Editing the Windows Registry incorrectly can cause problems with your computer that may cause it not to operate correctly.  Please edit the Registry only if you know what you are doing.  Otherwise, please use the automated removal method above.

HKEY_CURRENT_USER\Software\USLst
HKEY_CURRENT_USER\Software\USS
HKEY_CLASSES_ROOT\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B22}
HKEY_CLASSES_ROOT\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95422}
HKEY_CLASSES_ROOT\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42622}
HKEY_CLASSES_ROOT\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37422}
HKEY_CLASSES_ROOT\wasfsd.CreationNotifier
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{826F15BF-1A4C-4290-BFD1-794AF7A2CB8F}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{D1957FF4-EA22-4b4a-81A1-C62068479DED}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{EC572088-91C7-4293-93F9-93D40B0E0B36}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_is1
HKEY_LOCAL_MACHINE\SOFTWARE\USS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wasfsd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wasfsd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run => USS

Posted in Malware Removal Guide, Rogue Anti-Spyware, Trojan | No Comments »