Variant: Backdoor.Dalsk

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows Vista, Windows XP, Windows 7

Backdoor.Dalsk is a Trojan horse first documented on December 30, 2010. It opens a backdoor that gives the attacker remote access to, and potentially full administrative control over, the infected system. Through that backdoor the attacker can download files, capture screenshots, and create, edit or delete user accounts, services and files, among other actions.

What’s a Backdoor?
A backdoor in a computer system is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. [Source: Wikipedia]

Here’s how to remove Backdoor.Dalsk manually:

• Temporarily disable system restore (Windows ME/ XP) - Click Start, right-click My Computer then click Properties. Click the System Restore tab, select Turn off System Restore or Turn off System Restore on all drives check box. Click OK.

• Reboot and log in under Safe Mode with Networking – While booting, press the F8 key. On the Windows Advanced Options Menu use the arrow keys to choose Safe Mode with Networking, then press Enter.

• Show hidden files and folders – Open My Computer, click Folder Options and choose the View tab. Tick Show hidden files and folders, and untick Hide protected operating system files (the Trojan's files are dropped into system folders, so they stay invisible until both settings are changed).

• Navigate to and delete the following registry keys – Click Start, Run, then type regedit. These are the service keys that load the Trojan's drivers and executables. Before deleting each one, check that its ImagePath value points at one of the files listed in the next step, so that you do not remove a legitimate service that happens to share the name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\incs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipcdr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irpfit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScardClt

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Navigate to and delete the following files created by Backdoor.Dalsk (%System% is the System32 folder, usually C:\Windows\System32):

%System%\Setup\wuauclt1.exe
%System%\rshx16.bak
%System%\rshx16.dll
%System%\Setup\hid32.log
%System%\scardclt.exe
%System%\drivers\ipcdr.sys
%System%\drivers\ipcdr.bak
%System%\ntmsapi16.dll
%System%\igxpgb32.dll
%System%\drivers\irpfit.sys
%System%\drivers\irpfit.bak
%System%\hid32.dll
%System%\hid32.bak
%System%\incs.exe
%System%\msvfw16.dll
%System%\dmome.dll

• Re-enable System Restore (Windows ME/XP) – Click Start, right-click My Computer, then click Properties. Click the System Restore tab and clear the Turn off System Restore or Turn off System Restore on all drives check box. Click OK.

• Restart and boot under normal mode

• Update AV definition files

• Run Anti-Virus full system scan
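As an added example, not part of the original post, the PowerShell script below checks a machine for the service keys and files listed in the steps above and records a SHA-256 hash of every file it finds, so that you confirm the indicators before deleting anything and keep a record of what was removed. It assumes PowerShell 2.0 or later (Windows Vista/7, or XP with PowerShell installed), an elevated prompt, and that %System% means %SystemRoot%\System32. The service names and file paths are exactly those from the list above; the script only reports, and the removal commands at the end are left commented out.

```powershell
# Added example, not part of the original post. Reports Backdoor.Dalsk indicators
# without removing them. Assumes an elevated PowerShell 2.0+ prompt and that
# %System% is %SystemRoot%\System32 (C:\Windows\System32 on most installs).
$System = Join-Path $env:SystemRoot 'System32'

# Service names and file paths exactly as listed in the guide above.
$ServiceNames = 'incs', 'ipcdr', 'irpfit', 'ScardClt'
$FilePaths = @(
    'Setup\wuauclt1.exe', 'rshx16.bak', 'rshx16.dll', 'Setup\hid32.log',
    'scardclt.exe', 'drivers\ipcdr.sys', 'drivers\ipcdr.bak', 'ntmsapi16.dll',
    'igxpgb32.dll', 'drivers\irpfit.sys', 'drivers\irpfit.bak', 'hid32.dll',
    'hid32.bak', 'incs.exe', 'msvfw16.dll', 'dmome.dll'
)

# SHA-256 via .NET so it also works on PowerShell 2.0, which has no Get-FileHash.
function Get-Sha256Hex([string]$Path) {
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($Path)
        try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
        return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLower()
    } catch {
        return 'unreadable (file locked?)'
    }
}

$hits = @()

foreach ($name in $ServiceNames) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (Test-Path $key) {
        # ImagePath is the binary the service key actually loads; it should point
        # at one of the files below before you delete the key.
        $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $hits += New-Object PSObject -Property @{
            Type = 'Service'; Item = $name; Detail = "ImagePath = $image"
        }
    }
}

foreach ($rel in $FilePaths) {
    $path = Join-Path $System $rel
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path -Force
        $hits += New-Object PSObject -Property @{
            Type = 'File'; Item = $path
            Detail = '{0} bytes, modified {1}, sha256 {2}' -f $file.Length, $file.LastWriteTime, (Get-Sha256Hex $path)
        }
    }
}

if ($hits.Count -eq 0) {
    'No Backdoor.Dalsk indicators found.'
} else {
    $hits | Format-Table -AutoSize Type, Item, Detail
    # Keep the evidence before the Safe Mode cleanup (written to the Desktop).
    $hits | Select-Object Type, Item, Detail |
        Export-Csv -NoTypeInformation (Join-Path $env:USERPROFILE 'Desktop\dalsk-indicators.csv')
}

# Removal, once every hit is confirmed (run in Safe Mode as the guide says):
#   sc.exe stop incs ; sc.exe delete incs                # repeat for ipcdr, irpfit, ScardClt
#   Remove-Item -LiteralPath "$System\incs.exe" -Force   # repeat for each listed file
```

Deleting a service with sc.exe removes the same registry key the guide tells you to delete by hand, but it also stops the service first, which is why the script suggests it over regedit for the service entries. Files that report "unreadable" are in use; they will be deletable in Safe Mode once the service that loads them is gone.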



Variant: W32.Rotinom [Symantec], Trojan.Win32.Agent2.ldt [Kaspersky], Trojan:Win32/Folstart.A [Microsoft], TR/Agent2.ldt.36 [Avira]

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows XP, Windows Vista, Windows 7

W32.Rotinom is a computer worm that copies itself to removable drives and network shares in order to spread.
How does it propagate?
For each folder in the root directory of a target removable or network drive, the worm writes a copy of itself named after that folder with an .exe extension, then marks the real folder as hidden. The copy carries a standard Windows folder icon, and because Explorer hides known file extensions by default, a copy such as "Photos.exe" shows up as a folder named "Photos" in place of the one that just disappeared. Be wary: double-clicking that "folder" runs the worm.
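As an added example, not part of the original post, the PowerShell function below finds this lure pattern on a drive root: a file named <Name>.exe sitting next to a folder named <Name>, with a note of whether that folder now carries the Hidden or System attribute. It assumes PowerShell 2.0 or later and that the drive letter passed in (E:\ in the call at the bottom, an assumed example) is the removable or mapped drive you want to inspect; it only reports, with the cleanup commands left commented out.

```powershell
# Added example, not part of the original post. Lists W32.Rotinom-style lures on a
# drive root: a file <Name>.exe sitting next to a folder <Name>, reporting whether
# that folder carries the Hidden/System attributes. Assumes PowerShell 2.0+ and
# that $Root is the root of the removable or mapped drive to inspect (e.g. 'E:\').
function Find-FolderLure {
    param([Parameter(Mandatory = $true)][string]$Root)

    # -Force includes hidden and system entries, which Explorer would not show.
    $entries = @(Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue)

    # Index the folders by lower-cased name (NTFS and FAT names are case-insensitive).
    $folders = @{}
    foreach ($entry in $entries) {
        if ($entry.PSIsContainer) { $folders[$entry.Name.ToLower()] = $entry }
    }

    $lures = @()
    foreach ($entry in $entries) {
        if ($entry.PSIsContainer -or $entry.Extension -ne '.exe') { continue }
        $base = [System.IO.Path]::GetFileNameWithoutExtension($entry.Name).ToLower()
        if (-not $folders.ContainsKey($base)) { continue }

        $folder = $folders[$base]
        $lures += New-Object PSObject -Property @{
            Executable   = $entry.FullName
            Folder       = $folder.FullName
            FolderHidden = ([int]($folder.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0)
            FolderSystem = ([int]($folder.Attributes -band [System.IO.FileAttributes]::System) -ne 0)
            ExeSize      = $entry.Length
        }
    }
    return ,$lures
}

# Inspect one drive. Every lure on an infected drive should have the same size,
# since each one is a copy of the same worm body; an odd one out deserves a
# second look before anything is deleted.
$lures = Find-FolderLure -Root 'E:\'
$lures | Format-Table -AutoSize Executable, Folder, FolderHidden, FolderSystem, ExeSize

# Cleanup for each confirmed lure (run after review, not automatically):
#   Remove-Item -LiteralPath $lure.Executable -Force
#   attrib.exe -h -s $lure.Folder     # make the real folder visible again
```

A folder that is hidden and has a same-named .exe beside it is the worm's signature; a same-named .exe beside a visible folder is rarer but still worth checking. Unticking "Hide extensions for known file types" in Folder Options, alongside the "show hidden files" step in the guide, makes the lure's .exe extension visible in Explorer so the trick no longer works on you.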

Step by step manual removal guide:

• Disable system restore (Windows ME and XP users only)

• Reboot and log in under Safe Mode with Networking (press the F8 key as Windows starts to boot)

• Show hidden files and folders – Open my computer, click folder options and choose view tab. Tick show hidden files and folders, untick hide protected operating system files.

• Navigate and delete W32.Rotinom created files:

• Navigate and restore the following registry entries to their original values: (Click Start → run → type regedit → click OK)

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Update Anti-Virus definition files

• Run Anti-Virus full system scan

• Re-enable system restore (Windows ME and XP users only)

• Reboot and login under normal mode

Variant: Trojan.Karagany

Operating Systems Affected: Windows 9x, 2000, XP, Server 2003, Vista, 7

Trojan.Karagany is a backdoor Trojan horse: it gives an attacker a way onto the Windows system that bypasses the normal logon and is designed to go unnoticed. Through that backdoor the attacker can damage the system and read any confidential data stored on the computer. If you are infected with it, follow the steps below to remove the Trojan manually.

Step by step manual removal guide:

• Temporarily disable System Restore (Windows ME/XP) – Click Start, right-click My Computer, then click Properties. Click the System Restore tab, select the Turn off System Restore or Turn off System Restore on all drives check box. Click OK.

• Reboot and log in under Safe Mode with Networking – While booting, press the F8 key. On the Windows Advanced Options Menu use the arrow keys to choose Safe Mode with Networking, then press Enter.

• Show hidden files and folders - Open my computer, click folder options and choose view tab. Tick show hidden files and folders, untick hide protected operating system files.

• Navigate and delete the Trojan.Karagany created files:

• Navigate to and delete the folder Trojan.Karagany created:

%ProgramFiles%\Common Files\WmiModules

• Navigate and delete the Trojan.Karagany registry added values: (Start → run → type regedit → OK)

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Re-enable System Restore (Windows ME/XP) – Click Start, right-click My Computer, then click Properties. Click the System Restore tab and clear the Turn off System Restore or Turn off System Restore on all drives check box. Click OK.

• Update AV definition files

• Run Anti-Virus full system scan

• Restart and boot under normal mode

Pluses: Has a huge "threat" database that is updated remarkably often. Really quick scans. Small operating system footprint.

Drawbacks: No antivirus unless you purchase “Spyware Doctor with Antivirus” for an additional (albeit small) charge.

Consensus: A top performing AntiSpyware program. With each updated release the gap between Spyware Doctor and the competition widens.

Spyware Doctor, created by PC Tools, is an industry leader in the anti-spyware category. Praised by internet security experts, this "world-renowned" program detects, removes and protects PCs from thousands of potential spyware, adware, trojan, virus, keylogger, spybot and tracking threats. We counted at least 31 different industry awards without digging very far. Here are just a few of the highlights:

The overall ease of use was a huge benefit. From the download to the first scan took only about 2 minutes. Once the scan was started, it identified parasites immediately: a few cookies, but a handful of more serious threats as well. Adware, malware and at least one trojan were found and cleaned. Here is a screen shot from a second scan we did that found additional issues:

There are a few key features that really set Spyware Doctor apart from the competition. Although the technology may or may not be completely unique to PC Tools, they have done a remarkable job of advancing these features and taking them to a higher level. Here is a brief description of the key features:

  • *Sliding Signatures -  a PC Tools technology with the ability to detect threats known to frequently modify or morph. They are designed to find the common patterns within these types of deceptive morphing threats and promptly alert Spyware Doctor to execute immediate removal.
  • Full screen mode for gamers and media junkies – this means zero interruptions and low CPU usage while you are engaging in other activities on your PC.
  • Real-time power with *IntelliGuard - blocking both known and unknown Malware threats before they can be installed on your computer.
  • Advanced Rootkit detection – rootkits are incredibly complex threats. They are hidden and require a deep scanning capability which Spyware Doctor has.
  • Smart Update function – updates are automatically installed. Threat signatures are updated every business day or even within hours of a more serious threat identification. Priceless.
  • NEW! Download Guard checks your downloads against a cloud-based network.

The user interface is nicely laid out. Appropriate sized font, easy on the eyes color scheme and no clutter.

Curious as to what the industry has to say about Spyware Doctor?

“… Spyware Doctor 5.0 was the clear winner, outperforming the competition at detecting and removing…”
- PC World Best Buy August 2007

“This latest edition of Spyware Doctor cleaned up infested test systems better than any product I’ve tested with my current sample set.”
- PC Magazine, July 21, 2008

“If only every anti-spyware tool were so ready to bring your PC back to its rightful state of health.”
- Editor’s Choice PC Answers UK April 20

“It also removed all of the malware samples that use rootkit techniques to hide themselves.”
- PC Magazine Editor’s Choice

The system requirements are important and are as follows:

Microsoft Windows 7 (32bit, 64bit), Windows Vista SP1+ (32bit, 64bit), Windows XP SP2+ (32bit)

Spyware Doctor also has top notch service and support. 24/7 Help available in 10 languages during your subscription period. 4 convenient options for you – you can reach support staff by phone, email, live chat or web. 30-day 100% money-back guarantee to protect your purchase and your PC.

In conclusion, you’ll be hard pressed to find a better Anti-Spyware program at a better price. In fact we don’t think you can. From the massive and daily updated database, lightning quick PC scans, and ease of use all the way through to the product support 24/7 and 100% money back guarantee ( although we don’t think you will need it ), Spyware Doctor is the clear winner. And we highly recommend it.

Variant: TROJ_FAKEAV.WKA [Trend Micro], Rogue:Win32/FakeSpypro [Microsoft]

Operating Systems Affected: Windows 9x, Windows 2000, Windows XP, Windows Vista, Windows 7

TROJ_FAKEAV.WKA is a Trojan that poses as a legitimate antivirus program. A small downloader connects to a website and fetches the core component, TROJ_FAKEAV.WKA itself. Once installed, it displays a fake scan result claiming that the computer has multiple infections, then offers to "remove" them if you buy the program. Clicking Purchase takes you to a website that asks for your credit card details. Do not be deceived, and do not buy the fake antivirus program: the infections it reports do not exist, and the only real infection is the fake antivirus itself.

• Disable system restore (Windows ME and XP only)
• Reboot and login under safe mode with networking
• Navigate and delete the Trojan added registry values:

• Navigate and restore the original registry values:

• Navigate and delete this registry key:

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

Windows XP Registry Backup
Windows 7 Registry Backup

• Update Anti-Virus definition files
• Run Anti-Virus full system scan
• Re-enable system restore (Windows ME and XP only)
• Reboot and login under normal mode

Variant: Adware.Magoo

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows Vista, Windows XP, Windows 7

[Image shown above is not the actual Adware.Magoo pop ups but is just an example of the annoying pop up windows that we constantly encounter on the web]

Adware.Magoo is not a virus, trojan or a worm – it is an adware program that displays annoying pop up ads while surfing the web.

What is adware?
Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. [Source: Wikipedia]

Step by step manual removal guide:

• Disable system restore (Windows ME, XP users only)

• Reboot and log in under Safe Mode with Networking (press the F8 key as Windows starts to boot)

• Delete temporary internet files

(IE 8 → Safety menu → delete browsing history → tick temporary internet files, cookies, and history → delete)

(Firefox → Tools menu → Clear Recent History → choose the time range from the drop-down → click Clear Now)

• Show hidden files and folders (Open my computer, click folder options and choose view tab. Tick show hidden files and folders, untick hide protected operating system files.)

• Delete the following infected files:

• Delete the registry value that loads the adware at logon: (Start → Run → type regedit → navigate to the listed entry and delete it)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Mightymagoo" = "%ProgramFiles%\Mighty Magoo\mightymagoo32.exe a"

• Delete the following infected registry values:

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Update Anti-Malware definition files

• Run Anti-Malware full system scan

• Re-enable system restore (Windows ME, XP users only)

• Reboot and login under normal mode

Variant: Infostealer.Spunst

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows XP, Windows Vista, Windows 7

Infostealer.Spunst is a Trojan horse that is primarily designed to steal personal confidential information on a compromised computer.

A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access to the user’s computer system. [source: Wikipedia]

Step by step manual removal guide:

• Temporarily disable system restore (Windows ME/ XP) Click Start, right-click My Computer then click Properties. Click the System Restore tab, select Turn off System Restore or Turn off System Restore on all drives check box. Click OK.

• Reboot and log in under Safe Mode with Networking – While booting, press the F8 key. On the Windows Advanced Options Menu use the arrow keys to choose Safe Mode with Networking, then press Enter.

• Show hidden files and folders - Open my computer, click folder options and choose view tab. Tick show hidden files and folders, untick hide protected operating system files.

• Navigate and delete Infostealer.Spunst infected files:

%UserProfile%\Application Data\colectinf.tag
%UserProfile%\Application Data\dllcache32.exe

• Navigate to and delete the registry value Infostealer.Spunst added: Start → Run → type regedit. Note that the value name imitates NoDriveTypeAutoRun, a genuine Explorer policy setting, but a value of that name has no business in a Run key; the command it runs is the Trojan's dllcache32.exe from the file step above.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"NoDriveTypeAutoRun" = "dllcache32.exe"

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Re-enable System Restore (Windows ME/XP) – Click Start, right-click My Computer, then click Properties. Click the System Restore tab and clear the Turn off System Restore or Turn off System Restore on all drives check box. Click OK.

• Update AV definition files

• Run Anti-Virus full system scan

• Restart and boot under normal mode

Variant: Trojan.Bohu

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows XP, Windows Vista, Windows 7

Trojan.Bohu is a Trojan horse first documented on January 19, 2011. It is designed to disable cloud-based antivirus software together with the web service such products depend on for their verdicts. It spreads through social networking sites, where a link to the Trojan is shared disguised as a video playback application, as shown in the image above.

Trojan.Bohu is regarded as the first Trojan to target cloud-based antivirus products, and it is unlikely to be the last.

A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access to the user’s computer system. [source: Wikipedia]

Step by step manual removal guide:

• Temporarily disable system restore [Windows ME / XP only]
• Reboot and login under safe mode with networking
[press the F8 key as Windows starts to boot]
• Temporarily show hidden files and folders
[My Computer → Tools → Folder Options → View Tab → Tick show hidden folders, files and drives → Untick hide operating systems files → OK]
• Navigate and delete the Trojan.Bohu created files:


• Navigate and delete the Trojan.Bohu created registry key:
[Click Start → run → type regedit → click OK]

• Navigate and delete the Trojan.Bohu created registry subkeys:

• Navigate and restore the original registry value:

Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!

Windows XP Registry Backup
Windows 7 Registry Backup

• Update Antivirus definition files
• Run Antivirus full system scan
• Restore hidden files and folders settings
[My Computer → Tools → Folder Options → View tab → untick Show hidden folders, files and drives → tick Hide protected operating system files → OK]
• Re-enable system restore [Windows ME / XP only]
• Reboot and login under normal mode

Variant: TROJ_RANSOM.QOWA [Trojan Ransomware]

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows XP, Windows Vista, Windows 7

TROJ_RANSOM.QOWA is the most recent ransomware Trojan detected by Trend Micro at the time of writing. Ransomware is on the rise, and each new variant tends to be more destructive than the one before it.

Ransomware is computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration. [source: Wikipedia.org]

Once the system is infected, the Trojan displays the image shown above, which locks the desktop and prevents any use of the computer. The image also lists a premium-rate number and instructs the victim to send an SMS to it. Do not send an SMS to the listed number, and do not be scammed by this ransomware blackmail!

Step by step manual removal guide:

• Disable system restore [Windows XP and ME]
• Boot from Windows Installation CD

• Remove the Windows Install CD
• Restart Windows and boot under normal mode
• Navigate and restore the original registry value:

{Disclaimer: Registry modification is done at your own risk!}

• Update Anti-Virus definition files
• Run an Anti-Virus full system scan
• Re-enable system restore [Windows XP and ME]
• Restart the computer

Variant: Trojan.Ransomlock.F

Operating Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

WARNING!

You surfed gay porn videos for three hours.
The free viewing time has expired.

To pay for the service, you need to make an online payment through the Beeline system to 9646280479 for the amount of $400 USD.

Upon receipt of the payment you will be given an activation code.
Enter it in the box below and press Enter.

[The message shown above is an English translation of the Russian text on the actual Trojan.Ransomlock.F lock-screen image]

Trojan.Ransomlock.F is a Trojan horse first documented on December 20, 2010 that locks the user’s desktop and makes the PC unusable. First, the malware adds a registry value so that it is loaded every time Windows starts. Once active, it kills running programs and processes, leaving the operating system unstable. It then disables the keyboard and mouse. Finally, it displays the image with the Russian-language message translated above and a lewd picture in its lower right corner.

Follow the listed steps below to remove Trojan.Ransomlock.F infection:

• Disable system restore (Windows ME and Windows XP users only)

• Boot to Safe Mode with Networking (press the F8 key before the Windows Logo appears then choose safe mode with networking → hit enter → and login on an account with Administrator credentials)

• Show hidden files and folders (My Computer → Tools → Folder Options → View Tab → Tick show hidden folders, files and drives → Untick hide operating systems files → OK)

• Navigate and Delete the Trojan.Ransomlock.F file

%UserProfile%\15886941\15886941.exe

• Navigate to and delete the registry value Trojan.Ransomlock.F added (Start → Run → regedit → navigate to the listed entry and delete it)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"15886941" = "%UserProfile%\15886941\15886941.exe"

• Update anti-virus definition files

• Run a full anti-virus system scan

• Re-enable System Restore (Windows ME and Windows XP users only)

• Restart the computer
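The Adware.Magoo, Infostealer.Spunst and Trojan.Ransomlock.F guides above each end up deleting one value from a Run key. As an added example, not part of the original posts, the PowerShell script below lists every Run-key value on the machine and flags the patterns those entries illustrate: a value name that is only digits (Ransomlock.F's "15886941"), a value name copied from a real Windows policy setting (Spunst's "NoDriveTypeAutoRun"), a command with no directory at all (Spunst's "dllcache32.exe"), or a command that launches from a user-writable folder (Ransomlock.F's %UserProfile% path). It assumes PowerShell 2.0 or later and only reads the registry; the backup and removal commands are left commented out at the end.

```powershell
# Added example, not part of the original posts. Lists every value in the Run
# autostart keys and flags the patterns shown by the registry entries quoted in
# the guides above. Assumes PowerShell 2.0+; read-only, removal is commented out.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Folders a normal user can write to; legitimate autostarts rarely launch from here.
$UserWritableRoots = @($env:USERPROFILE, $env:APPDATA, $env:TEMP) | Where-Object { $_ }
# Properties the registry provider adds to every Get-ItemProperty result.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Test-SuspiciousRunEntry {
    param([string]$Name, [string]$Command)
    $reasons = @()
    # Trojan.Ransomlock.F: value name "15886941", digits only.
    if ($Name -match '^\d+$') { $reasons += 'numeric value name' }
    # Infostealer.Spunst: "NoDriveTypeAutoRun" is a real Explorer policy setting
    # (it lives under ...\Policies\Explorer) and never belongs in a Run key.
    if ($Name -eq 'NoDriveTypeAutoRun') { $reasons += 'policy setting name misused as Run entry' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim('"')
    # Infostealer.Spunst again: "dllcache32.exe" with no directory, found via the search path.
    if ($expanded -notmatch '[\\/]') { $reasons += 'bare file name without a path' }
    # Trojan.Ransomlock.F: %UserProfile%\15886941\15886941.exe.
    foreach ($root in $UserWritableRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "launches from user-writable path $root"
        }
    }
    return ,$reasons
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        $reasons = @(Test-SuspiciousRunEntry -Name $p.Name -Command ([string]$p.Value))
        $flag = if ($reasons.Count -gt 0) { 'SUSPECT' } else { 'ok     ' }
        '{0} {1}\{2} = {3}   {4}' -f $flag, $key, $p.Name, $p.Value, ($reasons -join '; ')
    }
}

# Before removing a flagged value, export its key (the "backup the registry" step
# in the guides), then delete only that one value, e.g. for Trojan.Ransomlock.F:
#   reg.exe export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "$env:USERPROFILE\Desktop\Run-backup.reg" /y
#   Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '15886941'
```

Entries like Adware.Magoo's, which launch from Program Files under a plausible-looking name, trip none of these rules, which is why the script prints every value rather than only the flagged ones: the full listing is what you review. Double-clicking the exported .reg file restores the key if you delete the wrong value, which is the point of taking the backup first.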