Variant: Backdoor.Dalsk

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows Vista, Windows XP, Windows 7

Backdoor.Dalsk is a newly discovered Trojan horse (Dec. 30, 2010) that opens a backdoor which in turn gives remote access and possibly full admin control on the infected system. The one responsible for the Trojan may perform the following actions: download files, capture image screenshots, creates, edit and/ or delete user accounts, services, files, etc…

What’s a Backdoor?
A backdoor [computer system] is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected  [Source: Wikipedia]

Here’s how to remove Backdoor.Dalsk manually:

• Temporarily disable system restore (Windows ME/ XP) - Click Start, right-click My Computer then click Properties. Click the System Restore tab, select Turn off System Restore or Turn off System Restore on all drives check box. Click OK.

• Reboot and login under safe mode with networking – While booting, press and hold the F8 Key.On the Windows Advanced Options Menu use arrow keys to move and choose Safe Mode with Networking then press Enter key.

• Show hidden files and folders – Open My Computer, click Folder Options and choose View Tab. Tick Show hidden files and folders, tick hide protected operating system files.

• Navigate and delete the following registry values: - Click Start, run, then type regedit.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\incs
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ipcdr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irpfit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ScardClt

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Navigate and delete the following Backdoor.Dalsk created files:

%System%\Setup\wuauclt1.exe
%System%\rshx16.bak
%System%\rshx16.dll
%System%\Setup\hid32.log
%System%\scardclt.exe
%System%\drivers\ipcdr.sys
%System%\drivers\ipcdr.bak
%System%\ntmsapi16.dll
%System%\igxpgb32.dll
%System%\drivers\irpfit.sys
%System%\drivers\irpfit.bak
%System%\hid32.dll
%System%\hid32.bak
%System%\incs.exe
%System%\msvfw16.dll
%System%\dmome.dll

• Re-enable system restore (Windows ME/ XP) - Click Start, right-click My Computer,  then click Properties. Click the System Restore tab, clear the Turn off System Restore or Turn off System Restore on all drives check box.Click OK.

• Restart and boot under normal mode

• Update AV definition files

• Run Anti-Virus full system scan

Variant: W32.Rotinom [Symantec], Trojan.Win32.Agent2.ldt [Kaspersky], Trojan:Win32/Folstart.A [Microsoft], TR/Agent2.ldt.36 [Avira]

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows XP, Windows Vista, Windows 7

W32.Rotinom is a computer worm that copies itself and spreads via removable drives or network shared drives.
How does it propagates?
The worm makes copies of itself using the folder names found on the root directory of the targeted removable or network drives, adds an “EXE” file extension, then it sets the infected folder attribute settings to hidden. Be wary, the hidden malware executable icon is cleverly disguised as a typical windows folder.

Step by step manual removal guide:

• Disable system restore (Windows ME and XP users only)

• Reboot and login under safe mode with networking (Press the F8 key on Windows boots up)

• Show hidden files and folders – Open my computer, click folder options and choose view tab. Tick show hidden files and folders, untick hide protected operating system files.

• Navigate and delete W32.Rotinom created files:

• Navigate and restore the following registry entries to their original values: (Click Start → run → type regedit → click OK)

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Update Anti-Virus definition files

• Run Anti-Virus full system scan

• Re-enable system restore (Windows ME and XP users only)

• Reboot and login under normal mode

Variant: Trojan.Karagany

Operating Systems Affected: Windows 9x, 2000, XP, Server 2003, Vista, 7

Trojan.Karagany is a computer trojan horse that bypasses normal authentication process of the Windows Operating System thus, manipulates its way into accessing the system without being detected. The backdoor trojan has the potential of being destructive and could compromise any confidential data stored on your computer. If you’re infected with it, follow the steps indicated below to manually remove the trojan.

Step by step manual removal guide:

• Temporarily disable system restore (Windows ME/ XP) Click Start, right-click My Computer then click Properties. Click the System Restore tab, select Turn off System Restore or Turn off System Restore on all drives check box. Click OK.

• Reboot and login under safe mode with networking – While booting, press and hold the F8 Key.On the Windows Advanced Options Menu use arrow keys to move and choose Safe Mode with Networking then press Enter key.

• Show hidden files and folders - Open my computer, click folder options and choose view tab. Tick show hidden files and folders, untick hide protected operating system files.

• Navigate and delete the Trojan.Karagany created files:

• Navigate and delete the Trojan.Karagny created folder:

%ProgramFiles%\Common Files\WmiModules

• Navigate and delete the Trojan.Karagany registry added values: (Start → run → type regedit → OK)

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Re-enable system restore (Windows ME/ XP) - Click Start, right-click My Computer,  then click Properties. Click the System Restore tab, clear the Turn off System Restore or Turn off System Restore on all drives check box.Click OK.

• Update AV definition files

• Run Anti-Virus full system scan

• Restart and boot under normal mode

Variant: TROJ_FAKEAV.WKA [Trend Micro], Rogue:Win32/FakeSpypro [Microsoft]

Operating Systems Affected: Windows 9x, Windows 2000, Windows XP, Windows Vista, Windows 7

TROJ_FAKEAV.WKA is a Trojan that disguises itself as a legitimate Anti-Virus program. The fake AV application will connect to a website then downloads the core component of the trojan which is TROJ_FAKEAV.WKA. Once the system is infected, the said malware will display a fake scan result showing you that you have  multiple virus infection. After that, it gives you the option to purchase the software to be able to remove the pseudo infection. If you click on purchase, you will be redirected to particular website asking you to enter credit card information. Don’t be deceive, do not buy the fake Anti-Virus program!

• Disable system restore (Windows ME and XP only)
• Reboot and login under safe mode with networking
• Navigate and delete the Trojan added registry values:

• Navigate and restore the original registry values:

• Navigate and delete this registry key:

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

Windows XP Registry Backup
Windows 7 Registry Backup

Variant: Adware.Magoo

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows Vista, Windows XP, Windows 7

[Image shown above is not the actual Adware.Magoo pop ups but is just an example of the annoying pop up windows that we constantly encounter on the web]

Adware.Magoo is not a virus, trojan or a worm – it is an adware program that displays annoying pop up ads while surfing the web.

What is an Adware?
Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. [Source: Wikipedia]

Step by step manual removal guide:

• Disable system restore (Windows ME, XP users only)

• Reboot and login under safe mode with networking (Press the F8 key on Windows boots up)

• Delete temporary internet files

(IE 8 → Safety menu → delete browsing history → tick temporary internet files, cookies, and history → delete)

(Firefox→ tools menu → select clear recent internet history/ cookies → drop-down menu → select the desired range → click clear now)

• Show hidden files and folders (Open my computer, click folder options and choose view tab. Tick show hidden files and folders, untick hide protected operating system files.)

• Delete the following infected files:

• Delete the infected registry key: (Start → run → type regdit → navigate to the listed entry and delete)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”Mightymagoo” = “%ProgramFiles%\Mighty Magoo\mightymagoo32.exe a”

• Delete the following infected registry values:

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Update Anti-Malware definition files

• Run Anti-Malware full system scan

• Re-enable system restore (Windows ME, XP users only)

• Reboot and login under normal mode

Variant: Infostealer.Spunst

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows XP, Windows Vista, Windows 7

Infostealer.Spunst is a Trojan horse that is primarily designed to steal personal confidential information on a compromised computer.

A Trojan horse, or Trojan, is a malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user’s computer system.[source: Wikipedia]

Step by step manual removal guide:

• Temporarily disable system restore (Windows ME/ XP) Click Start, right-click My Computer then click Properties. Click the System Restore tab, select Turn off System Restore or Turn off System Restore on all drives check box. Click OK.

• Reboot and login under safe mode with networking – While booting, press and hold the F8 Key.On the Windows Advanced Options Menu use arrow keys to move and choose Safe Mode with Networking then press Enter key.

• Show hidden files and folders - Open my computer, click folder options and choose view tab. Tick show hidden files and folders, untick hide protected operating system files.

• Navigate and delete Infostealer.Spunst infected files:

%UserProfile%\Application Data\colectinf.tag
%UserProfile%\Application Data\dllcache32.exe

• Navigate and delete Infostealer.Spunst registry added value: Start → run → type regedit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”NoDriveTypeAutoRun” = “dllcache32.exe”

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Re-enable system restore (Windows ME/ XP) - Click Start, right-click My Computer,  then click Properties. Click the System Restore tab, clear the Turn off System Restore or Turn off System Restore on all drives check box.Click OK.

• Update AV definition files

• Run Anti-Virus full system scan

• Restart and boot under normal mode

Variant: Trojan.Bohu

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows XP, Windows Vista, Windows 7

Trojan.Bohu is a recently discovered Trojan horse dated January 19, 2011. The malware is primarily designed to disable cloud based Antivirus software and its corresponding web dependent service. It proliferates through social networking sites by sharing the download link of the trojan, a bogus video playback application as shown in the image above.

The Trojan.Bohu threat is acknowledged as the first of its kind that targets cloud-based antivirus application but definitely not the last one.

A Trojan horse, or Trojan, is a malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access of the user’s computer system. [source: Wikipedia]

Step by step manual removal guide:

• Temporarily disable system restore [Windows ME / XP only]
• Reboot and login under safe mode with networking
[Press the F8 key on Windows boots up]
• Temporarily show hidden files and folders
[My Computer → Tools → Folder Options → View Tab → Tick show hidden folders, files and drives → Untick hide operating systems files → OK]
• Navigate and delete the Trojan.Bohu created files:


• Navigate and delete the Trojan.Bohu created registry key:
[Click Start → run → type regedit → click OK]

• Navigate and delete the Trojan.Bohu created registry subkeys:

• Navigate and restore the original registry value:

Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!

Windows XP Registry Backup
Windows 7 Registry Backup

• Update Antivirus definition files
• Run Antivirus full system scan
• Restore hidden files and folders settings
[My Computer → Tools → Folder Options → View Tab → untiick show hidden folders, files and drives → tick hide operating systems files → OK]
• Re-enable system restore [Windows ME / XP only]
• Reboot and login under normal mode

Variant: TROJ_RANSOM.QOWA [Trojan Ransomware]

Operating Systems Affected: Windows 2000, Windows 9x, Windows Me, Windows NT, Windows Server, Windows XP, Windows Vista, Windows 7

TROJ_RANSOM.QOWA is the latest ransomware trojan that has been detected by Trend Micro.  The malware threat is consistently on the rise and getting to be more destructive by the day than the previous variant of the trojan.

Ransomware is computer malware which holds a computer system, or the data it contains, hostage against its user by demanding a ransom for its restoration. [source: Wikipedia.org]

Once your system is infected with the Trojan ransomware, it displays an image as shown above which locks the user’s desktop thus preventing access to the computer.  At the same time, the malware provides a paid access number to dial for sms communication. Don’t send any sms to the listed number! Don’t be scammed by this ransomware blackmail!

Step by step manual removal guide:

• Disable system restore [Windows XP and ME]
• Boot from Windows Installation CD

• Remove the Windows Install CD
• Restart Windows and boot under normal mode
• Navigate and restore the original registry value:

{Disclaimer: Registry modification is done at your own risk!}

• Update Anti-Virus Definiton files
• Run an Anti-Virus full system scan
• Re-enable system restore [Windows XP and ME]
• Restart the computer

Variant: Trojan.Ransomlock.F

Operating Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

WARNING!

You surfed gay porn videos for three hours.
The free viewing time has expired.

To pay for the service, you need to make an online payment through the Beeline system to 9646280479 for the amount of $400 USD.

Upon receipt of the payment you will be given an activation code.
Enter it in the box below and press Enter.

[message shown above is a Russian to English translated text from the actual Trojan.Ransomlock.F pop up screen image]

Trojan.Ransomlock.F is a newly discovered Trojan horse (December 20, 2010) that locks PC user’s desktop thus making it unusable. First, the  malware adds a registry value to make itself load up every time Windows boots up. Once it’s activated it will stop running programs and processes making the operating system unstable. Then, it will disable the keyboard and mouse functionalities. Finally, it then displays the image with a message in Russian context and a lewd picture at the bottom right portion of the image.

Follow the listed steps below to remove Trojan.Ransomlock.F infection:

• Disable system restore (Windows ME and Windows XP users only)

• Boot to Safe Mode with Networking (press the F8 key before the Windows Logo appears then choose safe mode with networking → hit enter → and login on an account with Administrator credentials)

• Show hidden files and folders (My Computer → Tools → Folder Options → View Tab → Tick show hidden folders, files and drives → Untick hide operating systems files → OK)

• Navigate and Delete the Trojan.Ransomlock.F file

%UserProfile%\15886941\15886941.exe

• Navigate and Delete the Trojan.Ransomlock.F added registry key (Start → run → regedit → navigate and delete the listed registry entry)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\”15886941″ = “%UserProfile%\15886941\15886941.exe

• Update anti-virus definition files

• Run a full anti-virus system scan

• Re-enable System Restore (Windows ME and Windows XP users only)

• Restart the computer

Variant: Backdoor.Riken

Operating Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Backdoor.Riken is a malicious Trojan that exploits Adobe Acrobat PDF vulnerability. Once the Trojan is activated, it will try to download and install other malware files to the already infected system. The Trojan then edits the registry to add itself to the startup list, so that every time Windows boots up, it automatically starts as well. Backdoor.Riken’s main objective is to embed snippets or coded scripts to steal PC users confidential account log-in information from online banking sites.

Step by step instructions on manual removal of  Backdoor.Riken :

• Disable system restore (Windows ME and Windows XP users only) Right click My Computer → Properties → System Restore tab → Tick  turn off system restore on all drives box → Restart Computer

• Boot to Safe Mode (Press the F8 key before the Windows Logo appears then log in on an account with administrator credentials)

• Show hidden files and folders (My Computer → Tools → Folder Options → View Tab → Tick show hidden folders, files and drives → Untick hide operating systems files → OK)

• Delete Backdoor.Riken created files:

%System%\svcvc.exe
%System%\UsbStorageLog.txt

• Delete Backdoor.Riken added registry values: (Start → run → regedit → navigate and delete the listed registry entries)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”SamPs” = “C:\WINDOWS\system32\svcvc.exe”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy \StandardProfile\AuthorizedApplications\List\”C:\WINDOWS\system32\svcvc.exe”  = “C:\WINDOWS\system32\svcvc.exe:*:Enabled:svcvc.exe”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Window\”monstate” = “ID”

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Window\”KeyKill” = “ID”

{Disclaimer: Registry modification is done at your own risk. Backup the registry before making any changes!}

• Update anti-virus definition files

• Run anti-virus full system scan

• Re-enable System Restore (Windows ME and XP users only) Right click My Computer → Properties → System Restore tab → Untick  turn off system restore on all drives box.

• Restart the computer