Friday, December 4, 2009

Trojans: Removal Part 1

SMC.EXE

Symantec: Infostealer.Ebod:


First seen in September 2009, this Trojan runs on almost any Windows version and in almost any environment. It does little direct damage to the system; instead it opens a backdoor through which the information it collects is sent to a web server over HTTP. It enters the computer when the user downloads applications from unknown websites. Once executed, it copies itself into the "C:\WINDOWS\System" folder and creates a registry entry so that this copy is started at every system boot. It also drops a copy in the %temp% folder, where the file name can be anything. When the computer is connected to the Internet, the Trojan uploads its saved log file, containing administrator account details and passwords, to the server; heavy network activity can be observed during this phase. With the administrator credentials the attacker can reach any directory on the computer. The Trojan also steals Internet Explorer and Mozilla Firefox cookies. Updated variants can be expected shortly, so it should be removed as soon as possible. Here are the removal instructions for this backdoor.

Manual instructions to remove smc.exe:

  1. Begin with the registry. Restart the computer in Safe Mode first; once in Safe Mode, go to Start --> Run and type "regedit" to open the Registry Editor.
  2. In the Registry Editor, navigate to the following key

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

    In the right-hand pane, find the following value and delete it
    "smc = %System%\smc.exe"
  3. Once the value is removed, reboot into Safe Mode again and delete the file "C:\WINDOWS\System\smc.exe". Depending on the Windows version the file may instead be in "C:\WINDOWS\System32" (%System% is System32 on NT-based Windows such as 2000 and XP, and System on 95/98/ME). It may also be hidden. Open a Command Prompt, type "attrib -r -a -s -h C:\WINDOWS\System\smc.exe" and press Enter to clear the read-only, archive, system and hidden attributes; the file can then be deleted normally.
  4. The Trojan will not run again unless you download and execute it once more, or run a suspicious application from your %temp% folder. Go to Start --> Run, type "%temp%" in the box, and delete all the files and folders in that directory (any files locked by programs that are still running can be skipped).
  5. You are now free of the Trojan. Remember not to download suspicious files from unknown websites again.
Posts that might help you here:

Enabling Safe Mode booting, enabling the Registry Editor, enabling the hidden files and folders option, and enabling the Command Prompt.
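The registry and file steps above, as an added PowerShell example that is not part of the original post: it audits the per-user and per-machine Run keys for a value that starts the named executable, reports the dropped file together with its attributes and SHA-256 hash, lists executable content left in %temp%, and deletes nothing unless -Remove is given. The name smc.exe and the System/System32 locations are taken from the text; the function names and the -Remove switch are this example's own assumptions. It needs PowerShell 4 or later (for Get-FileHash) and should be run elevated in Safe Mode.

```powershell
# Added example, not code from the original post. Assumptions: the suspect file name is
# passed in (smc.exe as described above); nothing is deleted without -Remove.

function Find-RunKeyAutorun {
    param([Parameter(Mandatory)][string]$Suspect)
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # PSPath, PSParentPath and friends are provider metadata, not registry values
            if ($p.Name -like 'PS*') { continue }
            if ("$($p.Value)" -match [regex]::Escape($Suspect)) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

function Find-TempExecutables {
    # Step 4 above deletes everything in %temp%; listing executable content first shows what was dropped.
    Get-ChildItem -LiteralPath $env:TEMP -Force -Recurse -Include *.exe, *.dll, *.scr, *.bat -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Remove-Autorun {
    param([Parameter(Mandatory)][string]$Suspect, [switch]$Remove)

    foreach ($hit in Find-RunKeyAutorun -Suspect $Suspect) {
        Write-Host "Autorun value: $($hit.Key)\$($hit.Name) = $($hit.Value)"
        if ($Remove) { Remove-ItemProperty -Path $hit.Key -Name $hit.Name }
    }

    # The dropped copy sits in %windir%\System on 95/98/ME and in System32 on NT-based
    # Windows; the post says it may be hidden, so Get-Item needs -Force to see it.
    $candidates = @("$env:windir\System\$Suspect", "$env:windir\System32\$Suspect")
    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $file = Get-Item -LiteralPath $path -Force
        # Record a hash before deleting so the sample can still be identified afterwards.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Host ("File: {0}  attributes={1}  size={2}  sha256={3}" -f $path, $file.Attributes, $file.Length, $hash)
        if ($Remove) {
            $file.Attributes = 'Normal'   # same effect as attrib -r -a -s -h
            Remove-Item -LiteralPath $path -Force
        }
    }

    Write-Host "Executable content in ${env:TEMP}:"
    Find-TempExecutables | Format-Table -AutoSize
}

# Dry run first; repeat with -Remove once the output looks right.
Remove-Autorun -Suspect 'smc.exe'
# Remove-Autorun -Suspect 'smc.exe' -Remove
```

In Safe Mode the Run key is not processed, so the file is not locked by a running copy and the delete succeeds; on a normally booted system end the process first. The %temp% listing is there so you can see what was dropped before step 4's blanket delete removes the evidence.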


NTOS.EXE

McAfee: PWS-Zbot:

This Trojan was first seen in 2007, but an updated version has recently been spreading widely. When executed, it immediately drops a file named "ntos.exe" into the "C:\WINDOWS\System32" folder along with a few DLLs. It adds registry entries so that it runs at every system start-up, and further entries so that it can connect to the Internet from a separate user profile, which also lets it get past the firewall. To achieve this it adds registry values under the Network, Explorer and Internet Settings keys. It records the keystrokes typed on the computer, and once a batch of keystrokes has been collected it connects to its server and uploads the log. This makes the computer unsafe for handling any personal information such as online banking. The Trojan is also reported to stop several applications from running, including anti-virus programs, firewalls and other programs that would get in its way. Future updates may add the ability to take screenshots, so it is better to remove it before that happens. The removal instructions follow.

Manual instructions to remove ntos.exe:

  1. Start the system in Safe Mode. Then go to Start-->Run and type "regedit". In the Registry Editor, navigate to the following key and modify the value described below

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    In the right-hand pane, look for the string value named "Userinit". Open it and remove the "%WINDIR%\system32\ntos.exe" entry (that is, C:\WINDOWS\system32\ntos.exe) from it, leaving the legitimate entry in place. On Windows XP the value should then look like this

    C:\WINDOWS\system32\userinit.exe,

    Do not delete the userinit.exe entry or clear the value entirely; without it Windows cannot complete a logon.

  2. Now delete the following values from these keys (the Explorer value is binary data, not a string)

    o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
    + UID = "%ComputerName%"

    o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
    + {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D

    o [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    + ProxyEnable = 0x00000000

  3. Then reboot into Safe Mode once again and, using Windows Explorer, delete the file "C:\WINDOWS\System32\ntos.exe".
  4. Unregister (regsvr32 /u) and delete the following DLLs, along with the "wsnpoem" folder that holds them. If regsvr32 reports that a file is not a valid COM server, simply delete it: these files are the Trojan's encrypted configuration and its store of stolen data, not loadable system libraries.
    C:\WINDOWS\System32\wsnpoem\audio.dll
    C:\WINDOWS\System32\wsnpoem\video.dll

  5. Now restart the computer. You have successfully deleted the Trojan.
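The Userinit repair in step 1 and the value deletions in step 2, as an added PowerShell example that is not part of the original post. Userinit is a comma-separated list of programs Winlogon starts at logon, and the Trojan appends its own path after userinit.exe; the script removes only the entry matching the suspect name and refuses to write a value that no longer contains userinit.exe, because that would leave the machine unable to log on. The name ntos.exe and the three registry values come from the text above; the function names and the -Apply switch are this example's assumptions. Run elevated in Safe Mode.

```powershell
# Added example, not code from the original post. Dry run by default; -Apply writes changes.

function Repair-Userinit {
    param([string]$Suspect = 'ntos.exe', [switch]$Apply)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $current = (Get-ItemProperty -Path $key -Name Userinit).Userinit
    Write-Host "Current Userinit: $current"

    # Userinit is a comma-separated list; Winlogon starts every entry at logon.
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    $keep    = @($entries | Where-Object { $_ -notmatch [regex]::Escape($Suspect) })

    if ($keep.Count -eq $entries.Count) {
        Write-Host "No entry matching $Suspect found; nothing to do."
        return $current
    }
    # Safety check: a Userinit without userinit.exe leaves the machine unable to log on.
    if (-not ($keep -match 'userinit\.exe')) {
        throw "Refusing to write a Userinit value without userinit.exe (current: '$current')"
    }
    $clean = ($keep -join ',') + ','      # Windows' own default keeps a trailing comma
    Write-Host "Cleaned Userinit: $clean"
    if ($Apply) { Set-ItemProperty -Path $key -Name Userinit -Value $clean }
    return $clean
}

function Remove-ZbotRegistryValues {
    param([switch]$Apply)
    # Values listed in step 2 above. HKEY_USERS is reached through the Registry:: provider path.
    $values = @(
        @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network'
           Name = 'UID' },
        @{ Key  = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer'
           Name = '{F710FA10-2031-3106-8872-93A2B5C5C620}' },
        @{ Key  = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
           Name = 'ProxyEnable' }
    )
    foreach ($v in $values) {
        $name = $v.Name
        $item = Get-ItemProperty -Path $v.Key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { Write-Host "Absent:  $($v.Key)\$name"; continue }
        Write-Host "Present: $($v.Key)\$name = $($item.$name)"
        if ($Apply) { Remove-ItemProperty -Path $v.Key -Name $name }
    }
}

# Dry run; repeat with -Apply to write the changes.
Repair-Userinit
Remove-ZbotRegistryValues
```

Read the "Cleaned Userinit" line before re-running with -Apply; if anything other than userinit.exe remains in the list that you do not recognise, investigate it before rebooting, since whatever is left there runs at every logon.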


USB_MAGR.EXE

Bit Defender: Backdoor.IRCBot.ACTN:

Discovered in August 2009, this is a backdoor Trojan that enters the computer through removable drives or through the Internet when you download unknown programs. It poses as a Universal Serial Bus service and immediately disables the anti-virus or the firewall so that the user does not notice what the system is going through. Like many other viruses it drops a copy of itself into the "C:\WINDOWS\" directory, from where it is run at every startup; to make sure of this it creates a registry entry when it is first run on the system. It names itself "usb_magr.exe" so that it goes unnoticed among the many legitimate USB-related services. It may also inject itself into other processes, such as services.exe, which is an easy target. To avoid detection by anti-virus products the Trojan is encrypted (packed), so its real code cannot be inspected directly. Whenever a removable disk is connected, a copy of "usb_magr.exe" is written into the disk's "Recycler" folder, where it is unlikely to be noticed, and, like other pen-drive viruses, it creates an autorun.inf whose contents point to the copy in the Recycler folder. It opens a channel to a server or web address from which it can be controlled and to which it uploads information about the system; it also uses this server to update itself, which is why it must be removed immediately. The damage it can do is unpredictable and can extend to crashing the computer. Here are the removal instructions for this backdoor Trojan.

Manual instructions to remove usb_magr.exe:

  1. Start with the registry, to stop the virus from launching at startup. Reboot the system in Safe Mode first.
  2. Go to Start-->Run and type "regedit". Navigate to the following key

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the right-hand pane, look for a value named "Universal Serial Bus device" whose data contains "usb_magr.exe". If you find it, delete that value (not the Run key itself).

  3. To be sure nothing else references it, press Ctrl+F and search for "usb_magr.exe". If any entry is found, remove the path of the virus from it, then close the Registry Editor.
  4. Go to Start-->Run and type "Services.msc", and look for a service named "Universal Serial Bus device" whose path points to "usb_magr.exe". Stop it if it is running. Then open Task Manager and, in the Processes tab, look for the process "usb_magr.exe" and end it if it is present.
  5. Reboot for the changes to take effect, then use Windows Explorer to navigate to "C:\WINDOWS\" and delete the file "usb_magr.exe". Also go to "C:\RECYCLER\{directory}" and delete any file associated with the Trojan. Do the same for every removable drive that has been plugged into the infected computer: delete the autorun.inf in its root and the copy of "usb_magr.exe" in its Recycler folder, otherwise the next time the drive is connected it will reinfect the system.
  6. Restart once more for the changes to take effect. When the computer comes back up, re-enable your anti-virus and firewall. Congratulations, you have got rid of the virus.

Posts that might help you:
Enable Safe mode booting, enable Registry
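The process, service and removable-drive steps above, as an added PowerShell example that is not part of the original post. Rather than guessing the RECYCLER path, it reads each removable drive's autorun.inf and follows the open=, shellexecute= and shell\...\command= directives to the file they launch, which is the same file the text describes as the hidden copy. The names "usb_magr.exe" and "Universal Serial Bus device" come from the description above; the function names and the -Apply switch are this example's own. Run elevated; nothing is changed without -Apply.

```powershell
# Added example, not code from the original post. Assumptions: the executable and service
# display name are those described above; removable drives are DriveType 2.

function Stop-SuspectProcessAndService {
    param([string]$Exe = 'usb_magr.exe',
          [string]$ServiceName = 'Universal Serial Bus device',
          [switch]$Apply)
    $base = [IO.Path]::GetFileNameWithoutExtension($Exe)
    foreach ($proc in Get-Process -Name $base -ErrorAction SilentlyContinue) {
        Write-Host ("Process {0} pid={1} path={2}" -f $proc.Name, $proc.Id, $proc.Path)
        if ($Apply) { Stop-Process -Id $proc.Id -Force }
    }
    # Match by the display name the post gives, or by an image path that references the file
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ($svc.DisplayName -eq $ServiceName -or $svc.PathName -match [regex]::Escape($Exe)) {
            Write-Host ("Service {0} ({1}) state={2} path={3}" -f $svc.Name, $svc.DisplayName, $svc.State, $svc.PathName)
            if ($Apply) {
                Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
                & sc.exe delete $svc.Name | Out-Null
            }
        }
    }
}

function Get-AutorunTargets {
    # Parse the [autorun] directives that launch a program: open=, shellexecute=, shell\<verb>\command=
    param([Parameter(Mandatory)][string]$InfPath)
    $targets = @()
    foreach ($line in Get-Content -LiteralPath $InfPath -Force) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$') {
            $targets += $matches[2]
        }
    }
    return $targets
}

function Remove-AutorunPayload {
    param([Parameter(Mandatory)][string]$Root, [switch]$Apply)
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { Write-Host "$Root : no autorun.inf"; return }
    Write-Host "$Root : autorun.inf present"
    foreach ($t in Get-AutorunTargets -InfPath $inf) {
        # Strip quotes and arguments so 'RECYCLER\S-1-5-...\usb_magr.exe -x' resolves to the file itself
        $rel  = (($t -replace '"', '') -split '\s+') | Select-Object -First 1
        $full = Join-Path $Root $rel
        Write-Host ("  launches {0}  exists={1}" -f $full, (Test-Path -LiteralPath $full))
        if ($Apply -and (Test-Path -LiteralPath $full)) {
            (Get-Item -LiteralPath $full -Force).Attributes = 'Normal'   # clear hidden/system
            Remove-Item -LiteralPath $full -Force
        }
    }
    if ($Apply) {
        (Get-Item -LiteralPath $inf -Force).Attributes = 'Normal'
        Remove-Item -LiteralPath $inf -Force
    }
}

# Dry run over every removable drive; add -Apply to both calls to act.
Stop-SuspectProcessAndService
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
    Remove-AutorunPayload -Root ($d.DeviceID + '\')
}
```

Plug each drive in with AutoPlay disabled (or hold Shift while inserting it) so the autorun.inf is not processed before the script reads it, and repeat for every stick that was used on the infected machine; one missed drive brings the infection back.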
