Symptoms
Presence of the following entries in the registry:
- HKCR\retro64_loader.R64Loader
- HKCR\retro64_loader.R64Loader.1
- HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}
- HKCR\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}
- HKCR\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293}
For the registry key HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}, the subkey InProcServer32\(Default) is set to the full path of the trojan.
For example, one can have
HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}\InProcServer32\(Default) = %Windir%\System32\aaa.dll
where aaa.dll is Trojan.Downloader.3069.A.
NOTE:
- by HKCR we mean HKEY_CLASSES_ROOT
- the entries above can be searched for using the regedit utility (open Start->Run, type regedit).
Removal instructions:
Please boot your machine in Safe Mode and perform the following:
1. Check the following registry entry (by using regedit or any registry editing utility):
- HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}\InProcServer32\(Default)
Its value is the full path to the trojan.
Please delete that file.
2. Delete the following registry entries (by using regedit or any registry editing utility):
- HKCR\retro64_loader.R64Loader.1
- HKCR\retro64_loader.R64Loader
- HKCR\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}
- HKCR\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}
- HKCR\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293}
After these steps, please reboot your machine in Normal mode and perform a full system scan.
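The check and the removal steps above can be scripted so that the indicators are verified and the DLL path (and its hash) is recorded before anything is deleted. The following PowerShell script is an added example, not part of the original advisory or of any vendor tool; it assumes an elevated PowerShell session on the affected Windows machine (booted into Safe Mode for the removal part) and that it is saved under a file name of your choosing, for instance Check-R64Loader.ps1 (a hypothetical name). Without the -Remove switch it only reports what it finds; with -Remove it deletes the file and the registry keys in the order the instructions give, and it honours -WhatIf.

```powershell
# Added example (not from the original advisory): check for the
# Trojan.Downloader.3069.A registry indicators listed above and,
# with -Remove, delete them as the removal instructions describe.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Indicator keys taken from the advisory (HKCR = HKEY_CLASSES_ROOT).
$clsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{288C5F13-7E52-4ADA-A32E-F5BF9D125F99}'
$indicatorKeys = @(
    'Registry::HKEY_CLASSES_ROOT\retro64_loader.R64Loader.1',
    'Registry::HKEY_CLASSES_ROOT\retro64_loader.R64Loader',
    $clsidKey,
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{C7F00A9A-F1BC-436E-82C7-E8CAE6FD67F7}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{450B9E4D-4014-4DE3-B34E-014A81468293}'
)

# Symptom check: report every indicator key that exists.
$found = @()
foreach ($key in $indicatorKeys) {
    if (Test-Path -LiteralPath $key) {
        Write-Warning "Indicator present: $key"
        $found += $key
    }
}

if ($found.Count -eq 0) {
    Write-Host 'None of the Trojan.Downloader.3069.A registry indicators were found.'
    return
}

# Step 1: InProcServer32\(Default) under the CLSID key holds the full path to
# the trojan DLL. Expand %Windir%-style variables before touching the file.
$inproc  = "$clsidKey\InProcServer32"
$dllPath = $null
if (Test-Path -LiteralPath $inproc) {
    $raw = (Get-ItemProperty -LiteralPath $inproc -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    if ($raw) {
        $dllPath = [Environment]::ExpandEnvironmentVariables($raw)
        Write-Warning "InProcServer32 default value points to: $dllPath"
        if (Test-Path -LiteralPath $dllPath) {
            # Record the hash before deletion so the sample can be identified later.
            $hash = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
            Write-Host "SHA256 of $dllPath : $hash"
        }
    }
}

if (-not $Remove) {
    Write-Host 'Run again with -Remove (from Safe Mode) to delete the file and the registry entries.'
    return
}

# Step 1 (continued): delete the DLL; step 2: delete the registry entries.
if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
    if ($PSCmdlet.ShouldProcess($dllPath, 'Delete trojan DLL')) {
        Remove-Item -LiteralPath $dllPath -Force
    }
}
foreach ($key in $found) {
    if ($PSCmdlet.ShouldProcess($key, 'Delete registry key')) {
        Remove-Item -LiteralPath $key -Recurse -Force
    }
}
```

Run it once without arguments to confirm the infection and note the hash, then `.\Check-R64Loader.ps1 -Remove -WhatIf` to preview, and `.\Check-R64Loader.ps1 -Remove` from Safe Mode to carry out the removal; a full system scan after the reboot, as the instructions say, remains necessary because the registry keys only identify the loader component.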
Analyzed By
Dan Lutas, virus researcher