February 29, 2008

How to remove Trojan Backdoor.Robofo.A ?


1.Disable System Restore (Windows Me/XP).

2. Update the virus definitions.

3.Backup your system registry.

4.Restart your system in safe mode.

5. Run a full system scan.

6. Delete these values added to theregistry.

NB: Use this Symantec
Tool to reset shell\open\command registry keys if regedit (Registry editor)is not accessible .
1. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A9A3D40-2F32-45BF-9A89-AC9ED6C2FEDF}
2. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51435758-75D7-45FC-A91A-C84DF4ECF725}
3. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53A95719-7741-457D-8811-519C106E7B92}
4. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{695FB128-85C1-4DF3-A2BE-3123D13E2564}
5. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7455CC38-FC70-4785-9551-15FA0F5DBC98}
6. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83C7431A-035A-4D1E-8BD8-7FD2F78EE762}
7. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A934AEE3-8896-485F-8A55-ACF2A87BD010}
8. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2A74106-0416-43D8-8FE8-833E9AD098EA}
9. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.Cert
10. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.Cert.1
11. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.CertChain
12. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.CertChain.1
13. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.CertColl
14. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.CertColl.1
15. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.CertStore
16. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.CertStore.1
17. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.CreateCS
18. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.CreateCS.1
19. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.KeyContainer
20. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.KeyContainer.1
21. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.PrivateKey
22. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.PrivateKey.1
23. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.PublicKey
24. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Chilkat.PublicKey.1
25. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.ChilkatCert
26. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.ChilkatCert.1
27. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.ChilkatCertChain
28. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.ChilkatCertChain.1
29. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.ChilkatCertColl
30. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.ChilkatCertColl.1
31. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.ChilkatCertStore
32. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.ChilkatCertStore.1
33. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.ChilkatCreateCS
34. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.ChilkatCreateCS.1
35. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.KeyContainer
36. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.KeyContainer.1
37. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.PrivateKey
38. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.PrivateKey.1
39. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.PublicKey
40. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChilkatCertificate.PublicKey.1
41. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06544919-F559-4AE5-9001-F903BD8A84E6}
42. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3296199A-B3A0-4AF1-8673-3F76C5FD6FD5}
43. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5CE8D2B6-FDE7-41D1-B563-B8E03EE008B9}
44. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{811AA1E0-4C88-4274-AABB-F8D171444D52}
45. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AC4A4CB2-140B-402B-822B-455EEA0A9976}
46. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C4C23B78-DB98-444C-B601-DCAC6EBBEC54}
47. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D338B7B4-0478-448E-AFC3-D005E6DFE790}
48. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D56C1AF1-3FDE-471C-9BC2-C52515F260C1}
49. HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2138BF27-7383-435B-A6F5-89B1DEAB2130}
50. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
51. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMSELSERVICE
52. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMSELSERVICE\0000
53. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMSELSERVICE\0000\Control
54. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMSELService
55. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMSELService\Enum
56. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WMSELService\Security
57. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMSELSERVICE
58. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMSELSERVICE\0000
59. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMSELSERVICE\0000\Control
60. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSELService
61. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSELService\Enum
62. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSELService\Security
63. HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
64. HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\c
65. HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID
66. HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
67. HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
68. HKEY_ALL_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
69. HKEY_ALL_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\c
70. HKEY_ALL_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID
71. HKEY_ALL_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
72. HKEY_ALL_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon

Restore these values if required

1. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\inf\svchost\"svchost.exe" = "C:\WINDOWS\inf\svchost\svchost.exe:*:Enabled:svchost"
2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\inf\svchost\"svchost.exe" = "C:\WINDOWS\inf\svchost\svchost.exe:*:Enabled:svchost"
3. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"
4. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"

No comments: