July 19, 2008

How to remove Trojan Backdoor.Lancafdo?

Trojan Backdoor.Lancafdo creates a backdoor on the infected system that performs an HTTP POST operation to a remote site. The trojan registers itself in the registry as a service with the display name "Microsoft security update service" and copies itself to the %System% folder as mssrv32.exe. It also injects malicious code into the running Windows process %System%\svchost.exe.
How to remove Trojan Backdoor.Lancafdo?

1. Perform the standard procedure for virus removal.

2. Edit the Windows registry and remove the following registry entries (the msupdate service subkey with its values, and the DisableRawSecurity value under AFD\Parameters):

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate\"Type" = "00000010"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate\"Start" = "00000002"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate\"ImagePath" = "%System%\mssrv32.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate\"ErrorControl" = "00000000"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate\"DisplayName" = "Microsoft security update service"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate\"Description" = "This service downloading and installing Windows security updates"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AFD\Parameters\"DisableRawSecurity" = "00000001"
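The following PowerShell script is an added example, not part of the original post: it audits a machine for the artifacts listed above (the msupdate service key, the AFD DisableRawSecurity value, and the dropped mssrv32.exe) and removes them only when run with a -Remove switch of its own. It assumes an elevated prompt and PowerShell 4 or later (for Get-FileHash), and it checks both ControlSet001 (as written in the post) and CurrentControlSet, which normally resolves to the same control set.

```powershell
# Added example: audit and optionally clean Backdoor.Lancafdo persistence artifacts.
# Without -Remove the script only reports what it finds.
param([switch]$Remove)

$systemDir = [Environment]::SystemDirectory      # expands the %System% folder
$exePath   = Join-Path $systemDir 'mssrv32.exe'  # dropped binary named in the post
$hives     = @('HKLM:\SYSTEM\ControlSet001', 'HKLM:\SYSTEM\CurrentControlSet')
$findings  = @()

if ($Remove) {
    # Stop the service first so the binary is not locked; ignore errors if absent.
    Stop-Service -Name 'msupdate' -Force -ErrorAction SilentlyContinue
}

foreach ($cs in $hives) {
    # 1. Service registration: the trojan installs itself as service "msupdate".
    $svcKey = "$cs\Services\msupdate"
    if (Test-Path $svcKey) {
        $props = Get-ItemProperty -Path $svcKey
        $findings += [pscustomobject]@{
            Type   = 'ServiceKey'
            Path   = $svcKey
            Detail = "DisplayName='$($props.DisplayName)' ImagePath='$($props.ImagePath)'"
        }
        if ($Remove) { Remove-Item -Path $svcKey -Recurse -Force }
    }

    # 2. AFD parameter the trojan sets to relax raw-socket security.
    $afdKey = "$cs\Services\AFD\Parameters"
    if (Test-Path $afdKey) {
        $afd = Get-ItemProperty -Path $afdKey -ErrorAction SilentlyContinue
        if ($null -ne $afd.DisableRawSecurity) {
            $findings += [pscustomobject]@{
                Type   = 'AfdValue'
                Path   = "$afdKey\DisableRawSecurity"
                Detail = "value=$($afd.DisableRawSecurity)"
            }
            if ($Remove) { Remove-ItemProperty -Path $afdKey -Name 'DisableRawSecurity' -Force }
        }
    }
}

# 3. Dropped binary in %System%; record its hash before deleting for the incident record.
if (Test-Path $exePath) {
    $hash = (Get-FileHash -Path $exePath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Type = 'File'; Path = $exePath; Detail = "sha256=$hash" }
    if ($Remove) { Remove-Item -Path $exePath -Force }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Lancafdo artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it once without -Remove to review the report, then with -Remove. Because the post notes that the trojan injects code into a running svchost.exe, the injected code can survive deletion of the file and registry entries until the process is gone, so reboot (or run the cleanup from Safe Mode) and re-run the audit afterwards to confirm nothing was recreated.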
