Services    Trojan info    Chat    Downloads      About Us      Contact  Us     Help Forum     Support Us    Search

Backhack

Once executed, the server opens up a dos window giving an error message then a netbus window pops up asking you to configure the server, basically this trojan gives itself away and shutting down the server configuration box will stop it from infecting you.

Removal: This trojan doesn't infect, but you may want to remove all the files and registry entries it has made
Go to start and then to run and type regedit. When regedit opens you will need to follow the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Net Solutions
Right click on the folder that says net solutions and choose delete key.

Now find these files and delete them from your windows system directory
c:\WINDOWS\SYSTEM\Log.txt Size: 0 bytes
c:\WINDOWS\SYSTEM\mypic.exe Size: 625,152 bytes
c:\WINDOWS\SYSTEM\NBHelp.dll Size: 71,680 bytes

Mosucker
This is a very dangerous trojan, it uses advanced autostart methods.


Removal all versions:
Removal is very difficult and should only be attempted if you feel comfortable making major system changes, any error made can result in your system becoming unstable and in some cases unbootable.

The trojan can use several different methods of autostarting, here is the removal instructions for all methods, please note; all methods may not be present, so if you cannot find the trojan in system.ini or winninit.ini etc, then it may not have used that method of start up.

Using a program that can kill running processes look for and kill any of the following files: Ars.exe, BCYUH.exe, BHFQX.exe, BMGPAD.exe, BRMADO.exe, BWSKFA.exe, CaIc.exe, DADRUQ.exe, DFJCWD.exe, DVVJPHAY.exe, FVEGPYYL.exe, HTTP.exe, KNJTUHH.exe, MSNETCFG.exe, MSWINUPD.exe, NETUPDATE.exe, ORCMW.exe, OXIIOIFR.exe, PLYOQMMC.exe, QHXCEM.exe, RQKUKIWC.exe, Register.exe, TUTGVCN.exe, unin0686.exe, then delete it.

Open up system.ini (click start, go to run and type system.ini). When system.ini opens look for the line that reads shell=explorer.exe MSNETCFG.exe (this file name could be anything), this will be near the top. Delete the MSNETCFG.exe (or whatever is written next to explorer.exe) part, so it now reads shell=explorer.exe, close system.ini and choose save changes. If there is nothing after explorer.exe then leave it and move onto the next part.

Open up regedit (click start, go to run and type regedit then hit ok) when regedit opens hit ctrl+f, and do a search for a value named wsockcfg, delete any found in the following paths:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Open up winstart.bat (click start, go to search and look for winstart.bat, when found drag the file onto an open windows notepad page)
Line 1:"if exists c:\windows\%anything% then goto it_exists"
Line 2:"copy%windir%\%anything2%c:\windows\%anything%"
Line3:"it_exists".
The bold anything means that this file name can be anything. Delete all three lines then close notepad and choose to save changes.

Open up winninit.ini (click start, go to run and type winninit.ini) and look for the following line: c:\windows\%anything%=c:\windows\%anything%
The bold anything means that this file name can be anything
This will be found under the heading [rename]
Delete the whole line, close winninit and choose to save changes.