Removing PWS Trojan Startup Entries

This section provides a tutorial example on how to remove startup program entries in the system registry installed by the PWS Trojan: System.exe and svchost.exe

After deleting malicious files from system folders, I want to see if this PWS Trojan installed any startup programs:

1. Click Start > Run and enter msconfig. The System Configuration Utility window showed up.

2. Click Startup tab. I saw two strange entries as show in this picture:
Password Stealer Startup Programs

Detail information of those 2 strange startup entries:

Startup item: System
Registry key and value: 
   HKLM\software\microsoft\windows\currentversion\run
   HBService32: System.exe

Startup item: svchost
Registry key and value: 
   HKCU\software\microsoft\windows NT\currentversion\windows
   load: C:\PROGRA~1\COMMON~1\Adobe\svchost.exe

System.exe was detected and deleted during the McAfee VirusScan On-Demand Scan process mentioned in the previous section. I deleted this startup entry in the registry with regedit.

I checked the Adobe folder, and could not find svchost.exe there. May be the Trojan failed to install this file. I deleted this startup entry in the registry with regedit.

But I also found 3 hidden files in the Adobe folder, and deleted them all:

C:\Program Files\Common Files\Adobe>dir /AH

10/26/2008  05:05 PM            20,992 avicap.dll
10/26/2008  05:05 PM               196 cfg.bin
10/26/2008  05:05 PM                14 obj.bin

Last update: 2006.

Table of Contents

 About This Windows Security Book

 Windows 8: System Security Review

 Windows 8: System Security Protection

 Windows 8 System Recovery

 Windows 8 Defender for Real-Time Protection

 Windows 7: System Security Review

 Windows 7: System Security Protection

 Windows 7 System Recovery

 Windows 7 Forefront Client Security

 Norton Power Eraser - Anti-Virus Scan Tool

 McAfee Virus and Malware Protection Tools

 Spybot - Spyware Blocker, Detection and Removal

 Keeping Firefox Secure

 Keeping IE (Internet Explorer) Secure

 Malware (Adware, Spyware, Trojan, Worm, and Virus)

 HijackThis - Browser Hijacker Diagnosis Tool

 IE Add-on Program Listing and Removal

 "Conduit Search" - Malware Detection and Removal

 "Tube Dimmer", "Scorpion Saver" or "Adpeak" Malware

 Malware Manual Removal Experience

 Vundo (VirtuMonde/VirtuMundo) - vtsts.dll Removal

 Trojan and Malware "Puper" Description and Removal

 VSToolbar (VSAdd-in.dll) - Description and Removal

PWS (Password Stealer) Trojan Infection Removal

 What Is PWS (Password Stealer) Trojan?

 JS/Downloader.gen - JavaScript Downloader Malware

 PWS-Mmorpg.gen - A Password Stealer Trojan

 heb.exe - The Trojan Installer Program

 .exe and .dll Files Installed by the Trojan

 my.exe - A Second PWS Trojan Infection

 .exe and .dll Files of the Second Trojan

 Explorer.EXE Trying to Install a Trojan

 AccessProtectionLog.txt Log File Records

 ATF-Cleaner.exe - Temporary File Remover

 Trajon Files Left in the System Folder

 Removing PWS Trojan Files

Removing PWS Trojan Startup Entries

 Command Processor AutoRun - Registry Value

 UserInit - Winlogon Registry Key

 js.users.51.la - hosts File Entries

 Image File Execution Options - Registry Key

 regedit.exe Not Working

 MS08-001 Vulnerability on Windows Systems

 Antivirus System PRO

 References

 PDF Printing Version