herss.exe / bychft.exe

Bitdefender: Trojan.PWS.OnlineGames.KCVU

Discovered very recently, in September 2009, this Trojan is a bit destructive and has to be removed as soon as possible, since it also has the characteristics of a worm (it makes copies of itself). When first executed, the Trojan drops a copy of itself in the %temp% folder. Further copies are created on all the drives of the computer under a different name, along with an autorun.inf pointing to the copy. This way, whenever you open any drive on your PC, the autorun.inf launches the malicious file immediately. The Trojan also modifies the registry so that it is executed at every system startup. It registers a DLL which in turn inserts itself into the running processes, stealing the user's passwords and other personal information. It contains a set of IP addresses to which this personal information is sent. The removal instructions for this Trojan are given below:

Manual instructions to remove herss.exe:
  1. First, reboot the system in Safe Mode. Go to Start --> Run and type regedit to open the Registry Editor.
  2. Now navigate to the following location in the Registry:


    Here, look for the key pointing to the path %temp%\herss.exe and delete it. Also search for registry keys with the name herss.exe using the "Find" option in the Registry Editor.
  3. After getting rid of it from the registry, go to the "%temp%" folder (type %temp% in Run) and clear all the files present in it.
  4. As mentioned earlier, the Trojan saves copies of itself on the drives along with an autorun.inf file which points to it. These copies of the malware could be removed using Windows Explorer, but since the virus will already have broken the option to show hidden files in Folder Options, you'll have to use the Command Prompt to perform this action.
  5. Type cmd in Start --> Run. The command shell opens in the home directory. Now remember, the virus saves itself in the root directory of every drive with the name bychft.exe. So you'll need to type cd\ to go to the root directory, i.e. C:\. Type del bychft.exe to delete the virus and also del autorun.inf to remove the autorun file.
  6. Repeat this on every drive on your system. To switch from one drive to another, type the drive letter followed by a colon (for example, D:, E:). After deleting the Trojan from every drive along with its autorun.inf, restart your system.
  7. Now sit back and enjoy. You're done!
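
The drive-by-drive cleanup in steps 4 to 6, as an added Python example that is not part of the original post: it reads the autorun.inf in each drive root, lists the files it would launch (hidden ones included), and deletes only the file name the post gives. The function names and `KNOWN_NAMES` are names chosen for this example.

```python
import os
import re
import stat
import string

KNOWN_NAMES = {"bychft.exe"}  # name of the dropped copy, as given in the post
# autorun.inf keys whose value is a command line that gets launched
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(\S.*?)\s*$", re.I)


def autorun_targets(root):
    """Return the files in drive root `root` that its autorun.inf would launch."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):  # isfile() also sees hidden/system files
        return []
    found = []
    with open(inf, "r", errors="replace") as fh:
        for line in fh.read().splitlines():
            m = LAUNCH_KEY.match(line)
            if not m:
                continue
            value = m.group(2)  # program name, optionally quoted, then arguments
            prog = value.split('"')[1] if value.startswith('"') else value.split()[0]
            path = os.path.normpath(os.path.join(root, prog.lstrip("\\/")))
            # Only files sitting directly in the root, where the post says the copy is
            in_root = os.path.dirname(path) == os.path.normpath(root)
            if in_root and os.path.isfile(path) and path not in found:
                found.append(path)
    return found


def scan_drives(roots=None):
    """Map each drive root to the autorun targets found there (report only)."""
    if roots is None:  # every drive letter that currently exists (Windows)
        roots = [f"{c}:\\" for c in string.ascii_uppercase if os.path.isdir(f"{c}:\\")]
    return {r: t for r in roots if (t := autorun_targets(r))}


def remove_infection(root, names=KNOWN_NAMES):
    """Delete known dropped copies and the autorun.inf that launches them."""
    doomed = [p for p in autorun_targets(root) if os.path.basename(p).lower() in names]
    if doomed:
        doomed.append(os.path.join(root, "autorun.inf"))
    for path in doomed:
        os.chmod(path, stat.S_IWRITE)  # clear read-only so the delete succeeds
        os.remove(path)
    return doomed
```

Call `scan_drives()` first to see what each drive's autorun.inf points to, then `remove_infection("D:\\")` for each affected drive; an autorun.inf that launches some other program is reported but left in place.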

Posts that might help you here:

Enabling Safe Mode booting, enabling the Registry, enable hidden files and folders option and enabling the Command Prompt.