Removing PWSteal.Wowcraft.C requires technical know-how in computer troubleshooting. If modifications to Services or the Registry have to be made, it is better to consult your LAN administrator or a technical support person to avoid additional damage to your computer.
MANUAL REMOVAL:
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected.
4. Delete any values added to the registry.
Navigate to the subkey and delete value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "ToP" = "%Windir%\LSASS.exe"
Navigate to the subkey and delete value:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowFiles\Shell\Open\Command
Value: "(Default)" = "%Windir%\EXERT.exe "%1" %*"
Navigate to the subkey and delete value:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe
Value: "(Default)" = "WindowFiles"
Navigate to the subkey and delete value:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\INTEXPLORE.pif
Value: "(Default)" = "%ProgramFiles%\common~1\INTEXPLORE.pif"
Navigate to the subkey and delete value:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Microsoft Soft Debuger\Settings
Value: "GUID" = "[RANDOM STRING]"
Navigate to the subkey and reset the value if applicable:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Value: "Check_Associations" = "No"
Navigate to the subkeys and reset the value if applicable:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command
Value: "(Default)" = "%ProgramFiles%\Internet Explorer\INTEXPLORE.com" %1"
Navigate to the subkey and reset the values if applicable:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command
Values:
"(Default)" = "%ProgramFiles%\Internet Explorer\INTEXPLORE.com" -nohome"
"(Default)" = "%ProgramFiles%\common~1\INTEXPLORE.pif" %1""
Navigate to the subkey and reset the value if applicable:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command
Value: "(Default)" = "%ProgramFiles%\common~1\INTEXPLORE.pif" -nohome""
5. Exit the Registry Editor and restart the computer.
*** If the trojan has made changes to the Windows registry that prevent you from running executable files, a tool to reset registry values to their default values is available for download.
6. To make sure that Trojan PWSteal.Wowcraft.C is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software. Another way to delete the virus, without the need to install an antivirus program, is to use an online virus scanner.
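The registry values listed in step 4 can be checked read-only against a registry export before anything is deleted. The following is an added example, not part of the original page: Python that parses .reg export text and flags entries matching the values above. The sample export, the C:\WINDOWS path and the function names are constructed for illustration.

```python
import re

# Indicators taken from step 4 above; (key suffix, value name, data or None for any).
BAD_FILES = ("exert.exe", "intexplore.pif", "intexplore.com")
BAD_VALUES = [
    (r"\microsoft\windows\currentversion\run", "ToP", None),
    (r"\software\classes\.exe", "@", "WindowFiles"),
    (r"\microsoft soft debuger\settings", "GUID", None),
    (r"\internet explorer\main", "Check_Associations", "No"),
]

# Constructed sample export (C:\WINDOWS stands in for %Windir%).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToP"="C:\\WINDOWS\\LSASS.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="WindowFiles"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowFiles\Shell\Open\Command]
@="C:\\WINDOWS\\EXERT.exe \"%1\" %*"
'''

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$', line)  # "@" is (Default)
        if m and current is not None:
            current[m.group(1).strip('"')] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def audit(keys):
    """Return (key, value_name, data) tuples that match the indicators above."""
    hits = []
    for key, values in keys.items():
        for name, data in values.items():
            by_file = any(f in data.lower() for f in BAD_FILES)
            by_value = any(
                key.lower().endswith(suffix) and name.lower() == n.lower()
                and (d is None or data.lower() == d.lower())
                for suffix, n, d in BAD_VALUES)
            if by_file or by_value:
                hits.append((key, name, data))
    return hits
```

Registry Editor 5.00 exports are UTF-16, so decode the file before passing its text to parse_reg. Entries the page marks "reset the value if applicable", such as Check_Associations, can also be a user's own setting, so treat those hits as items to review.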