Trojan.Bebloh
This page contains detailed analysis on Trojan.Bebloh. To get rid of this Trojan, please use the removal guide below.
Trojan.Bebloh is a computer infection that will modify Internet explorer settings and reduce its security features. Trojan.Bebloh also modifies registry entries of the infected computer that disables proxies used by Internet browser. It may also monitor and steal users credential to certain online banking and financial web sites.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
When Trojan.Bebloh is executed, it will drop the following file on the computer.
%Windir%/System32/[RANDOM NAME].exe
The Trojan will conceal its presence once inside the computer. It will inject malicious code on legitimate process “CSRSS.exe” that will increase file size to additional 256 bytes of data.
Then, the Trojan will make changes to system registry that will relocate the data for Internet browser’s cache file, cookies and history. It also targets the proxy settings. Trojan.Bebloh will alter the proxy server by modifying the following registry entry:
HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\”ProxyEnable” = “0″
Other changes on the registry may lead to the force use of Internet Explorer. It will open Internet Explorer web browser when users try to execute any of these applications:
- Google Chrome
- Netscape Navigator
- Opera
- Safari
Finally, the Trojan will connect to a remote web site to receive additional command from an attacker and download additional malware in order to perform additional tasks as follows:
- Download and execute more harmful files from specified location.
- Block Internet access and redirect search result to unknown web sites.
- Redirect predefined URL to other web sites.
- Embed snippets to online banking web sites to steal sensitive information.
- Download configuration files and update itself.
- Receive commands from a remote attacker using HTTP request.
Distribution
Trojan.Bebloh may arrive on the computer as an attached file to spam email messages. Other malware found related to this Trojan also drops and install the harmful code by exploiting vulnerabilities in the system. Additionally, malicious web sites that employs drop-by-download method is used to spread Trojan.Bebloh.
How to Remove Trojan.Bebloh
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Open your antivirus program and update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s)
5. Delete/Modify any values added to the registry if there are any. Please refer to 'Added Registry Entries.'[how to edit registry]
Scan with Norton Power Eraser:
Free tool from Symantec called Norton Power Eraser provides deep scanning technology to detect and remote threats like Trojan.Bebloh. NPE targets and eliminate threats that regular virus scan fails to identify. Download NPE here.
Important! Because of Norton Power Eraser’s aggressive method, it can select even legitimate files as suspicious. Please use this tool very carefully.
Alternative Removal Method for Trojan.Bebloh
Option 1 : Use Windows System Restore to return Windows to previous state
If Trojan.Bebloh enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a saved restore point before Trojan.Bebloh infiltrates the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore, click here to see the full procedure.
Option 2 : Trojan.Bebloh manual uninstall guide
IMPORTANT! Manual removal of Trojan.Bebloh requires technical skills. Deleting system files and registry entries by mistake may result to total disability of Windows system. We advise you to perform a backup of registry before proceeding with this guide.
1. Kill any running process that belongs to Trojan.Bebloh.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for Trojan.Bebloh files (refer to Technical Reference) and click End Process.
2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete registry entries as mentioned in Technical Reference section below.
- Close registry editor. Changes made will be save automatically.
3. Scan the computer with antivirus program.
- Connect to Internet and open your antivirus software. Please update to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.
4. Delete all files dropped by Trojan.Bebloh.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.