TrustWarrior

Rogue - Antispyware

TrustWarrior is reported to be a rogue application. There are several ways a fake/rogue application may enter your computer:

1) You may have downloaded it knowingly, or unknowingly, mistaking it for something else.
2) It may have been downloaded automatically while you were visiting a harmful website.
3) Your computer may have a trojan which in turn downloads such an application.


Recently I have noticed that malware authors also keep track of the removal instructions published on the internet. As soon as they think the malware is exposed, they change the file/folder names and the locations where they are saved on the hard disk. Keeping this in mind, you will need the latest information about the malware in order to be able to remove it.

I have categorized this rogue application under the nsProcess.dll group. You can find information on other rogue applications belonging to this group at this link.

It is also reported on the S!Ri.URZ blog that the Trojan-Downloader uses two files, the rogue installer and a trojan fake alert. This new version also comes with a rootkit, and it patches files in memory (dump_atapi.sys and dump_WMILIB.SYS). If that happens, a virus component will be running in memory while you are trying to remove it. If you are unable to find and delete its files as described in this article, run a memory scan with your antivirus application, and also schedule a boot-time scan so that the infected files are found and deleted during boot. Most antivirus applications can do a memory scan as well as a scheduled boot scan.

You can find the latest ThreatExpert analysis reports of this rogue at this link.

If you happen to have the rogue installer, you can submit it to the ThreatExpert site and have it analyzed. That will give you precise information about the virus.


Files Associated

These are the different EXE file names used by this malware:

TrustWarrior.exe
TrustWarriorSvc.exe

20xekbhu.exe
and several semi-randomly generated files in the C:\Windows directory


Trying system restore

If you know roughly when your computer became infected, you can try restoring it to an earlier date; that can work like a miracle in removing the infection.

Free removal tools

  • Special tools to remove a single virus or a family of viruses
  • Free online virus scanners
  • Fully functioning antivirus/antispyware
All these tools are listed below.

Manual Removal

These are the steps to take if you want to, or need to, remove the infected files manually. You may not find all the files mentioned below on an infected computer; the virus adds different files depending on its variant. I have listed all the names found in the available reports.

Boot in safe mode

Sometimes you will not be able to delete a file even after you find it; in that case, boot in safe mode and then try to delete it.

Remove Processes from Task Manager

Press Ctrl+Shift+Esc to open Task Manager. Look in the list of processes for TrustWarrior.exe, TrustWarriorSvc.exe and 20xekbhu.exe. Select each one and press the End Process button, confirm that you want to terminate the process, and then close Task Manager.

Alternatively, you can use Windows Defender to see the path of a currently running program/process and its publisher, so as to tell malware processes apart from processes belonging to legitimate publishers. You may find such processes listed under Unknown Publisher in Windows Defender.

Or you can use Sysinternals Process Explorer for easy detection and removal of virus processes.

Removing entry from windows startup

The System Configuration utility can be started in XP and Vista by typing msconfig in the Run box or the Start menu search box (in XP, click Start > Run). Changes to Windows startup are reversible, so you can check or uncheck any startup entry as many times as you like.

After the System Configuration window opens, click on the Startup tab, which lists all the programs scheduled to start with Windows. Widen the middle column with your mouse pointer so that you can see the full path of each program. Locate and uncheck "TrustWarrior", "TrustWarrior Software", TrustWarrior.exe, TrustWarriorSvc.exe and 20xekbhu.exe (and look for any other suspicious names). Press Apply, press Close/OK, and select "Do not restart" at the next prompt.

Removing windows Service

This malware creates a new Windows service named "TrustWarriorSvc" or "TrustWarrior Security Service". By default it is stopped. This service can be removed by deleting the file TrustWarriorSvc.exe and then removing the service entry from the registry, which is easily done by running CCleaner.

View Hidden Files

Before you can delete TrustWarrior and its associated files you need to search for them, and before doing that you need to enable viewing of hidden files and folders.

  • How to Enable to View Hidden Files and Folders in Windows XP
  • How to Enable to View Hidden Files and Folders in Windows Vista

Deleting files

After restarting the computer, use the Windows search utility to search for "TrustWarrior", and also search for the names you found and removed in Task Manager or in the startup list. This search should find all of its folders on the hard disk; delete those folders.

These are some folders that were found on different infected computers:

C:\Documents and Settings\All Users\Start Menu\Programs\TrustWarrior
C:\Program Files\TrustWarrior Software
C:\Program Files\TrustWarrior Software\TrustWarrior

%Temp%\nsh2.tmp
%Temp%\nsz3.tmp
(the file names in the temp folder also differ from computer to computer)

Delete the above folders.

These are the locations of its EXE files:
C:\Program Files\TrustWarrior Software\TrustWarrior\TrustWarrior.exe
C:\Windows\System32\20xekbhu.exe
C:\Documents and Settings\[UserName]\Local Settings\Temp\20xekbhu.exe

and some other files:
%Temp%\nsz3.tmp\time.dll
%Temp%\nsq2.tmp\nsProcess.dll
C:\Windows\System32\ntvdm.exe
(these two files seem to be common in this group; note that ntvdm.exe is also the name of a legitimate Windows system file, so check the file's properties and publisher before deleting it)
Apart from the above folders, several other files were found in the C:\Windows directory; they are listed below. These are semi-randomly named, so you need to look inside the C:\Windows directory and delete similar files if found. These files were found on a single computer. The names will be different on every infected computer, but you can be certain that they begin with 1 or 2, have OCX, BIN, CPL, EXE or DLL extensions, are approximately 13-20 characters long, and include both letters and numbers. Some garbled text will be found inserted in between, such as not-a-virus, virus, hack, backdoor, worm, spambot and so on. This is the analysis report where I found these files.

10258spy2z89.cpl
10545t59j661z.bin
1055z5roj29.ocx
10753spamb9t580z.dll
109a5hreaz4263.dll
10acbackdoorz8975.bin
11719tr5j3ze.cpl
1193zddw59e139.ocx
12008v9r5z45f.ocx
12915szy22a.dll
13607zroj5479.exe
1391tzi5f2617.exe
13940not-a-vir9s5zf.cpl
14051zpy955.ocx
140fsp95sz2679.exe
14164za9kto5l763.dll
14253spazbot954.cpl
142az5ief1609.dll
14529virus9zc.ocx
14650wo5m5z49.cpl
148zir5947a.exe
14907zackto595dc.cpl
152dst9zl335.ocx
15375viru51b9z.exe
1548not-a-vzrus390.dll
15692hazk5ool62.dll
157edoznloader11329.exe
157troj95z.dll
15b0ba9zdoor2915.bin
15z4th5ef15719.bin
16275wz9m6e9.exe
1658ztroj294.dll
1697t5reat4775z.dll
16f95hiez549.ocx
16z44n5t-a-virus95b.ocx
16z99worm515.exe
174259ozm353.exe
1756spa9bo511z.bin
17633viru59cz.dll
178zthief95995.dll
17914hzc5tool997.ocx
18615not-a-vzr59432.exe
18965hackto59z2d.dll
18981hackzool5e.exe
18e1steal9z53.cpl
19050virzs15c.dll
1907z5yware462.exe
19299hackt5oz463.bin
19553zorm2ef.exe
19554szy110.ocx
195z9t9oj6e3.bin
19797worz25a.bin
19959spz64a.exe
19bdvir124z5.exe
19c1addware985z.dll
19cfvir5z5.exe
19z79ddw5re1073.ocx
1a4zv953248.bin
1a95downloaderz918.exe
1b29thre5tz5932.ocx
1b64s5az9e2052.exe
1ez0thief58719.ocx
1f13spa5sez9.cpl
1fadthre5t159z8.ocx
1z594vi5us492.dll
1z747sp59bot72f.ocx
1z90addwar5995.dll
1z915hackto5l1eb9.ocx
1zfbb5ck9oor970.bin
20537z9cktool5af.cpl
20542troj589z.dll
20805hac9tool58z.bin
2093threatz89175.cpl
209ethiez2501.bin
20csparse2z59.ocx
20d0tzrea5159099.ocx
2119do5nloazer610.ocx
21225w9rm615z.cpl
2159stealz579.bin
218ddo9nloadez45.dll
21z7ste9l515.bin
22290t95j3z0.bin
2240bac5d9zr2938.dll
22z50spambo97ec.dll
234479acktooz52.bin
23789spam5otz98.bin
23995hac9tool3z4.bin
23995ot-a-virus9e6z.bin
23dzspyw5r92018.dll
241z195y52d.dll
24275vi59z153.exe
244519acktool6z0.ocx
244z75ot-a9virus91.cpl     
24951vz5us6d5.dll
25162worm23z9.ocx
25357spy967z.cpl
2539zro524.bin
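The naming pattern described above (a 1 or 2 prefix, letters mixed with digits, one of five extensions, and a malware-category word with a few characters swapped for digits or the letter z) can be turned into a directory-listing filter. The following Python script is an added example and is not code from the original article or from any of the tools it mentions. It assumes that the garbling only ever substitutes digits or the letter z into the keyword (this is what the listed samples show, but it is an assumption), and it loosens the page's approximate 13-20 character length to a wider range because the listed names vary a little more than that. The sample listing mixes names from the page's own list with constructed legitimate-looking names so the filter's discrimination can be seen.

```python
# Category words the page says are inserted, in garbled form, into the dropped-file names.
KEYWORDS = (
    "not-a-virus", "downloader", "backdoor", "hacktool", "spambot",
    "spyware", "addware", "threat", "thief", "steal", "virus",
    "worm", "troj", "hack", "spy",
)
EXTENSIONS = {"ocx", "bin", "cpl", "exe", "dll"}
# Characters observed replacing keyword letters in the page's samples (assumption: digits and 'z').
GARBLE = set("0123456789z")


def garbled_match(stem, word):
    """True if some window of `stem` equals `word` except for at most len(word)//2
    positions (minimum 1), where every differing character in the window is a
    garble character. A Hamming-distance scan restricted to the garble alphabet."""
    n = len(word)
    budget = max(1, n // 2)
    for i in range(len(stem) - n + 1):
        mismatches = 0
        ok = True
        for a, b in zip(stem[i:i + n], word):
            if a == b:
                continue
            if a not in GARBLE:
                ok = False
                break
            mismatches += 1
            if mismatches > budget:
                ok = False
                break
        if ok:
            return True
    return False


def matched_keyword(filename):
    """Return the category word a filename appears to carry, or None if the name
    does not fit the page's description of the dropped files."""
    name = filename.strip().lower()
    if "." not in name:
        return None
    stem, ext = name.rsplit(".", 1)
    if ext not in EXTENSIONS or not stem or stem[0] not in "12":
        return None
    # The page says roughly 13-20 characters; the samples run a bit wider, so
    # the stem bound here is deliberately looser (assumption).
    if not 8 <= len(stem) <= 22:
        return None
    if not (any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)):
        return None
    for word in KEYWORDS:
        if garbled_match(stem, word):
            return word
    return None


def looks_like_dropper_name(filename):
    return matched_keyword(filename) is not None


def scan_names(names):
    """Return [(filename, keyword)] for every name that matches, in listing order."""
    hits = []
    for n in names:
        kw = matched_keyword(n)
        if kw:
            hits.append((n, kw))
    return hits


# Constructed sample directory listing: six names from the page's list plus four
# legitimate-looking names made up for contrast (kernel32.dll is a real system file name).
SAMPLE_LISTING = [
    "10258spy2z89.cpl", "10acbackdoorz8975.bin", "13940not-a-vir9s5zf.cpl",
    "157edoznloader11329.exe", "14650wo5m5z49.cpl", "2539zro524.bin",
    "kernel32.dll", "2ndservice.exe", "TrustWarrior.exe", "1display.dll",
]

if __name__ == "__main__":
    for name, kw in scan_names(SAMPLE_LISTING):
        print(f"{name:28s} looks dropped (garbled '{kw}')")
```

Run against a real C:\Windows listing (for example the output of `dir /b`), the filter yields a short review list rather than a delete list: a practitioner still checks each flagged file's properties before removing it, and names the garbling mangles too heavily (more than half the keyword replaced) will be missed and must be caught by eye.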

Run CCleaner

After deleting TrustWarrior and its associated files, there will be leftover entries in the Windows registry. CCleaner is a free temp-file/registry cleaner that will automatically clean the registry as well as remove the temp files. Click here to read more.

Edit Registry

If you are comfortable using the regedit command, you can find the registry modifications in any of the reports mentioned at the beginning of this article.

More Problems

If you are unable to open Task Manager, the registry editor, System Restore, Folder Options etc. because the virus has disabled them, there are free tools and techniques to solve this problem. They are listed here:

Tools for Windows XP

Tools for Windows Vista

Use the system file checker

Use this if you want to make sure that the Windows system files have not been altered by the virus, and to repair them in case they have been.

  • How to run System File checker utility in windows XP
  • How to run System File checker utility in windows Vista

Unable to access security related sites

This can happen if your hosts file has been altered. To repair/edit the hosts file, log in as administrator and open the following file in Notepad:
C:\WINDOWS\system32\drivers\etc\hosts
Remove anything other than 127.0.0.1 localhost, then save and close the file.
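Before editing by hand it helps to see exactly which lines do not belong. The Python below is an added example, not code from the original article, that parses hosts-file text, flags every active entry other than the loopback-to-localhost mapping (including loopback entries that point at other names, which is how security sites get blocked), and produces a cleaned copy. The hosts content it runs on is constructed for the example; the two redirected hostnames and the 192.0.2.10 address are placeholders, not indicators from the page.

```python
import ipaddress

# Names that legitimately map to a loopback address in a default Windows hosts file.
LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for every active line of a hosts file.
    Comments (from '#' to end of line) and blank lines are skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((no, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def suspicious_entries(text):
    """Return every active entry that is not the plain loopback -> localhost mapping.
    A loopback address pointing at any other name is exactly how a rogue cuts off
    security sites, so those entries are flagged along with redirects elsewhere."""
    flagged = []
    for no, ip, names in parse_hosts(text):
        try:
            is_loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:  # not an IP address at all: malformed, flag it
            is_loopback = False
        if is_loopback and names and all(n in LOOPBACK_NAMES for n in names):
            continue
        flagged.append((no, ip, names))
    return flagged


def clean_hosts(text):
    """Return the hosts text with every flagged line removed. Comments and the
    loopback lines are kept; if no active line survives, the canonical localhost
    line is appended so the file stays valid."""
    bad = {no for no, _, _ in suspicious_entries(text)}
    kept = [raw for no, raw in enumerate(text.splitlines(), 1) if no not in bad]
    if not parse_hosts("\n".join(kept)):
        kept.append("127.0.0.1 localhost")
    return "\n".join(kept) + "\n"


# Constructed sample hosts file (not captured from a real machine).
SAMPLE_HOSTS = """\
# Constructed sample hosts file (not captured from a real machine)
127.0.0.1       localhost
::1             localhost
# The two lines below are the kind a rogue adds to cut off security sites
127.0.0.1       update.antivirus.example
192.0.2.10      download.security.example    # sent to an attacker-chosen host
"""

if __name__ == "__main__":
    for no, ip, names in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {ip} -> {', '.join(names)}")
    print(clean_hosts(SAMPLE_HOSTS))
```

To check a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `suspicious_entries`; write the output of `clean_hosts` back only from an administrator session, since the file is not writable otherwise.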

Using Firewall

Check your firewall for any suspicious communication from your computer to the internet and block it using the firewall.

Communicates with the following sites

  • TrustWarrior.com
  • 83.233.30.66 port 80
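The address and port listed above can be matched against the Windows Firewall log (pfirewall.log, which uses a W3C-style "#Fields:" header) to confirm whether the machine has actually been talking to the rogue's host. The Python below is an added example rather than code from the article; the log lines it parses are constructed for the example, and only the 83.233.30.66:80 indicator comes from the page (the TrustWarrior.com name would need a DNS or proxy log, since the firewall log records IP addresses only).

```python
# Network indicator taken from the page: the rogue communicates with 83.233.30.66 on port 80.
C2_ADDRESSES = {("83.233.30.66", 80)}


def parse_pfirewall_log(text):
    """Parse Windows Firewall log text into a list of dicts keyed by the column
    names in the '#Fields:' header. Other '#' lines and blank lines are skipped."""
    fields, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        rows.append(dict(zip(fields, line.split())))
    return rows


def find_c2_connections(text, indicators=C2_ADDRESSES):
    """Return (date, time, action, src-ip, dst-ip, dst-port) for every log row whose
    destination matches one of the indicators."""
    hits = []
    for row in parse_pfirewall_log(text):
        try:
            port = int(row.get("dst-port", ""))
        except ValueError:
            continue
        if (row.get("dst-ip"), port) in indicators:
            hits.append((row.get("date"), row.get("time"), row.get("action"),
                         row.get("src-ip"), row.get("dst-ip"), port))
    return hits


# Constructed sample log in the Windows Firewall format; dates, the internal
# 192.168.1.20 host and the unrelated 192.0.2.44 destination are made up.
SAMPLE_FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-03-14 10:21:05 OPEN TCP 192.168.1.20 83.233.30.66 1045 80 - - - - - - - - -
2009-03-14 10:21:06 OPEN TCP 192.168.1.20 192.0.2.44 1046 443 - - - - - - - - -
2009-03-14 10:21:40 CLOSE TCP 192.168.1.20 83.233.30.66 1045 80 - - - - - - - - -
"""

if __name__ == "__main__":
    for date, time, action, src, dst, port in find_c2_connections(SAMPLE_FIREWALL_LOG):
        print(f"{date} {time} {action:5s} {src} -> {dst}:{port}")
```

A hit on an OPEN line after the manual cleanup means a component is still running and the removal is incomplete; that is the cue to go back to the memory and boot-time scans described earlier.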

More help

Download, install and run a free tool called Trend Micro HijackThis. This program will generate a log file, "hijackthis.log"; save it and mail it to support(at)comprolive.com for analysis.

 Reprinted with permission from ThreatExpert.com. 

