fxstaller.exe
Malware - Harmful EXE

fxstaller.exe is a filename that has appeared recently in several infections of a Trojan Horse/Backdoor virus with the following characteristics: 1) creates a new subfolder in the Temp folder, 2) creates an entry in the startup, 3) connects to a remote host, 4) opens TCP ports, 5) installs a keylogger that can steal your important information. This article provides thorough detection and removal instructions based on the ThreatExpert reports. All the tools/software mentioned in this article are freeware.

 

Aliases: There are a number of aliases; you can find a list of them on this link.

Delete Files: The place where fxstaller.exe could be found is %Windir%\fxstaller.exe

These are additional files that may be found depending on the variation of the infection; it seems that there are a number of variations.

%Temp%\IXP000.TMP (this folder is common among all the variations, and the files below are created under it. If you use a Temp files cleaner, they will be automatically removed. It seems that these files are added in a random manner, although the names do not look random.)
bawtoz.exe      report1
photoo.exe      report2
hardco~1.exe    report3
Test.exe        report4
bn3w.exe        report5     contacts the remote host "oni.servebeer.com"
burz.exe        report6     contacts the remote host "dddd.burimche.net"
exb.exe         report7
bnwz.exe        report9     contacts the remote host "dddd.burimche.net"
bb.exe          report10    contacts the remote host "aacccc.ebukura.de"
%AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\fd3d51cb17e35b519458d3c03e176cc1_a7bcc1a4-f7a4-4502-8650-8579e607f7f7    report8    contacts the remote host "h3do1123.cufii.ch"

If your computer has fxstaller.exe and you did not locate any of the additional files above, you can search these reports for additional filenames.

%Temp% refers to the temporary folder. By default C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP)
%Windir% refers to the Windows installation folder. By default C:\Windows or C:\Winnt
%AppData% refers to the file system directory that serves as a common repository for application-specific data. Typical path: C:\Documents and Settings\[UserName]\Application Data

View Hidden Files: Before you can delete fxstaller.exe and its associated files you need to search for them, and before doing that you need to enable viewing of hidden files and folders. Click here to read more...
Boot in safe mode: Sometimes you will not be able to delete a file even if you find it; in that case you should boot in safe mode and then try to delete it/them. Click here to read more...
End Process in the Task Manager: If you find fxstaller.exe running in the Task Manager, you can select it and press the End Process button; that will help you to delete it from the hard disk later. Click here to read more...
Remove entry from Windows Startup: Look in the Windows startup by opening the System Configuration Utility and remove the entry of fxstaller.exe if found. Click here to read more...
Unable to open Task Manager: If that happens, you can try these free tools to enable the Task Manager again. Click here to read more...
Run CCleaner: Even if you manage to find fxstaller.exe and its associated files and delete them, there will still be associated entries in the Windows registry. If you run a free temp files/registry cleaner called CCleaner, that will help you to automatically clean the registry of the virus entries. Click here to read more...
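The file, process and startup checks in the steps above can be done in one read-only pass. This PowerShell script is an added example, not part of the original article or the ThreatExpert reports; it only reports what it finds and deletes nothing. The Run-key paths are the standard Windows autostart locations, and the netstat filtering assumes the default `netstat -ano` column layout (PID last).

```powershell
# Added example: read-only check for the fxstaller.exe indicators named in this article.
# Run from an elevated PowerShell prompt; review any hit before deleting anything.
$hits = @()

# 1) Dropped file and the dropper's temp folder (%Windir%\fxstaller.exe, %Temp%\IXP000.TMP)
$paths = @((Join-Path $env:windir 'fxstaller.exe'),
           (Join-Path $env:TEMP   'IXP000.TMP'))
foreach ($p in $paths) {
    # -Force so hidden files/folders are not missed (see "View Hidden Files" above)
    if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
        $hits += "file/folder present: $p"
    }
}

# 2) Startup entries: any Run value whose command line mentions fxstaller.exe
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$providerProps = @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')
foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $props = Get-ItemProperty -LiteralPath $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }   # skip PowerShell's own metadata
        if ("$($prop.Value)" -match 'fxstaller\.exe') {
            $hits += "startup entry: $k\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 3) Running process and the TCP sockets it owns (the article notes it opens TCP ports)
foreach ($pr in (Get-Process -Name fxstaller -ErrorAction SilentlyContinue)) {
    $hits += "running process: fxstaller.exe PID $($pr.Id)"
    # netstat -ano prints the owning PID as the last column; match that PID only
    netstat -ano | Select-String -Pattern "\s$($pr.Id)\s*$" | ForEach-Object {
        $hits += "socket owned by PID $($pr.Id): $($_.Line.Trim())"
    }
}

if ($hits.Count -gt 0) { $hits } else { 'no fxstaller.exe indicators found' }
```

If the process is found but cannot be terminated or the file cannot be deleted, follow the safe-mode step above and re-run the script afterwards to confirm the indicators are gone.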

Block the sites: These are some of the remote hosts which are contacted by this virus. It has been noticed that this virus uses different remote hosts in its different infections. Further, it connects to a remote IRC server, so keep that in mind and protect yourself with a firewall accordingly.

dddd.burimche.net
yestes.enderra.de
h3do1123.cufii.ch
skl.realsunix.com
shpend.endrra.org
das.shqipkiss.org
aacccc.ebukura.de
oni.servebeer.com

Delete the registry keys manually: If you are brave enough to do so, you can edit the registry by using the Windows built-in Registry Editor. Click here to read more...

You can find the registry entries created by this malware on the reports links provided in the "Delete Files" section. Best of Luck 

reference with permission from Threatexpert
