Removal tool for Magania.bzmw (Taterf.B,Win32.Inhoo) Trojan

 

- Magania trojan Sets the drive to autoplay by creating autorun.inf file in its root directory. If the drive is shared across the network then other remote computers can be infected any time they try to access this share.

- Downloads/requests other files from Internet.

- Creates a startup registry entry.

 

 

Severity Level : 9/10

 

Alias:

• Mal/EncPk-JS [Sophos]
• Trojan-GameThief.Win32.Magania.bzmw [Kaspersky Lab]
• Heuristic.LooksLike.Win32.SuspiciousPE.B [McAfee-GW-Edition]
• Trojan-GameThief.Win32.Magania.bzmw [F-Secure]
• TR/Crypt.ZPACK.Gen [AntiVir]
• Generic Worm [Panda]
• Worm:Win32/Taterf.B [Microsoft]
• Trojan.Win32.Inhoo [Ikarus]

 

VirusTotal Report : (Click Here)

 

File System Modifications

The following files were created in the system:

 

• %systemdrive%\ewqij.bat
• %systemdrive%\ b.bat
• %systemdrive%\ autorun.inf
• %Temp%\herss.exe
• %Temp%\ cvasds0.dll
• %Temp%\ cvasds1.dll
• %Temp%\cvasds2.dll

 

Note:

• %systemdrive% is a variable that refers to the System Drive . By default, this is “C:\” (Windows NT/2000/XP).
• %Temp% is a variable that refers to the Temp Folder . Like “C:\Documents and Settings\Administrator\Local Settings\Temp\” (Windows NT/2000/XP).
• If you have more than one partition like C: , D: , …etc, and while your PC infected you plugged in any of external USB devices you will find b.bat and autorun.inf in it so be careful .

 

Memory Modifications

There were new processes created in the system:

 

Process Name	Process Filename
herss.exe	%Temp%\herss.exe
Iexplore.exe	%ProgramFiles%\Internet Explorer\iexplore.exe
am.exe	%Temp%\am.exe

 

Registry Modifications

The newly created or modified Registry Value is:

 

• [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] > “cdoosoft” = %Temp%\herss.exe
• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] > “CheckedValue”=dword:00000000
  

 

The following Internet action was started (the retrieved bits are saved into the local file):

 

URL to be downloaded	Filename for the downloaded bits
http://gir88e.net/1mg/am1.rar	%Temp%\am1.rar
http://qer67.com/1mg/am.rar	%Temp%\am.rar

 

For auto removal :

Download Magania.bzmw Trojan removal tool that provided by virusexperts.org you can download it from Here.

 

 

 

 

 

For manual removal First download these tools:

1- RRT : Registry, Task Manager and Folder Options Repair Tool (Click Here).

2- KillBox : Kill the Process if your Access Denied (Click Here).

3- Task Manager Enabler : (Click Here).

4- Registry Enabler : (Click Here).

 

Now Follow these instructions :

Recommend Removal from Safe Mode

To Start in Safe mode Restart your Computer, Press F8 Repeatedly, when your Screen turns on, Select Safe mode, press enter.

 

 

Kill these Process, by using Killbox

• herss.exe

 

Delete These Files

Note : When you want to open any Partition or USB drive don’t double click on it,  just click on FOLDERS in the upper buttons then choose your drive from the left tree menu.

• %Temp%\herss.exe
• C:\b.bat (it will be in other partition or usb drives)
  
• C:\autorun.inf (it will be in other partition or usb drives)
  
• C:\ewqij.bat (it will be in other partition or usb drives)
  
• %Temp%\ cvasds0.dll
• %Temp%\ cvasds1.dll
• %Temp%\ cvasds2.dll

[ No Exact Information about Files, search above related files in Program files Folder ] If you have any of these files in running process from task manger, end the process before removal.

Note: if task manager is disabled, Download Task Manager Enabler and Open it with Regedit.exe [%system32\regedit.exe], then it Confirms Add to registry Yes or No, Confirm Yes, then click Ok.

 










 

Click Start, Run,Type regedit,Click OK.

 

• Download this UnHookExec.inf, [ Right Click - Save Target As/Linked Content As ]
  and then continue with the removal. Save it to your Windows desktop. Do not run it at this time, download it only.
• After booting into the Safe Mode or VGA Mode.
• Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or boxes when you run it].
• Or Download Regfile to enable Registry editor and Open it with Registry editor.

 

 

 

Related posts:

1. How to Remove All Types of Magania (W32_Gammima,Trojan-GameThief,Taterf,Win32.Inhoo) Trojan
2. How to Remove olhrwef.exe (Magania Trojan / Worm) Manually
3. Removal tool for Oficla.H!dll, Win32.Fregee.av (reader_s.exe, file1.exe) Trojan
4. Removal tool for Win32.Genome.aocx (outlook.exe, brazilian.exe, sysinternals.exe) Trojan-Downloader
5. Removal tool for Dybalom.gd Trojan and Key logger not detected yet