Removal tool for Oficla.H!dll, Win32.Fregee.av (reader_s.exe, file1.exe) Trojan

March 10, 2010 by admin  
Filed under Removal Tips,Tools and Videos



 

Sample Submitted By Sven Berger

 

 

 

 

Severity Level : 6/10

 

Alias:

  • Mal/Generic-A, Mal/Oficla-A [Sophos]
  • SpyAgent-br.dll [McAfee]
  • Trojan.Win32.Fregee.av [Kaspersky Lab]
  • Trojan:Win32/Oficla.H!dll [Microsoft]

 

reader_s.exe VirusTotal Report : (Click Here)

file1.exe VirusTotal Report : (Click Here)

 

File System Modifications

The following files are created on the system:

  • %system%\onyc.ffo
  • %system%\reader_s.exe
  • %UserProfile%\reader_s.exe
  • %UserProfile%\Local Settings\Temp\?.tmp
  • %UserProfile%\Local Settings\Temp\file1.exe

 

Note:

  • %system% is a variable that refers to the System folder. By default, this is "C:\Windows\System" (Windows 95/98/Me), "C:\Winnt\System32" (Windows NT/2000), or "C:\Windows\System32" (Windows XP).
  • ? = random file name.

 

Memory Modifications

The following new processes are created on the system:

  Process Name    Process Filename
  reader_s.exe    %system%\reader_s.exe
  onyc.ffo        %system%\onyc.ffo (loaded by rundll32.exe, see the Winlogon "Shell" value below)

 

 

Registry Modifications

The newly created or modified registry keys and values are:

  • [HKCR\idid]
  • [HKLM\SOFTWARE\AGprotect]
  • [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] > "reader_s" = %system%\reader_s.exe
  • [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] > "reader_s" = %system%\reader_s.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] > "Shell" = explorer.exe rundll32.exe onyc.ffo hgikqnb

The first two Run values are ordinary autostart entries. The Winlogon "Shell" value is the important one: it normally contains only Explorer.exe, and the text appended to it makes rundll32.exe load onyc.ffo (a DLL despite its extension) with entry point hgikqnb every time a user logs on. Because the same value also starts the desktop, it must be repaired, not deleted.

 

For automatic removal:

Download the Fregee.av (Trojan.Win32.Fregee.av) removal tool provided by VirusExperts.org from Here.

 

 

For manual removal, first download these tools:

1- RRT: Registry, Task Manager and Folder Options Repair Tool (Click Here).

2- KillBox: kills the process if access is denied (Click Here).

3- Task Manager Enabler: (Click Here).

4- Registry Enabler: (Click Here).

 

Now follow these instructions:

Removal from Safe Mode is recommended.

To start in Safe Mode, restart your computer, press F8 repeatedly as soon as the screen turns on, select Safe Mode and press Enter.

The infected files can be seen in the folders and under the names listed below, and they are also running as processes. End the following active processes before removal.

 

 

Kill these processes using KillBox:

  • reader_s.exe
  • the rundll32.exe instance that has onyc.ffo loaded (started by the Winlogon "Shell" value)

 

Delete these files:

  • %system%\reader_s.exe
  • %system%\onyc.ffo
  • %UserProfile%\reader_s.exe
  • %UserProfile%\Local Settings\Temp\?.tmp
  • %UserProfile%\Local Settings\Temp\file1.exe

    [ There is no exact information about the ?.tmp file name; search for recently created .tmp files in the Temp folder. ] If any of these files shows up as a running process in Task Manager, end the process before deleting the file.
    Note: if Task Manager is disabled, download Task Manager Enabler and open it with Regedit.exe [%windir%\regedit.exe]. Regedit asks whether to add the information to the registry: confirm Yes, then click OK.

     

     

Remove Registry Entries

Click Start, Run, type regedit, click OK.

Note: If the Registry Editor fails to open, the threat may have modified the registry to prevent access to the Registry Editor.

  • Download this UnHookExec.inf [ Right Click - Save Target As / Save Linked Content As ]
    and then continue with the removal. Save it to your Windows desktop. Do not run it at this time; download it only.
  • Boot into Safe Mode or VGA Mode.
  • Right-click the UnHookExec.inf file and click Install. [This is a small file. It does not display any notice or dialog boxes when you run it.]
  • Or download the Regfile to enable the Registry Editor and open it with the Registry Editor.

 

Delete these keys:
  • HKEY_CLASSES_ROOT\idid
  • HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect

Go to these keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the value from the right-hand pane:
the value "reader_s" with data %system%\reader_s.exe

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the value from the right-hand pane:
the value "reader_s" with data %system%\reader_s.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Edit (do not delete) the value in the right-hand pane:
set the value "Shell" back to Explorer.exe (remove everything after it, i.e. "rundll32.exe onyc.ffo hgikqnb")

Exit the Registry Editor and restart your computer.
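The same indicators and the same manual steps (kill the processes, delete the dropped files, remove the two "reader_s" Run values, repair the Winlogon "Shell" value, delete the leftover keys) can be checked and applied with a script. The following PowerShell script is an added example; it is not part of the original post and is not the VirusExperts.org removal tool. It assumes that %system% resolves to $env:SystemRoot\System32 and the Temp folder to $env:TEMP (on XP that is %UserProfile%\Local Settings\Temp). Without -Remove it only reports what it finds.

```powershell
# Added example, not from the original post or the VirusExperts.org tool.
# Audits a host for the Oficla/Fregee indicators listed above and, with
# -Remove, performs the manual removal steps. Run from an elevated
# PowerShell prompt, preferably in Safe Mode.
# Assumptions: %system% = $env:SystemRoot\System32, Temp = $env:TEMP.
param([switch]$Remove)

$sys  = Join-Path $env:SystemRoot 'System32'
$prof = $env:USERPROFILE
$temp = $env:TEMP

# Indicators taken from the post. The random "?.tmp" dropper cannot be named,
# so *.tmp files in Temp are only listed for review, never deleted here.
$files = @("$sys\onyc.ffo", "$sys\reader_s.exe", "$prof\reader_s.exe", "$temp\file1.exe")
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$leftoverKeys = @('Registry::HKEY_CLASSES_ROOT\idid',
                  'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect')

$findings = @()
function Report([string]$what) { $script:findings += $what; Write-Host "[!] $what" }

# 1. Processes: reader_s.exe itself, and any rundll32.exe whose command line
#    loads onyc.ffo (that is how the hijacked Shell value starts the DLL).
$procs = @(Get-Process -Name reader_s -ErrorAction SilentlyContinue)
$procs += @(Get-WmiObject Win32_Process -Filter "Name='rundll32.exe'" |
            Where-Object { $_.CommandLine -match 'onyc\.ffo' } |
            ForEach-Object { Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue })
foreach ($p in $procs) {
    Report "running process: $($p.ProcessName) (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Dropped files.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Report "file present: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
Get-ChildItem -Path $temp -Filter '*.tmp' -ErrorAction SilentlyContinue |
    ForEach-Object { Report "review manually (random-name dropper?): $($_.FullName)" }

# 3. Run values named "reader_s" under HKLM and HKCU.
foreach ($k in $runKeys) {
    $v = Get-ItemProperty -Path $k -Name reader_s -ErrorAction SilentlyContinue
    if ($v) {
        Report "Run value: $k\reader_s = $($v.reader_s)"
        if ($Remove) { Remove-ItemProperty -Path $k -Name reader_s }
    }
}

# 4. Winlogon Shell must be exactly Explorer.exe. Anything appended to it
#    (here: rundll32.exe onyc.ffo hgikqnb) is relaunched at every logon.
#    The value is repaired, never deleted, or the desktop will not start.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    Report "Winlogon Shell hijacked: '$shell'"
    if ($Remove) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe' }
}

# 5. Leftover keys the trojan creates; safe to delete outright.
foreach ($k in $leftoverKeys) {
    if (Test-Path -LiteralPath $k) {
        Report "registry key: $k"
        if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}

if ($findings.Count -eq 0)  { Write-Host '[+] no Oficla indicators found' }
elseif (-not $Remove)       { Write-Host "[*] $($findings.Count) indicator(s); rerun with -Remove to clean" }
```

Run it once without -Remove to see the findings, then again with -Remove. The Shell check compares case-insensitively (PowerShell's default for -ne) so the stock "Explorer.exe" is not flagged, and it repairs the value with Set-ItemProperty rather than removing it, matching the "edit, do not delete" step above. On 64-bit Windows the AGprotect key may also live under HKLM\SOFTWARE\Wow6432Node, which the script does not check.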

 

 

For any help contact us.
VirusExperts.org TEAM

%Temp%\cvasds0.dll
%Temp%\cvasds1.dll
%Temp%\cvasds2.dll

