Friday
2008-11-29, 18:41
The following instructions have been created to help you to get rid of "Erazor" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.
If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).
Threat Details:
Categories:
trojan
Description:
The file server.exe copies itself to Windows folder and renames itself to msgnet32.exe, it is hidden and executes itself.
It also adds itself to Autorun under the Name of Microsoft Net.
It connects 2 times to www.icq.com --> notifying ICQ UIN:216010426 (see Author) with nothing showing up on the display.
The client.exe enables remote access:
Erazor enables complete remote control, such as access to registry, desktop settings, fileaccess etc.
Supposed Functionality:
The file server.exe serves as a remote server, it does not appear to have any fake function.
The file client.exe seems to do exactly what it is supposed to do.
Privacy Statement:
no privacy information available
client.exe :Erazer v1.1
coded by (v)aster
03-09-2004 (Austria)
www.forcedcontrol.com
contact: (v)aster
icq:216010426
mail:_master_e@web.de
Removal Instructions:
Autorun:
Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.
Entries named "Microsoft Net" and pointing to "<$WINDIR>\MsgNet32.exe".
Files:
Please use Windows Explorer or another file manager of your choice to locate and delete these files.
A file with an unknown location named "Server.exe".
A file with an unknown location named "Client.exe".
The file at "<$WINDIR>\MsgNet32.exe".
The file at "<$WINDIR>\TEMP\097845.TMP".
Make sure you set your file manager to display hidden and system files. If Erazor uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!
Browser:
The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer).
Please check your bookmarks for links to "www.forcedcontrol.com".
Final Words:
If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
Please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a volunteer analyst will advise you as soon as available.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.
If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).
Threat Details:
Categories:
trojan
Description:
The file server.exe copies itself to Windows folder and renames itself to msgnet32.exe, it is hidden and executes itself.
It also adds itself to Autorun under the Name of Microsoft Net.
It connects 2 times to www.icq.com --> notifying ICQ UIN:216010426 (see Author) with nothing showing up on the display.
The client.exe enables remote access:
Erazor enables complete remote control, such as access to registry, desktop settings, fileaccess etc.
Supposed Functionality:
The file server.exe serves as a remote server, it does not appear to have any fake function.
The file client.exe seems to do exactly what it is supposed to do.
Privacy Statement:
no privacy information available
client.exe :Erazer v1.1
coded by (v)aster
03-09-2004 (Austria)
www.forcedcontrol.com
contact: (v)aster
icq:216010426
mail:_master_e@web.de
Removal Instructions:
Autorun:
Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.
Entries named "Microsoft Net" and pointing to "<$WINDIR>\MsgNet32.exe".
Files:
Please use Windows Explorer or another file manager of your choice to locate and delete these files.
A file with an unknown location named "Server.exe".
A file with an unknown location named "Client.exe".
The file at "<$WINDIR>\MsgNet32.exe".
The file at "<$WINDIR>\TEMP\097845.TMP".
Make sure you set your file manager to display hidden and system files. If Erazor uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!
Browser:
The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer).
Please check your bookmarks for links to "www.forcedcontrol.com".
Final Words:
If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
Please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a volunteer analyst will advise you as soon as available.