
How to remove Trojan.VB.AQT



THREAT NAME

Trojan.VB.AQT

 

CLEAN INSTRUCTION

1. Restart the computer in Safe mode.

 

2. Open Windows Explorer, go to Tools > Folder Options.

 

3. Click on the View tab and select Show hidden files and folders.

 

4. Uncheck Hide protected operating system files and click OK.

 

5. With Windows Explorer, locate and delete the following files:


C:\autorun.inf
C:\Recycled\destop.ini
C:\Recycled\info2
C:\Recycled\Recycled\ctfmon.exe

6. Click on Start > Programs > Startup, then right-click on ctfmon.exe and select Delete.
(Attention: do NOT left-click on it!)

7. After that, empty the Recycle Bin.


SYMPTOMS
1. Presence of the autorun.inf file in the root of the C drive.

2. Presence of the ctfmon.exe in the Startup folder.

 

3. Your computer may work slower.


DESCRIPTION
1. This is a trojan written in Visual Basic that is designed to spread via USB cards, flash drives, etc.

2. When it is run, it creates a directory called Recycled in the root of the drive.

 

3. It creates a file called info2 and one called desktop.ini with the following contents:


[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

4. In the C:\Recycled folder it will create a subfolder called Recycled.

 

5. In there, it will create a copy of itself with the name ctfmon.exe.

6. It creates the file C:\autorun.inf with the following contents:


[autorun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(&0)

These files will also be created on infected removable drives.

 

7. It gets the path of the current user's Startup folder and places a copy of ctfmon.exe there.
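
The autorun.inf quoted in step 6 can be checked for automatically. The following Python code is an added example, not BullGuard's own tooling: it parses an autorun.inf and reports launch entries whose target sits inside a Recycle Bin folder. The function names, the extra folder names RECYCLER and $Recycle.Bin, and the benign sample file are assumptions added for illustration.

```python
import re

# Keys in an [autorun] section that name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\.+\\command)$", re.IGNORECASE)
# Recycle Bin folder names (Recycled is the one on this page; the other two are
# assumed extras). A launch target inside one is a strong indicator of abuse.
RECYCLE_DIR = re.compile(r"(^|[\\/])(recycled|recycler|\$recycle\.bin)[\\/]", re.IGNORECASE)

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_launch_entries(text):
    """List (key, target) pairs that launch a program from a Recycle Bin folder."""
    return [(key, value) for key, value in parse_autorun(text).items()
            if LAUNCH_KEY.match(key) and RECYCLE_DIR.search(value)]

# The autorun.inf contents quoted in the description above.
SAMPLE_INFECTED = r"""[autorun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(&0)
"""
# Constructed benign file for comparison (not from the page).
SAMPLE_BENIGN = r"""[autorun]
open=setup.exe
icon=setup.exe,0
"""

if __name__ == "__main__":
    for name, text in (("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN)):
        print(name, suspicious_launch_entries(text))
```

To check a real drive, read the autorun.inf in its root and pass the text to suspicious_launch_entries; an empty list means no launch entry points into a Recycle Bin folder.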


Author:
The BullGuard Team
