Troj/Tfactory-A

Category: Viruses and Spyware
Protection available since: 05 Aug 2006 00:00:00 (GMT)
Type: Trojan
Last Updated: 05 Aug 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports


Troj/Tfactory-A is a Trojan which claims to remove spyware and adware from the computer.

Troj/Tfactory-A sets various registry entries and downloads various dummy files, so that it can then report these dummy installations of spyware and adware, in an attempt to coerce users into buying spyware and adware removal software.

Troj/Tfactory-A displays popup messages with text such as:

'This notice is brought to you by Windows Security Center.'
'Download spyware remover now and run full system scan to remove trojans, viruses and spyware from your PC...'
'Your computer running slower than usual! It maybe infected with dangerous spyware or adware. Full system scan is highly recommended to remove possible malicious spyware from your computer.'
'Windows Security Center - Alert!'
'Windows Security Center has detected spyware activity on your computer! Click here to remove spyware...'
'Click here to remove spyware and adware from your computer immediately...'
'Click to remove spyware and adware from your computer...'
'Click here to remove spyware, adware, trojans and viruses from your computer...'
'Protect your computer. Download spyware remover to remove spyware and protect your data and privacy.'
'Windows has detected spyware on your computer! Full system scan is highly recommended to remove spyware.'
'Danger! Spyware activity detected on your computer...'

Troj/Tfactory-A installs itself as follows:

<System>\office_pnl.dll
<System>\officescan.exe
<System>\smartdrv.exe
<System>\winblsrv.dll

Troj/Tfactory-A downloads and installs the following additional files:

<Windows>\bg_bg.gif
<Windows>\big_red_x.gif
<Windows>\buy_now.gif
<Windows>\click_for_free_scan.gif
<Windows>\close_ico.gif
<Windows>\download.gif
<Windows>\download_product.gif
<Windows>\free_scan_red_btn.gif
<Windows>\icon_warning_big.gif
<Windows>\infected.gif
<Windows>\infected_top_bg.gif
<Windows>\logo.gif
<Windows>\navibar_bg.gif
<Windows>\navibar_corner_left.gif
<Windows>\navibar_corner_right.gif
<Windows>\product_box.gif
<Windows>\red_warning_ico.gif
<Windows>\remove_spyware_header.gif
<Windows>\safe_and_trusted.gif
<Windows>\spyware_detected.gif
<Windows>\win_logo.gif
<Windows>\yellow_warning_ico.gif
<Windows>\alexaie.dll
<Windows>\alxie328.dll
<Windows>\alxtb1.dll
<Windows>\BTGrab.dll
<Windows>\dlmax.dll
<Windows>\Pynix.dll
<Windows>\susp.exe
<Windows>\ZServ.dll
<System>\mshtml32.tdb
<System>\a.exe
<System>\alxres.dll
<System>\bridge.dll
<System>\dailytoolbar.dll
<System>\jao.dll
<System>\questmod.dll
<System>\runsrv32.dll
<System>\runsrv32.exe
<System>\smaexp32.dll
<System>\tcpservice2.exe
<System>\txfdb32.dll
<System>\udpmod.dll
<System>\winlogon.ini
<System>\wstart.dll

The file office_pnl.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B53455DB-5527-4041-AC41-F86E6947AA47}
HKCR\TypeLib\{8B076501-1D1B-4B26-9492-FDB8EEE00D7F}
HKCR\office_pnl.office_panel
HKCR\Interface\{900FBC20-6AEE-4E05-ABA9-AC46E309C029}
HKCR\CLSID\{B53455DB-5527-4041-AC41-F86E6947AA47}

Troj/Tfactory-A sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adware.Srv32
<System>\runsrv32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\Srv32 spool service
Adware.Srv32
<no value>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Srv32 spool service
Adware.Srv32
<no value>

HKCR\AppID\WStart.DLL
WStart
wstart.dll

HKCR\AppID\DailyToolbar.DLL
DailyToolbar
dailytoolbar.dll

HKCR\AppID\{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}
(Default)
<no value>

HKCR\AppID\{951B3138-AE8E-4676-A05A-250A5F111631}
(Default)
<no value>

Troj/Tfactory-A creates the following registry entries:

HKLM\SOFTWARE\Transponder
HKLM\SOFTWARE\Software\TPS108
HKLM\SOFTWARE\RespondMiter
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bridge
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa Toolbar
HKCU\Software\Microsoft\IPCheck
HKLM\SOFTWARE\WSoft
HKLM\SOFTWARE\NIX Solutions\DailyToolbar
HKLM\SOFTWARE\DailyToolbar
HKLM\SOFTWARE\Alexa Toolbar
HKLM\SOFTWARE\Alexa Internet
HKCR\WStart.WHttpHelper.1
HKCR\WStart.WHttpHelper
HKCR\url_relpacer.URLResolver
HKCR\Popup.PopupKiller
HKCR\Popup.HTMLEvent.
HKCR\PopMenu.Menu
HKCR\jao.jao
HKCR\IEToolbar.AffiliateCtl
HKCR\DailyToolbar.SysMgr
HKCR\DailyToolbar.IEBand
HKCR\Bridge.brdg
HKCR\AlxTB.BHO
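
The registry indicators listed above can be checked offline against the text of a `reg export` dump taken from a suspect machine. This is an added example, not Sophos code: the function names are hypothetical, the sample export is constructed (including the `C:\WINDOWS\system32` path standing in for <System> and the `Settings` subkey), and only a subset of the created keys is included.

```python
import re

# Indicators copied from the listing above; only a subset of the created keys.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR"}
BHO_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Browser Helper Objects\{B53455DB-5527-4041-AC41-F86E6947AA47}")
RUN_KEY, RUN_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Adware.Srv32"
CREATED_KEYS = [r"HKLM\SOFTWARE\Transponder", r"HKLM\SOFTWARE\RespondMiter",
                r"HKLM\SOFTWARE\WSoft", r"HKCR\AlxTB.BHO"]

def parse_reg_export(text):
    """Parse decoded 'reg export' text into {lower-cased key: {name: data}}.
    String data is quoted with doubled backslashes; both are undone here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if section:
            hive, _, rest = section.group(1).partition("\\")
            current = keys.setdefault((HIVES.get(hive, hive) + "\\" + rest).lower(), {})
        elif value and current is not None:
            data = value.group(2).strip('"').replace("\\\\", "\\")
            current[value.group(1).lower()] = data
    return keys

def find_indicators(text):
    """Return (kind, detail) for each listed indicator found in the export."""
    keys, hits = parse_reg_export(text), []
    if BHO_KEY.lower() in keys:
        hits.append(("bho", BHO_KEY))
    run = keys.get(RUN_KEY.lower(), {})
    if RUN_VALUE.lower() in run:
        hits.append(("run", run[RUN_VALUE.lower()]))
    for key in CREATED_KEYS:
        prefix = key.lower() + "\\"  # match the key itself or any subkey
        if any(k == key.lower() or k.startswith(prefix) for k in keys):
            hits.append(("key", key))
    return hits

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Adware.Srv32"="C:\\WINDOWS\\system32\\runsrv32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B53455DB-5527-4041-AC41-F86E6947AA47}]
[HKEY_LOCAL_MACHINE\SOFTWARE\WSoft\Settings]
'''
print(find_indicators(SAMPLE))
```

`reg export` writes UTF-16 text, so decode the file (for example with `open(path, encoding="utf-16")`) before passing its contents to `find_indicators`.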
