Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 19 April 2005 13:00:34 (GMT) |
| Last updated | 9 November 2005 15:31:50 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Prorat-L is a backdoor Trojan which allows a remote intruder to gain access to and control over the computer.
The Trojan also includes functionality to send notification messages to remote locations.
When first run, the Trojan copies itself to:
%WINDOWS%\services.exe
%SYSTEM%\sservice.exe
%SYSTEM%\fservice.exe
and creates the following files:
%SYSTEM%\reginv.dll - Troj/Prorat-L
%SYSTEM%\winkey.dll - Troj/Prorat-H
In order to run each time Explorer initialises, Troj/Prorat-L will set the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
DirectX For Microsoft® Windows
%SYSTEM%\fservice.exe
In order to run automatically each time a user logs in, Troj/Prorat-L will modify the following registry entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
<Old value> %SYSTEM%\fservice.exe
where the old value may be, for example, Explorer.exe
Troj/Prorat-L will also install itself as an Active Setup component and create the following registry entry:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(5Y99AE78-58TT-11dW-BE53-Y67078979Y)
StubPath
%SYSTEM%\sservice.exe
Troj/Prorat-L will add entries to the following registry branch:
HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag
Troj/Prorat-L will attempt to disable the Windows XP Internet Connection Firewall and System Restore service by modifying the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
HKLM\SYSTEM\CurrentControlSet\Services\srservice\Start
Troj/Prorat-L may attempt to drop a Trojan detected as Troj/LdPinch-AG.
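The following Python function checks a registry snapshot for the autostart entries and disabled services described above. It is an added example, not part of the original analysis: the snapshot format, the name `audit`, the `C:\WINDOWS\system32` paths and the sample data are assumptions, and the Start value 4 is the standard Windows "disabled" start type, which the description does not state. The Winlogon check is generalised to report any Shell value other than the default.

```python
import re

# Registry locations named in the description above.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ACTIVE_SETUP = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
SERVICES = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess": "Internet Connection Firewall",
    r"HKLM\SYSTEM\CurrentControlSet\Services\srservice": "System Restore",
}
# Copies the registry entries point at. services.exe is left out on purpose:
# a legitimate file of that name exists in the system directory.
DROPPED = re.compile(r"\\(sservice|fservice)\.exe\b", re.IGNORECASE)
SERVICE_DISABLED = 4  # Windows service start type "disabled" (not stated on the page)


def audit(snapshot):
    """Check a {(key, value_name): data} snapshot; return sorted (check, detail) pairs."""
    services = {k.lower(): label for k, label in SERVICES.items()}
    findings = []
    for (key, name), data in snapshot.items():
        k, n, text = key.lower(), name.lower(), str(data)
        if k == RUN_KEY.lower() and DROPPED.search(text):
            findings.append(("policies-run", f"{name} -> {text}"))
        elif k == WINLOGON.lower() and n == "shell":
            # Generalised: anything other than the default single shell is reported.
            if text.strip().lower() != "explorer.exe":
                findings.append(("winlogon-shell", text))
        elif k.startswith(ACTIVE_SETUP.lower() + "\\") and n == "stubpath":
            if DROPPED.search(text):
                findings.append(("active-setup", f"{key[len(ACTIVE_SETUP) + 1:]} -> {text}"))
        elif k in services and n == "start" and data == SERVICE_DISABLED:
            findings.append(("service-disabled", services[k]))
    return sorted(findings)


# Constructed snapshot of an affected machine (assumes %SYSTEM% = C:\WINDOWS\system32).
SAMPLE = {
    (RUN_KEY, "DirectX For Microsoft® Windows"): r"C:\WINDOWS\system32\fservice.exe",
    (WINLOGON, "Shell"): r"Explorer.exe C:\WINDOWS\system32\fservice.exe",
    (ACTIVE_SETUP + r"\(5Y99AE78-58TT-11dW-BE53-Y67078979Y)", "StubPath"):
        r"C:\WINDOWS\system32\sservice.exe",
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start"): 4,
    (r"HKLM\SYSTEM\CurrentControlSet\Services\srservice", "Start"): 4,
}

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"{check}: {detail}")
```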
