Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Tofger-C starts a proxy server on the compromised computer. A remote attacker can relay network traffic through it, which hides the attacker's real IP address when accessing internet sites.
The Trojan drops the files svchost.exe, msto32.dll and sysini.ini into the Windows folder and the files svchostc.exe and svchosts.exe into the Windows system folder.
To run automatically when Windows starts up, Troj/Tofger-C creates the following registry entry pointing to the file svchost.exe:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Online Service
The Trojan may log the content of various windows to the file sysini.txt in the Windows folder and may also open a backdoor that allows a malicious user remote access to the infected computer.
The Trojan sets the registry entry HKLM\Software\Microsoft\Mserv\Idwin and attempts to start the two processes svchosts.exe -p<port1> and svchosts.exe -p<port2> where port1 is a random port number between 1200 and 10000 and port2 = port1 + 2.
Troj/Tofger-C registers itself as a service process. The Trojan creates internet shortcuts in the user's Favorites folder pointing to adult web sites and attempts to download and run the file surte.exe from an internet address.
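The indicators described above can be checked against a host inventory. The following is an added example, not Sophos code: the function names, the `C:\Windows` and `System32` locations, and the sample data are assumptions made for illustration.

```python
import re
from ntpath import basename, dirname, normcase

# Assumed install locations; adjust to the host's %SystemRoot%.
WINDIR = r"C:\Windows"
SYSDIR = WINDIR + r"\System32"

# File names from the description, keyed by the folder they appear in.
# The genuine svchost.exe lives in System32, so only the copy in WINDIR matches.
TROJAN_FILES = {
    normcase(WINDIR): {"svchost.exe", "msto32.dll", "sysini.ini", "sysini.txt"},
    normcase(SYSDIR): {"svchostc.exe", "svchosts.exe"},
}
RUN_VALUE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Online Service"
MSERV_VALUE = r"HKLM\Software\Microsoft\Mserv\Idwin"
PORT_ARG = re.compile(r'svchosts\.exe"?\s+-p(\d+)\s*$', re.IGNORECASE)

def file_hits(paths):
    """Return paths whose folder and file name both match a listed file."""
    return [p for p in paths
            if normcase(basename(p)) in TROJAN_FILES.get(normcase(dirname(p)), ())]

def registry_hits(values):
    """values maps a full registry value path to its data; return matches."""
    hits = []
    for path, data in values.items():
        target = normcase(basename(data.strip('"')))
        if path.lower() == MSERV_VALUE.lower():
            hits.append(path)
        elif path.lower() == RUN_VALUE.lower() and target == "svchost.exe":
            hits.append(path)
    return hits

def proxy_port_pairs(cmdlines):
    """Return (port1, port2) with 1200 <= port1 <= 10000 and port2 == port1 + 2."""
    ports = {int(m.group(1)) for c in cmdlines if (m := PORT_ARG.search(c))}
    return sorted((p, p + 2) for p in ports if 1200 <= p <= 10000 and p + 2 in ports)

# Constructed sample inventory (not taken from a real host).
SAMPLE_FILES = [r"C:\Windows\svchost.exe", r"C:\Windows\System32\svchost.exe",
                r"C:\WINDOWS\system32\svchosts.exe", r"C:\Windows\msto32.dll"]
SAMPLE_REGISTRY = {
    RUN_VALUE: r'"C:\Windows\svchost.exe"',
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater":
        r"C:\Program Files\Example\updater.exe",
}
SAMPLE_CMDLINES = [r"C:\Windows\System32\svchost.exe -k netsvcs",
                   r"C:\Windows\System32\svchosts.exe -p4711",
                   r"C:\Windows\System32\svchosts.exe -p4713",
                   r"C:\Windows\System32\svchosts.exe -p80"]

if __name__ == "__main__":
    print(file_hits(SAMPLE_FILES), registry_hits(SAMPLE_REGISTRY),
          proxy_port_pairs(SAMPLE_CMDLINES))
```

A name match alone is weak evidence; the paired `svchosts.exe` processes two ports apart together with the `Online Service` Run value give a much stronger signal than any single file.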
