Sophos

Troj/KillProc-F

Aliases
  • ProcKill-CQ
  • Trojan-Dropper.Win32.Small.wi

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from June 2005 (3.94)
Protection available since 2 May 2005 21:20:46 (GMT)
Detected by All Sophos products

More Information

Troj/KillProc-F is a Trojan for the Windows platform.

When executed, Troj/KillProc-F copies itself to the Windows folder with the filename STRTO.EXE and creates the following registry entry to ensure it is run at Windows login:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
strto
<Windows folder>\strto.exe

The Trojan also creates a DLL in the Windows system folder named JAVAFIX4.DLL and creates the following registry entries to register the DLL as a Browser Helper Object (BHO), so that Internet Explorer loads it:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{DE23A040-D6AA-43ca-9B86-D9BE3DAA6FE7}\

HKCR\CLSID\{DE23A040-D6AA-43ca-9B86-D9BE3DAA6FE7}\InProcServer32
(default)
<Windows system folder>\javafix4.dll

HKCR\CLSID\{DE23A040-D6AA-43ca-9B86-D9BE3DAA6FE7}\InProcServer32
ThreadingModel
Apartment

The Trojan may also set the following registry entry:

HKCU\Software\Microsoft\Internet Explorer\Main
setupd
ok
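The registry entries listed above are the persistence and BHO indicators a responder would look for on a suspect machine. The following checker is an added example for defenders, not Sophos code: it parses a Windows .reg export (regedit's text format, assumed already decoded from UTF-16 to a Python string) and reports the Run value, the BHO registration under the CLSID given above, the InProcServer32 path pointing at javafix4.dll, and the setupd marker. Key and value comparisons are case-insensitive, as the registry itself is. The two sample exports at the bottom are constructed for the demonstration.

```python
import re

# Indicators taken from the Sophos description of Troj/KillProc-F.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
BHO_CLSID = "{DE23A040-D6AA-43ca-9B86-D9BE3DAA6FE7}"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects" + "\\" + BHO_CLSID)
INPROC_KEY = r"HKEY_CLASSES_ROOT\CLSID" + "\\" + BHO_CLSID + r"\InProcServer32"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    String data is unescaped; dword:/hex: data is kept as written, and the
    continuation lines of multi-line hex: values are ignored.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})   # keys with no values still count as present
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue
        name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_killproc_f(reg_text):
    """Return a list of (indicator, detail) hits matching the advisory."""
    reg = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    hits = []

    # Run-key persistence: value "strto" or any value launching strto.exe.
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        if name.lower() == "strto" or "strto.exe" in data.lower():
            hits.append(("run_key_persistence", f"{name} = {data}"))

    # BHO registered under Explorer\Browser Helper Objects with the known CLSID.
    if BHO_KEY.lower() in reg:
        hits.append(("bho_registered", BHO_CLSID))

    # CLSID's InProcServer32 default value pointing at javafix4.dll.
    default = reg.get(INPROC_KEY.lower(), {}).get("(default)", "")
    if "javafix4.dll" in default.lower():
        hits.append(("bho_inprocserver32", default))

    # Marker value the Trojan may set under Internet Explorer\Main.
    if reg.get(IE_MAIN_KEY.lower(), {}).get("setupd", "").lower() == "ok":
        hits.append(("ie_main_marker", "setupd = ok"))
    return hits


# Constructed sample export of an infected profile (not a real capture).
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"strto"="C:\\WINDOWS\\strto.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE23A040-D6AA-43ca-9B86-D9BE3DAA6FE7}]

[HKEY_CLASSES_ROOT\CLSID\{DE23A040-D6AA-43ca-9B86-D9BE3DAA6FE7}\InProcServer32]
@="C:\\WINDOWS\\system32\\javafix4.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"setupd"="ok"
"""

# Constructed sample export of a clean profile.
SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, check_killproc_f(sample))
```

To use it on a real machine, export the four keys with `reg export` (or regedit), decode the file from UTF-16 and pass the text to `check_killproc_f`. A hit on the Run value or the InProcServer32 path is the strongest signal; the setupd marker alone is weaker because the advisory says the Trojan only "may" set it.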

Troj/KillProc-F will attempt to kill the following anti-virus and security-related processes:

ALOGSERV.EXE
AVSYNMGR.EXE
CCAPP.EXE
CCEVTMGR.EXE
CCSETMGR.EXE
GCASCLEANER
GCASDTSERV
GCASINSTALLHELPER
GCASNOTICE
GCASSERV
GCASSERVALERT
GCASSWUPDATER
GCIPTOHOSTQUEUE
GIANTANTISPYWAREMAIN
GIANTANTISPYWAREUPDATER
KAV.EXE
KAVSEND.EXE
KAVSVC.EXE
NAVAPSVC.EXE
NMAIN.EXE
QCLEAN.EXE
RULAUNCH.EXE
SAVSCAN.EXE
SYMLCSVC.EXE
VSSTAT.EXE

Troj/KillProc-F will also attempt to delete all files from within the following folders:

C:\Program Files\Common Files\Network Associates\
C:\Program Files\Common Files\Symantec Shared\
C:\Program Files\Norton Antivirus\
C:\Program Files\McAfee\
C:\Program Files\Kaspersky Lab\
C:\Program Files\Microsoft AntiSpyware\

Troj/KillProc-F will also delete the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
gcasServ

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Advanced Tools Check

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ccApp

Troj/KillProc-F may also attempt to download a file from a pre-defined website.
