Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | January 2005 (3.89) |
| Protection available since | 19 November 2004 23:41:55 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Change any data that may have become compromised.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
and remove any reference to any file you deleted.
Locate the following HKEY_CLASSES_ROOT entry:
HKCR\CLSID\<CLSID>\InProcServer32\
default
systemp.dll
and remove any reference to any file you deleted.
Close the registry editor.
More Information
Troj/Narod-D is a password-stealing Trojan for the Windows platform.
When first run, Troj/Narod-D copies itself to the Windows system folder as systemp.exe and drops two DLL components to the same folder. The DLL components have the filenames sysp.dll and systemp.dll. A copy of the Trojan is also created with the filename sp.dat.
Troj/Narod-D may also open a backdoor and await commands from a remote attacker.
Troj/Narod-D creates the following registry entries in order to run as a service process:
HKCR\CLSID\<CLSID>\InProcServer32\
default
systemp.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
systemp<CLSID>
Where <CLSID> is randomly generated.
Troj/Narod-D may also open a backdoor on port 3128 and await commands from a remote user.
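The artifacts described above can be checked without editing anything. The following read-only PowerShell check is an added example, not part of the original description or a Sophos tool; the function name is hypothetical, and it assumes each ShellServiceObjectDelayLoad value holds a CLSID string as its data.

```powershell
# Added example: read-only check for the Troj/Narod-D artifacts listed on this page.
# The function name is illustrative; nothing here deletes or edits anything.
function Test-NarodDArtifacts {
    $findings = @()

    # 1. Files the description says are created in the Windows system folder.
    $sysDir = [Environment]::SystemDirectory
    foreach ($name in 'systemp.exe', 'sysp.dll', 'systemp.dll', 'sp.dat') {
        $path = Join-Path $sysDir $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }

    # 2. ShellServiceObjectDelayLoad values.
    #    Assumption: each value's data is a CLSID string such as {xxxxxxxx-...}.
    $ssodl = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $key = Get-Item -LiteralPath $ssodl -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($valueName in $key.GetValueNames()) {
            $clsid = [string]$key.GetValue($valueName)

            # 3. Resolve the CLSID to the DLL registered as its in-process server
            #    (the default value of HKCR\CLSID\<CLSID>\InProcServer32).
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
            $server = Get-Item -LiteralPath $inproc -ErrorAction SilentlyContinue
            $dll = if ($server) { [string]$server.GetValue('') } else { '' }

            # The CLSID is random, so match on the value name or the DLL it loads.
            if ($valueName -like 'systemp*' -or $dll -match '(^|\\)systemp\.dll$') {
                $findings += "SSODL value '$valueName' -> $clsid -> '$dll'"
            }
        }
    }

    # 4. The backdoor port named in the description. Proxy software also commonly
    #    listens on 3128, so confirm the owning process before drawing conclusions.
    #    Get-NetTCPConnection requires Windows 8 / Server 2012 or later.
    $listeners = Get-NetTCPConnection -State Listen -LocalPort 3128 -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $findings += "Listener on TCP 3128, owning PID $($l.OwningProcess)"
    }
    return $findings
}

$result = Test-NarodDArtifacts
if ($result) { $result } else { 'No Troj/Narod-D artifacts from this description were found.' }
```

Because the CLSID is randomly generated, the check follows each ShellServiceObjectDelayLoad value to its InProcServer32 entry instead of searching for a fixed identifier.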
