Thursday, May 10, 2007 2:08 PM
cmosby
Symantec Security Response Weblog: Removal Instructions for Trojan.Kardphisher
Removal Instructions for Trojan.Kardphisher
In the blog entry "MS Needs Your Credit Card Details?", we detailed the behavior of the Kardphisher Trojan, which "attempts to steal credit card numbers by tricking the user into entering their credit card details to activate Windows." This entry explains how to remove the Trojan.
Removal instructions
1. Reboot the infected machine. You can do that by simply clicking the "No" and "Next" buttons, or by doing a good old-fashioned hard reboot.
2. While Windows is starting, press the function 8 key (F8 key) to enter Safe Mode.
3. Click Start > Run.
4. Type regedit
5. Click OK.
6. Navigate to and delete these subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soft2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
(If it exists)
7. Exit the Registry Editor.
Alternatively, you can input FAKE credit card details and private information like this:
Email: abc@localhost
Phone number: 0123
Name on card: abc
Credit card number: 0123456789012345
ATM PIN: 0123
Expiry date: January 2007
CVV2 code: 0123
After this, Trojan.Kardphisher removes itself and enables Task Manager.
Now open regedit, then navigate to and delete this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soft2
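The registry cleanup from step 6 can also be scripted. The following is an added example, not part of the Symantec post: the function name Remove-KardphisherRegistryEntries is hypothetical, and the script assumes an elevated PowerShell prompt and that the entries are stored as values under the listed keys (how Run entries are normally stored), with a fallback for a literal subkey.

```powershell
# Added example: check for and remove the registry entries named in the
# removal instructions. Function name is hypothetical.
function Remove-KardphisherRegistryEntries {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Key paths and entry names are taken from the removal instructions.
    $targets = @(
        @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
           Name = 'soft2' },
        @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Name = 'DisableTaskMgr' }
    )

    foreach ($t in $targets) {
        if (-not (Test-Path -Path $t.Key)) {
            Write-Output "Key not present: $($t.Key)"
            continue
        }

        # Assumption: the entry is a value under the key.
        $prop = Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            # Record the data before deleting it. For the Run entry this is
            # the command line that Windows launches at logon.
            Write-Output "Found value '$($t.Name)' = '$($prop.($t.Name))' in $($t.Key)"
            Remove-ItemProperty -Path $t.Key -Name $t.Name
            continue
        }

        # Fallback: the instructions call these subkeys, so check for one.
        $subKey = Join-Path -Path $t.Key -ChildPath $t.Name
        if (Test-Path -Path $subKey) {
            Write-Output "Found subkey $subKey"
            Remove-Item -Path $subKey -Recurse
        }
        else {
            Write-Output "Not present: $($t.Key)\$($t.Name)"
        }
    }
}

# -WhatIf reports what would be deleted without changing the registry.
Remove-KardphisherRegistryEntries -WhatIf
```

Run the function without -WhatIf to perform the deletion once the reported entries match what you expect.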
Posted by Takashi Katsuki on May 10, 2007 10:00 AM
Source: Symantec Security Response Weblog: Removal Instructions for Trojan.Kardphisher