am.exe/apiqq.exe/arking.exe

Avira: TR/Drop.Small.fyi
Bitdefender: Trojan.Generic.KDV.33026
Panda: Trj/Small.SDL
Eset: Win32/PSW.OnLineGames.PPA


Trojans remain one of the commonest ways a machine gets infected, and this is another one that was discovered recently. Once running, it modifies the registry to open ports on the computer, which lets unauthorised users reach the system. It also contacts several servers to update itself and is notorious for downloading further malicious programs. Like many other viruses it creates several copies of itself and adds registry entries so that it launches at every startup. It only runs on Windows 2000, XP and Server 2003, so if you are a Windows 7 user these removal instructions are not for you. Its malicious code lives in a DLL (Dynamic Link Library) that is injected into processes such as explorer.exe, where the Trojan runs in a thread of its own inside the host process. The executables run from a directory that hardly anyone inspects, the temporary folder, and because the files are wrapped in a runtime packer several antivirus products fail to detect them. This backdoor Trojan (ESET's PSW prefix above also classes it as a password stealer) must be removed as soon as possible. The removal instructions are shown below:

Manual instructions to remove apiqq.exe:

  1. Reboot your system into Safe Mode so that only the core Windows processes run at startup. See the instructions here if you're having trouble starting your system in Safe Mode.
  2. Let's begin by deleting the files the virus dropped. Type %temp% in Run and you will be taken to the temporary folder. Delete the files am.exe, am1.rar and apiqq0.dll, plus apiqq.exe (the file the "api32" Run value below points at). You'll get a confirmation message asking whether to delete the hidden items as well; answer Yes. This removes the .exe files along with the DLLs. If a couple of files refuse to be deleted (a DLL that is still loaded in a process cannot be removed), don't panic: keep following the instructions below and delete them after the startup entries are gone and the system has been rebooted without them.
  3. Now navigate to C:\WINDOWS\System32 on XP and 2003, or C:\WINNT\System32 on 2000, and delete the file named arking.exe. This is a second Trojan that the virus downloads on its first execution.
  4. Now go to Start --> Run and type "regedit". This opens the Registry Editor provided by Windows. Navigate to the following key
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    In the right-hand pane of that key, delete the values
    • "King_ar"="%SYSDIR%\arking.exe"
    • "api32"="%TEMPDIR%\apiqq.exe"
    Also navigate to
    [HKLM\SOFTWARE\Classes\CLSID\MADOWN]
    and delete the value
    • "urlinfo"="dfrswq.w"
    The two Run values are what makes the Trojan execute at every startup; the MADOWN value is a marker the Trojan writes for itself and serves no purpose once the files are gone.
  5. It's time to deal with the DLLs the Trojan registered during its first launch, apiqq0.dll and arking0.dll. Open a Command Prompt and unregister each of them with
    regsvr32 /u name_of_the_file.dll
    Note that regsvr32 /u only removes the DLL's COM registration (it does nothing unless the DLL exports DllUnregisterServer); it neither unloads the DLL from explorer.exe nor deletes the file, so delete the file itself afterwards as in step 2.
  6. Your system is now free of these two back-door Trojans. Run a full scan with an up-to-date antivirus to confirm nothing was missed, and since this family is classified as a password stealer, change any passwords that were used on the infected machine.
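For anyone who would rather not click through each location by hand, the following PowerShell script performs steps 2 to 4 as one audit. It is an added example written for this post, not code from the original article or from any antivirus vendor. It assumes the file locations the post gives (%TEMP% and %SystemRoot%\System32); the post does not say where arking0.dll lives, so the script checks both directories for it. Without the -Remove switch it only reports what it finds. PowerShell is not preinstalled on Windows 2000/XP/2003 and has to be installed first; run the script from an elevated prompt in Safe Mode, and delete any DLL it reports as in use after the reboot that follows removal of the Run values.

```powershell
# Added example (not from the original post): audit and optionally clean the
# am.exe/apiqq.exe/arking.exe indicators listed above. Reports only unless -Remove is given.
param([switch]$Remove)

$sysDir  = Join-Path $env:SystemRoot 'System32'
$tempDir = $env:TEMP

# Dropped files named in the post. The post gives no directory for arking0.dll,
# so both candidate locations are checked (assumption).
$files = @(
    (Join-Path $tempDir 'am.exe'),
    (Join-Path $tempDir 'am1.rar'),
    (Join-Path $tempDir 'apiqq.exe'),
    (Join-Path $tempDir 'apiqq0.dll'),
    (Join-Path $sysDir  'arking.exe'),
    (Join-Path $sysDir  'arking0.dll'),   # assumed location
    (Join-Path $tempDir 'arking0.dll')    # assumed location
)

# Autostart values: value name -> executable its data must end with.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @{ 'King_ar' = 'arking.exe'; 'api32' = 'apiqq.exe' }

# Marker value the post says the Trojan writes (not an autostart entry).
$markerKey   = 'HKLM:\SOFTWARE\Classes\CLSID\MADOWN'
$markerValue = 'urlinfo'

$found = 0

# 1. Processes named after the dropped executables, in case one is still running.
foreach ($p in Get-Process -Name am, apiqq, arking -ErrorAction SilentlyContinue) {
    $found++
    Write-Host ("[process] {0} (PID {1})" -f $p.ProcessName, $p.Id)
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Dropped files. A DLL still loaded in explorer.exe cannot be deleted: report it and move on.
foreach ($f in $files) {
    if (Test-Path -Path $f) {
        $found++
        Write-Host "[file] $f"
        if ($Remove) {
            try { Remove-Item -Path $f -Force -ErrorAction Stop }
            catch { Write-Warning "could not delete $f (still in use?): $_" }
        }
    }
}

# 3. Run values: delete only when the data points at the expected executable, so an
#    unrelated value that happens to share the name is left alone.
foreach ($name in $runValues.Keys) {
    $item = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($item -ne $null) {
        $data = [string]$item.$name
        if ($data.ToLower().EndsWith($runValues[$name])) {
            $found++
            Write-Host "[registry] $runKey\$name = $data"
            if ($Remove) { Remove-ItemProperty -Path $runKey -Name $name }
        } else {
            Write-Warning "$runKey\$name exists but points at '$data'; not touching it"
        }
    }
}

# 4. Marker value under the MADOWN key.
if (Test-Path -Path $markerKey) {
    $item = Get-ItemProperty -Path $markerKey -Name $markerValue -ErrorAction SilentlyContinue
    if ($item -ne $null) {
        $found++
        Write-Host ("[registry] {0}\{1} = {2}" -f $markerKey, $markerValue, $item.$markerValue)
        if ($Remove) { Remove-ItemProperty -Path $markerKey -Name $markerValue }
    }
}

if ($found -eq 0) { Write-Host 'No indicators from this post were found.' }
elseif (-not $Remove) { Write-Host "$found indicator(s) found; re-run with -Remove to clean them." }
```

Run it once without arguments to see what is present, then again with -Remove. The check on the Run value's data before deleting it is deliberate: registry cleaners that delete by value name alone can remove a legitimate autostart entry that merely shares a name with the indicator.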

Posts that might help you here:
Enabling Safe Mode booting, Enabling the Registry Editor, Enabling the Hidden files and folders option and Enabling the Command Prompt.

Also see this for getting more assistance on deleting this Trojan with the Command Prompt.