Remove Downloader.Picproot Trojan from the System - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Downloader.Picproot Trojan from the System

Downloader.Picproot is a recently discovered Trojan horse that is detected by Symantec. The Trojan affects the Windows operating system. Even though its threat level is considered low, Downloader.Picproot should be removed promptly so that more severe consequences are avoided. A full system scan with a legitimate AV solution is recommended before any other action is taken.


Downloader.Picproot General Description and Distribution

The Trojan horse affects the following, as reported by security researchers:

  • Windows 2000.
  • Windows 7.
  • Windows 95.
  • Windows 98.
  • Windows Me.
  • Windows NT.
  • Windows Vista.
  • Windows XP.

Users should note that Downloader.Picproot may be dropped by a binary file attached to an email message. Always examine received emails before opening anything in them: many kinds of malware are distributed through malicious email attachments and corrupted hyperlinks. If the user is tricked into executing the binary, Downloader.Picproot may start copying itself to:

  • %UserProfile%\Application Data\Microsoft\Credentials\Credentials.dll
  • %UserProfile%\Application Data\Microsoft\Credentials\Credentials.exe
  • %UserProfile%\Application Data\Microsoft\SystemCertificates\CREDRIVER.dll
  • %UserProfile%\Application Data\Microsoft\SystemCertificates\Desktop.ini

Then, Downloader.Picproot may proceed towards creating the following files:

  • %UserProfile%\Application Data\Microsoft\Credentials\Credentials.dat
  • %UserProfile%\Application Data\Microsoft\Credentials\Credentials.bak
  • %UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].tmp
  • %UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].msi

After performing those malicious activities, the Trojan may delete files with the .dta extension. Such files may be located in:

→%UserProfile%\Application Data\Tasks.

Next, Downloader.Picproot creates a new registry entry so that the threat runs every time Windows is rebooted:

→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Credentials" = "rundll32.exe "%UserProfile%\Application Data\Microsoft\Credentials\Credentials.dll",Embedding"

Also, keep in mind that Trojans can modify the Windows registry. In the case of Downloader.Picproot the following registry key may be altered:

→HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\lsa\"forceguest" = "0"

Then the Trojan enables the user's HelpAssistant account and adds it to the Administrators group. This is done so that Downloader.Picproot controls the incoming traffic on TCP ports 135, 139, and 445. Trojan horses are also known to connect to remote locations, and Downloader.Picproot is no exception. Here is a list of possible remote servers that the malware may connect to:

→air88.ns01.us, info.acmetoy.com, ware.compress.to, bbs.ccdog.net, ph11.dns1.us, 113.10.221.89, cham.com.tw

The final touch of the threat is downloading a corrupted image file and saving it to %UserProfile%\Application Data\Tasks\Zup[ONE OR MORE LETTER FILE NAME].tmp or %UserProfile%\Application Data\Tasks\up[ONE OR MORE LETTER FILE NAME].msi. Finally, the payload is decrypted and hidden from the user.
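The artifacts described above (dropped files, the Run-key entry, the forceguest value, the HelpAssistant account, the ports and the remote hosts) can be checked on a suspect host from one script. The following PowerShell triage script is an added example written for this write-up; it is not code from the article's author, Symantec or SensorsTechForum. It assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for Get-NetTCPConnection and Get-DnsClientCache), an elevated prompt so HKLM and all connections are readable, and that `$env:APPDATA` is the same folder the article calls `%UserProfile%\Application Data` (true on XP; on later versions that name is a junction to it). The function name `Invoke-PicprootTriage` is the example's own.

```powershell
# Added host-triage example for the Downloader.Picproot write-up (not the article's own
# code). Returns a list of findings; an empty list means none of the described
# artifacts were seen. Assumes an elevated Windows PowerShell 5.1+ session.

function Invoke-PicprootTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # Remote hosts named in the article (IoCs copied from the text above).
    $iocHosts = @('air88.ns01.us', 'info.acmetoy.com', 'ware.compress.to',
                  'bbs.ccdog.net', 'ph11.dns1.us', '113.10.221.89', 'cham.com.tw')

    # $env:APPDATA is "%UserProfile%\Application Data" on XP and the junction target
    # of that legacy name on Vista and later.
    $base = $env:APPDATA

    # 1. Fixed-name drops listed in the article.
    $fixed = @('Microsoft\Credentials\Credentials.dll',
               'Microsoft\Credentials\Credentials.exe',
               'Microsoft\Credentials\Credentials.dat',
               'Microsoft\Credentials\Credentials.bak',
               'Microsoft\SystemCertificates\CREDRIVER.dll')
    foreach ($rel in $fixed) {
        $p = Join-Path $base $rel
        if (Test-Path -LiteralPath $p -PathType Leaf) { $findings.Add("File present: $p") }
    }

    # 2. Variable-name drops under Tasks: up<letters>.tmp / .msi and Zup<letters>.tmp.
    $taskDir = Join-Path $base 'Tasks'
    if (Test-Path -LiteralPath $taskDir -PathType Container) {
        Get-ChildItem -LiteralPath $taskDir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^Z?up[A-Za-z]+\.(tmp|msi)$' } |
            ForEach-Object { $findings.Add("Suspicious drop: $($_.FullName)") }
    }

    # 3. Run-key persistence: value "Credentials" loading Credentials.dll via rundll32.
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
                            -Name 'Credentials' -ErrorAction SilentlyContinue
    if ($run -and $run.Credentials -match 'rundll32' -and $run.Credentials -match 'Credentials\.dll') {
        $findings.Add("Run key persistence: Credentials = $($run.Credentials)")
    }

    # 4. Lsa\forceguest = 0. Caveat: 0 is also the normal value on domain-joined hosts and
    #    on Professional/Enterprise editions, so treat it only as corroborating evidence.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'forceguest' -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.forceguest -eq 0) { $findings.Add('Lsa\forceguest is 0 (corroborating only)') }

    # 5. HelpAssistant enabled and placed in the local Administrators group.
    $acct = net user HelpAssistant 2>$null
    if ($LASTEXITCODE -eq 0 -and ($acct -match '^Account active\s+Yes')) {
        $findings.Add('HelpAssistant account is enabled')
    }
    if ((net localgroup Administrators 2>$null) -match '^HelpAssistant\s*$') {
        $findings.Add('HelpAssistant is a member of Administrators')
    }

    # 6. Established sessions on 135/139/445 with an off-box peer. These ports listen on
    #    every Windows host, so listening alone proves nothing; only live peers are noted.
    Get-NetTCPConnection -State Established -LocalPort 135,139,445 -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $findings.Add("Session on local port $($_.LocalPort) from $($_.RemoteAddress):$($_.RemotePort) (PID $($_.OwningProcess))")
        }

    # 7. Contact with the listed remote hosts: resolver-cache entries or live connections.
    $cache  = Get-DnsClientCache -ErrorAction SilentlyContinue
    $remote = Get-NetTCPConnection -ErrorAction SilentlyContinue | Select-Object -ExpandProperty RemoteAddress
    foreach ($h in $iocHosts) {
        if ($cache | Where-Object { $_.Entry -eq $h -or $_.Data -eq $h }) { $findings.Add("DNS cache entry for $h") }
        if ($remote -contains $h) { $findings.Add("Active connection to $h") }
    }

    return $findings
}

$result = Invoke-PicprootTriage
if ($result.Count -eq 0) { 'No Downloader.Picproot artifacts found on this host.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Each check is deliberately tied to the exact value or name the article gives (the `Credentials` Run value invoking rundll32, the `Z?up<letters>` temp names, HelpAssistant in Administrators) rather than to generic signs, so a hit is meaningful; the forceguest and port checks are the two that are common on clean hosts and are labelled as corroborating only. A positive result is a reason to run the full AV scan the article recommends, not a replacement for it.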

Downloader.Picproot Removal Options

Affected users should scan the system as soon as possible. Install a trustworthy anti-malware program to detect and eliminate the threat. For the future, always examine incoming emails carefully to avoid infecting the system.


1. Start Your PC in Safe Mode to Remove Downloader.Picproot
2. Remove Downloader.Picproot automatically with Spy Hunter Malware - Removal Tool.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

