JS.Proslikefan

By Domesticus in Trojans | 16 views

JS.Proslikefan Description

JS.Proslikefan is a JavaScript worm that proliferates through file-sharing programs, removable drives and mapped network shares. When executed, JS.Proslikefan may copy itself to particular locations. JS.Proslikefan can modify several files in order to change the computer user's home page. JS.Proslikefan may contact a command-and-control (C&C) server. JS.Proslikefan collects information from the affected computer, including installed anti-virus software information, computer name, OS version, user name and script information, and sends it to the C&C server. If the Internet user is logged in to Facebook, JS.Proslikefan may perform certain actions, such as set up a chat, Like a page, or become a fan of a page. JS.Proslikefan modifies the hosts file in order to block access to numerous security-related domains.

Type: Spyware

How Can You Detect JS.Proslikefan?

JS.Proslikefan Removal Details

JS.Proslikefan creates the following files in the system:

  • %UserProfile%\Application Data\uc\cu.js
  • %DriveLetter%\autorun.inf
  • %ProgramFiles%\3db7\3cb3.js
  • %UserProfile%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
  • %DriveLetter%\[SCRIPT NAME].js
  • %UserProfile%\Start Menu\Programs\Startup\[ENCODED STRING].js
  • %UserProfile%\Local Settings\Application Data\Mozilla\Firefox\Profiles\user.js
  • %SystemDrive%\prospect\knock

JS.Proslikefan creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"DisableCMD" = "1"
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"HomePage" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UpdatesDisableNotify" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoControlPanel" = "1"
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"DisableTaskMgr" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"SystemRestoreDisableSR" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "[VALUE FROM CONFIGURATION FILE]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\"Default" = "[VALUE FROM CONFIGURATION FILE]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"ParseAutoexec" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusDisableNotify" = "1"
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"NoDispCPL" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoWindowsUpdate" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableConfig" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "1"
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\"DisableRegistryTools" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\"www" = "[VALUE FROM CONFIGURATION FILE]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"cu" = "%UserProfile%\Application Data\uc\cu.js"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"MigrateProxy" = "0"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallDisableNotify" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NofolderOptions" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\"HomePage" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT\"DontReportInfectionInformation" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallOverride" = "1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\"Start" = "4"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "[VALUE FROM CONFIGURATION FILE]"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\"Default" = "[VALUE FROM CONFIGURATION FILE]"
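
One way to triage an exported registry for a subset of the entries listed above, as an added example that is not part of the original entry: it parses the text of a `reg export` file and reports the listed values whose data matches. The sample export, the `alice` profile path and the function names are constructed for illustration, and the page does not state value types, so REG_DWORD and REG_SZ data are compared as text.

```python
import re

# (key, value name, regex for the data) taken from the registry list above.
# Assumption: the page does not give value types, so REG_DWORD and REG_SZ
# data are both normalised to text before matching.
SYS = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
INDICATORS = [
    (SYS, "DisableTaskMgr", "1"),
    (SYS, "DisableRegistryTools", "1"),
    (SYS, "DisableCMD", "1"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", "4"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "cu", r".*\\Application Data\\uc\\cu\.js"),
]
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse decoded `reg export` text into {key: {value name: data}}, lower-cased."""
    hive, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            hive.setdefault(key, {})
        elif key is not None and (m := VALUE.match(line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                hive[key][name.lower()] = str(int(raw[6:], 16))
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg string data escapes backslash and quote with a backslash
                hive[key][name.lower()] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return hive

def find_hits(text):
    """Return (key, name, data) for every indicator present with matching data."""
    hive, hits = parse_reg(text), []
    for key, name, pattern in INDICATORS:
        data = hive.get(key.lower(), {}).get(name.lower())
        if data is not None and re.fullmatch(pattern, data, re.I):
            hits.append((key, name, data))
    return hits

# Constructed sample export (not from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableTaskMgr"=dword:00000001
"DisableCMD"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cu"="C:\\Documents and Settings\\alice\\Application Data\\uc\\cu.js"
'''
```

Real exports are written as UTF-16, so decode the file before passing its text to `find_hits`; calling `find_hits(SAMPLE)` returns the `DisableTaskMgr` and `cu` entries and skips `DisableCMD`, whose data is 0.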

This entry was last updated on 09/14/12 and posted on 09/14/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.