How to remove Rating.exe Trojan that spreads itself via social networks

1 Star2 Stars3 Stars4 Stars5 Stars (41 votes, average: 5.00 out of 5)
loadingLoading...

We have become aware of the fact that right now many popular social networks are being attacked with new phishing Trojan called Rating.exe. Upon successful download and installation it redirects all social networks via HOSTs file to certain malicious IP address which subsequently is engaged in phishing activities. The mechanism of its activity is as follows. Suddenly the user, while surfing the account of certain social network, faces the link for download of the file called Rating.exe. The offer says that by downloading it users may increase the rating of their own page in this social network. However, this is just the bunch of lies and is far away from reality. By downloading Rating.exe users make their PC and personal information vulnerable and exposed to cyber criminals and frauds that want to gather more and more information about you as their potential victim. When users agree to install Rating.exe Trojan this makes their system exposed to more severe malwares subsequently.

The mechanism of activity of this Trojan is as follows. First, upon launching, the above-mentioned Trojan modifies the important system file %system%\drivers\etc\hosts Afterwards all inquiries from social network sites will be rerouted to some malicious IP address. Then the Trojan installs the attributes «hidden» and «read only» for the modified file, afterwards, for misleading the user, it creates another file with the name: %system%\drivers\etc\hOsts (with some random letter instead of “o”) This file contains the following lines:

  • windows1
  • 0cad11ca6b68a61eae504faea2302d4f1ffcfcdd
  • 0cad11ca6b68a61eae504faea2302d4f1ffcfcdd
  • 0cad11ca6b68a61eae504faea2302d4f1ffcfcdd
  • 0cad11ca6b68a61eae504faea2302d4f1ffcfcdd
  • 0cad11ca6b68a61eae504faea2302d4f1ffcfcd
    • Thus, while browsing the catalogue containing such file the user would only see the fake file (unless your system files do not have “hidden” attribute established). If your computer has been infected with this malicious program then for its removal you need to perform the following actions:

      1. Remove the original file of the Trojan (its location on the infected PC depends on the mode by which the malware program penetrated into the PC).
      2. Remove the file: %system%\drivers\etc\hOsts (with some random letter instead of “o”)
      3. Restore modified file «%System%\drivers\etc\hosts» using any standard application (for example, Notepad»). You need to remove all infected lines added by the Trojan.
      4. Download the latest version of GridinSoft Trojan Killer to clear (not infected) computer, install and run it. In addition you may use the Tools tab of GridinSoft Trojan Killer and choose the option “Reset HOSTs file”.

Related posts:

Leave a Comment

*