Danger level 6
Type: Trojans
Common infection symptoms:
  • Blocks internet connection
  • Connects to the internet without permission
  • Installs itself without permissions
  • Slow Computer
  • Slow internet connection

PWSteal.Sacanph.A

PWSteal.Sacanph.A is a harmful Trojan that enters the system covertly and performs all of its actions in the background, avoiding detection by the user or any installed security software. This Trojan is also known as TROJ_SPNR.07FC11. It was first released on July 10, 2011 and is classified as a severe threat. PWSteal.Sacanph.A is known to steal URL history and other sensitive information from the user’s applications. It also modifies the Hosts file to prevent the user from accessing the Internet.

This Trojan can enter the system in a variety of ways. The most popular method of infiltration seems to be through bundled third-party downloads. PWSteal.Sacanph.A can bundle itself with other seemingly legitimate software applications and security updates, and in this way avoid detection by security applications. It is also spread through suspect email attachments and through instant messaging applications.

Because it infiltrates stealthily, the user will be unaware of PWSteal.Sacanph.A. It does not have any tangible symptoms, but the following file indicates that PWSteal.Sacanph.A is on the system:

%AppData%\wintemp\csrss.exe

PWSteal.Sacanph.A will also add the following lines to your Hosts file in an effort to block you from accessing the Internet, while still allowing itself access to the Internet:

127.0.0.1 www.virustotal.com
127.0.0.1 http://virusscan.jotti.org/de
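
A check for the Hosts-file change described above, as an added example that is not part of the original page: it scans Hosts-file text for entries that point the two listed scanning sites at a loopback or unspecified address, including the entry written as a URL. The function names and the sample file are constructed for illustration; the watched domains come from the two entries above.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains taken from the two Hosts entries listed on this page.
WATCHED = ("virustotal.com", "jotti.org")

def normalize(name):
    """Reduce a Hosts-file name (or a URL written in its place) to a bare host."""
    if "://" in name:
        name = urlsplit(name).hostname or ""
    return name.split("/")[0].rstrip(".").lower()

def is_sinkhole(addr):
    """True for loopback or unspecified addresses (127.0.0.0/8, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_redirects(hosts_text, watched=WATCHED):
    """Return (line_no, address, raw_name) for watched hosts pointed at a sinkhole."""
    hits = []
    for line_no, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2 or not is_sinkhole(fields[0]):
            continue
        for raw in fields[1:]:
            host = normalize(raw)
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.append((line_no, fields[0], raw))
    return hits

# Constructed sample: a small Hosts file plus the two entries from this page.
SAMPLE = """\
# constructed sample Hosts file
127.0.0.1       localhost
# 127.0.0.1 www.virustotal.com
127.0.0.1 www.virustotal.com
127.0.0.1 http://virusscan.jotti.org/de
192.0.2.10 intranet.example
"""

if __name__ == "__main__":
    for hit in find_redirects(SAMPLE):
        print("line %d: %s -> %s" % hit)
```

On a live system the text to scan is the content of %SystemRoot%\System32\drivers\etc\hosts.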

Some of the applications from which PWSteal.Sacanph.A steals information, which it then relays to its developers, are:

COREFTP
Emule
FileZilla
ICQ
Miranda
SmartFTP
Trillian
Windows Live Messenger

The Trojan will connect to a remote server to relay all the stolen information to its developers, and to receive further instructions. The remote server it will connect to is as follows:

blaaaaaaaah.1x.de via port 80

Because this Trojan is so difficult to detect and remove, the user should make use of a proper security tool to get rid of PWSteal.Sacanph.A permanently. This will guarantee that all traces of PWSteal.Sacanph.A are deleted, and it will also protect the user from similar attacks in the future.


How to manually remove PWSteal.Sacanph.A

Files associated with PWSteal.Sacanph.A infection:

Update.exe
KBDAZ2.dll
icoidrap.dll
acdlsd.dll
wredbdt.dll
aadrive32.exe
DBREnxs.dll
scanquery.dll
rereflsy.dll
questscan149.exe
AdVantage.exe
vsbntlo.exe
systemupdate.exe
sccsccp32.exe
questscan146.exe
msvbvm6032.dll
lsass.exe
loader.exe
howcodecsrv.exe
hdupdater.exe
cr3.exe
078.dll
winupdate.exe
syitm.exe
kfb0.dll
FileName.exe

PWSteal.Sacanph.A DLLs to remove:

KBDAZ2.dll
icoidrap.dll
acdlsd.dll
wredbdt.dll
DBREnxs.dll
scanquery.dll
rereflsy.dll
msvbvm6032.dll
078.dll
kfb0.dll

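PWSteal.Sacanph.A processes to kill (lsass.exe shares its name with a legitimate Windows system process in %SystemRoot%\System32, so confirm the file path of a process before ending it):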

Update.exe
aadrive32.exe
questscan149.exe
AdVantage.exe
vsbntlo.exe
systemupdate.exe
sccsccp32.exe
questscan146.exe
lsass.exe
loader.exe
howcodecsrv.exe
hdupdater.exe
cr3.exe
winupdate.exe
syitm.exe
FileName.exe

Comments

  1. Remove PWSteal.Sacanph.A Jul 19, 2011

    I am very happy to get this antivirus because it has removed virus in my

  2. Craig Jul 19, 2011

    Thank you VERY much for this guide! Excellent job! It helped me prevent this
