Trojan.Sofacy.C is a Trojan that steals information from the computers that it infects and downloads malicious files. It creates the following files on infected systems:
- %Temp%\nvsdata.dat
- %Temp%\nvgdata.dat
- %System%\netui.dll
In addition to creating these files, it also creates the following registry entries:
- HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ “id” = “[BINARY DATA]”
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer\”id” = “[BINARY DATA]”
- HKEY_CLASSES_ROOT\CLSID\ {61113868-6B5D-4195-8966-B26462B909FA}\ InProcServer32\ “[DEFAULT]” = “%System%\ netui.dll”
- HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\ Windows\ CurrentVersion\ Explorer\ SharedTaskScheduler\ “{61113868-6B5D-4195-8966-B26462B909FA}” = “Network User Interface”
Finding these files and these registry settings is an indication that you are infected with this Trojan. Before removing the infection, backup your registry following the steps here.
Then, remove the infection as follows:
- Press [Windows Key] + [R], type REGEDIT and click OK.
- Navigate to the registry key: HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorerr
- Delete the registry entry: “id” = “[BINARY DATA]”
- Navigate to the registry key: HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer
- Delete the registry entry: “id” = “[BINARY DATA]”
- Navigate to the registry key: HKEY_CLASSES_ROOT\CLSID\ {61113868-6B5D-4195-8966-B26462B909FA}\ InProcServer32
- Delete the registry entry: “[DEFAULT]” = “%System%\ netui.dll”
- Navigate to the registry key: HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer\ SharedTaskScheduler
- Delete the registry entry: “{61113868-6B5D-4195-8966-B26462B909FA}” = “Network User Interface”
- Close the Registry Editor and re-boot your PC.