Gphone.exe
July 22, 2009 Threat level: (6 / 10)
Gphone.exe description
Gphone.exe is a dangerous worm that blocks security applications once it is on a computer.
Gphone infects computers by tricking people into downloading the infection manually. It sends a message via instant messengers inviting contacts to click a link. Visiting the website automatically installs Gphone.exe on the victim's machine. The Gphone worm usually sends the following message to everyone on the user's contact list:
There is in the worst of fortune the best of chances for a happy change
There is only one way to happiness and that is to cease worrying about things which are beyond the power of our will
The wisest mind has something yet to learn
The wise man in the storm prays God, not for safety from danger, but for deliverance from fear
Happiness is a choice that requires effort at times
Action may not always bring happiness; but there is no happiness without action
Happiness is not a destination. It is a method of life
The best way to cheer yourself up is to try to cheer somebody else up
If you want truly to understand something, try to change it
I am a strong believer in luck and I find the harder I work the more I have of it
View my webcam (private) [LINK]
Gphone.exe usually spreads via Yahoo! Messenger and Google Talk programs.
Gphone.exe websites
rnd009.googlepages.com
New processes created
DEFAULT_NOT_SET.exe
New Folder.exe
gphone.exe
New Gphone.exe registry entries created
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\"shared" = "[ROOT FOLDER]\New Folder.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "%System%\gphone.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe gphone.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\"AtTaskMaxHours" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\"NextAtJobId" = "2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NofolderOptions" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Page_URL" = "http://rnd009.googlepages.com/google.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://rnd009.googlepages.com/google.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://rnd009.googlepages.com/google.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://rnd009.googlepages.com/google.html"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://rnd009.googlepages.com/google.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\"HomePage" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"HomePage" = "1"
New files and directories created
%Windir%\gphone.exe
%System%\gphone.exe
%System%\DEFAULT_NOT_SET.exe
C:\Documents and Settings\All Users\Desktop\gphone.exe
%Temp%\gphone.exe
%System%\gphone.exe
%DriveLetter%\New Folder.exe
%DriveLetter%\gphone.exe
[ROOT FOLDER]\New Folder.exe
[ROOT FOLDER]\gphone.exe
%DriveLetter%\autorun.inf
%Windir%\Tasks\At1.job
[ROOT FOLDER]\autorun.inf
C:\disk.txt
%System%\autorun.ini
%System%\setting.ini
%Temp%\log_[TIME AND DATE].txt
How to remove Gphone.exe
To remove Gphone.exe manually, you must block the rogue Gphone.exe-related websites, remove the malicious processes and registry entries, unregister DLLs and delete all malicious Gphone.exe files from your computer.
Please note: cleaning your computer is a difficult and dangerous task. Manually editing registry entries and removing processes and files may cause serious damage to your system. We strongly recommend scanning your computer with one of the legitimate antispyware scanners.
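Before editing anything, a machine can be checked read-only for the registry values and files listed above. The PowerShell below is an added example, not part of the original write-up; it assumes %Windir% is `$env:SystemRoot` and %System% is `$env:SystemRoot\System32`, and the `Kind` labels are names chosen for this example.

```powershell
# Added example: read-only triage for indicators listed on this page.
# Assumption: %Windir% = $env:SystemRoot and %System% = $env:SystemRoot\System32.
$hkcuPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$registryIndicators = @(
    # Persistence: strong indicators, the data names gphone.exe.
    @{ Kind = 'persistence'; Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Yahoo Messengger'; Like = '*gphone.exe*' }
    @{ Kind = 'persistence'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Like = '*gphone.exe*' }
    # Tool lockout: weak on their own, administrators can set the same policies.
    @{ Kind = 'lockout'; Key = "$hkcuPol\System"; Name = 'DisableTaskMgr'; Like = '1' }
    @{ Kind = 'lockout'; Key = "$hkcuPol\System"; Name = 'DisableRegistryTools'; Like = '1' }
    @{ Kind = 'lockout'; Key = "$hkcuPol\Explorer"; Name = 'NofolderOptions'; Like = '1' }
    # Browser hijack: Internet Explorer pages pointed at the site named on the page.
    @{ Kind = 'hijack'; Key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'; Name = 'Start Page'; Like = '*rnd009.googlepages.com*' }
    @{ Kind = 'hijack'; Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page'; Like = '*rnd009.googlepages.com*' }
)
$fileIndicators = @(
    (Join-Path $env:SystemRoot 'gphone.exe')
    (Join-Path $env:SystemRoot 'System32\gphone.exe')
    (Join-Path $env:SystemRoot 'System32\DEFAULT_NOT_SET.exe')
    (Join-Path $env:TEMP 'gphone.exe')
)

$findings = @(
    foreach ($i in $registryIndicators) {
        $key = Get-Item -LiteralPath $i.Key -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }           # key absent on this machine
        $data = $key.GetValue($i.Name)             # $null when the value is absent
        if ($null -ne $data -and "$data" -like $i.Like) {
            [pscustomobject]@{ Kind = $i.Kind; Location = "$($i.Key)\$($i.Name)"; Data = "$data" }
        }
    }
    foreach ($path in $fileIndicators) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            [pscustomobject]@{ Kind = 'file'; Location = $path; Data = '' }
        }
    }
)

if ($findings.Count -eq 0) {
    'No Gphone.exe indicators from this page were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in the affected user's session, because the HKCU values are per-user. A `lockout` hit with no `persistence` or `file` hit should be checked against local policy before it is treated as an infection.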
