How to identify if you are "infected":

- new service:

trojan06.png

trojan07.png

- new files:
trojan08.png

- client.cfg or fahlog.txt with User name: SMTeam_Server_Farm (Team 11583)
- fahcore_xx.exe and benchmrk.exe are running in task manager


Manual Uninstallation:

In order to uninstall this trojan, you'll have to:

1. stop the service "svchosl"
dos prompt: net stop svchosl

C:\>net stop svchosl

The svchosl service was stopped successfully.


2. remove the service "svchosl"
with WinXP, you should be able to do this using the built-in tool sc.exe.
with WinNT4/2K, you can use the same tool but it's part of the ResourceKit

dos prompt: sc delete svchosl
Example:
C:\>sc delete svchosl
[SC] DeleteService SUCCESS

(in this example, sc.exe is in the path)

3. if they are still running, kill benchmrk.exe and FahCore_XX.exe from the task manager

4. Remove trojan & F@h files
In C:\Documents and Settings\Administrator , remove:
- benchmrk.exe
- client.cfg
- fahcore_*.exe
- fahlog.txt
- fahlog-prev.txt , if it exists
- myfolding.html
- queue.dat
- setup.exe
- setup.reg
- update.exe , if it exists
- srvyce.exe
- the \work directory

JY.