In the blog entry MS Needs Your Credit Card Details?, we detailed the behavior of the Kardphisher Trojan, which "attempts to steal credit card numbers by tricking the user into entering their credit card details to activate Windows." This entry explains how to remove the Trojan.
Removal instructions
1. Reboot the infected machine. You can do that by simply clicking the "No" and "Next" buttons, or by doing a good old-fashioned hard reboot.
2. While Windows is starting, press the F8 function key to enter Safe Mode.
3. Click Start > Run.
4. Type regedit
5. Click OK.
6. Navigate to and delete these entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soft2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (if it exists)
7. Exit the Registry Editor.
Alternatively, you can input FAKE credit card details and private information like this:
Email: abc@localhost
Phone number: 0123
Name on card: abc
Credit card number: 0123456789012345
ATM PIN: 0123
Expiry date: January 2007
CVV2 code: 0123
After this, Trojan.Kardphisher removes itself and re-enables Task Manager.
Now, open regedit, navigate to this registry entry, and delete it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soft2
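Both removal paths above end with the same manual registry cleanup. The following PowerShell script is an added example (not from the original post and not a vendor tool) that audits and, on request, removes exactly the two entries the instructions name: the soft2 autorun entry and the DisableTaskMgr policy. It assumes both are stored as registry values under the listed keys (which is how Run entries and this policy are normally held) and that it is run from an elevated prompt on the cleaned-up machine; the -WhatIf switch lets you preview what it would remove before changing anything.

```powershell
# Added example (not from the original post): audit and optionally remove the
# Kardphisher persistence entries named in the removal instructions.
# Run from an elevated PowerShell prompt; use -WhatIf first to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# The two entries the post tells you to delete. Assumed to be registry values
# (a Run entry's data is the path of the program launched at logon;
# DisableTaskMgr=1 is what hides Task Manager from the user).
$targets = @(
    @{ Key = $runKey;    Name = 'soft2' },
    @{ Key = $policyKey; Name = 'DisableTaskMgr' }
)

foreach ($t in $targets) {
    $path = "$($t.Key)\$($t.Name)"
    $item = Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Host "Not present: $path"
        continue
    }

    # Record what the entry points to before removing it, so the artifact
    # (e.g. the path of the dropped executable) is preserved for follow-up.
    Write-Host "Found: $path = $($item.($t.Name))"

    if ($PSCmdlet.ShouldProcess($path, 'Remove registry value')) {
        Remove-ItemProperty -Path $t.Key -Name $t.Name
        Write-Host "Removed: $path"
    }
}
```

Run it once with -WhatIf to confirm only the expected entries are reported, then without it to remove them; the data recorded for soft2 tells you which file the Trojan was launching, which is worth checking has also been deleted from disk.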