It is a Trojan horse that attempts to steal user names and passwords for certain Internet banking sites, by capturing screenshots and logging keystrokes.
Monitors the URL field in Internet Explorer for the following strings:
e-gold; bank; hsbc; halifax; barclays; openplan; lloyds; abbey; cahoot; nationwide; nwolb; natwest; nationet; woolwich
- Stores keystrokes and the content of the clipboard in the file, %System%\Usert\<10digits>_<8digits>.txt, where the digits are derived from the system time.
- Stores screenshots in the file, %System%\Usert\<10digits>_<8digits>.bmp, where these digits are derived from the system time.
- Using %System%\Winrr.exe, which it previously created, the Trojan creates the RAR file, %System%\Usert, which contains the keystrokes and screeenshots.
- Attempts to send the RAR file to a remote Web server.
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Default System Research" = "%Windir%\vhchost.exe"
Or use antivirus (also check How To Remove section)Startup Optimizer to automatically remove it from startup.