Deadly gphone.exe virus on Vista machine.

Recently, I came across a virus on my sister’s Vista machine. Its "gphone.exe".

It is a trojan that changes the IE homepage and tries to open gtalk and yahoo messenger. It even sends messages to gtalk contacts. Not only this, it also kills cmd.exe and Task Manager as soon as they are run. This doesn’t allow us to kill the running gphone.exe. How clever! 🙂

It’s icon is just like that of folder icon and people click on it thinking of this being a folder and thus get infected by the virus.

First you must know what does gphone virus looks like. It is a 260KB exe file. The biggest problem is that it takes the name of the folder it is in!! For E.g.: If it is in a folder named "share", it will take name "share.exe" in that folder!!

On my sister’s machine, the gphone virus was on each and every folder. What a mess!

To remove this virus, we have to delete all the gphone exes present in all the folders. The easiest way to do it is:

1) go to Search ->Advanced Search.
2) Gave Name: *.exe
3) Location: Everywhere
4) Size(KB): 260 KB and then click on search.

It gives the list of all the gphone viruses present on the machine. Then select all and delete. The virus will try to run when you try to delete it as well. Just remember not to grant access to it when Vista UAC asks you.

Still there will be one instance of the virus left on the machine which you can’t delete this way because it is running. We cannot kill it from Task Manager also as Task Manager gets killed as soon as you run it. We can’t even kill it from cmd because of the same problem.

To kill it, goto run and enter command: "TaskKill /IM gphone.exe". This will kill the running process and then we can delete the last left virus. After deleting this, the virus is removed completely from the machine!!