How to Remove Trojan from the Agent Console Windows Desktop App v10.0.8

This incident is limited to users who ran the Comm100 Agent Console Windows Desktop App version 10.0.8 between 11 PM PT, Sep 27th, 2022 and 8 AM PT, Sep 29th, 2022.

The Trojan dropped by this incident leaves the following footprints (folders) under C:\ProgramData on the affected Windows system:

  • C:\ProgramData\Cisco Core\
  • C:\ProgramData\FAOS
  • C:\ProgramData\KSW
  • C:\ProgramData\USOShared\Logs\Local
  • C:\ProgramData\WebFrameWork
  • C:\ProgramData\MicrosoftFrameWork

The C:\ProgramData\Cisco Core\ folder includes the following files:

  • CoreConnect.exe
  • CoreVPN.exe
  • MidlrtMd.dll
  • License

The C:\ProgramData\FAOS folder includes the following files:

  • FAOS.exe
  • FFAOS.exe
  • MidlrtMd.dll
  • Local.log

The C:\ProgramData\KSW folder includes the following files and folder:

  • Marge.exe 
  • Kdump64.dll 
  • Html.xml 
  • Log folder 

The C:\ProgramData\USOShared\Logs\Local folder includes the following files: 

  • Local.log 
  • Locallog.exe 
  • MidlrtMd.dll 

The C:\ProgramData\WebFrameWork folder includes the following files: 

  • Copyright.txt 
  • MidlrtMd.dll 
  • WebAccess.exe 

The C:\ProgramData\MicrosoftFrameWork folder includes the following files: 

  • Log.bsh 
  • MidlrtMd.dll 
  • MicrosoftFrameWork.exe


Steps to Remove Trojan

To remove the Trojan from a system running the Comm100 Agent Console Windows Desktop App version 10.0.8, follow these steps:

  1. Upgrade the Comm100 Agent Console Windows Desktop App to the latest version (10.0.9). If the app has not updated itself, download and install the latest version (10.0.9) from https://dash11.comm100.io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe.
    Note: You can confirm that version 10.0.9 is installed from Windows Control Panel\Programs\Programs and Features.
  2. The Trojan spawns a hidden notepad.exe process in the background. Close any Notepad windows you opened yourself, then open Task Manager > Details and look for notepad.exe processes that are still running. Right-click each remaining notepad.exe process and choose End task.
  3. Check whether any of these folders exist on your system and delete them:
    • C:\ProgramData\Cisco Core\
    • C:\ProgramData\FAOS
    • C:\ProgramData\KSW
    • C:\ProgramData\USOShared\Logs\Local
    • C:\ProgramData\WebFrameWork
    • C:\ProgramData\MicrosoftFrameWork
  4. The Trojan may have altered the Windows registry to add a logon-script entry at HKEY_CURRENT_USER\Environment\UserInitMprLogonScript. Windows runs the command stored in this value every time the user signs in, so it relaunches the Trojan after a reboot. Check whether this registry value exists:
    1. Check the value of the entry. If it points to a file outside the folders listed in Step #3, delete the folder it points to as well.
    2. Then delete the registry value.
  5. Perform a full scan of your Windows system using the built-in Windows Defender or other third-party antivirus software. Remove any Trojan or threat that is found.
  6. Restart Windows.
  7. Go to Task Manager > Details again and confirm that no notepad.exe process is running in the background.
  8. Perform a second full scan of your Windows system using the built-in Windows Defender or other third-party antivirus software. Remove any Trojan or threat that is found.
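The steps above can be checked in one pass from PowerShell. The following script is an added example for this page, not a Comm100 tool: it reports the installed app version, the background notepad.exe processes, the dropped folders (with SHA256 hashes recorded before deletion so the evidence survives), and the UserInitMprLogonScript value, and it only deletes anything when run with -Remove. It assumes the app registers itself in Programs and Features with a display name containing "Comm100"; adjust the filter if your install is named differently. Because the registry entry is under HKEY_CURRENT_USER, run the script as the affected user (an elevated prompt opened as a different administrator account would inspect that account's HKCU instead).

```powershell
# Added example (not Comm100's own tooling): audit a host for the footprints
# listed in this advisory and, with -Remove, clean them. Run as the affected user.
param(
    [switch]$Remove
)

# Folders and the logon-script registry value named in the advisory.
$IocFolders = @(
    'C:\ProgramData\Cisco Core',
    'C:\ProgramData\FAOS',
    'C:\ProgramData\KSW',
    'C:\ProgramData\USOShared\Logs\Local',
    'C:\ProgramData\WebFrameWork',
    'C:\ProgramData\MicrosoftFrameWork'
)
$LogonScriptKey  = 'HKCU:\Environment'
$LogonScriptName = 'UserInitMprLogonScript'

# Step 1: installed version. The '*Comm100*' display-name filter is an assumption.
$uninstallKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Comm100*' }
if ($apps) {
    foreach ($a in $apps) {
        $status = if ($a.DisplayVersion -eq '10.0.8') { 'AFFECTED - upgrade to 10.0.9' } else { 'ok' }
        Write-Output ("Installed: {0} {1} ({2})" -f $a.DisplayName, $a.DisplayVersion, $status)
    }
} else {
    Write-Output 'Comm100 Agent Console not found in Programs and Features.'
}

# Step 2: background notepad.exe instances spawned by the Trojan.
foreach ($p in (Get-Process -Name notepad -ErrorAction SilentlyContinue)) {
    Write-Output ("notepad.exe PID {0} started {1}" -f $p.Id, $p.StartTime)
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Step 3: dropped folders. Hash every file before deleting for the incident record.
foreach ($folder in $IocFolders) {
    if (Test-Path -LiteralPath $folder) {
        Write-Output "FOUND: $folder"
        Get-ChildItem -LiteralPath $folder -File -Recurse -ErrorAction SilentlyContinue |
            Get-FileHash -Algorithm SHA256 |
            ForEach-Object { Write-Output ("  {0}  {1}" -f $_.Hash, $_.Path) }
        if ($Remove) { Remove-Item -LiteralPath $folder -Recurse -Force }
    }
}

# Step 4: logon-script persistence. Windows runs this value at every logon of the
# current user, so also flag the folder it points to if it is not in the list above.
$value = (Get-ItemProperty -Path $LogonScriptKey -Name $LogonScriptName -ErrorAction SilentlyContinue).$LogonScriptName
if ($value) {
    Write-Output "FOUND: $LogonScriptKey\$LogonScriptName = $value"
    # Extract the executable path: a quoted path may contain spaces, an unquoted one ends at the first space.
    $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+', 2)[0] }
    $dir = Split-Path -Path $exe -Parent -ErrorAction SilentlyContinue
    $known = $IocFolders | Where-Object { $dir -and ($dir.TrimEnd('\') -like "$($_)*") }
    if ($dir -and -not $known) {
        Write-Output "  Points outside the listed folders; review and delete: $dir"
        if ($Remove -and (Test-Path -LiteralPath $dir)) { Remove-Item -LiteralPath $dir -Recurse -Force }
    }
    if ($Remove) { Remove-ItemProperty -Path $LogonScriptKey -Name $LogonScriptName }
}

# Step 5: full Defender scan (only when cleaning; a full scan takes a long time).
if ($Remove) { Start-MpScan -ScanType FullScan }
```

Run it once without -Remove to see what is present, keep the hash listing with your incident notes, then run it again with -Remove, reboot, and repeat the report-only run to confirm that no notepad.exe process, folder or registry value has returned (steps 6 to 8 above).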