Ticno Trojan - How to remove

December 21, 2016 By Giedrius Majauskas

The Ticno trojan has recently been detected by the Russian cyber security company Dr.Web as Trojan.Ticno.1537. Although this trojan is distributed in the same manner as simple malicious programs such as adware or browser hijackers, that is, by free software bundling, it has elaborate anti-detection mechanisms. It scans the targeted system for information that lets it decide whether the system is a real computer or an artificially modeled system developed specifically for malware analysis. It goes without saying that Ticno malware will abort all the processes if it detects that the system is fake.

Coming to Know the Ticno Trojan

Ticno malware has been programmed to scan the system for these processes: irise.exe, IrisSvc.exe, wireshark.exe, ZxSniffer.exe, Regshot.exe, ollydbg.exe, PEBrowseDbg.exe, Syser.exe, VBoxService.exe, VBoxTray.exe, SandboxieRpcSs.exe, SandboxieDcomLaunch.exe, windbg.exe, ollydbg.exe, vmtools.exe

The Ticno trojan searches for the following registry keys as well:

HKCU\Software\CommView
HKLM\SYSTEM\CurrentControlSet\Services\IRIS5
HKCU\Software\eEye Digital Security
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
hklm\SOFTWARE\ZxSniffer
HKCU\Software\Win Sniffer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
HKCU\Software\Syser Soft
hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
HKCU\Software\Classes\Folder\shell\sandbox
HKCU\Software\Classes\*\shell\sandbox

If more than three of the processes and registry entries listed above are found, the Ticno virus aborts its installation on the system, since the system may be an artificial one.
On the other hand, if fewer than three of the processes and registry keys have been detected, the trojan starts its download procedure on the pre-checked system.

As we have already clarified, Ticno malware travels bundled with freeware. When the infected piece of software is being set up on the system, the following dialog box pops up. As you can see, the pop-up window offers to save a ZIP file named 1.zip to the Desktop. This may seem strange even to a user who is not very keen on technology, engineering, programming or, specifically, cyber security. Unfortunately, many such users, even if somewhat disturbed, click the Save button, completely unaware of a virus infiltration.

However, if you have been reading our posts, you should know by heart by now that the supplemental documentation of an installation contains valuable information that is worth looking through. The same applies to this malicious installation offer. At the bottom left of the pop-up there is a link in Russian which, when clicked, displays another pop-up. You are presented with an entire list of unwanted installs that take place during the installation of the program. As you can see, all of them are pre-ticked. Nevertheless, the tick boxes are active and the user can make selections.

The first in the list is the [email protected] application, developed by Mail.ru. Indeed, it is a legitimate program and would not fall into the bucket of PUPs (Potentially Unwanted Programs). The second app in the list is also legitimate software, namely the Amigo browser. However, the rest of the list contains mostly ad-supported software, detected as Trojan.ChromePatch.1, Trojan.Ticno.1548, Trojan.BPlug.1590, Trojan.Triosir.718, Trojan.Clickmein.1 and Adware.Plugin.1400 by the security software of Dr.Web. These are mainly malicious Google Chrome web browser extensions or fake malicious software compatible with Windows OS.
If, however, the link has been overlooked and the Save button has been clicked, the Save As dialog window turns into a downloader of the Ticno trojan. As you can observe, the screen does not reveal what file is being downloaded to the system. So, again, unsuspecting users may simply wait for the process to finish, whereas it is advisable to click the Cancel button to stop the installation process.

If you have failed to cancel the download of the trojan, try running Spyhunter or Malwarebytes to remove the Ticno malware, which is responsible for downloading the malicious programs listed above, which, for the most part, deal with the display of advertising scams.
Manual removal

Processes: irise.exe, IrisSvc.exe, wireshark.exe, ZxSniffer.exe, Regshot.exe, ollydbg.exe, PEBrowseDbg.exe, Syser.exe, VBoxService.exe, VBoxTray.exe, SandboxieRpcSs.exe, SandboxieDcomLaunch.exe, windbg.exe, ollydbg.exe, vmtools.exe

Registry keys:

HKCU\Software\CommView
HKLM\SYSTEM\CurrentControlSet\Services\IRIS5
HKCU\Software\eEye Digital Security
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
hklm\SOFTWARE\ZxSniffer
HKCU\Software\Win Sniffer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32
HKCU\Software\Syser Soft
hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie
HKCU\Software\Classes\Folder\shell\sandbox
HKCU\Software\Classes\*\shell\sandbox

Ticno Trojan facts

Type: Trojan
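The environment check described under "Coming to Know the Ticno Trojan" is itself a detection signal: an installer has no reason to look up a dozen unrelated analysis-tool registry keys. The following added example (not part of the original article or of Dr.Web's analysis) flags any process that probes at least four distinct keys from the article's list in a Process Monitor style CSV export; it covers the registry keys only, and the sample log, the process name setup_bundle.exe and the MIN_DISTINCT threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Registry keys the article lists as probed by Ticno, lower-cased for matching.
PROBED_KEYS = [k.lower() for k in (
    r"HKCU\Software\CommView",
    r"HKLM\SYSTEM\CurrentControlSet\Services\IRIS5",
    r"HKCU\Software\eEye Digital Security",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark",
    r"HKLM\SOFTWARE\ZxSniffer",
    r"HKCU\Software\Win Sniffer",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\APIS32",
    r"HKCU\Software\Syser Soft",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions",
    r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sandboxie",
    r"HKCU\Software\Classes\Folder\shell\sandbox",
    r"HKCU\Software\Classes\*\shell\sandbox",
)]
MIN_DISTINCT = 4  # assumption: "more than three" probes, mirroring the article's threshold

# Constructed sample in Process Monitor CSV column order (not real telemetry).
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"10:01:02","setup_bundle.exe","4312","RegOpenKey","HKCU\Software\CommView","NAME NOT FOUND"
"10:01:02","setup_bundle.exe","4312","RegOpenKey","HKLM\SOFTWARE\ZxSniffer","NAME NOT FOUND"
"10:01:02","setup_bundle.exe","4312","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest","SUCCESS"
"10:01:03","setup_bundle.exe","4312","RegOpenKey","HKCU\Software\Syser Soft","NAME NOT FOUND"
"10:01:03","setup_bundle.exe","4312","RegOpenKey","HKCU\Software\Classes\Folder\shell\sandbox","NAME NOT FOUND"
"10:01:05","VBoxTray.exe","1180","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest\Parameters","SUCCESS"
"10:01:06","explorer.exe","2044","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS"
'''

def find_env_probing(log_text, min_distinct=MIN_DISTINCT):
    """Return {(process, pid): sorted probed keys} for processes at or over the threshold."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if not row["Operation"].startswith("Reg"):
            continue
        path = row["Path"].lower()
        for key in PROBED_KEYS:
            # Failed lookups count too: the probe itself is the signal.
            if path == key or path.startswith(key + "\\"):
                seen[(row["Process Name"], row["PID"])].add(key)
    return {p: sorted(k) for p, k in seen.items() if len(k) >= min_distinct}

if __name__ == "__main__":
    for (name, pid), keys in find_env_probing(SAMPLE_LOG).items():
        print(f"{name} (PID {pid}) probed {len(keys)} analysis-tool keys")
```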