[Route of Infection]

Trojan.Win32.PSWIGames.58880.E does not spread out as itself, and it is downloaded/installed from hacked site or other install programs such as spyware, adware, dropper, and etc.

[Symptom of Infection]

1. Trojan.Win32.PSWIGames.58880.E is a *.hlp file, and the windf.hlp file is an additional file for performing many malicious behaviors. 

2. After loading the malicious code to memory, user can check the below strings from memory.

3. By hooking system functions, this malicious code does monitor running game processes and leak the personal information.

4. It collects user account, password and OTP numbers.

5. It creates its process and injects a certain malicious module to Explorer and Internet Explorer. Whenever IE is executed, this malicious code is also executed and steals user's online game account.

[How to repair]

1. If you are WinXP/ME users, please be inactivate System Recovery Function.
The reason why being inactivate of the system recovery is to clean the virus completely.
You can refer to MS technical documents(Q263455) for more details.

2. Update the engine module for the latest one.
To repair this virus, you need to update the engine for the latest one.

a. ViRobot products users
     -Download the latest engine files via our website (www.hauri.net)

b. Non-ViRobot products users
     - Use the LiveCall (Free Scan) via the website (http://www.livecall.co.kr)
     - Use the trial version of ViRobot products (30days only)

3. How to scan the virus.

a. Run your ViRobot, and choose "all files" in scan option.
  
- ViRobot Desktop 5.0 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files
- ViRobot Desktop 5.5 : [Tools] -> [Configuration] -> [Virus Scan] : Check all files
- LiveCall (Free Scan) : [Advanced Scan] : Check

b. Repair all viruses detected.

c. If [Auto-repair after rebooting] message shows up, please try to re-scan after rebooting the PC.