Chthonic Banking Trojan

Also Known As: Chthonic virus
Type: Trojan
Distribution: Low
Damage level: Severe

Chthonic virus removal guide

What is Chthonic?

Chthonic is a Trojan-type program that gets installed through emails sent from hijacked/stolen PayPal accounts. They lead to a fake Google Chrome update file that is promoted on hijacked website. Its visitors are informed that their Chrome browser is outdated and needs to be updated by clicking the "Update Chrome" button which leads to download of a malicious file that is used to install the Chthonic banking trojan.

Chthonic malware

Cyber criminals use legitimate (most likely stolen) PayPal accounts, they send emails that are presented as money requests. These emails contain some message and a website link that supposed to lead to some page regarding this "money request" matter. However, it opens a legitimate, yet hijacked website which suggests that its visitor's Google Chrome browser is outdated and encourages to update it by downloading the update downloader/installer. The downloaded file has nothing to do with Chrome updates. This website downloads JavaScript file that, once opened, eventually downloads and installs Chthonic banking trojan. Additionally, the same script installs the AZORult malware as well, which is also a trojan-type program. Chthonic's main purpose is to collect (steal) bank account details such as passwords and logins. It is capable of hijacking banking and other payments-related websites and to save entered information (logins, passwords) on some remote server. Generally speaking, this is a trojan designed to generate revenue for cyber criminals by stealing various accounts. Cyber criminals could use stolen data to make transactions, purchases and so on. Having a computer infected with a trojan of this kind could lead to financial loss. AZORult is also categorized as trojan, it is designed to steal various personal information. It is capable of hijacking browsers and recording entered data such as browsing history, logins, passwords, cookies and so on. As with Chthonic, cyber criminals use it to generate revenue by misusing stolen information. Newer versions of this malicious programs are capable of taking screenshots, recording data from various messengers like Skype, Jabber and so on. Having both of these high-risk trojans could cause serious privacy, browsing safety problems, financial loss and other problems. We recommend to uninstall these or any other installed trojans immediately.

Threat Summary:
Name Chthonic virus
Threat Type Trojan, Password stealing virus, Banking malware, Spyware
Detections Avira (HEUR/Suspar.Gen), F-Secure (Heuristic.HEUR/Suspar.Gen), TrendMicro (HEUR_JSRANSOM.O2), Full List (VirusTotal)
Malicious Process Name(s) Microsoft ® Windows Based Script Host (generic name of Windows Script Host process name)
Symptoms Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage Stolen banking information, passwords, identity theft, victim's computer added to a botnet.

To eliminate Chthonic virus our malware researchers recommend scanning your computer with Spyhunter.
▼ Download Spyhunter
Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Other examples of Trojan-type programs are Emotet, LokiBot, and Adwind. However, there are many others. Most of these programs are designed to steal sensitive data. However, some of these computer infections could be designed to spread other viruses like ransomware. Having programs of this type installed usually leads not only to financial but to data loss as well.

How did Chthonic infiltrate my computer?

Chthonic is proliferated through spam campaign that is sent using PayPal account and presented as money request. Like many spam campaigns of this type, it contains a website link that leads to a malicious file. Once downloaded and opened, it causes the download and installation of the particular Trojan. In this case the JavaScript file installs two Trojans at once, Chthonic and AZORult. It is very common for cyber criminals to spread viruses through spam campaigns. As a rule, they send emails that contain either malicious attachments or website links that lead to some infected files.

How to avoid installation of malware?

In order to prevent a computer from being infected with Trojans or other malicious programs, it is important to browse the Internet, download, install and update software with care. Do not open attachments or web links that are included in emails received from unknown or suspicious addresses, or/and these emails are irrelevant. It is important to keep installed software updated, however, it should be done using implemented, official tools that are provided by official software developers only. Additionally, all software should be downloaded using official websites and direct download links. It is not recommended to use various third party downloaders (or installers), Peer-to-Peer networks, unofficial/questionable pages and other similar sources. Same applies to various software 'cracking' tools, these tools should not be trusted. Their usage is a cyber crime and programs of this type often download and install viruses instead but do not activate software as expected. Moreover, have a reputable anti-virus or anti-spyware software installed and keep it enabled at all times. Tools of this type usually detect and remove various infections before they can do any damage. If you believe that your computer is already infected, we recommend running a scan with Spyhunter for Windows to automatically eliminate infiltrated malware.

Hijacked website that is used to soread Chthonic banking trojan by presenting it as Google Chrome update:

hijacker webbsite distributing Chthonic

Screenshot of a fake Google Chrome update archive identified as a malicious file:

fake google chrome update file identified as virus

Instant automatic removal of Chthonic virus: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of Chthonic virus. Download it by clicking the button below:
▼ DOWNLOAD Spyhunter By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Quick menu:

How to remove malware manually?

Manual malware removal is a complicated task, usually it's better to let antivirus or anti-malware programs do it automatically. To remove this malware we recommend using  Spyhunter for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here's an example of a suspicious program running on user's computer:

malicious process running on user's computer sample

If you checked the list of programs running on your computer, for example using task manager and identified a program that looks suspicious you should continue with these steps:

manual malware removal step 1 Download a program called Autoruns. This program shows auto-start applications, Registry and file system locations:

screenshot of autoruns application

manual malware removal step 2Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

windows 10 safe mode with networking

Video showing how to start Windows 10 in "Safe Mode with Networking":


manual malware removal step 3Extract the downloaded archive and run Autoruns.exe file.

extract and run autoruns.exe

manual malware removal step 4In the Autoruns application click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure click the "Refresh" icon.

Click 'Options' at the top and uncheck 'Hide Empty Locations' and 'Hide Windows Entries' options

manual malware removal step 5Check the list provided by Autoruns application and locate the malware file that you want to eliminate.

You should write down it full path and name. Note that some malware hides their process names under legitimate Windows process names. At this stage it's very important to avoid removing system files. After you locate he suspicious program you want to remove right click your mouse over it's name and choose "Delete"

locate the malware file you want to remove

After removing the malware through Autoruns application (this ensures that the malware won't run automatically on the next system startup) you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the file of the malware be sure to remove it.

searching for malware file on your computer

Reboot your computer in normal mode. Following these steps should help remove any malware from your computer. Note that manual threat removal requires advanced computer skills, it's recommended to leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always it's better to avoid getting infected that try to remove malware afterwards. To keep your computer safe be sure to install latest operating system updates and use antivirus software.

To be sure your computer is free of malware infections we recommend scanning it with Spyhunter for Windows.