Tofsee Trojan

Also Known As: Tofsee malware
Type: Trojan
Distribution: Low
Damage level: Severe

Tofsee virus removal guide

What is Tofsee?

Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various credentials, updating itself and more. Cyber criminals mainly use it as a email-oriented tool (they target user's email accounts), however, having Tofsee installed can lead to a lot of various other problems as well.

Tofsee malware

Cyber criminals use this program to hijack (steal) email accounts, they use them to spread various spam campaigns that may contain malicious attachments, change contents of received emails (but leave original "From" and "To" headers, timestamps, subject etc.), steal email addresses from user's inbox and so on. Tofsee can be used to hijack e-mail client software (i.e. Microsoft Outlook) as well. Note that by having access to user's email accounts cyber criminals could get access to other accounts as well. It concerns users who are using the same passwords or/and emails for several accounts. Besides, password recovery service could be used for the same purpose too. Unfortunately, there are many other things that can be done with this malicious program. Tofsee is capable of using the hijacked system for DDoS attacks, stealing POP3 credentials and FTP, downloading and installing malicious services (opening backdoors for other threats), removing other malware that is already installed to prevent interference, communicating with a Command & Control (C&C) server. Also, it can block access to certain IP addresses. It may be used to prevent users from accessing cyber security websites and other web pages. Additionally, it is capable of installing cryptocurrency mining software. It means that user's computer could be used for mining purposes. That would cause higher electricity bills and decreased computer's performance, or even overheat of hardware. Moreover, Tofsee is capable of updating and spreading itself via Twitter, Facebook, Skype and/or USB drives. It spreads itself through Facebook by using cookies and sending malicious attachments/links leading to them to a number of user's Facebook friends. To spread itself through Twitter it uses cookies as well, then can download a list of followers and send them private messages with malicious links. To spread itself through Skype it simply sends malicious messages to user's contacts. It can also place a malicious executable into the USB drive and replace its AutoRun file, which means it can make infected USB drive to run a malicious executable every time that USB drive is opened.

Threat Summary:
Name Tofsee malware
Threat Type Trojan, Password stealing virus, Banking malware, Spyware, Remote access trojan
Detection Names (zgttwhzu.exe_)
Avast (Win32:BankerX-gen [Trj]), AVG (Win32:BankerX-gen [Trj]), BitDefender (Gen:Variant.Ulise.34872), ESET-NOD32 (a variant of Win32/Kryptik.GRUQ), Kaspersky (), Full List (VirusTotal)
Malicious Process Name(s) The analyzed sample ran a process with a blank name.
Symptoms Trojans are designed to stealthily infiltrate victim's computer and remain silent thus no particular symptoms are clearly visible on an infected machine.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, software cracks.
Damage Stolen banking information, passwords, identity theft, victim's computer added to a botnet, additional system infections.

To eliminate Tofsee malware our malware researchers recommend scanning your computer with Spyhunter.
▼ Download Spyhunter
Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Tofsee is a powerful malicious program that can cause a lot of damage, including financial loss and computer infections. One way or another, cyber criminals use it to generate as much revenue as possible. Besides, it is very likely that by having it installed users will unintentionally cause problems to other people too. The Internet is full of various Trojan-type malicious programs, here are some other examples: Emotet, Adwind, Pony and Trickbot. Quite often main purpose of these programs is to steal personal data and cause additional computer infections.

How did Tofsee infiltrate my computer?

Typically, cyber criminals spread malicious programs using spam campaigns, Trojans, fake software updaters, software cracking tools and untrustworthy software download sources. They use spam campaigns by sending emails that contain infected attachments or links that lead to them. These attachments usually are Microsoft Office or PDF documents, executables (.exe) files, archives (like ZIP, RAR and so on), JavaScript files and so on. In order to infect systems, these attachments must be opened. When opened, they download and install malicious programs. Another way to spread malware is through Trojans - malicious programs that are designed to cause chain infections. However, to cause any damage they must be installed first. Fake software updaters spread computer infections by downloading and installing them instead of updates (fixes and so on), or by exploiting outdated software's bugs, flaws. People use software cracking tools bypass activations of software that is licensed (not free). However, these tools can be used by cyber criminals and designed to install malware instead of activating installed software or operating system. Untrustworthy software download sources such as freeware download websites, free file hosting websites, Peer-to-Peer networks (i.e. torrent clients, eMule), various third party downloaders can be used by cyber criminals as well. They use them to present malicious software/files as legitimate and harmless. In other words, they use sources of this kind to trick people into downloading and installing malicious programs by themselves.

How to avoid installation of malware?

Attachments or links that are presented in emails received from unknown, suspicious addresses should not be opened. Besides, they usually are included in irrelevant emails, therefore, presented as official and important. Emails of this type should be ignored. We also recommend to download software using official, trustworthy sources/websites (and direct download links) over any of the other sources that we mentioned above. Update software or operating system using tools or implemented functions that are provided by official developers only. Do not use software cracking tools to activate installed programs. They are illegal (their usage is considered as cyber crime) and often infect computers. Have a reputable anti-spyware or anti-virus software installed (and enabled), these tools can effectively prevent computers fro being infected with various viruses. If you believe that your computer is already infected, we recommend running a scan with Spyhunter for Windows to automatically eliminate infiltrated malware.

Screenshot of the Tofsee using CPU's resources:

Tofsee using CPU resources

Instant automatic removal of Tofsee malware: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of Tofsee malware. Download it by clicking the button below:
▼ DOWNLOAD Spyhunter By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Quick menu:

How to remove malware manually?

Manual malware removal is a complicated task, usually it's better to let antivirus or anti-malware programs do it automatically. To remove this malware we recommend using  Spyhunter for Windows. If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here's an example of a suspicious program running on user's computer:

malicious process running on user's computer sample

If you checked the list of programs running on your computer, for example using task manager and identified a program that looks suspicious you should continue with these steps:

manual malware removal step 1 Download a program called Autoruns. This program shows auto-start applications, Registry and file system locations:

screenshot of autoruns application

manual malware removal step 2Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

windows 10 safe mode with networking

Video showing how to start Windows 10 in "Safe Mode with Networking":


manual malware removal step 3Extract the downloaded archive and run Autoruns.exe file.

extract and run autoruns.exe

manual malware removal step 4In the Autoruns application click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure click the "Refresh" icon.

Click 'Options' at the top and uncheck 'Hide Empty Locations' and 'Hide Windows Entries' options

manual malware removal step 5Check the list provided by Autoruns application and locate the malware file that you want to eliminate.

You should write down it full path and name. Note that some malware hides their process names under legitimate Windows process names. At this stage it's very important to avoid removing system files. After you locate he suspicious program you want to remove right click your mouse over it's name and choose "Delete"

locate the malware file you want to remove

After removing the malware through Autoruns application (this ensures that the malware won't run automatically on the next system startup) you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the file of the malware be sure to remove it.

searching for malware file on your computer

Reboot your computer in normal mode. Following these steps should help remove any malware from your computer. Note that manual threat removal requires advanced computer skills, it's recommended to leave malware removal to antivirus and anti-malware programs. These steps might not work with advanced malware infections. As always it's better to avoid getting infected that try to remove malware afterwards. To keep your computer safe be sure to install latest operating system updates and use antivirus software.

To be sure your computer is free of malware infections we recommend scanning it with Spyhunter for Windows.