Skip to content
  • Active
  • Severity: High
  • Malware
  • Windows
  • Verified · Dec 2018

How to remove iTranslator virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Gabriel E. Hall · Passionate web researcher

iTranslator virus is a man-in-the-middle malware that is capable of controlling Windows systems

iTranslator virus

iTranslator virus is a dangerous trojan that was discovered by Fortinet[1] security experts and is designed to infiltrate Windows-based systems and monitor browsing activities on Google Chrome, Internet Explorer, Mozilla Firefox, Safari, and other browsers. Trojans usually infiltrate machines with the help of various deceptive methods, including phishing websites, spam emails, file-sharing sites, repacked installers, etc. The main malware executable is itranslator_02.exe (which is signed by an invalid certificate that expired in 2015), although it is also known as itransppa.exe, itranslator20041_se.exe, itransVes.exe, and Setup.exe. Once the exe file is opened, iTranslator malware creates itranslator folder in the Program files directory, and places wintrans.exe inside. Virus automatically executes the wintrans.exe file and actively communicates with C&C server and installs two divers: OpenSCManagerA and CreateServiceA.

Name  iTranslator 
Type  Malware/trojan
Infiltration  Malicious downloads, fake updates
Main executable  itranslator_02.exe
Purpose  Controls Windows machine and monitors users' browsing activities, redirects to specific sites
Elimination  Use powerful security software
Optimization  We recommend using FortectIntego to clean and restore your computer to the original state

The wintrans.exe file also executes iTranslator file directly into the Windows folder, which is then protected by VMProtect packer. For that reason, iTranslator malware removal can be quite complicated. However, using reputable anti-virus solutions should be able to help you get rid of the threat. Nevertheless, we provided full instructions below.

To ensure persistence, iTranslator malware creates the registry subkey, ensuring that the virus loads with every system boot. Next, the malware downloads iTranslator.dll file that can be used for 32-bit and 64-bit operating system, places it in the same directory as wintrans.exe, and performs the following actions:

  • Loads the net filter driver
  • Communicates with both drivers
  • Injects the SSL certificate without users' knowledge
  • Follows web traffic

The whole project was based on a NetFilter SDK (a legitimate network filtering toolkit), and iTranslator virus uses its certificate to avoid detection. This is when man-in-the-middle[2] comes into play: the interception is done secretly. None of the browsers will prevent the execution because Sample CA 2.cer is in the trusted Root Certificate Authorities list.

iTranslator can modify the packet content on both HTTPS and HTTP requests with the help of a man-in-the-middle attack. Additionally, Javascript[3] is inserted and, as soon as the browser receives the response, it is executed to perform more malicious activities.

As soon as iTranslator malware fully establishes, users who visit regular websites like Facebook are redirected to advert-filled sites which promote various deals, offers, coupons and similar. Furthermore, users may land on a phishing website, which can prompt them to download and install bogus software. 

To remove iTranslator virus, you will have to enter Safe Mode with Networking, and either get rid of the malware manually or scan it with reputable security engine. After the elimination is complete, security experts recommend using FortectIntego or repair the system.

iTranslator malware

Beware of executables, even if they look legitimate

We cannot stress enough about the downloading and clicking on executable files. Remember, ANY executable can be malware, even if it has a legitimate name. Therefore, it is highly recommended avoiding dodgy third-party websites that host cracked software, illegal keygens, and similar pirated stuff. If you are willing to risk, however, you can do it much more safely if you scan each executable with security software before opening it. There is a high chance that it will recognize the threat and warn you.

Another malware distribution technique is via the backdoor. Some modules are capable of automatically downloading and installing additional malicious files without users' permission. In such a case, the machine can be compromised even more, and such threats as ransomware can end up on your machine. To prevent this from happening, regularly scan your computer for viruses.

Remove iTranslator malware from your machine

To remove iTranslator virus from your computer entirely, you will have to enter Safe Mode with Networking, as explained below. Once in the safe mode, download and install reputable security tool and run a full system scan. The anti-malware should be able to take care of everything automatically. If not, you should try different options – there are plenty of reputable software available. Note that each vendor relies on databases that are continually updated. However, it might take time before each vendor includes the new malware into their database. Hence, some AV engines might not detect the threat.

While not recommended, you can opt for manual iTranslator virus removal (novice users should stay away from this method). Here's what to do:

  • Enter Safe Mode as explained below
  • Delete the following files: %WINDIR%\iTranslator, %WINDIR%\system32\iTranslator.dll
  • Delete the following folders: %WINDIR%\nss, %WINDIR%\SSL, %ProgramData%\itranslator
  • Delete subkeys: HKLM\SYSTEM\CurrentControlSet\services\iTranslatorSvc, HKLM\SYSTEM\CurrentControlSet\services\NetfilterSvc
  • Remove Sample CA 2 certificate from all browsers

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.