ll.exe - Dangerous

Manual removal instructions:

We suggest you remove bgdferw0.dll from your computer as soon as possible.
Bgdferw0.dll is a Trojan/Backdoor.
Kill the file bgdferw0.dll and remove it from Windows startup.

File: ll.exe
-------------------------------------------------------------------------------------
Antivirus    Version        Last Update   Result
Avast        4.8.1335.0     2009.08.12    Win32:Trojan-gen {Other}
AVG          8.5.0.406      2009.08.12    Win32/Heur.dropper
BitDefender  7.2            2009.08.12    Trojan.Generic.2193470
Comodo       1956           2009.08.12    TrojWare.Win32.Trojan.Agent.Gen
DrWeb        5.0.0.12182    2009.08.12    Trojan.MulDrop.31482
F-Secure     8.0.14470.0    2009.08.12    Trojan-GameThief.Win32.Magania.awuq
Kaspersky    7.0.0.125      2009.08.12    Trojan-GameThief.Win32.Magania.awuq
Microsoft    1.4903         2009.08.12    TrojanDropper:Win32/Small.RZ
NOD32        4330           2009.08.12    Win32/TrojanDropper.Agent.NJV
Symantec     1.4.4.12       2009.08.12    Spyware.Screenspy

Additional information
File size: 193024 bytes
MD5: a4446297db3f10203cfea79231c3173a
SHA1: 3cc2f17343d10dcff80100a39195d6ef987262a8

-------------------------------------------------------------------------------------
Installation
When the program is executed, it makes the following registry and file system changes:

----------------------------------
Keys deleted:0
----------------------------------

----------------------------------
Keys added:22
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\MNDOWN
HKLM\SOFTWARE\Classes\CLSID\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}
HKLM\SOFTWARE\Classes\CLSID\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\{F171A44F-7AF5-43E1-AFED-EDC826A1B0F5}
HKLM\SOFTWARE\Classes\Interface\{F171A44F-7AF5-43E1-AFED-EDC826A1B0F5}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{F171A44F-7AF5-43E1-AFED-EDC826A1B0F5}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{F171A44F-7AF5-43E1-AFED-EDC826A1B0F5}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}
HKLM\SOFTWARE\Classes\TypeLib\{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}\1.0
HKLM\SOFTWARE\Classes\TypeLib\{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}
HKLM\SOFTWARE\Microsoft\DownloadManager

----------------------------------
Values deleted:0
----------------------------------

----------------------------------
Values added:22
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\MNDOWN\urlinfo: "mvvf95f"
HKLM\SOFTWARE\Classes\CLSID\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}\VersionIndependentProgID\: "IEHlprObj.IEHlprObj"
HKLM\SOFTWARE\Classes\CLSID\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}\ProgID\: "IEHlprObj.IEHlprObj.1"
HKLM\SOFTWARE\Classes\CLSID\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}\InprocServer32\: "C:\WINDOWS\system32\bgdferw0.dll"
HKLM\SOFTWARE\Classes\CLSID\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}\: "IEHlprObj Class"
HKLM\SOFTWARE\Classes\Interface\{F171A44F-7AF5-43E1-AFED-EDC826A1B0F5}\TypeLib\: "{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}"
HKLM\SOFTWARE\Classes\Interface\{F171A44F-7AF5-43E1-AFED-EDC826A1B0F5}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{F171A44F-7AF5-43E1-AFED-EDC826A1B0F5}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{F171A44F-7AF5-43E1-AFED-EDC826A1B0F5}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{F171A44F-7AF5-43E1-AFED-EDC826A1B0F5}\: "IIEHlprObj"
HKLM\SOFTWARE\Classes\TypeLib\{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}\1.0\0\win32\: "C:\WINDOWS\system32\bgdferw0.dll"
HKLM\SOFTWARE\Classes\TypeLib\{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}\1.0\HELPDIR\: "C:\WINDOWS\system32\"
HKLM\SOFTWARE\Classes\TypeLib\{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}\1.0\FLAGS\: "0"
HKLM\SOFTWARE\Classes\TypeLib\{F171A442-7AF5-43E1-AFED-EDC826A1B0F5}\1.0\: "IEHelper 1.0 Type Library"
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\: "IEHlprObj.IEHlprObj.1"
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj\: "IEHlprObj Class"
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\: "{F171A450-7AF5-43E1-AFED-EDC826A1B0F5}"
HKLM\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\: "IEHlprObj Class"
HKCU\Software\Microsoft\CTF\MSUTB\ShowDeskBand: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hjdsdse: "C:\WINDOWS\system32\oukdfgr.exe"

----------------------------------
Values modified:20
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseObtainedTime: 0x4A8186E5
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseObtainedTime: 0x4A83B229
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T1: 0x4A818A69
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T1: 0x4A83B5AD
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T2: 0x4A818D0C
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T2: 0x4A83B850
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseTerminatesTime: 0x4A818DED
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseTerminatesTime: 0x4A83B931
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseObtainedTime: 0x4A8186E5
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseObtainedTime: 0x4A83B229
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T1: 0x4A818A69
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T1: 0x4A83B5AD
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T2: 0x4A818D0C
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T2: 0x4A83B850
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseTerminatesTime: 0x4A818DED
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseTerminatesTime: 0x4A83B931
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\GeneralFlags: 0x00000004
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\GeneralFlags: 0x00000005

----------------------------------
Files added:8
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\ker1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\ker2.tmp
C:\WINDOWS\system32\bgdferw0.dll
C:\WINDOWS\system32\hyrteas0.dll
C:\WINDOWS\system32\hyrteas1.dll
C:\WINDOWS\system32\oukdfgr.exe
C:\autorun.inf
C:\lhylec9x.cmd

----------------------------------
Files deleted:1
----------------------------------
C:\sand-box\ll.exe

----------------------------------
Files [attributes?] modified:0
----------------------------------

----------------------------------
Folders added:0
----------------------------------

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Total changes:73
----------------------------------

-------------------------------------------------------------------------------------
Internet activity:

HTTP GET hxxp://nhjuy1.com/hg2/ll.rar
HTTP GET hxxp://nhjuy1.com/hg2/ll.exe
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: {F171A450-7AF5-43E1-AFED-EDC826A1B0F5}
Author:
Related File: C:\WINDOWS\system32\bgdferw0.dll
Type: Browser Helper Objects

Item Name: oukdfgr.exe
Author: Unknown
Related File: C:\WINDOWS\system32\oukdfgr.exe
Type: Detected using Heuristic Algorithm

Item Name: hjdsdse
Author: Unknown
Related File: C:\WINDOWS\system32\oukdfgr.exe
Type: Registry Run

Item Name: C:\autorun.inf
Author: Unknown
Related File: C:\autorun.inf
Type: Autorun.inf

Item Name: hyrteas1.dll
Author: Unknown
Related File: C:\WINDOWS\system32\hyrteas1.dll
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)

ll.exe Dangerous Rating: 5 out of 5

Jeff's Story:

My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.

I sought a solution on the Internet and discovered your product and tried out the trial of UnHackMe.

You quickly found the rootkit and SAVED my PC!

I haven't had any problems since, and I'm extremely grateful.