DF9D.EXE is Adware WSearch

March 11, 2012 by NightWatcher
Filed under: Adware 


We received the file DF9D.EXE and determined that it is not safe.
DF9D.EXE is adware and should be removed.
Kill the DF9D.EXE process and remove the file DF9D.EXE from Windows.

Malware Analysis of DF9D.EXE
Full path on a computer: %WinDir%\df9d.exe

Detected by UnHackMe:

DF9D.EXE
Default location: %WinDir%\df9d.exe

Removal Results: Success
Number of reboots: 1

DF9D.EXE is known as:

Adware.WSearch

DF9D.EXE hash:

  • MD5: 11b91dec9c36ccfce217c1865a30569b

The file tries to download information from some web sites.

How to quickly detect the presence of DF9D.EXE?

Registry:
  • HKLM\Software\Classes\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}\InprocServer32\: “%SysDir%\727o.dll”
  • HKLM\Software\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}\1.0\0\win32\: “%SysDir%\727o.dll”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\plc: “c:\windows\system32\rundll32.exe %SysDir%/2bee.dll,Always”
  • HKLM\System\CurrentControlSet\Services\Eventlog\Application\OSTD\EventMessageFile: “%SysDir%\2bed.exe”
  • HKLM\System\CurrentControlSet\Services\OSTD\ImagePath: “%SysDir%\2bed.exe”
Files:
  • %Common Startmenu%\Programs\Startup\ktv.lnk
  • %Common Startmenu%\Programs\Startup\star.lnk
  • %SysDir%\2bed.exe
  • %SysDir%\2bee.dll
  • %SysDir%\727o.dll
  • %WinDir%\Tasks\ms.job
  • %WinDir%\df9d.exe
  • %WinDir%\df9d.flv
  • %WinDir%\df9u.bmp



Written by

Malware Hunter.
