HEUR:Exploit.Java.CVE-2012-0507.gen
Remove HEUR:Exploit.Java.CVE-2012-0507.gen
HEUR:Exploit.Java.CVE-2012-0507.gen is also known as Trojan-GameThief.Win32.Magania
Malware Analysis of HEUR:Exploit.Java.CVE-2012-0507.gen
Created files (HEUR:Exploit.Java.CVE-2012-0507.gen):
%System%\drivers\6a034934.sys
%Temp%\rar.css
Modified files (HEUR:Exploit.Java.CVE-2012-0507.gen):
%System%\wshtcpip.dll
Detected by UnHackMe:
HEUR:Exploit.Java.CVE-2012-0507.gen Remove now!
Recommended: UnHackMe anti-rootkit and anti-malware
Premium software: RegRun Security Suite (Good choice for removal and protection)
23556fb1360f366337f97c924e76ead3.exe
Trojan 23556fb1360f366337f97c924e76ead3.exe:
%HOMEPATH%\Start Menu\Programs\Startup\23556fb1360f366337f97c924e76ead3.exe
Recover deleted TCPIP.SYS
Recover TCPIP.SYS
If TCPIP.SYS is missing from your system, deleted by a rootkit or by the AVAST antivirus, use the TCPIP.SYS Restore Tool:
Download TCPIP.SYS Restore Tool
MIKEY.EXE is a trojan keylogger
Is the file MIKEY.EXE located on your computer? Then your computer is infected.
We suggest you remove MIKEY.EXE from your computer as soon as possible.
MIKEY.EXE is a Trojan/Backdoor.
Kill the MIKEY.EXE process and remove MIKEY.EXE from the Windows startup.
Malware Analysis of MIKEY.EXE
Full path on a computer: C:\Drivers\media\mikey.exe
Detected by UnHackMe:
Item Name: SvService
Author: NBG
Related File: C:\DRIVERS\MEDIA\MIKEY.EXE
Type: Registry Run
Item Name: mikey.exe
Author: NBG
Related File: C:\DRIVERS\MEDIA\MIKEY.EXE
Type: Running Processes
Removal Results: Success
Number of reboot: 1
MIKEY.EXE is known as:
Spyware.KeyLogger, Trojan-Downloader.Bancos
MIKEY.EXE hash:
- MD5: 2409CF22DEFE0D8104D41A0E23D4A747
Files:
- C:\Drivers\media\lap.bat
- C:\Drivers\media\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest
- C:\Drivers\media\Microsoft.VC90.CRT\msvcm90.dll
- C:\Drivers\media\Microsoft.VC90.CRT\msvcp90.dll
- C:\Drivers\media\Microsoft.VC90.CRT\msvcr90.dll
- C:\Drivers\media\mikey.exe
Another Google redirects. DNS changer 93.188.163.66 93.188.166.5
Another Google redirects. DNS changer!
Several modifications of the TDL rootkit change the DNS server addresses on the infected computer if the rootkit could not infect a system driver.
In this case there is no rootkit on the computer, but all network activity is still controlled by the attackers through their DNS servers.
Dangerous DNS addresses list:
93.188.161.221
93.188.161.223
93.188.161.224
93.188.161.227
93.188.161.228
93.188.161.229
93.188.161.238
93.188.162.81
93.188.162.83
93.188.162.84
93.188.162.87
93.188.162.88
93.188.162.89
93.188.163.66
93.188.163.67
93.188.166.5
93.188.166.6
All addresses belong to the RBN network and are located in Ukraine.
DNS Changer Removal:
Change the DNS servers back to your own settings.
Open Control Panel, Network Connections, TCP/IP settings.
Usually the settings are received automatically from your ISP.
Google Redirects to 212.117.178.25
The virus adds a line to the Windows hosts file:
212.117.178.25 www.google.com
Removal:
Remove the Google search redirection line from the hosts file.
Default hosts file location:
C:\WINDOWS\system32\drivers\etc\hosts
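Both redirection mechanisms described above, the rogue DNS servers of the DNS changer post and the hosts-file entry for www.google.com, can be checked with one short script. The following is an added example, not code from this blog or from RegRun: it pulls the configured resolvers out of `ipconfig /all` output (assumes the English-locale "DNS Servers" label) and compares them with the address list from the DNS changer post, then scans a hosts file for entries that point a watched name anywhere but loopback or point any name at a public address, returning the offending lines and a cleaned copy. The `ipconfig` excerpt and the hosts file are constructed samples.

```python
import ipaddress
import re

# Rogue resolver addresses listed in the DNS changer post.
ROGUE_DNS = {
    "93.188.161.221", "93.188.161.223", "93.188.161.224", "93.188.161.227",
    "93.188.161.228", "93.188.161.229", "93.188.161.238", "93.188.162.81",
    "93.188.162.83", "93.188.162.84", "93.188.162.87", "93.188.162.88",
    "93.188.162.89", "93.188.163.66", "93.188.163.67", "93.188.166.5",
    "93.188.166.6",
}

# Names whose hosts-file entries should never point anywhere but loopback (assumed watchlist).
WATCHLIST = {"www.google.com", "google.com"}

IP_ONLY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def configured_dns_servers(ipconfig_text):
    """Extract the DNS server list from `ipconfig /all` output (English locale assumed)."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        if collecting:
            m = IP_ONLY_RE.match(line)
            if m:                       # continuation line holding only an address
                servers.append(m.group(1))
                continue
            collecting = False
        if "DNS Servers" in line and ":" in line:
            first = line.split(":", 1)[1].strip()
            if first:
                servers.append(first)
            collecting = True
    return servers


def rogue_dns_servers(ipconfig_text):
    """Configured resolvers that appear in the rogue list."""
    return [s for s in configured_dns_servers(ipconfig_text) if s in ROGUE_DNS]


def hosts_redirections(hosts_text, watchlist=WATCHLIST):
    """Return (suspicious_lines, cleaned_text) for a hosts file."""
    watched_names = {w.lower() for w in watchlist}
    suspicious, kept = [], []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:             # blank or comment line
            kept.append(line)
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            kept.append(line)
            continue
        names = {n.lower() for n in fields[1:]}
        # A watched name pointed anywhere but loopback, or any name pointed at a
        # public address, is a redirection worth reviewing.
        if (names & watched_names and not addr.is_loopback) or addr.is_global:
            suspicious.append(line)
        else:
            kept.append(line)
    return suspicious, "\n".join(kept) + "\n"


# Constructed sample of `ipconfig /all` output on an infected machine.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 93.188.163.66
                                            93.188.166.5
        Lease Obtained. . . . . . . . . . : Sunday, March 28, 2010 9:12:01 AM
"""

# Constructed sample hosts file containing the redirection line from the post.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
212.117.178.25 www.google.com
192.168.0.5 intranet.local
"""

if __name__ == "__main__":
    print("rogue DNS servers:", rogue_dns_servers(SAMPLE_IPCONFIG))
    bad, cleaned = hosts_redirections(SAMPLE_HOSTS)
    print("hosts lines to remove:", bad)
    print(cleaned)
```

On a live machine you would feed `configured_dns_servers` the real `ipconfig /all` output and `hosts_redirections` the contents of `C:\WINDOWS\system32\drivers\etc\hosts`; a DHCP-assigned resolver outside your ISP's range is the DNS changer symptom even when the exact address is not in the list above.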
Removed: C:\Documents and Settings\All Users\TempDir\mspro32.scr, start.bat (Locker from Russia)
Malware: exe(193).exe
Removed: C:\Documents and Settings\All Users\TempDir\mspro32.scr
C:\Documents and Settings\All Users\TempDir\start.bat
—————————————————————————————————————————-
Detected by UnHackMe:
Item Name: AAPatch
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ALL USERS\TEMPDIR\START.BAT
Type: Registry Run
Item Name: mspro32.scr
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ALL USERS\TEMPDIR\MSPRO32.SCR
Type: Running Processes
Removal Results: Success
Number of reboot: 1
—————————————————————————————————————————-
How to quickly detect malware presence?
Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AAPatch
Value: “C:\Documents and Settings\All Users\TempDir\start.bat”
Folder:
C:\Documents and Settings\All Users\TempDir
Files:
C:\Documents and Settings\All Users\TempDir\mspro32.scr
C:\Documents and Settings\All Users\TempDir\rdb.bat
C:\Documents and Settings\All Users\TempDir\start.bat
—————————————————————————————————————————-
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2010.08.20 | Suspicious:W32/Malware!Gemini |
| Kaspersky | 7.0.0.125 | 2010.08.20 | - |
| Microsoft | 1.6103 | 2010.08.20 | - |
| NOD32 | 5381 | 2010.08.20 | - |
—————————————————————————————————————————-
Additional information
MD5 : 1691cf4121895606617df25cce2b5072
SHA1 : 4b86080aed3656b099dac97f738936878e9c466e
SHA256: 2ecfb690bb3aeed20efbbafc761029c7a6d1dd92f4938fb964b6e648652a89c7
—————————————————————————————————————————-
How to resolve “msls52.dll not found” problem
How to resolve “msls52.dll not found” problem?

"This application has failed to start because msls52.dll was not found. Re-installing the application may fix this problem".
Your computer cannot boot: after you click OK, the same error appears again and the computer hangs.
What happened?
Your computer is infected by the MSLS52 Trojan.
Recently your antivirus detected and removed %SysDir%\msls52.dll.
VirusTotal Report: msls52.dll
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 5.0.0.30 | 2010.06.24 | Packed.Win32.Katusha!IK |
| AhnLab-V3 | 2010.06.24.01 | 2010.06.24 | Packed/Win32.Katusha |
| AntiVir | 8.2.4.2 | 2010.06.24 | TR/PCK.Katusha.O.24 |
| Antiy-AVL | 2.0.3.7 | 2010.06.24 | Packed/Win32.Katusha |
But your antivirus did not detect the changes the Trojan made to UXTHEME.DLL.
The infected UXTHEME.DLL loads msls52.dll, so every process that loads UXTHEME.DLL now fails.
The simplest way to resolve the problem is to use a boot CD.
A good choice is "RegRun Warrior".
You will find "%SysDir%\uxtheme.dll~RF31166.TMP" (or a file with a similar name), the backup made by the virus.
Rename "uxtheme.dll~RF31166c.TMP" to "uxtheme.dll".
The Warrior boot CD includes the best file manager (Far Manager), which automatically displays hidden files.

Restart your computer and continue your good day!
How to resolve “themed32.dll not found” problem
If you got the "themed32.dll not found" message during Windows startup, you were infected by the "Themed32" trojan.

Your computer cannot boot: after you click OK you get the same error from Wininit.exe and the computer hangs.
What happened?
Recently your antivirus detected and removed %SysDir%\themed32.dll.
VirusTotal Report: themed32.dll
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 5.0.0.30 | 2010.06.24 | Packed.Win32.Katusha!IK |
| AhnLab-V3 | 2010.06.24.01 | 2010.06.24 | Packed/Win32.Katusha |
| AntiVir | 8.2.4.2 | 2010.06.24 | TR/PCK.Katusha.O.24 |
| Antiy-AVL | 2.0.3.7 | 2010.06.24 | Packed/Win32.Katusha |
The problem is that your antivirus did not clean up properly.
The Themed32 virus infects the system DLL "%SysDir%\uxtheme.dll".
It changes the import table of uxtheme.dll so that Themed32.DLL is loaded automatically.
The Themed32 virus uses this method to start automatically with the Windows system.
The simplest way to resolve the problem is to use a boot CD.
A good choice is "RegRun Warrior".
You will find "%SysDir%\uxtheme.dll~RF5bac.TMP" (or a file with a similar name), the backup made by the virus.
Rename "uxtheme.dll~RF5bac.TMP" to "uxtheme.dll".
The Warrior boot CD includes the best file manager (Far Manager), which automatically displays hidden files.
Restart your computer and continue your good day!
Result: 17/40 (42.50%)
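The msls52.dll and themed32.dll posts above describe the same persistence trick: the trojan rewrites the import table of uxtheme.dll so the system DLL pulls the malicious DLL in at load time, and once the antivirus deletes only that DLL, everything that loads uxtheme.dll fails to start. The following added example (not code from this blog or from RegRun) is a minimal pure-Python reader of a PE import directory that diffs the DLL names imported by a suspect copy against a known-clean copy of the same file, which is the check an antivirus would need to make to notice the patched import. `build_sample_pe` is a constructed test fixture that emits a minimal PE32 image containing only an import table; the DLL names passed to it are made up for the test and are not the real imports of uxtheme.dll.

```python
import struct

# Index of the import table in the optional header's data directory (PE format).
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def _parse_headers(pe):
    """Return (data_directory_offset, [(va, vsize, raw_ptr, raw_size), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    sections = []
    for i in range(nsections):
        s = opt + opt_size + 40 * i                    # section header table
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, s + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return dd_off, sections


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)


def imported_dlls(pe):
    """List the DLL names in the import directory, in table order."""
    dd_off, sections = _parse_headers(pe)
    imp_rva = struct.unpack_from("<I", pe, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if imp_rva == 0:
        return []
    names, off = [], _rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        _, _, _, name_rva, _ = struct.unpack_from("<5I", pe, off)
        if name_rva == 0:          # an all-zero descriptor terminates the table
            break
        name_off = _rva_to_offset(name_rva, sections)
        names.append(pe[name_off:pe.index(b"\0", name_off)].decode("ascii", "replace"))
        off += 20
    return names


def added_imports(clean_pe, suspect_pe):
    """DLLs the suspect copy imports that the known-clean copy does not."""
    baseline = {n.lower() for n in imported_dlls(clean_pe)}
    return [n for n in imported_dlls(suspect_pe) if n.lower() not in baseline]


def build_sample_pe(dll_names):
    """Constructed fixture: a minimal PE32 image whose only content is an import table."""
    sec_va, sec_raw = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)
    strings, name_rvas = b"", []
    for name in dll_names:
        name_rvas.append(sec_va + desc_size + len(strings))
        strings += name.encode("ascii") + b"\0"
    descriptors = b"".join(struct.pack("<5I", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    body = descriptors + strings
    body += b"\0" * (-len(body) % 0x200)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_va, desc_size)
    section = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_va, len(body), sec_raw,
                          0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers + b"\0" * (sec_raw - len(headers)) + body


if __name__ == "__main__":
    clean = build_sample_pe(["KERNEL32.dll", "USER32.dll"])          # constructed names
    patched = build_sample_pe(["KERNEL32.dll", "themed32.dll", "USER32.dll"])
    print("added imports:", added_imports(clean, patched))
```

To apply this to a real case, read the suspect `%SysDir%\uxtheme.dll` and a clean copy of the same version (from installation media or the backup the virus left behind) as bytes and pass them to `added_imports`; any DLL name that appears only in the suspect copy is the injected dependency the posts above describe.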
Removed: pp12.exe
Malware: C:\sand-box\videomach.exe
Removed: C:\windows\pp12.exe
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2009.11.20 | - |
| Kaspersky | 7.0.0.125 | 2009.11.22 | Trojan.Win32.Assist.alr |
| McAfee | 5809 | 2009.11.21 | Generic.dx!gzz |
| Microsoft | 1.5302 | 2009.11.22 | Worm:Win32/Koobface.gen!D |
| NOD32 | 4627 | 2009.11.21 | Win32/Koobface.NBH |
| Symantec | 1.4.4.12 | 2009.11.22 | Backdoor.Trojan |
Additional information
File size: 36352 bytes
MD5 : 5a57ef8732d5ef1bdeaf85e826089201
SHA1 : 3c336bb285e2e9a3cf98c809645531793545ab6d
SHA256: 68026e15a2d667c4214f58ffa539f718d319d205ed6a5a210fee09b0c7767dc4
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys deleted:3
----------------------------------
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default
----------------------------------
Keys added:0
----------------------------------
----------------------------------
Values deleted:3
----------------------------------
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Default\: "C:\WINDOWS\media\Windows Navigation Start.wav"
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\.Current\: "%SystemRoot%\media\Windows Navigation Start.wav"
HKCU\AppEvents\Schemes\Apps\Explorer\Navigating\: ""
----------------------------------
Values added:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp: "C:\windows\pp12.exe"
----------------------------------
Values modified:0
----------------------------------
----------------------------------
Files added:2
----------------------------------
C:\WINDOWS\fdgg34353edfgdfdf
C:\WINDOWS\pp12.exe
----------------------------------
Files deleted:1
----------------------------------
C:\sand-box\videomach.exe
----------------------------------
Files [attributes?] modified:0
----------------------------------
----------------------------------
Folders added:0
----------------------------------
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:10
----------------------------------
Detected by UnHackMe:
Item Name: pp
Author: Gromada.com
Related File: C:\windows\pp12.exe
Type: Registry Run
Item Name: pp12.exe
Author: Gromada.com
Related File: C:\WINDOWS\PP12.EXE
Type: Running Processes
Removal Results: Success
Number of reboot: 1
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com
Removed: msdrv32.exe
Malware: malware.exe
Removed: C:\WINDOWS\msdrv32.exe
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2009.11.11 | - |
| Kaspersky | 7.0.0.125 | 2009.11.14 | - |
| McAfee | 5801 | 2009.11.13 | - |
| Microsoft | 1.5202 | 2009.11.14 | - |
| NOD32 | 4606 | 2009.11.14 | - |
| Symantec | 1.4.4.12 | 2009.11.14 | - |
Additional information
File size: 91648 bytes
MD5 : de1cc671bb9fb9da49c8e2baa366e6a0
SHA1 : d3bb214165ee2cd466f2b3c4ec584c5055258b51
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys added:2
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
----------------------------------
Values deleted:0
----------------------------------
----------------------------------
Values added:2
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Microsoft Driver Setup: "C:\WINDOWS\msdrv32.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup: "C:\WINDOWS\msdrv32.exe"
----------------------------------
Values modified:0
----------------------------------
----------------------------------
Files added:2
----------------------------------
C:\WINDOWS\logfile32.txt
C:\WINDOWS\msdrv32.exe
----------------------------------
Files [attributes?] modified:0
----------------------------------
----------------------------------
Folders added:0
----------------------------------
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:6
----------------------------------
Detected by UnHackMe:
Item Name: Microsoft Driver Setup
Author: DOSBox Team
Related File: C:\WINDOWS\msdrv32.exe
Type: Explorer Run
Item Name: msdrv32.exe
Author:
Related File: C:\WINDOWS\msdrv32.exe
Type: Detected using Heuristic Algorithm
Item Name: msdrv32.exe
Author:
Related File: C:\WINDOWS\MSDRV32.EXE
Type: Running Processes
Removal Results: Success
Number of reboot: 1
Removed: mscert.dll, rdolib.dll, photo_id.exe
Malware: your_exe.exe
Removed: C:\WINDOWS\system32\mscert.dll
C:\WINDOWS\system32\rdolib.dll
C:\WINDOWS\system32\photo_id.exe
C:\Documents and Settings\Administrator\photo_id.exe
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2009.11.11 | Suspicious:W32/Malware!Gemini |
| Kaspersky | 7.0.0.125 | 2009.11.16 | Trojan-Downloader.Win32.Murlo.cxc |
| McAfee | 5803 | 2009.11.15 | Generic Downloader.x!bqv |
| Microsoft | 1.5202 | 2009.11.16 | TrojanDownloader:Win32/Harnig.gen!J |
| NOD32 | 4610 | 2009.11.15 | Win32/Kryptik.BAK.gen |
| Symantec | 1.4.4.12 | 2009.11.16 | Downloader |
Additional information
File size: 21504 bytes
MD5 : d3ae177528e106bc6f8ba32484b5e752
SHA1 : ab18e2e275902b327b1457b2cde220a527c646f4
Installation
When the program is executed, it creates the following registry subkeys and values:
———————————-
Keys added:2
———————————-
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
———————————-
Values deleted:0
———————————-
———————————-
Values added:7
———————————-
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name: "dntddho.exe"
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\ID: 0x45DB0D4B
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\photo_id: "C:\WINDOWS\system32\photo_id.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman: "C:\RECYCLER\S-1-5-21-2745073639-3584219299-749805838-5150\wnzip32.exe"
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\AppSecDll: "C:\WINDOWS\system32\mscert.dll"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\photo_id: "C:\Documents and Settings\Administrator\photo_id.exe"
———————————-
Values modified:4
———————————-
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: ""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: "C:\WINDOWS\system32\rdolib.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Partizan\Start: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Partizan\Start: 0x00000003
———————————-
Files added:11
———————————-
C:\Documents and Settings\Administrator\photo_id.exe
C:\RECYCLER\S-1-5-21-2745073639-3584219299-749805838-5150\Desktop.ini
C:\RECYCLER\S-1-5-21-2745073639-3584219299-749805838-5150\wnzip32.exe
C:\WINDOWS\system32\mscert.dll
C:\WINDOWS\system32\photo_id.exe
C:\WINDOWS\system32\rdolib.dll
C:\asvkaj.exe
C:\onchtjgp.exe
C:\ukvmuey.exe
C:\xlksmnok.exe
C:\ymvur.exe
———————————-
Files [attributes?] modified:0
———————————-
———————————-
Folders added:1
———————————-
C:\RECYCLER\S-1-5-21-2745073639-3584219299-749805838-5150
———————————-
Folders deleted:0
———————————-
———————————-
Folders attributes changed:1
———————————-
C:\RECYCLER
———————————-
Total changes:27
———————————-
Detected by UnHackMe:
Item Name: AppSecDll
Author: Microsoft Corporation
Related File: C:\WINDOWS\system32\mscert.dll
Type: Application Security DLLs
Item Name: taskman
Author: Unknown
Related File: C:\RECYCLER\S-1-5-21-2745073639-3584219299-749805838-5150\wnzip32.exe
Type: Winlogon System
Item Name: AppInit_DLLs
Author: Unknown
Related File: C:\WINDOWS\system32\rdolib.dll
Type: List of Injected DLLs
Item Name: photo_id
Author: Unknown
Related File: C:\Documents and Settings\Administrator\photo_id.exe
Type: Registry Run
Item Name: photo_id
Author: Unknown
Related File: C:\WINDOWS\system32\photo_id.exe
Type: Registry Run
Item Name: photo_id.exe
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\PHOTO_ID.EXE
Type: Running Processes
Item Name: photo_id.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\PHOTO_ID.EXE
Type: Running Processes
Removal Results: Success
Number of reboot: 1
Removed: autorun.inf, herss.exe
Malware: C:\sand-box\malware.exe
Removed: C:\Documents and Settings\Administrator\Local Settings\Temp\herss.exe
C:\autorun.inf
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2009.11.09 | - |
| Kaspersky | 7.0.0.125 | 2009.11.11 | - |
| McAfee | 5798 | 2009.11.10 | PWS-OnlineGames.a |
| Microsoft | 1.5202 | 2009.11.11 | Worm:Win32/Taterf.B |
| NOD32 | 4594 | 2009.11.11 | a variant of Win32/Pacex.Gen |
| Symantec | 1.4.4.12 | 2009.11.11 | - |
Additional information
File size: 114311 bytes
MD5 : 0ced4d5f9d073ed733ed1f76a955ced0
SHA1 : 1e6d31a0640b5235ee9af142e71f5bc9767737f3
Installation
When the program is executed, it creates the following registry subkeys and values:
———————————-
Keys added:2
———————————-
HKLM\SOFTWARE\Classes\CLSID\MADOWN
HKLM\SOFTWARE\Microsoft\DownloadManager
———————————-
Values deleted:0
———————————-
———————————-
Values added:3
———————————-
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo: "dsa2whj.i"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cdoosoft: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\herss.exe"
———————————-
Values modified:2
———————————-
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
———————————-
Files added:6
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\cvasds0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\cvasds1.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\herss.exe
C:\autorun.inf
C:\g12g.exe
C:\l61yyp.exe
———————————-
Files deleted:1
———————————-
C:\sand-box\malware.exe
———————————-
Files [attributes?] modified:0
———————————-
———————————-
Folders added:0
———————————-
———————————-
Folders deleted:0
———————————-
———————————-
Total changes:14
———————————-
Detected by UnHackMe:
Item Name: cdoosoft
Author: Unknown
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\herss.exe
Type: Registry Run
Item Name: C:\autorun.inf
Author: Unknown
Related File: C:\autorun.inf
Type: Autorun.inf
Removal Results: Success
Number of reboot: 1
Removed: autorun.inf, xvassdf.exe
Malware: malware.exe
Removed: C:\Documents and Settings\Administrator\Local Settings\Temp\xvassdf.exe
C:\autorun.inf
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2009.11.09 | - |
| Kaspersky | 7.0.0.125 | 2009.11.11 | - |
| McAfee | 5798 | 2009.11.10 | - |
| Microsoft | 1.5202 | 2009.11.10 | Worm:Win32/Taterf.B |
| NOD32 | 4593 | 2009.11.10 | a variant of Win32/Pacex.Gen |
| Symantec | 1.4.4.12 | 2009.11.11 | - |
Additional information
File size: 110388 bytes
MD5 : 572baca4eba53e6948e354dd803ba453
SHA1 : 74d98148e8da0cc61fce1d85e0d1cd0d6cc92527
Installation
When the program is executed, it creates the following registry subkeys and values:
———————————-
Keys added:2
———————————-
HKLM\SOFTWARE\Classes\CLSID\MADOWN
HKLM\SOFTWARE\Microsoft\DownloadManager
———————————-
Values deleted:0
———————————-
———————————-
Values added:3
———————————-
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo: "nmevdg.e"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\54dfsger: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xvassdf.exe"
———————————-
Values modified:2
———————————-
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
———————————-
Files added:6
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\4tddfwq0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\4tddfwq1.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\xvassdf.exe
C:\autorun.inf
C:\meabwpjj.exe
C:\r1wvuyxh.exe
———————————-
Files deleted:1
———————————-
C:\sand-box\malware.exe
———————————-
Files [attributes?] modified:0
———————————-
———————————-
Folders added:0
———————————-
———————————-
Folders deleted:0
———————————-
———————————-
Total changes:14
———————————-
Detected by UnHackMe:
Item Name: C:\autorun.inf
Author: Unknown
Related File: C:\autorun.inf
Type: Autorun.inf
Item Name: 54dfsger
Author: Unknown
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xvassdf.exe
Type: Registry Run
Removal Results: Success
Number of reboot: 1
Removed: spoolsv.exe, svchost.exe, blsys.bln, mrsys.exe, explorer.exe
Malware: X.exe
Removed: C:\WINDOWS\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\blsys.bln
C:\Documents and Settings\Administrator\Local Settings\Application Data\mrsys.exe
C:\WINDOWS\system32\explorer.exe
Classification:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2009.11.09 | - |
| Kaspersky | 7.0.0.125 | 2009.11.11 | Trojan.Win32.VB.yfq |
| McAfee | 5798 | 2009.11.10 | - |
| Microsoft | 1.5202 | 2009.11.10 | - |
| NOD32 | 4593 | 2009.11.10 | - |
| Symantec | 1.4.4.12 | 2009.11.11 | - |
Additional information
File size: 192533 bytes
MD5 : fa638274367f78526cc305545278e9e0
SHA1 : c53a4b5a60f94c8700ad3c1a1db5876eacd243d9
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys added:8
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR
HKCU\Software\VB and VBA Program Settings
HKCU\Software\VB and VBA Program Settings\Explorer
HKCU\Software\VB and VBA Program Settings\Explorer\Process
HKCU\Software\VB and VBA Program Settings\Svchost
HKCU\Software\VB and VBA Program Settings\Svchost\Process
----------------------------------
Values deleted:0
----------------------------------
----------------------------------
Values added:14
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath: "C:\Documents and Settings\Administrator\Local Settings\Application Data\mrsys.exe MR"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer: "c:\windows\system32\explorer.exe RU"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost: "c:\windows\svchost.exe RU"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Explorer: "c:\windows\system32\explorer.exe RO"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Svchost: "c:\windows\svchost.exe RO"
HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours: 0x00000048
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Type: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\VB and VBA Program Settings\Explorer\Process\LO: "0"
HKCU\Software\VB and VBA Program Settings\Explorer\Process\BL: ""
HKCU\Software\VB and VBA Program Settings\Explorer\Process\NF: "0"
HKCU\Software\VB and VBA Program Settings\Svchost\Process\BL: ""
----------------------------------
Values modified:4
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "C:\WINDOWS\explorer.exe, c:\windows\system32\explorer.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId: 0x00000002
----------------------------------
Files added:12
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Application Data\mrsys.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF1561.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF262F.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE8B1.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF746.tmp
C:\WINDOWS\system32\blsys.bln
C:\WINDOWS\system32\cmsys.cmn
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\blsys.bln
C:\WINDOWS\spoolsv.exe
C:\WINDOWS\svchost.exe
----------------------------------
Files deleted:0
----------------------------------
----------------------------------
Files [attributes?] modified:0
----------------------------------
----------------------------------
Folders added:0
----------------------------------
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:38
----------------------------------
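Every "Installation" listing on this page has the same shape: dashed separators, "Values added:N" style section headers, and one registry value or file path per line. The persistence each sample uses (Run and RunOnce keys, the policies Explorer\Run key, AppInit_DLLs, AppCertDlls, the Winlogon Shell and Taskman values, Active Setup StubPath) and the anti-forensics tweak several of them share (ShowSuperHidden and SHOWALL\CheckedValue set to 0 so the dropped files stay invisible in Explorer) can all be picked out of such a listing mechanically. The following is an added example, not the sandbox's or UnHackMe's code: a parser for this listing format plus a triage pass that reports autostart entries, whether hidden files were suppressed, and which newly dropped files are wired into autostart. The embedded report is a constructed excerpt assembled from lines of the Taterf report above.

```python
import re

SECTION_RE = re.compile(r"^(Keys|Values|Files|Folders)\b[^:]*:\s*\d+\s*$")

# Registry locations that make the referenced file start automatically; each
# appears in at least one report on this page.
AUTOSTART_RE = re.compile(
    r"\\CurrentVersion\\Run\\|\\CurrentVersion\\RunOnce\\|\\Policies\\Explorer\\Run\\"
    r"|\\Winlogon\\Shell$|\\Winlogon\\Taskman$|\\Windows\\AppInit_DLLs$"
    r"|\\AppCertDlls\\|\\Active Setup\\Installed Components\\.*\\StubPath$",
    re.IGNORECASE,
)
# Values that, when set to 0, stop Explorer from showing hidden and system files.
HIDE_RE = re.compile(r"\\(ShowSuperHidden|SHOWALL\\CheckedValue)$", re.IGNORECASE)


def parse_report(text):
    """Group the report's entry lines under their 'Xxx added:N' section headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("-—"):   # blank or separator line
            continue
        if SECTION_RE.match(line):
            current = line.split(":", 1)[0].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _split_value(entry):
    key, _, value = entry.partition(": ")
    return key, value.strip().strip('"')


def _is_zero(value):
    try:
        return int(value, 0) == 0
    except ValueError:
        return False


def triage(text):
    """Summarise persistence and hiding behaviour from one installation report."""
    sections = parse_report(text)
    # "Values modified" lists the old value and then the new one; keep only the new ones.
    changed = sections.get("Values added", []) + sections.get("Values modified", [])[1::2]
    autostart, hides = [], False
    for entry in changed:
        key, value = _split_value(entry)
        if AUTOSTART_RE.search(key):
            autostart.append((key, value))
        if HIDE_RE.search(key) and _is_zero(value):
            hides = True
    # Cross-reference: which newly written files are wired into an autostart location?
    wired = set()
    for _, value in autostart:
        for part in value.split(","):           # Winlogon\Shell may hold a comma list
            part = part.strip()
            if part:                            # drop trailing arguments such as "RU"
                wired.add(part.split()[0].split("\\")[-1].lower())
    added_files = sections.get("Files added", [])
    autostart_files = [f for f in added_files if f.split("\\")[-1].lower() in wired]
    return {"autostart": autostart, "hides_hidden_files": hides, "autostart_files": autostart_files}


# Constructed excerpt in the page's report format.
SAMPLE_REPORT = r"""
----------------------------------
Values added:3
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\MADOWN\urlinfo: "dsa2whj.i"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cdoosoft: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\herss.exe"
----------------------------------
Values modified:2
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
----------------------------------
Files added:4
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\cvasds0.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\herss.exe
C:\autorun.inf
C:\g12g.exe
----------------------------------
"""

if __name__ == "__main__":
    for name, value in triage(SAMPLE_REPORT).items():
        print(name, "=", value)
```

The short-name path in the Run value (`C:\DOCUME~1\...\herss.exe`) and the long path in the file list refer to the same file, which is why the cross-reference matches on the final path component rather than the full string; the same comparison copes with the `c:\windows\svchost.exe RU` style values in the last report, where the trailing token is an argument.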
Detected by UnHackMe:
Item Name: spoolsv.exe
Author:
Related File: C:\WINDOWS\spoolsv.exe
Type: Detected using Heuristic Algorithm
Item Name: svchost.exe
Author:
Related File: C:\WINDOWS\svchost.exe
Type: Detected using Heuristic Algorithm
Reanimator was blocked by the virus.
We restarted the computer in "Safe mode with command prompt".
In this mode we were able to start Reanimator.
Detected by Reanimator:
Item Name: spoolsv.exe
Author:
Related File: C:\WINDOWS\spoolsv.exe
Type: Detected using Heuristic Algorithm
Item Name: svchost.exe
Author:
Related File: C:\WINDOWS\svchost.exe
Type: Detected using Heuristic Algorithm
Item Name: Svchost
Author:
Related File: c:\windows\svchost.exe RU
Type: Registry Run
Item Name: Svchost
Author:
Related File: c:\windows\svchost.exe RO
Type: Registry RunOnce
Item Name: At2
Author:
Related File: c:\windows\svchost.exe
Type: Scheduled Tasks
Item Name: At1
Author:
Related File: c:\windows\svchost.exe
Type: Scheduled Tasks
Item Name: shell
Author: Unknown
Related File: C:\WINDOWS\explorer.exe, c:\windows\system32\explorer.exe
Type: System.ini
Item Name: {Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
Author:
Related File: C:\Documents and Settings\Administrator\Local Settings\Application Data\mrsys.exe MR
Type: ActiveSetup
Item Name: blsys.bln
Author: Unknown
Related File: C:\WINDOWS\blsys.bln
Type: Detected using Heuristic Algorithm
Removal Results: Success
Number of reboot: 2