STKSCAN.DLL is Trojan Sirefef.BP

February 9, 2012 by NightWatcher
Filed under: Malware

STKSCAN.DLL is a component of the ZeroAccess (Sirefef) rootkit. It does not run as a process of its own: it is registered as the ServiceDll of a bogus service, SNP2STD, displayed as "Acedrv07", so that svchost.exe loads it at boot, and the rootkit hides the files and registry keys listed below from normal tools. Plain deletion therefore tends to fail or to be undone; use an anti-rootkit tool that inspects the system from kernel mode or offline.
The same file (MD5 b89cfbe8cb247b57d8c10adaa66b462b) appears elsewhere on this page as PcdrNt.dll, winproxy.dll and nvnetbus.dll, each under a different fake service name. The DLL name and the service name vary per infection, so match on the hash, on the decoy service description and on a ServiceDll that no known component owns, not on the file name. The %WinDir%\$NtUninstallKB3057$ folder is a further tell: it mimics the folders hotfixes leave behind, but the number is not that of any installed update.

Malware Analysis of STKSCAN.DLL
Full path on a computer: %SysDir%\StkScan.dll

Detected by RegRun Warrior:

STKSCAN.DLL
Default location: %SysDir%\StkScan.dll

Removal Results: Success
Number of reboot: 1

STKSCAN.DLL is known as:

Trojan.Sirefef.BP, TR.Sirefef.BP.1, Troj.ZAccess-AB, W32.ZeroAccess.D.tr

STKSCAN.DLL hash:

  • MD5: b89cfbe8cb247b57d8c10adaa66b462b
How to quickly detect STKSCAN.DLL presence?

Registry:
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SNP2STD\0000\Service: "SNP2STD"
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SNP2STD\0000\DeviceDesc: "Acedrv07"
  • HKLM\System\CurrentControlSet\Services\SNP2STD\Parameters\ServiceDll: "%systemroot%\system32\StkScan.dll"
  • HKLM\System\CurrentControlSet\Services\SNP2STD\DisplayName: "Acedrv07"
  • HKLM\System\CurrentControlSet\Services\SNP2STD\Description: "New service would allow parents to control their children's online activity."
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "%Local Appdata%\3308c706\X"
Folders:
  • %WinDir%\$NtUninstallKB3057$
Files:
  • %Local Appdata%\3308c706\@
  • %Local Appdata%\3308c706\X
  • %WinDir%\assembly\GAC_MSIL\Desktop.ini
  • %SysDir%\dds_log_trash.cmd
  • %SysDir%\StkScan.dll
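
The posts on this page describe the same mechanism over and over: a DLL with an arbitrary name is registered as the ServiceDll of a service with an arbitrary name, a decoy description and an unrelated display name, and svchost.exe loads it. The script below is an added example, not code from this page or from the UnHackMe/RegRun authors: it triages a snapshot of service registrations with the checks a responder would apply (the decoy description and the MD5s reported on this page, a ServiceDll without a .dll extension or outside system32, a ServiceDll on a service whose ImagePath is not svchost, and an ImagePath that runs cmd.exe or a script). It goes beyond this post on purpose: the same checks also catch the WinAudio service and the Gwxyabcde.gif ServiceDll from the 1029.URL and GWXYABCDE.GIF posts further down. The snapshot is constructed from the registry values on this page; the two legitimate services and the svchost ImagePath assumed for the Farfli service are assumptions.

```python
r"""Triage of Windows service registrations for svchost ServiceDll hijacking and
other service-based persistence, using the indicators listed on this page.

Input: one ServiceEntry per HKLM\System\CurrentControlSet\Services\<name> key,
built from a registry export or an agent's collection (ImagePath,
Parameters\ServiceDll, DisplayName, Description, optionally the MD5 of the
referenced file). Nothing here touches the live registry, so it runs anywhere.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Decoy description shared by every ZeroAccess/Sirefef service on this page.
FAKE_DESCRIPTION = ("New service would allow parents to control their "
                    "children's online activity.")

# MD5s this page reports for the ZeroAccess ServiceDll (one file, several names).
KNOWN_BAD_MD5 = {
    "b89cfbe8cb247b57d8c10adaa66b462b",  # StkScan.dll, PcdrNt.dll, winproxy.dll, nvnetbus.dll
    "11028c6a84a967070cb1286550f2058f",  # maya70docserver.dll, pci.dll
}

SYSTEM32 = "c:\\windows\\system32\\"
SVCHOST_RE = re.compile(r'^"?c:\\windows\\system32\\svchost\.exe"?\s+-k\s+\S+', re.I)
CMD_RE = re.compile(r'(^|\\|")cmd(\.exe)?"?\s+/[ck]\s', re.I)
SCRIPT_RE = re.compile(r'\.(bat|cmd|vbs|js|wsf|ps1)\b', re.I)


@dataclass
class ServiceEntry:
    name: str
    image_path: str = ""    # empty = not collected
    service_dll: str = ""
    display_name: str = ""
    description: str = ""
    md5: str = ""           # hash of the ServiceDll or ImagePath file, if collected


def expand(path: str) -> str:
    """Lower-case and expand the %SystemRoot%/%WinDir% spellings used in the page's values."""
    p = path.strip().lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def service_findings(svc: ServiceEntry) -> List[str]:
    """Reasons why this service deserves a look; an empty list means nothing matched."""
    findings: List[str] = []
    img, dll = expand(svc.image_path), expand(svc.service_dll)

    if svc.description.strip().replace("\u2019", "'") == FAKE_DESCRIPTION:
        findings.append("description is the ZeroAccess decoy text")
    if svc.md5.lower() in KNOWN_BAD_MD5:
        findings.append("file hash matches a ZeroAccess ServiceDll from this page")
    if dll:
        # svchost loads the ServiceDll with LoadLibrary; the extension is irrelevant
        # to it, which is how a renamed PE such as Gwxyabcde.gif gets loaded.
        if not dll.endswith(".dll"):
            findings.append("ServiceDll does not have a .dll extension")
        if not dll.startswith(SYSTEM32):
            findings.append("ServiceDll lives outside %SystemRoot%\\system32")
        if img and not SVCHOST_RE.match(img):
            findings.append("ServiceDll set but ImagePath is not svchost.exe -k <group>")
    if img and (CMD_RE.search(img) or SCRIPT_RE.search(img)):
        # e.g. the WinAudio service on this page: cmd.exe /c C:\PROGRA~1\%PROGR~1\Cest.bat
        findings.append("ImagePath runs a command interpreter or script instead of a service binary")
    return findings


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Map service name -> findings, for the services that have any."""
    return {e.name: f for e in entries if (f := service_findings(e))}


# Constructed snapshot: two legitimate services for contrast (assumed values),
# then entries copied from the registry values and hashes reported on this page.
# ImagePath for SNP2STD was not recorded on the page and is left empty; the
# svchost ImagePath of the Farfli service is assumed from its "Svchost DLLs" type.
SAMPLE_SNAPSHOT = [
    ServiceEntry("Dhcp", r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 r"%SystemRoot%\system32\dhcpcsvc.dll", "DHCP Client",
                 "Registers and updates IP addresses and DNS records for this computer."),
    ServiceEntry("Spooler", r"%SystemRoot%\System32\spoolsv.exe", "", "Print Spooler",
                 "Loads files to memory for later printing."),
    ServiceEntry("SNP2STD", "", r"%systemroot%\system32\StkScan.dll", "Acedrv07",
                 FAKE_DESCRIPTION, md5="b89cfbe8cb247b57d8c10adaa66b462b"),
    ServiceEntry("infrastructure", r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 r"%systemroot%\system32\nvnetbus.dll", "", FAKE_DESCRIPTION,
                 md5="b89cfbe8cb247b57d8c10adaa66b462b"),
    ServiceEntry("WinAudio", r"cmd.exe /c C:\PROGRA~1\%PROGR~1\Cest.bat", "", "WinAudio"),
    ServiceEntry("Vwxyab Defghijk Mno", r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 r"%Program Files%\Bwxy\Gwxyabcde.gif", "Vwxyab Defghijk Mno"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SNAPSHOT).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

To run it against a real machine, export HKLM\System\CurrentControlSet\Services with reg.exe and map each key to a ServiceEntry, adding hashes from whatever the collector computed. The description and hash matches are exact; the "outside system32" and "not svchost" checks are heuristics that will also flag some third-party services, so treat them as prompts for a closer look rather than verdicts.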


%Local Appdata%\3308c706\X is Rootkit ZeroAccess

February 9, 2012 by NightWatcher
Filed under: Rootkit

The file X in %Local Appdata%\3308c706 is the user-mode component of the ZeroAccess rootkit. It is launched at every logon through the Winlogon Shell value in HKCU, which replaces explorer.exe as the user's shell, and the kernel-mode part of the infection (here living in a patched netbt.sys) hides the folder and its contents.
Detection and removal are difficult for that reason: the file is invisible to normal directory listings while the rootkit is active, and deleting X alone leaves the infected driver and the service DLL in place.
Use an anti-rootkit tool that can repair the driver and remove the whole set.

Malware Analysis of X
Full path on a computer: %Local Appdata%\3308c706\X

Detected by UnHackMe:

Item Name: shell
Author: Unknown
Related File: %Local Appdata%\3308c706\X
Type: User Shell

Item Name: Rootkit: ZeroAccess 32/64.4
Author: Unknown
Related File:
Type: Devices in Memory

Detected by RegRun Warrior:

Item Name: shell
Author: Unknown
Related File: %Local Appdata%\3308c706\X
Type: User Shell

Item Name: netbt.sys
Author: Unknown
Related File: %SYSDIR%\DRIVERS\NETBT.SYS
Type: System Drivers Infected by Rootkit

STKSCAN.DLL
Default location: %SYSDIR%\STKSCAN.DLL
MD5: b89cfbe8cb247b57d8c10adaa66b462b
SHA1: a4023b8e38f1e18d0dffb43567c5e0aef6c8086b
File Size: 5,120 bytes

Removal Results: Success
Number of reboot: 1

X is known as:

Rootkit.ZeroAccess, Trojan.Sirefef

X hash:

  • MD5: fde7e556abc385a39b73919e470fbb1d
How to quickly detect X presence?

Registry:
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SNP2STD\0000\Service: "SNP2STD"
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SNP2STD\0000\DeviceDesc: "Acedrv07"
  • HKLM\System\CurrentControlSet\Services\SNP2STD\Parameters\ServiceDll: "%systemroot%\system32\StkScan.dll"
  • HKLM\System\CurrentControlSet\Services\SNP2STD\DisplayName: "Acedrv07"
  • HKLM\System\CurrentControlSet\Services\SNP2STD\Description: "New service would allow parents to control their children's online activity."
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "%Local Appdata%\3308c706\X"
Folders:
  • %WinDir%\$NtUninstallKB3057$
Files:
  • %Local Appdata%\3308c706\@
  • %Local Appdata%\3308c706\X
  • %WinDir%\assembly\GAC_MSIL\Desktop.ini
  • %SysDir%\dds_log_trash.cmd
  • %SysDir%\StkScan.dll


PCDRNT.DLL is Rootkit ZeroAccess

February 9, 2012 by NightWatcher
Filed under: Rootkit

PCDRNT.DLL is the ZeroAccess (Sirefef) service DLL under another name; its MD5 is identical to that of StkScan.dll above. Here it is registered as the ServiceDll of a bogus service named antivirscheduler with the display name "Epsonstatusagent2" and the same decoy description, and it is loaded by svchost.exe rather than running as a process of its own.
Because the rootkit hides the file and its keys, removal needs an anti-rootkit tool, and the user-mode loader %Local Appdata%\3308c706\X and the Winlogon Shell hijack listed below must be removed with it.

Malware Analysis of PCDRNT.DLL
Full path on a computer: %SysDir%\PcdrNt.dll

Detected by RegRun Warrior:

PCDRNT.DLL
Default location: %SysDir%\PcdrNt.dll

Removal Results: Success
Number of reboot: 1

PCDRNT.DLL is known as:

Rootkit.ZeroAccess, Trojan.Sirefef

PCDRNT.DLL hash:

  • MD5: b89cfbe8cb247b57d8c10adaa66b462b
How to quickly detect PCDRNT.DLL presence?

Registry:
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ANTIVIRSCHEDULER\0000\Service: "antivirscheduler"
  • HKLM\System\CurrentControlSet\Services\antivirscheduler\Parameters\ServiceDll: "%systemroot%\system32\PcdrNt.dll"
  • HKLM\System\CurrentControlSet\Services\antivirscheduler\DisplayName: "Epsonstatusagent2"
  • HKLM\System\CurrentControlSet\Services\antivirscheduler\Description: "New service would allow parents to control their children's online activity."
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%Local Appdata%\3308c706\X”
Folders:
  • %WinDir%\$NtUninstallKB3057$
Files:
  • %Local Appdata%\3308c706\@
  • %Local Appdata%\3308c706\X
  • %WinDir%\assembly\GAC_MSIL\Desktop.ini
  • %SysDir%\dds_log_trash.cmd
  • %SysDir%\PcdrNt.dll


MAYA70DOCSERVER.DLL is Rootkit ZeroAccess

February 9, 2012 by NightWatcher
Filed under: Rootkit

MAYA70DOCSERVER.DLL is a ZeroAccess (Sirefef) service DLL, registered as the ServiceDll of a bogus service named w810mgmt (display name "Cercsr6") and loaded by svchost.exe. It shares its MD5 with pci.dll further down this page, so once again the file name is chosen per infection.
The rootkit hides the DLL and the %WinDir%\$NtUninstallKB62478$ folder it creates; the folder name mimics the ones hotfixes leave behind, but no update with that number exists, so a $NtUninstallKB...$ folder with no matching entry in Add/Remove Programs is a quick check.
Detection and removal need anti-rootkit software.

Malware Analysis of MAYA70DOCSERVER.DLL
Full path on a computer: %SysDir%\maya70docserver.dll

Detected by RegRun Warrior:

MAYA70DOCSERVER.DLL
Default location: %SysDir%\maya70docserver.dll

Removal Results: Success
Number of reboot: 1

MAYA70DOCSERVER.DLL is known as:

Rootkit.ZeroAccess, Trojan.Sirefef

MAYA70DOCSERVER.DLL hash:

  • MD5: 11028c6a84a967070cb1286550f2058f
How to quickly detect MAYA70DOCSERVER.DLL presence?

Registry:
  • HKLM\System\CurrentControlSet\Services\w810mgmt\Parameters\ServiceDll: "%systemroot%\system32\maya70docserver.dll"
  • HKLM\System\CurrentControlSet\Services\w810mgmt\DisplayName: "Cercsr6"
Folders:
  • %WinDir%\$NtUninstallKB62478$
Files:
  • %SysDir%\maya70docserver.dll


INETACCELERATOR.EXE is Trojan Foreign

February 9, 2012 by NightWatcher
Filed under: Malware

INETACCELERATOR.EXE is a malicious file classified as Trojan.Foreign. It runs from the system directory and should be removed without delay: terminate the INETACCELERATOR.EXE process, delete the file and remove any startup entry that points to it. This report recorded no registry persistence for it, so check the Run keys and scheduled tasks yourself.

Malware Analysis of INETACCELERATOR.EXE
Full path on a computer: %SYSTEM%\INETACCELERATOR.EXE

Detected by RegRun Warrior:

INETACCELERATOR.EXE
Default location: %SYSTEM%\INETACCELERATOR.EXE

Removal Results: Success
Number of reboot: 1

INETACCELERATOR.EXE is known as:

Trojan.Foreign

INETACCELERATOR.EXE hash:

  • MD5: 95b6951075b43fae354217bb57c07427
How to quickly detect INETACCELERATOR.EXE presence?

Files:
  • %SYSTEM%\INETACCELERATOR.EXE


_EX-68.EXE is Trojan Banload

February 9, 2012 by NightWatcher
Filed under: Malware

Samples of _EX-68.EXE were analysed and classified as Trojan.Banload, a downloader family. The file runs from %Windir%\Temp, persists through an HKLM Run value named MozillaAgent and leaves a %Temp%\1.tmp file behind. Remove it from the computer right away.
Removal tool: http://www.unhackme.com

Malware Analysis of _EX-68.EXE
Full path on a computer: %Windir%\Temp\_ex-68.exe

Detected by RegRun Warrior:

_EX-68.EXE
Default location: %Windir%\Temp\_ex-68.exe

Removal Results: Success
Number of reboot: 1

_EX-68.EXE is known as:

Trojan.Banload

_EX-68.EXE hash:

  • MD5: a7e4e91ebd829c972fd5b6fc38b957cf
How to quickly detect _EX-68.EXE presence?

Registry:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent: "%Windir%\temp\_ex-68.exe"
Files:
  • %Temp%\1.tmp
  • %Windir%\Temp\_ex-68.exe


OTYTKF.EXE is Worm Palevo

February 9, 2012 by NightWatcher
Filed under: Worm

OTYTKF.EXE is a Palevo (Rimecud) worm. It persists through the Winlogon Taskman value, which Winlogon runs at logon and which is not present on a clean system at all, so any program named there is suspect. Kill the OTYTKF.EXE process, delete the file from the user profile and clear the Taskman value.

Malware Analysis of OTYTKF.EXE
Full path on a computer: %UserProfile%\otytkf.exe

Detected by UnHackMe:

OTYTKF.EXE
Default location: %UserProfile%\otytkf.exe

Removal Results: Success
Number of reboot: 1

OTYTKF.EXE is known as:

Worm.Palevo, Trojan.Rimecud

OTYTKF.EXE hash:

  • MD5: aad4dac994bf75727bc12b0555d529a8
How to quickly detect OTYTKF.EXE presence?

Registry:
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman: "%UserProfile%\otytkf.exe"
Files:
  • %UserProfile%\otytkf.exe


FUNSHIONINSTALL.EXE is Trojan Delf

February 9, 2012 by NightWatcher
Filed under: Malware

RegRun Warrior classifies %Temp%\FunshionInstall.exe as Trojan.Delf, a family of Delphi-compiled Trojans and backdoors. If the file is present, treat the computer as infected: kill the FUNSHIONINSTALL.EXE process, remove it from the Windows startup and delete it together with the companion FunshionInstall.exe.ini.

Malware Analysis of FUNSHIONINSTALL.EXE
Full path on a computer: %Temp%\FunshionInstall.exe

Detected by RegRun Warrior:

FUNSHIONINSTALL.EXE
Default location: %Temp%\FunshionInstall.exe

Removal Results: Success
Number of reboot: 1

FUNSHIONINSTALL.EXE is known as:

Trojan.Delf

FUNSHIONINSTALL.EXE hash:

  • MD5: c56e9f57356f0f48e1022ba6901aa608
How to quickly detect FUNSHIONINSTALL.EXE presence?

Files:
  • %Temp%\FunshionInstall.exe
  • %Temp%\FunshionInstall.exe.ini


MAXTUDOXDB.EXE is Trojan CFI

February 9, 2012 by NightWatcher
Filed under: Malware

MAXTUDOXDB.EXE was analysed and found malicious (Trojan.CFI, also detected as Trojan.Toxaic). It sits in the root of the system drive and persists through an HKLM Run value of the same name. Kill the MAXTUDOXDB.EXE process, delete the file and remove the Run value.

Malware Analysis of MAXTUDOXDB.EXE
Full path on a computer: C:\MAXTUDOXDB.exe

Detected by UnHackMe:

Item Name: MAXTUDOXDB
Author: Unknown
Related File: C:\\MAXTUDOXDB.EXE
Type: Registry Run

Item Name: MAXTUDOXDB.exe
Author: Unknown
Related File: C:\MAXTUDOXDB.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

MAXTUDOXDB.EXE is known as:

Trojan.CFI, Trojan.Toxaic

MAXTUDOXDB.EXE hash:

  • MD5: 8d51a95f4886a35e3b3f50da393602d4
How to quickly detect MAXTUDOXDB.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MAXTUDOXDB: "C:\\MAXTUDOXDB.exe"
Files:
  • C:\MAXTUDOXDB.exe


MSDSCSC.EXE is Backdoor Finlosky

February 9, 2012 by NightWatcher
Filed under: Backdoor

MSDSCSC.EXE is a backdoor: it gives a remote operator control of the infected PC. It persists twice, through an HKCU Run value named MicroUpdate and by appending itself to the Winlogon Userinit value after userinit.exe, so it starts with every logon even if the Run value is removed. The MSDCSC folder and the MicroUpdate value name are the default settings of the DarkComet remote administration tool; the "Microsoft Corp." author shown below is read from the file's version resource and is spoofed.
UnHackMe is recommended as a reliable program for solving the problem with MSDSCSC.EXE.
Download for free: http://www.unhackme.com

Malware Analysis of MSDSCSC.EXE
Full path on a computer: %Personal%\MSDCSC\msdscsc.exe

Detected by UnHackMe:

Item Name: UserInit
Author: Unknown
Related File: %SysDir%\userinit.exe,%Personal%\MSDCSC\msdscsc.exe
Type: UserInit Value

Item Name: MicroUpdate
Author: Microsoft Corp.
Related File: %PERSONAL%\MSDCSC\MSDSCSC.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

MSDSCSC.EXE is known as:

Backdoor.Finlosky, Backdoor.Krademok

MSDSCSC.EXE hash:

  • MD5: a4bbbebd9bb26f02a0a7bb7092ac3d06
The sample attempts to connect to a remote host; the address was not recorded in this report.
How to quickly detect MSDSCSC.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate: "%Personal%\MSDCSC\msdscsc.exe"
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "%SysDir%\userinit.exe,%Personal%\MSDCSC\msdscsc.exe"
Files:
  • %Personal%\MSDCSC\msdscsc.exe


PLUGIN01.EXE is Trojan Banker

February 9, 2012 by NightWatcher
Filed under: Malware

PLUGIN01.EXE is part of a banking-Trojan installation (Trojan.Banker) that drops a whole set of files at once: diskete.exe, plugin01.exe, plugin02.exe, plugin03.exe, plugin64.exe, flash-plugin.exe and several randomly named executables in %WinDir%\Fonts, each registered under its own HKLM Run value (one of them under an empty value name, which is easy to miss in a registry listing). The same listing is repeated in the PLUGIN03, PLUGIN02, PLUGIN64 and DISKETE posts below because they are one infection. Kill all of the processes and remove every Run value and file in one pass; any component left behind can download the rest again.

Malware Analysis of PLUGIN01.EXE
Full path on a computer: %WinDir%\plugin01.exe

Detected by UnHackMe:

Item Name:
Author: Unknown
Related File: %WinDir%\DISKETE.EXE
Type: Registry Run

Item Name: Plugin Live 64
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Registry Run

Item Name: Windows Plugin Two
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Registry Run

Item Name: Windows Plugin Three
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Registry Run

Item Name: Windows Plugin One
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Registry Run

Item Name: plugin64.exe
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Running Processes

Item Name: plugin02.exe
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Running Processes

Item Name: plugin03.exe
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Running Processes

Item Name: plugin01.exe
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Running Processes

Item Name: Flash Plugin
Author: Unknown
Related File: %WinDir%\FLASH-PLUGIN.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

PLUGIN01.EXE is known as:

Trojan.Banker

PLUGIN01.EXE hash:

  • MD5: d3a84975c627bc0ff3d8ae7dd0901b3d
The file downloads and installs other malware on commands received from its command-and-control server.
How to quickly detect PLUGIN01.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: "%WinDir%\diskete.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Flash Plugin: "%WinDir%\flash-plugin.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Plugin Live 64: "%WinDir%\plugin64.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Plugin Two: "%WinDir%\plugin02.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin Three: "%WinDir%\plugin03.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin One: "%WinDir%\plugin01.exe"
Files:
  • %WinDir%\Fonts\eugvx.exe
  • %WinDir%\Fonts\iqpgi.exe
  • %WinDir%\Fonts\jtuuy.exe
  • %WinDir%\Fonts\lnmwm.exe
  • %WinDir%\Fonts\tcira.exe
  • %WinDir%\Fonts\vgdmr.exe
  • %WinDir%\Fonts\wwxtl.exe
  • %WinDir%\diskete.exe
  • %WinDir%\flash-plugin.exe
  • %WinDir%\plugin01.exe
  • %WinDir%\plugin02.exe
  • %WinDir%\plugin03.exe
  • %WinDir%\plugin64.exe


PLUGIN03.EXE is Trojan Banker

February 9, 2012 by NightWatcher
Filed under: Malware

Samples of PLUGIN03.EXE were analysed and classified as Trojan.Banker (also detected as Trojan.Scar). It is one component of the set described in the PLUGIN01.EXE post above and must be removed together with the others.
Removal tool: http://www.unhackme.com

Malware Analysis of PLUGIN03.EXE
Full path on a computer: %WinDir%\plugin03.exe

Detected by UnHackMe:

Item Name:
Author: Unknown
Related File: %WinDir%\DISKETE.EXE
Type: Registry Run

Item Name: Plugin Live 64
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Registry Run

Item Name: Windows Plugin Two
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Registry Run

Item Name: Windows Plugin Three
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Registry Run

Item Name: Windows Plugin One
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Registry Run

Item Name: plugin64.exe
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Running Processes

Item Name: plugin02.exe
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Running Processes

Item Name: plugin03.exe
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Running Processes

Item Name: plugin01.exe
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Running Processes

Item Name: Flash Plugin
Author: Unknown
Related File: %WinDir%\FLASH-PLUGIN.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

PLUGIN03.EXE is known as:

Trojan.Banker, Trojan.Scar

PLUGIN03.EXE hash:

  • MD5: 08fe5e2da71ddaf37597b029f6442fa2
The sample attempts to connect to a remote host; the address was not recorded in this report.
How to quickly detect PLUGIN03.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: "%WinDir%\diskete.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Flash Plugin: "%WinDir%\flash-plugin.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Plugin Live 64: "%WinDir%\plugin64.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Plugin Two: "%WinDir%\plugin02.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin Three: "%WinDir%\plugin03.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin One: "%WinDir%\plugin01.exe"
Files:
  • %WinDir%\Fonts\eugvx.exe
  • %WinDir%\Fonts\iqpgi.exe
  • %WinDir%\Fonts\jtuuy.exe
  • %WinDir%\Fonts\lnmwm.exe
  • %WinDir%\Fonts\tcira.exe
  • %WinDir%\Fonts\vgdmr.exe
  • %WinDir%\Fonts\wwxtl.exe
  • %WinDir%\diskete.exe
  • %WinDir%\flash-plugin.exe
  • %WinDir%\plugin01.exe
  • %WinDir%\plugin02.exe
  • %WinDir%\plugin03.exe
  • %WinDir%\plugin64.exe


PLUGIN02.EXE is Trojan Scar

February 9, 2012 by NightWatcher
Filed under: Malware

PLUGIN02.EXE is another component of the same banking-Trojan set (Trojan.Scar). Kill the PLUGIN02.EXE process, delete the file and remove its "Windows Plugin Two" Run value, together with the rest of the set listed below.

Malware Analysis of PLUGIN02.EXE
Full path on a computer: %WinDir%\plugin02.exe

Detected by UnHackMe:

Item Name:
Author: Unknown
Related File: %WinDir%\DISKETE.EXE
Type: Registry Run

Item Name: Plugin Live 64
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Registry Run

Item Name: Windows Plugin Two
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Registry Run

Item Name: Windows Plugin Three
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Registry Run

Item Name: Windows Plugin One
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Registry Run

Item Name: plugin64.exe
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Running Processes

Item Name: plugin02.exe
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Running Processes

Item Name: plugin03.exe
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Running Processes

Item Name: plugin01.exe
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Running Processes

Item Name: Flash Plugin
Author: Unknown
Related File: %WinDir%\FLASH-PLUGIN.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

PLUGIN02.EXE is known as:

Trojan.Scar

PLUGIN02.EXE hash:

  • MD5: 0f0f4c6fc34d387b557980288b730df5
The sample downloads data from remote web sites; the destinations were not recorded in this report.
How to quickly detect PLUGIN02.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: "%WinDir%\diskete.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Flash Plugin: "%WinDir%\flash-plugin.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Plugin Live 64: "%WinDir%\plugin64.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Plugin Two: "%WinDir%\plugin02.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin Three: "%WinDir%\plugin03.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin One: "%WinDir%\plugin01.exe"
Files:
  • %WinDir%\Fonts\eugvx.exe
  • %WinDir%\Fonts\iqpgi.exe
  • %WinDir%\Fonts\jtuuy.exe
  • %WinDir%\Fonts\lnmwm.exe
  • %WinDir%\Fonts\tcira.exe
  • %WinDir%\Fonts\vgdmr.exe
  • %WinDir%\Fonts\wwxtl.exe
  • %WinDir%\diskete.exe
  • %WinDir%\flash-plugin.exe
  • %WinDir%\plugin01.exe
  • %WinDir%\plugin02.exe
  • %WinDir%\plugin03.exe
  • %WinDir%\plugin64.exe


PLUGIN64.EXE is Trojan Bancos

February 9, 2012 by NightWatcher
Filed under: Malware

PLUGIN64.EXE is the fourth component of the same set (Trojan.Bancos, a Brazilian banking-Trojan family). Its presence means the computer is infected: kill the PLUGIN64.EXE process and remove its "Plugin Live 64" Run value along with the other files listed below.

Malware Analysis of PLUGIN64.EXE
Full path on a computer: %WinDir%\plugin64.exe

Detected by UnHackMe:

Item Name:
Author: Unknown
Related File: %WinDir%\DISKETE.EXE
Type: Registry Run

Item Name: Plugin Live 64
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Registry Run

Item Name: Windows Plugin Two
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Registry Run

Item Name: Windows Plugin Three
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Registry Run

Item Name: Windows Plugin One
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Registry Run

Item Name: plugin64.exe
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Running Processes

Item Name: plugin02.exe
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Running Processes

Item Name: plugin03.exe
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Running Processes

Item Name: plugin01.exe
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Running Processes

Item Name: Flash Plugin
Author: Unknown
Related File: %WinDir%\FLASH-PLUGIN.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

PLUGIN64.EXE is known as:

Trojan.Bancos

PLUGIN64.EXE hash:

  • MD5: 663b9da0ee94180cd06ad8ec90dcdc1e
The sample downloads data from remote web sites; the destinations were not recorded in this report.
How to quickly detect PLUGIN64.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: "%WinDir%\diskete.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Flash Plugin: "%WinDir%\flash-plugin.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Plugin Live 64: "%WinDir%\plugin64.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Plugin Two: "%WinDir%\plugin02.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin Three: "%WinDir%\plugin03.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin One: "%WinDir%\plugin01.exe"
Files:
  • %WinDir%\Fonts\eugvx.exe
  • %WinDir%\Fonts\iqpgi.exe
  • %WinDir%\Fonts\jtuuy.exe
  • %WinDir%\Fonts\lnmwm.exe
  • %WinDir%\Fonts\tcira.exe
  • %WinDir%\Fonts\vgdmr.exe
  • %WinDir%\Fonts\wwxtl.exe
  • %WinDir%\diskete.exe
  • %WinDir%\flash-plugin.exe
  • %WinDir%\plugin01.exe
  • %WinDir%\plugin02.exe
  • %WinDir%\plugin03.exe
  • %WinDir%\plugin64.exe


DISKETE.EXE is BackDoor DirtJump

February 9, 2012 by NightWatcher
Filed under: Backdoor

DISKETE.EXE is the backdoor component of the same set (BackDoor.DirtJump, also detected as Trojan.Sisron and Trojan.Scar): it gives a remote operator control of the PC. It is started from an HKLM Run value whose name is empty, which is easy to overlook in a registry listing. Remove it with the rest of the set.
UnHackMe is recommended as a reliable program for solving the problem with DISKETE.EXE.
Download for free: http://www.unhackme.com

Malware Analysis of DISKETE.EXE
Full path on a computer: %WinDir%\diskete.exe

Detected by UnHackMe:

Item Name:
Author: Unknown
Related File: %WinDir%\DISKETE.EXE
Type: Registry Run

Item Name: Plugin Live 64
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Registry Run

Item Name: Windows Plugin Two
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Registry Run

Item Name: Windows Plugin Three
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Registry Run

Item Name: Windows Plugin One
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Registry Run

Item Name: plugin64.exe
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Running Processes

Item Name: plugin02.exe
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Running Processes

Item Name: plugin03.exe
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Running Processes

Item Name: plugin01.exe
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Running Processes

Item Name: Flash Plugin
Author: Unknown
Related File: %WinDir%\FLASH-PLUGIN.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

DISKETE.EXE is known as:

BackDoor.DirtJump, Trojan.Sisron, Trojan.Scar

DISKETE.EXE hash:

  • MD5: 2a2db1107f779c5015657358fcbca67e
The sample downloads data from remote web sites; the destinations were not recorded in this report.
How to quickly detect DISKETE.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: "%WinDir%\diskete.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Flash Plugin: "%WinDir%\flash-plugin.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Plugin Live 64: "%WinDir%\plugin64.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Plugin Two: "%WinDir%\plugin02.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin Three: "%WinDir%\plugin03.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin One: "%WinDir%\plugin01.exe"
Files:
  • %WinDir%\Fonts\eugvx.exe
  • %WinDir%\Fonts\iqpgi.exe
  • %WinDir%\Fonts\jtuuy.exe
  • %WinDir%\Fonts\lnmwm.exe
  • %WinDir%\Fonts\tcira.exe
  • %WinDir%\Fonts\vgdmr.exe
  • %WinDir%\Fonts\wwxtl.exe
  • %WinDir%\diskete.exe
  • %WinDir%\flash-plugin.exe
  • %WinDir%\plugin01.exe
  • %WinDir%\plugin02.exe
  • %WinDir%\plugin03.exe
  • %WinDir%\plugin64.exe


MTEFQ2.EXE is Trojan Swizzor

February 9, 2012 by NightWatcher
Filed under: Malware

MTEFQ2.EXE was analysed and found malicious (Trojan.Swizzor, also detected as Trojan.Menti). It hides in C:\RECYCLER under a folder named like a user SID. Real RECYCLER subfolders are named after the SID of the account whose Recycle Bin they hold and contain only desktop.ini, INFO2 and renamed deleted items; this one holds an executable and its name is not a SID Windows would generate (the components are zero-padded).
The file is started three ways: from the Winlogon Taskman value, from an HKCU Run value named etef5, and by being appended to the HKCU Winlogon Shell value after explorer.exe. Kill the process, remove all three entries and delete the folder.

Malware Analysis of MTEFQ2.EXE
Full path on a computer: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\mtefq2.exe

Detected by UnHackMe:

Item Name: shell
Author: Unknown
Related File: explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\mtefq2.exe
Type: User Shell

Item Name: taskman
Author: Unknown
Related File: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\MTEFQ2.EXE
Type: Winlogon System

Item Name: etef5
Author: Unknown
Related File: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\MTEFQ2.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

MTEFQ2.EXE is known as:

Trojan.Swizzor, Trojan.Menti

MTEFQ2.EXE hash:

  • MD5: cb57093ebf453b5465c7badc58bf0ac0
The sample downloads data from remote web sites; the destinations were not recorded in this report.
How to quickly detect MTEFQ2.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman: "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\mtefq2.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\etef5: "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\mtefq2.exe"
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\mtefq2.exe"
Folders:
  • C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068
Files:
  • C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\Desktop.ini
  • C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\mtefq2.exe
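
Three posts above persist through Winlogon values rather than the Run keys: MSDSCSC.EXE appends itself to Userinit, OTYTKF.EXE sets Taskman, and MTEFQ2.EXE sets Taskman and chains itself after explorer.exe in the per-user Shell value while running from a C:\RECYCLER folder named like a SID; the ZeroAccess posts hijack the same HKCU Shell value. The script below is an added example, not code from this page or from the UnHackMe/RegRun authors: it audits a snapshot of those Winlogon values against what a clean system has (Shell = explorer.exe, Userinit = system32\userinit.exe, no Taskman, no per-user overrides) and checks RECYCLER subfolders for executables that are not recycled items and for SID strings Windows would never write. The sample values are constructed from this page's registry listings; the clean Recycle Bin folder placed beside them is an assumption.

```python
r"""Audit of the Winlogon autostart values and RECYCLER folders abused by the
samples on this page: Shell, Userinit and Taskman under HKLM and HKCU, and
executables parked in a C:\RECYCLER\S-1-5-21-... folder.

Input is a snapshot {(hive, value name): data} read from
Software\Microsoft\Windows NT\CurrentVersion\Winlogon, plus a list of file
paths; nothing here touches a live system.
"""
import re
from typing import Dict, List, Tuple

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERINIT = "c:\\windows\\system32\\userinit.exe"
RECYCLER_SID_RE = re.compile(r"\\recycler\\s-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)\\", re.I)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd")
RECYCLED_ITEM_RE = re.compile(r"^d[a-z]\d+(\..*)?$", re.I)  # Dc12.exe: a genuinely deleted file


def norm(path: str) -> str:
    """Lower-case and expand the system-directory spellings used in the page's values."""
    p = path.strip().strip('"').lower()
    for var in ("%sysdir%", "%systemroot%\\system32", "%windir%\\system32"):
        p = p.replace(var, "c:\\windows\\system32")
    return p


def split_list(data: str) -> List[str]:
    """Winlogon values are comma-separated; Userinit legitimately ends with a comma."""
    return [i for i in (norm(x) for x in data.split(",")) if i]


def winlogon_findings(values: Dict[Tuple[str, str], str]) -> List[str]:
    """One finding per Winlogon value that deviates from a clean configuration."""
    findings: List[str] = []
    for (hive, name), data in values.items():
        hive, vname = hive.upper(), name.lower()
        items, reasons = split_list(data), []
        if vname == "shell":
            extra = [i for i in items if i != "explorer.exe"]
            if hive == "HKCU":
                reasons.append("per-user Shell override (normally absent)")
        elif vname == "userinit":
            extra = [i for i in items if i != USERINIT]
            if hive == "HKCU":
                reasons.append("per-user Userinit override (normally absent)")
        elif vname == "taskman":
            extra = items
            reasons.append("Taskman is set (normally absent; Winlogon runs whatever it names)")
        else:
            continue
        if extra:
            reasons.append("unexpected entries: " + ", ".join(extra))
        if any(RECYCLER_SID_RE.search(i) for i in extra):
            reasons.append("entry points into a RECYCLER\\<SID> folder")
        if reasons:
            findings.append(f"{hive}\\{WINLOGON_KEY}\\{name} = {data!r}: " + "; ".join(reasons))
    return findings


def recycler_findings(paths: List[str]) -> List[str]:
    """Flag files under RECYCLER\\S-1-5-21-...\\ that do not belong to a real Recycle Bin."""
    findings: List[str] = []
    for p in paths:
        m = RECYCLER_SID_RE.search(norm(p))
        if not m:
            continue
        base, reasons = norm(p).rsplit("\\", 1)[-1], []
        if base.endswith(EXEC_EXT) and not RECYCLED_ITEM_RE.match(base):
            reasons.append("executable that is not a recycled item (D<drive><n>.<ext>)")
        # Windows writes SID sub-authorities as plain decimals, never zero-padded.
        if any(g != str(int(g)) for g in m.groups()):
            reasons.append("zero-padded SID component; not a SID Windows would generate")
        if reasons:
            findings.append(f"{p}: " + "; ".join(reasons))
    return findings


# Constructed snapshot built from the values this page records for
# MSDSCSC.EXE (Userinit), OTYTKF.EXE (Taskman) and MTEFQ2.EXE (Shell, RECYCLER).
SAMPLE_WINLOGON = {
    ("HKLM", "Shell"): "explorer.exe",
    ("HKLM", "Userinit"): r"%SysDir%\userinit.exe,%Personal%\MSDCSC\msdscsc.exe",
    ("HKLM", "Taskman"): r"%UserProfile%\otytkf.exe",
    ("HKCU", "Shell"): r"explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\mtefq2.exe",
}
CLEAN_WINLOGON = {  # what a clean XP/7 machine shows
    ("HKLM", "Shell"): "explorer.exe",
    ("HKLM", "Userinit"): r"C:\Windows\system32\userinit.exe,",
}
SAMPLE_FILES = [  # the fake-SID folder from the MTEFQ2 post next to an assumed real Recycle Bin folder
    r"C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\mtefq2.exe",
    r"C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-0068\Desktop.ini",
    r"C:\RECYCLER\S-1-5-21-1004336348-1343024091-1801674531-1004\Dc12.exe",
    r"C:\RECYCLER\S-1-5-21-1004336348-1343024091-1801674531-1004\INFO2",
]

if __name__ == "__main__":
    for line in winlogon_findings(SAMPLE_WINLOGON) + recycler_findings(SAMPLE_FILES):
        print(line)
```

The Shell and Userinit checks read both hives because Winlogon honours a per-user value when one exists, which is exactly why ZeroAccess and Swizzor write to HKCU: a responder who only exports the HKLM key sees a clean Shell. RECYCLER and the INFO2 file are XP-era names; on Vista and later the same check applies to $Recycle.Bin with $I/$R item names instead of Dc<n>.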


WINPROXY.DLL is Rootkit ZeroAccess

February 8, 2012 by NightWatcher
Filed under: Rootkit

WINPROXY.DLL is the ZeroAccess (Sirefef) service DLL again (same MD5 as StkScan.dll above), registered here under a service named epson_pm_rpcv2_02 with the same decoy description and loaded by svchost.exe. This machine also carried two further executables in the user profile, wqxout.exe (started from an HKCU Run value with a /L switch) and jdFfFL.exe; they are listed with the infection and should be removed with it.
Because the rootkit hides its files and keys, removal needs anti-rootkit software.

Malware Analysis of WINPROXY.DLL
Full path on a computer: %SysDir%\winproxy.dll

Detected by RegRun Warrior:

WINPROXY.DLL
Default location: %SysDir%\winproxy.dll

Removal Results: Success
Number of reboot: 1

WINPROXY.DLL is known as:

Rootkit.ZeroAccess, Trojan.Sirefef

WINPROXY.DLL hash:

  • MD5: b89cfbe8cb247b57d8c10adaa66b462b
How to quickly detect WINPROXY.DLL presence?

Registry:
  • HKLM\System\CurrentControlSet\Services\epson_pm_rpcv2_02\Parameters\ServiceDll: "%systemroot%\system32\winproxy.dll"
  • HKLM\System\CurrentControlSet\Services\epson_pm_rpcv2_02\Description: "New service would allow parents to control their children's online activity."
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wqxout: "%Profile%\wqxout.exe /L"
Folders:
  • %WinDir%\$NtUninstallKB3057$
Files:
  • %Local Appdata%\3308c706\@
  • %Local Appdata%\3308c706\X
  • %Profile%\jdFfFL.exe
  • %Profile%\wqxout.exe
  • %WinDir%\assembly\GAC_MSIL\Desktop.ini
  • %SysDir%\dds_log_trash.cmd
  • %SysDir%\winproxy.dll


PCI.DLL is Rootkit ZeroAccess

February 8, 2012 by NightWatcher
Filed under: Rootkit

PCI.DLL is a ZeroAccess (Sirefef) service DLL (same MD5 as maya70docserver.dll above), registered as the ServiceDll of a service named orbpvr and loaded by svchost.exe. The name is chosen to look like a system component.
Because the rootkit hides the file and the %WinDir%\$NtUninstallKB62478$ folder, detection and removal need anti-rootkit software.

Malware Analysis of PCI.DLL
Full path on a computer: %SysDir%\pci.dll

Detected by RegRun Warrior:

PCI.DLL
Default location: %SysDir%\pci.dll

Removal Results: Success
Number of reboot: 1

PCI.DLL is known as:

Rootkit.ZeroAccess, Trojan.Sirefef

PCI.DLL hash:

  • MD5: 11028c6a84a967070cb1286550f2058f
How to quickly detect PCI.DLL presence?

Registry:
  • HKLM\System\CurrentControlSet\Services\orbpvr\Parameters\ServiceDll: "%systemroot%\system32\pci.dll"
Folders:
  • %WinDir%\$NtUninstallKB62478$
Files:
  • %SysDir%\dds_trash_log.cmd
  • %SysDir%\pci.dll


NVNETBUS.DLL is Rootkit ZeroAccess

February 8, 2012 by NightWatcher
Filed under: Malware

NVNETBUS.DLL is the ZeroAccess (Sirefef) service DLL (same MD5 as StkScan.dll above), registered under a service named infrastructure. This report also recorded the service's ImagePath, which shows how the DLL is run: svchost.exe -k netsvcs. The malicious code therefore executes inside a shared Windows service host, and no separate process appears in Task Manager.
Because the rootkit hides the file and keys, detection and removal need anti-rootkit software.

Malware Analysis of NVNETBUS.DLL
Full path on a computer: %SysDir%\nvnetbus.dll

Detected by UnHackMe:

NVNETBUS.DLL
Default location: %SysDir%\nvnetbus.dll

Removal Results: Success
Number of reboot: 1

NVNETBUS.DLL is known as:

Rootkit.ZeroAccess, Trojan.Sirefef

NVNETBUS.DLL hash:

  • MD5: b89cfbe8cb247b57d8c10adaa66b462b
How to quickly detect NVNETBUS.DLL presence? 

Registry:
  • HKLM\System\CurrentControlSet\Services\infrastructure\Parameters\ServiceDll: "%systemroot%\system32\nvnetbus.dll"
  • HKLM\System\CurrentControlSet\Services\infrastructure\ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"
  • HKLM\System\CurrentControlSet\Services\infrastructure\Description: "New service would allow parents to control their children's online activity."
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "%Local Appdata%\3308c706\X"
Folders:
  • %WinDir%\$NtUninstallKB3057$
Files:
  • %Local Appdata%\3308c706\@
  • %Local Appdata%\3308c706\X
  • %WinDir%\assembly\GAC_MSIL\Desktop.ini
  • %SysDir%\dds_log_trash.cmd
  • %SysDir%\nvnetbus.dll


1029.URL is Backdoor Morix

February 8, 2012 by NightWatcher
Filed under: Backdoor

1029.URL belongs to a backdoor installation (Backdoor.Morix, with Spyware.Ardakey and Adware.Tencent components) that gives a remote operator control of the PC. The files sit in a folder literally named "%Program Files%" inside the real Program Files directory (short name %PROGR~1), a name chosen to be mistaken for a path variable. Persistence is a service named WinAudio whose ImagePath is not a service binary but "cmd.exe /c ...\Cest.bat"; the running component, laass.exe, is named to resemble lsass.exe and carries a version resource claiming Microsoft as its author.
UnHackMe is recommended as a reliable program for solving the problem with 1029.URL.
Download for free: http://www.unhackme.com

Malware Analysis of 1029.URL
Full path on a computer: %Program Files%\%Program Files%\1029.URL

Detected by UnHackMe:

Item Name: laass.exe
Author: Microsoft Corporation
Related File: C:\PROGRA~1\%PROGR~1\LAASS.EXE
Type: Running Processes

Removal Results: Success
Number of reboots: 1

1029.URL is known as:

Backdoor.Morix, Spyware.Ardakey, Adware.Tencent

1029.URL hash:

  • MD5: 99eb9beb71b1ffe5aa51f4bf8564ba0f
The file contacts remote web sites and downloads content from them.
How to quickly detect 1029.URL presence?

Registry:
  • HKLM\System\CurrentControlSet\Services\WinAudio\ImagePath: “cmd.exe /c C:\PROGRA~1\%PROGR~1\Cest.bat”
  • HKLM\System\CurrentControlSet\Services\WinAudio\DisplayName: “WinAudio”
Folders:
  • %Program Files%\%Program Files%
Files:
  • %Program Files%\%Program Files%\1029.URL
  • %Program Files%\%Program Files%\1031.URL
  • %Program Files%\%Program Files%\Cest.bat
  • %Program Files%\%Program Files%\Dest.BAt
  • %Program Files%\%Program Files%\laass.exe


GWXYABCDE.GIF is Backdoor Farfli

February 8, 2012 by NightWatcher
Filed under: Backdoor

We received the file GWXYABCDE.GIF and detected that it is malicious.
GWXYABCDE.GIF is not an image but a backdoor DLL (Backdoor.Farfli) registered as the ServiceDll of the service "Vwxyab Defghijk Mno", which runs as LocalSystem inside a shared svchost.exe process.
There is no process named GWXYABCDE.GIF to kill: stop and delete the service, then remove the file and the Bwxy folder from Windows.

Malware Analysis of GWXYABCDE.GIF
Full path on a computer: %Program Files%\Bwxy\Gwxyabcde.gif

Detected by UnHackMe:

Item Name: Vwxyab Defghijk Mno
Author: Tencent
Related File: %PROGRAM FILES%\BWXY\GWXYABCDE.GIF
Type: Svchost DLLs

Removal Results: Success
Number of reboots: 1

GWXYABCDE.GIF is known as:

Backdoor.Farfli

GWXYABCDE.GIF hash:

  • MD5: 81da9161bfdab8f2ec59ff7532097c7d
On commands received from its command-and-control server, the file downloads and installs other malware, Trojans and viruses.
How to quickly detect GWXYABCDE.GIF presence?

Registry:
  • HKLM\System\CurrentControlSet\Services\Vwxyab Defghijk Mno\Parameters\ServiceDll: “%Program Files%\Bwxy\Gwxyabcde.gif”
  • HKLM\System\CurrentControlSet\Services\Vwxyab Defghijk Mno\DisplayName: “Vwxyab Defghijk Mnopqrst Vwxy”
  • HKLM\System\CurrentControlSet\Services\Vwxyab Defghijk Mno\ObjectName: “LocalSystem”
  • HKLM\System\CurrentControlSet\Services\Vwxyab Defghijk Mno\Description: “Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij”
Folders:
  • %Program Files%\Bwxy
Files:
  • C:\Documents and Settings\temp.gif
  • C:\Documents and Settings\temp2.gif
  • %Program Files%\Bwxy\Gwxyabcde.gif


RLJLZ.EXE is Worm Palevo

February 8, 2012 by NightWatcher
Filed under: Worm

The file RLJLZ.EXE is a computer worm (Palevo, also detected as Rimecud and Pincav).
A worm is a self-replicating malicious program that uses the network to send copies of itself to other computers, so one infected host will re-infect the others.
RLJLZ.EXE persists through the Winlogon\Taskman value, which Winlogon uses to start a program and which is normally absent; check that value, not only the Run keys.
You must fix the RLJLZ.EXE problem as soon as possible!
Delete the file RLJLZ.EXE from all infected computers in your network at the same time.
Block the worm's traffic at the network firewall until every host is clean.

Malware Analysis of RLJLZ.EXE
Full path on a computer: %Appdata%\rljlz.exe

Detected by UnHackMe:

Item Name: taskman
Author: Unknown
Related File: %APPDATA%\RLJLZ.EXE
Type: Winlogon System

Item Name: rljlz.exe
Author: Unknown
Related File: %APPDATA%\RLJLZ.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboots: 1

RLJLZ.EXE is known as:

Worm.Palevo, Trojan.Rimecud, Trojan.Pincav

RLJLZ.EXE hash:

  • MD5: c0434902bd87094640b91639a051cae0
The file contacts remote web sites and downloads content from them.
How to quickly detect RLJLZ.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman: “%Appdata%\rljlz.exe”
Files:
  • %Appdata%\rljlz.exe


A_V_AUTO.DLL is Trojan Agent

February 8, 2012 by NightWatcher
Filed under: Malware

We analysed the file A_V_AUTO.DLL and found it malicious (Trojan.Agent).
The file A_V_AUTO.DLL must be deleted from the system immediately.
There is no process named A_V_AUTO.DLL: the DLL is the ImagePath of a service called diskserver ("windows Disk Manager"), and a companion services.exe in %Program Files Common%\Microsoft Shared is started from the Run value "Internet". That services.exe is not the genuine %SysDir%\services.exe, whatever its version information (which claims Sysinternals) says. Terminate the fake services.exe, delete the diskserver service and remove the files from the Windows startup.

Malware Analysis of A_V_AUTO.DLL
Full path on a computer: %Program Files Common%\Microsoft Shared\A_v_AuTo.dll

Detected by UnHackMe:

Item Name: Internet
Author: Sysinternals – www.sysinternals.com
Related File: %PROGRAM FILES COMMON%\MICROSOFT SHARED\SERVICES.EXE
Type: Registry Run

Item Name: services.exe
Author: Sysinternals – www.sysinternals.com
Related File: %PROGRAM FILES COMMON%\MICROSOFT SHARED\SERVICES.EXE
Type: Running Processes

Item Name: diskserver
Author: FlashFXP
Related File: %Program Files Common%\Microsoft Shared\A_v_AuTo.dll
Type: Auto Services

Removal Results: Success
Number of reboots: 1

A_V_AUTO.DLL is known as:

Trojan.Agent

A_V_AUTO.DLL hash:

  • MD5: e63c970e78c1425a880a92dca3555265
How to quickly detect A_V_AUTO.DLL presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Internet: “%Program Files Common%\Microsoft Shared\services.exe”
  • HKLM\System\CurrentControlSet\Services\diskserver\ImagePath: “%Program Files Common%\Microsoft Shared\A_v_AuTo.dll”
  • HKLM\System\CurrentControlSet\Services\diskserver\DisplayName: “windows Disk Manager”
Files:
  • %Program Files Common%\Microsoft Shared\A_v_AuTo.dll
  • %Program Files Common%\Microsoft Shared\A_v_DVD.dll
  • %Program Files Common%\Microsoft Shared\A_v_TT.dll
  • %Program Files Common%\Microsoft Shared\services.exe


TKLMNOPQR.JPG is Backdoor Farfli

February 8, 2012 by NightWatcher
Filed under: Backdoor

TKLMNOPQR.JPG is a Farfli backdoor DLL disguised as an image. Like the GWXYABCDE.GIF variant, it is registered as the ServiceDll of a service ("Jklmno Qrstuvwx Abc") and runs inside a shared svchost.exe process, giving the attacker covert remote administration of the PC. The service name, display name and description are strings of alphabet-ordered letters, so match on the ServiceDll path rather than on the names; note that a second copy of the ServiceDll value sits under HKLM\Software\116276615\Parameters and must be removed as well.
UnHackMe is recommended as a reliable program for solving the problem with TKLMNOPQR.JPG.

Malware Analysis of TKLMNOPQR.JPG
Full path on a computer:

Detected by UnHackMe:

Item Name: Jklmno Qrstuvwx Abc
Author: Tencent
Related File: %PROGRAM FILES%\OKLM\TKLMNOPQR.JPG
Type: Svchost DLLs

Removal Results: Success
Number of reboots: 1

TKLMNOPQR.JPG is known as:

Backdoor.Farfli

TKLMNOPQR.JPG hash:

  • MD5: 3f0686cd7c8d7ec919325409d3ab3fe8
The file tries to connect to a malicious web site.
How to quickly detect TKLMNOPQR.JPG presence?

Registry:
  • HKLM\Software\116276615\Parameters\ServiceDll: “%Program Files%\Oklm\Tklmnopqr.jpg”
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_JKLMNO_QRSTUVWX_ABC\0000\Service: “Jklmno Qrstuvwx Abc”
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_JKLMNO_QRSTUVWX_ABC\0000\DeviceDesc: “Jklmno Qrstuvwx Abcdefgh Jklm”
  • HKLM\System\CurrentControlSet\Services\Jklmno Qrstuvwx Abc\Parameters\ServiceDll: “%Program Files%\Oklm\Tklmnopqr.jpg”
  • HKLM\System\CurrentControlSet\Services\Jklmno Qrstuvwx Abc\DisplayName: “Jklmno Qrstuvwx Abcdefgh Jklm”
  • HKLM\System\CurrentControlSet\Services\Jklmno Qrstuvwx Abc\Description: “Jklmnopq Stuvwxyab Defghij Lmnopqrs Uvw”
Folders:
  • %Program Files%\Oklm
Files:
  • C:\Documents and Settings\temp.gif
  • C:\Documents and Settings\temp2.gif
  • %Program Files%\Oklm\Tklmnopqr.jpg
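Both Farfli entries on this page and the ZeroAccess "infrastructure" service above share one loading technique: a service whose ImagePath is svchost.exe -k <group> has no executable of its own; svchost loads the DLL named in Parameters\ServiceDll into a shared, signed Microsoft process. The Python below is an added example written for this page, not code from the site or from UnHackMe. It triages such services by the three things these entries get wrong: a ServiceDll outside system32, a non-.dll extension such as .gif or .jpg, and a service name added to the svchost group list (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost) beyond a known baseline. The sample services, group lists and baseline are constructed for the example; the Farfli ImagePath is assumed, since the page gives only the ServiceDll.

```python
"""Triage svchost-hosted services by ServiceDll location, extension and
group membership. Added example; sample registry data is constructed."""
import ntpath
import re

SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)

def triage_svchost_services(services, groups, baseline, system_root=r"C:\Windows"):
    """services: {name: {'ImagePath': ..., 'ServiceDll': ...}}
    groups:   {group: [service names]}   (the Svchost\<group> REG_MULTI_SZ)
    baseline: {group: [names expected on this Windows build]}
    Returns {name: [reasons]} for every svchost-hosted service; [] means clean."""
    system32 = ntpath.join(system_root, "system32").lower()
    findings = {}
    for name, svc in services.items():
        m = SVCHOST_RE.search(svc.get("ImagePath", ""))
        if not m:
            continue  # not svchost-hosted; outside this check's scope
        group = m.group("group")
        reasons = []
        if name not in groups.get(group, []):
            reasons.append("not listed in Svchost group %r (would fail to start)" % group)
        elif name not in baseline.get(group, []):
            reasons.append("added to Svchost group %r beyond the baseline" % group)
        dll = svc.get("ServiceDll", "").strip('"')
        if not dll:
            reasons.append("no Parameters\\ServiceDll")
        else:
            # Expand %SystemRoot% only; a lambda avoids backslash escapes in re.sub.
            dll = re.sub(r"%systemroot%", lambda _m: system_root, dll, flags=re.IGNORECASE)
            if not ntpath.isabs(dll):
                reasons.append("ServiceDll is a relative path: %s" % dll)
            elif ntpath.normpath(ntpath.dirname(dll)).lower() != system32:
                reasons.append("ServiceDll outside %s: %s" % (system32, dll))
            ext = ntpath.splitext(dll)[1]
            if ext.lower() != ".dll":
                reasons.append("ServiceDll extension %r is not .dll" % ext)
        findings[name] = reasons
    return findings

# Constructed sample registry data (two normal services, two from this page).
SAMPLE_SERVICES = {
    "Dnscache": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
                 "ServiceDll": r"%SystemRoot%\System32\dnsrslvr.dll"},
    "Schedule": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%SystemRoot%\system32\schedsvc.dll"},
    # ZeroAccess: a normal-looking DLL in system32; only the group membership is odd.
    "infrastructure": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                       "ServiceDll": r"%systemroot%\system32\nvnetbus.dll"},
    # Farfli: an image file used as the service DLL (ImagePath assumed for the example).
    "Vwxyab Defghijk Mno": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                            "ServiceDll": r"C:\Program Files\Bwxy\Gwxyabcde.gif"},
}
SAMPLE_GROUPS = {"NetworkService": ["Dnscache"],
                 "netsvcs": ["Schedule", "infrastructure", "Vwxyab Defghijk Mno"]}
SAMPLE_BASELINE = {"NetworkService": ["Dnscache"], "netsvcs": ["Schedule"]}

def demo():
    return triage_svchost_services(SAMPLE_SERVICES, SAMPLE_GROUPS, SAMPLE_BASELINE)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or "ok")
```

The ZeroAccess entry shows the limit of path heuristics: nvnetbus.dll sits in system32 with an ordinary extension and is caught only by the baseline comparison, which is where the file name and MD5 on this page come in. Group baselines differ between Windows versions, and some legitimate third-party services keep their DLL outside system32, so treat the output as triage rather than a verdict.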


EVERVACCINE.EXE is Adware VirusCure

February 7, 2012 by NightWatcher
Filed under: Adware

The file EVERVACCINE.EXE is part of a fake antivirus (rogue security) product, detected as Adware.VirusCure.
Delete the file EVERVACCINE.EXE without delay!
Kill the process EVERVACCINE.EXE and remove EVERVACCINE.EXE from the Windows startup (the Run value EverVaccineMain starts it with the /Scan switch).
The package also ships a driver file, EverVaccineFD.SYS, in its etc folder; remove it together with the rest of the files.

Malware Analysis of EVERVACCINE.EXE
Full path on a computer: %Program Files%\EverVaccine\EverVaccine.exe

Detected by UnHackMe:

Item Name: EverVaccineMain
Author: Ebiz Networks
Related File: %PROGRAM FILES%\EVERVACCINE\EVERVACCINE.EXE
Type: Registry Run

Item Name: EverVaccine.exe
Author: Ebiz Networks
Related File: %PROGRAM FILES%\EVERVACCINE\EVERVACCINE.EXE
Type: Running Processes

Removal Results: Success
Number of reboots: 1

EVERVACCINE.EXE is known as:

Adware.VirusCure

EVERVACCINE.EXE hash:

  • MD5: 10df4a038e393878435f4c4079eefc17
On commands received from its command-and-control server, the file downloads and installs other malware, Trojans and viruses.
How to quickly detect EVERVACCINE.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EverVaccineMain: “”%Program Files%\EverVaccine\EverVaccine.exe” /Scan”
Folders:
  • %Program Files%\EverVaccine
Files:
  • %Program Files%\EverVaccine\etc\EverVaccineFD.SYS
  • %Program Files%\EverVaccine\etc\EverVaccineMon.exe
  • %Program Files%\EverVaccine\etc\EverVaccineReg.exe
  • %Program Files%\EverVaccine\etc\EverVaccineReport.exe
  • %Program Files%\EverVaccine\EverVaccine.exe
  • %Program Files%\EverVaccine\EverVaccineUpdate.exe


QUESTBASIC.EXE is AdWare AdLoad

February 7, 2012 by NightWatcher
Filed under: Adware

We received the file QUESTBASIC.EXE and detected that it is unwanted software.
QUESTBASIC.EXE is adware (AdWare.AdLoad) that installs itself as the service "QuestBasic Service" and adds a QuestBasic search scope to Internet Explorer. You should remove the file QUESTBASIC.EXE.
Kill the process QUESTBASIC.EXE and remove QUESTBASIC.EXE from Windows. The trailing arguments of the service command line vary between installations (the detected item shows "cilelilog zawuwesu", the registry value below "tehunuqi wajorupu"), so match on the executable path rather than on the full ImagePath.

Malware Analysis of QUESTBASIC.EXE
Full path on a computer: %Program Files%\QuestBasic\questbasic.exe

Detected by UnHackMe:

Item Name: QuestBasic Service
Author:
Related File: “%Program Files%\QuestBasic\questbasic.exe” “%Program Files%\QuestBasic\questbasic.dll” cilelilog zawuwesu
Type: Auto Services

Item Name: questbasic.exe
Author: Unknown
Related File: %PROGRAM FILES%\QUESTBASIC\QUESTBASIC.EXE
Type: Running Processes

Removal Results: Success
Number of reboots: 1

QUESTBASIC.EXE is known as:

AdWare.AdLoad

QUESTBASIC.EXE hash:

  • MD5: 2033ba486c6255ea5c9794ff8e8af5c0
How to quickly detect QUESTBASIC.EXE presence?

Registry:
  • HKLM\System\CurrentControlSet\Services\QuestBasic Service\ImagePath: “”%Program Files%\QuestBasic\questbasic.exe” “%Program Files%\QuestBasic\questbasic.dll” tehunuqi wajorupu”
  • HKLM\System\CurrentControlSet\Services\QuestBasic Service\DisplayName: “QuestBasic Service”
  • HKLM\System\CurrentControlSet\Services\QuestBasic Service\Description: “Update and control for QuestBasic”
  • HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{86F14831-D88C-4BC8-B871-C8FB24D95D9B}\DisplayName: “QuestBasic”
Folders:
  • %Program Files%\QuestBasic
Files:
  • %Common Appdata%\QuestBasic\questbasic114.exe
  • %Program Files%\QuestBasic\questbasic.dll
  • %Program Files%\QuestBasic\questbasic.exe
  • %Program Files%\QuestBasic\uninstall.exe
  • %WinDir%\Temp\QUE7.tmp\upgrade.cab


HDDLOF.EXE is Backdoor Yoddos

February 7, 2012 by NightWatcher
Filed under: Backdoor

HDDLOF.EXE is the Yoddos backdoor, used for covert penetration of the PC and its remote administration.
It installs itself as a service under %Program Files%\Internet Explorer with Microsoft-looking names that carry extra letters ("Microsoft Updatembt.exe", "Microsoft Updateqhe Software is private services", "Microsoft Providehpan Software Update services for windows."), and its version information claims 360.cn; match on the ImagePath, not on the service name or the author string.
UnHackMe is recommended as a reliable program for solving the problem with HDDLOF.EXE.

Malware Analysis of HDDLOF.EXE
Full path on a computer: %Program Files%\Internet Explorer\hddlof.exe

Detected by UnHackMe:

Item Name: Microsoft Updatembt.exe
Author: (C)360.cn Inc.All Rights Reserved.
Related File: %Program Files%\Internet Explorer\hddlof.exe
Type: Auto Services

Removal Results: Success
Number of reboots: 1

HDDLOF.EXE is known as:

Backdoor.Yoddos

HDDLOF.EXE hash:

  • MD5: bc1fdc8db7d10ab59167daeaf8685cc6
The file contacts remote web sites and downloads content from them.
How to quickly detect HDDLOF.EXE presence?

Registry:
  • HKLM\System\CurrentControlSet\Services\Microsoft Updatembt.exe\ImagePath: “%Program Files%\Internet Explorer\hddlof.exe”
  • HKLM\System\CurrentControlSet\Services\Microsoft Updatembt.exe\DisplayName: “Microsoft Updateqhe Software is private services”
  • HKLM\System\CurrentControlSet\Services\Microsoft Updatembt.exe\Description: “Microsoft Providehpan Software Update services for windows.”
Files:
  • %Program Files%\Internet Explorer\hddlof.exe


USB.EXE is Trojan Injector

February 7, 2012 by NightWatcher
Filed under: Malware

The file USB.EXE is identified as a dropper (Trojan.Injector).
The dropper USB.EXE downloads and installs other malware, Trojans and viruses on commands received from its command-and-control server.
The file USB.EXE loads into memory and tries to connect to a malicious web site.
Usually a dropper does not infect files on the computer and does not replicate itself to other computers.
It registers its components (svhost.exe, usb.exe, dn.exe) under the Run and RunServices keys of both HKLM and HKCU as bare file names with no path, so they are resolved through the search path; svhost.exe is a look-alike of the genuine svchost.exe, and the author strings read from the files' version information (AVG Technologies, VIT Software) are not evidence of origin. Copies of the svhost.exe value are also written under the unusual keys Software\Microsoft\yOLE and SYSTEM\CurrentControlSet\Control\Lsa.
Kill the USB.EXE process and delete the file USB.EXE.

Malware Analysis of USB.EXE
Full path on a computer: %SysDir%\usb.exe

Detected by UnHackMe:

Item Name: Supports RAS Connections
Author: AVG Technologies CZ, s.r.o.
Related File: %SysDir%\SVHOST.EXE
Type: Registry Run

Item Name: Windows Data Serivce
Author: VIT Software, LLC
Related File: %WinDir%\DN.EXE
Type: Registry Run

Item Name: svhost.exe
Author: AVG Technologies CZ, s.r.o.
Related File: %SYSDIR%\SVHOST.EXE
Type: Detected using Heuristic Algorithm

Item Name: dn.exe
Author: VIT Software, LLC
Related File: %WinDir%\DN.EXE
Type: Detected using Heuristic Algorithm

Item Name: Windows Service Agents
Author: VIT Software, LLC
Related File: %SysDir%\USB.EXE
Type: Registry Run

Item Name: usb.exe
Author: VIT Software, LLC
Related File: %SYSDIR%\USB.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboots: 1

USB.EXE is known as:

Trojan.Injector

USB.EXE hash:

  • MD5: 1e52c27ab0ab3fbc46873274b0bffac4
The file tries to connect to a malicious web site.
How to quickly detect USB.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Supports RAS Connections: “svhost.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service Agents: “usb.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Data Serivce: “dn.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Supports RAS Connections: “svhost.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Service Agents: “usb.exe”
  • HKLM\Software\Microsoft\yOLE\Supports RAS Connections: “svhost.exe”
  • HKLM\System\CurrentControlSet\Control\Lsa\Supports RAS Connections: “svhost.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Supports RAS Connections: “svhost.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service Agents: “usb.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Supports RAS Connections: “svhost.exe”
  • HKCU\Software\Microsoft\yOLE\Supports RAS Connections: “svhost.exe”
  • HKCU\SYSTEM\CurrentControlSet\Control\Lsa\Supports RAS Connections: “svhost.exe”
Files:
  • %SysDir%\svhost.exe
  • %SysDir%\usb.exe
  • %WinDir%\dn.exe
  • %WinDir%\nigzss.txt
  • C:\msn.exe


FXGLDRV.DLL is Trojan Sefnit

February 6, 2012 by NightWatcher
Filed under: Malware

Is the file FXGLDRV.DLL located on your computer? Then your computer is infected.
We suggest you remove FXGLDRV.DLL from your computer as soon as possible.
FXGLDRV.DLL is a Trojan/Backdoor (Trojan.Sefnit).
It is started from the HKCU Run value fxGLdrv through rundll32.exe, which loads the DLL from %Local Appdata%\AgereobjCtrl and calls its export wmiobjNetM with the argument QuickMouseppm; the process to terminate is that rundll32.exe instance, not a process named FXGLDRV.DLL. Then remove the Run value and the folder.

Malware Analysis of FXGLDRV.DLL
Full path on a computer: %Local Appdata%\AgereobjCtrl\fxGLdrv.dll

Detected by UnHackMe:

Item Name: fxGLdrv
Author: Unknown
Related File: %LOCAL APPDATA%\AGEREOBJCTRL\FXGLDRV.DLL
Type: Registry Run

Removal Results: Success
Number of reboots: 1

FXGLDRV.DLL is known as:

Trojan.Sefnit

FXGLDRV.DLL hash:

  • MD5: e9067f7bbeec4261dc4e3d84e937d96a
How to quickly detect FXGLDRV.DLL presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\fxGLdrv: “rundll32.exe “%Local Appdata%\AgereobjCtrl\fxGLdrv.dll”,wmiobjNetM QuickMouseppm”
Folders:
  • %Local Appdata%\AgereobjCtrl
Files:
  • %Local Appdata%\AgereobjCtrl\fxGLdrv.dll


TSYSTEM.EXE is Trojan Banload

February 5, 2012 by NightWatcher
Filed under: Malware

The file TSYSTEM.EXE is malicious; it is detected as Trojan.Banload and Trojan.AVKill.
Delete the file TSYSTEM.EXE without delay!
Kill the process TSYSTEM.EXE and remove TSYSTEM.EXE from the Windows startup: it is started from the HKCU Run value TSystem.exe and lives in %Local Appdata%\Noroeste, a user-writable folder that needs no administrative rights to create.

Malware Analysis of TSYSTEM.EXE
Full path on a computer: %Local Appdata%\Noroeste\TSystem.exe

Detected by UnHackMe:

Item Name: TSystem.exe
Author: FileSystem
Related File: %LOCAL APPDATA%\NOROESTE\TSYSTEM.EXE
Type: Registry Run

Removal Results: Success
Number of reboots: 1

TSYSTEM.EXE is known as:

Trojan.Banload, Trojan.AVKill

TSYSTEM.EXE hash:

  • MD5: 81e22936e6157e08515ecf8541cf38af
How to quickly detect TSYSTEM.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TSystem.exe: “%Local Appdata%\Noroeste\TSystem.exe”
Folders:
  • %Local Appdata%\Noroeste
Files:
  • %Local Appdata%\Noroeste\TSystem.exe

