Malware Analysis and Removal

LUA5.1-32.DLL

NightWatcher — Wed, 16 May 2012 12:11:29 +0000

The file LUA5.1-32.DLL is not a virus.
The program LUA5.1-32.DLL is a system security tool.
But the LUA5.1-32.DLL tool may be used to compromise computer security by the hacker.
Use the LUA5.1-32.DLL file at your own risk!
You can delete the LUA5.1-32.DLL program from your computer with problems.

Malware Analysis of LUA5.1-32.DLL
Full path on a computer: C:\temp\[hostex.org]\CETFF1.tmp\extracted\lua5.1-32.dll

Detected by UnHackMe:

LUA5.1-32.DLL
Default location: C:\temp\[hostex.org]\CETFF1.tmp\extracted\lua5.1-32.dll

LUA5.1-32.DLL is known as:

Not-a-Virus

LUA5.1-32.DLL hash:

MD5: 859be12ad1e4ace1418ff3a069b35115

How to quickly detect LUA5.1-32.DLL presence?

Folders:

C:\temp\[hostex.org]
C:\temp\[hostex.org]\CETFF1.tmp
C:\temp\[hostex.org]\CETFF1.tmp\extracted
C:\temp\[hostex.org]\CETFF1.tmp\extracted\win32

Files:

C:\temp\[hostex.org]\CETFF1.tmp\CET_Archive.dat
C:\temp\[hostex.org]\CETFF1.tmp\extracted\defines.lua
C:\temp\[hostex.org]\CETFF1.tmp\extracted\GHOSTv1,0.EXE
C:\temp\[hostex.org]\CETFF1.tmp\extracted\lua5.1-32.dll
C:\temp\[hostex.org]\CETFF1.tmp\extracted\win32\dbghelp.dll
C:\temp\[hostex.org]\CETFF1.tmp\GHOSTv1,0.EXE

NVSMART.EXE is Trojan Sasfis

NightWatcher — Wed, 16 May 2012 10:32:01 +0000

We checked up the file NVSMART.EXE and found it hazardous.
The file NVSMART.EXE must be deleted from the system immediately.
Kill the process NVSMART.EXE and remove NVSMART.EXE from the Windows startup.

Malware Analysis of NVSMART.EXE
Full path on a computer: %AllUsersProfile%\SxS\NvSmart.exe

Detected by UnHackMe:

NVSMART.EXE
Default location: %AllUsersProfile%\SxS\NvSmart.exe

Removal Results: Success
Number of reboot: 1

NVSMART.EXE is known as:

Trojan.Sasfis

NVSMART.EXE hash:

MD5: 09b8b54f78a10c435cd319070aa13c28

How to quickly detect NVSMART.EXE presence?

Registry:

HKLM\SYSTEM\CurrentControlSet\Services\Icmipv6\ImagePath: “”%AllUsersProfile%\SxS\NvSmart.exe” 200 0″

Files:

%AllUsersProfile%\SxS\boot.ldr
%AllUsersProfile%\SxS\bug.log
%AllUsersProfile%\SxS\NvSmart.exe
%AllUsersProfile%\SxS\NvSmartMax.dll

WIN32.EXE is Backdoor Fynloski

NightWatcher — Wed, 16 May 2012 10:23:39 +0000

The program WIN32.EXE is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with WIN32.EXE.
Download for free: http://www.unhackme.com

Malware Analysis of WIN32.EXE
Full path on a computer: C:\MSDCSC\win32.exe

Detected by UnHackMe:

Item Name: UserInit
Author: Unknown
Related File: %SysDir%\userinit.exe,C:\MSDCSC\win32.exe
Type: UserInit Value

Item Name: System
Author:
Related File: C:\MSDCSC\WIN32.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

WIN32.EXE is known as:

Backdoor.Fynloski, Trojan.Injector, Backdoor.Poison, Trojan.VbCrypt

WIN32.EXE hash:

MD5: 3fa62a9fd01a9b3b6b9dc4802042eac1

How to quickly detect WIN32.EXE presence?

Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\System: “C:\MSDCSC\win32.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%SysDir%\userinit.exe,C:\MSDCSC\win32.exe”

Folders:

C:\MSDCSC

Files:

C:\MSDCSC\win32.exe

LIB32WAOO.EXE is Worm Roxin

NightWatcher — Wed, 16 May 2012 09:49:52 +0000

The file LIB32WAOO.EXE is a computer worm.
The worm LIB32WAOO.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the LIB32WAOO.EXE problem as soon as possible!
Delete the file LIB32WAOO.EXE from all infected computers in your network.
Set up your network firewall against LIB32WAOO.EXE intervention.

Malware Analysis of LIB32WAOO.EXE
Full path on a computer: %System%\lib32waoo.exe

Detected by UnHackMe:

LIB32WAOO.EXE
Default location: %System%\lib32waoo.exe

Removal Results: Success
Number of reboot: 1

LIB32WAOO.EXE is known as:

Worm.Roxin

LIB32WAOO.EXE hash:

MD5: 6eb5420eacd95d3def91cbea45da16f6

How to quickly detect LIB32WAOO.EXE presence?

Registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWS\Temp\servcie11102F27.exe: “%Windir%\Temp\servcie11102F27.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWS\Temp\servcie11103027.exe: “%Windir%\Temp\servcie11103027.exe”

Files:

c:\395500.dll
%Profiles%\LocalService\Favorites\Desktop.ini
c:\Net-Temp.ini
c:\NT_Path.jpg
%ProgramFiles%\133109\ms133234.dll
%ProgramFiles%\133109\system
%ProgramFiles%\Jbrj\Imhulawbk.bmp
%System%\einuBGK.exe
%System%\glswBGK.exe
%System%\JTahovz.exe
%System%\lib32waoo.exe
%Windir%\Temp\servcie11103027.exe
%System%\Rfmcthy.cc3
%System%\rvAFJOT.exe
%Windir%\Temp\servcie11102F27.exe

CBEVTSVC.EXE is Trojan Agent

NightWatcher — Wed, 16 May 2012 03:59:47 +0000

We checked up the file CBEVTSVC.EXE and found it hazardous.
The file CBEVTSVC.EXE must be deleted from the system immediately.
Kill the process CBEVTSVC.EXE and remove CBEVTSVC.EXE from the Windows startup.

Malware Analysis of CBEVTSVC.EXE
Full path on a computer: %SysDir%\CbEvtSvc.exe

Detected by UnHackMe:

Item Name: CbEvtSvc
Author:
Related File: %WinDir%\System32\CbEvtSvc.exe -k netsvcs
Type: Auto Services

Removal Results: Success
Number of reboot: 1

CBEVTSVC.EXE is known as:

Trojan.Agent, Trojan.Zlob, Trojan.Revelation

CBEVTSVC.EXE hash:

MD5: 69d105a56cc43f42dd32ef288a51d906

How to quickly detect CBEVTSVC.EXE presence?

Registry:

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\Service: “CbEvtSvc”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000\DeviceDesc: “CbEvtSvc”
HKLM\System\CurrentControlSet\Services\CbEvtSvc\ImagePath: “%SystemRoot%\System32\CbEvtSvc.exe -k netsvcs”
HKLM\System\CurrentControlSet\Services\CbEvtSvc\DisplayName: “CbEvtSvc”

Files:

%SysDir%\CbEvtSvc.exe

TEMP90.EXE is Backdoor Kelihos

NightWatcher — Wed, 16 May 2012 03:27:27 +0000

The program TEMP90.EXE is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with TEMP90.EXE.
Download for free: http://www.unhackme.com

Malware Analysis of TEMP90.EXE
Full path on a computer: %WinDir%\Temp\temp90.exe

Detected by UnHackMe:

Item Name: AmdAgent
Author: Unknown
Related File: %WinDir%\TEMP\TEMP90.EXE
Type: Registry Run

Item Name: temp90.exe
Author: Unknown
Related File: %WinDir%\TEMP\TEMP90.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

TEMP90.EXE is known as:

Backdoor.Kelihos

TEMP90.EXE hash:

MD5: 3d58527bbad08796c9ec6ffa9b7e116b

How to quickly detect TEMP90.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AmdAgent: “%WinDir%\Temp\temp90.exe”

Files:

%SysDir%\drivers\npf.sys
%SysDir%\Packet.dll
%SysDir%\wpcap.dll
%WinDir%\Temp\temp90.exe

HGOGLE.EXE is Backdoor Poison

NightWatcher — Tue, 15 May 2012 07:32:24 +0000

The program HGOGLE.EXE is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with HGOGLE.EXE.
Download for free: http://www.unhackme.com

Malware Analysis of HGOGLE.EXE
Full path on a computer: %System%\hgogle.exe

Detected by UnHackMe:

HGOGLE.EXE
Default location: %System%\hgogle.exe

Removal Results: Success
Number of reboot: 1

HGOGLE.EXE is known as:

Backdoor.Poison

HGOGLE.EXE hash:

MD5: dcf5c725c908548b3f32c97533f9e5ea

How to quickly detect HGOGLE.EXE presence?

Registry:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{BA8415FC-57D2-132F-1BC1-DAB924800386}\StubPath: “%System%\hgogle.exe”

Files:

%System%\hgogle.exe

ANTIWPA.DLL is Not-a-Virus HackTool.Wpakill

NightWatcher — Tue, 15 May 2012 05:58:14 +0000

The file ANTIWPA.DLL is not a virus.
The program ANTIWPA.DLL is a system security tool.
But the ANTIWPA.DLL tool may be used to compromise computer security by the hacker.
Use the ANTIWPA.DLL file at your own risk!
You can delete the ANTIWPA.DLL program from your computer with problems.

Malware Analysis of ANTIWPA.DLL
Full path on a computer: %SysDir%\antiwpa.dll

Detected by UnHackMe:

ANTIWPA.DLL
Default location: %SysDir%\antiwpa.dll

Removal Results: Success
Number of reboot: 1

ANTIWPA.DLL is known as:

Not-a-Virus.HackTool.Wpakill

ANTIWPA.DLL hash:

MD5: 98c332990684cd9f113fbd495841c6fa

How to quickly detect ANTIWPA.DLL presence?

Files:

%Temp%\RarSFX0\AntiWPA3.exe
%Temp%\RarSFX0\lisans.exe
%Temp%\RarSFX0\wgafix.exe
%Temp%\RarSFX1\AMD64\antiwpa.dll
%Temp%\RarSFX1\AntiWPA3.cmd
%Temp%\RarSFX1\IA64\antiwpa.dll
%Temp%\RarSFX1\X86\antiwpa.dll
%SysDir%\antiwpa.dll

WEB2NET.EXE is Trojan Injector

NightWatcher — Tue, 15 May 2012 05:52:58 +0000

The file WEB2NET.EXE is identified as a virus dropper.
The dropper WEB2NET.EXE is used for downloading and installing other malware, Trojans, viruses by the commands received from the Command Center.
The file WEB2NET.EXE loads into the computer memory and tries to connect to the dangerous web site.
Usually the WEB2NET.EXE dropper does not infect the files on the computer and does not replicate itself on other computers.
Kill the WEB2NET.EXE process and delete the file WEB2NET.EXE.

Malware Analysis of WEB2NET.EXE
Full path on a computer: %Appdata%\web2net.exe

Detected by UnHackMe:

WEB2NET.EXE
Default location: %Appdata%\web2net.exe

Removal Results: Success
Number of reboot: 1

WEB2NET.EXE is known as:

Trojan.Injector, Trojan.VB

WEB2NET.EXE hash:

MD5: b8480bfcfb1d2fe9503463740d386a68

How to quickly detect WEB2NET.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Login access: “%Appdata%\web2net.exe”

Files:

%Appdata%\web2net.exe

SOGOUPINYINUP.EXE is Trojan QQPass

NightWatcher — Tue, 15 May 2012 05:02:44 +0000

The file SOGOUPINYINUP.EXE is malware related.
You must delete the file SOGOUPINYINUP.EXE immediately!
Delete the file SOGOUPINYINUP.EXE without delay!
Kill the process SOGOUPINYINUP.EXE and remove SOGOUPINYINUP.EXE from the Windows startup.

Malware Analysis of SOGOUPINYINUP.EXE
Full path on a computer: %Program Files%\SogouPinyinUp.exe

Detected by UnHackMe:

SOGOUPINYINUP.EXE
Default location: %Program Files%\SogouPinyinUp.exe

Removal Results: Success
Number of reboot: 1

SOGOUPINYINUP.EXE is known as:

Trojan.QQPass, Trojan.Agent

SOGOUPINYINUP.EXE hash:

MD5: a670ff4997247322200fd925cc78c94f

How to quickly detect SOGOUPINYINUP.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IDO Port: “%Program Files%\SogouPinyinUp.exe”

Folders:

%Program Files%\common

Files:

%Program Files%\common\Utility.dll
%Program Files%\SogouPinyinUp.exe
%SysDir%\info.dat

DHNCHINA.EXE is Adware Tencent

NightWatcher — Tue, 15 May 2012 03:35:47 +0000

We checked some samples of DHNCHINA.EXE and detected the file DHNCHINA.EXE as threat.
Remove the DHNCHINA.EXE file from your computer right now.
Removal tool: http://www.unhackme.com

Malware Analysis of DHNCHINA.EXE
Full path on a computer: %SysDir%\dhnchina.exe

Detected by UnHackMe:

Item Name: dhnchina.exe
Author: TENCENT
Related File: %SYSDIR%\DHNCHINA.EXE
Type: Registry Run

Item Name: cdhnchina.exe
Author: Unknown
Related File: %SYSDIR%\CDHNCHINA.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

DHNCHINA.EXE is known as:

Adware.Tencent, Packed.Klone

DHNCHINA.EXE hash:

MD5: 8b729637f9e56f679e78fbcf017126bc

How to quickly detect DHNCHINA.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\dhnchina.exe: “%SysDir%\dhnchina.exe”

Files:

%SysDir%\cdhnchina.dll
%SysDir%\cdhnchina.exe
%SysDir%\dhnchina.exe

SVCCHOSTT.EXE is Worm Nayrabot

NightWatcher — Tue, 15 May 2012 03:22:31 +0000

The file SVCCHOSTT.EXE is a computer worm.
The worm SVCCHOSTT.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the SVCCHOSTT.EXE problem as soon as possible!
Delete the file SVCCHOSTT.EXE from all infected computers in your network.
Set up your network firewall against SVCCHOSTT.EXE intervention.

Malware Analysis of SVCCHOSTT.EXE
Full path on a computer: %Appdata%\svcchostt.exe

Detected by UnHackMe:

Item Name: svcchostt.exe
Author: Unknown
Related File: %APPDATA%\SVCCHOSTT.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

SVCCHOSTT.EXE is known as:

Worm.Nayrabot, Trojan.Kuluoz, Trojan.Dapato, Trojan.Diple

SVCCHOSTT.EXE hash:

MD5: a7da70c07f8daccbc034aab35e58b85f

How to quickly detect SVCCHOSTT.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svcchostt.exe: “”%Appdata%\svcchostt.exe”"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcchostt.exe: “”%Appdata%\svcchostt.exe”"

Files:

%Appdata%\svcchostt.exe

WINDOWSFILEDK.EXE is Trojan ProxyChanger

NightWatcher — Tue, 15 May 2012 02:49:28 +0000

We checked up the file WINDOWSFILEDK.EXE and found it hazardous.
The file WINDOWSFILEDK.EXE must be deleted from the system immediately.
Kill the process WINDOWSFILEDK.EXE and remove WINDOWSFILEDK.EXE from the Windows startup.

Malware Analysis of WINDOWSFILEDK.EXE
Full path on a computer: %Appdata%\moka\windowsfiledk.exe

Detected by UnHackMe:

Item Name: windowsfiledk
Author: JXhQ
Related File: %APPDATA%\MOKA\WINDOWSFILEDK.EXE
Type: Registry Run

Item Name: windowsfiledk.exe
Author: JXhQ
Related File: %APPDATA%\MOKA\WINDOWSFILEDK.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

WINDOWSFILEDK.EXE is known as:

Trojan.ProxyChanger, Trojan.Injector, Virus.VBInje

WINDOWSFILEDK.EXE hash:

MD5: 8627d1b4e5799c5f77952fbdc8f27395

The file tries to download information from some web sites.

How to quickly detect WINDOWSFILEDK.EXE presence?

Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windowsfiledk: “%Appdata%\moka\windowsfiledk.exe”

Files:

%Appdata%\moka\windowsfiledk.exe
%Temp%\19768.dmp
%Temp%\87dc_appcompat.txt
%Temp%\8A00.dmp
%Temp%\8f04_appcompat.txt

DNSHELPER.DLL is Backdoor BlackHawk

NightWatcher — Mon, 14 May 2012 03:13:05 +0000

The program DNSHELPER.DLL is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with DNSHELPER.DLL.
Download for free: http://www.unhackme.com

Malware Analysis of DNSHELPER.DLL
Full path on a computer: %SysDir%\dnsHelper.DLL

Detected by UnHackMe:

Item Name: dnsHelper
Author: Unknown
Related File: %SYSDIR%\DNSHELPER.DLL
Type: Svchost DLLs

Removal Results: Success
Number of reboot: 1

DNSHELPER.DLL is known as:

Backdoor.BlackHawk

DNSHELPER.DLL hash:

MD5: cf077b679d26e52dba706682e5a9060e

The file tries to connect to the dangerous web site.

How to quickly detect DNSHELPER.DLL presence?

Registry:

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DNSHELPER\0000\Service: “dnsHelper”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_DNSHELPER\0000\DeviceDesc: “Smart Card dnsHelper”
HKLM\System\CurrentControlSet\Services\dnsHelper\Parameters\ServiceDll: “%SysDir%\dnsHelper.DLL”
HKLM\System\CurrentControlSet\Services\dnsHelper\DisplayName: “Smart Card dnsHelper”
HKLM\System\CurrentControlSet\Services\dnsHelper\Description: “Management of this computer to take on the smart card read dnsHelper”

Files:

%SysDir%\dnsHelper.DLL

ITUNES_SERVICE01.EXE is Trojan RansomGimemo

NightWatcher — Sun, 13 May 2012 03:33:31 +0000

Ransom Screen Locker ITUNES_SERVICE01.EXE is a malicious program. ITUNES_SERVICE01.EXE blocks user access to a computer that it infects. ITUNES_SERVICE01.EXE demands a ransom paid for unlocking the computer.

Malware Analysis of ITUNES_SERVICE01.EXE
Full path on a computer: %Appdata%\itunes_service01.exe

Detected by RegRun Warrior:

Item Name: shell
Author: Unknown
Related File: %Appdata%\itunes_service01.exe
Type: System.ini

Item Name: UserInit
Author: Unknown
Related File: %Appdata%\itunes_service01.exe,%WinDir%\System32\userinit.exe,
Type: UserInit Value

Item Name: d31ybB8YFv9cUxg
Author: Unknown
Related File: %APPDATA%\ITUNES_SERVICE01.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

ITUNES_SERVICE01.EXE is known as:

Trojan.RansomGimemo, Trojan.LockScreen

ITUNES_SERVICE01.EXE hash:

MD5: fd3f7aaef6b290ac4c1d6ebcb36209c9

The file tries to download information from some web sites.

How to quickly detect ITUNES_SERVICE01.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\d31ybB8YFv9cUxg: “%Appdata%\itunes_service01.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d31ybB8YFv9cUxg: “%Appdata%\itunes_service01.exe”
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%Appdata%\itunes_service01.exe”
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%Appdata%\itunes_service01.exe,%WinDir%\System32\userinit.exe,”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%Appdata%\itunes_service01.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%Appdata%\itunes_service01.exe,%WinDir%\System32\userinit.exe,”

Files:

%Appdata%\itunes_service01.exe

68Y0EOY0LT.EXE is Dropper Dapato

NightWatcher — Sat, 12 May 2012 03:08:32 +0000

The program 68Y0EOY0LT.EXE is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with 68Y0EOY0LT.EXE.
Download for free: http://www.unhackme.com

Malware Analysis of 68Y0EOY0LT.EXE
Full path on a computer: %Appdata%\68Y0EOY0LT.exe

Detected by UnHackMe:

68Y0EOY0LT.EXE
Default location: %Appdata%\68Y0EOY0LT.exe

Removal Results: Success
Number of reboot: 1

68Y0EOY0LT.EXE is known as:

Dropper.Dapato, Virus.ILCrypt, Backdoor.Blackshades, Worm.Ainslot

68Y0EOY0LT.EXE hash:

MD5: 49c64108587681117d9db258514b4fa8

How to quickly detect 68Y0EOY0LT.EXE presence?

Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender: “%Appdata%\WinDefender\windefender.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows: “%Appdata%\Windows\windows.exe”

Files:

%Appdata%\68Y0EOY0LT.exe
%Appdata%\svchost
%Appdata%\WinDefender\windefender.exe
%Appdata%\Windows\windows.exe
%Temp%\chrome.exe
%Temp%\svchost.exe

SOUNDVOL32.EXE is Trojan Sdbot

NightWatcher — Fri, 11 May 2012 04:06:53 +0000

We checked up the file SOUNDVOL32.EXE and found it hazardous.
The file SOUNDVOL32.EXE must be deleted from the system immediately.
Kill the process SOUNDVOL32.EXE and remove SOUNDVOL32.EXE from the Windows startup.

Malware Analysis of SOUNDVOL32.EXE
Full path on a computer: %SysDir%\soundvol32.exe

Detected by UnHackMe:

Item Name: Microsoft
Author: Unknown
Related File: %SysDir%\SOUNDVOL32.EXE
Type: Registry Run

Item Name: soundvol32.exe
Author: Unknown
Related File: %SYSDIR%\SOUNDVOL32.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1

SOUNDVOL32.EXE is known as:

Trojan.Sdbot, Trojan.Jorik

SOUNDVOL32.EXE hash:

MD5: 2c44fe67124cc9fa68360d42174673b9

How to quickly detect SOUNDVOL32.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft: “soundvol32.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft: “soundvol32.exe”
HKCU\Software\ASProtect\Microsoft: “soundvol32.exe”

Files:

%SysDir%\soundvol32.exe

CSDRIVE32.EXE is Worm Kolab

NightWatcher — Fri, 11 May 2012 02:55:05 +0000

The file CSDRIVE32.EXE is a computer worm.
The worm CSDRIVE32.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the CSDRIVE32.EXE problem as soon as possible!
Delete the file CSDRIVE32.EXE from all infected computers in your network.
Set up your network firewall against CSDRIVE32.EXE intervention.

Malware Analysis of CSDRIVE32.EXE
Full path on a computer: %WinDir%\csdrive32.exe

Detected by UnHackMe:

Item Name: Microsoft Driver Setup
Author: Unknown
Related File: %WinDir%\CSDRIVE32.EXE
Type: Explorer Run

Item Name: csdrive32.exe
Author: Unknown
Related File: %WinDir%\CSDRIVE32.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1

CSDRIVE32.EXE is known as:

Worm.Kolab, Backdoor.Rbot, Worm.Pushbot

CSDRIVE32.EXE hash:

MD5: 7f088fba47368255f9e35fada086a86a

How to quickly detect CSDRIVE32.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Microsoft Driver Setup: “%WinDir%\csdrive32.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup: “%WinDir%\csdrive32.exe”

Files:

%WinDir%\csdrive32.exe

ARTEENBARCELONA2.DLL is Adware MSNAgent

NightWatcher — Thu, 10 May 2012 06:19:45 +0000

We received the file ARTEENBARCELONA2.DLL and detected that ARTEENBARCELONA2.DLL is not good.
ARTEENBARCELONA2.DLL is Adware. You should remove the file ARTEENBARCELONA2.DLL.
Kill the process ARTEENBARCELONA2.DLL and remove ARTEENBARCELONA2.DLL from Windows.

Malware Analysis of ARTEENBARCELONA2.DLL
Full path on a computer: %Program Files%\www.arteenbarcelona.com\arteenbarcelona2.dll

Detected by UnHackMe:

Item Name: {4B976F76-B0BC-4db6-BC34-121A7C9D4A28}
Author: IE Toolbar
Related File: C:\PROGRA~1\WWWART~1.COM\ARTEEN~1.DLL
Type: Browser Helper Objects

Item Name: {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A}
Author:
Related File: %PROGRAM FILES%\WWW.ARTEENBARCELONA.COM\ARTEENBARCELONA2.DLL
Type: Toolbars

Removal Results: Success
Number of reboot: 1

ARTEENBARCELONA2.DLL is known as:

Adware.MSNAgent, Adware.Istbar, Adware.Toolbar.Eztracks, Adware.Mostofate, Adware.Softomate

ARTEENBARCELONA2.DLL hash:

MD5: eeb02caf9fabd673443c42e8bcc4ca8b

The file tries to connect to the dangerous web site.

How to quickly detect ARTEENBARCELONA2.DLL presence?

Registry:

HKLM\Software\Classes\CLSID\{25F97EB4-1C02-45BA-BA0C-E67AACE64D4A}\InprocServer32\: “%Program Files%\www.arteenbarcelona.com\arteenbarcelona2.dll”
HKLM\Software\Classes\CLSID\{4B976F76-B0BC-4db6-BC34-121A7C9D4A28}\InprocServer32\: “C:\PROGRA~1\WWWART~1.COM\ARTEEN~1.DLL”
HKLM\Software\Classes\TypeLib\{B9DDDDA0-87DF-4003-9D7C-84B0765CEF76}\1.0\0\win32\: “%Program Files%\www.arteenbarcelona.com\arteenbarcelona2.dll”
HKLM\Software\Classes\TypeLib\{B9DDDDA0-87DF-4003-9D7C-84B0765CEF76}\1.0\HELPDIR\: “%Program Files%\www.arteenbarcelona.com\”

Folders:

%Program Files%\www.arteenbarcelona.com

Files:

%Program Files%\www.arteenbarcelona.com\arteenbarcelona.bmp
%Program Files%\www.arteenbarcelona.com\arteenbarcelona2.crc
%Program Files%\www.arteenbarcelona.com\arteenbarcelona2.dll
%Program Files%\www.arteenbarcelona.com\basis.xml
%Program Files%\www.arteenbarcelona.com\error.html
%Program Files%\www.arteenbarcelona.com\icons.bmp
%Program Files%\www.arteenbarcelona.com\msvcp60.dll
%Program Files%\www.arteenbarcelona.com\msvcrt.dll
%Program Files%\www.arteenbarcelona.com\options.html
%Program Files%\www.arteenbarcelona.com\version.txt

OSJK8S.EXE is Virus Virut

NightWatcher — Thu, 10 May 2012 05:42:01 +0000

We checked up the file OSJK8S.EXE and found it hazardous.
The file OSJK8S.EXE must be deleted from the system immediately.
Kill the process OSJK8S.EXE and remove OSJK8S.EXE from the Windows startup.

Malware Analysis of OSJK8S.EXE
Full path on a computer: %Appdata%\osjk8s.exe

Detected by UnHackMe:

Item Name: NWCWorkstation
Author: Microsoft Corporation
Related File: %SYSDIR%\NWCWKS.DLL
Type: Svchost DLLs

Item Name: MouseDriver
Author:
Related File: %Appdata%\MouseDriver.bat
Type: Auto Services

Item Name: aqjunayn
Author: YthqO
Related File: %SYSDIR%\AQJUNAYN.EXE
Type: Registry Run

Item Name: Regedit32
Author:
Related File: %SysDir%\regedit.exe
Type: Registry Run

Item Name: aqjunayn.exe
Author: YthqO
Related File: %PROFILE%\AQJUNAYN.EXE
Type: Detected using Heuristic Algorithm

Item Name: tcpudp
Author: Unknown
Related File: %WinDir%\BN6.TMP
Type: Registry Run

Item Name: osjk8s
Author:
Related File: %APPDATA%\OSJK8S.EXE
Type: Registry Run

Item Name: l3yg2h61ay
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ALL USERS\L3YG2H61AY.EXE
Type: Registry Run

Item Name: osjk8s.exe
Author:
Related File: %APPDATA%\OSJK8S.EXE
Type: Detected using Heuristic Algorithm

Item Name: l3yg2h61ay.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ALL USERS\L3YG2H61AY.EXE
Type: Running Processes

Item Name: BN6.tmp
Author: Unknown
Related File: %TEMP%\BN6.TMP
Type: Running Processes

Item Name: VRT5.tmp
Author: Unknown
Related File: %WinDir%\TEMP\VRT5.TMP
Type: Running Processes

After first reboot detected by UnHackMe:

Item Name: Rootkit: NECURS
Author: Unknown
Related File:
Type: Devices in Memory

Detected by RegRun Warrior:

Item Name: MouseDriver
Author:
Related File: %APPDATA%\MOUSEDRIVER.BAT
Type: Drivers

Item Name: 4d067d35f313de7
Author:
Related File: %SYSDIR%\DRIVERS\4D067D35F313DE7.SYS
Type: Drivers

Item Name: 5cf2180pgz
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ALL USERS\5CF2180PGZ.EXE
Type: Registry Run

Item Name: osjk8s
Author:
Related File: %APPDATA%\OSJK8S.EXE
Type: Registry Run

Item Name: l3yg2h61ay
Author: Unknown
Related File: %PROFILE%\L3YG2H61AY.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

OSJK8S.EXE is known as:

Virus.Virut

OSJK8S.EXE hash:

MD5: 672e6894ded72ced69fc8a8a0f48f835

The file tries to connect to the dangerous web site.

How to quickly detect OSJK8S.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\aqjunayn: “%WinDir%\System32\aqjunayn.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\osjk8s: “%Appdata%\osjk8s.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\l3yg2h61ay: “C:\Documents and Settings\All Users\l3yg2h61ay.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Regedit32: “%SysDir%\regedit.exe”
HKLM\Software\tgs90gv74r\tgs90gv74rexepath: “%Appdata%\osjk8s.exe”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MOUSEDRIVER\0000\Service: “MouseDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MOUSEDRIVER\0000\DeviceDesc: “MouseDriver”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000\Service: “NWCWorkstation”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION\0000\DeviceDesc: “Client Service for NetWare”
HKLM\System\CurrentControlSet\Services\MouseDriver\ImagePath: “%Appdata%\MouseDriver.bat”
HKLM\System\CurrentControlSet\Services\MouseDriver\DisplayName: “MouseDriver”
HKLM\System\CurrentControlSet\Services\NWCWorkstation\Parameters\ServiceDll: “%SystemRoot%\system32\nwcwks.dll”
HKLM\System\CurrentControlSet\Services\NWCWorkstation\DisplayName: “Client Service for NetWare”
HKLM\System\CurrentControlSet\Services\NWCWorkstation\Description: “Provides access to file and print resources on NetWare networks.”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tcpudp: “%WinDir%\BN5.tmp”

Files:

%Appdata%\MouseDriver.bat
%Appdata%\osjk8s.exe
%Appdata%\osjk8s.log
%Temp%\BN5.tmp
%Profile%\aqjunayn.exe
C:\Documents and Settings\All Users\l3yg2h61ay.exe
%SysDir%\aqjunayn.exe
%SysDir%\nwcwks.dll
%WinDir%\Temp\VRT1.tmp
%WinDir%\Temp\VRT2.tmp
%WinDir%\Temp\VRT3.tmp
%WinDir%\Temp\VRT4.tmp
%WinDir%\Temp\VRT6.tmp
%WinDir%\BN5.tmp

SVCGHOST.EXE is Backdoor Umbra

NightWatcher — Thu, 10 May 2012 03:40:49 +0000

The program SVCGHOST.EXE is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with SVCGHOST.EXE.
Download for free: http://www.unhackme.com

Malware Analysis of SVCGHOST.EXE
Full path on a computer: %WinDir%\svcghost.exe

Detected by UnHackMe:

Item Name: Windows Updater
Author: Unknown
Related File: %WinDir%\SVCGHOST.EXE
Type: Registry Run

Item Name: svcghost.exe
Author: Unknown
Related File: %WinDir%\SVCGHOST.EXE
Type: Running Processes

SVCGHOST.EXE
Default location: %WinDir%\svcghost.exe

Removal Results: Success
Number of reboot: 1

SVCGHOST.EXE is known as:

Backdoor.Umbra, Trojan.Dapato, Trojan.Malex

SVCGHOST.EXE hash:

MD5: 9b29acb54e0b4e4a7adbb5d3801f895f

How to quickly detect SVCGHOST.EXE presence?

Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater: “”%WinDir%\svcghost.exe”"

Files:

%WinDir%\svcghost.exe

FINDLOCK.DLL is Trojan ATRAPS

NightWatcher — Wed, 09 May 2012 03:50:48 +0000

We checked some samples of FINDLOCK.DLL and detected the file FINDLOCK.DLL as threat.
Remove the FINDLOCK.DLL file from your computer right now.
Removal tool: http://www.unhackme.com

Malware Analysis of FINDLOCK.DLL
Full path on a computer: %Appdata%FindLockfindlock.dll

Detected by UnHackMe:

FINDLOCK.DLL
Default location: %Appdata%FindLockfindlock.dll

Removal Results: Success
Number of reboot: 1

FINDLOCK.DLL is known as:

Trojan.ATRAPS, SecurityRisk.Downldr

FINDLOCK.DLL hash:

MD5: 8ee9fc48d2c868e1b72f3924df2b6017

The file is used for downloading and installing other malware, Trojans, viruses by the commands received from the Command Center.

How to quickly detect FINDLOCK.DLL presence?

Folders:

%Appdata%FindLock

Files:

%Appdata%FindLockfindlock.dll
%Appdata%FindLockfl_dn.exe
%Appdata%FindLockfl_install.exe

WINOWIS.DLL is Backdoor Delf

NightWatcher — Wed, 09 May 2012 03:30:58 +0000

The program WINOWIS.DLL is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with WINOWIS.DLL.
Download for free: http://www.unhackme.com

Malware Analysis of WINOWIS.DLL
Full path on a computer: %SysDir%winowis.dll

Detected by UnHackMe:

Item Name: windows user
Author: Unknown
Related File: %SYSDIR%WINOWIS.DLL
Type: Svchost DLLs

Removal Results: Success
Number of reboot: 1

WINOWIS.DLL is known as:

Backdoor.Delf, Backdoor.Graybird, BackDoor.Pigeon

WINOWIS.DLL hash:

MD5: 16b8700dcb051034f062668365b8533c

The file is used for downloading and installing other malware, Trojans, viruses by the commands received from the Command Center.

How to quickly detect WINOWIS.DLL presence?

Registry:

HKLMSystemCurrentControlSetEnumRootLEGACY_WINDOWS_USER000Service: “windows user”
HKLMSystemCurrentControlSetEnumRootLEGACY_WINDOWS_USER000DeviceDesc: “windows user”
HKLMSystemCurrentControlSetServiceswindows userParametersServiceDll: “%SysDir%winowis.dll”
HKLMSystemCurrentControlSetServiceswindows userDisplayName: “windows user”
HKLMSystemCurrentControlSetServiceswindows userDescription: “windows user”

Files:

%SysDir%winowis.dll

MSDCSC.EXE is Trojan Agent

NightWatcher — Wed, 09 May 2012 03:29:05 +0000

The file MSDCSC.EXE is malware related.
You must delete the file MSDCSC.EXE immediately!
Delete the file MSDCSC.EXE without delay!
Kill the process MSDCSC.EXE and remove MSDCSC.EXE from the Windows startup.

Malware Analysis of MSDCSC.EXE
Full path on a computer: C:MSDCSCmsdcsc.exe

Detected by UnHackMe:

MSDCSC.EXE
Default location: C:MSDCSCmsdcsc.exe

Removal Results: Success
Number of reboot: 1

MSDCSC.EXE is known as:

Trojan.Agent, Trojan.Injector, Backdoor.Fynloski

MSDCSC.EXE hash:

MD5: 8c82de32ab2b407451b9fc054c09f717

The file tries to connect to the dangerous web site.

How to quickly detect MSDCSC.EXE presence?

Registry:

HKCUSoftwareMicrosoftWindowsCurrentVersionRunMicroUpdate: “C:MSDCSCmsdcsc.exe”
HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit: “%SysDir%userinit.exe,C:MSDCSCmsdcsc.exe”

Folders:

%Appdata%dclogs
C:MSDCSC

Files:

C:MSDCSCmsdcsc.exe

MODDEDMAPAIO.EXE is Trojan Injector

NightWatcher — Wed, 09 May 2012 03:27:49 +0000

The file MODDEDMAPAIO.EXE is malware related.
You must delete the file MODDEDMAPAIO.EXE immediately!
Delete the file MODDEDMAPAIO.EXE without delay!
Kill the process MODDEDMAPAIO.EXE and remove MODDEDMAPAIO.EXE from the Windows startup.

Malware Analysis of MODDEDMAPAIO.EXE
Full path on a computer: %Appdata%ModdedMapAIO.exe

Detected by UnHackMe:

MODDEDMAPAIO.EXE
Default location: %Appdata%ModdedMapAIO.exe

Removal Results: Success
Number of reboot: 1

MODDEDMAPAIO.EXE is known as:

Trojan.Injector, Trojan.Dapato

MODDEDMAPAIO.EXE hash:

MD5: d5ac40362376abbccedba6a1919913d4

The file tries to download information from some web sites.

How to quickly detect MODDEDMAPAIO.EXE presence?

Registry:

HKCUSoftwareMicrosoftWindowsCurrentVersionRunJava Enviroment: “%Appdata%ModdedMapAIO.exe”

Files:

%Appdata%Keylog
%Appdata%KGAPBSMQCO.exe
%Appdata%ModdedMapAIO.exe
%Appdata%XOmDQ.txt

GUAJI27.EXE is Trojan Clons

NightWatcher — Wed, 09 May 2012 03:24:48 +0000

Is the file GUAJI27.EXE located on your computer? Then your computer is infected.
We do suggest you should remove GUAJI27.EXE from your computer as soon as possible.
GUAJI27.EXE is Trojan/Backdoor.
Kill the process GUAJI27.EXE and remove GUAJI27.EXE from the Windows startup.

Malware Analysis of GUAJI27.EXE
Full path on a computer: GuaJi27.exe

Detected by UnHackMe:

GUAJI27.EXE
Default location: %Temp%GuaJi27.exe

Removal Results: Success
Number of reboot: 1

GUAJI27.EXE is known as:

Trojan.Clons, Trojan.MulDrop2, Trojan.Bumat

GUAJI27.EXE hash:

MD5: c04db7f5ca47ad017cf9b019cae57ded

The file tries to connect to the dangerous web site.

How to quickly detect GUAJI27.EXE presence?

Registry:

HKLMSoftwareMicrosoftWindowsCurrentVersionRunDDGuaJi: “%Temp%GuaJi27.exe /tray”

Files:

%Temp%143562cds.rar
%Temp%202656draw.jpg
%Temp%GuaJi27.exe

THOR-BATISTA-ATROPELA-HOMEM.EXE is Trojan Banker

NightWatcher — Wed, 09 May 2012 03:14:51 +0000

The file THOR-BATISTA-ATROPELA-HOMEM.EXE is identified as the Trojan Program that is used for stealing bank information and users passwords.
To delete THOR-BATISTA-ATROPELA-HOMEM.EXE we suggest you should use UnHackMe:
http://www.unhackme.com

Malware Analysis of THOR-BATISTA-ATROPELA-HOMEM.EXE
Full path on a computer: %Appdata%Thor-Batista-atropela-homem.exe

Detected by UnHackMe:

Item Name: sbthost
Author: Microsoft
Related File: %APPDATA%THOR-BATISTA-ATROPELA-HOMEM.EXE
Type: Registry Run

Item Name: Thor-Batista-atropela-homem.exe
Author:
Related File: %APPDATA%THOR-BATISTA-ATROPELA-HOMEM.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1

THOR-BATISTA-ATROPELA-HOMEM.EXE is known as:

Trojan.Banker, Trojan.ProxyChanger

THOR-BATISTA-ATROPELA-HOMEM.EXE hash:

MD5: 4fb71080eb11325b31ef006dd3108e35

The file is used for downloading and installing other malware, Trojans, viruses by the commands received from the Command Center.

How to quickly detect THOR-BATISTA-ATROPELA-HOMEM.EXE presence?

Registry:

HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsAutoConfigURL: “http://187.109.161.34/index1.php”
HKCUSoftwareMicrosoftWindowsCurrentVersionRunsbthost: “%Appdata%Thor-Batista-atropela-homem.exe”

Files:

%Appdata%tem.txt
%Appdata%Thor-Batista-atropela-homem.exe

ICAM5USB.DLL is Rootkit ZeroAccess

NightWatcher — Tue, 08 May 2012 14:29:09 +0000

Rootkit ICAM5USB.DLL is software that enables continued privileged access to a computer while actively hiding its presence.
Detection and removal of ICAM5USB.DLL may be a very difficult process.
You should use anti-rootkit software to fix the ICAM5USB.DLL problem.

Malware Analysis of ICAM5USB.DLL
Full path on a computer: %SysDir%\ICAM5USB.dll

Detected by RegRun Warrior:

ICAM5USB.DLL
Default location: %SysDir%\ICAM5USB.dll

Removal Results: Success
Number of reboot: 1

ICAM5USB.DLL is known as:

Rootkit.ZeroAccess, Trojan.Sirefef, Trojan.Agent, Backdoor.Maxplus

ICAM5USB.DLL hash:

MD5: 11028c6a84a967070cb1286550f2058f

How to quickly detect ICAM5USB.DLL presence?

Registry:

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MR97310_USB_DUAL_CAMERA\0000\Service: “MR97310_USB_DUAL_CAMERA”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MR97310_USB_DUAL_CAMERA\0000\DeviceDesc: “Usbstor”
HKLM\System\CurrentControlSet\Services\MR97310_USB_DUAL_CAMERA\Parameters\ServiceDll: “%systemroot%\system32\ICAM5USB.dll”
HKLM\System\CurrentControlSet\Services\MR97310_USB_DUAL_CAMERA\DisplayName: “Usbstor”
HKLM\System\CurrentControlSet\Services\MR97310_USB_DUAL_CAMERA\Description: “Usbstor”

Folders:

%WinDir%\$NtUninstallKB62478$

Files:

%SysDir%\dds_trash_log.cmd
%SysDir%\ICAM5USB.dll

SECMAN.DLL is Trojan MailPassView

NightWatcher — Tue, 08 May 2012 14:24:44 +0000

The file SECMAN.DLL is malware related.
You must delete the file SECMAN.DLL immediately!
Delete the file SECMAN.DLL without delay!
Kill the process SECMAN.DLL and remove SECMAN.DLL from the Windows startup.

Malware Analysis of SECMAN.DLL
Full path on a computer: C:\Temp\secman.dll

Detected by UnHackMe:

SECMAN.DLL
Default location: C:\Temp\secman.dll

Removal Results: Success
Number of reboot: 1

SECMAN.DLL is known as:

Trojan.MailPassView

SECMAN.DLL hash:

MD5: ccad5c9028897be6f9ea4506772232fb

The file is used for downloading and installing other malware, Trojans, viruses by the commands received from the Command Center.

How to quickly detect SECMAN.DLL presence?

Registry:

HKLM\Software\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32\: “c:\temp\secman.dll”
HKLM\Software\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\0\win32\: “c:\temp\secman.dll”

Folders:

%Appdata%\Microsoft\Outlook
%Local Appdata%\Microsoft\FORMS
%Local Appdata%\Microsoft\Outlook
%Temp%\outlook logging
C:\Temp

Files:

%Local Appdata%\Microsoft\FORMS\FRMCACHE.DAT
%Temp%\outlook logging\firstrun.log
C:\Temp\osmax.ocx
C:\Temp\Project1.exe
C:\Temp\secman.dll
C:\Temp\seta.bat

UFLM.EXE is Trojan Rimecud

NightWatcher — Tue, 08 May 2012 11:47:43 +0000

We checked up the file UFLM.EXE and found it hazardous.
The file UFLM.EXE must be deleted from the system immediately.
Kill the process UFLM.EXE and remove UFLM.EXE from the Windows startup.

Malware Analysis of UFLM.EXE
Full path on a computer: %Profile%\uflm.exe

Detected by UnHackMe:

UFLM.EXE
Default location: %Profile%\uflm.exe

Removal Results: Success
Number of reboot: 1

UFLM.EXE is known as:

Trojan.Rimecud

UFLM.EXE hash:

MD5: fe4b82d21f41e0721e183b412eb94b1c

The file is used for downloading and installing other malware, Trojans, viruses by the commands received from the Command Center.

How to quickly detect UFLM.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman: “%Profile%\uflm.exe”

Files:

%Temp%\3852.exe
%Profile%\uflm.exe

Malware Analysis and Removal

LUA5.1-32.DLL

Malware Analysis of LUA5.1-32.DLL Full path on a computer: C:\temp\[hostex.org]\CETFF1.tmp\extracted\lua5.1-32.dll

Detected by UnHackMe:

LUA5.1-32.DLL is known as:

LUA5.1-32.DLL hash:

NVSMART.EXE is Trojan Sasfis

Malware Analysis of NVSMART.EXE Full path on a computer: %AllUsersProfile%\SxS\NvSmart.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

NVSMART.EXE is known as:

NVSMART.EXE hash:

WIN32.EXE is Backdoor Fynloski

Malware Analysis of WIN32.EXE Full path on a computer: C:\MSDCSC\win32.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

WIN32.EXE is known as:

WIN32.EXE hash:

LIB32WAOO.EXE is Worm Roxin

Malware Analysis of LIB32WAOO.EXE Full path on a computer: %System%\lib32waoo.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

LIB32WAOO.EXE is known as:

LIB32WAOO.EXE hash:

CBEVTSVC.EXE is Trojan Agent

Malware Analysis of CBEVTSVC.EXE Full path on a computer: %SysDir%\CbEvtSvc.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

CBEVTSVC.EXE is known as:

CBEVTSVC.EXE hash:

TEMP90.EXE is Backdoor Kelihos

Malware Analysis of TEMP90.EXE Full path on a computer: %WinDir%\Temp\temp90.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

TEMP90.EXE is known as:

TEMP90.EXE hash:

HGOGLE.EXE is Backdoor Poison

Malware Analysis of HGOGLE.EXE Full path on a computer: %System%\hgogle.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

HGOGLE.EXE is known as:

HGOGLE.EXE hash:

ANTIWPA.DLL is Not-a-Virus HackTool.Wpakill

Malware Analysis of ANTIWPA.DLL Full path on a computer: %SysDir%\antiwpa.dll

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

ANTIWPA.DLL is known as:

ANTIWPA.DLL hash:

WEB2NET.EXE is Trojan Injector

Malware Analysis of WEB2NET.EXE Full path on a computer: %Appdata%\web2net.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

WEB2NET.EXE is known as:

WEB2NET.EXE hash:

SOGOUPINYINUP.EXE is Trojan QQPass

Malware Analysis of SOGOUPINYINUP.EXE Full path on a computer: %Program Files%\SogouPinyinUp.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

SOGOUPINYINUP.EXE is known as:

SOGOUPINYINUP.EXE hash:

DHNCHINA.EXE is Adware Tencent

Malware Analysis of DHNCHINA.EXE Full path on a computer: %SysDir%\dhnchina.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

DHNCHINA.EXE is known as:

DHNCHINA.EXE hash:

SVCCHOSTT.EXE is Worm Nayrabot

Malware Analysis of SVCCHOSTT.EXE Full path on a computer: %Appdata%\svcchostt.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

SVCCHOSTT.EXE is known as:

SVCCHOSTT.EXE hash:

WINDOWSFILEDK.EXE is Trojan ProxyChanger

Malware Analysis of WINDOWSFILEDK.EXE Full path on a computer: %Appdata%\moka\windowsfiledk.exe

Detected by UnHackMe:

Removal Results: Success Number of reboot: 1

WINDOWSFILEDK.EXE is known as:

WINDOWSFILEDK.EXE hash:

DNSHELPER.DLL is Backdoor BlackHawk

Malware Analysis of DNSHELPER.DLL Full path on a computer: %SysDir%\dnsHelper.DLL

Malware Analysis of LUA5.1-32.DLL
Full path on a computer: C:\temp\[hostex.org]\CETFF1.tmp\extracted\lua5.1-32.dll

Malware Analysis of NVSMART.EXE
Full path on a computer: %AllUsersProfile%\SxS\NvSmart.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of WIN32.EXE
Full path on a computer: C:\MSDCSC\win32.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of LIB32WAOO.EXE
Full path on a computer: %System%\lib32waoo.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of CBEVTSVC.EXE
Full path on a computer: %SysDir%\CbEvtSvc.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of TEMP90.EXE
Full path on a computer: %WinDir%\Temp\temp90.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of HGOGLE.EXE
Full path on a computer: %System%\hgogle.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of ANTIWPA.DLL
Full path on a computer: %SysDir%\antiwpa.dll

Removal Results: Success
Number of reboot: 1

Malware Analysis of WEB2NET.EXE
Full path on a computer: %Appdata%\web2net.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of SOGOUPINYINUP.EXE
Full path on a computer: %Program Files%\SogouPinyinUp.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of DHNCHINA.EXE
Full path on a computer: %SysDir%\dhnchina.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of SVCCHOSTT.EXE
Full path on a computer: %Appdata%\svcchostt.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of WINDOWSFILEDK.EXE
Full path on a computer: %Appdata%\moka\windowsfiledk.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of DNSHELPER.DLL
Full path on a computer: %SysDir%\dnsHelper.DLL

Removal Results: Success
Number of reboot: 1

Malware Analysis of ITUNES_SERVICE01.EXE
Full path on a computer: %Appdata%\itunes_service01.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of 68Y0EOY0LT.EXE
Full path on a computer: %Appdata%\68Y0EOY0LT.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of SOUNDVOL32.EXE
Full path on a computer: %SysDir%\soundvol32.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of CSDRIVE32.EXE
Full path on a computer: %WinDir%\csdrive32.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of ARTEENBARCELONA2.DLL
Full path on a computer: %Program Files%\www.arteenbarcelona.com\arteenbarcelona2.dll

Removal Results: Success
Number of reboot: 1

Malware Analysis of OSJK8S.EXE
Full path on a computer: %Appdata%\osjk8s.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of SVCGHOST.EXE
Full path on a computer: %WinDir%\svcghost.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of FINDLOCK.DLL
Full path on a computer: %Appdata%FindLockfindlock.dll

Removal Results: Success
Number of reboot: 1

Malware Analysis of WINOWIS.DLL
Full path on a computer: %SysDir%winowis.dll

Removal Results: Success
Number of reboot: 1

Malware Analysis of MSDCSC.EXE
Full path on a computer: C:MSDCSCmsdcsc.exe

Removal Results: Success
Number of reboot: 1

Malware Analysis of MODDEDMAPAIO.EXE
Full path on a computer: %Appdata%ModdedMapAIO.exe

Removal Results: Success
Number of reboot: 1