Malware Analysis and Removal

STKSCAN.DLL is Trojan Sirefef.BP

NightWatcher — Thu, 09 Feb 2012 12:32:34 +0000

Rootkit STKSCAN.DLL is software that enables continued privileged access to a computer while actively hiding its presence.
Detection and removal of STKSCAN.DLL may be a very difficult process.
You should use anti-rootkit software to fix the STKSCAN.DLL problem.

Malware Analysis of STKSCAN.DLL
Full path on a computer: %SysDir%\StkScan.dll

Detected by RegRun Warrior:

STKSCAN.DLL
Default location: %SysDir%\StkScan.dll

Removal Results: Success
Number of reboot: 1

STKSCAN.DLL is known as:

Trojan.Sirefef.BP, TR.Sirefef.BP.1, Troj.ZAccess-AB, W32.ZeroAccess.D.tr

STKSCAN.DLL hash:

MD5: b89cfbe8cb247b57d8c10adaa66b462b

How to quickly detect STKSCAN.DLL presence?

Registry:

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SNP2STD\0000\Service: “SNP2STD”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SNP2STD\0000\DeviceDesc: “Acedrv07″
HKLM\System\CurrentControlSet\Services\SNP2STD\Parameters\ServiceDll: “%systemroot%\system32\StkScan.dll”
HKLM\System\CurrentControlSet\Services\SNP2STD\DisplayName: “Acedrv07″
HKLM\System\CurrentControlSet\Services\SNP2STD\Description: “New service would allow parents to control their children’s online activity.”
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%Local Appdata%\3308c706\X”

Folders:

%WinDir%\$NtUninstallKB3057$

Files:

%Local Appdata%\3308c706\@
%Local Appdata%\3308c706\X
%WinDir%\assembly\GAC_MSIL\Desktop.ini
%SysDir%\dds_log_trash.cmd
%SysDir%\StkScan.dll

%Local Appdata%\3308c706\X is Rootkit ZeroAccess

NightWatcher — Thu, 09 Feb 2012 12:29:49 +0000

Rootkit \3308c706\X is software that enables continued privileged access to a computer while actively hiding its presence.
Detection and removal of \3308c706\X may be a very difficult process.
You should use anti-rootkit software to fix the \3308c706\X problem.

Malware Analysis of X
Full path on a computer: %Local Appdata%\3308c706\X

Detected by UnHackMe:

Item Name: shell
Author: Unknown
Related File: %Local Appdata%\3308c706\X
Type: User Shell

Item Name: Rootkit: ZeroAccess 32/64.4
Author: Unknown
Related File:
Type: Devices in Memory

Detected by RegRun Warrior:

Item Name: shell
Author: Unknown
Related File: %Local Appdata%\3308c706\X
Type: User Shell

Item Name: netbt.sys
Author: Unknown
Related File: %SYSDIR%\DRIVERS\NETBT.SYS
Type: System Drivers Infected by Rootkit

STKSCAN.DLL
Default location: %SYSDIR%\STKSCAN.DLL
MD5: B89CFBE8CB247B57D8C10ADAA66B462B
SHA1: A4023B8E 38F1E18D 0DFFB435 67C5E0AE F6C8086B
File Size: 5 120

Removal Results: Success
Number of reboot: 1

X is known as:

Rootkit.ZeroAccess, Trojan.Sirefef

X hash:

MD5: fde7e556abc385a39b73919e470fbb1d

How to quickly detect X presence?

Registry:

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SNP2STD\0000\Service: “SNP2STD”
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_SNP2STD\0000\DeviceDesc: “Acedrv07″
HKLM\System\CurrentControlSet\Services\SNP2STD\Parameters\ServiceDll: “%systemroot%\system32\StkScan.dll”
HKLM\System\CurrentControlSet\Services\SNP2STD\DisplayName: “Acedrv07″
HKLM\System\CurrentControlSet\Services\SNP2STD\Description: “New service would allow parents to control their children’s online activity.”
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%Local Appdata%\3308c706\X”

Folders:

%WinDir%\$NtUninstallKB3057$

Files:

%Local Appdata%\3308c706\@
%Local Appdata%\3308c706\X
%WinDir%\assembly\GAC_MSIL\Desktop.ini
%SysDir%\dds_log_trash.cmd
%SysDir%\StkScan.dll

PCDRNT.DLL is Rootkit ZeroAccess

NightWatcher — Thu, 09 Feb 2012 12:08:13 +0000

Rootkit PCDRNT.DLL is software that enables continued privileged access to a computer while actively hiding its presence.
Detection and removal of PCDRNT.DLL may be a very difficult process.
You should use anti-rootkit software to fix the PCDRNT.DLL problem.

Malware Analysis of PCDRNT.DLL
Full path on a computer: %SysDir%\PcdrNt.dll

Detected by RegRun Warrior:

PCDRNT.DLL
Default location: %SysDir%\PcdrNt.dll

Removal Results: Success
Number of reboot: 1

PCDRNT.DLL is known as:

Rootkit.ZeroAccess, Trojan.Sirefef

PCDRNT.DLL hash:

MD5: b89cfbe8cb247b57d8c10adaa66b462b

How to quickly detect PCDRNT.DLL presence?

Registry:

HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ANTIVIRSCHEDULER\0000\Service: “antivirscheduler”
HKLM\System\CurrentControlSet\Services\antivirscheduler\Parameters\ServiceDll: “%systemroot%\system32\PcdrNt.dll”
HKLM\System\CurrentControlSet\Services\antivirscheduler\DisplayName: “Epsonstatusagent2″
HKLM\System\CurrentControlSet\Services\antivirscheduler\Description: “New service would allow parents to control their children’s online activity.”
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%Local Appdata%\3308c706\X”

Folders:

%WinDir%\$NtUninstallKB3057$

Files:

%Local Appdata%\3308c706\@
%Local Appdata%\3308c706\X
%WinDir%\assembly\GAC_MSIL\Desktop.ini
%SysDir%\dds_log_trash.cmd
%SysDir%\PcdrNt.dll

MAYA70DOCSERVER.DLL is Rootkit ZeroAccess

NightWatcher — Thu, 09 Feb 2012 11:23:18 +0000

Rootkit MAYA70DOCSERVER.DLL is software that enables continued privileged access to a computer while actively hiding its presence.
Detection and removal of MAYA70DOCSERVER.DLL may be a very difficult process.
You should use anti-rootkit software to fix the MAYA70DOCSERVER.DLL problem.

Malware Analysis of MAYA70DOCSERVER.DLL
Full path on a computer: %SysDir%\maya70docserver.dll

Detected by UnHackMe:

After first reboot detected by UnHackMe:

Detected by RegRun Warrior:

MAYA70DOCSERVER.DLL
Default location:

Removal Results: Success
Number of reboot: 1

MAYA70DOCSERVER.DLL is known as:

Rootkit.ZeroAccess, Trojan.Sirefef

MAYA70DOCSERVER.DLL hash:

MD5: 11028c6a84a967070cb1286550f2058f

How to quickly detect MAYA70DOCSERVER.DLL presence?

Registry:

HKLM\System\CurrentControlSet\Services\w810mgmt\Parameters\ServiceDll: “%systemroot%\system32\maya70docserver.dll”
HKLM\System\CurrentControlSet\Services\w810mgmt\DisplayName: “Cercsr6″

Folders:

%WinDir%\$NtUninstallKB62478$

Files:

%SysDir%\maya70docserver.dll

INETACCELERATOR.EXE is Trojan Foreign

NightWatcher — Thu, 09 Feb 2012 09:38:53 +0000

The file INETACCELERATOR.EXE is malware related.
You must delete the file INETACCELERATOR.EXE immediately!
Delete the file INETACCELERATOR.EXE without delay!
Kill the process INETACCELERATOR.EXE and remove INETACCELERATOR.EXE from the Windows startup.

Malware Analysis of INETACCELERATOR.EXE
Full path on a computer: %SYSTEM%\INETACCELERATOR.EXE

Detected by RegRun Warrior:

INETACCELERATOR.EXE
Default location: %SYSTEM%\INETACCELERATOR.EXE

Removal Results: Success
Number of reboot: 1

INETACCELERATOR.EXE is known as:

Trojan.Foreign

INETACCELERATOR.EXE hash:

MD5: 95b6951075b43fae354217bb57c07427

How to quickly detect INETACCELERATOR.EXE presence?

Files:

%SYSTEM%\INETACCELERATOR.EXE

_EX-68.EXE is Trojan Banload

NightWatcher — Thu, 09 Feb 2012 09:35:03 +0000

We checked some samples of _EX-68.EXE and detected the file _EX-68.EXE as threat.
Remove the _EX-68.EXE file from your computer right now.
Removal tool: http://www.unhackme.com

Malware Analysis of _EX-68.EXE
Full path on a computer: %Windir%\Temp\_ex-68.exe

Detected by RegRun Warrior:

_EX-68.EXE
Default location: %Windir%\Temp\_ex-68.exe

Removal Results: Success
Number of reboot: 1

_EX-68.EXE is known as:

Trojan.Banload

_EX-68.EXE hash:

MD5: a7e4e91ebd829c972fd5b6fc38b957cf

How to quickly detect _EX-68.EXE presence?

Registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent: “%Windir%\temp\_ex-68.exe”

Files:

%Temp%\1.tmp
%Windir%\Temp\_ex-68.exe

OTYTKF.EXE is Worm Palevo

NightWatcher — Thu, 09 Feb 2012 09:30:35 +0000

The file OTYTKF.EXE is malware related.
You must delete the file OTYTKF.EXE immediately!
Delete the file OTYTKF.EXE without delay!
Kill the process OTYTKF.EXE and remove OTYTKF.EXE from the Windows startup.

Malware Analysis of OTYTKF.EXE
Full path on a computer: %UserProfile%\otytkf.exe

Detected by UnHackMe:

OTYTKF.EXE
Default location: %UserProfile%\otytkf.exe

Removal Results: Success
Number of reboot: 1

OTYTKF.EXE is known as:

Worm.Palevo, Trojan.Rimecud

OTYTKF.EXE hash:

MD5: aad4dac994bf75727bc12b0555d529a8

How to quickly detect OTYTKF.EXE presence?

Registry:

HLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman: “%UserProfile%\otytkf.exe”

Files:

%UserProfile%\otytkf.exe

FUNSHIONINSTALL.EXE is Trojan Delf

NightWatcher — Thu, 09 Feb 2012 09:21:12 +0000

Is the file FUNSHIONINSTALL.EXE located on your computer? Then your computer is infected.
We do suggest you should remove FUNSHIONINSTALL.EXE from your computer as soon as possible.
FUNSHIONINSTALL.EXE is Trojan/Backdoor.
Kill the process FUNSHIONINSTALL.EXE and remove FUNSHIONINSTALL.EXE from the Windows startup.

Malware Analysis of FUNSHIONINSTALL.EXE
Full path on a computer: %Temp%\FunshionInstall.exe

Detected by RegRun Warrior:

FUNSHIONINSTALL.EXE
Default location: %Temp%\FunshionInstall.exe

Removal Results: Success
Number of reboot: 1

FUNSHIONINSTALL.EXE is known as:

Trojan.Delf

FUNSHIONINSTALL.EXE hash:

MD5: c56e9f57356f0f48e1022ba6901aa608

How to quickly detect FUNSHIONINSTALL.EXE presence?

Files:

%Temp%\FunshionInstall.exe
%Temp%\FunshionInstall.exe.ini

MAXTUDOXDB.EXE is Trojan CFI

NightWatcher — Thu, 09 Feb 2012 04:25:53 +0000

We checked up the file MAXTUDOXDB.EXE and found it hazardous.
The file MAXTUDOXDB.EXE must be deleted from the system immediately.
Kill the process MAXTUDOXDB.EXE and remove MAXTUDOXDB.EXE from the Windows startup.

Malware Analysis of MAXTUDOXDB.EXE
Full path on a computer: C:\MAXTUDOXDB.exe

Detected by UnHackMe:

Item Name: MAXTUDOXDB
Author: Unknown
Related File: C:\\MAXTUDOXDB.EXE
Type: Registry Run

Item Name: MAXTUDOXDB.exe
Author: Unknown
Related File: C:\MAXTUDOXDB.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

MAXTUDOXDB.EXE is known as:

Trojan.CFI, Trojan.Toxaic

MAXTUDOXDB.EXE hash:

MD5: 8d51a95f4886a35e3b3f50da393602d4

How to quickly detect MAXTUDOXDB.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MAXTUDOXDB: “C:\\MAXTUDOXDB.exe”

Files:

C:\MAXTUDOXDB.exe

MSDSCSC.EXE is Backdoor Finlosky

NightWatcher — Thu, 09 Feb 2012 03:44:06 +0000

The program MSDSCSC.EXE is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with MSDSCSC.EXE.
Download for free: http://www.unhackme.com

Malware Analysis of MSDSCSC.EXE
Full path on a computer: %Personal%\MSDCSC\msdscsc.exe

Detected by UnHackMe:

Item Name: UserInit
Author: Unknown
Related File: %SysDir%\userinit.exe,%Personal%\MSDCSC\msdscsc.exe
Type: UserInit Value

Item Name: MicroUpdate
Author: Microsoft Corp.
Related File: %PERSONAL%\MSDCSC\MSDSCSC.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

MSDSCSC.EXE is known as:

Backdoor.Finlosky, Backdoor.Krademok

MSDSCSC.EXE hash:

MD5: a4bbbebd9bb26f02a0a7bb7092ac3d06

The file tries to connect to the dangerous web site.

How to quickly detect MSDSCSC.EXE presence?

Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate: “%Personal%\MSDCSC\msdscsc.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%SysDir%\userinit.exe,%Personal%\MSDCSC\msdscsc.exe”

Files:

%Personal%\MSDCSC\msdscsc.exe

PLUGIN01.EXE is Trojan Banker

NightWatcher — Thu, 09 Feb 2012 03:36:49 +0000

The file PLUGIN01.EXE is malware related.
You must delete the file PLUGIN01.EXE immediately!
Delete the file PLUGIN01.EXE without delay!
Kill the process PLUGIN01.EXE and remove PLUGIN01.EXE from the Windows startup.

Malware Analysis of PLUGIN01.EXE
Full path on a computer: %WinDir%\plugin01.exe

Detected by UnHackMe:

Item Name:
Author: Unknown
Related File: %WinDir%\DISKETE.EXE
Type: Registry Run

Item Name: Plugin Live 64
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Registry Run

Item Name: Windows Plugin Two
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Registry Run

Item Name: Windows Plugin Three
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Registry Run

Item Name: Windows Plugin One
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Registry Run

Item Name: plugin64.exe
Author: Unknown
Related File: %WinDir%\PLUGIN64.EXE
Type: Running Processes

Item Name: plugin02.exe
Author: Unknown
Related File: %WinDir%\PLUGIN02.EXE
Type: Running Processes

Item Name: plugin03.exe
Author: Unknown
Related File: %WinDir%\PLUGIN03.EXE
Type: Running Processes

Item Name: plugin01.exe
Author: Unknown
Related File: %WinDir%\PLUGIN01.EXE
Type: Running Processes

Item Name: Flash Plugin
Author: Unknown
Related File: %WinDir%\FLASH-PLUGIN.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

PLUGIN01.EXE is known as:

Trojan.Banker

PLUGIN01.EXE hash:

MD5: d3a84975c627bc0ff3d8ae7dd0901b3d

The file is used for downloading and installing other malware, Trojans, viruses by the commands received from the Command Center.

How to quickly detect PLUGIN01.EXE presence?

Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: “%WinDir%\diskete.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Flash Plugin: “%WinDir%\flash-plugin.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Plugin Live 64: “%WinDir%\plugin64.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Plugin Two: “%WinDir%\plugin02.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin Three: “%WinDir%\plugin03.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Plugin One: “%WinDir%\plugin01.exe”

Files:

%WinDir%\Fonts\eugvx.exe
%WinDir%\Fonts\iqpgi.exe
%WinDir%\Fonts\jtuuy.exe
%WinDir%\Fonts\lnmwm.exe
%WinDir%\Fonts\tcira.exe
%WinDir%\Fonts\vgdmr.exe
%WinDir%\Fonts\wwxtl.exe
%WinDir%\diskete.exe
%WinDir%\flash-plugin.exe
%WinDir%\plugin01.exe
%WinDir%\plugin02.exe
%WinDir%\plugin03.exe
%WinDir%\plugin64.exe

PLUGIN03.EXE is Trojan Banker

NightWatcher — Thu, 09 Feb 2012 03:31:33 +0000

We checked some samples of PLUGIN02.EXE and detected the file PLUGIN02.EXE as threat.
Remove the PLUGIN02.EXE file from your computer right now.
Removal tool: http://www.unhackme.com

Malware Analysis of PLUGIN03.EXE
Full path on a computer: %WinDir%\plugin03.exe