Malware Analysis and Removal http://greatis.com/blog Malware Analysis and Removal Fri, 25 May 2012 03:34:15 +0000 en hourly 1 http://wordpress.org/?v=3.1.3 OMEGLEVIDSCHECK.EXE is Trojan Agent http://greatis.com/blog/how-to-remove-malware/omeglevidscheck-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/omeglevidscheck-exe.htm#comments Fri, 25 May 2012 03:34:15 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/omeglevidscheck-exe.htm Is the file OMEGLEVIDSCHECK.EXE located on your computer? Then your computer is infected.
We do suggest you should remove OMEGLEVIDSCHECK.EXE from your computer as soon as possible.
OMEGLEVIDSCHECK.EXE is Trojan/Backdoor.
Kill the process OMEGLEVIDSCHECK.EXE and remove OMEGLEVIDSCHECK.EXE from the Windows startup.

Malware Analysis of OMEGLEVIDSCHECK.EXE
Full path on a computer: %Appdata%\OmegleVidsCheck.exe

Detected by UnHackMe:

Item Name: OMessenger
Author:
Related File: %APPDATA%\OMEGLEVIDSCHECK.EXE
Type: Registry Run

Item Name: OmegleVidsCheck.exe
Author:
Related File: %APPDATA%\OMEGLEVIDSCHECK.EXE
Type: Detected using Heuristic Algorithm

Item Name: vbc.exe
Author: Unknown
Related File: %APPDATA%\VBC.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1

OMEGLEVIDSCHECK.EXE is known as:

Trojan.Agent.1193472.O, a variant of MSIL.Injector.ACA, Trojan.MSIL.Crypt.qhp, Trojan.MulDrop3.50658, Trojan.MSIL.dyg, Backdoor.Fynloski.A, W32.Crypt.QHP.tr

OMEGLEVIDSCHECK.EXE hash:

  • MD5: dd82652dc041b93a9763f6d94b4e2c8c
How to quickly detect OMEGLEVIDSCHECK.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OMessenger: “%Appdata%\OmegleVidsCheck.exe”
Files:
  • %Appdata%\dsvgb.txt
  • %Appdata%\OmegleVidsCheck.exe
  • %Appdata%\vbc.exe
  • %Temp%\1C7CF.dmp
  • %Temp%\A4FA.dmp
  • %Temp%\dw.log

]]> http://greatis.com/blog/how-to-remove-malware/omeglevidscheck-exe.htm/feed 0 AFTER.EXE is Trojan Bocinex http://greatis.com/blog/how-to-remove-malware/after-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/after-exe.htm#comments Fri, 25 May 2012 03:07:56 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/after-exe.htm The file AFTER.EXE is malware related.
You must delete the file AFTER.EXE immediately!
Delete the file AFTER.EXE without delay!
Kill the process AFTER.EXE and remove AFTER.EXE from the Windows startup.

Malware Analysis of AFTER.EXE
Full path on a computer: %Appdata%\After.exe

Detected by UnHackMe:

Item Name: bs_stealth
Author: Unknown
Related File: %APPDATA%\AFTER.EXE
Type: Explorer Run

Detected by RegRun Warrior:

Item Name: bs_stealth
Author: Unknown
Related File: %APPDATA%\AFTER.EXE
Type: Explorer Run

Removal Results: Success
Number of reboot: 2

AFTER.EXE is known as:

Trojan.Bocinex, Trojan.DownLoader6, Mal.Keylog-A

AFTER.EXE hash:

  • MD5: 8025b55b4ebf5dd760b51ebb0e1681fa
How to quickly detect AFTER.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\run\bs_stealth: “%Appdata%\After.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\bs_stealth: “%Appdata%\After.exe”
Files:
  • %Appdata%\After.exe
  • %Appdata%\bs_log.dat

]]> http://greatis.com/blog/how-to-remove-malware/after-exe.htm/feed 0 LIB32WAOQ.EXE is Trojan MSIL.Prash http://greatis.com/blog/how-to-remove-malware/lib32waoq-exe-2.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/lib32waoq-exe-2.htm#comments Fri, 25 May 2012 02:51:24 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/lib32waoq-exe-2.htm We checked some samples of LIB32WAOQ.EXE and detected the file LIB32WAOQ.EXE as threat.
Remove the LIB32WAOQ.EXE file from your computer right now.
Removal tool: http://www.unhackme.com

Malware Analysis of LIB32WAOQ.EXE
Full path on a computer: %SysDir%\lib32waoq.exe

Detected by UnHackMe:

Item Name: MediaCenter
Author: IBM Corporation and others
Related File: %SYSDIR%\RGMRTIY.CC3
Type: Svchost DLLs

Item Name: sdTQNLxV
Author:
Related File: %SysDir%\Aywtrpm.exe
Type: Auto Services

Item Name: WaoqSvc
Author:
Related File: %WinDir%\System32\lib32waoq.exe
Type: Auto Services

Item Name: gzqrcddiut
Author:
Related File: %SysDir%\TaHoDkS.exe
Type: Auto Services

Item Name: \WINDOWS\Temp\servcie3252A53.exe
Author: Unknown
Related File: %WinDir%\TEMP\SERVCIE3252A53.EXE
Type: Registry Run

Item Name: \WINDOWS\Temp\servcie3252C53.exe
Author: Unknown
Related File: %WinDir%\TEMP\SERVCIE3252C53.EXE
Type: Registry Run

Item Name: \WINDOWS\Temp\servcie3252E53.exe
Author: Unknown
Related File: %WinDir%\TEMP\SERVCIE3252E53.EXE
Type: Registry Run

Item Name: Aywtrpm.exe
Author: Unknown
Related File: %SYSDIR%\AYWTRPM.EXE
Type: Running Processes

Item Name: lib32waoq.exe
Author: Unknown
Related File: %SYSDIR%\LIB32WAOQ.EXE
Type: Running Processes

Item Name: CkRygNF.exe
Author: Unknown
Related File: %SYSDIR%\CKRYGNF.EXE
Type: Running Processes

Item Name: fNubJqX.exe
Author: Unknown
Related File: %SYSDIR%\FNUBJQX.EXE
Type: Running Processes

Item Name: aHpWDlS.exe
Author: Unknown
Related File: %SYSDIR%\AHPWDLS.EXE
Type: Running Processes

Item Name: TaHoDkS.exe
Author: Unknown
Related File: %SYSDIR%\TAHODKS.EXE
Type: Running Processes

After first reboot detected by UnHackMe:

Item Name: Tcpz-x86
Author:
Related File: \??\C:\Tcpz-x86.sys
Type: Services detected by Partizan

Item Name: WaoqSvc
Author:
Related File: %WinDir%\System32\lib32waoq.exe
Type: Services detected by Partizan

Removal Results: Success
Number of reboot: 2

LIB32WAOQ.EXE is known as:

Trojan.MSIL.Prash, Trojan.Kazy, Troj.Agent

LIB32WAOQ.EXE hash:

  • MD5: 18582085f5f45ace6940fdda963fdd3d
How to quickly detect LIB32WAOQ.EXE presence?

Registry:
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TCPZ-X86\0000\Service: “Tcpz-x86″
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TCPZ-X86\0000\DeviceDesc: “Tcpz-x86″
  • HKLM\System\CurrentControlSet\Services\sdTQNLxV\ImagePath: “%SysDir%\Aywtrpm.exe”
  • HKLM\System\CurrentControlSet\Services\Tcpz-x86\ImagePath: “\??\C:\Tcpz-x86.sys”
  • HKLM\System\CurrentControlSet\Services\Tcpz-x86\DisplayName: “Tcpz-x86″
  • HKLM\System\CurrentControlSet\Services\WaoqSvc\ImagePath: “%WinDir%\System32\lib32waoq.exe”
Files:
  • %SysDir%\Aywtrpm.exe
  • %SysDir%\fdbzwus.exe
  • %SysDir%\knpruwy.exe
  • %SysDir%\lib32waoo.exe
  • %SysDir%\lib32waoq.exe

]]> http://greatis.com/blog/how-to-remove-malware/lib32waoq-exe-2.htm/feed 0 MMIOA5QV0P.EXE is Worm Ainslot http://greatis.com/blog/worm/mmioa5qv0p-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/worm/mmioa5qv0p-exe.htm#comments Fri, 25 May 2012 02:31:02 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/mmioa5qv0p-exe.htm The file MMIOA5QV0P.EXE is a computer worm.
The worm MMIOA5QV0P.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the MMIOA5QV0P.EXE problem as soon as possible!
Delete the file MMIOA5QV0P.EXE from all infected computers in your network.
Set up your network firewall against MMIOA5QV0P.EXE intervention.

Malware Analysis of MMIOA5QV0P.EXE
Full path on a computer: %Appdata%\MMIOA5QV0P.exe

Detected by UnHackMe:

Item Name: Windows Defender
Author: Unknown
Related File: %APPDATA%\MMIOA5QV0P.EXE
Type: Explorer Run

Item Name: {F060EBA9-CABC-5AA7-BFEE-B366627F2AA0}
Author: Unknown
Related File: %APPDATA%\MMIOA5QV0P.EXE
Type: ActiveSetup

Item Name: MMIOA5QV0P.exe
Author: Unknown
Related File: %APPDATA%\MMIOA5QV0P.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1

MMIOA5QV0P.EXE is known as:

Worm.Ainslot, Worm.AutoRun.cdlp, Trojan.VB, TrojWare.Cosmu.BHL, Trojan.Siggen2

MMIOA5QV0P.EXE hash:

  • MD5: 2b39891133a2653d4c68d4badd864320
How to quickly detect MMIOA5QV0P.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Active Setup\Installed Components\{F060EBA9-CABC-5AA7-BFEE-B366627F2AA0}\StubPath: “%Appdata%\MMIOA5QV0P.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Windows Defender: “%Appdata%\MMIOA5QV0P.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender: “%Appdata%\MMIOA5QV0P.exe”
  • HKCU\Software\Microsoft\Active Setup\Installed Components\{F060EBA9-CABC-5AA7-BFEE-B366627F2AA0}\StubPath: “%Appdata%\MMIOA5QV0P.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender: “%Appdata%\MMIOA5QV0P.exe”
Files:
  • %Appdata%\MMIOA5QV0P.exe

]]> http://greatis.com/blog/worm/mmioa5qv0p-exe.htm/feed 0 MSIZPJ32.DLL is Trojan Downloader6 http://greatis.com/blog/how-to-remove-malware/msizpj32-dll.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/msizpj32-dll.htm#comments Thu, 24 May 2012 06:37:57 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/msizpj32-dll.htm We checked some samples of MSIZPJ32.DLL and detected the file MSIZPJ32.DLL as threat.
Remove the MSIZPJ32.DLL file from your computer right now.
Removal tool: http://www.unhackme.com

Malware Analysis of MSIZPJ32.DLL
Full path on a computer: %SYSDIR%\MSIZPJ32.DLL

Detected by UnHackMe:

MSIZPJ32.DLL
Default location: %SYSDIR%\MSIZPJ32.DLL

Removal Results: Success
Number of reboot: 1

MSIZPJ32.DLL is known as:

Trojan.Downloader6

How to quickly detect MSIZPJ32.DLL presence?

Files:
  • %SYSDIR%\MSIZPJ32.DLL

]]> http://greatis.com/blog/how-to-remove-malware/msizpj32-dll.htm/feed 0 50DE5TEEYX.EXE is Trojan Cutwail http://greatis.com/blog/how-to-remove-malware/50de5teeyx-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/50de5teeyx-exe.htm#comments Thu, 24 May 2012 06:34:43 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/50de5teeyx-exe.htm The file 50DE5TEEYX.EXE is malware related.
You must delete the file 50DE5TEEYX.EXE immediately!
Delete the file 50DE5TEEYX.EXE without delay!
Kill the process 50DE5TEEYX.EXE and remove 50DE5TEEYX.EXE from the Windows startup.

Malware Analysis of 50DE5TEEYX.EXE
Full path on a computer: %UserProfile%\50de5teeyx.exe

Detected by UnHackMe:

50DE5TEEYX.EXE
Default location: %UserProfile%\50de5teeyx.exe

Removal Results: Success
Number of reboot: 1

50DE5TEEYX.EXE is known as:

Trojan.Cutwail, Trojan.Agent

50DE5TEEYX.EXE hash:

  • MD5: 3711a14bd5626d172a291b938e996923
How to quickly detect 50DE5TEEYX.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\50de5teeyx: “%UserProfile%\50de5teeyx.exe”
Files:
  • %UserProfile%\50de5teeyx.exe

]]> http://greatis.com/blog/how-to-remove-malware/50de5teeyx-exe.htm/feed 0 KLLKCH4.EXE is Trojan Agent http://greatis.com/blog/how-to-remove-malware/kllkch4-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/kllkch4-exe.htm#comments Thu, 24 May 2012 06:29:48 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/kllkch4-exe.htm Is the file KLLKCH4.EXE located on your computer? Then your computer is infected.
We do suggest you should remove KLLKCH4.EXE from your computer as soon as possible.
KLLKCH4.EXE is Trojan/Backdoor.
Kill the process KLLKCH4.EXE and remove KLLKCH4.EXE from the Windows startup.

Malware Analysis of KLLKCH4.EXE
Full path on a computer: %Windir%\kllkch4.exe

Detected by UnHackMe:

KLLKCH4.EXE
Default location: %Windir%\kllkch4.exe

Removal Results: Success
Number of reboot: 1

KLLKCH4.EXE is known as:

Trojan.Agent

KLLKCH4.EXE hash:

  • MD5: d592ad60b4440afc3a92c9d07e887fe4
How to quickly detect KLLKCH4.EXE presence?

Files:
  • %Windir%\kllkch4.exe
  • %System%\warifout.exe

]]> http://greatis.com/blog/how-to-remove-malware/kllkch4-exe.htm/feed 0 JL8ZG6FX1U.EXE is Trojan Agent http://greatis.com/blog/how-to-remove-malware/jl8zg6fx1u-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/jl8zg6fx1u-exe.htm#comments Thu, 24 May 2012 06:21:22 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/jl8zg6fx1u-exe.htm We checked up the file JL8ZG6FX1U.EXE and found it hazardous.
The file JL8ZG6FX1U.EXE must be deleted from the system immediately.
Kill the process JL8ZG6FX1U.EXE and remove JL8ZG6FX1U.EXE from the Windows startup.

Malware Analysis of JL8ZG6FX1U.EXE
Full path on a computer: %UserProfile%\jl8zg6fx1u.exe

Detected by UnHackMe:

JL8ZG6FX1U.EXE
Default location: %UserProfile%\jl8zg6fx1u.exe

Removal Results: Success
Number of reboot: 1

JL8ZG6FX1U.EXE is known as:

Trojan.Agent, Trojan.Siggen3

JL8ZG6FX1U.EXE hash:

  • MD5: 85210d6110a5a462481b4c68f1f3c8aa
How to quickly detect JL8ZG6FX1U.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jl8zg6fx1u: “%UserProfile%\jl8zg6fx1u.exe”
Files:
  • %UserProfile%\jl8zg6fx1u.exe

]]> http://greatis.com/blog/how-to-remove-malware/jl8zg6fx1u-exe.htm/feed 0 LIB32WAOQ.EXE is Backdoor Advo http://greatis.com/blog/backdoor/lib32waoq-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/backdoor/lib32waoq-exe.htm#comments Thu, 24 May 2012 06:14:26 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/lib32waoq-exe.htm The program LIB32WAOQ.EXE is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with LIB32WAOQ.EXE.
Download for free: http://www.unhackme.com

Malware Analysis of LIB32WAOQ.EXE
Full path on a computer: %System%\lib32waoq.exe

Detected by UnHackMe:

LIB32WAOQ.EXE
Default location: %System%\lib32waoq.exe

Removal Results: Success
Number of reboot: 1

LIB32WAOQ.EXE is known as:

Backdoor.Advo, TrojanDropper.MSIL, MSIL.Prash

LIB32WAOQ.EXE hash:

  • MD5: 18582085f5f45ace6940fdda963fdd3d
How to quickly detect LIB32WAOQ.EXE presence?

Registry:
  • HKLM\SYSTEM\ControlSet001\Services\WaoqSvc\ImagePath: “%System%\lib32waoq.exe”
Files:
  • %System%\lib32waoq.exe

]]> http://greatis.com/blog/backdoor/lib32waoq-exe.htm/feed 0 BIN.EXE is Rootkit SpyEye http://greatis.com/blog/rootkit/bin-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/rootkit/bin-exe.htm#comments Thu, 24 May 2012 05:59:19 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/bin-exe.htm Rootkit BIN.EXE is software that enables continued privileged access to a computer while actively hiding its presence.
Detection and removal of BIN.EXE may be a very difficult process.
You should use anti-rootkit software to fix the BIN.EXE problem.

Malware Analysis of BIN.EXE
Full path on a computer: %Common Appdata%\default\bin.exe

Detected by UnHackMe:

Item Name: default
Author: Unknown
Related File: %COMMON APPDATA%\DEFAULT\BIN.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

BIN.EXE is known as:

Rootkit.SpyEye, Trojan.Hottrend

BIN.EXE hash:

  • MD5: 08ab7f68c6b3a4a2a745cc244d41d213
How to quickly detect BIN.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\default: “%Common Appdata%\default\bin.exe”
Files:
  • %Appdata%\Mozilla\Firefox\Profiles\gi17c3pt.default\user.js
  • %Common Appdata%\default\bin.exe

]]> http://greatis.com/blog/rootkit/bin-exe.htm/feed 0 G_SERVER.DLL is Backdoor Hupigon http://greatis.com/blog/backdoor/g_server-dll.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/backdoor/g_server-dll.htm#comments Thu, 24 May 2012 03:24:56 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/g_server-dll.htm The program G_SERVER.DLL is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with G_SERVER.DLL.
Download for free: http://www.unhackme.com

Malware Analysis of G_SERVER.DLL
Full path on a computer: %WinDir%\G_Server.exe

After first reboot detected by UnHackMe:

Item Name: PigeonServer
Author:
Related File: %WinDir%\G_Server.exe
Type: Auto Services

Item Name: PigeonServer
Author:
Related File: %WinDir%\G_SERVER.EXE
Type: Services detected by Partizan

Item Name: mchInjDrv
Author:
Related File: \??\%WinDir%\TEMP\mc21.tmp
Type: Services detected by Partizan

After second reboot detected by UnHackMe:

Item Name: G_Server.DLL
Author: Unknown
Related File: %WinDir%\G_SERVER.DLL
Type: Detected using Heuristic Algorithm

Item Name: G_ServerKey.DLL
Author: Unknown
Related File: %WinDir%\G_SERVERKEY.DLL
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 3

G_SERVER.DLL is known as:

Backdoor.Hupigon, Backdoor.Graybird

G_SERVER.DLL hash:

  • MD5: 70b1ddcd523542c0450ea64a5a241c12
How to quickly detect G_SERVER.DLL presence?

Registry:
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\Service: “mchInjDrv”
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MCHINJDRV\0000\DeviceDesc: “mchInjDrv”
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PIGEONSERVER\0000\Service: “PigeonServer”
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_PIGEONSERVER\0000\DeviceDesc: “Pigeon_Server”
  • HKLM\System\CurrentControlSet\Services\mchInjDrv\ImagePath: “\??\%WinDir%\TEMP\mc21.tmp”
  • HKLM\System\CurrentControlSet\Services\PigeonServer\ImagePath: “%WinDir%\G_Server.exe”
Files:
  • %WinDir%\G_Server.DLL
  • %WinDir%\G_Server.exe
  • %WinDir%\G_ServerKey.DLL
  • %WinDir%\G_Server_HOOk.DLL

]]> http://greatis.com/blog/backdoor/g_server-dll.htm/feed 0 AUDIO PERFORMER53484.EXE is Trojan InstallBrain http://greatis.com/blog/how-to-remove-malware/audio-performer53484-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/audio-performer53484-exe.htm#comments Wed, 23 May 2012 03:09:45 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/audio-performer53484-exe.htm The file AUDIO PERFORMER53484.EXE is malware related.
You must delete the file AUDIO PERFORMER53484.EXE immediately!
Delete the file AUDIO PERFORMER53484.EXE without delay!
Kill the process AUDIO PERFORMER53484.EXE and remove AUDIO PERFORMER53484.EXE from the Windows startup.

Malware Analysis of AUDIO PERFORMER53484.EXE
Full path on a computer: %Temp%\Audio Performer53484.exe

Detected by UnHackMe:

AUDIO PERFORMER53484.EXE
Default location: %Temp%\Audio Performer53484.exe

Removal Results: Success
Number of reboot: 1

AUDIO PERFORMER53484.EXE is known as:

Trojan.InstallBrain, Adware.Downware

AUDIO PERFORMER53484.EXE hash:

  • MD5: 13c5320aa895e481c527a36b53db48da
The file tries to connect to the dangerous web site.
How to quickly detect AUDIO PERFORMER53484.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Audio Performer53484.exe: “”%Temp%\Audio Performer53484.exe” /XML=”%Temp%\1.tmp” /STP=1:2″
Files:
  • %Temp%\Audio Performer53484.exe

]]> http://greatis.com/blog/how-to-remove-malware/audio-performer53484-exe.htm/feed 0 LINGPC.EXE is Trojan MSIL.KeyLogger http://greatis.com/blog/how-to-remove-malware/lingpc-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/lingpc-exe.htm#comments Wed, 23 May 2012 02:55:07 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/lingpc-exe.htm Is the file LINGPC.EXE located on your computer? Then your computer is infected.
We do suggest you should remove LINGPC.EXE from your computer as soon as possible.
LINGPC.EXE is Trojan/Backdoor.
Kill the process LINGPC.EXE and remove LINGPC.EXE from the Windows startup.

Malware Analysis of LINGPC.EXE
Full path on a computer: %Appdata%\Microsoft\Windows\Drivers\lingpc.exe

Detected by UnHackMe:

Item Name: Adobe Drivers
Author: Windows Photo Viewer
Related File: %APPDATA%\MICROSOFT\WINDOWS\DRIVERS\LINGPC.EXE
Type: Registry Run

Item Name: lingpc.exe
Author: Windows Photo Viewer
Related File: %APPDATA%\MICROSOFT\WINDOWS\DRIVERS\LINGPC.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

LINGPC.EXE is known as:

Trojan.MSIL.KeyLogger

LINGPC.EXE hash:

  • MD5: f67babe9f92b3b038146c14c497b1870
The file tries to download information from some web sites.
How to quickly detect LINGPC.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers: “%Appdata%\Microsoft\Windows\Drivers\lingpc.exe”
Files:
  • %Appdata%\Microsoft\Windows\Drivers\lingpc.exe
  • %Temp%\Software\ttreceipt.exe
  • %Temp%\Software\ttreceipt.jpg

]]> http://greatis.com/blog/how-to-remove-malware/lingpc-exe.htm/feed 0 NBJICJ98.EXE is Trojan Agent http://greatis.com/blog/how-to-remove-malware/nbjicj98-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/nbjicj98-exe.htm#comments Wed, 23 May 2012 02:45:39 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/nbjicj98-exe.htm The file NBJICJ98.EXE is malware related.
You must delete the file NBJICJ98.EXE immediately!
Delete the file NBJICJ98.EXE without delay!
Kill the process NBJICJ98.EXE and remove NBJICJ98.EXE from the Windows startup.

Malware Analysis of NBJICJ98.EXE
Full path on a computer: %Appdata%\nbjicj98.exe

Detected by UnHackMe:

Item Name: nbjicj98
Author: Unknown
Related File: %APPDATA%\NBJICJ98.EXE
Type: Registry Run

Item Name: nbjicj98.exe
Author: Unknown
Related File: %APPDATA%\NBJICJ98.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

NBJICJ98.EXE is known as:

Trojan.Agent, Trojan.DownLoad2

NBJICJ98.EXE hash:

  • MD5: 4a7ef491c4db956facd6026427dc2d54
The file is used for downloading and installing other malware, Trojans, viruses by the commands received from the Command Center.
How to quickly detect NBJICJ98.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\nbjicj98: “%Appdata%\nbjicj98.exe”
Files:
  • %Appdata%\nbjicj98.exe

]]> http://greatis.com/blog/how-to-remove-malware/nbjicj98-exe.htm/feed 0 SHIELD.EXE is Trojan CodecPack http://greatis.com/blog/how-to-remove-malware/shield-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/shield-exe.htm#comments Wed, 23 May 2012 02:36:29 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/shield-exe.htm We checked up the file SHIELD.EXE and found it hazardous.
The file SHIELD.EXE must be deleted from the system immediately.
Kill the process SHIELD.EXE and remove SHIELD.EXE from the Windows startup.

Malware Analysis of SHIELD.EXE
Full path on a computer: %SysDir%\Shield.exe

Detected by UnHackMe:

SHIELD.EXE
Default location: %SysDir%\Shield.exe

Removal Results: Success
Number of reboot: 1

SHIELD.EXE is known as:

Trojan.CodecPack, Trojan.Scar, Trojan.Jorik

SHIELD.EXE hash:

  • MD5: a45a1ccf6842b032b7f2ef2f2255c81c
How to quickly detect SHIELD.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Shield.exe: “%SysDir%\Shield.exe”
Files:
  • %SysDir%\Shield.exe

]]> http://greatis.com/blog/how-to-remove-malware/shield-exe.htm/feed 0 WINRAR PASSWORD UNLOCKER 2012 1.8V.EXE http://greatis.com/blog/unknown/winrar-password-unlocker-2012-1-8v-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/unknown/winrar-password-unlocker-2012-1-8v-exe.htm#comments Tue, 22 May 2012 10:40:30 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/winrar-password-unlocker-2012-1-8v-exe.htm WINRAR PASSWORD UNLOCKER 2012 1.8V.EXE is unknown, probably legitimate.
If the file WINRAR PASSWORD UNLOCKER 2012 1.8V.EXE is located on your computer, download UnHackMe for free to fix the problem with WINRAR PASSWORD UNLOCKER 2012 1.8V.EXE.

Malware Analysis of WINRAR PASSWORD UNLOCKER 2012 1.8V.EXE
Full path on a computer: %TEMP%\WINRAR PASSWORD UNLOCKER 2012 1.8V.EXE

Detected by UnHackMe:

WINRAR PASSWORD UNLOCKER 2012 1.8V.EXE
Default location: %TEMP%\WINRAR PASSWORD UNLOCKER 2012 1.8V.EXE

Removal Results: Success
Number of reboot: 1

How to quickly detect WINRAR PASSWORD UNLOCKER 2012 1.8V.EXE presence?

Files:
  • %TEMP%\WINRAR PASSWORD UNLOCKER 2012 1.8V.EXE

]]> http://greatis.com/blog/unknown/winrar-password-unlocker-2012-1-8v-exe.htm/feed 0 DISPLAYOSD.EXE is Trojan Downloader5 http://greatis.com/blog/how-to-remove-malware/displayosd-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/displayosd-exe.htm#comments Tue, 22 May 2012 10:00:11 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/displayosd-exe.htm The file DISPLAYOSD.EXE is malware related.
You must delete the file DISPLAYOSD.EXE immediately!
Delete the file DISPLAYOSD.EXE without delay!
Kill the process DISPLAYOSD.EXE and remove DISPLAYOSD.EXE from the Windows startup.

Malware Analysis of DISPLAYOSD.EXE
Full path on a computer: %APPDATA%\MICROSOFT\WINDOWS\DISPLAYOSD.EXE

Detected by UnHackMe:

DISPLAYOSD.EXE
Default location: %APPDATA%\MICROSOFT\WINDOWS\DISPLAYOSD.EXE

Removal Results: Success
Number of reboot: 1

DISPLAYOSD.EXE is known as:

Trojan.Downloader5

How to quickly detect DISPLAYOSD.EXE presence?

Files:
  • %APPDATA%\MICROSOFT\WINDOWS\DISPLAYOSD.EXE
  • %PROFILE%\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\U98D4X8H\UPDATE1016[1].DAT
  • %APPDATA%\MICROSOFT\WINDOWS\PREFERENCES
  • %PROFILE%\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KHMHGZ4F\UPDATE1015[1].DAT
  • %APPDATA%\MICROSOFT\WINDOWS\SETUP.DAT

]]> http://greatis.com/blog/how-to-remove-malware/displayosd-exe.htm/feed 0 GOOGLEUP.EXE is Worm Prolaco http://greatis.com/blog/worm/googleup-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/worm/googleup-exe.htm#comments Tue, 22 May 2012 09:55:58 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/googleup-exe.htm Is the file GOOGLEUP.EXE located on your computer? Then your computer is infected.
We do suggest you should remove GOOGLEUP.EXE from your computer as soon as possible.
GOOGLEUP.EXE is Trojan/Backdoor.
Kill the process GOOGLEUP.EXE and remove GOOGLEUP.EXE from the Windows startup.

Malware Analysis of GOOGLEUP.EXE
Full path on a computer: %System%\Googleup.exe

Detected by UnHackMe:

GOOGLEUP.EXE
Default location: %System%\Googleup.exe

Removal Results: Success
Number of reboot: 1

GOOGLEUP.EXE is known as:

Worm.Prolaco

GOOGLEUP.EXE hash:

  • MD5: 4d6501531228079afef5b87dd04af31a
How to quickly detect GOOGLEUP.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdaterv1: “%System%\Googleup.exe”
Files:
  • %Windir%\mswinsck.sys
  • %System%\explore.exe
  • %System%\Googleup.exe

]]> http://greatis.com/blog/worm/googleup-exe.htm/feed 0 SVCXDCL32.EXE is Troyan Barys http://greatis.com/blog/troyan-2/svcxdcl32-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/troyan-2/svcxdcl32-exe.htm#comments Tue, 22 May 2012 09:49:11 +0000 NightWatcher ]]> http://greatis.com/blog/how-to-remove-malware/svcxdcl32-exe.htm We checked up the file SVCXDCL32.EXE and found it hazardous.
The file SVCXDCL32.EXE must be deleted from the system immediately.
Kill the process SVCXDCL32.EXE and remove SVCXDCL32.EXE from the Windows startup.

Malware Analysis of SVCXDCL32.EXE
Full path on a computer: %AppData%\svcxdcl32.exe

Detected by UnHackMe:

SVCXDCL32.EXE
Default location: %AppData%\svcxdcl32.exe

Removal Results: Success
Number of reboot: 1

SVCXDCL32.EXE is known as:

Troyan.Barys

SVCXDCL32.EXE hash:

  • MD5: 8a0ddd3b425c49d201473ce3069353d6
How to quickly detect SVCXDCL32.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Svc2dll: “%AppData%\svcxdcl32.exe”
Files:
  • %AppData%\svcxdcl32.dat
  • %AppData%\svcxdcl32.exe
  • %AppData%\svcxdcl32_v.dll

]]> http://greatis.com/blog/troyan-2/svcxdcl32-exe.htm/feed 0 BITCOIN.EXE is Backdoor Qbot http://greatis.com/blog/backdoor/bitcoin-exe-2.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/backdoor/bitcoin-exe-2.htm#comments Tue, 22 May 2012 09:23:20 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/bitcoin-exe-2.htm The program BITCOIN.EXE is used for hidden penetration into PC and its remote administration.
UnHackMe is recommended as a reliable program for solving the problem with BITCOIN.EXE.
Download for free: http://www.unhackme.com

Malware Analysis of BITCOIN.EXE
Full path on a computer: %Temp%\tmp878dd1ff\bitcoin.exe

Detected by UnHackMe:

BITCOIN.EXE
Default location: %Temp%\tmp878dd1ff\bitcoin.exe

Removal Results: Success
Number of reboot: 1

BITCOIN.EXE is known as:

Backdoor.Qbot

BITCOIN.EXE hash:

  • MD5: 1bbb6ef0487c8100eb7acddfcb12fde8
How to quickly detect BITCOIN.EXE presence?

Files:
  • %AppData%\SCleaner\config
  • %AppData%\SCleaner\scleaner.exe
  • %AppData%\SCleaner\sndmgr.exe
  • %Temp%\tmp878dd1ff\bitcoin.exe
  • %AppData%\Segoep\uqyr.exi
  • %AppData%\Upilve\evis.exe
  • %Temp%\tmp90b9d3dc.bat

]]> http://greatis.com/blog/backdoor/bitcoin-exe-2.htm/feed 0 QGL6WO88SW.EXE is Trojan Cutwail http://greatis.com/blog/how-to-remove-malware/qgl6wo88sw-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/qgl6wo88sw-exe.htm#comments Tue, 22 May 2012 09:16:23 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/qgl6wo88sw-exe.htm The file QGL6WO88SW.EXE is malware related.
You must delete the file QGL6WO88SW.EXE immediately!
Delete the file QGL6WO88SW.EXE without delay!
Kill the process QGL6WO88SW.EXE and remove QGL6WO88SW.EXE from the Windows startup.

Malware Analysis of QGL6WO88SW.EXE
Full path on a computer: %UserProfile%\qgl6wo88sw.exe

Detected by UnHackMe:

QGL6WO88SW.EXE
Default location: %UserProfile%\qgl6wo88sw.exe

Removal Results: Success
Number of reboot: 1

QGL6WO88SW.EXE is known as:

Trojan.Cutwail

QGL6WO88SW.EXE hash:

  • MD5: 17c9efaf7f70581319b1cf2a3e66d20c
How to quickly detect QGL6WO88SW.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qgl6wo88sw: “%UserProfile%\qgl6wo88sw.exe”
Files:
  • %UserProfile%\qgl6wo88sw.exe

]]> http://greatis.com/blog/how-to-remove-malware/qgl6wo88sw-exe.htm/feed 0 WWMY7SHQ7D.EXE is Trojan Downloader http://greatis.com/blog/how-to-remove-malware/wwmy7shq7d-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/wwmy7shq7d-exe.htm#comments Tue, 22 May 2012 07:39:43 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/wwmy7shq7d-exe.htm We checked some samples of WWMY7SHQ7D.EXE and detected the file WWMY7SHQ7D.EXE as threat.
Remove the WWMY7SHQ7D.EXE file from your computer right now.
Removal tool: http://www.unhackme.com

Malware Analysis of WWMY7SHQ7D.EXE
Full path on a computer: %UserProfile%\wwmy7shq7d.exe

Detected by UnHackMe:

WWMY7SHQ7D.EXE
Default location: %UserProfile%\wwmy7shq7d.exe

Removal Results: Success
Number of reboot: 1

WWMY7SHQ7D.EXE is known as:

Trojan.Downloader

WWMY7SHQ7D.EXE hash:

  • MD5: 366bbaf55c66966bcff276556a1606ca
How to quickly detect WWMY7SHQ7D.EXE presence?

Registry:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wwmy7shq7d: “%UserProfile%\wwmy7shq7d.exe”
Files:
  • %UserProfile%\wwmy7shq7d.exe

]]> http://greatis.com/blog/how-to-remove-malware/wwmy7shq7d-exe.htm/feed 0 IQS.EXE is Trojan Facebook http://greatis.com/blog/how-to-remove-malware/iqs-exe-2.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/iqs-exe-2.htm#comments Tue, 22 May 2012 07:28:26 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/iqs-exe-2.htm The file IQS.EXE is a computer worm.
The worm IQS.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the IQS.EXE problem as soon as possible!
Delete the file IQS.EXE from all infected computers in your network.
Set up your network firewall against IQS.EXE intervention.

Malware Analysis of IQS.EXE
Full path on a computer: %WinDir%\iqs.exe

Detected by UnHackMe:

Item Name: Microsoft Firevall Engine
Author: Google Inc.
Related File: %WinDir%\IQS.EXE
Type: Registry Run

Item Name: iqs.exe
Author: Google Inc.
Related File: %WinDir%\IQS.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1

IQS.EXE is known as:

Trojan.Facebook, Trojan.Gyimface, Trojan.Msil, Worm.Stekct

IQS.EXE hash:

  • MD5: 7a25f877bdab40a055cf8452885d1952
How to quickly detect IQS.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine: “c:\windows\iqs.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine: “c:\windows\iqs.exe”
Files:
  • %WinDir%\iqs.exe

]]> http://greatis.com/blog/how-to-remove-malware/iqs-exe-2.htm/feed 0 VM_STI.EXE is Trojan PWS.QQRob http://greatis.com/blog/how-to-remove-malware/vm_sti-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/vm_sti-exe.htm#comments Tue, 22 May 2012 03:44:12 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/vm_sti-exe.htm We checked some samples of VM_STI.EXE and detected the file VM_STI.EXE as threat.
Remove the VM_STI.EXE file from your computer right now.
Removal tool: http://www.unhackme.com

Malware Analysis of VM_STI.EXE
Full path on a computer: %SysDir%\VM_STI.exe

Detected by UnHackMe:

VM_STI.EXE
Default location: %SYSDIR%\VM_STI.EXE

Removal Results: Success
Number of reboot: 1

VM_STI.EXE is known as:

Trojan.PWS.QQRob, Worm.Mytob, Trojan.PWS.Qqrobber

VM_STI.EXE hash:

  • MD5: a9cfc6cf103b6335c4abb7b2f1b4ff9c
How to quickly detect VM_STI.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VM_STI: “%SysDir%\VM_STI.exe”
Files:
  • %SysDir%\VM_STI.exe

]]> http://greatis.com/blog/how-to-remove-malware/vm_sti-exe.htm/feed 0 LEXPLORER.EXE is Worm Rebhip http://greatis.com/blog/worm/lexplorer-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/worm/lexplorer-exe.htm#comments Tue, 22 May 2012 03:19:03 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/lexplorer-exe.htm The file LEXPLORER.EXE is a computer worm.
The worm LEXPLORER.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the LEXPLORER.EXE problem as soon as possible!
Delete the file LEXPLORER.EXE from all infected computers in your network.
Set up your network firewall against LEXPLORER.EXE intervention.

Malware Analysis of LEXPLORER.EXE
Full path on a computer: C:\dir\install\install\lexplorer.exe

Detected by UnHackMe:

Item Name: Policies
Author: Oracle Corporation
Related File: C:\DIR\INSTALL\INSTALL\LEXPLORER.EXE
Type: Explorer Run

Item Name: {04OHYM65-37FP-1FE4-K76U-0KBA85HM3856}
Author:
Related File: C:\DIR\INSTALL\INSTALL\LEXPLORER.EXE
Type: ActiveSetup

Item Name: svchost
Author: Oracle Corporation
Related File: C:\DIR\INSTALL\INSTALL\LEXPLORER.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

LEXPLORER.EXE is known as:

Worm.Rebhip, Trojan.Rbot, Trojan.Injector, Backdoor.Ursap

LEXPLORER.EXE hash:

  • MD5: 4b9a61da95506308dba4f9dbd1122d07
How to quickly detect LEXPLORER.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Active Setup\Installed Components\{04OHYM65-37FP-1FE4-K76U-0KBA85HM3856}\StubPath: “C:\dir\install\install\lexplorer.EXE”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies: “C:\dir\install\install\lexplorer.EXE”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost: “C:\dir\install\install\lexplorer.EXE”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies: “C:\dir\install\install\lexplorer.EXE”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost: “C:\dir\install\install\lexplorer.EXE”
Folders:
  • C:\dir\install\install
Files:
  • %Appdata%\logs.dat
  • %Temp%\UuU.uUu
  • %Temp%\XxX.xXx
  • C:\dir\install\install\lexplorer.exe

]]> http://greatis.com/blog/worm/lexplorer-exe.htm/feed 0 ITUNES_SERVICE86.EXE is Trojan Ransom.Gimemo http://greatis.com/blog/how-to-remove-malware/itunes_service86-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/how-to-remove-malware/itunes_service86-exe.htm#comments Tue, 22 May 2012 02:58:28 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/itunes_service86-exe.htm Ransom Screen Locker ITUNES_SERVICE86.EXE is a malicious program. ITUNES_SERVICE86.EXE blocks user access to a computer that it infects. ITUNES_SERVICE86.EXE demands a ransom paid for unlocking the computer.

Malware Analysis of ITUNES_SERVICE86.EXE
Full path on a computer: %Appdata%\itunes_service86.exe

Detected by RegRun Warrior:

Item Name: shell
Author: Unknown
Related File: %Appdata%\itunes_service86.exe
Type: System.ini

Item Name: UserInit
Author: Unknown
Related File: %Appdata%\itunes_service86.exe,%WinDir%\System32\userinit.exe,
Type: UserInit Value

Item Name: VX5LWxsct4OYCCz
Author: Unknown
Related File: %APPDATA%\ITUNES_SERVICE86.EXE
Type: Registry Run

Removal Results: Success
Number of reboot: 1

ITUNES_SERVICE86.EXE is known as:

Trojan.Ransom.Gimemo, Trojan.Injector, Trojan.LockScreen, Trojan.ABot

ITUNES_SERVICE86.EXE hash:

  • MD5: 7944a9eaac350ae8c8a0d2ddfcc07201
The file tries to download information from some web sites.
How to quickly detect ITUNES_SERVICE86.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Active Setup\Installed Components\{XeJngJXf-ODXg-ffJf-IGRj-b8ZmzFObCacv}\VX5LWxsct4OYCCz: “”%Appdata%\itunes_service86.exe” /ActiveX”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VX5LWxsct4OYCCz: “%Appdata%\itunes_service86.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VX5LWxsct4OYCCz: “%Appdata%\itunes_service86.exe”
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%Appdata%\itunes_service86.exe”
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%Appdata%\itunes_service86.exe,%WinDir%\System32\userinit.exe,”
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “%Appdata%\itunes_service86.exe”
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%Appdata%\itunes_service86.exe,%WinDir%\System32\userinit.exe,”
Files:
  • %Appdata%\itunes_service86.exe

]]> http://greatis.com/blog/how-to-remove-malware/itunes_service86-exe.htm/feed 0 Worm Stekct http://greatis.com/blog/worm/worm_stekct.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/worm/worm_stekct.htm#comments Mon, 21 May 2012 11:31:32 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/worm_stekct.htm The “Worm_Stekct” is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the “Worm_Stekct” problem as soon as possible!
Delete the “Worm_Stekct” from all infected computers in your network.
Set up your network firewall against “Worm_Stekct” intervention.

Malware Analysis of “Worm_Stekct”
Full path on a computer: %WinDir%\IQS.EXE

Detected by UnHackMe:

Item Name: Microsoft Firevall Engine
Author: Unknown
Related File: %WinDir%\IQS.EXE
Type: Registry Run

Item Name: IQS.EXE
Author: Unknown
Related File: %WinDir%\IQS.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1

“Worm_Stekct” is known as:

Worm.Stekct, Worm.Daws, Worm.Multim

“Worm_Stekct” hash:

  • MD5: 8fb8586175c88a14efb805c7b427c095
The file tries to download information from some web sites.
How to quickly detect “Worm_Stekct” presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine: “c:\windows\IQS.EXE”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine: “c:\windows\IQS.EXE”
Files:
  • %WinDir%\IQS.EXE

]]> http://greatis.com/blog/worm/worm_stekct.htm/feed 0 IQS.EXE is Worm Stekct http://greatis.com/blog/worm/iqs-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/worm/iqs-exe.htm#comments Mon, 21 May 2012 11:18:44 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/iqs-exe.htm The file IQS.EXE is a computer worm.
The worm IQS.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the IQS.EXE problem as soon as possible!
Delete the file IQS.EXE from all infected computers in your network.
Set up your network firewall against IQS.EXE intervention.

Malware Analysis of IQS.EXE
Full path on a computer: %WinDir%\IQS.EXE

Detected by UnHackMe:

Item Name: Microsoft Firevall Engine
Author: Unknown
Related File: %WinDir%\IQS.EXE
Type: Registry Run

Item Name: IQS.EXE
Author: Unknown
Related File: %WinDir%\IQS.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1

IQS.EXE is known as:

Worm.Stekct, Worm.Daws, Worm.Multim

IQS.EXE hash:

  • MD5: 8fb8586175c88a14efb805c7b427c095
The file tries to download information from some web sites.
How to quickly detect IQS.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine: “c:\windows\IQS.EXE”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine: “c:\windows\IQS.EXE”
Files:
  • %WinDir%\IQS.EXE

]]> http://greatis.com/blog/worm/iqs-exe.htm/feed 0 Picture13.JPG_www.facebook.com is Worm Stekct http://greatis.com/blog/worm/picture13-jpg_www-facebook-com.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/worm/picture13-jpg_www-facebook-com.htm#comments Mon, 21 May 2012 11:10:19 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/iqs-exe.htm The file Picture13.JPG_www.facebook.com is a computer worm.
The worm Picture13.JPG_www.facebook.com is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the Picture13.JPG_www.facebook.com problem as soon as possible!
Delete the file Picture13.JPG_www.facebook.com from all infected computers in your network.
Set up your network firewall against Picture13.JPG_www.facebook.com intervention.

Malware Analysis of Picture13.JPG_www.facebook.com
Full path on a computer: %WinDir%\IQS.EXE

Detected by UnHackMe:

Item Name: Microsoft Firevall Engine
Author: Unknown
Related File: %WinDir%\IQS.EXE
Type: Registry Run

Item Name: IQS.EXE
Author: Unknown
Related File: %WinDir%\IQS.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1

Picture13.JPG_www.facebook.com is known as:

Worm.Stekct, Worm.Daws, Worm.Multim

IQS.EXE hash:

  • MD5: 8fb8586175c88a14efb805c7b427c095
The file tries to download information from some web sites.
How to quickly detect Picture13.JPG_www.facebook.com presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine: “c:\windows\IQS.EXE”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine: “c:\windows\IQS.EXE”
Files:
  • %WinDir%\IQS.EXE

]]> http://greatis.com/blog/worm/picture13-jpg_www-facebook-com.htm/feed 0 WINSRV.EXE is Worm Stekct http://greatis.com/blog/worm/winsrv-exe.htm#utm_source=feed&utm_medium=feed&utm_campaign=feed http://greatis.com/blog/worm/winsrv-exe.htm#comments Mon, 21 May 2012 10:56:58 +0000 NightWatcher http://greatis.com/blog/how-to-remove-malware/winsrv-exe.htm The file WINSRV.EXE is a computer worm.
The worm WINSRV.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the WINSRV.EXE problem as soon as possible!
Delete the file WINSRV.EXE from all infected computers in your network.
Set up your network firewall against WINSRV.EXE intervention.

Malware Analysis of WINSRV.EXE
Full path on a computer: %WinDir%\winsrv.exe

Detected by UnHackMe:

Item Name: Microsoft Firevall Engine
Author: Unknown
Related File: %WinDir%\WINSRV.EXE
Type: Registry Run

Item Name: winsrv.exe
Author: Unknown
Related File: %WinDir%\WINSRV.EXE
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboot: 1

WINSRV.EXE is known as:

Worm.Stekct, Worm.Daws, Worm.Multim

WINSRV.EXE hash:

  • MD5: 8fb8586175c88a14efb805c7b427c095
The file tries to download information from some web sites.
How to quickly detect WINSRV.EXE presence?

Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine: “c:\windows\winsrv.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Firevall Engine: “c:\windows\winsrv.exe”
Files:
  • %WinDir%\winsrv.exe

]]> http://greatis.com/blog/worm/winsrv-exe.htm/feed 0