Removed: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe (worm Rayon)

Dmitry Sokolov recommends UnHackMe!


UnHackMe quickly removes pop-up ads, search redirecting, browser hijack, spyware, keyloggers, PC slowdown issues. Download Now!

Download free e-book [PDF]: "How to Easily Remove Malware with UnHackMe"

Join us on Facebook
Click to Download
Solved! The issue has been fixed!
5 Stars (5 / 5)


Share This:

Malware: C:\sand-box\cw2010.exe

Removed: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: Policies
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\EXPLORER.EXE
Type: Explorer Run


Your Vote?
0 0

Item Name: DCOM Client Launcher
Author:
Related File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe /service
Type: Auto Services

Item Name: explorer.exe
Author:
Related File: C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\EXPLORER.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies
Value: “C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe”

Registry: HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\ImagePath
Value: “C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe /service”

Registry: HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Value: “http://comicosy.com”

Files:
C:\Documents and Settings\Administrator\Local Settings\Temp\svcinstall.txt
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe

—————————————————————————————————————————-
Classification:

Antivirus Version Last Update Result
F-Secure 9.0.15370.0 2010.09.25 Trojan.Generic.4652263
Kaspersky 7.0.0.125 2010.09.25 Worm.Win32.Rayon.br
Microsoft 1.6201 2010.09.24 Trojan:Win32/Otran
NOD32 5477 2010.09.24 Win32/Agent.NHU

—————————————————————————————————————————-

MD5 9598abdbe216b9d479cf7c06a9434eeb

SHA1 1408e75a3493bb34a7bb7862f7f4eb5ea00986a5

SHA256 56e8706d617665a3db4e4b3b7ccd5504b2643e5e21056e196cbfc1a920439e77

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added:4
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\Security

———————————-
Values added:12
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Policies: “C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 0×00000001
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\Type: 0×00000010
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\Start: 0×00000002
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\ErrorControl: 0×00000001
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\ImagePath: “C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe /service”
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\DisplayName: “DCOM Client Launcher”
HKLM\System\CurrentControlSet\Services\DCOM Client Launcher\ObjectName: “LocalSystem”
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0×00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0×00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0×00000001

———————————-
Values modified:5
———————————-
(-) HKLM\System\CurrentControlSet\Services\Dnscache\Start: 0×00000002
(+) HKLM\System\CurrentControlSet\Services\Dnscache\Start: 0×00000004
(-) HKLM\System\CurrentControlSet\Services\ERSvc\Start: 0×00000002
(+) HKLM\System\CurrentControlSet\Services\ERSvc\Start: 0×00000004
(-) HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0×00000002
(+) HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0×00000004
(-) HKLM\System\CurrentControlSet\Services\wuauserv\Start: 0×00000002
(+) HKLM\System\CurrentControlSet\Services\wuauserv\Start: 0×00000004
(-) HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: “http://www.google.com/”
(+) HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: “http://comicosy.com”

———————————-
Files added:2
———————————-
C:\Documents and Settings\Administrator\Local Settings\Temp\svcinstall.txt
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\explorer.exe

———————————-
Files [attributes?] modified:1
———————————-
C:\sand-box\cw2010.exe

———————————-
Total changes:24
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com

1. Download UnHackMe free 30-day version

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

Free Download

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10 32 or 64-bit. UnHackMe uses minimum of computer resources.

2. Double click on UnHackMe_setup.exe

You will see a confirmation screen with verified publisher: Greatis Software. Verified Publisher Greatis Software

Once UnHackMe has installed has installed the first Scan will start automatically

Review the detected threats

3. Carefully review the detected threats!

Click Remove button or False Positive.

What to do if you are unable to solve a problem?

UnHackMe Remote Assistant
  1. Open UnHackMe main screen.
  2. Click on a Remote Assistant button.
  3. Follow instructions on a screen.
  4. We will contact you and send a solution of your problem.
  5. Remote assistance is free during trial period.

Enjoy!

Dmitry Sokolov - author of UnHackMe