VWORD.EXE is trojan Injector

August 24, 2011 by NightWatcher
Filed under: Malware, Solved!

You should download the removal tool here...

The file VWORD.EXE is malware-related.
You must delete the file VWORD.EXE immediately!
Kill the VWORD.EXE process and remove VWORD.EXE from the Windows startup entries.

Malware Analysis of VWORD.EXE
Executed: file-2646487.exe
Removed: vWord.exe. Full path: %Appdata%\vWord\vWord.exe

Detected by UnHackMe:

Item Name: SPService
Author: Unknown
Related File: %COMMON APPDATA%\ASHAMPOO\SP.DLL
Type: Svchost DLLs

Item Name: MBR Rootkit
Author: Unknown
Related File: MBR Rootkit: TDL4
Type: MBR

Item Name: conhost
Author: Unknown
Related File: %APPDATA%\MICROSOFT\CONHOST.EXE
Type: Registry Run

Item Name: shell
Author: Unknown
Related File: explorer.exe, svdhalp.exe
Type: System.ini

Item Name: shell
Author: Unknown
Related File: explorer.exe,%Appdata%\dwm.exe
Type: User Shell

Item Name: Systems
Author: Unknown
Related File: %APPDATA%\SVCHOST.EXE
Type: Explorer Run

Item Name: {0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}
Author: Unknown
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\DAT8.TMP.EXE
Type: Drivers

Item Name: Pvesodurexur
Author: NETGEAR Corporation.
Related File: %WinDir%\MLGR32.DLL
Type: Registry Run

Item Name: vWord.exe
Author:
Related File: %APPDATA%\VWORD\VWORD.EXE
Type: Registry Run

Item Name: ch_Word.exe
Author:
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\VWORD\CH_WORD.EXE
Type: Registry Run

Item Name: Cxzqzs
Author: Unknown
Related File: %APPDATA%\CXZQZS.EXE
Type: Registry Run

Item Name: explorer.exe
Author: Unknown
Related File: %STARTUP%\EXPLORER.EXE
Type: Startup Folder

Removal Results: Success
Number of reboots: 1

VWORD.EXE is known as:

Trojan.Injector

VWORD.EXE hash:

  • MD5: 4f27b8a323f003e8ee09c238760e8a0d
  • SHA1: 756c7633de6038554f3ed51c93d6896ebdd73804

How to quickly detect VWORD.EXE presence?

Registry:
  • HKLM\Software\Classes\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}\InProcServer32\: "%Common Appdata%\Ashampoo\sp.DLL"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Systems: "%Appdata%\svchost.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\conhost: "%Appdata%\Microsoft\conhost.exe"
  • HKLM\System\CurrentControlSet\Services\SPService\Parameters\ServiceDll: "%Common Appdata%\Ashampoo\sp.DLL"
  • HKLM\System\CurrentControlSet\Services\zinxkqexks\ImagePath: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DAT8.tmp.exe" -SERVICE
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Pvesodurexur: rundll32.exe "%WinDir%\mlgr32.dll",Startup
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vWord.exe: "%Appdata%\vWord\vWord.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ch_Word.exe: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vWord\ch_Word.exe"
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Cxzqzs: "%Appdata%\Cxzqzs.exe"
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe,%Appdata%\dwm.exe"
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe, svdhalp.exe"
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss.exe"

Folders:
  • %Appdata%\vWord
  • %Temp%\vWord
  • %Temp%\WER1911.dir00
  • %Temp%\WER3343.dir00

Files:
  • %Appdata%\Microsoft\conhost.exe
  • %Appdata%\1FB2.343
  • %Appdata%\Cxzqzs.exe
  • %Appdata%\dwm.exe
  • %Appdata%\svchost.exe
  • %Appdata%\vWord\vWord.exe
  • %Temp%\055f99
  • %Temp%\056055
  • %Temp%\0560aa
  • %Temp%\9.tmp
  • %Temp%\A.tmp
  • %Temp%\av.exe
  • %Temp%\avi.exe
  • %Temp%\axmgx.exe
  • %Temp%\csrss.exe
  • %Temp%\DAT8.tmp
  • %Temp%\DAT8.tmp.exe
  • %Temp%\dpfom.exe
  • %Temp%\gdqt.exe
  • %Temp%\gripwn.exe
  • %Temp%\rant.exe
  • %Temp%\tL1ff68J7y.tmp
  • %Temp%\vWord\ch_Word.exe
  • %Temp%\WER1911.dir00\appcompat.txt
  • %Temp%\WER1911.dir00\manifest.txt
  • %Temp%\WER1911.dir00\svchost.exe.hdmp
  • %Temp%\WER1911.dir00\svchost.exe.mdmp
  • %Temp%\WER3343.dir00\appcompat.txt
  • %Temp%\WER3343.dir00\manifest.txt
  • %Temp%\WER3343.dir00\svchost.exe.hdmp
  • %Temp%\WER3343.dir00\svchost.exe.mdmp
  • %Temp%\wqueauo.exe
  • %Temp%\wutei.exe
  • %Temp%\xadxfbn.exe
  • %Temp%\ypwobybw.exe
  • %Common Appdata%\Ashampoo\sp.DLL
  • %SysDir%\drivers\str.sys
  • %SysDir%\svdhalp.exe
  • %SysDir%\svdhalp.exe.ini
  • %WinDir%\mlgr32.dll
  • %WinDir%\syskey2i.drv

Recommended: UnHackMe anti-rootkit and anti-malware

Premium software: RegRun Security Suite (Good choice for removal and protection)

Written by Malware Hunter.
