WMPRWISE.EXE – trojan Nedsym

March 4, 2011 by NightWatcher
Filed under: Malware: Solved!


We examined the file WMPRWISE.EXE and found it to be malicious.
The file WMPRWISE.EXE must be deleted from the system immediately.
Kill the WMPRWISE.EXE process and remove its entry from the Windows startup (Run) key.

Malware Analysis of WMPRWISE.EXE
Executed: C:\sand-box\23.exe
Removed: WMPRWISE.EXE. Full path: C:\Documents and Settings\Administrator\Application Data\WMPRWISE.EXE

—————————————————————————————————————————
Detected by UnHackMe:

Item Name: Microsoft Firewall 2.9
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\WMPRWISE.EXE
Type: Registry Run

Item Name: WMPRWISE.EXE
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\WMPRWISE.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————
How to quickly detect the malware's presence:

Registry: HKCU\Software\Microsoft\Widows\CurrentVersion\Run\Microsoft Firewall 2.9
Value: “C:\Documents and Settings\Administrator\Application Data\WMPRWISE.EXE”

Files:
C:\Documents and Settings\Administrator\Application Data\ntuser.dat
C:\Documents and Settings\Administrator\Application Data\WMPRWISE.EXE
—————————————————————————————————————————
Classification:

Antivirus   Version        Last Update   Result
F-Secure    9.0.16160.0    2011.03.01    Gen:Variant.Kazy.8275
Kaspersky   7.0.0.125      2011.03.01    Trojan.Win32.Pakes.oqu
Microsoft   1.6603         2011.03.01    Trojan:Win32/Nedsym.G
NOD32       5915           2011.02.28    a variant of Win32/Extats.A

—————————————————————————————————————————

MD5    e481c289782427f8122f393b9411a494
SHA1   3dd55afd31c31978650a23133b3612d62422ec3a
SHA256 c5b0a7ca9e8db7fd4091e06f232f4e6d853df87ed492d50e2deaa0a0ceb07ef5

—————————————————————————————————————————


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Values added:2
———————————-
HKCU\Software\Microsoft\Internet Explorer\LowRegistry\SavedLegacySettingsML: 36 33 37 34 32 37 30 31 32
HKCU\Software\Microsoft\Widows\CurrentVersion\Run\Microsoft Firewall 2.9: “C:\Documents and Settings\Administrator\Application Data\WMPRWISE.EXE”

———————————-
Files added:2
———————————-
C:\Documents and Settings\Administrator\Application Data\ntuser.dat
C:\Documents and Settings\Administrator\Application Data\WMPRWISE.EXE

———————————-
Files deleted:1
———————————-
C:\sand-box\23.exe

———————————-
Files [attributes?] modified:1
———————————-
C:\Documents and Settings\Administrator\Application Data\desktop.ini

———————————-
Total changes:6
———————————-

—————————————————————————————————————————
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


Written by Malware Hunter.
