Removed: C:\WINDOWS\system32\MPK\mpk.exe (Keylogger – REFOG Personal Monitor)

Dmitry Sokolov recommends UnHackMe!


UnHackMe quickly removes pop-up ads, search redirecting, browser hijack, spyware, keyloggers, PC slowdown issues. Download Now!

Download step by step PDF manual

Join us on Facebook
Click to Download
Solved! The issue has been fixed!
5 Stars (5 / 5)


Share This:

Malware: personal-monitor.exe

Removed: C:\WINDOWS\system32\MPK\mpk.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: UserInit
Author: Unknown
Related File: c:\windows\system32\userinit.exe,C:\WINDOWS\system32\MPK\mpk.exe
Type: UserInit Value


Your Vote?
0 0

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Value: “c:\windows\system32\userinit.exe,C:\WINDOWS\system32\MPK\mpk.exe”

Folders:
C:\Documents and Settings\All Users\Application Data\MPK
C:\WINDOWS\system32\MPK

Files:
C:\WINDOWS\system32\MPK\mpk.exe

—————————————————————————————————————————-
Classification:

Antivirus Version Last Update Result
F-Secure 9.0.15370.0 2010.10.10 -
Kaspersky 7.0.0.125 2010.10.10 -
Microsoft 1.6201 2010.10.10 -
NOD32 5518 2010.10.09 Win32/KeyLogger.Refog.615

—————————————————————————————————————————-

MD5 6125be3da196e7b934c1a735b2422c69

SHA1 de7df290deaeb8b35b2215685b47cb6f686e23ac

SHA256 5623b3294ab03982f94aeacd5a6fc0c12a690395d1aaf5185262fc79507da5e8

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added:34
———————————-
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\Control
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\InprocServer32
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\Insertable
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\MiscStatus
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\ProgID
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\TypeLib
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\Version
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\VersionIndependentProgID
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\1.0
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\1.0\0
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\1.0\0\win32
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\1.0\FLAGS
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\1.0\HELPDIR
HKLM\Software\Classes\mpkreg
HKLM\Software\Classes\mpkreg\DefaultIcon
HKLM\Software\Classes\mpkreg\shell
HKLM\Software\Classes\mpkreg\shell\open
HKLM\Software\Classes\mpkreg\shell\open\command
HKLM\Software\Microsoft\Tracing\FWCFG
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKLM\Software\Refog Software
HKLM\System\CurrentControlSet\Services\napagent\LocalConfig\Enroll
HKLM\System\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups
HKLM\System\CurrentControlSet\Services\napagent\LocalConfig\UI
HKCU\Software\Microsoft\Windows Script Host
HKCU\Software\Microsoft\Windows Script Host\Settings

———————————-
Values added:40
———————————-
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\VersionIndependentProgID\: “Sysmon”
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\Version\: “3.6″
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\TypeLib\: “{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}”
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\ProgID\: “Sysmon.3″
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\MiscStatus\: “”
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\Insertable\: “”
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\InprocServer32\: “C:\WINDOWS\system32\sysmon.ocx”
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\Control\: “”
HKLM\Software\Classes\CLSID\{306A35A4-DF58-4FEA-969E-FF56709C01E2}\: “Ekoca Class”
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\1.0\0\win32\: “C:\WINDOWS\system32\comuid.dll”
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\1.0\HELPDIR\: “C:\WINDOWS\system32\”
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\1.0\FLAGS\: “0″
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\1.0\0\: “”
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\1.0\: “ComExpS 1.0 Type Library”
HKLM\Software\Classes\TypeLib\{6A99B0C1-5C01-C335-3161-8BA9D686C7E8}\: “”
HKLM\Software\Classes\mpkreg\shell\open\command\: “C:\WINDOWS\system32\MPK\MPKView.exe 100 “%1″”
HKLM\Software\Classes\mpkreg\DefaultIcon\: “C:\WINDOWS\system32\MPK\MPKView.exe,0″
HKLM\Software\Classes\mpkreg\: “URL:Mpk registration protocol”
HKLM\Software\Classes\mpkreg\URL Protocol: “”
HKLM\Software\Microsoft\Tracing\FWCFG\EnableFileTracing: 0×00000000
HKLM\Software\Microsoft\Tracing\FWCFG\EnableConsoleTracing: 0×00000000
HKLM\Software\Microsoft\Tracing\FWCFG\FileTracingMask: 0xFFFF0000
HKLM\Software\Microsoft\Tracing\FWCFG\ConsoleTracingMask: 0xFFFF0000
HKLM\Software\Microsoft\Tracing\FWCFG\MaxFileSize: 0×00100000
HKLM\Software\Microsoft\Tracing\FWCFG\FileDirectory: “%windir%\tracing”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\Guid: “710adbf0-ce88-40b4-a50d-231ada6593f0″
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\BitNames: ” NAP_TRACE_BASE NAP_TRACE_NETSH”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\LogSessionName: “stdout”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Active: 0×00000001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\ControlFlags: 0×00000001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\Guid: “b0278a28-76f1-4e15-b1df-14b209a12613″
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\BitNames: ” Error Unusual Info Debug”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\LogSessionName: “stdout”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\Active: 0×00000001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\ControlFlags: 0×00000001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDataInformation: “0×111001″
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\WINDOWS\system32\MPK\Mpk.exe: “DisableNXShowUI”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\WINDOWS\system32\MPK\MpkView.exe: “DisableNXShowUI”
HKLM\Software\Refog Software\Param001: “111010_135555″
HKLM\Software\Refog Software\AppPath: “C:\WINDOWS\system32\MPK”

———————————-
Values modified:2
———————————-
(-) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “C:\WINDOWS\system32\userinit.exe,”
(+) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “c:\windows\system32\userinit.exe,C:\WINDOWS\system32\MPK\mpk.exe”
(-) HKCU\Software\Microsoft\CTF\MSUTB\Left: 0×00000400
(+) HKCU\Software\Microsoft\CTF\MSUTB\Left: 0x000003CA

———————————-
Files added:128
———————————-
C:\Documents and Settings\All Users\Application Data\MPK\1\D0000
C:\Documents and Settings\All Users\Application Data\MPK\1\S0000
C:\Documents and Settings\All Users\Application Data\MPK\CPDM\cpfm.bin
C:\Documents and Settings\All Users\Application Data\MPK\M0000
C:\Documents and Settings\All Users\Application Data\MPK\REFOG Personal Monitor\Order now!.lnk
C:\Documents and Settings\All Users\Application Data\MPK\REFOG Personal Monitor\REFOG Personal Monitor on the Web.lnk
C:\Documents and Settings\All Users\Application Data\MPK\REFOG Personal Monitor\REFOG Personal Monitor.lnk
C:\Documents and Settings\All Users\Application Data\MPK\REFOG Personal Monitor.lnk
C:\Documents and Settings\All Users\Application Data\MPK\S0000
C:\WINDOWS\system32\MPK\Help\English\alarms.htm
C:\WINDOWS\system32\MPK\Help\English\clipboard.htm
C:\WINDOWS\system32\MPK\Help\English\computer.htm
C:\WINDOWS\system32\MPK\Help\English\delivery.htm
C:\WINDOWS\system32\MPK\Help\English\file.htm
C:\WINDOWS\system32\MPK\Help\English\filters.htm
C:\WINDOWS\system32\MPK\Help\English\imhelp.htm
C:\WINDOWS\system32\MPK\Help\English\internet.htm
C:\WINDOWS\system32\MPK\Help\English\invisible.htm
C:\WINDOWS\system32\MPK\Help\English\keyboard.htm
C:\WINDOWS\system32\MPK\Help\English\logging.htm
C:\WINDOWS\system32\MPK\Help\English\log_size.htm
C:\WINDOWS\system32\MPK\Help\English\need_update_net.htm
C:\WINDOWS\system32\MPK\Help\English\password.htm
C:\WINDOWS\system32\MPK\Help\English\programs.htm
C:\WINDOWS\system32\MPK\Help\English\screenshot.htm
C:\WINDOWS\system32\MPK\Help\English\settings_node.htm
C:\WINDOWS\system32\MPK\Help\English\update.htm
C:\WINDOWS\system32\MPK\Help\English\users_node.htm
C:\WINDOWS\system32\MPK\Help\German\alarms.htm
C:\WINDOWS\system32\MPK\Help\German\clipboard.htm
C:\WINDOWS\system32\MPK\Help\German\computer.htm
C:\WINDOWS\system32\MPK\Help\German\delivery.htm
C:\WINDOWS\system32\MPK\Help\German\file.htm
C:\WINDOWS\system32\MPK\Help\German\filters.htm
C:\WINDOWS\system32\MPK\Help\German\imhelp.htm
C:\WINDOWS\system32\MPK\Help\German\internet.htm
C:\WINDOWS\system32\MPK\Help\German\invisible.htm
C:\WINDOWS\system32\MPK\Help\German\keyboard.htm
C:\WINDOWS\system32\MPK\Help\German\logging.htm
C:\WINDOWS\system32\MPK\Help\German\log_size.htm
C:\WINDOWS\system32\MPK\Help\German\need_update_net.htm
C:\WINDOWS\system32\MPK\Help\German\password.htm
C:\WINDOWS\system32\MPK\Help\German\programs.htm
C:\WINDOWS\system32\MPK\Help\German\screenshot.htm
C:\WINDOWS\system32\MPK\Help\German\settings_node.htm
C:\WINDOWS\system32\MPK\Help\German\users_node.htm
C:\WINDOWS\system32\MPK\Help\Spanish\alarms.htm
C:\WINDOWS\system32\MPK\Help\Spanish\clipboard.htm
C:\WINDOWS\system32\MPK\Help\Spanish\computer.htm
C:\WINDOWS\system32\MPK\Help\Spanish\delivery.htm
C:\WINDOWS\system32\MPK\Help\Spanish\filters.htm
C:\WINDOWS\system32\MPK\Help\Spanish\internet.htm
C:\WINDOWS\system32\MPK\Help\Spanish\invisible.htm
C:\WINDOWS\system32\MPK\Help\Spanish\keyboard.htm
C:\WINDOWS\system32\MPK\Help\Spanish\logging.htm
C:\WINDOWS\system32\MPK\Help\Spanish\log_size.htm
C:\WINDOWS\system32\MPK\Help\Spanish\password.htm
C:\WINDOWS\system32\MPK\Help\Spanish\programs.htm
C:\WINDOWS\system32\MPK\Help\Spanish\screenshot.htm
C:\WINDOWS\system32\MPK\Help\Spanish\settings_node.htm
C:\WINDOWS\system32\MPK\Help\Spanish\users_node.htm
C:\WINDOWS\system32\MPK\icon_1.ico
C:\WINDOWS\system32\MPK\Images\banner_em_english.gif
C:\WINDOWS\system32\MPK\Images\banner_em_english.swf
C:\WINDOWS\system32\MPK\Images\banner_em_german.gif
C:\WINDOWS\system32\MPK\Images\banner_em_german.swf
C:\WINDOWS\system32\MPK\Images\banner_em_spanish.gif
C:\WINDOWS\system32\MPK\Images\banner_em_spanish.swf
C:\WINDOWS\system32\MPK\Images\banner_english.gif
C:\WINDOWS\system32\MPK\Images\banner_english.swf
C:\WINDOWS\system32\MPK\Images\banner_german.gif
C:\WINDOWS\system32\MPK\Images\banner_german.swf
C:\WINDOWS\system32\MPK\Images\banner_pm_english.gif
C:\WINDOWS\system32\MPK\Images\banner_pm_english.swf
C:\WINDOWS\system32\MPK\Images\banner_pm_german.gif
C:\WINDOWS\system32\MPK\Images\banner_pm_german.swf
C:\WINDOWS\system32\MPK\Images\banner_pm_spanish.gif
C:\WINDOWS\system32\MPK\Images\banner_pm_spanish.swf
C:\WINDOWS\system32\MPK\Images\banner_russian.gif
C:\WINDOWS\system32\MPK\Images\banner_spanish.gif
C:\WINDOWS\system32\MPK\Images\banner_spanish.swf
C:\WINDOWS\system32\MPK\Images\english.gif
C:\WINDOWS\system32\MPK\Images\german.gif
C:\WINDOWS\system32\MPK\Images\upgrade_aeu.png
C:\WINDOWS\system32\MPK\Images\upgrade_aus.png
C:\WINDOWS\system32\MPK\Images\upgrade_eu.png
C:\WINDOWS\system32\MPK\Images\upgrade_us.png
C:\WINDOWS\system32\MPK\Images\vista_hide.bmp
C:\WINDOWS\system32\MPK\Images\xp_hide.bmp
C:\WINDOWS\system32\MPK\key.bin
C:\WINDOWS\system32\MPK\Lang\Brazilian.frc
C:\WINDOWS\system32\MPK\Lang\Brazilian.lng
C:\WINDOWS\system32\MPK\Lang\English.frc
C:\WINDOWS\system32\MPK\Lang\French.frc
C:\WINDOWS\system32\MPK\Lang\French.lng
C:\WINDOWS\system32\MPK\Lang\German.frc
C:\WINDOWS\system32\MPK\Lang\German.lng
C:\WINDOWS\system32\MPK\Lang\Italian.frc
C:\WINDOWS\system32\MPK\Lang\Italian.lng
C:\WINDOWS\system32\MPK\Lang\Japanese.frc
C:\WINDOWS\system32\MPK\Lang\Japanese.lng
C:\WINDOWS\system32\MPK\Lang\Polish.lng
C:\WINDOWS\system32\MPK\Lang\Portuguese.frc
C:\WINDOWS\system32\MPK\Lang\Portuguese.lng
C:\WINDOWS\system32\MPK\Lang\Romanian.frc
C:\WINDOWS\system32\MPK\Lang\Romanian.lng
C:\WINDOWS\system32\MPK\Lang\Russian.frc
C:\WINDOWS\system32\MPK\Lang\Spanish.frc
C:\WINDOWS\system32\MPK\Lang\Spanish.lng
C:\WINDOWS\system32\MPK\libeay32.dll
C:\WINDOWS\system32\MPK\lnkmst.exe
C:\WINDOWS\system32\MPK\logstart.vbs
C:\WINDOWS\system32\MPK\loguninstall.vbs
C:\WINDOWS\system32\MPK\Mpk.dll
C:\WINDOWS\system32\MPK\MPK.exe
C:\WINDOWS\system32\MPK\Mpk64.dll
C:\WINDOWS\system32\MPK\MPK64.exe
C:\WINDOWS\system32\MPK\MpkNetInstall.exe
C:\WINDOWS\system32\MPK\MPKView.exe
C:\WINDOWS\system32\MPK\sqlite3.dll
C:\WINDOWS\system32\MPK\ssleay32.dll
C:\WINDOWS\system32\MPK\trial_pro.ini
C:\WINDOWS\system32\MPK\unins000.dat
C:\WINDOWS\system32\MPK\unins000.exe
C:\WINDOWS\system32\MPK\unins000.msg
C:\WINDOWS\system32\MPK\update_info.bin
C:\WINDOWS\system32\MPK\zlib1.dll
C:\WINDOWS\system32\runrefog.lnk

———————————-
Folders added:12
———————————-
C:\Documents and Settings\All Users\Application Data\MPK
C:\Documents and Settings\All Users\Application Data\MPK\1
C:\Documents and Settings\All Users\Application Data\MPK\CPDA
C:\Documents and Settings\All Users\Application Data\MPK\CPDM
C:\Documents and Settings\All Users\Application Data\MPK\REFOG Personal Monitor
C:\WINDOWS\system32\MPK
C:\WINDOWS\system32\MPK\Help
C:\WINDOWS\system32\MPK\Help\English
C:\WINDOWS\system32\MPK\Help\German
C:\WINDOWS\system32\MPK\Help\Spanish
C:\WINDOWS\system32\MPK\Images
C:\WINDOWS\system32\MPK\Lang

———————————-
Total changes:216
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com

1. Download UnHackMe free 30-day version

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

Free Download

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10 32 or 64-bit. UnHackMe uses minimum of computer resources.

2. Double click on UnHackMe_setup.exe

You will see a confirmation screen with verified publisher: Greatis Software. Verified Publisher Greatis Software

Once UnHackMe has installed has installed the first Scan will start automatically

Review the detected threats

3. Carefully review the detected threats!

Click Remove button or False Positive.

What to do if you are unable to solve a problem?

UnHackMe Remote Assistant
  1. Open UnHackMe main screen.
  2. Click on a Remote Assistant button.
  3. Follow instructions on a screen.
  4. We will contact you and send a solution of your problem.
  5. Remote assistance is free during trial period.

Enjoy!

Dmitry Sokolov - author of UnHackMe