WDT.EXE – trojan Meredrop

August 23, 2011 by NightWatcher
Filed under: Malware 

The file WDT.EXE is malware-related. You must delete the file WDT.EXE immediately! Delete the file WDT.EXE without delay! Kill the process WDT.EXE and remove WDT.EXE from the Windows startup.

Malware Analysis of “WDT.EXE”
Executed: b5xm9qcy.exe
Removed: wdt.exe
Full path: %Common Appdata%\Windows\wdt.exe

Detected by UnHackMe:
Item Name: wdt.exe
Author:
Related File: %COMMON APPDATA%\WINDOWS\WDT.EXE
Type: Registry [...]

windows.exe – trojan Meredrop

May 29, 2011 by NightWatcher
Filed under: Malware 

The file windows.exe is identified as a Trojan program that is used for stealing bank information and users' passwords. To delete windows.exe, we suggest using UnHackMe: http://www.unhackme.com

Malware Analysis of “Windows Login access”
Executed: 33K7.D10.exe
Removed: windows.exe
Full path: C:\Documents and Settings\Administrator\Application Data\windows.exe

Detected by UnHackMe:
Item Name: Windows Login access
Author: [...]

Removed: xvsfym.exe, mgrls32.exe, ndisrd.sys, srenum.sys, msrun.exe, ntos.exe, sdra64.exe; Restored: C:\WINDOWS\SYSTEM32\DRIVERS\PCI.SYS (trojan Meredrop: combination of trojans Zeus (Zbot) and TDSS (TDL3+))

July 11, 2010 by NightWatcher
Filed under: Malware 

Malware: 2f073.exe

Removed:
C:\Documents and Settings\Administrator\Local Settings\Temp\xvsfym.exe
C:\RECYCLER\S-1-5-21-2353754676-5851395935-421277404-3452\mgrls32.exe
C:\WINDOWS\system32\drivers\ndisrd.sys
C:\WINDOWS\system32\drivers\srenum.sys
C:\WINDOWS\system32\msrun.exe
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\sdra64.exe

Restored:
C:\WINDOWS\SYSTEM32\DRIVERS\PCI.SYS

Detected by UnHackMe:

Item Name: UserInit
Author: Unknown
Related File: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\ntos.exe,
Type: UserInit Value

Item Name: Follower
Author:
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fFollower.exe
Type: Auto Services

Item Name: ndisrd.sys
Author: NT Kernel Resources
Related File: C:\WINDOWS\SYSTEM32\DRIVERS\NDISRD.SYS
Type: Drivers

Item Name: 14598 [...]

Removed: C:\WINDOWS\system32\csbdll.dll (trojan Meredrop)

June 28, 2010 by NightWatcher
Filed under: Malware 

Malware: tn.exe

Removed:
C:\WINDOWS\system32\csbdll.dll

Detected by UnHackMe:

Item Name: csbdll
Author:
Related File: C:\WINDOWS\system32\CSBDLL.DLL
Type: Winlogon Notification

Removal Results: Success
Number of reboot: 1

How to quickly detect malware presence?

Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\DLLName
Value: “csbdll.dll”

Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\StartShell
Value: “WinlogonStartShellEvent”

Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\Logon
Value: “WinlogonLogonEvent”

Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll\Logoff
Value: “WinlogonLogoffEvent”

Files:
C:\WINDOWS\system32\csbdll.dll

[...]

Removed: C:\WINDOWS\SYSTEM32\NMKLO.DLL Restored: C:\WINDOWS\SYSTEM32\USER32.DLL (trojan Meredrop)

June 24, 2010 by NightWatcher
Filed under: Malware 

Malware: file1.exe

Removed:
C:\WINDOWS\SYSTEM32\NMKLO.DLL

Restored:
C:\WINDOWS\SYSTEM32\USER32.DLL

Detected by UnHackMe:

Item Name: USER32.DLL
Author: Microsoft Corporation
Related File: C:\WINDOWS\SYSTEM32\USER32.DLL
Type: Infected System Files

Detected by RegRun Warrior:

1. Examiner: NMKLO.DLL
Default location: C:\WINDOWS\SYSTEM32\NMKLO.DLL
MD5: 0B7EFAD1243388CE1A3CFFD7FFD0BAA6
SHA1: 15D199A2 C1B1218A A8F6ED35 F94F4CA1 7B6994F2
File Size: 212 992

2. RegRun Reanimator: – none –

3. Multi AntiVirus scan: [...]

Removed: C:\WINDOWS\WinLogon.exe (trojan Meredrop)

May 22, 2010 by NightWatcher
Filed under: Malware 

Malware: pics.exe

Removed:
C:\WINDOWS\WinLogon.exe

Detected by UnHackMe:

Item Name: WinLogon.exe
Author: Microsoft
Related File: C:\WINDOWS\WINLOGON.EXE
Type: Running Processes

After first reboot detected by UnHackMe:

Item Name: WinLogon
Author:
Related File: C:\WINDOWS\WinLogon.exe
Type: Registry Run

Removal Results: Success
Number of reboot: 2

Classification:

Antivirus    Version        Last Update    Result
F-Secure     9.0.15370.0    2010.05.21     Trojan.Generic.3817833
Kaspersky    7.0.0.125      [...]

Removed: smss.exe, qq.exe, qq.vbs (trojan Meredrop)

April 26, 2010 by NightWatcher
Filed under: Malware 

Malware: pptv.exe

Removed:
C:\Documents and Settings\Administrator\Application Data\smss.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qq.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qq.vbs

Detected by UnHackMe:

Item Name: qq.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\QQ.EXE
Type: Common Startup Folder

Item Name: OAOUIµI?µCA?µAIA???¬E??yµoI?·?Oy??µCA?IµI???
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SMSS.EXE
Type: Registry Run

Item Name: qq.vbs
Author: [...]

Removed: tmp-3\svchost.exe (trojan Meredrop)

April 23, 2010 by NightWatcher
Filed under: Malware 

Malware: Flashplayer.exe

Removed:
C:\Documents and Settings\Administrator\Application Data\svchost.exe
C:\Documents and Settings\Administrator\Application Data\tmp-3\svchost.exe

Detected by UnHackMe:

Item Name: windows
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\TMP-3\SVCHOST.EXE
Type: Registry Run

Item Name: wins
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SVCHOST.EXE
Type: Registry Run

Item Name: winsvc32
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\\SVCHOST.EXE
Type: [...]