444.exe - Dangerous
Manual removal instructions:
Antivirus Report of 444.exe:
We suggest you remove vkkk.exe from your computer as soon as possible.
Vkkk.exe is a Trojan/Backdoor.
Kill the process vkkk.exe and remove vkkk.exe from Windows startup.
File: load.exe
-------------------------------------------------------------------------------------
Classification:
Code:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.11 -
AVG 8.5.0.406 2009.08.12 Downloader.Agent2.HHJ
BitDefender 7.2 2009.08.12 -
Comodo 1949 2009.08.12 TrojWare.Win32.TrojanDownloader.Agent.cllu
DrWeb 5.0.0.12182 2009.08.12 -
F-Secure 8.0.14470.0 2009.08.11 Trojan-Downloader.Win32.Agent.cllu
Kaspersky 7.0.0.125 2009.08.12 Trojan-Downloader.Win32.Agent.cllu
Microsoft 1.4903 2009.08.11 -
NOD32 4327 2009.08.11 Win32/VB.OKI
Symantec 1.4.4.12 2009.08.12 Downloader
Additional information
File size: 13654 bytes
MD5 : 92e455f23bf5f6608d877cc7fb9aa98b
SHA1 : 2d77500c61eb7c0e89fe6d5526dedd310f12ba05
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys added:57
----------------------------------
HKCU\Software\Microsoft\Internet Explorer\International\CpMRU
----------------------------------
Values added:48
----------------------------------
----------------------------------
Values modified:20
----------------------------------
----------------------------------
Files added:14
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA\111.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA\111.reg
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA\444.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA\AdmDll.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA\DEL.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA\raddrv.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA\vkkk.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA\vkkk.exe.bak
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA\vkkk.exe.log
C:\WINDOWS\Help\admdll.dll
C:\WINDOWS\Help\raddrv.dll
C:\WINDOWS\Help\svchost.exe
C:\WINDOWS\Temp\Perflib_Perfdata_6b0.dat
----------------------------------
Files [attributes?] modified:0
----------------------------------
----------------------------------
Folders added:1
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\MSA
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:140
----------------------------------
-------------------------------------------------------------------------------------
Internet activity:
Code:
HTTP GET hxxp://www2.sexown.com/65/tt/d10.php?nocache=712
HTTP POST hxxp://www2.sexown.com/65/tt/rvkad.php?nocache=7055
HTTP GET hxxp://vkontakte.ru/?%205334
HTTP POST hxxp://www2.sexown.com/65/tt/rvkad.php?nocache=2896
HTTP GET hxxp://www2.sexown.com/65/tt/out.php?t=100072&yes=1&id=98240nocache=0.8416544
HTTP POST hxxp://www2.sexown.com/65/tt/rvkad.php?nocache=3019
HTTP GET hxxp://vkontakte.ru/?%207747
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:
Item Name: r_server
Author:
Related File: "C:\WINDOWS\help\svchost.exe" /service
Type: Auto Services
Item Name: vkkk.exe
Author:
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MSA\vkkk.exe
Type: Registry Run
Item Name: svchost.exe
Author: Unknown
Related File: C:\WINDOWS\HELP\SVCHOST.EXE
Type: Running Processes
Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------
svchost.exe
Code:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.06 -
AVG 8.5.0.406 2009.08.07 RemoteAdmin.BL
BitDefender 7.2 2009.08.07 -
Comodo 1896 2009.08.07 ApplicUnsaf.Win32.RemoteAdmin.RAdmin.20
DrWeb 5.0.0.12182 2009.08.07 -
Kaspersky 7.0.0.125 2009.08.07 not-a-virus:RemoteAdmin.Win32.RAdmin.20
Microsoft 1.4903 2009.08.07 -
NOD32 4314 2009.08.07 Win32/RemoteAdmin.RAdmin.20
Symantec 1.4.4.12 2009.08.07 Remacc.Radmin
Additional information
File size: 184320 bytes
MD5 : 377779e07226ab796bdaa2c6466608ec
SHA1 : 93e6ddb0b46754a0d16b38493eac494ea45437d1
-------------------------------------------------------------------------------------
vkkk.exe
Code:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.11 -
AVG 8.5.0.406 2009.08.12 -
BitDefender 7.2 2009.08.12 Generic.Malware.SFdld.5FFA0AB9
Comodo 1952 2009.08.12 -
DrWeb 5.0.0.12182 2009.08.12 -
F-Secure 8.0.14470.0 2009.08.12 Suspicious:W32/Malware!Gemini
Kaspersky 7.0.0.125 2009.08.12 -
Microsoft 1.4903 2009.08.12 -
NOD32 4328 2009.08.12 -
Symantec 1.4.4.12 2009.08.12 -
Additional information
File size: 12288 bytes
MD5...: f7c1bc07f1e1dbb7cde161575aacbf1a
SHA1..: fc15e4fdb8a4284b1b1e5a44d7a9a85b2d1b36d0
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.