71947010.exe - Dangerous
Manual removal instructions:
Antivirus Report of 71947010.exe:
We suggest you remove QQLpDp.exe from your computer as soon as possible.
QQLpDp.exe is a Trojan/Backdoor.
Kill the QQLpDp.exe process and remove QQLpDp.exe from Windows startup.
File: winlogon.exe
Classification:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.06 Win32:Small-ERC
AVG 8.5.0.406 2009.08.06 Win32/Cekar.G
BitDefender 7.2 2009.08.06 Dropped:Generic.XPL.ADODB.4F5B2074
Comodo 1884 2009.08.06 -
DrWeb 5.0.0.12182 2009.08.06 Trojan.MulDrop.33193
F-Secure 8.0.14470.0 2009.08.06 Backdoor.Win32.Delf.pyd
Kaspersky 7.0.0.125 2009.08.06 Backdoor.Win32.Delf.pyd
Microsoft 1.4903 2009.08.06 TrojanDownloader:Win32/Cekar.gen!A
NOD32 4311 2009.08.06 probably a variant of Win32/Genetik
Symantec 1.4.4.12 2009.08.06 Backdoor.Trojan
Additional information
File size: 372832 bytes
MD5 : 02c3722853323913b2654416fa62c5ea
SHA1 : 45c1cea85ebae7b9039aa7ae1bc42edc12bb9506
Installation
When the program is executed, the following registry and file-system changes were recorded (subkeys and values deleted, added and modified, plus files dropped):
----------------------------------
Keys deleted:126
----------------------------------
...
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\Security
----------------------------------
Keys added:114
----------------------------------
...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360hotfix.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.exe
...
----------------------------------
Values deleted:144
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SnapshotCallbacks\: ""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg\DiskPercent: 0x0000000C
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg\MachineGuid: "{D97F00B9-86E7-4F3D-A081-D07F1E09CE0A}"
...
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\DisplayName: "Error Reporting Service"
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\ERSvc\Type: 0x00000020
----------------------------------
Values added:146
----------------------------------
HKLM\SOFTWARE\Microsoft\ESENT\Process\6357\DEBUG\Trace Level: ""
HKLM\SOFTWARE\Microsoft\ESENT\Process\QQLpDp\DEBUG\Trace Level: ""
HKLM\SOFTWARE\Microsoft\ESENT\Process\WScript\DEBUG\Trace Level: ""
HKLM\SOFTWARE\Microsoft\Windows NT\ReportBootOk: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe\Debugger: "ntsd -d"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE\Debugger: "ntsd -d"
...
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_5BC22F3A\0000\DeviceDesc: "5BC22F3A"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_5BC22F3A\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\Service: "AppMgmt"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000\DeviceDesc: "Application Management"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\Service: "klan"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\0000\DeviceDesc: "klan"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KLAN\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\DMusic\ImagePath: "system32\DRIVERS\JM.sys"
HKLM\SYSTEM\CurrentControlSet\Services\5BC22F3A\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\Services\5BC22F3A\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\5BC22F3A\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\5BC22F3A\ImagePath: "C:\WINDOWS\Fonts\71947010.EXE -k"
HKLM\SYSTEM\CurrentControlSet\Services\5BC22F3A\DisplayName: "5BC22F3A"
HKLM\SYSTEM\CurrentControlSet\Services\5BC22F3A\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\5BC22F3A\Description: "312E91B4"
HKLM\SYSTEM\CurrentControlSet\Services\klan\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\klan\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\klan\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\klan\ImagePath: "\??\C:\WINDOWS\system32\drivers\klan.sys"
HKLM\SYSTEM\CurrentControlSet\Services\klan\DisplayName: "klan"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\IeUpDate: "C:\Program Files\Internet Explorer\UpDate.exe"
HKCU\Software\WinRAR SFX\C%%DOCUME~1%ADMINI~1%LOCALS~1%Temp%: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\"
HKCU\SYSTEM\CurrentControlSet\Services\5BC22F3A\Description: "312E91B4"
HKCU\SYSTEM\CurrentControlSet\Services\5BC22F3A\DisplayName: "5BC22F3A"
HKCU\SYSTEM\CurrentControlSet\Services\5BC22F3A\ImagePath: "C:\WINDOWS\Fonts\71947010.EXE -k"
HKCU\SYSTEM\CurrentControlSet\Services\5BC22F3A\ObjectName: "LocalSystem"
----------------------------------
Values modified:8
----------------------------------
HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport: 0x00000001
HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport: 0x00000000
HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ShowUI: 0x00000001
HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ShowUI: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,D:\FlySoft\micsoft.exe"
HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Start: 0x00000002
----------------------------------
Files added:23
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\2.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\6357.exe
C:\Program Files\AC3Filter\ws2help.dll
C:\Program Files\CCleaner\ws2help.dll
C:\Program Files\Common Files\System\debug.obj
C:\Program Files\Common Files\System\QQLpDp.exe
C:\Program Files\Common Files\ws2help.dll
C:\Program Files\Foxit Software\Foxit Reader\ws2help.dll
C:\Program Files\Greatis\Reanimator\ws2help.dll
C:\Program Files\Internet Explorer\UpDate.exe
C:\Program Files\IrfanView\ws2help.dll
C:\Program Files\K-Lite Codec Pack\ws2help.dll
C:\Program Files\Mozilla Firefox\uninstall\ws2help.dll
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ws2help.dll
C:\Program Files\WinRAR\ws2help.dll
C:\WINDOWS\Fonts\312E91B4.DLL
C:\WINDOWS\Fonts\71947010.EXE
C:\WINDOWS\Fonts\s3sds212.dat
C:\WINDOWS\system32\dllcache\appmgmts.dll
C:\WINDOWS\system32\dllcache\fly7814.dll
C:\WINDOWS\system32\fly7814.dll
C:\WINDOWS\system32\micsoft.exe
C:\WINDOWS\system32\Web.ini
----------------------------------
Files [attributes?] modified:5
----------------------------------
C:\Documents and Settings\NetworkService\Cookies\index.dat
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\appmgmts.dll
----------------------------------
Folders added:0
----------------------------------
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Folders attributes changed:2
----------------------------------
C:\Documents and Settings\NetworkService\Local Settings\History
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
----------------------------------
Total changes:568
----------------------------------
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:
Item Name: UserInit
Author: Unknown
Related File: C:\WINDOWS\system32\userinit.exe,D:\FlySoft\micsoft.exe
Type: UserInit Value
Item Name: 5BC22F3A
Author:
Related File: C:\WINDOWS\Fonts\71947010.EXE -k
Type: Auto Services
Item Name: APPMGMTS.DLL
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\APPMGMTS.DLL
Type: Infected System Files
Item Name: IeUpDate
Author: Unknown
Related File: C:\Program Files\Internet Explorer\UpDate.exe
Type: Registry RunOnce
Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------
micsoft.exe
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.06 -
AVG 8.5.0.406 2009.08.06 Agent2.OWG
BitDefender 7.2 2009.08.06 -
Comodo 1888 2009.08.06 -
DrWeb 5.0.0.12182 2009.08.06 Trojan.MulDrop.33192
F-Secure 8.0.14470.0 2009.08.06 -
Kaspersky 7.0.0.125 2009.08.06 -
Microsoft 1.4903 2009.08.06 -
NOD32 4312 2009.08.06 a variant of Win32/Agent.PHX
Symantec 1.4.4.12 2009.08.06 Backdoor.Trojan
Additional information
File size: 118784 bytes
MD5 : 19457aa1f9c8f6551e58d40423d8e2e3
SHA1 : 05f96ed4583f4dab5b0b23549703a872044fcf8a
-------------------------------------------------------------------------------------
71947010.EXE
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.06 -
AVG 8.5.0.406 2009.08.07 -
BitDefender 7.2 2009.08.07 Win32.Worm.Winko.I
Comodo 1896 2009.08.07 -
DrWeb 5.0.0.12182 2009.08.07 -
F-Secure 8.0.14470.0 2009.08.07 -
Kaspersky 7.0.0.125 2009.08.07 -
Microsoft 1.4903 2009.08.07 TrojanDownloader:Win32/Agent.BA
NOD32 4314 2009.08.07 -
Symantec 1.4.4.12 2009.08.07 -
Additional information
File size: 176182 bytes
MD5 : 6bad37b8437d360284506b867ebc3737
SHA1 : 70f88e0926268246b95613adda4689cd1c6ced16
-------------------------------------------------------------------------------------
APPMGMTS.dll
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.05 -
AVG 8.5.0.406 2009.08.05 -
BitDefender 7.2 2009.08.05 Generic.Malware.P!dld!.AD86FDA3
Comodo 1876 2009.08.05 -
DrWeb 5.0.0.12182 2009.08.05 -
F-Secure 8.0.14470.0 2009.08.05 Trojan-Downloader.Win32.Clan.d
Kaspersky 7.0.0.125 2009.08.05 Trojan-Downloader.Win32.Clan.d
Microsoft 1.4903 2009.08.04 Trojan:Win32/Killav.DK
NOD32 4309 2009.08.05 Win32/TrojanDownloader.Agent.PJV
Symantec 1.4.4.12 2009.08.05 Trojan.KillAV
Additional information
File size: 9216 bytes
MD5 : 0992ac6365d96e0aeab21ca9b6faef77
SHA1 : 58ee7f8b08ddd393be649a1bd90e9806ffa357e6
-------------------------------------------------------------------------------------
UpDate.exe
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.05 -
AVG 8.5.0.406 2009.08.05 -
BitDefender 7.2 2009.08.05 Generic.Malware.SP!Pk!g.F69BA5F1
Comodo 1875 2009.08.05 -
F-Secure 8.0.14470.0 2009.08.05 -
Kaspersky 7.0.0.125 2009.08.05 Heur.AntiAV
Microsoft 1.4903 2009.08.04 PWS:Win32/Frethog.gen!C
NOD32 4309 2009.08.05 probably a variant of Win32/Genetik
Symantec 1.4.4.12 2009.08.05 -
Additional information
File size: 53899 bytes
MD5 : 15b3afc558c3e4f558d92589e99629ff
SHA1 : 9d4ce981ab90c7a5f1a2de75887ccf954c4de150
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly if you have any questions.