asp2009.exe - Dangerous
Manual removal instructions:
Antivirus Report of asp2009.exe:
We suggest that you remove asp2009.exe from your computer as soon as possible.
Asp2009.exe is a Trojan/Backdoor.
Kill the process asp2009.exe and remove asp2009.exe from Windows startup.
File: setup.exe
-------------------------------------------------------------------------------------
Classification:
Antivirus    Version        Last Update   Result
Avast        4.8.1335.0     2009.08.17    -
AVG          8.5.0.406      2009.08.17    -
BitDefender  7.2            2009.08.17    -
Comodo       1997           2009.08.17    -
DrWeb        5.0.0.12182    2009.08.17    -
F-Secure     8.0.14470.0    2009.08.17    -
Kaspersky    7.0.0.125      2009.08.17    Trojan.Win32.FraudPack.qhp
Microsoft    1.4903         2009.08.17    -
NOD32        4341           2009.08.17    -
Symantec     1.4.4.12       2009.08.17    Trojan.Fakeavalert
Additional information
File size: 77842 bytes
MD5...: 3e1109083d7afeb8023bc14108cbe1a9
SHA1..: b369db8e4124946669f7146abe3e174ea10ddcc7
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:
----------------------------------
Keys deleted:1
----------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
----------------------------------
Keys added:69
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
/../
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BEEP\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMBOOT\0000\LogConf
/.../
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WS2IFSL\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel
HKCU\Software\Antispy Protector 2009
HKCU\Software\Antispy Protector 2009\threats
----------------------------------
Values deleted:0
----------------------------------
----------------------------------
Values added:22
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\.ini: "notepad.exe ^.ini"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\.txt: "notepad.exe ^.txt"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\.wtx: "notepad.exe ^.wtx"
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel\EventMessageFile: "%SystemRoot%\system32\lsasrv.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel\TypesSupported: 0x00000007
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Antispy Protector 2009: "C:\Documents and Settings\Administrator\Application Data\Antispy Protector 2009\asp2009.exe"
HKCU\Software\Antispy Protector 2009\threats\Threat0: "ULCJp7SYjFtdLbz+64FnSuYZcJJ5tjdiW//sItKdNQJpBuxuIWJBbiTLqPSBDKnDTeSK4HbfPV1Ozaf2lwUa0AQUjUSG7u72ZLyCkg30uQl7LzsP99zFU7s/xYb9kS94Hy2lTl+RK3P+AqgqYt65XDSwjBRZlYQRphdHmbIP96ZUpdwfwulhu0/afTHf+3rMNbOQeAAEOBDpn8hIdeRqOyiyWMUurvosjJDGH7V3pLTc4YDrOqHwwjuRJHR7bbsz3bcBepmdwFpm1/ae/XS0TVzt7KbtqreW+Q=="
HKCU\Software\Antispy Protector 2009\threats\Threat1: "RaaRrKeTj1teK7PC65EabuAOfY4ItyhNXejvKcqPWy5qA9hgJkMKTjHNrq7rB6uxQfvL+GyLLlwEza2ykQgI1wQFhVrD8//7b/+Yxwvu8wF2ZCoVspXKQrQxz5H8kCR4Hy24Ch6cZFTVR54MXd6FS3WwihgQr44duUpHrK4P4eNIu5ka1L13rEPBcDybq2XbNrOcf0kEKRG9ntVWde8lOyLrF8Ivv+0sj5DHE/Z3pbXA4ZLqM+Tihj6QYXBtIbV8op0ffYuQzFt3k5q0pBzfQFuj7e/pu7DrybMeeC2bH8ENOcYg2IZZyAcI9sD8IpHCqeGCtLzDRaYQ159YHl8z4/e8rYrgnSkWEJZTRevNeN8OQXThFiEdSXJN1rKPkMZJVrfzanRsYEp6I8WQCV7Y/RQmpMfB"
HKCU\Software\Antispy Protector 2009\threats\Threat2: "RaaRrKeTj1FfK6u0/Zd8d8AYaYcllkhXYeL3acCXLWFsHK9kZGAAWybAsunOJZSaBOLE9jfFO1dAjKiylAwJwQQXlkeE8vv3PeiYhhen+g9gYytH8JmHR6sxxtTmi2F4Vj+7Rh6LZGvxFaIxZI32XnuyxAVAx4AWpAEVmbRc8+tBuc0IiZAOoEzVdjfPvmmkXfL0BgxKbBmgl8JMFoI="
HKCU\Software\Antispy Protector 2009\threats\Threat3: "RaaRrKeTj1lBNLP865cabuAOfY4rshZuY+TmLOCWeTNmB69sNzAODwHcqffcLIrDbPLG8TPZb31Gxqy1l00Py0sLhkmRoO3ydP+YxwLj/RM1bm8T/ZPLULkmgp38xAhySym5RBqGZFjoF6cxY5ukDnWsjVBAlY4WpwcCnv1f+fYJoslbxvlyrFDHeifetmjHI7PXAW9NIhmsmNNaf4UPaEGYXt9mreFghIKnfA=="
HKCU\Software\Antispy Protector 2009\threats\Threat4: "SqeS4IKZ03UfALrx4pY7KvIYK5oZlhIzWOLxJZ23fSVpCv0kN3RaDyrd5uGPJ52XU/jY6nvKOFNWyemhjB8WhFAPhVzD4e7uePGAkxCn7Q81fSoX/pXEU6wxgpXxli5vTGy/QhrSIWX5FL83f5n2QHG2nh9CjM9/2A0Ji7hM4uNA2rNOqpdtpwLVejjeqACj"
HKCU\Software\Antispy Protector 2009\threats\Threat5: "QKuHobCEj19NALb04pY7JcZcd5V3kkZufeLkOtKeODR2CuslMH9PSyrPqqDOaZCKQ/+H4jnYOxJNwr2zkQMa0E0IikmPoOrycvKVxw3y9AJwfW8S4ZXJVfg1gpn9gCRxHzuiXhedMWmwE6M7MYulS2axyQBVlYwboRcOgrMP+fQEvNcU0PFhrUXWPXTpvmDGIaGVLApCbAuhktQff+FkNingF9g16+lol5jZF7RyruHGp8brIuTqkXqMa3c+aLlupNwEeJqcg0hswdv16AnLVkKi+aqvws7ynfpUOzaMW7twfOtd2IQVjhwB4MadXA=="
HKCU\Software\Antispy Protector 2009\threats\Threat6: "ULCJp7SYjEtBPfHX750qZPJdbYJijzJsYOfiJp6gaDgrLe5rJ38cDjDK86DGOtiCBPrL7T/IJl1R3+m3kx0XzUcGkEGM7rrudf2ExwLz7QV4fzsUsojIEqsgx5X+xDF9TD+8RQ2WNzGwC6Q5eJD2SnG2iBlclM1SswoDzbJb/uNW99oUyfttrUfdZz3aty3AOaaWfghFOBamlYkyEeFrPCnxQ9QixoI57PvDGPZ4oq3KsuuI"
HKCU\Software\Antispy Protector 2009\threats\Threat7: "Qa+HpLnb53ReK7vw/N0Lau8dcMckl1NiSuDiId/eXi1qAOtgNj4tTi3PqKHcLc3DTeSK4HbGLl5Nz6C5lh5bxVQXiEGA4e7zcvLQkwvm7UB0YyMI5Y+HU7Z0w4DmhSJ3Wj7rXhDSN3j+A+sxZIr2Q3WxmhlGgsETvwsSg6kP+eAEstQazvEkvU2TcnTIq2jKPqaQb0VQLQ2untMRFoJsNCr3VMUjr4UG0vygH7g+rajDpJWPXA=="
HKCU\Software\Antispy Protector 2009\Antispy Protector 2009: "D41D8CD98F00B204E9800998ECF8427E"
HKCU\Software\Antispy Protector 2009\pver: 0x00000003
HKCU\Software\Antispy Protector 2009\ZF: "NfDT/eDGlikFcaP9+oc5Ma5TaZEg3QBsauiuO9CSdmx1DKFwNz8GQSXB6Q=="
HKCU\Software\Antispy Protector 2009\LastUpdate: "2009-08-10"
HKCU\Software\Antispy Protector 2009\SS: "218"
HKCU\Software\Antispy Protector 2009\GA: "bLaSve/Zjm1Caaj84JcmfPIJboI2hwMwbOLuZ8OaezIq"
HKCU\Software\Antispy Protector 2009\GB: "bLaSve/Zjn9UMLnw65c6ZO8Qd4gy3Q9wIP3qK8Dc"
----------------------------------
Values modified:10
----------------------------------
HKLM\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnStartLocation: 32 36 35 33 33 36 00 00 00 00 00 00 00 00 08 00 00 00 08 00 00 00 3F 61 3F 00 3F 41 3F 61 3F 61 3F 55 3F 41 3F 61 01 00 00 00 3F 55 00 15 3F 55 3F 61 3F 41 00 00 00 00 3F 01 3F 3F 00 15 3F 55 3F 3F 3F 3F 3F 15 48 41 3D 3F 3D 3F 3F 55 3F 3F 3F 3F 00 00 32 3F 08 00 48 41 48 41 3F 55 3F 1B 3F 55 58 69
HKLM\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnStartLocation: 32 36 35 33 33 36 00 23 00 00 00 00 00 00 3F 3F 3F 41 6E 00 00 00 3F 23 3F 00 3F 55 68 09 3F 55 08 00 3F 61 3F 00 01 00 3F 00 00 00 00 15 3F 55 3F 41 6E 00 00 00 00 00 08 01 3F 3F 00 15 3F 55 3F 3F 3F 3F 3F 15 50 68 3D 3F 3D 3F 3F 55 3F 3F 3F 3F 00 00 32 3F 00 00 50 68 50 68 3F 55 3F 1B 3F 55 60 3F
HKLM\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnEndLocation: 35 38 30 34 36 30 00 00 00 00 00 00 00 00 08 00 00 00 08 00 00 00 3F 61 3F 00 3F 41 3F 61 3F 61 3F 55 3F 41 3F 61 01 00 00 00 3F 55 00 15 3F 55 3F 61 3F 41 00 00 00 00 3F 01 3F 3F 00 15 3F 55 3F 3F 3F 3F 3F 15 48 41 3D 3F 3D 3F 3F 55 3F 3F 3F 3F 00 00 32 3F 08 00 48 41 48 41 3F 55 3F 1B 3F 55 58 69
HKLM\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnEndLocation: 36 31 31 38 33 32 00 23 00 00 00 00 00 00 3F 3F 3F 41 6E 00 00 00 3F 23 3F 00 3F 55 68 09 3F 55 08 00 3F 61 3F 00 01 00 3F 00 00 00 00 15 3F 55 3F 41 6E 00 00 00 00 00 08 01 3F /.../67 00 65 00 64 00 2E 00 68 00 68 00 6B 00 00 00 00 00 04 00 00 00 03 00 00 00 01 00 02 00 00 00 01 00 01 00 00 00 01 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\PCHealth\HelpSvc\Backup\PackageStore: 51 43 31 03 01 00 00 00 0F 00 00 00 50 00 72 00 6F 00 66 00 65 00 73 00 73 00 69 00 6F 00 6E 00 61 00 6C 00 5F 00 33 00 32 00 09 04 00 00 17 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 58 00 50 00 20 00 50 00 72 00 6F 00 66 00 65 00 73 00 73 00 69 00 6F 00 6E 00 61 00 6C 00 0A 00 00 00 /.../43 00 74 00 72 00 5C 00 49 00 6E 00 64 00 69 00 63 00 65 00 73 00 5C 00 6D 00 65 00 72 00 67 00 65 00 64 00 2E 00 68 00 68 00 6B 00 00 00 00 00 06 00 00 00 03 00 00 00 01 00 02 00 00 00 01 00 01 00 00 00 01 00 04 00 00 00 01 00 05 00 00 00 01 00 06 00 00 00 00 01 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\PCHealth\HelpSvc\Backup\CRC_Registry: 0x191C5B82
HKLM\SOFTWARE\Microsoft\PCHealth\HelpSvc\Backup\CRC_Registry: 0x6B449A5B
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Sources: 'WZCSVC Wudf01000 WPDClassInstaller Workstation WMPNetworkSvc Windows Update Agent Windows Script Host Windows File Protection Win32k WgaNotify W32Time VolSnap vmx_svga vmxnet vmscsi vmdebug vmci viaide VgaSave USER32 UPS ultra udfs toside TermServSessDir TermService TermServDevices TermDD tdi TCPMon Tcpip System Error sym_u3 sym_hi symc8xx symc810 StillImage SSDPSRV Srv srservice sr /.../Browser BITS beep Atmarpc atdisk atapi AsyncMac asc3550 asc3350p asc Application Popup apphelp amsint ami0nt aliide Alerter aic78xx aic78u2 aha154x adpu160m acpiec acpi abp480n5 abiosdsk System'
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Sources: 'Schannel WZCSVC Wudf01000 WPDClassInstaller Workstation WMPNetworkSvc Windows Update Agent Windows Script Host Windows File Protection Win32k WgaNotify W32Time /.../aic78xx aic78u2 aha154x adpu160m acpiec acpi abp480n5 abiosdsk System'
----------------------------------
Files added:29
----------------------------------
C:\Documents and Settings\Administrator\Application Data\Antispy Protector 2009\asp2009.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\asp2009.exe
C:\Documents and Settings\All Users\Desktop\Antispy Protector 2009.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antispy Protector 2009\Antispy Protector 2009.lnk
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_10.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_11.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_12.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_13.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_14.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_15.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_3.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_4.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_5.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_6.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_7.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_8.xml
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_9.xml
C:\WINDOWS\pchealth\helpctr\DataColl\history_db.xml
C:\WINDOWS\pchealth\helpctr\PackageStore\package_5.cab
C:\WINDOWS\pchealth\helpctr\PackageStore\package_6.cab
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Common\ConnIssue.htm
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Common\rcmoreinfo.htm
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\escalationhelp.htm
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen6.htm
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\rcscreen7.htm
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email\ShieldsUpMsg.htm
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\rcstatus.htm
----------------------------------
Files deleted:2
----------------------------------
C:\WINDOWS\pchealth\helpctr\BATCH\hscmui.cab
C:\WINDOWS\pchealth\helpctr\BATCH\hscsp_w3.cab
----------------------------------
Files [attributes?] modified:902
----------------------------------
C:\WINDOWS\pchealth\helpctr\Config\Cache\Professional_32_1033.dat.bak
C:\WINDOWS\pchealth\helpctr\Config\SAFStore.xml
C:\WINDOWS\pchealth\helpctr\Config\sereg.xml
C:\WINDOWS\pchealth\helpctr\Database\HCdata.edb
C:\WINDOWS\pchealth\helpctr\Indices\merged.hhk
C:\WINDOWS\pchealth\helpctr\Indices\scoped_2.hhk
C:\WINDOWS\pchealth\helpctr\Indices\scoped_3.hhk
C:\WINDOWS\pchealth\helpctr\Indices\scoped_4.hhk
C:\WINDOWS\pchealth\helpctr\Indices\scoped_5.hhk
C:\WINDOWS\pchealth\helpctr\Indices\scoped_6.hhk
C:\WINDOWS\pchealth\helpctr\Indices\scoped_7.hhk
C:\WINDOWS\pchealth\helpctr\Indices\scoped_8.hhk
C:\WINDOWS\pchealth\helpctr\Indices\scoped_9.hhk
C:\WINDOWS\pchealth\helpctr\Logs\hcupdate.log
C:\WINDOWS\pchealth\helpctr\OfflineCache\index.dat
C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\00000000.query
C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\00000001.query
C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\00000002.query
C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\00000004.query
/.../
C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\000002c8.query
C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\000002ca.query
C:\WINDOWS\pchealth\helpctr\OfflineCache\Professional_32#0409\000002cb.query
C:\WINDOWS\pchealth\helpctr\PackageStore\CRC_Disk
C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
C:\WINDOWS\pchealth\helpctr\System\blurbs\about_support.htm
/.../
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\spacer.gif
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\status_ok.gif
C:\WINDOWS\Temp\7hji4mwf.TMP
----------------------------------
Folders added:7
----------------------------------
C:\Documents and Settings\Administrator\Application Data\Antispy Protector 2009
C:\Documents and Settings\All Users\Start Menu\Programs\Antispy Protector 2009
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Common
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation
C:\WINDOWS\pchealth\helpctr\Vendors\CN=Microsoft Windows Component Publisher,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:1042
----------------------------------
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:
Item Name: Antispy Protector 2009
Author: Unknown
Related File: C:\Documents and Settings\Administrator\Application Data\Antispy Protector 2009\asp2009.exe
Type: Registry Run
Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since that time I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly if you have any questions.