spyware.exe - Dangerous


Manual removal instructions:

Antivirus Report of spyware.exe:
spyware.exe: Malware, Dangerous, High Risk
We suggest that you remove spyware.exe from your computer as soon as possible.
spyware.exe is a Trojan/Backdoor.
Kill the process spyware.exe and remove spyware.exe from Windows startup.

File: spyware.exe (C:\sand-box\spyware.exe)
-------------------------------------------------------------------------------------
Classification:
Antivirus     Version       Last Update   Result
Avast         4.8.1335.0    2009.08.25    -
AVG           8.5.0.406     2009.08.25    -
BitDefender   7.2           2009.08.26    -
Comodo        2100          2009.08.26    -
DrWeb         5.0.0.12182   2009.08.26    -
F-Secure      8.0.14470.0   2009.08.26    -
Kaspersky     7.0.0.125     2009.08.26    -
Microsoft     1.4903        2009.08.26    Trojan:Win32/Waledac.gen!A
NOD32         4368          2009.08.26    a variant of Win32/Kryptik.AFX
Symantec      1.4.4.12      2009.08.26    -

Additional information
File size: 613376 bytes
MD5 : 7e9edc027a04c39a43483a5f4ad8e465
SHA1 : 9756b7e2d3cdba5a137c2282cc5b4874e6e534b9
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:

----------------------------------
Values added:3
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RList: [binary value]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: "C:\sand-box\spyware.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\MyID: 32 7E E2 60 CA 7D 14 33 61 1E 6D 6D 22 76 68 40 96 22 80 2E 14

----------------------------------
Values modified:0
----------------------------------

----------------------------------
Files [attributes?] modified:1
----------------------------------
C:\WINDOWS\Temp\7hji4mwf.TMP

----------------------------------
Folders added:0
----------------------------------

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Total changes:4
----------------------------------

-------------------------------------------------------------------------------------
Internet activity:
HTTP POST http://76.187.28.203/rlcio.htm
HTTP POST http://68.38.2.49/
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: PromoReg
Author: Unknown
Related File: C:\sand-box\spyware.exe
Type: Registry Run

Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)


Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since that time I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.
