usrinit0.exe - Dangerous
Antivirus Report of usrinit0.exe
Manual removal instructions:
We suggest you remove 2EF0D734.dll from your computer as soon as possible.
2EF0D734.dll is a Trojan/Backdoor.
Delete the file 2EF0D734.dll and remove its startup entry from the registry: the DLL is loaded through the ShellExecuteHooks registration of CLSID {2EF0D734-21FD-4225-A1A2-BCD296182AAF} listed below.
Removing the DLL alone is not enough. The same dropper installs saplmf.exe as an auto-start LocalSystem service (IKEEXTEND090825) with a Windows Firewall exception, pcidump.sys as a kernel driver, and wmSecurity.dll as Internet Explorer's http protocol handler and text/html filter; all of them must be removed, and the modified hosts file and acpiec.sys driver should be checked.
Malware dropper: 10.exe
Removed: saplmf.exe, wmSecurity.dll, 2EF0D734.dll, pcidump.sys, ORQSRTVU.EXE
-------------------------------------------------------------------------------------
Classification:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.31 Win32:Dogrobot-C
AVG 8.5.0.406 2009.09.01 Agent2.HWA
BitDefender 7.2 2009.09.01 Trojan.Generic.1445491
Comodo 2124 2009.09.01 TrojWare.Win32.TrojanDropper.KillAV.~F
DrWeb 5.0.0.12182 2009.09.01 Trojan.AVKill.746
F-Secure 8.0.14470.0 2009.09.01 Trojan-Dropper.Win32.Killav.ae
Kaspersky 7.0.0.125 2009.09.01 Trojan-Dropper.Win32.Killav.ae
Microsoft 1.5005 2009.09.01 TrojanDropper:Win32/Dogkild.C
NOD32 4385 2009.08.31 Win32/KillAV.NDC
Symantec 1.4.4.12 2009.09.01 Trojan.KillAV
Additional information
File size: 36864 bytes
MD5 : b69a251cdb4afa055ac80b95ff962a0b
SHA1 : ebc12deee76bcd038c06079e5129a0c7e64daca4
-------------------------------------------------------------------------------------
Installation
When the dropper is executed, it makes the following registry and file-system changes (keys and values deleted, added and modified, then files and folders):
----------------------------------
Keys deleted:5
----------------------------------
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\http\0x00000001
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\http\oledb
HKLM\SYSTEM\CurrentControlSet\Services\PCIDump
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009082720090828
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009082820090829
----------------------------------
Keys added:95
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{2EF0D734-21FD-4225-A1A2-BCD296182AAF}
HKLM\SOFTWARE\Classes\CLSID\{2EF0D734-21FD-4225-A1A2-BCD296182AAF}\InprocServer32
/.../
----------------------------------
Values deleted:19
----------------------------------
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\http\oledb\CLSID: "{E1D2BF40-A96B-11d1-9C6B-0000F875AC61}"
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\http\oledb\: "Microsoft OLE DB Provider for Internet Publishing"
/.../
----------------------------------
Values added:113
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{2EF0D734-21FD-4225-A1A2-BCD296182AAF}\InprocServer32\: "C:\WINDOWS\system32\2EF0D734.dll"
HKLM\SOFTWARE\Classes\CLSID\{2EF0D734-21FD-4225-A1A2-BCD296182AAF}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{44D7DC44-154F-46A6-9450-94B635BE1A66}\VersionIndependentProgID\: "MyShilter.Sucker"
HKLM\SOFTWARE\Classes\CLSID\{44D7DC44-154F-46A6-9450-94B635BE1A66}\TypeLib\: "{1D540DF7-B214-4994-A659-3C76656FF204}"
HKLM\SOFTWARE\Classes\CLSID\{44D7DC44-154F-46A6-9450-94B635BE1A66}\ProgID\: "MyShilter.Sucker.1"
HKLM\SOFTWARE\Classes\CLSID\{44D7DC44-154F-46A6-9450-94B635BE1A66}\InprocServer32\: "C:\Program Files\Windows Media Player\ext\wmSecurity.dll"
HKLM\SOFTWARE\Classes\CLSID\{44D7DC44-154F-46A6-9450-94B635BE1A66}\InprocServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{44D7DC44-154F-46A6-9450-94B635BE1A66}\: "Sucker Class"
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\Shell\Delete\Command\: "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\Shell\Open\Command\: "C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.666t.com/"
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\Shell\Properties\Command\: "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\Shell\Rename\Command\: "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\Shell\Rename\: "重命名(&M)"  [Simplified Chinese, mis-encoded in the original capture: "Rename"]
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\Shell\Properties\: "属性(&R)"  [Simplified Chinese, mis-encoded in the original capture: "Properties"]
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\Shell\Open\: "打开主页(&H)"  [Simplified Chinese, mis-encoded in the original capture: "Open Home Page"]
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\Shell\Delete\: "删除(&D)"  [Simplified Chinese, mis-encoded in the original capture: "Delete"]
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\ShellFolder\Attributes: 00 00 00 00
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\DefaultIcon\: "C:\Program Files\Internet Explorer\iexplore.exe"
HKLM\SOFTWARE\Classes\CLSID\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\: "Internet Explorer"
HKLM\SOFTWARE\Classes\Interface\{6BCA2145-07D4-4FBB-A29C-D03BBBE5FC69}\TypeLib\: "{8417087A-1774-4DFC-8E86-7AEA26B2FC21}"
HKLM\SOFTWARE\Classes\Interface\{6BCA2145-07D4-4FBB-A29C-D03BBBE5FC69}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{6BCA2145-07D4-4FBB-A29C-D03BBBE5FC69}\ProxyStubClsid32\: "{00020420-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{6BCA2145-07D4-4FBB-A29C-D03BBBE5FC69}\ProxyStubClsid\: "{00020420-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{6BCA2145-07D4-4FBB-A29C-D03BBBE5FC69}\: "IHost_Proxy"
HKLM\SOFTWARE\Classes\Interface\{DF9166A0-B18D-4EA7-9A49-161BEF6BF82C}\TypeLib\: "{8417087A-1774-4DFC-8E86-7AEA26B2FC21}"
HKLM\SOFTWARE\Classes\Interface\{DF9166A0-B18D-4EA7-9A49-161BEF6BF82C}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{DF9166A0-B18D-4EA7-9A49-161BEF6BF82C}\ProxyStubClsid32\: "{00020420-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{DF9166A0-B18D-4EA7-9A49-161BEF6BF82C}\ProxyStubClsid\: "{00020420-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{DF9166A0-B18D-4EA7-9A49-161BEF6BF82C}\: "IHostEvent"
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\: "FlashFilter Class"
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID: "{44D7DC44-154F-46A6-9450-94B635BE1A66}"
HKLM\SOFTWARE\Classes\TypeLib\{8417087A-1774-4DFC-8E86-7AEA26B2FC21}\1.0\0\win32\: "C:\Program Files\Windows Media Player\ext\wmSecurity.dll"
HKLM\SOFTWARE\Classes\TypeLib\{8417087A-1774-4DFC-8E86-7AEA26B2FC21}\1.0\HELPDIR\: "C:\Program Files\Windows Media Player\ext\"
HKLM\SOFTWARE\Classes\TypeLib\{8417087A-1774-4DFC-8E86-7AEA26B2FC21}\1.0\FLAGS\: "0"
HKLM\SOFTWARE\Classes\TypeLib\{8417087A-1774-4DFC-8E86-7AEA26B2FC21}\1.0\: "IEMonitor"
HKLM\SOFTWARE\Classes\MyShilter.Sucker\CurVer\: "MyShilter.Sucker.1"
HKLM\SOFTWARE\Classes\MyShilter.Sucker\CLSID\: "{44D7DC44-154F-46A6-9450-94B635BE1A66}"
HKLM\SOFTWARE\Classes\MyShilter.Sucker\: "Sucker Class"
HKLM\SOFTWARE\Classes\MyShilter.Sucker.1\CLSID\: "{44D7DC44-154F-46A6-9450-94B635BE1A66}"
HKLM\SOFTWARE\Classes\MyShilter.Sucker.1\: "Sucker Class"
HKLM\SOFTWARE\Microsoft\ESENT\Process\ipconfig\DEBUG\Trace Level: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{8a6aa65f-8a2d-4f52-9312-00a1d2716ba4}\: "Internet Explorer"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2EF0D734-21FD-4225-A1A2-BCD296182AAF}: ""
/.../
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\saplmf.exe: "C:\WINDOWS\system32\saplmf.exe:*:Enabled:Microsoft (R) Internetal IExplore"
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXTEND090825\Security\Security: 01 00 14 /.../ 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXTEND090825\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXTEND090825\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXTEND090825\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXTEND090825\ImagePath: "C:\WINDOWS\system32\saplmf.exe"
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXTEND090825\DisplayName: "IKE and AuthIP IPsec Keying Modules"
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXTEND090825\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXTEND090825\Description: "?·?InI??U Internet AUO???»?»?»(IKE)?IEi?·YNeO?¤ Internet ??Oe(AuthIP)?u?OA??e??"  [mis-encoded Simplified Chinese: the localized description of the genuine IKEEXT service, which mentions the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules]
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Security\Security: 01 00 14 /.../ 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ImagePath: "System32\DRIVERS\pcidump.sys"
HKLM\SYSTEM\CurrentControlSet\Services\pcidump\DisplayName: "pcidump"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Security\Security: 01 00 14 /.../ 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Start: 0x00000003
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"
HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\DisplayName: "UPDATEDATA"
/.../
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009090420090905\CacheRepair: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon: 0x00000001
----------------------------------
Values modified:14
----------------------------------
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\http\: "http: Asychronous Pluggable Protocol Handler"
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\http\: "FlashFilter Class"
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\http\CLSID: "{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\http\CLSID: "{44D7DC44-154F-46A6-9450-94B635BE1A66}"
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: "C:\Program Files\Internet Explorer\iexplore.exe"
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: "C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.666t.com/"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Sources: 'WZCSVC Wudf01000 /.../ abiosdsk System'
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Sources: 'Schannel WZCSVC /.../ abiosdsk System'
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: "hxxp://www.google.com/"
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: "hxxp://www.666t.com"
HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement: 2C 00 00 /.../ 02 00 00
HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement: 2C 00 00 /.../ 02 00 00
HKCU\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F\UserFile: 01 00 00 /.../ 23 34 16
HKCU\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F\UserFile: 01 00 00 /.../ 02 1B 4F
----------------------------------
Files added:41
----------------------------------
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk  [Simplified Chinese, mis-encoded in the original capture: "Launch Internet Explorer Browser.lnk"; it replaces the English-named shortcut listed under "Files deleted"]
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\XP76FC5R\a.alimama.cn\aliCookie.sol
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#a.alimama.cn\settings.sol
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
C:\Documents and Settings\Administrator\Desktop\Internet Explorer.lnk
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009082420090831\index.dat
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009090420090905\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temp\155406.txt
C:\Documents and Settings\Administrator\Local Settings\Temp\43583526.log
C:\Documents and Settings\Administrator\Local Settings\Temp\usrinit0.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\usrinit1.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\usrinit2.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\usrinit_t.exe
C:\Documents and Settings\Administrator\Start Menu\Internet Explorer.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Internet Explorer.lnk
C:\Documents and Settings\All Users\Start Menu\Internet Explorer.lnk
C:\Program Files\NeoSmart Technologies\orqsrtvu.exe
C:\Program Files\Windows Media Player\ext\wmSecurity.dll
C:\WINDOWS\Fonts\Qq3qg7RGSp9raxWW.Ttf
C:\WINDOWS\system32\drivers\1193.txt
C:\WINDOWS\system32\drivers\12.txt
C:\WINDOWS\system32\drivers\g7.txt
C:\WINDOWS\system32\drivers\OLD3.tmp
C:\WINDOWS\system32\drivers\own.txt
C:\WINDOWS\system32\drivers\pcidump.sys
C:\WINDOWS\system32\drivers\ys.txt
C:\WINDOWS\system32\2EF0D734.dll
C:\WINDOWS\system32\kbd101b.dll
C:\WINDOWS\system32\kbd101c.dll
C:\WINDOWS\system32\kbd103.dll
C:\WINDOWS\system32\kbd106.dll
C:\WINDOWS\system32\kbdjpn.dll
C:\WINDOWS\system32\kbdkor.dll
C:\WINDOWS\system32\killkb.dll
C:\WINDOWS\system32\saplmf.exe
C:\WINDOWS\LastGood\system32\drivers\acpiec.sys
C:\systemlog0.txt
C:\systemlog1.txt
C:\systemlog2.txt
C:\WINDOWSupdate.dll
----------------------------------
Files deleted:4
----------------------------------
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009082720090828\index.dat
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009082820090829\index.dat
C:\WINDOWS\system32\verclsid.exe
----------------------------------
Files modified (content or attributes):7
----------------------------------
C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
C:\Documents and Settings\Administrator\Desktop\Reanimator.lnk
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
C:\WINDOWS\system32\drivers\acpiec.sys
C:\WINDOWS\system32\drivers\etc\hosts
----------------------------------
Folders added:16
----------------------------------
C:\Documents and Settings\Administrator\Application Data\Macromedia
C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player
/.../
C:\WINDOWS\LastGood\system32
C:\WINDOWS\LastGood\system32\drivers
----------------------------------
Folders deleted:2
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009082720090828
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009082820090829
----------------------------------
Total changes:316
----------------------------------
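The diff above shows the dropper's persistence spread over several mechanisms: a service (IKEEXTEND090825, image saplmf.exe) whose DisplayName is copied from the Vista-era IKEEXT service that svchost.exe hosts, two new kernel-driver services (pcidump, and UPDATEDATA pointing at acpiec.sys, a stock driver the file list shows as modified), a ShellExecuteHooks entry that loads 2EF0D734.dll into the shell, wmSecurity.dll registered both as the http protocol handler (replacing urlmon's {79eac9e2-baf9-11ce-8c82-00aa004ba90b}) and as a text/html MIME filter, a Windows Firewall exception for saplmf.exe, and a start-page hijack to 666t.com. The script below is an added example, not RegRun or UnHackMe code: it parses the "Values added" and "Values modified" lines of a report in this format and flags exactly those patterns. The rule names and the svchost.exe host for the genuine IKEEXT service are this example's own assumptions; the sample lines are copied from the report.

```python
"""Triage a registry diff in the format of the report above for the persistence
mechanisms this dropper used. Added example for this write-up, not RegRun or
UnHackMe code. Assumes the diff's own line format: 'Key\\ValueName: "data"', a
trailing backslash before the colon for a key's default value, and a modified
value listed as its old line followed by its new line. SAMPLE_DIFF is copied
from the report."""
SERVICES = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
CLSID_ROOT = "HKLM\\SOFTWARE\\Classes\\CLSID\\"
FILTER_ROOT = "HKLM\\SOFTWARE\\Classes\\PROTOCOLS\\Filter\\"
HTTP_HANDLER = "HKLM\\SOFTWARE\\Classes\\PROTOCOLS\\Handler\\http"
SHELL_EXEC_HOOKS = ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                    "\\Explorer\\ShellExecuteHooks")
FIREWALL_LIST = (SERVICES + "SharedAccess\\Parameters\\FirewallPolicy"
                 "\\StandardProfile\\AuthorizedApplications\\List\\")
IE_MAIN = "HKCU\\Software\\Microsoft\\Internet Explorer\\Main"
STOCK_HTTP_CLSID = "{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"  # urlmon's http handler
# Built-in service DisplayNames -> image that really hosts them. Assumption:
# the genuine IKEEXT service runs inside svchost.exe.
BUILTIN_SERVICES = {"IKE and AuthIP IPsec Keying Modules": "svchost.exe"}


def parse_diff(lines):
    """{key: {value_name: data}}; later lines win, so a modified value keeps its new data."""
    reg = {}
    for raw in lines:
        line = raw.strip()
        if not line.startswith(("HKLM\\", "HKCU\\")):
            continue                          # separators, counters, '/.../'
        path, sep, data = line.partition(": ")
        if not sep:
            continue                          # a key line with no value
        key, _, name = path.rpartition("\\")
        data = data.strip()
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1]
        reg.setdefault(key, {})[name or "(Default)"] = data
    return reg


def inproc_server(reg, clsid):
    """DLL registered for a CLSID, or None if the diff does not show it."""
    return reg.get(CLSID_ROOT + clsid + "\\InprocServer32", {}).get("(Default)")


def triage(reg):
    """Return a list of (rule, detail) findings."""
    found = []
    for key, vals in reg.items():
        if key.startswith(SERVICES) and "\\" not in key[len(SERVICES):]:
            name, image = key[len(SERVICES):], vals.get("ImagePath", "")
            stem = image.rsplit("\\", 1)[-1].lower()
            host = BUILTIN_SERVICES.get(vals.get("DisplayName", ""))
            if host and stem != host:
                found.append(("service-impersonation",
                              f"{name}: built-in DisplayName, but runs {image}"))
            if vals.get("Type") == "0x00000001":          # SERVICE_KERNEL_DRIVER
                note = "" if stem == name.lower() + ".sys" else " (name/image mismatch)"
                found.append(("new-kernel-driver", f"{name}: {image}{note}"))
        elif key.startswith(FIREWALL_LIST):
            for data in vals.values():                    # program:scope:mode:label
                parts = data.rsplit(":", 3)
                if len(parts) == 4:
                    found.append(("firewall-exception",
                                  f"{parts[0]} ({parts[2]}, labelled '{parts[3]}')"))
        elif key.startswith(FILTER_ROOT) and "CLSID" in vals:
            found.append(("mime-filter",
                          f"{key[len(FILTER_ROOT):]} -> {inproc_server(reg, vals['CLSID'])}"))
    for clsid in reg.get(SHELL_EXEC_HOOKS, {}):
        found.append(("shell-execute-hook", f"{clsid} -> {inproc_server(reg, clsid)}"))
    clsid = reg.get(HTTP_HANDLER, {}).get("CLSID", "")
    if clsid and clsid.lower() != STOCK_HTTP_CLSID:
        found.append(("http-handler-hijack", f"{clsid} -> {inproc_server(reg, clsid)}"))
    start = reg.get(IE_MAIN, {}).get("Start Page")
    if start:
        found.append(("ie-start-page", start))
    return found


SAMPLE_DIFF = [  # copied from the 'Values added' / 'Values modified' sections above
    r'HKLM\SOFTWARE\Classes\CLSID\{2EF0D734-21FD-4225-A1A2-BCD296182AAF}\InprocServer32\: "C:\WINDOWS\system32\2EF0D734.dll"',
    r'HKLM\SOFTWARE\Classes\CLSID\{44D7DC44-154F-46A6-9450-94B635BE1A66}\InprocServer32\: "C:\Program Files\Windows Media Player\ext\wmSecurity.dll"',
    r'HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\CLSID: "{44D7DC44-154F-46A6-9450-94B635BE1A66}"',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2EF0D734-21FD-4225-A1A2-BCD296182AAF}: ""',
    r'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\saplmf.exe: "C:\WINDOWS\system32\saplmf.exe:*:Enabled:Microsoft (R) Internetal IExplore"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\IKEEXTEND090825\ImagePath: "C:\WINDOWS\system32\saplmf.exe"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\IKEEXTEND090825\DisplayName: "IKE and AuthIP IPsec Keying Modules"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\pcidump\Type: 0x00000001',
    r'HKLM\SYSTEM\CurrentControlSet\Services\pcidump\ImagePath: "System32\DRIVERS\pcidump.sys"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\Type: 0x00000001',
    r'HKLM\SYSTEM\CurrentControlSet\Services\UPDATEDATA\ImagePath: "\??\C:\WINDOWS\system32\drivers\acpiec.sys"',
    r'HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\http\CLSID: "{79eac9e2-baf9-11ce-8c82-00aa004ba90b}"',
    r'HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\http\CLSID: "{44D7DC44-154F-46A6-9450-94B635BE1A66}"',
    r'HKCU\Software\Microsoft\Internet Explorer\Main\Start Page: "hxxp://www.666t.com"',
]


def run_sample():
    return triage(parse_diff(SAMPLE_DIFF))


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

Feed it only the "added" and "modified" sections of a report; the "deleted" sections would otherwise be read as values that still exist. The http-handler rule works because the report lists a modified value as old line then new line, so the last write wins in the parser; the kernel-driver rule does not try to judge pcidump.sys on its own, it only reports every new driver service and points out when the service name and image file disagree, which is the UPDATEDATA/acpiec.sys case here.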
-------------------------------------------------------------------------------------
Internet activity:
HTTP POST http://myart-gallery.com/senm.php?data=v...
HTTP POST http://bonluxarts.com/senm.php?data=v22M...
HTTP POST http://photoartsnetwork.com/senm.php?dat...
HTTP GET http://zsmdo.cn/down/ttnew.txt
/.../
HTTP GET http://mdomdo.cn/xm/ys.exe
HTTP GET http://www.hao123.com/count.asp?szclient...
HTTP GET http://kcs.cn/web6/images/own.exe
HTTP GET http://mdomdo.cn/xm/g7.exe
HTTP GET http://www.666t.com/
HTTP GET http://mdomdo.cn/xm/12.exe
HTTP GET http://server.nidex.cn/count/count.asp?s...
HTTP GET http://z.alimama.com/alimama.php?i=mm_12...
HTTP GET http://www.666t.com/static/images/taobao...
/.../
HTTP GET http://z.alimama.com/alimamal.php?i=mm_1...
HTTP GET http://kcs.cn/web6/images/1193.exe
HTTP GET http://server.nidex.cn/count/count.asp?s...
HTTP GET http://server.nidex.cn/count/count.asp?s...
HTTP GET http://server.nidex.cn/count/count.asp?s...
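Three things stand out in this traffic: every POST goes to a senm.php endpoint with an encoded data= parameter on one of three art-themed domains (the check-in channel), the GETs for ys.exe, own.exe, g7.exe, 12.exe and 1193.exe have the same basenames as the ys.txt, own.txt, g7.txt, 12.txt and 1193.txt files that appeared in C:\WINDOWS\system32\drivers (the downloaded executables stored under a .txt name), and the remaining requests are the hijacked start page plus its hit counters and ad affiliates. The script below is an added example, not RegRun or UnHackMe code: it parses log lines in the format above, buckets the hosts, maps each payload URL to the dropped file whose stem matches, and emits sinkhole entries for the hosts worth blocking. The bucket names are this example's own; the sample lines are copied from the report.

```python
"""Extract indicators from the 'Internet activity' log above and tie the payload
downloads to the files the dropper left on disk. Added example for this
write-up, not RegRun or UnHackMe code. SAMPLE_HTTP and SAMPLE_FILES are copied
from the report; the bucket names are this example's own, and the stem match
(ys.exe -> ys.txt) is an inference from the file list, not a fact the report
states."""
import posixpath
from urllib.parse import urlsplit

SAMPLE_HTTP = [
    "HTTP POST http://myart-gallery.com/senm.php?data=v...",
    "HTTP POST http://bonluxarts.com/senm.php?data=v22M...",
    "HTTP POST http://photoartsnetwork.com/senm.php?dat...",
    "HTTP GET http://zsmdo.cn/down/ttnew.txt",
    "HTTP GET http://mdomdo.cn/xm/ys.exe",
    "HTTP GET http://www.hao123.com/count.asp?szclient...",
    "HTTP GET http://kcs.cn/web6/images/own.exe",
    "HTTP GET http://mdomdo.cn/xm/g7.exe",
    "HTTP GET http://www.666t.com/",
    "HTTP GET http://mdomdo.cn/xm/12.exe",
    "HTTP GET http://server.nidex.cn/count/count.asp?s...",
    "HTTP GET http://z.alimama.com/alimama.php?i=mm_12...",
    "HTTP GET http://www.666t.com/static/images/taobao...",
    "HTTP GET http://kcs.cn/web6/images/1193.exe",
]
DRIVERS = "C:\\WINDOWS\\system32\\drivers\\"
SAMPLE_FILES = [DRIVERS + n for n in
                ("1193.txt", "12.txt", "g7.txt", "OLD3.tmp", "own.txt", "pcidump.sys", "ys.txt")]


def parse_http(lines):
    """Yield (method, url) from lines shaped 'HTTP GET http://host/path'."""
    for raw in lines:
        parts = raw.split()
        if len(parts) == 3 and parts[0] == "HTTP" and parts[1] in ("GET", "POST"):
            yield parts[1], parts[2]


def classify(method, path):
    """Bucket one request; the names are this example's own."""
    name = posixpath.basename(path).lower()
    if method == "POST":
        return "beacon"    # every POST here is senm.php?data=...: a check-in/report
    if name.endswith(".exe"):
        return "payload"   # second-stage executables
    if name.endswith(".txt"):
        return "text"      # plain-text fetch (ttnew.txt); contents not in the report
    return "web"           # hijacked start page, hit counters, ad affiliates


def summarize(http_lines, added_files):
    """Hosts per bucket, each payload URL mapped to the dropped file whose stem
    matches (None if nothing does), and the hosts worth blocking (all but 'web')."""
    by_stem = {posixpath.splitext(f.rsplit("\\", 1)[-1])[0].lower(): f
               for f in added_files}
    hosts = {b: set() for b in ("beacon", "payload", "text", "web")}
    payloads = {}
    for method, url in parse_http(http_lines):
        u = urlsplit(url)
        bucket = classify(method, u.path)
        hosts[bucket].add(u.hostname)
        if bucket == "payload":
            stem = posixpath.splitext(posixpath.basename(u.path))[0].lower()
            payloads[url] = by_stem.get(stem)
    block = sorted(hosts["beacon"] | hosts["payload"] | hosts["text"])
    return {"hosts": {b: sorted(h) for b, h in hosts.items()},
            "payloads": payloads, "block": block}


def hosts_file_entries(block):
    """Sinkhole lines for the hosts file, a stop-gap while the machine is cleaned;
    an egress filter on the gateway is the better place for the same list."""
    return [f"0.0.0.0 {h}" for h in block]


if __name__ == "__main__":
    s = summarize(SAMPLE_HTTP, SAMPLE_FILES)
    for url, path in s["payloads"].items():
        print(f"{url} -> {path or 'no matching file on disk'}")
    print("\n".join(hosts_file_entries(s["block"])))
```

The "web" bucket is kept out of the block list on purpose: hao123.com and alimama.com are ad and traffic-counting services the hijacked start page pulls in, and blocking them is collateral rather than containment. Note also that the report lists C:\WINDOWS\system32\drivers\etc\hosts among the modified files, so inspect and restore that file before appending anything to it.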
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:
Item Name: text/html
Author:
Related File: C:\Program Files\Windows Media Player\ext\wmSecurity.dll
Type: Protocols Filter
Item Name: http
Author:
Related File: C:\Program Files\Windows Media Player\ext\wmSecurity.dll
Type: Protocols Handler
Item Name: {2EF0D734-21FD-4225-A1A2-BCD296182AAF}
Author: Unknown
Related File: C:\WINDOWS\system32\2EF0D734.dll
Type: Shell Execute Hooks
Item Name: IKEEXTEND090825
Author:
Related File: C:\WINDOWS\system32\saplmf.exe
Type: Auto Services
Item Name: saplmf.exe
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\SAPLMF.EXE
Type: Running Processes
After first reboot detected by RegRun Reanimator:
Item Name: pcidump
Author:
Related File: System32\DRIVERS\pcidump.sys
Type: Services detected by Partizan
Detected after executing Internet Explorer shortcut on the desktop:
Item Name: orqsrtvu.exe
Author: Unknown
Related File: C:\PROGRAM FILES\NEOSMART TECHNOLOGIES\ORQSRTVU.EXE
Type: Running Processes
Removal Results: Success
Number of reboots: 2
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Rating: usrinit0.exe | Malware | Dangerous | High Risk
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.
Since then I have worked every day to fix the issues that antiviruses cannot.
If your antivirus has not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly if you have any questions.