wif97.exe - Dangerous


Manual removal instructions:

Antivirus Report of wif97.exe: Malware / Dangerous / High Risk
We suggest you remove WIf97.exe from your computer as soon as possible.
WIf97.exe is a Trojan/Backdoor.
Kill the WIf97.exe process and remove WIf97.exe from Windows startup.

File: Release.exe (C:\sand-box\Release.exe)
-------------------------------------------------------------------------------------
Classification:
Antivirus     Version        Last Update   Result
Avast         4.8.1335.0     2009.08.14    -
AVG           8.5.0.406      2009.08.15    FakeAlert.MA
BitDefender   7.2            2009.08.15    -
Comodo        1978           2009.08.14    -
DrWeb         5.0.0.12182    2009.08.15    -
F-Secure      8.0.14470.0    2009.08.15    -
K7AntiVirus   7.10.819       2009.08.14    -
Microsoft     1.4903         2009.08.15    Trojan:Win32/FakeVimes
Symantec      1.4.4.12       2009.08.15    -

Additional information
File size: 2309120 bytes
MD5:  ec7fbf3b82b0a7ddfb394bb4377ef1ee
SHA1: 930c02f7f7bead042b49064f175358f110ce4ed7

-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values (the deleted and modified entries are listed separately below):

----------------------------------
Keys deleted: 1
----------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

----------------------------------
Keys added: 782
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
HKLM\SOFTWARE\Classes\Release.DocHostUIHandler
HKLM\SOFTWARE\Classes\Release.DocHostUIHandler\Clsid
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe

...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel
HKLM\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll
HKLM\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\Enroll\HcsGroups
HKLM\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig\UI

----------------------------------
Values added: 763
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\: "Release.DocHostUIHandler"
HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\: "C:\sand-box\Release.exe"
HKLM\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\: "Implements DocHostUIHandler"
HKLM\SOFTWARE\Classes\Release.DocHostUIHandler\Clsid\: "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
HKLM\SOFTWARE\Classes\Release.DocHostUIHandler\: "Implements DocHostUIHandler"
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger: "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\Debugger: "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\Debugger: "svchost.exe"

...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe\Debugger: "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\Debugger: "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\Debugger: "svchost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\Guid: "710adbf0-ce88-40b4-a50d-231ada6593f0"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr\BitNames: " NAP_TRACE_BASE NAP_TRACE_NETSH"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\LogSessionName: "stdout"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Active: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\ControlFlags: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\Guid: "b0278a28-76f1-4e15-b1df-14b209a12613"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier\BitNames: " Error Unusual Info Debug"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\LogSessionName: "stdout"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\Active: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\ControlFlags: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel\EventMessageFile: "%SystemRoot%\system32\lsasrv.dll"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Schannel\TypesSupported: 0x00000007
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\sand-box\Release.exe: "C:\sand-box\Release.exe:*:Enabled:Windows Protection Suite"
HKCU\Software\Microsoft\Internet Explorer\PRS: "http://127.0.0.1:27777/?inj=%ORIGINAL%"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UID: "7"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\97780825703: ""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Protection Suite: ""C:\Documents and Settings\All Users\Application Data\a1693\WIf97.exe" /s /d"

----------------------------------
Values modified: 4
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\Sources: 'WZCSVC Wudf01000 WPDClassInstaller Workstation WMPNetworkSvc Windows Update Agent Windows Script Host Windows File Protection Win32k WgaNotify W32Time VolSnap vmx_svga vmxnet vmscsi vmdebug vmci viaide VgaSave USER32 UPS ultra udfs toside TermServSessDir TermService
...

HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL: "http://search.live.com/results.aspx?q={s...
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL: "http://search-gala.com/?&uid=7&q={search...

----------------------------------
Files added: 13
----------------------------------
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Protection Suite.lnk
C:\Documents and Settings\Administrator\Desktop\Windows Protection Suite.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Protection Suite.lnk
C:\Documents and Settings\Administrator\Start Menu\Windows Protection Suite.lnk
C:\Documents and Settings\All Users\Application Data\a1693\WIf97.exe
C:\Documents and Settings\All Users\Application Data\WINSPSys\winps.cfg
C:\Program Files\Mozilla Firefox\searchplugins\search.xml
C:\sand-box\562.mof
C:\sand-box\mozcrt19.dll
C:\sand-box\sqlite3.dll
C:\sand-box\WINPS.ico
C:\sand-box\WINSPSys\vd952342.bd
C:\sand-box\working.log

----------------------------------
Files [attributes?] modified: 4
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
C:\WINDOWS\system32\drivers\etc\hosts

----------------------------------
Folders added: 5
----------------------------------
C:\Documents and Settings\Administrator\Application Data\Windows Protection Suite
C:\Documents and Settings\All Users\Application Data\a1693
C:\Documents and Settings\All Users\Application Data\WINSPSys
C:\sand-box\WINSPSys
C:\ADWARE_LOG

----------------------------------
Folders deleted: 0
----------------------------------

----------------------------------
Folder attributes changed: 1
----------------------------------
C:\sand-box

----------------------------------
Total changes: 1573
----------------------------------
-------------------------------------------------------------------------------------
Internet activity:

HTTP GET http://crl.microsoft.com/pki/crl/product...
HTTP GET http://crl.verisign.com/pca3.crl
HTTP GET http://csc3-2004-crl.verisign.com/CSC3-2...
HTTP GET http://crl.microsoft.com/pki/crl/product...
HTTP GET http://crl.microsoft.com/pki/crl/product...
HTTP GET http://crl.usertrust.com/UTN-USERFirst-O...
HTTP GET http://crl.microsoft.com/pki/crl/product...
HTTP HEAD http://prestotunerst.cn/
HTTP HEAD http://prestotunerst.cn/
HTTP HEAD http://pay1.windowsprotectionsuite.com/
HTTP HEAD http://prestotunerst.cn/
HTTP HEAD http://prestotunerst.cn/
HTTP HEAD http://prestotunerst.cn/
HTTP GET http://prestotunerst.cn/reports/get_prod...
HTTP POST http://prestotunerst.cn/reports/SoftServ...
HTTP POST http://prestotunerst.cn/reports/install-...
HTTP HEAD http://prestotunerst.cn/
HTTP HEAD http://update1.windowsprotectionsuite.co...
HTTP HEAD http://windowsprotectionsuite.com/
HTTP HEAD http://prestotunerst.cn/
HTTP HEAD http://prestotunerst.cn/
HTTP HEAD http://prestotunerst.cn/
HTTP POST http://prestotunerst.cn/reports/SoftServ...
HTTP HEAD http://prestotunerst.cn/
HTTP POST http://prestotunerst.cn/reports/SoftServ...

-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: Windows Protection Suite
Author: Unknown
Related File: "C:\Documents and Settings\All Users\Application Data\a1693\WIf97.exe" /s /d
Type: Registry Run

Removal Results: Success
Number of reboots: 1
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)

Remove wif97.exe now!

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since that time I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly if you have any questions.
