Category Archives: Adware

Gen:Variant.Adware.Symmi.49192 (B)

Gen:Variant.Adware.Symmi.49192 (B) also known as BehavesLike.Win32.Downloader.th, suspected of Heur.Malware-Cryptor.Multiplug, Gen:Variant.Adware.Symmi.49192.
MALWARE ANALYSIS OF GEN:VARIANT.ADWARE.SYMMI.49192 (B) – 994B9353F7C10E43B5ECDC0E6E47F96A.EXE
Created files:
%TEMP%\124BC7F36733\IMAGES\LOADER.GIF
%TEMP%\124BC7F36733\IMAGES\PROGRESSBAR.GIF
%TEMP%\124BC7F36733\TEMP\BG.CA
%TEMP%\124BC7F36733\TEMP\994B9353F7C10E43B5ECDC0E6E47F96A.EXE
Detected by UnHackMe: 994B9353F7C10E43B5ECDC0E6E47F96A.EXE
DEFAULT LOCATION: %TEMP%\124BC7F36733\TEMP\994B9353F7C10E43B5ECDC0E6E47F96A.EXE
Dropper hash (md5): 994b9353f7c10e43b5ecdc0e6e47f96a
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does…


W32.HfsAdware.A7EA

W32.HfsAdware.A7EA also known as Adware.MPLug.HH, Adware.MPLug.HH, Adware.MPLug.HH.
MALWARE ANALYSIS OF W32.HFSADWARE.A7EA – 9D6D11CEB4CC3130F11AFCC44E026875.EXE
Created files:
%COMMON APPDATA%\{B306DEE9-16EA-35F9-B306-6DEE916E7BA4}\9D6D11CEB4CC3130F11AFCC44E026875.DAT
%COMMON APPDATA%\{B306DEE9-16EA-35F9-B306-6DEE916E7BA4}\9D6D11CEB4CC3130F11AFCC44E026875.EXE
%STARTUP%\9D6D11CEB4CC3130F11AFCC44E026875.LNK
Detected by UnHackMe: 9D6D11CEB4CC3130F11AFCC44E026875.EXE
DEFAULT LOCATION: %COMMON APPDATA%\{B306DEE9-16EA-35F9-B306-6DEE916E7BA4}\9D6D11CEB4CC3130F11AFCC44E026875.EXE
Dropper hash (md5): 9d6d11ceb4cc3130f11afcc44e026875
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not contain…


AdWare/MultiPlug.bwhn

AdWare/MultiPlug.bwhn also known as Adware.Installerex.A8, W32/S-e57cb847!Eldorado, Heur.Malware-Cryptor.Multiplug.
MALWARE ANALYSIS OF ADWARE/MULTIPLUG.BWHN – 04A6A9FF5A279C4AEFD4C0D6F37E3C0A.EXE
Created files:
%COMMON APPDATA%\{E02E5769-C032-6D96-E02E-E5769C035DA7}\EF33422C96E5A971
%COMMON APPDATA%\{E02E5769-C032-6D96-E02E-E5769C035DA7}\04A6A9FF5A279C4AEFD4C0D6F37E3C0A.DAT
%COMMON APPDATA%\{E02E5769-C032-6D96-E02E-E5769C035DA7}\04A6A9FF5A279C4AEFD4C0D6F37E3C0A.EXE
%TEMP%\DED2E3472E5D790992466875BC8ADBE9.JSON
%SYSDIR%\TASKS\LIFEEVENTS
Detected by UnHackMe: 04A6A9FF5A279C4AEFD4C0D6F37E3C0A.EXE
DEFAULT LOCATION: %COMMON APPDATA%\{E02E5769-C032-6D96-E02E-E5769C035DA7}\04A6A9FF5A279C4AEFD4C0D6F37E3C0A.EXE
Dropper hash (md5): 04a6a9ff5a279c4aefd4c0d6f37e3c0a
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it…


Win.Adware.Agent-1321134

Win.Adware.Agent-1321134 also known as MultiPlug, trojan.win32.virumulu.a, PUA.Multiplug.
MALWARE ANALYSIS OF WIN.ADWARE.AGENT-1321134 – 04A6A9FF5A279C4AEFD4C0D6F37E3C0A.EXE
Created files:
%COMMON APPDATA%\{E02E5769-C032-6D96-E02E-E5769C035DA7}\EF33422C96E5A971
%COMMON APPDATA%\{E02E5769-C032-6D96-E02E-E5769C035DA7}\04A6A9FF5A279C4AEFD4C0D6F37E3C0A.DAT
%COMMON APPDATA%\{E02E5769-C032-6D96-E02E-E5769C035DA7}\04A6A9FF5A279C4AEFD4C0D6F37E3C0A.EXE
%TEMP%\DED2E3472E5D790992466875BC8ADBE9.JSON
%SYSDIR%\TASKS\LIFEEVENTS
Detected by UnHackMe: 04A6A9FF5A279C4AEFD4C0D6F37E3C0A.EXE
DEFAULT LOCATION: %COMMON APPDATA%\{E02E5769-C032-6D96-E02E-E5769C035DA7}\04A6A9FF5A279C4AEFD4C0D6F37E3C0A.EXE
Dropper hash (md5): 04a6a9ff5a279c4aefd4c0d6f37e3c0a
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it…


Win.Adware.Agent-1330812

Win.Adware.Agent-1330812 also known as MultiPlug, Gen:Variant.Razy.14008, Adware.MultiPlugGen.Win32.51.
MALWARE ANALYSIS OF WIN.ADWARE.AGENT-1330812 – 9DA59EDD889BC72ADE572B1483A178B3.EXE
Created files:
%COMMON APPDATA%\{25428BB6-4332-136A-2542-28BB64332ED9}\F0FA2CD40C4E51E8
%COMMON APPDATA%\{25428BB6-4332-136A-2542-28BB64332ED9}\9DA59EDD889BC72ADE572B1483A178B3.DAT
%COMMON APPDATA%\{25428BB6-4332-136A-2542-28BB64332ED9}\9DA59EDD889BC72ADE572B1483A178B3.EXE
%SYSDIR%\TASKS\WALKINGBUDDY
%WINDIR%\TASKS\WALKINGBUDDY.JOB
Detected by UnHackMe: 9DA59EDD889BC72ADE572B1483A178B3.EXE
DEFAULT LOCATION: %COMMON APPDATA%\{25428BB6-4332-136A-2542-28BB64332ED9}\9DA59EDD889BC72ADE572B1483A178B3.EXE
Dropper hash (md5): 9da59edd889bc72ade572b1483a178b3
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it…


Gen:Variant.Adware.Razy.6249

Gen:Variant.Adware.Razy.6249 also known as MultiPlug (v), Trojan.Adware.Razy.D1869, static engine – malicious.
MALWARE ANALYSIS OF GEN:VARIANT.ADWARE.RAZY.6249 – 9FE1E72CECAF0FEC832352F780D5B003.EXE
Created files:
%COMMON APPDATA%\{F2C4F720-FE11-D4DA-F2C4-4F720FE1DC83}\BE6DC7722C6B6870
%COMMON APPDATA%\{F2C4F720-FE11-D4DA-F2C4-4F720FE1DC83}\9FE1E72CECAF0FEC832352F780D5B003.DAT
%COMMON APPDATA%\{F2C4F720-FE11-D4DA-F2C4-4F720FE1DC83}\9FE1E72CECAF0FEC832352F780D5B003.EXE
%SYSDIR%\TASKS\HYPERDOCK
%WINDIR%\TASKS\HYPERDOCK.JOB
Detected by UnHackMe: 9FE1E72CECAF0FEC832352F780D5B003.EXE
DEFAULT LOCATION: %COMMON APPDATA%\{F2C4F720-FE11-D4DA-F2C4-4F720FE1DC83}\9FE1E72CECAF0FEC832352F780D5B003.EXE
Dropper hash (md5): 9fe1e72cecaf0fec832352f780d5b003
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100%…


Gen:Variant.Adware.Razy.6249 (B)

Gen:Variant.Adware.Razy.6249 (B) also known as AdWare/Generic.hsc, AdLoad, BehavesLike.Win32.MultiPlug.dh.
MALWARE ANALYSIS OF GEN:VARIANT.ADWARE.RAZY.6249 (B) – 9FE1E72CECAF0FEC832352F780D5B003.EXE
Created files:
%COMMON APPDATA%\{F2C4F720-FE11-D4DA-F2C4-4F720FE1DC83}\BE6DC7722C6B6870
%COMMON APPDATA%\{F2C4F720-FE11-D4DA-F2C4-4F720FE1DC83}\9FE1E72CECAF0FEC832352F780D5B003.DAT
%COMMON APPDATA%\{F2C4F720-FE11-D4DA-F2C4-4F720FE1DC83}\9FE1E72CECAF0FEC832352F780D5B003.EXE
%SYSDIR%\TASKS\HYPERDOCK
%WINDIR%\TASKS\HYPERDOCK.JOB
Detected by UnHackMe: 9FE1E72CECAF0FEC832352F780D5B003.EXE
DEFAULT LOCATION: %COMMON APPDATA%\{F2C4F720-FE11-D4DA-F2C4-4F720FE1DC83}\9FE1E72CECAF0FEC832352F780D5B003.EXE
Dropper hash (md5): 9fe1e72cecaf0fec832352f780d5b003
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which…


AdWare/MultiPlug.bxxd

AdWare/MultiPlug.bxxd also known as Win.Adware.Terkcop-26, AdLoad, worm.win32.dorkbot.i.
MALWARE ANALYSIS OF ADWARE/MULTIPLUG.BXXD – 994EBE56BB7EC6F629B37D5056480E9F.EXE
Created files:
%COMMON APPDATA%\{C62D247E-28DF-06B6-C62D-D247E28D91F8}\9EBF33B57E283907
%COMMON APPDATA%\{C62D247E-28DF-06B6-C62D-D247E28D91F8}\994EBE56BB7EC6F629B37D5056480E9F.DAT
%COMMON APPDATA%\{C62D247E-28DF-06B6-C62D-D247E28D91F8}\994EBE56BB7EC6F629B37D5056480E9F.EXE
%SYSDIR%\TASKS\TOUCHCODE
%WINDIR%\TASKS\TOUCHCODE.JOB
Detected by UnHackMe: 994EBE56BB7EC6F629B37D5056480E9F.EXE
DEFAULT LOCATION: %COMMON APPDATA%\{C62D247E-28DF-06B6-C62D-D247E28D91F8}\994EBE56BB7EC6F629B37D5056480E9F.EXE
Dropper hash (md5): 994ebe56bb7ec6f629b37d5056480e9f
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it…


AdWare/MultiPlug.btzd

AdWare/MultiPlug.btzd also known as Trojan.Win32.Crypted.duwrdx, Gen:Variant.Adware.MPlug.66, GrayWare[AdWare]/Win32.MultiPlug.np.
MALWARE ANALYSIS OF ADWARE/MULTIPLUG.BTZD – DCF1D1DF3461714CADCB052DD66C86CC.EXE
Created files:
%COMMON APPDATA%\{DC39B539-8A0F-5580-DC39-9B5398A0D4E6}\DCF1D1DF3461714CADCB052DD66C86CC.DAT
%COMMON APPDATA%\{DC39B539-8A0F-5580-DC39-9B5398A0D4E6}\DCF1D1DF3461714CADCB052DD66C86CC.EXE
%TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
%SYSDIR%\TASKS\GIRLCOMPANION
%WINDIR%\TASKS\GIRLCOMPANION.JOB
Detected by UnHackMe: DCF1D1DF3461714CADCB052DD66C86CC.EXE
DEFAULT LOCATION: %COMMON APPDATA%\{DC39B539-8A0F-5580-DC39-9B5398A0D4E6}\DCF1D1DF3461714CADCB052DD66C86CC.EXE
Dropper hash (md5): dcf1d1df3461714cadcb052dd66c86cc
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does…


a variant of Win32/Adware.Agent.NQL

a variant of Win32/Adware.Agent.NQL also known as not-a-virus:HEUR:RiskTool.Win32.Siaomo.gen, not-a-virus:HEUR:RiskTool.Win32.Siaomo.gen.
Malware Analysis of a variant of Win32/Adware.Agent.NQL – MSOPROT.SYS
Created files:
%Program Files%\Tclbop\UnInstall.exe
%TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
%SYSDIR%\DRIVERS\MSOPROT.SYS
%SYSDIR%\DRIVERS\MSOPROTE.SYS
Autostart registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\miaos\DisplayName: "miaos"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\miaos\UninstallString: "%Program Files%\Tclbop\Uninstall.exe"
HKLM\System\CurrentControlSet\services\ficldos\ImagePath: "\??\%Program Files%\Tclbop\ficldos.sys"
HKLM\System\CurrentControlSet\services\ficldos\DisplayName: "ficldos"
Detected by UnHackMe: MSOPROT.SYS
Default location: %SYSDIR%\DRIVERS\MSOPROT.SYS
Dropper hash (md5): f2b54f53611f2703ebeb525052e4556a
UnHackMe removes malware invisible for your antivirus!…


ADWARE/MSIL.DomaIQ.aad.1

ADWARE/MSIL.DomaIQ.aad.1 also known as TROJ_SPNR.0BAE14, Trojan.Win32.Downware.ddqexe, Adware.Generic.655584.
Malware Analysis of ADWARE/MSIL.DomaIQ.aad.1 – ZYAJURCXZJHEQU.EXE
Created files:
%TEMP%\KJXDINWNWRLQGU\CONFIG.DMC
%TEMP%\KJXDINWNWRLQGU\PARENT.TXT
%TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE
%TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE.CONFIG
Detected by UnHackMe: ZYAJURCXZJHEQU.EXE
DEFAULT LOCATION: %TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE
Dropper hash (md5): bb468b8d0146b7000108537e89b90628
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not contain any form…


Adware ( 004f6b751 )

Adware ( 004f6b751 ) also known as Adware.GenericKD.4163570, Adware.GenericKD.4163570, Adware.GenericKD.4163570.
Malware Analysis of Adware ( 004f6b751 ) – HAOTUMODIFY.EXE
Created files:
%LOCAL APPDATA%\HAOTUKANKAN\FREEIMAGE.DLL
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUMODIFY.EXE
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\BMP.ICO
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\GIF.ICO
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\CLSID\{1A7B0538-FD28-48A0-BB8B-DE3E04DF94C2}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\CLSID\{79BEF29B-2700-4D41-BE42-6EBA8A889D29}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.3FR\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.BMP\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.CUT\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.DDS\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE"…


not-a-virus:AdWare.Win32.Wews87.br

not-a-virus:AdWare.Win32.Wews87.br also known as W32.HfsAdware.6174, Adware.ChinAd, Application.ChinAd (A).
Malware Analysis of not-a-virus:AdWare.Win32.Wews87.br – BLUEMOONLEGEND.EXE
Created files:
%SYSTEMDRIVE%\IO.SYS
%SYSTEMDRIVE%\MSDOS.SYS
%Program Files%\BlueMoon\BlueMoonLegend.exe
%Program Files%\BlueMoon\Lander.ini
%Program Files%\BlueMoon\uninst.exe
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\BAIDUCLIENT.DEFAULT\.EXE\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" %*"
HKLM\SOFTWARE\CLASSES\BAIDUCLIENTBROWSERHTML\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" -- "%1" --MAIN-FRAME 3"
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\BAIDU.EXE\SHELL\OPEN\COMMAND\: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE --MAIN-FRAME 1"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BAIDUSERVICE.EXE\IMAGEPATH: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDUSERVICE.EXE"
HKLM\System\CurrentControlSet\services\BaiduService.exe\DisplayName: "BaiduService.exe"
HKLM\System\CurrentControlSet\services\bbnetdriver\ImagePath: "\SystemRoot\system32\drivers\bbnetdriver.sys"
HKLM\System\CurrentControlSet\services\bbnetdriver\DisplayName: "bbnetdriver"
HKLM\System\CurrentControlSet\services\bbnetservice\ImagePath: "%SystemRoot%\system32\svchost.exe -k…


Adware.Generic.DA00E0

Adware.Generic.DA00E0 also known as Infostealer.Limitail, Adware.Generic.655584, Artemis!90986F8314F8.
Malware Analysis of Adware.Generic.DA00E0 – ZYAJURCXZJHEQU.EXE
Created files:
%TEMP%\KJXDINWNWRLQGU\CONFIG.DMC
%TEMP%\KJXDINWNWRLQGU\PARENT.TXT
%TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE
%TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE.CONFIG
Detected by UnHackMe: ZYAJURCXZJHEQU.EXE
DEFAULT LOCATION: %TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE
Dropper hash (md5): bb468b8d0146b7000108537e89b90628
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not contain any form…


Adware ( 004f60e41 )

Adware ( 004f60e41 ) also known as Trojan.IGENERIC, a variant of Win32/KingSoft.B potentially unwanted, W32/Malicious_Behavior.VEX.
Malware Analysis of Adware ( 004f60e41 ) – KINST_168_206.EXE
Created files:
%TEMP%\NSP245D.TMP\BROWSER_V5.7.16400.16_R_4396_(BUILD1611171340).EXE
%TEMP%\NSP245D.TMP\IQIYISETUP_SENXING@KB008.EXE
%TEMP%\NSP245D.TMP\KINST_168_206.EXE
%TEMP%\NSP245D.TMP\KUWO_JM634.EXE
%TEMP%\NSP245D.TMP\LANY_Y_907453_FEITIAN.EXE
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\BAIDUCLIENT.DEFAULT\.EXE\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" %*"
HKLM\SOFTWARE\CLASSES\BAIDUCLIENTBROWSERHTML\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" -- "%1" --MAIN-FRAME 3"
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\BAIDU.EXE\SHELL\OPEN\COMMAND\: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE --MAIN-FRAME 1"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BAIDUSERVICE.EXE\IMAGEPATH: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDUSERVICE.EXE"
HKLM\System\CurrentControlSet\services\BaiduService.exe\DisplayName: "BaiduService.exe"…


a variant of Win32/Adware.ShandaAdd.F

a variant of Win32/Adware.ShandaAdd.F also known as Trojan.ZusyCRTD.Win32.5117, W32.Malware.Gen.
Malware Analysis of a variant of Win32/Adware.ShandaAdd.F – HAOTUKANKAN.EXE
Created files:
%LOCAL APPDATA%\HAOTUKANKAN\DOODLES\FC49F01C68F1626392DC15A1C592CFB663AEE1FB209EE-FOGFYU_FW658.PNG
%LOCAL APPDATA%\HAOTUKANKAN\FREEIMAGE.DLL
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUMODIFY.EXE
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\BMP.ICO
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\CLSID\{1A7B0538-FD28-48A0-BB8B-DE3E04DF94C2}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\CLSID\{79BEF29B-2700-4D41-BE42-6EBA8A889D29}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.3FR\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.BMP\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.CUT\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.DDS\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""…


Adware.ChinAd/Variant

Adware.ChinAd/Variant also known as W32.HfsAdware.6174, not-a-virus:AdWare.Win32.Wews87.br.
Malware Analysis of Adware.ChinAd/Variant – BLUEMOONLEGEND.EXE
Created files:
%SYSTEMDRIVE%\IO.SYS
%SYSTEMDRIVE%\MSDOS.SYS
%Program Files%\BlueMoon\BlueMoonLegend.exe
%Program Files%\BlueMoon\Lander.ini
%Program Files%\BlueMoon\uninst.exe
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\BAIDUCLIENT.DEFAULT\.EXE\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" %*"
HKLM\SOFTWARE\CLASSES\BAIDUCLIENTBROWSERHTML\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" -- "%1" --MAIN-FRAME 3"
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\BAIDU.EXE\SHELL\OPEN\COMMAND\: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE --MAIN-FRAME 1"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BAIDUSERVICE.EXE\IMAGEPATH: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDUSERVICE.EXE"
HKLM\System\CurrentControlSet\services\BaiduService.exe\DisplayName: "BaiduService.exe"
HKLM\System\CurrentControlSet\services\bbnetdriver\ImagePath: "\SystemRoot\system32\drivers\bbnetdriver.sys"
HKLM\System\CurrentControlSet\services\bbnetdriver\DisplayName: "bbnetdriver"
HKLM\System\CurrentControlSet\services\bbnetservice\ImagePath: "%SystemRoot%\system32\svchost.exe -k bbnetservice"
HKLM\System\CurrentControlSet\services\bbnetservice\DisplayName:…


Adware ( 005076f51 )

Adware ( 005076f51 ) also known as Adware.ChinAd, Trojan.Win32.Generic!BT, Adware.GenericKD.4588483.
Malware Analysis of Adware ( 005076f51 ) – LANY_Y_907453_FEITIAN.EXE
Created files:
%TEMP%\NSP245D.TMP\KINST_168_206.EXE
%TEMP%\NSP245D.TMP\KUWO_JM634.EXE
%TEMP%\NSP245D.TMP\LANY_Y_907453_FEITIAN.EXE
%TEMP%\NSP245D.TMP\QBDOWNLOAD_10024040.EXE
%TEMP%\NSP245D.TMP\RAV3490022.EXE
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\BAIDUCLIENT.DEFAULT\.EXE\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" %*"
HKLM\SOFTWARE\CLASSES\BAIDUCLIENTBROWSERHTML\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" -- "%1" --MAIN-FRAME 3"
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\BAIDU.EXE\SHELL\OPEN\COMMAND\: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE --MAIN-FRAME 1"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BAIDUSERVICE.EXE\IMAGEPATH: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDUSERVICE.EXE"
HKLM\System\CurrentControlSet\services\BaiduService.exe\DisplayName: "BaiduService.exe"
HKLM\System\CurrentControlSet\services\bbnetdriver\ImagePath: "\SystemRoot\system32\drivers\bbnetdriver.sys"
HKLM\System\CurrentControlSet\services\bbnetdriver\DisplayName: "bbnetdriver"
HKLM\System\CurrentControlSet\services\bbnetservice\ImagePath:…


W32.HfsAdware.6174

W32.HfsAdware.6174 also known as Adware.ChinAd, a variant of Win32/Wews87.A potentially unwanted, not-a-virus:AdWare.Win32.Wews87.br.
Malware Analysis of W32.HfsAdware.6174 – BLUEMOONLEGEND.EXE
Created files:
%SYSTEMDRIVE%\IO.SYS
%SYSTEMDRIVE%\MSDOS.SYS
%Program Files%\BlueMoon\BlueMoonLegend.exe
%Program Files%\BlueMoon\Lander.ini
%Program Files%\BlueMoon\uninst.exe
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\BAIDUCLIENT.DEFAULT\.EXE\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" %*"
HKLM\SOFTWARE\CLASSES\BAIDUCLIENTBROWSERHTML\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" -- "%1" --MAIN-FRAME 3"
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\BAIDU.EXE\SHELL\OPEN\COMMAND\: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE --MAIN-FRAME 1"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BAIDUSERVICE.EXE\IMAGEPATH: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDUSERVICE.EXE"
HKLM\System\CurrentControlSet\services\BaiduService.exe\DisplayName: "BaiduService.exe"
HKLM\System\CurrentControlSet\services\bbnetdriver\ImagePath: "\SystemRoot\system32\drivers\bbnetdriver.sys"
HKLM\System\CurrentControlSet\services\bbnetdriver\DisplayName:…


a variant of Win32/Adware.ShandaAdd.G

a variant of Win32/Adware.ShandaAdd.G also known as Win32:Adware-gen [Adw], Adware.GenericKD.4163570, Adware ( 004f6b751 ).
Malware Analysis of a variant of Win32/Adware.ShandaAdd.G – HAOTUMODIFY.EXE
Created files:
%LOCAL APPDATA%\HAOTUKANKAN\FREEIMAGE.DLL
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUMODIFY.EXE
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\BMP.ICO
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\GIF.ICO
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\CLSID\{1A7B0538-FD28-48A0-BB8B-DE3E04DF94C2}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\CLSID\{79BEF29B-2700-4D41-BE42-6EBA8A889D29}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.3FR\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.BMP\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.CUT\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE"…


Adware.Generic.655584

Adware.Generic.655584 also known as Adware.DomaIQ.Win32.692, DomaIQ.
Malware Analysis of Adware.Generic.655584 – ZYAJURCXZJHEQU.EXE
Created files:
%TEMP%\KJXDINWNWRLQGU\CONFIG.DMC
%TEMP%\KJXDINWNWRLQGU\PARENT.TXT
%TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE
%TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE.CONFIG
Detected by UnHackMe: ZYAJURCXZJHEQU.EXE
DEFAULT LOCATION: %TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE
Dropper hash (md5): bb468b8d0146b7000108537e89b90628
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not contain any form of…


ADWARE/ShandaAdd.pfyzg

ADWARE/ShandaAdd.pfyzg also known as Adware.GenericKD.4163570, TROJ_GEN.R00XH0EAF17.
Malware Analysis of ADWARE/ShandaAdd.pfyzg – HAOTUMODIFY.EXE
Created files:
%LOCAL APPDATA%\HAOTUKANKAN\FREEIMAGE.DLL
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUMODIFY.EXE
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\BMP.ICO
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\GIF.ICO
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\CLSID\{1A7B0538-FD28-48A0-BB8B-DE3E04DF94C2}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\CLSID\{79BEF29B-2700-4D41-BE42-6EBA8A889D29}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.3FR\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.BMP\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.CUT\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.DDS\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.EXR\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.G3\SHELL\OPEN\COMMAND\: ""%LOCAL…


Adware.GenericKD.4163570

Adware.GenericKD.4163570 also known as Adware ( 004f6b751 ).
Malware Analysis of Adware.GenericKD.4163570 – HAOTUMODIFY.EXE
Created files:
%LOCAL APPDATA%\HAOTUKANKAN\FREEIMAGE.DLL
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUMODIFY.EXE
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\BMP.ICO
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\GIF.ICO
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\CLSID\{1A7B0538-FD28-48A0-BB8B-DE3E04DF94C2}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\CLSID\{79BEF29B-2700-4D41-BE42-6EBA8A889D29}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.3FR\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.BMP\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.CUT\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.DDS\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.EXR\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""…


Adware.GenericKD.4163570 (B)

Adware.GenericKD.4163570 (B) also known as Adware.GenericKD.4163570, ADWARE/ShandaAdd.pfyzg, Win32:Adware-gen [Adw].
Malware Analysis of Adware.GenericKD.4163570 (B) – HAOTUMODIFY.EXE
Created files:
%LOCAL APPDATA%\HAOTUKANKAN\FREEIMAGE.DLL
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE
%LOCAL APPDATA%\HAOTUKANKAN\HAOTUMODIFY.EXE
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\BMP.ICO
%LOCAL APPDATA%\HAOTUKANKAN\ICONS\GIF.ICO
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\CLSID\{1A7B0538-FD28-48A0-BB8B-DE3E04DF94C2}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\CLSID\{79BEF29B-2700-4D41-BE42-6EBA8A889D29}\INPROCSERVER32\: "%LOCAL APPDATA%\HAOTUKANKAN\CONTEXTMENU32.DLL"
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.3FR\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.BMP\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.CUT\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.DDS\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\HAOTUKANKAN\HAOTUKANKAN.EXE" /FILENAME:"%1""
HKLM\SOFTWARE\CLASSES\HAOTUKANKAN.EXR\SHELL\OPEN\COMMAND\: ""%LOCAL…


Msil.Adware.Domaiq.Hrym

Msil.Adware.Domaiq.Hrym also known as GrayWare[AdWare:not-a-virus]/MSIL.DomaIQ, DomaIQ.
Malware Analysis of Msil.Adware.Domaiq.Hrym – ZYAJURCXZJHEQU.EXE
Created files:
%TEMP%\KJXDINWNWRLQGU\CONFIG.DMC
%TEMP%\KJXDINWNWRLQGU\PARENT.TXT
%TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE
%TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE.CONFIG
Detected by UnHackMe: ZYAJURCXZJHEQU.EXE
DEFAULT LOCATION: %TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE
Dropper hash (md5): bb468b8d0146b7000108537e89b90628
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not contain any form of…


Adware.ChinAd

Adware.ChinAd also known as not-a-virus:AdWare.Win32.Wews87.br, Adware.ChinAd/Variant, Adware ( 004c59d01 ).
Malware Analysis of Adware.ChinAd – BLUEMOONLEGEND.EXE
Created files:
%SYSTEMDRIVE%\IO.SYS
%SYSTEMDRIVE%\MSDOS.SYS
%Program Files%\BlueMoon\BlueMoonLegend.exe
%Program Files%\BlueMoon\Lander.ini
%Program Files%\BlueMoon\uninst.exe
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\BAIDUCLIENT.DEFAULT\.EXE\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" %*"
HKLM\SOFTWARE\CLASSES\BAIDUCLIENTBROWSERHTML\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" -- "%1" --MAIN-FRAME 3"
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\BAIDU.EXE\SHELL\OPEN\COMMAND\: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE --MAIN-FRAME 1"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BAIDUSERVICE.EXE\IMAGEPATH: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDUSERVICE.EXE"
HKLM\System\CurrentControlSet\services\BaiduService.exe\DisplayName: "BaiduService.exe"
HKLM\System\CurrentControlSet\services\bbnetdriver\ImagePath: "\SystemRoot\system32\drivers\bbnetdriver.sys"
HKLM\System\CurrentControlSet\services\bbnetdriver\DisplayName: "bbnetdriver"
HKLM\System\CurrentControlSet\services\bbnetservice\ImagePath:…


Adware.Generic.D4603C3

Adware.Generic.D4603C3 also known as malicious (high confidence), Adware.GenericKD.4588483, Trojan.IGENERIC.
Malware Analysis of Adware.Generic.D4603C3 – LANY_Y_907453_FEITIAN.EXE
Created files:
%TEMP%\NSP245D.TMP\KINST_168_206.EXE
%TEMP%\NSP245D.TMP\KUWO_JM634.EXE
%TEMP%\NSP245D.TMP\LANY_Y_907453_FEITIAN.EXE
%TEMP%\NSP245D.TMP\QBDOWNLOAD_10024040.EXE
%TEMP%\NSP245D.TMP\RAV3490022.EXE
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\BAIDUCLIENT.DEFAULT\.EXE\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" %*"
HKLM\SOFTWARE\CLASSES\BAIDUCLIENTBROWSERHTML\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" -- "%1" --MAIN-FRAME 3"
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\BAIDU.EXE\SHELL\OPEN\COMMAND\: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE --MAIN-FRAME 1"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BAIDUSERVICE.EXE\IMAGEPATH: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDUSERVICE.EXE"
HKLM\System\CurrentControlSet\services\BaiduService.exe\DisplayName: "BaiduService.exe"
HKLM\System\CurrentControlSet\services\bbnetdriver\ImagePath: "\SystemRoot\system32\drivers\bbnetdriver.sys"
HKLM\System\CurrentControlSet\services\bbnetdriver\DisplayName: "bbnetdriver"
HKLM\System\CurrentControlSet\services\bbnetservice\ImagePath: "%SystemRoot%\system32\svchost.exe -k bbnetservice"
HKLM\System\CurrentControlSet\services\bbnetservice\DisplayName:…


Adware.Generic.655584 (B)

Adware.Generic.655584 (B) also known as Adware.Generic.655584, Msil.Adware.Domaiq.Hrym, Generic PUA EH (PUA).
Malware Analysis of Adware.Generic.655584 (B) – ZYAJURCXZJHEQU.EXE
Created files:
%TEMP%\KJXDINWNWRLQGU\CONFIG.DMC
%TEMP%\KJXDINWNWRLQGU\PARENT.TXT
%TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE
%TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE.CONFIG
Detected by UnHackMe: ZYAJURCXZJHEQU.EXE
DEFAULT LOCATION: %TEMP%\KJXDINWNWRLQGU\ZYAJURCXZJHEQU.EXE
Dropper hash (md5): bb468b8d0146b7000108537e89b90628
UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it…


Adware.GenericKD.4588483 (B)

Adware.GenericKD.4588483 (B) also known as Adware ( 005076f51 ), Trojan.Win32.Generic!BT, Adware ( 005076f51 ).
Malware Analysis of Adware.GenericKD.4588483 (B) – LANY_Y_907453_FEITIAN.EXE
Created files:
%TEMP%\NSP245D.TMP\KINST_168_206.EXE
%TEMP%\NSP245D.TMP\KUWO_JM634.EXE
%TEMP%\NSP245D.TMP\LANY_Y_907453_FEITIAN.EXE
%TEMP%\NSP245D.TMP\QBDOWNLOAD_10024040.EXE
%TEMP%\NSP245D.TMP\RAV3490022.EXE
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\BAIDUCLIENT.DEFAULT\.EXE\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" %*"
HKLM\SOFTWARE\CLASSES\BAIDUCLIENTBROWSERHTML\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" -- "%1" --MAIN-FRAME 3"
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\BAIDU.EXE\SHELL\OPEN\COMMAND\: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE --MAIN-FRAME 1"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BAIDUSERVICE.EXE\IMAGEPATH: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDUSERVICE.EXE"
HKLM\System\CurrentControlSet\services\BaiduService.exe\DisplayName: "BaiduService.exe"
HKLM\System\CurrentControlSet\services\bbnetdriver\ImagePath: "\SystemRoot\system32\drivers\bbnetdriver.sys"
HKLM\System\CurrentControlSet\services\bbnetdriver\DisplayName:…


Adware.GenericKD.4588483

Adware.GenericKD.4588483 also known as Adware.GenericKD.4588483 (B), Trojan.Win32.Generic!BT, not-a-virus:AdWare.Win32.Wews87.br.
Malware Analysis of Adware.GenericKD.4588483 – LANY_Y_907453_FEITIAN.EXE
Created files:
%TEMP%\NSP245D.TMP\KINST_168_206.EXE
%TEMP%\NSP245D.TMP\KUWO_JM634.EXE
%TEMP%\NSP245D.TMP\LANY_Y_907453_FEITIAN.EXE
%TEMP%\NSP245D.TMP\QBDOWNLOAD_10024040.EXE
%TEMP%\NSP245D.TMP\RAV3490022.EXE
Autostart registry keys:
HKLM\SOFTWARE\CLASSES\BAIDUCLIENT.DEFAULT\.EXE\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" %*"
HKLM\SOFTWARE\CLASSES\BAIDUCLIENTBROWSERHTML\SHELL\OPEN\COMMAND\: ""%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE" -- "%1" --MAIN-FRAME 3"
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\BAIDU.EXE\SHELL\OPEN\COMMAND\: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE --MAIN-FRAME 1"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BAIDUSERVICE.EXE\IMAGEPATH: "%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDUSERVICE.EXE"
HKLM\System\CurrentControlSet\services\BaiduService.exe\DisplayName: "BaiduService.exe"
HKLM\System\CurrentControlSet\services\bbnetdriver\ImagePath: "\SystemRoot\system32\drivers\bbnetdriver.sys"
HKLM\System\CurrentControlSet\services\bbnetdriver\DisplayName: "bbnetdriver"
HKLM\System\CurrentControlSet\services\bbnetservice\ImagePath: "%SystemRoot%\system32\svchost.exe -k bbnetservice"
HKLM\System\CurrentControlSet\services\bbnetservice\DisplayName: "bbnetservice"…

