Category Archives: Virus

Win32/Virus.WebToolbar.d32

Win32/Virus.WebToolbar.d32 also known as RiskWare[WebToolbar]/Win32.Linkury, WebToolbar.Linkury.amp, not-a-virus:HEUR:WebToolbar.Win32.Linkury.gen.

Malware Analysis of Win32/Virus.WebToolbar.d32 – NETTRANS.EXE

Created files:
%COMMON APPDATA%\PREFERSSECURE\NETTRANS.EXE
%COMMON APPDATA%\PREFERSSECURE\NETTRANS.EXE.CONFIG
%COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_NETTRANS.EXE_972877DE09E9226E6FBA975167E1E31C8A64B1_CAB_0A45D135\REPORT.WER
%COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_NETTRANS.EXE_972877DE09E9226E6FBA975167E1E31C8A64B1_CAB_0A45D135\WER9AA5.TMP.APPCOMPAT.TXT
%COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_NETTRANS.EXE_972877DE09E9226E6FBA975167E1E31C8A64B1_CAB_0A45D135\WER9BAF.TMP.WERINTERNALMETADATA.XML

Autostart registry keys:
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\PREFERSSECURE\IMAGEPATH: “%COMMON APPDATA%\PREFERSSECURE\NETTRANS.EXE”
HKLM\System\CurrentControlSet\services\PrefersSecure\DisplayName: “Prefers Secure”

Detected by UnHackMe: NETTRANS.EXE
Default location: %COMMON APPDATA%\PREFERSSECURE\NETTRANS.EXE
Dropper hash (md5): 4fa73ad05d5a1156a69d2a1e63274d05

UnHackMe removes malware invisible for your antivirus! UnHackMe is compatible…

not-a-virus:HEUR:WebToolbar.Win32.Linkury.gen

not-a-virus:HEUR:WebToolbar.Win32.Linkury.gen also known as Trj/GdSda.A, Application.AdLink (A), TROJ_GEN.R01BC0ECB17.

Malware Analysis of not-a-virus:HEUR:WebToolbar.Win32.Linkury.gen – NETTRANS.EXE

Created files:
%COMMON APPDATA%\PREFERSSECURE\NETTRANS.EXE
%COMMON APPDATA%\PREFERSSECURE\NETTRANS.EXE.CONFIG
%COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_NETTRANS.EXE_972877DE09E9226E6FBA975167E1E31C8A64B1_CAB_0A45D135\REPORT.WER
%COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_NETTRANS.EXE_972877DE09E9226E6FBA975167E1E31C8A64B1_CAB_0A45D135\WER9AA5.TMP.APPCOMPAT.TXT
%COMMON APPDATA%\MICROSOFT\WINDOWS\WER\REPORTQUEUE\APPCRASH_NETTRANS.EXE_972877DE09E9226E6FBA975167E1E31C8A64B1_CAB_0A45D135\WER9BAF.TMP.WERINTERNALMETADATA.XML

Autostart registry keys:
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\PREFERSSECURE\IMAGEPATH: “%COMMON APPDATA%\PREFERSSECURE\NETTRANS.EXE”
HKLM\System\CurrentControlSet\services\PrefersSecure\DisplayName: “Prefers Secure”

Detected by UnHackMe: NETTRANS.EXE
Default location: %COMMON APPDATA%\PREFERSSECURE\NETTRANS.EXE
Dropper hash (md5): 4fa73ad05d5a1156a69d2a1e63274d05

not-a-virus:RiskTool.BitCoinMiner

not-a-virus:RiskTool.BitCoinMiner also known as Riskware ( 0040eff71 ), Trj/CI.A, Trojan.Coinbit.43.

Malware Analysis of not-a-virus:RiskTool.BitCoinMiner – INTELLITRACE.EXE

Created files:
%TEMP%\MONERO.EXE
%TEMP%\SERVER.EXE
%STARTUP%\JAVA UPDATE.EXE
%APPDATA%\MICROSOFT\CONHOST.EXE
%APPDATA%\MICROSOFT\INTELLITRACE.EXE

Detected by UnHackMe: INTELLITRACE.EXE
Default location: %APPDATA%\MICROSOFT\INTELLITRACE.EXE
Dropper hash (md5): e9c27d5895d7c61de2ce7ed8e3ee9ee3

not-a-virus:RiskTool.Win64.BitCoinMiner.ju

not-a-virus:RiskTool.Win64.BitCoinMiner.ju also known as Application.BitCoinMiner.IG, Trojan.Coinbit.43, W64/BitCoinMiner.D.

Malware Analysis of not-a-virus:RiskTool.Win64.BitCoinMiner.ju – INTELLITRACE.EXE

Created files:
%TEMP%\MONERO.EXE
%TEMP%\SERVER.EXE
%STARTUP%\JAVA UPDATE.EXE
%APPDATA%\MICROSOFT\CONHOST.EXE
%APPDATA%\MICROSOFT\INTELLITRACE.EXE

Detected by UnHackMe: INTELLITRACE.EXE
Default location: %APPDATA%\MICROSOFT\INTELLITRACE.EXE
Dropper hash (md5): e9c27d5895d7c61de2ce7ed8e3ee9ee3

not-a-virus:RiskTool.Win64.BitCoinMiner.avo

not-a-virus:RiskTool.Win64.BitCoinMiner.avo also known as a variant of Win64/BitCoinMiner.AP potentially unsafe, Risktool.Win64.Bitcoinminer!c, Trojan.Coinbitminer.

Malware Analysis of not-a-virus:RiskTool.Win64.BitCoinMiner.avo – SYSTEMIDLE.EXE

Created files:
%COMMON APPDATA%\MICROSOFTDLL\LIBWINPTHREAD-1.DLL
%COMMON APPDATA%\MICROSOFTDLL\SSLEAY32.DLL
%COMMON APPDATA%\MICROSOFTDLL\SYSTEMIDLE.EXE
%COMMON APPDATA%\MICROSOFTDLL\SYSUTILITES.EXE
%COMMON APPDATA%\MICROSOFTDLL\ZLIB1.DLL

Detected by UnHackMe: SYSTEMIDLE.EXE
Default location: %COMMON APPDATA%\MICROSOFTDLL\SYSTEMIDLE.EXE
Dropper hash (md5): ad1b989e8a70636cdb2e2f4af93c3475

W32.Virus.Win64.Bitcoinminer

W32.Virus.Win64.Bitcoinminer also known as RDN/Generic PUP.x, Riskware.Win64.BitCoinMiner.elaoxq.

Malware Analysis of W32.Virus.Win64.Bitcoinminer – SYSTEMIDLE.EXE

Created files:
%COMMON APPDATA%\MICROSOFTDLL\LIBWINPTHREAD-1.DLL
%COMMON APPDATA%\MICROSOFTDLL\SSLEAY32.DLL
%COMMON APPDATA%\MICROSOFTDLL\SYSTEMIDLE.EXE
%COMMON APPDATA%\MICROSOFTDLL\SYSUTILITES.EXE
%COMMON APPDATA%\MICROSOFTDLL\ZLIB1.DLL

Detected by UnHackMe: SYSTEMIDLE.EXE
Default location: %COMMON APPDATA%\MICROSOFTDLL\SYSTEMIDLE.EXE
Dropper hash (md5): ad1b989e8a70636cdb2e2f4af93c3475

VirusOrg.Win32.Ramnit.G

VirusOrg.Win32.Ramnit.G also known as Gen:Variant.Kazy.8782, Win32.Ramnit.A.

Malware Analysis of VirusOrg.Win32.Ramnit.G – FILEMGR.EXE

Created files:
%LOCAL APPDATA%\MICROSOFT\VAULT\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\POLICY.VPOL
%TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
%TEMP%\FILEMGR.EXE
%TEMP%\O4UTEMKF
%STARTUP%\OWEEAXCE.EXE

Autostart registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client update: “”%Program Files%\svchost\svchost.exe” -a /a”
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Client update: “”%Program Files%\svchost\svchost.exe” -a /a”
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT: “%SYSDIR%\USERINIT.EXE,,%PROGRAM FILES%\GTPRQKGN\OWEEAXCE.EXE”
HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\LOAD: “%APPDATA%\UPDATE\SVCHOST.EXE.LNK ”

Detected by UnHackMe: FILEMGR.EXE
Default location: %TEMP%\FILEMGR.EXE
Dropper hash (md5): 7b4b9a90da1b3df62869c4b748baebd0

not-a-virus:HEUR:RiskTool.Win32.Siaomo.gen

not-a-virus:HEUR:RiskTool.Win32.Siaomo.gen also known as a variant of Win32/Adware.Agent.NQL.

Malware Analysis of not-a-virus:HEUR:RiskTool.Win32.Siaomo.gen – MSOPROT.SYS

Created files:
%Program Files%\Tclbop\UnInstall.exe
%TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
%SYSDIR%\DRIVERS\MSOPROT.SYS
%SYSDIR%\DRIVERS\MSOPROTE.SYS

Autostart registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\miaos\DisplayName: “miaos”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\miaos\UninstallString: “%Program Files%\Tclbop\Uninstall.exe”
HKLM\System\CurrentControlSet\services\ficldos\ImagePath: “\??\%Program Files%\Tclbop\ficldos.sys”
HKLM\System\CurrentControlSet\services\ficldos\DisplayName: “ficldos”

Detected by UnHackMe: MSOPROT.SYS
Default location: %SYSDIR%\DRIVERS\MSOPROT.SYS
Dropper hash (md5): f2b54f53611f2703ebeb525052e4556a

Win32.Virus.Ramnit.Eeqw

Win32.Virus.Ramnit.Eeqw also known as Worm.Win32.AutoRun.hbbg, generic.ml, Win32:Kryptik-HRR [Trj].

Malware Analysis of Win32.Virus.Ramnit.Eeqw – FILEMGR.EXE

Created files:
%LOCAL APPDATA%\MICROSOFT\VAULT\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\POLICY.VPOL
%TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
%TEMP%\FILEMGR.EXE
%TEMP%\O4UTEMKF
%STARTUP%\OWEEAXCE.EXE

Autostart registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client update: “”%Program Files%\svchost\svchost.exe” -a /a”
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Client update: “”%Program Files%\svchost\svchost.exe” -a /a”
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT: “%SYSDIR%\USERINIT.EXE,,%PROGRAM FILES%\GTPRQKGN\OWEEAXCE.EXE”
HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\LOAD: “%APPDATA%\UPDATE\SVCHOST.EXE.LNK ”

Detected by UnHackMe: FILEMGR.EXE
Default location: %TEMP%\FILEMGR.EXE
Dropper hash (md5): 7b4b9a90da1b3df62869c4b748baebd0

virus.win32.ravs.a

virus.win32.ravs.a also known as Cryp_Xed-12, W32/Heuristic-162!Eldorado, malicious_confidence_100% (D).

Malware Analysis of virus.win32.ravs.a – KUWO_JM634.EXE

Created files:
%TEMP%\NSP245D.TMP\IQIYISETUP_SENXING@KB008.EXE
%TEMP%\NSP245D.TMP\KINST_168_206.EXE
%TEMP%\NSP245D.TMP\KUWO_JM634.EXE
%TEMP%\NSP245D.TMP\LANY_Y_907453_FEITIAN.EXE
%TEMP%\NSP245D.TMP\QBDOWNLOAD_10024040.EXE

Autostart registry keys:
HKLM\SOFTWARE\CLASSES\BAIDUCLIENT.DEFAULT\.EXE\SHELL\OPEN\COMMAND\: “”%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE” %*”
HKLM\SOFTWARE\CLASSES\BAIDUCLIENTBROWSERHTML\SHELL\OPEN\COMMAND\: “”%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE” — “%1″ –MAIN-FRAME 3”
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\BAIDU.EXE\SHELL\OPEN\COMMAND\: “%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDU.EXE –MAIN-FRAME 1”
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BAIDUSERVICE.EXE\IMAGEPATH: “%LOCAL APPDATA%\BAIDU\ILJ\3.1.200.2978\BAIDUSERVICE.EXE”
HKLM\System\CurrentControlSet\services\BaiduService.exe\DisplayName: “BaiduService.exe”
HKLM\System\CurrentControlSet\services\bbnetdriver\ImagePath: “\SystemRoot\system32\drivers\bbnetdriver.sys”
HKLM\System\CurrentControlSet\services\bbnetdriver\DisplayName: “bbnetdriver”
HKLM\System\CurrentControlSet\services\bbnetservice\ImagePath: “%SystemRoot%\system32\svchost.exe -k bbnetservice”
HKLM\System\CurrentControlSet\services\bbnetservice\DisplayName: “bbnetservice”…

Virus/Win32.ramnit.ffqzc

Malware Analysis of Virus/Win32.ramnit.ffqzc – SLIDESHOW.DLL

Created files:
%PROFILE%\DOCUMENTS\VIRTUALDJ\PLUGINS\VIDEOEFFECT\KARAOKE.DLL
%PROFILE%\DOCUMENTS\VIRTUALDJ\PLUGINS\VIDEOEFFECT\NEGATIVE.DLL
%PROFILE%\DOCUMENTS\VIRTUALDJ\PLUGINS\VIDEOEFFECT\SLIDESHOW.DLL
%PROFILE%\DOCUMENTS\VIRTUALDJ\PLUGINS\VIDEOEFFECT\SONIQUE.DLL
%PROFILE%\DOCUMENTS\VIRTUALDJ\PLUGINS\VIDEOEFFECT\STROBE.DLL

Autostart registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2250177403-3231077850-1239169437-1002\Products\4D5D2C775CDA9F943BE69529CF3FE53A\InstallProperties\UninstallString: “MsiExec.exe /I{77C2D5D4-ADC5-49F9-B36E-5992FCF35EA3}”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2250177403-3231077850-1239169437-1002\Products\4D5D2C775CDA9F943BE69529CF3FE53A\InstallProperties\DisplayName: “VirtualDJ Home FREE”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{77C2D5D4-ADC5-49F9-B36E-5992FCF35EA3}\UninstallString: “MsiExec.exe /I{77C2D5D4-ADC5-49F9-B36E-5992FCF35EA3}”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{77C2D5D4-ADC5-49F9-B36E-5992FCF35EA3}\DisplayName: “VirtualDJ Home FREE”

Detected by UnHackMe: SLIDESHOW.DLL
Default location: %PROFILE%\DOCUMENTS\VIRTUALDJ\PLUGINS\VIDEOEFFECT\SLIDESHOW.DLL
Dropper hash (md5): ce5067fc5785d647fd4fedc59f959e06

Virus/Win32.WGeneric.kvnkd

Virus/Win32.WGeneric.kvnkd also known as Gen:Variant.MSILPerseus.65950, a variant of MSIL/Injector.RBE.

Malware Analysis of Virus/Win32.WGeneric.kvnkd – ASCQSERVICE.EXE

Created files:
%TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
%TEMP%\TMP1965231370.TMP
%APPDATA%\ASCQSERVICE.EXE
%APPDATA%\MONITOR\GUARD\1
%APPDATA%\MONITOR\SCREENSHOTS\03-09-2017\1.26 PM

Detected by UnHackMe: ASCQSERVICE.EXE
Default location: %APPDATA%\ASCQSERVICE.EXE
Dropper hash (md5): 708c80458ac882db2f83d0ad5a70f98b

virus.win32.parite.a

virus.win32.parite.a also known as Backdoor.AndromCRTD.Win32.6324, Mal/Generic-S, Trojan.Win32.Androm.ejwzyc.

Malware Analysis of virus.win32.parite.a – WINWORD016.EXE

Created files:
%TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
%TEMP%\TMP01.DLL
%TEMP%\WINWORD016.EXE
%APPDATA%\WINWORD016.EXE

Autostart registry keys:
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\WINWORD016: “%TEMP%\WINWORD016.EXE”

Detected by UnHackMe: WINWORD016.EXE
Default location: %TEMP%\WINWORD016.EXE
Dropper hash (md5): 4f8bc14d0d85d02b37f17ce58682e06d

not-a-virus:RiskTool.Win32.Catalina.ajx

not-a-virus:RiskTool.Win32.Catalina.ajx also known as not-a-virus:RiskTool.Catalina, Trojan.MBro.ad.

Malware Analysis of not-a-virus:RiskTool.Win32.Catalina.ajx – CATALINACRASHHANDLER.EXE

Created files:
%LOCAL APPDATA%\CATALINAGROUP\CITRIO\USER DATA\SAFE BROWSING COOKIES
%LOCAL APPDATA%\CATALINAGROUP\CITRIO\USER DATA\SAFE BROWSING COOKIES-JOURNAL
%LOCAL APPDATA%\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE
%LOCAL APPDATA%\CATALINAGROUP\UPDATE\1.3.25.225\CATALINAUPDATE.EXE
%LOCAL APPDATA%\CATALINAGROUP\UPDATE\1.3.25.225\CATALINAUPDATEBROKER.EXE

Autostart registry keys:
HKLM\SOFTWARE\CLASSES\CITRIODOC.5H2QR4GU3NYWVL3TJ6VO2JWGTI\SHELL\OPEN\COMMAND\: “”%LOCAL APPDATA%\CATALINAGROUP\CITRIO\APPLICATION\CITRIO.EXE” — “%1″”
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\CITRIO.5H2QR4GU3NYWVL3TJ6VO2JWGTI\SHELL\OPEN\COMMAND\: “”%LOCAL APPDATA%\CATALINAGROUP\CITRIO\APPLICATION\CITRIO.EXE””
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CATALINAGROUP UPDATE: “”%LOCAL APPDATA%\CATALINAGROUP\UPDATE\CATALINAUPDATE.EXE” /C”
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio\DisplayName: “Citrio”
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CITRIO\UNINSTALLSTRING: “”%LOCAL APPDATA%\CATALINAGROUP\CITRIO\APPLICATION\50.0.2661.274\INSTALLER\SETUP.EXE” –UNINSTALL”
HKCU\SOFTWARE\CATALINAGROUP\UPDATE\CLIENTSTATE\{92F8A219-E740-49D5-B785-B962AD819724}\UNINSTALLSTRING: “%LOCAL APPDATA%\CATALINAGROUP\CITRIO\APPLICATION\50.0.2661.274\INSTALLER\SETUP.EXE”…

not-a-virus:RiskTool.Catalina

not-a-virus:RiskTool.Catalina also known as not-a-virus:RiskTool.Win32.Catalina.ajx, Application.InstallShare (A), Adware.Downware.17750.

Malware Analysis of not-a-virus:RiskTool.Catalina – CATALINACRASHHANDLER.EXE

Created files:
%LOCAL APPDATA%\CATALINAGROUP\CITRIO\USER DATA\SAFE BROWSING COOKIES
%LOCAL APPDATA%\CATALINAGROUP\CITRIO\USER DATA\SAFE BROWSING COOKIES-JOURNAL
%LOCAL APPDATA%\CATALINAGROUP\UPDATE\1.3.25.225\CATALINACRASHHANDLER.EXE
%LOCAL APPDATA%\CATALINAGROUP\UPDATE\1.3.25.225\CATALINAUPDATE.EXE
%LOCAL APPDATA%\CATALINAGROUP\UPDATE\1.3.25.225\CATALINAUPDATEBROKER.EXE

Autostart registry keys:
HKLM\SOFTWARE\CLASSES\CITRIODOC.5H2QR4GU3NYWVL3TJ6VO2JWGTI\SHELL\OPEN\COMMAND\: “”%LOCAL APPDATA%\CATALINAGROUP\CITRIO\APPLICATION\CITRIO.EXE” — “%1″”
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\CITRIO.5H2QR4GU3NYWVL3TJ6VO2JWGTI\SHELL\OPEN\COMMAND\: “”%LOCAL APPDATA%\CATALINAGROUP\CITRIO\APPLICATION\CITRIO.EXE””
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\CATALINAGROUP UPDATE: “”%LOCAL APPDATA%\CATALINAGROUP\UPDATE\CATALINAUPDATE.EXE” /C”
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Citrio\DisplayName: “Citrio”
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CITRIO\UNINSTALLSTRING: “”%LOCAL APPDATA%\CATALINAGROUP\CITRIO\APPLICATION\50.0.2661.274\INSTALLER\SETUP.EXE” –UNINSTALL”
HKCU\SOFTWARE\CATALINAGROUP\UPDATE\CLIENTSTATE\{92F8A219-E740-49D5-B785-B962AD819724}\UNINSTALLSTRING:…

virus.win32.floxif.h

virus.win32.floxif.h also known as PUP/PDFForgeToolbar, a variant of Win32/Toolbar.Widgi potentially unwanted.

Malware Analysis of virus.win32.floxif.h – VUZETOOLBARIE.DLL

Created files:
%Program Files%\Application Updater\config.ini
%Program Files%\Vuze Remote Toolbar\IE\26.7\config.ini
%Program Files%\Vuze Remote Toolbar\IE\26.7\vuzeToolbarIE.dll
%Program Files%\Vuze Remote Toolbar\IE\26.7\vuzeToolbarIE64.dll
%Program Files%\Vuze Remote Toolbar\Res\amazon.gif

Autostart registry keys:
HKLM\Software\Classes\CLSID\{05478A66-EDB6-4A22-A870-A5987F80A7DA}\InprocServer32\: “%Program Files%\Vuze Remote Toolbar\IE\26.7\vuzeToolbarIE.dll”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\09A904EFFACCFA94082A67CA9C6E8FFC\InstallProperties\UninstallString: “MsiExec.exe /X{FE409A90-CCAF-49AF-80A2-76ACC9E6F8CF}”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\09A904EFFACCFA94082A67CA9C6E8FFC\InstallProperties\DisplayName: “Vuze Remote Toolbar v26.7”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\:…

not-a-virus:HEUR:WebToolbar.Win32.Spigot.gen

not-a-virus:HEUR:WebToolbar.Win32.Spigot.gen also known as PUP.Adware.Spigot, a variant of Win32/Toolbar.Widgi potentially unwanted, Adwareare.Widgi.Pmril!c.

Malware Analysis of not-a-virus:HEUR:WebToolbar.Win32.Spigot.gen – PREFERENCESMANAGER.EXE

Created files:
%Program Files Common%\Spigot\Preferences Manager\Lang\res1036.ini
%Program Files Common%\Spigot\Preferences Manager\Lang\res1040.ini
%Program Files Common%\Spigot\Preferences Manager\PreferencesManager.exe
%Program Files%\Application Updater\ApplicationUpdater.exe
%Program Files%\Application Updater\config.ini

Autostart registry keys:
HKLM\Software\Classes\CLSID\{05478A66-EDB6-4A22-A870-A5987F80A7DA}\InprocServer32\: “%Program Files%\Vuze Remote Toolbar\IE\26.7\vuzeToolbarIE.dll”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\09A904EFFACCFA94082A67CA9C6E8FFC\InstallProperties\UninstallString: “MsiExec.exe /X{FE409A90-CCAF-49AF-80A2-76ACC9E6F8CF}”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\09A904EFFACCFA94082A67CA9C6E8FFC\InstallProperties\DisplayName: “Vuze Remote Toolbar v26.7”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\:…

Virus.F8C.Gen!c

Virus.F8C.Gen!c also known as Adware.WidgiCRTD.Win32.4890, Spigot (fs).

Malware Analysis of Virus.F8C.Gen!c – VUZETOOLBAR.EXE

Created files:
%WINDIR%\INSTALLER\{FE409A90-CCAF-49AF-80A2-76ACC9E6F8CF}\ARPPRODUCTICON.EXE
%SYSDIR%\TASKS\PROGRAM MANAGER
%WINDIR%\TEMP\VUZETOOLBAR.EXE
%SYSTEMDRIVE%\CONFIG.MSI\3B2EF.RBF

Autostart registry keys:
HKLM\Software\Classes\CLSID\{05478A66-EDB6-4A22-A870-A5987F80A7DA}\InprocServer32\: “%Program Files%\Vuze Remote Toolbar\IE\26.7\vuzeToolbarIE.dll”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\09A904EFFACCFA94082A67CA9C6E8FFC\InstallProperties\UninstallString: “MsiExec.exe /X{FE409A90-CCAF-49AF-80A2-76ACC9E6F8CF}”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\09A904EFFACCFA94082A67CA9C6E8FFC\InstallProperties\DisplayName: “Vuze Remote Toolbar v26.7”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\: “”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SearchSettings: “”%Program Files Common%\Spigot\Preferences Manager\PreferencesManager.exe””
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FE409A90-CCAF-49AF-80A2-76ACC9E6F8CF}\UninstallString: “MsiExec.exe /X{FE409A90-CCAF-49AF-80A2-76ACC9E6F8CF}”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FE409A90-CCAF-49AF-80A2-76ACC9E6F8CF}\DisplayName: “Vuze Remote Toolbar v26.7”
HKLM\System\CurrentControlSet\services\Application Updater\ImagePath: “”%Program Files%\Application…

not-a-virus:RiskTool.Win32.HideExec.bc

not-a-virus:RiskTool.Win32.HideExec.bc also known as HackTool/Win32.ProcPatcher.C876952, Riskware.Win32.HideExec.cwwtxz, RiskWare.CHP.

Malware Analysis of not-a-virus:RiskTool.Win32.HideExec.bc – HREWNF.EXE

Created files:
%WINDIR%\GDWSLK
%WINDIR%\GRUBER.EXE
%WINDIR%\HREWNF.EXE
%WINDIR%\JHNDSN
%WINDIR%\LOADERMASTER.EXE

Autostart registry keys:
HKLM\Software\Google\Chrome\Extensions\pgoackgjjkpbkjoomkklkofbhpkbeboc\update_url: “https://clients2.google.com/service/update2/crx”
HKLM\Software\Google\Chrome\Extensions\ikdlehiegikpggplngbmpdgnidekfmjn\update_url: “https://clients2.google.com/service/update2/crx”
HKLM\Software\Google\Chrome\Extensions\hkdmihdclhhoghpojiifklmegjnjkdlh\update_url: “https://clients2.google.com/service/update2/crx”
HKLM\Software\Google\Chrome\Extensions\gccplojjfpdbeidicabkegekmcplafee\update_url: “https://clients2.google.com/service/update2/crx”
HKLM\Software\Google\Chrome\Extensions\eoepodkgpakekgncgnfnijcippobokhp\update_url: “https://clients2.google.com/service/update2/crx”
HKLM\Software\Google\Chrome\Extensions\clmghkfhfkcfhpccgbafbailibgogkbi\update_url: “https://clients2.google.com/service/update2/crx”
HKLM\Software\Google\Chrome\Extensions\cckdoammdligdedbakcgnmegjljgipjb\update_url: “https://clients2.google.com/service/update2/crx”
HKLM\Software\Google\Chrome\Extensions\akhdblbjebmbllhinponghfmaekhlhob\update_url: “https://clients2.google.com/service/update2/crx”
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0\DisplayName: “Local Group Policy”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MoneyFriend1.0\DisplayName: “MoneyFriend”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MoneyFriend1.0\UninstallString: “”%Program Files%\MoneyFriend\uninstall.exe” “/U:%Program Files%\MoneyFriend\Uninstall\uninstall.xml””
HKLM\Software\WOW6432Node\Google\Chrome\Extensions\pgoackgjjkpbkjoomkklkofbhpkbeboc\update_url: “https://clients2.google.com/service/update2/crx”
HKLM\Software\WOW6432Node\Google\Chrome\Extensions\ikdlehiegikpggplngbmpdgnidekfmjn\update_url: “https://clients2.google.com/service/update2/crx”…

virus.win32.capsfin.a

virus.win32.capsfin.a also known as Win32:Malware-gen, Trojan.Crypt!KxUhJLcY4S0, Trojan ( 004f8bee1 ).

Malware Analysis of virus.win32.capsfin.a – XFAOIRRDGG.EXE

Created files:
%APPDATA%\TOR\LOCK
%APPDATA%\TOR\STATE
%APPDATA%\XFAOIRRDGG.EXE

Autostart registry keys:
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\XFAOIRRDGG: “”%APPDATA%\XFAOIRRDGG.EXE””
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\*XFAOIRRDGG: “”%APPDATA%\XFAOIRRDGG.EXE””

Detected by UnHackMe: XFAOIRRDGG.EXE
Default location: %APPDATA%\XFAOIRRDGG.EXE
Dropper hash (md5): 28ff782bd7b627b8b86ad88717e53a23

virus.win32.ramnit.i

virus.win32.ramnit.i also known as PUP-FJE, Application.AdPack (A), Malware.Generic!xYfFQCDajYN@5 (thunder).

Malware Analysis of virus.win32.ramnit.i – ZDENGINE.DLL

Created files:
%Program Files%\OtherSearch\uninstall.exe
%Program Files%\OtherSearch\updengine.exe
%Program Files%\OtherSearch\zdengine.dll
%Program Files%\OtherSearch\zdengine.exe
%Program Files%\OtherSearch\zdengine.tlb

Autostart registry keys:
HKLM\Software\Classes\CLSID\{176F706B-5175-479C-A3DF-32420F6FB01A}\LocalServer32\: “”%Program Files%\OtherSearch\zdengine.exe””
HKLM\Software\Classes\CLSID\{38BE2BE8-EB8E-41D1-9D94-3B1697094D47}\LocalServer32\: “”%Program Files%\OtherSearch\zdengine.exe””
HKLM\Software\Classes\CLSID\{53C267B2-B01D-410F-A4DD-A32962EE55F4}\LocalServer32\: “”%Program Files%\OtherSearch\zdengine.exe””
HKLM\Software\Classes\CLSID\{8804A543-42D3-4D71-9685-B0243D5526F3}\LocalServer32\: “”%Program Files%\OtherSearch\zdengine.exe””
HKLM\Software\Classes\CLSID\{A0F322D5-6A13-4CAB-84CF-FABB5690618E}\LocalServer32\: “”%Program Files%\OtherSearch\zdengine.exe””
HKLM\Software\Classes\CLSID\{AC3E336C-B524-47F0-9AA2-5F67AA056086}\LocalServer32\: “”%Program Files%\OtherSearch\zdengine.exe””
HKLM\Software\Classes\CLSID\{C68E9BB6-3DBD-4C4B-910B-C5D84A7EBB03}\LocalServer32\: “”%Program Files%\OtherSearch\zdengine.exe””
HKLM\Software\Classes\CLSID\{F577A1BA-D82D-4BB2-8430-B767285D081D}\LocalServer32\: “”%Program Files%\OtherSearch\zdengine.exe””
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\OtherSearch\DisplayName:…

virus.win32.slugin.a!dll

virus.win32.slugin.a!dll also known as malicious_confidence_64% (D), Artemis, a variant of Win32/Injector.DIED.

Malware Analysis of virus.win32.slugin.a!dll – TRACEABILITY.DLL

Created files:
%TEMP%\CLAPPERBOARD.GSA
%TEMP%\NSJD5A0.TMP\SYSTEM.DLL
%TEMP%\TRACEABILITY.DLL

Detected by UnHackMe: TRACEABILITY.DLL
Default location: %TEMP%\TRACEABILITY.DLL
Dropper hash (md5): 1bae0774ad05ee97cf6b1245426cbdb9

not-a-virus:RiskTool.Win64.BitCoinMiner.bgq

not-a-virus:RiskTool.Win64.BitCoinMiner.bgq also known as Riskware.BitCoinMiner!, Riskware.Win64.BtcMine.eifmpg, Trojan.Generic.19669610.

Malware Analysis of not-a-virus:RiskTool.Win64.BitCoinMiner.bgq – NHEQMINER.EXE

Created files:
%WINDIR%\MSVCR120.DLL
%WINDIR%\N.BAT
%WINDIR%\NHEQMINER.EXE
%WINDIR%\OPENCL.DLL
%WINDIR%\ZEC.BAT

Detected by UnHackMe: NHEQMINER.EXE
Default location: %WinDir%\NHEQMINER.EXE
Dropper hash (md5): 1525fc81d1d5d4f56f4f85f23be64d17

GrayWare[WebToolbar:not-a-virus]/JS.CroRi.b

GrayWare[WebToolbar:not-a-virus]/JS.CroRi.b also known as Unwanted-Program ( 004a9f361 ), W32/Crossrider.N.gen!Eldorado, HEUR/QVM20.1.0000.Malware.Gen.

Malware Analysis of GrayWare[WebToolbar:not-a-virus]/JS.CroRi.b – RULCOEZRA.EXE

Created files:
%TEMP%\NSQAE92.TMP\SYSTEM.DLL
%TEMP%\NSQAE92.TMP\USERINFO.DLL
%TEMP%\NSF3034.TMP\RULCOEZRA.EXE
%TEMP%\NSF3034.TMP\STDUTILS.DLL
%TEMP%\NSF3034.TMP\STRICMNEH.TMP

Detected by UnHackMe: RULCOEZRA.EXE
Default location: %TEMP%\NSF3034.TMP\RULCOEZRA.EXE
Dropper hash (md5): fc7e9dac839a497c310a1e5b909bdfb9

virus.win32.parite.b

virus.win32.parite.b also known as TROJ_FAKEAV.SMER, W32/FakeAlert.AAA2.gen!Eldorado, Trojan.VIZ.Gen.1.

Malware Analysis of virus.win32.parite.b – ISOJ.EXE

Created files:
%LOCAL APPDATA%\MICROSOFT\WINDOWS MAIL\TMP.EDB
%TEMP%\PPCRLUI_2396_2
%APPDATA%\MYOQRA\ISOJ.EXE

Autostart registry keys:
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\{0FA87B82-4BB0-AD46-4A8C-16D17B6435CC}: “%APPDATA%\MYOQRA\ISOJ.EXE”

Detected by UnHackMe: ISOJ.EXE
Default location: %APPDATA%\MYOQRA\ISOJ.EXE
Dropper hash (md5): fe734528a5b9d2f55e937e8d87e93c57

RiskWare[WebToolbar:not-a-virus]/Win32.SearchSuite

RiskWare[WebToolbar:not-a-virus]/Win32.SearchSuite also known as a variant of Win32/Toolbar.SearchSuite.AD potentially unwanted, Adware ( 004c74cb1 ), Adware.Bandoo.372.

Malware Analysis of RiskWare[WebToolbar:not-a-virus]/Win32.SearchSuite – MUSICAPPHELPER.DLL

Created files:
%Program Files%\Music App\Datamngr\DatamngrCoordinator.exe
%Program Files%\Music App\Datamngr\favicon.ico
%Program Files%\Music App\Datamngr\MusicAppHelper.dll
%Program Files%\Music App\Datamngr\SRTOOL~1\FF\install.ico
%Program Files%\Music App\Datamngr\SRTOOL~1\FF\uninstall.exe

Autostart registry keys:
HKLM\Software\Classes\Applications\98d1ccfa985ba53d38b92a98ef4356776e1191789f8d658a9c8388db2e8adbbd.exe\IsHostApp: “”
HKLM\SOFTWARE\CLASSES\CLSID\{88D8ECB7-204F-4EFD-8134-F6341F76C672}\INPROCSERVER32\: “%SYSTEMDRIVE%\PROGRA~1\MUSICA~1\DATAMNGR\SRTOOL~1\IE\SEARCHRESULTSDX.DLL”
HKLM\Software\Classes\CLSID\{E677C7AD-2B66-4539-AA29-3771A1CFEDA9}\InprocServer32\: “%Program Files%\jZip\jZipShell.dll”
HKLM\Software\Classes\jZip.file\shell\open\command\: “”%Program Files%\jZip\jZip.exe” –open-archive “%1″”
HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}\DisplayName:…

virus.win32.ramnit.a!remnants

virus.win32.ramnit.a!remnants also known as Trojan.Generic-NwUtGGiNRCD (cloud), AdWare.SProtector, ADWARE/Adware.Gen.

Malware Analysis of virus.win32.ramnit.a!remnants – ZIAI.DLL

Created files:
%COMMON APPDATA%\DOWNLOIAD. KEEPUER\GO0YR.EXE
%COMMON APPDATA%\DOWNLOIAD. KEEPUER\ZIAI.DAT
%COMMON APPDATA%\DOWNLOIAD. KEEPUER\ZIAI.DLL
%COMMON APPDATA%\DOWNLOIAD. KEEPUER\ZIAI.TLB
%SYSTEMDRIVE%\SAND-BOX\13381834072549179492.LOG

Autostart registry keys:
HKLM\SOFTWARE\CLASSES\CLSID\{E5FC606E-0022-95C7-AD28-99A2ECAF253C}\INPROCSERVER32\: “%COMMON APPDATA%\DOWNLOIAD. KEEPUER\ZIAI.DLL”
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{C1A27135-69EB-8D44-7358-34727DD7B820}\UNINSTALLSTRING: “”%COMMON APPDATA%\DOWNLOIAD. KEEPUER\GO0YR.EXE” /S /N /I:”EXECUTECOMMANDS;UNINSTALLCOMMANDS” “””
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{C1A27135-69EB-8D44-7358-34727DD7B820}\DisplayName: “Downloiad. keepuer”

Detected by UnHackMe: ZIAI.DLL
Default location: %COMMON APPDATA%\DOWNLOIAD.…

Virus.E14.Gen!c

Virus.E14.Gen!c also known as PUA.Abtoolscom1.Gen, Win32:DownloadGuide-X [PUP], Malware.SoftwareBundler!8.394-VX6afmMe1sF (cloud).

Malware Analysis of Virus.E14.Gen!c – DOWNLOADSPEEDTEST.EXE

Created files:
%Program Files%\AB-Tools.com\Download Speed Test\DevExpress.XtraGauges.v11.1.Core.dll
%Program Files%\AB-Tools.com\Download Speed Test\DevExpress.XtraGauges.v11.1.Win.dll
%Program Files%\AB-Tools.com\Download Speed Test\DownloadSpeedTest.exe
%Program Files%\AB-Tools.com\Download Speed Test\DST-de.hep
%Program Files%\AB-Tools.com\Download Speed Test\DST-de.rd

Autostart registry keys:
HKLM\System\CurrentControlSet\services\LavasoftTcpService\ImagePath: “%Program Files%\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe”
HKLM\System\CurrentControlSet\services\LavasoftTcpService\DisplayName: “LavasoftTcpService”
HKLM\System\CurrentControlSet\services\WCAssistantService\ImagePath: “%Program Files%\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe”
HKLM\System\CurrentControlSet\services\WCAssistantService\DisplayName: “WC Assistant”

Detected by…

virus.win32.knat.a

virus.win32.knat.a also known as W32/Zbot.BR.gen!Eldorado, a variant of Win32/Spy.Zbot.YW, Trojanpws.Zbot.28492.

Malware Analysis of virus.win32.knat.a – IWRET.EXE

Created files:
%APPDATA%\DIHYXA\VIYG.YMU
%APPDATA%\U
%APPDATA%\ULUK\IWRET.EXE
%APPDATA%\??

Autostart registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{ADF1683A-B057-ED55-39E4-30FB418341C3}: “”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{ADF1683A-2A57-ED55-39E4-30FB418341C3}: “”

Detected by UnHackMe: IWRET.EXE
Default location: %APPDATA%\ULUK\IWRET.EXE
Dropper hash (md5): 1056e33834c9e79b9691a9eab5ece695

Virus.E76.Gen!c

Virus.E76.Gen!c also known as Generic.E76.

Malware Analysis of Virus.E76.Gen!c – CLEAR_CACHE.EXE

Created files:
%TEMP%\CHROME_UPGRADE\IMPORT_BOOKMARKS.TXT
%TEMP%\CHROME_UPGRADE\OPERATION_LOG.TXT
%TEMP%\CLEAR_CACHE.EXE
%TEMP%\ETILQS_ANAZNLFD0GADVPJ
%TEMP%\ETILQS_KJ0UBHQF0OTAR0C

Autostart registry keys:
HKLM\Software\Classes\2345ExplorerHTML\shell\open\command\: “”%Program Files%\2345Soft\2345Explorer\2345Explorer.exe” — “%1″”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer\DisplayName: “2345?????”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer\UninstallString: “%Program Files%\2345Soft\2345Explorer\Uninstall.exe”
HKLM\Software\2345PCSafe\2345Reg2\1a63034b00\shell\open\command\: “”%Program Files%\Mozilla Firefox\firefox.exe” -osint -url “%1″”
HKLM\Software\2345PCSafe\2345Reg2\1a63034b01\shell\open\command\: “”%Program Files%\Mozilla Firefox\firefox.exe” -osint -url “%1″”
HKLM\Software\2345PCSafe\2345Reg2\75265f1800\shell\open\command\: “”%Program Files%\Mozilla Firefox\firefox.exe” -osint -url “%1″”
HKLM\Software\2345PCSafe\2345Reg2\75265f1801\shell\open\command\: “”%Program Files%\Mozilla…
