Category Archives: Worm

Worm.Qvod.Win32.627

Malware Analysis of Worm.Qvod.Win32.627 – GDSSETUP.EXE
Created files:
  %TEMP%\~RNSETUP\XTMPX.RFX
  %TEMP%\~RNSETUP\ZGOOGLE_DESKTOP\GDSAPI.DLL
  %TEMP%\~RNSETUP\ZGOOGLE_DESKTOP\GDSSETUP.EXE
  %TEMP%\~RNSETUP\ZGOOGLE_TOOLBAR\BARCONTROL.DLL
  %TEMP%\~RNSETUP\ZGOOGLE_TOOLBAR\GOOGLETOOLBARINSTALLER.EXE
Autostart registry keys:
  HKLM\Software\Classes\CLSID\{47f59200-8783-11d2-8343-00a0c945a819}\InprocServer32\: "%Program Files%\Internet Explorer\PLUGINS\RichFX\Player\nprfxins.dll"
Detected by UnHackMe: GDSSETUP.EXE
Default location: %TEMP%\~RNSETUP\ZGOOGLE_DESKTOP\GDSSETUP.EXE
Dropper hash (MD5): 115953246b798695c685478ca4497e9a
UnHackMe removes malware invisible to your antivirus! UnHackMe is compatible with most antivirus software. UnHackMe is 100% CLEAN, which means it does not contain any…

Worm.Python.a

Worm.Python.a also known as Trojan.Generic.17103840, Trj/CI.A.
Malware Analysis of Worm.Python.a – MSDS.EXE
Created files:
  %TEMP%\_MEI39602\MICROSOFT.VC90.CRT.MANIFEST
  %TEMP%\_MEI39602\MICROSOFT.VC90.MFC.MANIFEST
  %TEMP%\_MEI39602\MSDS.EXE.MANIFEST
  %TEMP%\_MEI39602\MSVCM90.DLL
  %TEMP%\_MEI39602\MSVCP90.DLL
Detected by UnHackMe: MSDS.EXE
Default location: %TEMP%\_MEI39602\MSDS.EXE.MANIFEST
Dropper hash (MD5): 063f30f0b88bbb45e04934e043a67255
A %TEMP%\_MEI<number> directory is where a PyInstaller one-file executable unpacks its bundled interpreter and libraries at run time; the number (39602 here) changes on every run, so match on the _MEI prefix and the file names rather than the full path.

BehavesLike.Win32.Worm.tc

BehavesLike.Win32.Worm.tc also known as Backdoor:Python/Raywa.A, Trojan.Agent.OL, Troj.W32.Reconyc!c.
Malware Analysis of BehavesLike.Win32.Worm.tc – MSDS.EXE
Created files:
  %TEMP%\_MEI39602\MICROSOFT.VC90.CRT.MANIFEST
  %TEMP%\_MEI39602\MICROSOFT.VC90.MFC.MANIFEST
  %TEMP%\_MEI39602\MSDS.EXE.MANIFEST
  %TEMP%\_MEI39602\MSVCM90.DLL
  %TEMP%\_MEI39602\MSVCP90.DLL
Detected by UnHackMe: MSDS.EXE
Default location: %TEMP%\_MEI39602\MSDS.EXE.MANIFEST
Dropper hash (MD5): 063f30f0b88bbb45e04934e043a67255
This is the same sample (identical MD5) as the Worm.Python.a entry above, listed under another vendor's detection name.

Worm.Win32.VBNA.bttn

Worm.Win32.VBNA.bttn also known as Gen:Variant.MSILPerseus.79826, Trojan.Win32.Generic!BT, Worm/MSIL.EVA.
Malware Analysis of Worm.Win32.VBNA.bttn – HDAUDIODRIVER.EXE
Created files:
  %APPDATA%\HDAUDIODRIVER.EXE
Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\REALTEK HIGH DEFINITION AUDIO DRIVER: "%APPDATA%\HDAUDIODRIVER.EXE"
Detected by UnHackMe: HDAUDIODRIVER.EXE
Default location: %APPDATA%\HDAUDIODRIVER.EXE
Dropper hash (MD5): 5d4c342eb8fcb5bb956cfa08af090115
The Run value name imitates the Realtek audio driver, but the genuine driver components are installed under %Program Files% and %SYSDIR%, never as a single executable in the root of %APPDATA%.

MSIL/Spy_Agent.R!worm

MSIL/Spy_Agent.R!worm also known as Win32.Trojan.WisdomEyes.16070401.9500.9994, Trojan.Win32.Generic!BT, ransom.msil.jigsawlocker.a.
Malware Analysis of MSIL/Spy_Agent.R!worm – HDAUDIODRIVER.EXE
Created files:
  %APPDATA%\HDAUDIODRIVER.EXE
Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\REALTEK HIGH DEFINITION AUDIO DRIVER: "%APPDATA%\HDAUDIODRIVER.EXE"
Detected by UnHackMe: HDAUDIODRIVER.EXE
Default location: %APPDATA%\HDAUDIODRIVER.EXE
Dropper hash (MD5): 5d4c342eb8fcb5bb956cfa08af090115
Same sample (identical MD5) as the Worm.Win32.VBNA.bttn entry above.

Worm/MSIL.EVA

Worm/MSIL.EVA also known as Win32.HLLW.Autoruner2.27616, Gen:Variant.MSILPerseus.79826, Trojan.Win32.Autorun.emfzsp.
Malware Analysis of Worm/MSIL.EVA – HDAUDIODRIVER.EXE
Created files:
  %APPDATA%\HDAUDIODRIVER.EXE
Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\REALTEK HIGH DEFINITION AUDIO DRIVER: "%APPDATA%\HDAUDIODRIVER.EXE"
Detected by UnHackMe: HDAUDIODRIVER.EXE
Default location: %APPDATA%\HDAUDIODRIVER.EXE
Dropper hash (MD5): 5d4c342eb8fcb5bb956cfa08af090115
Same sample (identical MD5) as the Worm.Win32.VBNA.bttn entry above.

Worm.VBNA!8.2BE (cloud:iS5WJVFyZQL)

Worm.VBNA!8.2BE (cloud:iS5WJVFyZQL) also known as Trojan.Win32.Generic!BT, Msil.Worm.Autorun.Sxey.
Malware Analysis of Worm.VBNA!8.2BE (cloud:iS5WJVFyZQL) – HDAUDIODRIVER.EXE
Created files:
  %APPDATA%\HDAUDIODRIVER.EXE
Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\REALTEK HIGH DEFINITION AUDIO DRIVER: "%APPDATA%\HDAUDIODRIVER.EXE"
Detected by UnHackMe: HDAUDIODRIVER.EXE
Default location: %APPDATA%\HDAUDIODRIVER.EXE
Dropper hash (MD5): 5d4c342eb8fcb5bb956cfa08af090115
Same sample (identical MD5) as the Worm.Win32.VBNA.bttn entry above.

Msil.Worm.Autorun.Sxey

Msil.Worm.Autorun.Sxey also known as Worm.Win32.VBNA.bttn, ransom.msil.jigsawlocker.a, Worm/MSIL.EVA.
Malware Analysis of Msil.Worm.Autorun.Sxey – HDAUDIODRIVER.EXE
Created files:
  %APPDATA%\HDAUDIODRIVER.EXE
Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\REALTEK HIGH DEFINITION AUDIO DRIVER: "%APPDATA%\HDAUDIODRIVER.EXE"
Detected by UnHackMe: HDAUDIODRIVER.EXE
Default location: %APPDATA%\HDAUDIODRIVER.EXE
Dropper hash (MD5): 5d4c342eb8fcb5bb956cfa08af090115
Same sample (identical MD5) as the Worm.Win32.VBNA.bttn entry above.

Worm.Win32.AutoRun.hbbg

Worm.Win32.AutoRun.hbbg also known as Packed.Win32.PWSZbot.gen.cy (v), W32/Ramnit.K.gen!Eldorado, Gen:Variant.Kazy.8782.
Malware Analysis of Worm.Win32.AutoRun.hbbg – FILEMGR.EXE
Created files:
  %LOCAL APPDATA%\MICROSOFT\VAULT\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\POLICY.VPOL
  %TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
  %TEMP%\FILEMGR.EXE
  %TEMP%\O4UTEMKF
  %STARTUP%\OWEEAXCE.EXE
Autostart registry keys:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client update: ""%Program Files%\svchost\svchost.exe" -a /a"
  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Client update: ""%Program Files%\svchost\svchost.exe" -a /a"
  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT: "%SYSDIR%\USERINIT.EXE,,%PROGRAM FILES%\GTPRQKGN\OWEEAXCE.EXE"
  HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\LOAD: "%APPDATA%\UPDATE\SVCHOST.EXE.LNK "
Detected by UnHackMe: FILEMGR.EXE
Default location: %TEMP%\FILEMGR.EXE
Dropper hash (MD5): 7b4b9a90da1b3df62869c4b748baebd0
Two of these launch points deserve a closer look. The real svchost.exe lives in %SYSDIR%, so a copy under %Program Files%\svchost is a masquerade. A clean Winlogon\Userinit value contains only %SYSDIR%\userinit.exe followed by a trailing comma; Winlogon runs every comma-separated path in that value at each interactive logon, which is how OWEEAXCE.EXE gets started. The file %TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON also appears in unrelated entries on this page (Palevo, Ainslot), so treat it as an artefact of the analysis environment rather than a sample-specific indicator.

W32.NtsuikA.Worm

W32.NtsuikA.Worm also known as Trojan.Zbot.Win32.29907, PWS-Zbot.gen.cy.
Malware Analysis of W32.NtsuikA.Worm – FILEMGR.EXE
Created files:
  %LOCAL APPDATA%\MICROSOFT\VAULT\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\POLICY.VPOL
  %TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
  %TEMP%\FILEMGR.EXE
  %TEMP%\O4UTEMKF
  %STARTUP%\OWEEAXCE.EXE
Autostart registry keys:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client update: ""%Program Files%\svchost\svchost.exe" -a /a"
  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Client update: ""%Program Files%\svchost\svchost.exe" -a /a"
  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT: "%SYSDIR%\USERINIT.EXE,,%PROGRAM FILES%\GTPRQKGN\OWEEAXCE.EXE"
  HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\LOAD: "%APPDATA%\UPDATE\SVCHOST.EXE.LNK "
Detected by UnHackMe: FILEMGR.EXE
Default location: %TEMP%\FILEMGR.EXE
Dropper hash (MD5): 7b4b9a90da1b3df62869c4b748baebd0
Same sample (identical MD5) as the Worm.Win32.AutoRun.hbbg entry above.

Worm/Win32.Palevo.C118180

Worm/Win32.Palevo.C118180 also known as HEUR:Trojan.Win32.Generic, Gen:Variant.Barys.2441, Trojan.Barys.D989.
Malware Analysis of Worm/Win32.Palevo.C118180 – HGDSG.EXE
Created files:
  %TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
  %PROFILE%\FAVORITES\HGDSG.EXE
Detected by UnHackMe: HGDSG.EXE
Default location: %PROFILE%\FAVORITES\HGDSG.EXE
Dropper hash (MD5): 0c48b799f14909ca081adb203f7edb22

Worm.Ainslot

Worm.Ainslot also known as W32/Trojan.TOLC-7391, W32.Clode7c.Trojan.c2e5, W32/Injector.CYIA!tr.
Malware Analysis of Worm.Ainslot – SYSTEMOSWIN.EXE
Created files:
  %ALLUSERSPROFILE%\MICROSOFT\SEARCH\DATA\APPLICATIONS\WINDOWS\GATHERLOGS\SYSTEMINDEX\SYSTEMINDEX.707.CRWL
  %ALLUSERSPROFILE%\MICROSOFT\SEARCH\DATA\APPLICATIONS\WINDOWS\GATHERLOGS\SYSTEMINDEX\SYSTEMINDEX.707.GTHR
  %TEMP%\36ACC673201609ABCCEBA535EA70B3B4.JSON
  %APPDATA%\SYSTEMOSWIN\SYSTEMOSWIN
  %APPDATA%\SYSTEMOSWIN\SYSTEMOSWIN.EXE
Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{A6BFEBCC-82BF-D843-EBCB-2E36D06324D0}\STUBPATH: "%APPDATA%\SYSTEMOSWIN\SYSTEMOSWIN.EXE"
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\WINDOWS: "%APPDATA%\SYSTEMOSWIN\SYSTEMOSWIN.EXE"
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\WINDOWS: "%APPDATA%\SYSTEMOSWIN\SYSTEMOSWIN.EXE"
  HKCU\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{A6BFEBCC-82BF-D843-EBCB-2E36D06324D0}\STUBPATH: "%APPDATA%\SYSTEMOSWIN\SYSTEMOSWIN.EXE"
  HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\WINDOWS: "%APPDATA%\SYSTEMOSWIN\SYSTEMOSWIN.EXE"
Detected by UnHackMe: SYSTEMOSWIN.EXE
Default location: %APPDATA%\SYSTEMOSWIN\SYSTEMOSWIN.EXE
Dropper hash (MD5): 9ce8bd7719c922b2cc9483abb4f7c6cb
The same binary is registered in five launch points: the HKLM and HKCU Run keys, the Policies\Explorer\Run key (processed alongside the ordinary Run key), and an Active Setup StubPath under both hives (Active Setup commands run once per user profile at the next logon). All five have to go together with the file, or the sample simply restarts from whichever entry was left behind.

Worm.Runouce.Win32.21613

Worm.Runouce.Win32.21613 also known as Win32.Trojan.WisdomEyes.16070401.9500.9777.
Malware Analysis of Worm.Runouce.Win32.21613 – XREG.EXE
Created files:
  %TEMP%\RARSFX0\WINDOWS UTILITIES\INSTALLER32\XEROX_POWER_ENGAGE_SETUP.EXE
  %TEMP%\RARSFX0\WINDOWS UTILITIES\INSTALLER32\XLIBEAY101L.DLL
  %TEMP%\RARSFX0\WINDOWS UTILITIES\INSTALLER32\XREG.EXE
  %TEMP%\RARSFX0\WINDOWS UTILITIES\INSTALLER32\XRXSCANUNINSTALLER.EXE
  %TEMP%\RARSFX0\WINDOWS UTILITIES\INSTALLER64\BACKGROUNDSTARTUP.BMP
Detected by UnHackMe: XREG.EXE
Default location: %TEMP%\RARSFX0\WINDOWS UTILITIES\INSTALLER32\XREG.EXE
Dropper hash (MD5): d490e85a20bdf1b5c2da155009d933ea
%TEMP%\RarSFX0 is the directory a WinRAR self-extracting archive unpacks into before running its setup command, so the dropper here is an SFX wrapper around the listed installer files.

BehavesLike.Win32.Worm.qh

BehavesLike.Win32.Worm.qh also known as W32/SecRisk-ProcessPatcher-base, Win32:Imsecure-A [Trj], Trojan/Win32.Dynamer.R152049.
Malware Analysis of BehavesLike.Win32.Worm.qh – WINDOWSSS.EXE
Created files:
  %TEMP%\CTQC.TH
  %TEMP%\GONE.EXE
  %TEMP%\WINDOWSSS.EXE
  %TEMP%\WINDOWSSS2.EXE
  %TEMP%\WVJJKSF.EXE
Detected by UnHackMe: WINDOWSSS.EXE
Default location: %TEMP%\WINDOWSSS.EXE
Dropper hash (MD5): ea2d92c1027adb5f78b7a5675a19063e

Worm:Win32/Xtrat.C

Worm:Win32/Xtrat.C also known as generic.a, malicious_confidence_100% (D), HEUR:Trojan.Win32.Generic.
Malware Analysis of Worm:Win32/Xtrat.C – WINDOWSSS.EXE
Created files:
  %TEMP%\CTQC.TH
  %TEMP%\GONE.EXE
  %TEMP%\WINDOWSSS.EXE
  %TEMP%\WINDOWSSS2.EXE
  %TEMP%\WVJJKSF.EXE
Detected by UnHackMe: WINDOWSSS.EXE
Default location: %TEMP%\WINDOWSSS.EXE
Dropper hash (MD5): ea2d92c1027adb5f78b7a5675a19063e
Same sample (identical MD5) as the BehavesLike.Win32.Worm.qh entry above.

WORM/Lodbak.Gen4

WORM/Lodbak.Gen4 also known as Adware ( 004fc8591 ), PUA.Tencent, malicious_confidence_88% (D).
Malware Analysis of WORM/Lodbak.Gen4 – N2U29.EXE
Created files:
  %APPDATA%\NSFE3C8.ICO
  %APPDATA%\NSFE3C8.TMP
  %APPDATA%\TENCENT\QQPCMGR\DOWNLOAD\N2U29.EXE
  %APPDATA%\ZNG.URL
  %PROFILE%\DESKTOP\.LNK
Autostart registry keys:
  HKLM\System\CurrentControlSet\services\QiyiService\ImagePath: "%Program Files%\IQIYI Video\LStyle\5.5.33.3550\QiyiService.exe"
  HKLM\System\CurrentControlSet\services\QiyiService\DisplayName: "IQIYI Video Platform Service"
Detected by UnHackMe: N2U29.EXE
Default location: %APPDATA%\TENCENT\QQPCMGR\DOWNLOAD\N2U29.EXE
Dropper hash (MD5): ee27b964f0d19de0cbccee9e8cea2518

Worm.Luder!24PmwCW5AwI

Worm.Luder!24PmwCW5AwI also known as Trojan.VIZ.Gen.1, TrojWare.Win32.Kryptik.AHXM.
Malware Analysis of Worm.Luder!24PmwCW5AwI – OBME.EXE
Created files:
  %LOCAL APPDATA%\MICROSOFT\WINDOWS MAIL\LOCAL FOLDERS\SENT ITEMS\WINMAIL.FOL
  %LOCAL APPDATA%\MICROSOFT\WINDOWS MAIL\MICROSOFT COMMUNITIES\ACCOUNT{3CC05103-59FD-466A-80E6-12486C131C6E}.OEACCOUNT
  %APPDATA%\VYADW\OBME.EXE
Autostart registry keys:
  HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\OBME: "%APPDATA%\VYADW\OBME.EXE"
Detected by UnHackMe: OBME.EXE
Default location: %APPDATA%\VYADW\OBME.EXE
Dropper hash (MD5): 81ef46b7fc5cea28ad8f391dbe3d0fca

worm.win32.secrar.a

worm.win32.secrar.a also known as Ransom.Locky, Trojan.Win32.S.Ransom.409449[h], Trojan.Generic.D3A0238.
Malware Analysis of worm.win32.secrar.a – UQPFAGAV.EXE
Created files:
  %TEMP%\SHLGUID.H
  %TEMP%\_HASHLIB.PY
  %WINDIR%\UQPFAGAV.EXE
Autostart registry keys:
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\AQEJEFIS: ""%WINDIR%\UQPFAGAV.EXE""
Detected by UnHackMe: UQPFAGAV.EXE
Default location: %WinDir%\UQPFAGAV.EXE
Dropper hash (MD5): 6ea4c6c598985d88e73afd56b22e7dc8

Worm.AutoRun.Win32.107651

Malware Analysis of Worm.AutoRun.Win32.107651 – SMGVER.EXE
Created files:
  %Program Files%\Shuame\3.3.9.174\data\Bin\rgs
  %Program Files%\Shuame\3.3.9.174\data\Bin\shuamesu
  %Program Files%\Shuame\3.3.9.174\data\Bin\smgver.exe
  %Program Files%\Shuame\3.3.9.174\data\Bin\su
  %Program Files%\Shuame\3.3.9.174\data\Bin\su1
Autostart registry keys:
  HKLM\SOFTWARE\CLASSES\CLSID\{70DE12EA-79F4-46BC-9812-86DB50A2FD64}\LOCALSERVER32\: ""%COMMONPROGRAMFILES%\TENCENT\QQDOWNLOAD\132\TENCENTDL.EXE""
  HKLM\SOFTWARE\CLASSES\CLSID\{B9E49847-9822-4139-BC55-7173ED1ADA11}\INPROCSERVER32\: "%COMMONPROGRAMFILES%\TENCENT\QQDOWNLOAD\132\DOWNLOADPROXYPS.DLL"
  HKLM\Software\Classes\shuame\shell\open\command\: ""%Program Files%\Shuame\Shuame.exe" /URL "%1""
  HKLM\Software\Classes\ShuameApkTool\shell\open\command\: ""%Program Files%\Shuame\3.3.9.174\ApkTool.exe" "%1""
  HKLM\Software\Classes\ShuameRom\shell\open\command\: ""%Program Files%\Shuame\Shuame.exe" /ROM_PATH "%1""
  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Shuame\DisplayName: "????"
  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Shuame\UninstallString: "%Program Files%\Shuame\Uninst.exe"
Detected by UnHackMe: SMGVER.EXE
Default location: %PROGRAM FILES%\SHUAME\3.3.9.174\DATA\BIN\SMGVER.EXE
Dropper hash (MD5): ef4c2985b2cb4ebd9ed87bc0244c3f92

Worm.Vobfus.Win32.192377

Worm.Vobfus.Win32.192377 also known as Program.Unwanted.952, W32.HfsAdware.D686.
Malware Analysis of Worm.Vobfus.Win32.192377 – DRIVERDOC.EXE
Created files:
  %Program Files%\Solvusoft\DriverDoc\DPInst32.exe
  %Program Files%\Solvusoft\DriverDoc\DPInst64.exe
  %Program Files%\Solvusoft\DriverDoc\DriverDoc.exe
  %Program Files%\Solvusoft\DriverDoc\DriverHiveEngine.dll
  %Program Files%\Solvusoft\DriverDoc\Html\about_lightbox.html
Autostart registry keys:
  HKLM\Software\Classes\Applications\DriverDocSetup.exe\IsHostApp: ""
  HKLM\Software\Classes\Applications\EULA.rtf\NoStartPage: ""
  HKLM\Software\Classes\Applications\LogFilesCollector.exe\NoStartPage: ""
  HKLM\Software\Classes\Applications\Setup_DriverDoc_2016.exe\IsHostApp: ""
  HKLM\Software\Classes\Applications\ShortcutLauncher.exe\NoStartPage: ""
  HKLM\Software\Classes\Applications\SolvusoftTray.exe\NoStartPage: ""
  HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\0570A0D4430B8FD479ED621F12A22CFF\InstallProperties\DisplayName: "DriverDoc"
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CommonToolkitTray_Solvusoft: "%Program Files%\Solvusoft\Tray\SolvusoftTray.exe"
  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\DriverDoc\DisplayName: "DriverDoc"
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DRIVERDOC\UNINSTALLSTRING: ""%COMMON APPDATA%\{0897014C-63E3-47DF-8A5F-4399CC5D61B9}\DRIVERDOCSETUP.EXE" REMOVE=TRUE MODIFY=FALSE"
  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4D0A0750-B034-4DF8-97DE-26F1212AC2FF}\DisplayName: "DriverDoc"
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{4D0A0750-B034-4DF8-97DE-26F1212AC2FF}\UNINSTALLSTRING: "%COMMON…

worm.win32.rebhip.a

worm.win32.rebhip.a also known as Backdoor.Bot, Trojan.Win32.Agent, malicious_confidence_64% (W).
Malware Analysis of worm.win32.rebhip.a – 456.EXE
Created files:
  %TEMP%\456.EXE
  %TEMP%\CHANCHAN.EXE
Detected by UnHackMe: 456.EXE
Default location: %TEMP%\456.EXE
Dropper hash (MD5): 2eb509af987916e50fef146bf314612c

Worm.Win32.Shakblades.wva

Worm.Win32.Shakblades.wva also known as Trojan.Generic.18092507, a variant of MSIL/TrojanDropper.Agent.BXI, Trojan.Win32.Strictor.a-SbcAY5hFbGO (cloud).
Malware Analysis of Worm.Win32.Shakblades.wva – CMESINUPX.EXE
Created files:
  %TEMP%\7076CRYPTED.VBS
  %TEMP%\CMDESCTIVATE.EXE
  %TEMP%\CMESINUPX.EXE
  %TEMP%\ENCRYPTADO.EXE
  %TEMP%\VCHOST.EXE
Detected by UnHackMe: CMESINUPX.EXE
Default location: %TEMP%\CMESINUPX.EXE
Dropper hash (MD5): 30ce9b0274eb835528d696980dd77edd

worm.win32.vesenlosow.a

worm.win32.vesenlosow.a also known as Troj.W32.Scar!c, HW32.Packed.136C, Trojan.VBInject!1.64FE-faeZKOeHJYR (cloud).
Malware Analysis of worm.win32.vesenlosow.a – REALPLAYER.EXE.EXE
Created files:
  %APPDATA%\MICROSOFT\CRYPTO\RSA\S-1-5-21-3826439297-2269405635-17600287-1000\699C4B9CDEBCA7AAEA5193CAE8A50098_0D4B1D18-7E83-4EF4-B78E-47045F725890
  %APPDATA%\0D4B1D18-7E83-4EF4-B78E-47045F725890\.LOCK
  %APPDATA%\0D4B1D18-7E83-4EF4-B78E-47045F725890\RUN.DAT
  %APPDATA%\REALP\REALPLAYER.EXE.EXE
Detected by UnHackMe: REALPLAYER.EXE.EXE
Default location: %APPDATA%\REALP\REALPLAYER.EXE.EXE
Dropper hash (MD5): 01d5a6f1696ba30e0f60c12619665259
The doubled .EXE.EXE extension, which Explorer hides by default, is a red flag on its own; the genuine RealPlayer is installed under %Program Files%, not in %APPDATA%\REALP.

Worm.Ngrbot.Win32.7688

Worm.Ngrbot.Win32.7688 also known as GrayWare[AdWare]/Win32.OutBrowse.ci, PUA.OutBrowse!, Trojan.Gen.2.
Malware Analysis of Worm.Ngrbot.Win32.7688 – HVLPRWS.DLL
Created files:
  %TEMP%\BEEHFGABBJ.JBBAG
  %TEMP%\JBBAG.ZIP
  %TEMP%\NSBDAE0.TMP\HVLPRWS.DLL
  %TEMP%\NSBDAE0.TMP\ZIPDLL.DLL
  %TEMP%\WER274C.TMP.APPCOMPAT.TXT
Detected by UnHackMe: HVLPRWS.DLL
Default location: %TEMP%\NSBDAE0.TMP\HVLPRWS.DLL
Dropper hash (MD5): 91223fafdb7610d6e5ce745209eecdf4
A %TEMP%\ns<hex>.tmp directory holding plugin DLLs (ZIPDLL.DLL is the standard NSIS zip plugin) is the working directory of an NSIS installer; the hex part is generated per run, so match on the DLL name rather than the directory.

Win.Worm.Agent-1290102

Malware Analysis of Win.Worm.Agent-1290102 – 5844032E29CC1CD0279E15815F862A39.EXE
Created files:
  %APPDATA%\TENCENT\LOGS\QTUNINSTALL.TXT
  %APPDATA%\TENCENT\QTALK\AUTEMP\5844032E29CC1CD0279E15815F862A39.EXE
  %SYSDIR%\QQVISTAHELPER.DLL
Detected by UnHackMe: 5844032E29CC1CD0279E15815F862A39.EXE
Default location: %APPDATA%\TENCENT\QTALK\AUTEMP\5844032E29CC1CD0279E15815F862A39.EXE
Dropper hash (MD5): 5844032e29cc1cd0279e15815f862a39

Win.Worm.Chir-2302

Malware Analysis of Win.Worm.Chir-2302 – NYYODU.EXE
Created files:
  %APPDATA%\BAIDU\BAIDURJDOWNLOADER\1.6.0.77\MICROSOFT.VC80.CRT\MSVCR80.DLL
  %APPDATA%\BAIDU\BAIDURJDOWNLOADER\1.6.0.77\MINDOWNLOAD.ICO
  %APPDATA%\BAIDU\BAIDURJDOWNLOADER\1.6.0.77\NYYODU.EXE
  %APPDATA%\BAIDU\BAIDURJDOWNLOADER\1.6.0.77\PROTOCOLDLL.DLL
  %APPDATA%\BAIDU\BAIDURJDOWNLOADER\1.6.0.77\REPORTDLL.DLL
Autostart registry keys:
  HKLM\SOFTWARE\CLASSES\CLSID\{D3C9CF85-72D2-4D22-B16A-0B682403AB84}\INPROCSERVER32\: "%APPDATA%\BAIDU\BAIDURJDOWNLOADER\1.6.0.77\IEBDSOFTHELPERPLUG.DLL"
  HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BaiduRJDownloader\DisplayName: "?????? 1.6.0.77"
  HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BAIDURJDOWNLOADER\UNINSTALLSTRING: "%APPDATA%\BAIDU\BAIDURJDOWNLOADER\1.6.0.77\UNINSTALLER.EXE"
  HKLM\System\CurrentControlSet\services\bd0001\ImagePath: "system32\DRIVERS\bd0001.sys"
  HKLM\System\CurrentControlSet\services\bd0001\DisplayName: "bd0001"
  HKLM\System\CurrentControlSet\services\bd0004\ImagePath: "system32\DRIVERS\bd0004.sys"
  HKLM\System\CurrentControlSet\services\bd0004\DisplayName: "bd0004"
  HKLM\System\CurrentControlSet\services\BDArKit\ImagePath: "system32\DRIVERS\BDArKit.sys"
  HKLM\System\CurrentControlSet\services\BDArKit\DisplayName: "BDArKit"
  HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BDDLSVC\IMAGEPATH: ""%APPDATA%\BAIDU\BAIDURJDOWNLOADER\1.6.0.77\BDDLSVC.EXE" -R"
  HKLM\System\CurrentControlSet\services\bddlsvc\DisplayName: "BDHY Service"
  HKLM\System\CurrentControlSet\services\BDMWrench\ImagePath: "system32\DRIVERS\BDMWrench.sys"
  HKLM\System\CurrentControlSet\services\BDMWrench\DisplayName: "BDMWrench"
Detected by UnHackMe: NYYODU.EXE
Default location: %APPDATA%\BAIDU\BAIDURJDOWNLOADER\1.6.0.77\NYYODU.EXE
Dropper hash (MD5): 434585db9697c67eff8e63f4f068075c
Note the four kernel drivers (bd0001, bd0004, BDArKit, BDMWrench) installed next to a SYSTEM service whose ImagePath points into a user's roaming profile: a bundled downloader that loads kernel-mode code widens the attack surface far beyond the dropper itself and should be treated accordingly.

Worm.Parite.B

Worm.Parite.B also known as Virus/W32.Parite.C, Win32.Parite.C.
Malware Analysis of Worm.Parite.B – 338720D011797452F7D8E138D2879603.EXE
Created files:
  %COMMON APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\338720D011797452F7D8E138D2879603.EXE
  %TEMP%\BWADE0B.TMP
  %SYSDIR%\KKWGKS.EXE
  %WINDIR%\TEMP\NYAF993.TMP
  %WINDIR%\TEMP\ZYAF4FE.TMP
Autostart registry keys:
  HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NATIONALUFO\IMAGEPATH: "%SYSDIR%\KKWGKS.EXE"
  HKLM\System\CurrentControlSet\services\Nationalufo\DisplayName: "Nationallcg Instruments Domain Service"
Detected by UnHackMe: 338720D011797452F7D8E138D2879603.EXE
Default location: %COMMON APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\338720D011797452F7D8E138D2879603.EXE
Dropper hash (MD5): 338720d011797452f7d8e138d2879603
Parite is a polymorphic file infector that appends itself to executables on local and network drives, so the copy in the all-users Startup folder and the bogus "Nationalufo" service are only the loader; removing them without disinfecting the host's .exe and .scr files leaves the infection in place.

Worm.Win32.Ramnit.45

Worm.Win32.Ramnit.45 also known as Trojan.Win32.Generic!BT, W32.RammintDropperNNA.Worm, Trojan.Krap.rw3.
Malware Analysis of Worm.Win32.Ramnit.45 – TGVBGQSRV.EXE
Created files:
  %WINDIR%\TEMP\FE8.TMP
  %WINDIR%\TGVBGQ.EXE
  %WINDIR%\TGVBGQSRV.EXE
Autostart registry keys:
  HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\.NET CLR\IMAGEPATH: "%WINDIR%\TGVBGQ.EXE"
  HKLM\System\CurrentControlSet\services\.Net CLR\DisplayName: "Microsoft .Net Framework COM+ Support"
  HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT: "%SYSDIR%\USERINIT.EXE,,%PROGRAM FILES%\MICROSOFT\DESKTOPLAYER.EXE"
Detected by UnHackMe: TGVBGQSRV.EXE
Default location: %WinDir%\TGVBGQSRV.EXE
Dropper hash (MD5): 23f538cd097d862bbf2d9f8e25d0cb7b
The service name ".Net CLR" and its display name imitate a .NET Framework component, but the genuine framework installs nothing in the root of %WINDIR%. The Winlogon\Userinit value has been extended past the normal "%SYSDIR%\userinit.exe," so that DESKTOPLAYER.EXE is launched at every logon. Ramnit is also a file infector (executables, DLLs and HTML files), so clearing these two launch points does not by itself clean the host.
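The AutoRun.hbbg/NtsuikA entries and this Ramnit entry rely on the same two persistence tricks: a Run or service value pointing at a binary in an unexpected folder, and a Winlogon\Userinit value with an extra comma-separated path. The script below is an added example, not code from these posts or from UnHackMe. It turns the %TOKEN% notation used on this page into path patterns, matches a registry export against the IOCs quoted above, and flags any Userinit entry other than userinit.exe. The token mapping, the IOC table and the SAMPLE_ROWS dump are constructed for the demo; on a real host you would feed scan() rows from a reg export or an Autoruns CSV.

```python
"""Check a registry export against the autostart IOCs quoted in these posts.

Added example for this page: it is not code from the original analyses or
from UnHackMe.  The %TOKEN% mapping, the IOC table and SAMPLE_ROWS are
constructed for the demo and embedded inline so the script runs offline.
"""
import re

# Placeholder tokens as the posts write them, mapped to a regex for the
# real path on a default English install (assumed mapping; adjust the
# drive letter or locale-specific folder names as needed).
TOKENS = {
    "%SYSDIR%": r"[a-z]:\\windows\\system32",
    "%WINDIR%": r"[a-z]:\\windows",
    "%PROGRAM FILES%": r"[a-z]:\\program files( \(x86\))?",
    "%APPDATA%": r"[a-z]:\\users\\[^\\]+\\appdata\\roaming",
    "%TEMP%": r"[a-z]:\\users\\[^\\]+\\appdata\\local\\temp",
}

# (registry value, image path) pairs copied from the analyses above.
IOCS = [
    (r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\REALTEK HIGH DEFINITION AUDIO DRIVER",
     r"%APPDATA%\HDAUDIODRIVER.EXE"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client update",
     r"%Program Files%\svchost\svchost.exe"),
    (r"HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\USERINIT",
     r"%PROGRAM FILES%\MICROSOFT\DESKTOPLAYER.EXE"),
    (r"HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\.NET CLR\IMAGEPATH",
     r"%WINDIR%\TGVBGQ.EXE"),
]


def path_pattern(ioc_path):
    """Compile an IOC path such as %APPDATA%\\X.EXE into a case-insensitive
    regex, expanding each %TOKEN% and escaping the literal parts."""
    parts, pos = [], 0
    for m in re.finditer(r"%[A-Za-z ]+%", ioc_path):
        parts.append(re.escape(ioc_path[pos:m.start()]))
        parts.append(TOKENS.get(m.group(0).upper(), re.escape(m.group(0))))
        pos = m.end()
    parts.append(re.escape(ioc_path[pos:]))
    return re.compile("".join(parts), re.IGNORECASE)


COMPILED = [(key.lower(), path, path_pattern(path)) for key, path in IOCS]

# A clean Winlogon\Userinit value is a single userinit.exe entry (the
# trailing comma is normal); every other entry in the list runs at logon.
_CLEAN_USERINIT = re.compile(r"([a-z]:\\windows\\system32\\)?userinit\.exe",
                             re.IGNORECASE)


def userinit_extra_entries(value):
    """Return the entries of a Userinit value that are not userinit.exe."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and not _CLEAN_USERINIT.fullmatch(e)]


def scan(rows):
    """rows: iterable of (registry value path, data).  Returns a list of
    (value path, reason) findings; one row can yield more than one."""
    findings = []
    for key, data in rows:
        k = key.lower()
        for ioc_key, ioc_path, pat in COMPILED:
            if k == ioc_key and pat.search(data):
                findings.append((key, "matches IOC " + ioc_path))
                break
        if k.endswith(r"\winlogon\userinit"):
            for extra in userinit_extra_entries(data):
                findings.append((key, "unexpected Userinit entry: " + extra))
    return findings


# Constructed registry dump in the shape a collection script would produce;
# the DesktopLayer and TGVBGQ rows mirror the Ramnit analysis above.
SAMPLE_ROWS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek High Definition Audio Driver",
     r"C:\Users\alice\AppData\Roaming\HDAudioDriver.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     r"C:\Windows\system32\userinit.exe,,C:\Program Files\Microsoft\DesktopLayer.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\.Net CLR\ImagePath",
     r"C:\Windows\TGVBGQ.EXE"),
]

if __name__ == "__main__":
    for key, reason in scan(SAMPLE_ROWS):
        print(f"{key}\n    {reason}")
```

The Userinit check is deliberately independent of the IOC table: it fires on any entry that is not userinit.exe, so it also catches variants that drop a differently named file, and the empty entry produced by the doubled comma is ignored rather than reported.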

Win.Worm.Runouce-434

Malware Analysis of Win.Worm.Runouce-434 – QQBROWSERWEBINSTALLER.EXE
Created files:
  %Program Files%\Tencent\QQPCMgr\11.5.17499.219\QOLogo\QQMobileMgr.png
  %Program Files%\Tencent\QQPCMgr\11.5.17499.219\QOLogo\QQPCLaunch.png
  %Program Files%\Tencent\QQPCMgr\11.5.17499.219\QQBrowserWebInstaller.exe
  %Program Files%\Tencent\QQPCMgr\11.5.17499.219\QQFileFlt.dll
  %Program Files%\Tencent\QQPCMgr\11.5.17499.219\QQPCAVSetting.dat
Autostart registry keys:
  HKLM\Software\Classes\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\InprocServer32\: "%Program Files%\Tencent\QQPCMgr\11.5.17499.219\npQMExtensionsIE.dll"
  HKLM\Software\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32\: "%Program Files%\Tencent\QQPCMgr\11.5.17499.219\QMContextScan.dll"
  HKLM\SOFTWARE\CLASSES\CLSID\{70DE12EA-79F4-46BC-9812-86DB50A2FD64}\LOCALSERVER32\: ""%COMMONPROGRAMFILES%\TENCENT\QQDOWNLOAD\130\TENCENTDL.EXE""
  HKLM\Software\Classes\CLSID\{920D873D-05AB-4574-AD3A-872DD173658A}\InprocServer32\: "%Program Files%\Tencent\QQPCMgr\11.5.17499.219\UDiskShellExt.dll"
  HKLM\Software\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\InprocServer32\: "%Program Files%\Tencent\QQPCMgr\11.5.17499.219\QMGCShellExt.dll"
  HKLM\Software\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\InprocServer32\: "%Program Files%\Tencent\QQPCMgr\11.5.17499.219\QMContextUninstall.dll"
  HKLM\Software\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\InProcServer32\: "%Program Files%\Tencent\QQPCMgr\11.5.17499.219\QMContextUninstall.dll"
  HKLM\Software\Classes\CLSID\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\InProcServer32\: "%Program Files%\Tencent\QQPCMgr\11.5.17499.219\QMContextScan.dll"
  HKLM\Software\Classes\PCMgrRepairIEExtensions\Shell\Open\Command\: ""%Program Files%\Tencent\QQPCMgr\11.5.17499.219\QQPCMgr.exe"%1 "
  HKLM\Software\Classes\qmgcfiles\Shell\open\Command\: ""%Program Files%\Tencent\QQPCMgr\11.5.17499.219\\QMDeskTopGC.exe" /file="%1""
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ QQPCTray: ""%Program…

W32.ServerXCDll.Worm

W32.ServerXCDll.Worm also known as Mal_Naix-6, Trojan.Win32.Generic!BT, Generic.Perfloger.B7DCE920.
Malware Analysis of W32.ServerXCDll.Worm – SO2GAMESWB.DLL
Created files:
  %SYSDIR%\SO2GAMESHK.DLL
  %SYSDIR%\SO2GAMESR.EXE
  %SYSDIR%\SO2GAMESWB.DLL
  %SYSDIR%\WEB.DAT
Autostart registry keys:
  HKLM\SOFTWARE\CLASSES\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\INPROCSERVER32\: "%SYSDIR%\SO2GAMESWB.DLL"
Detected by UnHackMe: SO2GAMESWB.DLL
Default location: %SYSDIR%\SO2GAMESWB.DLL
Dropper hash (MD5): c4dc20b0f9a0abbec5535469deeba1d6
There is no Run key here: a DLL registered as the InprocServer32 of a CLSID is loaded into whatever process instantiates that class (typically Explorer or the browser), so the COM registration alone is the persistence mechanism and has to be removed along with the file.
