Malware Analysis of MyBackup.940 – SIGNUP WIZARD.EXE

Created files:

%Program Files%\MyPC Backup\Service Start.exe
%Program Files%\MyPC Backup\Shared Stack.dll
%Program Files%\MyPC Backup\Signup Wizard.exe
%Program Files%\MyPC Backup\SignupWizard.dll
%Program Files%\MyPC Backup\syncicon.ico

Autostart registry keys:

HKLM\Software\Classes\CLSID\{2B0183D6-3C22-4F0B-F62F-58AF52F66606}\InProcServer32\: “%Program Files%\HostSecurePlugin\bho32.dll”
HKLM\Software\Classes\CLSID\{5DAAB57B-836A-456C-99D8-A5E0AF03FD94}\InprocServer32\: “%Program Files%\HostSecurePlugin\forge32.dll”
HKLM\Software\Classes\CLSID\{71B97DA2-A432-42FA-AD66-28C567704807}\InprocServer32\: “%Program Files%\HostSecurePlugin\forge32.dll”
HKLM\Software\Classes\CLSID\{7bcc228a-c730-4004-93f9-72cbb7033a62}\InprocServer32\: “%Program Files%\dlsecuretb\dlsecureDx.dll”
HKLM\Software\Classes\CLSID\{7F2FA86A-181A-4F8F-B853-51F897A91227}\InprocServer32\: “%Program Files%\HostSecurePlugin\forge32.dll”
HKLM\Software\Classes\CLSID\{99E2F3AB-15ED-4F76-8921-2471702C2EF3}\InprocServer32\: “%Program Files%\HostSecurePlugin\forge32.dll”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D20352A90C039D93DBF6126ECE614057\InstallProperties\UninstallString: “MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D20352A90C039D93DBF6126ECE614057\InstallProperties\DisplayName: “Microsoft Visual C++ 2008 Redistributable – x86 9.0.30729.17”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HostSecurePlugin: “%Program Files%\Host Secure\HostSecure.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HostSecurePlugin3: “%Program Files%\Host Secure\HostSecure.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\dlsecuretb\DisplayName: “DLSecure Toolbar”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\dlsecuretb\UninstallString: “%Program Files%\dlsecuretb\uninstall.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host Secure\DisplayName: “Host Secure v1.3”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host Secure\UninstallString: “%Program Files%\Host Secure\uninstall.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\HostSecurePlugin\DisplayName: “HostSecurePlugin (remove only)”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\HostSecurePlugin\UninstallString: “%Program Files%\HostSecurePlugin\Uninstall.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup\DisplayName: “MyPC Backup ”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup\UninstallString: “%Program Files%\MyPC Backup\uninst.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9A25302D-30C0-39D9-BD6F-21E6EC160475}\UninstallString: “MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9A25302D-30C0-39D9-BD6F-21E6EC160475}\DisplayName: “Microsoft Visual C++ 2008 Redistributable – x86 9.0.30729.17”
HKLM\System\CurrentControlSet\Services\BackupStack\ImagePath: “%Program Files%\MyPC Backup\BackupStack.exe”
HKLM\System\CurrentControlSet\Services\BackupStack\DisplayName: “Computer Backup (MyPC Backup)”
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\DisplayName: “Search The Web”

Detected by UnHackMe:

SIGNUP WIZARD.EXE
Default location: %PROGRAM FILES%\MYPC BACKUP\SIGNUP WIZARD.EXE

Dropper hash(md5): bbba9c1f8cb70783478d5bce1c4b546f

Written by NightWatcher

Malware Hunter.
Google+

UnHackMe removes malware invisible for your antivirus!

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10. UnHackMe uses minimum of computer resources.