Program.Unwanted.913


Malware Analysis of Program.Unwanted.913 – FILEHIDERS.SYS

Created files:

%Program Files%\Essentware\PCKeeper\Elevator.exe
%Program Files%\Essentware\PCKeeper\fileHiders.inf
%Program Files%\Essentware\PCKeeper\fileHiders.sys
%Program Files%\Essentware\PCKeeper\Ionic.Zip.dll
%Program Files%\Essentware\PCKeeper\LocalizationHelpers.dll

Autostart registry keys:


Detected by UnHackMe:

FILEHIDERS.SYS
Default location: %PROGRAM FILES%\ESSENTWARE\PCKEEPER\FILEHIDERS.SYS

Dropper hash (MD5): e4aa59c766c00e57ef1079060c3f50a6

Written by Malware Hunter.
