%sysdir%\calc.dll - Dangerous
Fix it immediately
We suggest that you remove s_loader.exe from your computer as soon as possible.
s_loader.exe is a Trojan/backdoor.
Kill the s_loader.exe process and remove s_loader.exe from Windows startup.
Malware dropper:
s_loader.exe
Removed:
C:\Documents and Settings\Administrator\Application Data\seres.exe
C:\Documents and Settings\Administrator\Application Data\svcst.exe
C:\DOCUME~1\ADMINI~1\ntuser.dll
C:\WINDOWS\system32\calc.dll
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.dll
-------------------------------------------------------------------------------------
Classification:
Antivirus   Version       Last Update   Result
F-Secure    8.0.14470.0   2009.10.08    -
Kaspersky   7.0.0.125     2009.10.08    -
McAfee      5765          2009.10.08    Generic.dx!fpr
Microsoft   1.5101        2009.10.08    TrojanDownloader:Win32/FakeRean
NOD32       4491          2009.10.08    a variant of Win32/Kryptik.AMD
Symantec    1.4.4.12      2009.10.08    Packed.Generic.255
Additional information:
File size: 62976 bytes
MD5: 8a93d70504b354beec93a7ba2748c11a
SHA1: a6024dde7f4b6abceabda203b12fd9d1d542e8b9
-------------------------------------------------------------------------------------
Installation
When the program is executed, it makes the following registry changes (keys and values deleted and added):
----------------------------------
Keys deleted: 121
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base
/.../
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt
/.../
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
----------------------------------
Keys added: 3
----------------------------------
HKLM\SOFTWARE\Microsoft\DownloadManager
HKCU\Software\Microsoft\Internet Explorer\Download
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
----------------------------------
Values deleted: 119
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\: "Human Interface Devices"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\: "Volume"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}\: "Floppy disk drive"
/.../
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender\: "Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base\: "Driver Group"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt\: "Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\: "Human Interface Devices"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\: "Volume"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\: "Floppy disk drive"
/.../
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppMgmt\: "Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AFD\: "Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell: "cmd.exe"
----------------------------------
Values added: 11
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc: "rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0"
HKCU\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures: "no"
HKCU\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures: 0x00000001
HKCU\Software\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001
HKCU\Software\Microsoft\Security Center\FirewallDisableNotify: 0x00000001
HKCU\Software\Microsoft\Security Center\UpdatesDisableNotify: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes: "zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav"
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\SaveZoneInformation: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\calc: "rundll32.exe C:\DOCUME~1\ADMINI~1\ntuser.dll,_IWMPEvents@0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mserv: "C:\Documents and Settings\Administrator\Application Data\seres.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost: "C:\Documents and Settings\Administrator\Application Data\svcst.exe"
----------------------------------
Values modified: 0
----------------------------------
----------------------------------
Files added: 9
----------------------------------
C:\Documents and Settings\Administrator\Application Data\lizkavd.exe
C:\Documents and Settings\Administrator\Application Data\seres.exe
C:\Documents and Settings\Administrator\Application Data\svcst.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\nsrbgxod.bak
C:\Documents and Settings\Administrator\Local Settings\Temp\popka.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\rundll32.dll
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.dll
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.lnk
C:\WINDOWS\system32\calc.dll
----------------------------------
Files deleted: 1
----------------------------------
C:\sand-box\s_loader.exe
----------------------------------
Files [attributes?] modified: 0
----------------------------------
----------------------------------
Folders added: 0
----------------------------------
----------------------------------
Folders deleted: 0
----------------------------------
----------------------------------
Total changes: 264
----------------------------------
-------------------------------------------------------------------------------------
Internet activity:
HTTP GET http://utorgtanedoskaw.com/files/avp21_d...
HTTP GET http://rtugamer5tobes.com/files/avp21_d_...
HTTP GET http://lersolamgaderg.com/files/avp21_d_...
HTTP GET http://orav4abustorabe.com/files/avp21_d...
HTTP GET http://orav4abustorabe.com/files/avp21_d...
HTTP GET http://orav4abustorabe.com/files/_AVE_._...
HTTP GET http://orav4abustorabe.com/files/_AVE_._...
HTTP GET http://orav4abustorabe.com/files/_Add_._...
HTTP GET http://orav4abustorabe.com/files/_GUI_._...
HTTP GET http://orav4abustorabe.com/files/_SC_._d...
HTTP GET http://orav4abustorabe.com/files/_Upd_._...
-------------------------------------------------------------------------------------
Detected by UnHackMe:
Item Name: mserv
Author: Unknown
Related File: C:\Documents and Settings\Administrator\Application Data\seres.exe
Type: Registry Run
Item Name: svchost
Author: Unknown
Related File: C:\Documents and Settings\Administrator\Application Data\svcst.exe
Type: Registry Run
Item Name: seres.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SERES.EXE
Type: Running Processes
Item Name: calc
Author: Microsoft
Related File: rundll32.exe C:\DOCUME~1\ADMINI~1\ntuser.dll,_IWMPEvents@0
Type: Registry Run
Item Name: calc
Author: Microsoft
Related File: rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
Type: Registry Run
After first reboot detected by UnHackMe:
Item Name: Antivirus Pro 2010
Author: vikbnerobeb
Related File: "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
Type: Registry Run
Item Name: Antivirus Pro 2010
Author: vikbnerobeb
Related File: "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
Type: Registry Run
Item Name: calc
Author:
Related File: rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
Type: Registry Run
Item Name: scandisk.dll
Author: Microsoft
Related File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.dll
Type: Startup Folder
Removal Results: Success
Number of reboots: 2
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
Remove calc.dll now!
- First download the latest version of UnHackMe: Download UnHackMe.
- Open the archive and start unhackme_setup.exe.
- When the installation is over you will see the main UnHackMe screen.
- Click on the Advanced button and choose “Send report to the support center” in the popup menu. Follow the instructions. The report file (regrunlog.txt) will be saved on your Desktop.
- Go to the Support Center. Attach the report to your ticket: click on the Browse button and select the regrunlog.txt file.
- Don’t insert the report text directly into the message text! We won’t be able to analyse such a report.
- Describe your problem in detail. Add a screenshot, your antivirus log or the suspicious files.
Constantly updated. Last update:
February 5 2012