mplay.exe - Dangerous
%windir%\mplay.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
%WinDir%\mplay.exe is a Trojan/backdoor.
Kill the %WinDir%\mplay.exe process and remove %WinDir%\mplay.exe from Windows startup (the Run, Policies\Explorer\Run and Active Setup entries listed under Installation below).
File: mplay.exe
-------------------------------------------------------------------------------------
Classification:
Code:
Antivirus     Version        Last Update   Result
Avast         4.8.1335.0     2009.07.09    Win32:Trojan-gen {Other}
AVG           8.5.0.387      2009.07.09    Generic13.BKVD
BitDefender   7.2            2009.07.10    Trojan.Dropper.Agent.UOU
Comodo        1601           2009.07.10    -
DrWeb         5.0.0.12182    2009.07.10    BackDoor.Dosia.108
F-Secure      8.0.14470.0    2009.07.10    Trojan.Win32.Buzus.bhtd
Kaspersky     7.0.0.125      2009.07.10    Trojan.Win32.Buzus.bhtd
Microsoft     1.4803         2009.07.10    VirTool:Win32/DelfInject.gen!L
NOD32         4230           2009.07.10    Win32/Naprat.B
Symantec      1.4.4.12       2009.07.10    W32.IRCBot
Additional information
File size: 160768 bytes
MD5: ce5126b12926220c15d3df3a8ff6a05d
SHA1: 5b39eaa17ce07ce42036b41fdc45dddd6d5a3605
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values and drops the files listed below:
----------------------------------
Keys added:2
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7U56KFDB-4036-J8SX-U8JI-6512121AP505}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
----------------------------------
Values added:7
----------------------------------
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7U56KFDB-4036-J8SX-U8JI-6512121AP505}\StubPath: ""C:\WINDOWS\mplay.exe""
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RSA: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\DSA: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows Media Player: "C:\WINDOWS\mplay.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Media Player: "C:\WINDOWS\mplay.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\[value name of non-printable characters, garbled in the original report]: 0x00000001
HKCU\Software\Microsoft\Windows NT\CurrentVersion\: "H1UYEEMA[QRmymn{.nqk"
----------------------------------
Values modified:0
----------------------------------
----------------------------------
Files added:2
----------------------------------
C:\WINDOWS\mplay.exe
C:\WINDOWS\odbcsetup.ini
----------------------------------
Files [attributes?] modified:0
----------------------------------
----------------------------------
Folders added:0
----------------------------------
----------------------------------
Folders deleted:0
----------------------------------
----------------------------------
Total changes:11
----------------------------------
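The three persistence locations in the report (the per-user Run key, the Policies\Explorer\Run key, and an Active Setup "Installed Components" StubPath, which Windows runs once per user at logon) can be audited read-only before any removal is attempted. The following PowerShell script is an added example, not part of the original report and not RegRun's or UnHackMe's code. It assumes the paths and the MD5 given on this page, reads the registry and process list without changing anything, and needs an elevated prompt to see the paths of processes owned by other users.

```powershell
# Added example: audit the autostart locations named in this report for
# entries pointing at %WinDir%\mplay.exe. Read-only; nothing is deleted.

$target   = Join-Path $env:WINDIR 'mplay.exe'
$knownMd5 = 'ce5126b12926220c15d3df3a8ff6a05d'   # MD5 from the report above
$findings = @()

# 1. Per-user Run and Policies\Explorer\Run values. The report lists a value
#    named "Windows Media Player" in both keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        if ("$($p.Value)" -match '(?i)mplay\.exe') {
            $findings += [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $p.Value }
        }
    }
}

# 2. Active Setup: every Installed Components subkey with a StubPath is run
#    once per user at logon, so a StubPath naming the file is persistence.
$asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $asRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
    if ($stub -and $stub -match '(?i)mplay\.exe') {
        $findings += [pscustomobject]@{ Location = "$($_.Name)\StubPath"; Value = $stub }
    }
}

# 3. A running process whose image was loaded from the file path.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $target) } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Location = "Process PID $($_.Id)"; Value = $_.Path }
    }

# 4. The file on disk and its MD5, compared with the hash in the report.
if (Test-Path $target) {
    $md5  = (Get-FileHash -Path $target -Algorithm MD5).Hash.ToLower()
    $note = if ($md5 -eq $knownMd5) { 'matches the MD5 in this report' }
            else { 'does not match the MD5 in this report (different sample)' }
    $findings += [pscustomobject]@{ Location = $target; Value = "MD5 $md5 - $note" }
}

if ($findings.Count -eq 0) {
    Write-Output "No references to $target found in the checked autostart locations."
} else {
    $findings | Format-Table -AutoSize
}
```

A hit in section 1 or 2 with no file on disk means the startup entry outlived the file and should still be removed; a hit in section 3 alone means the process is running from somewhere the script did not check, so the remaining autostart locations (services, scheduled tasks, Winlogon) deserve the same treatment.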
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:
Item Name: Windows Media Player
Author: Unknown
Related File: C:\WINDOWS\mplay.exe
Type: Explorer Run

Item Name: {7U56KFDB-4036-J8SX-U8JI-6512121AP505}
Author: Unknown
Related File: "C:\WINDOWS\mplay.exe"
Type: ActiveSetup

Item Name: mplay.exe
Author: Unknown
Related File: C:\WINDOWS\mplay.exe
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboots: 1
-------------------------------------------------------------------------------------
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)