msrege.exe - Dangerous
msrege.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
By default it opens ports 14728 and 24759.
The Trojan is launched using an .html file that contains malicious Visual Basic Script (VBS) code.
When the .html file is opened, it does following:
Drops the q.vbs file and executes it. The file does the following:
Drops x.exe and executes it, which terminates security programs.
Downloads q.exe from a predetermined Web site and executes it.
Drops and executes the following files:
%Windir%\5845.exe
%Windir%\msreg.exe
%System%\svchostc.exe
%System%\svchosts.exe
Downloads configuration information from predetermined Web sites, and then runs svchostc.exe and svchosts.exe with these configurations.
Connects to a predetermined SMTP server and sends email message to a certain email address.
The message contains following information:
- Operating system version
- Registered user name
- Organization name
- AIM user accounts
- ICQ accounts
- Trillian accounts
- Ghisler Windows Commander and Total Commander information
- SMTP and POP email accounts and passwords
Automatical remove:
Use RegRun Startup Opimizer.
And navigate to the %System% folder and delete the svchosts.exe and svchostc.exe files.