poet.exe - Dangerous
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could neither detect nor fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
Creates the following files:
%Windir%\System32\poet.log
%Windir%\System32\Inf\readme.txt
%Windir%\System32\Inf\poet.exe
Adds the value: "Poet" = "%Windir%\System32\Inf\Poet.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Attempts to create copies of itself in the %Windir%\System32\Inf folder using different file names.
Each copy is an .exe file, an .avi file, or a .zip archive that contains a file with one of those two extensions.
Creates the following files:
C:\Program Files\KaAaA\My shared folder\The White Stripes - IM INFECTED.mp3
C:\Documents and Settings\All Users\Start Menu\Programs\BrainwashBrainwashBrainwash45.exe
Modifies configuration files or registry keys of file-sharing programs, such as Kazaa, eMule, eDonkey2000, Lphant, and Overnet,
so that the programs' shared folder is %Windir%\System32\Inf.
It then attempts to delete some registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
such as: avserve.exe; avserve2.exe; skynetave.exe; etc.
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "Poet" = "%Windir%\System32\Inf\Poet.exe"
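The file and registry indicators listed above, together with the manual-removal step, as a PowerShell check. This is an added example, not part of the original page or of any vendor tool; the -Remove switch is a parameter of this example script only, and the script assumes it is run from an elevated PowerShell session of the same bitness as the operating system.

```powershell
# Added example: audit a host for the poet.exe indicators listed on this page.
# Read-only by default. Pass -Remove to delete the "Poet" Run value
# (deleting from HKLM requires an elevated session).
param([switch]$Remove)

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$infDir = Join-Path $env:windir 'System32\Inf'

# File indicators exactly as given on the page.
$files = @(
    (Join-Path $env:windir 'System32\poet.log'),
    (Join-Path $infDir 'readme.txt'),
    (Join-Path $infDir 'poet.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { Write-Output "FOUND file: $f" }
}

# The page says copies are dropped in the Inf folder as .exe, .avi or .zip
# under varying names. List them for manual review; nothing is deleted here.
if (Test-Path -LiteralPath $infDir) {
    Get-ChildItem -LiteralPath $infDir -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ('.exe', '.avi', '.zip' -contains $_.Extension) } |
        ForEach-Object { Write-Output "REVIEW: $($_.FullName) ($($_.Length) bytes)" }
}

# Autorun indicator: the value "Poet" under the Run key.
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Poet']) {
    Write-Output "FOUND Run value: Poet = $($run.Poet)"
    if ($Remove) {
        Remove-ItemProperty -LiteralPath $runKey -Name 'Poet'
        Write-Output 'Removed Run value "Poet".'
    }
} else {
    Write-Output 'Run value "Poet" not present.'
}
```

Run it without arguments first and review the output; the REVIEW lines include any legitimate files with those extensions that happen to be in the Inf folder.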