william_a.exe - Dangerous

william_a.exe

Manual removal instructions:

Antivirus Report of william_a.exe:
william_a.exe: Malware, Dangerous, High Risk
We suggest that you remove william_a.exe from your computer as soon as possible.
william_a.exe is a Trojan/Backdoor.
Kill the process william_a.exe and remove william_a.exe from Windows startup.

File: william_a.exe (C:\sand-box\william_a.exe)
-------------------------------------------------------------------------------------
Classification:
Antivirus     Version       Last Update   Result
Avast         4.8.1335.0    2009.08.19    -
AVG           8.5.0.406     2009.08.19    -
BitDefender   7.2           2009.08.20    -
Comodo        2030          2009.08.20    -
DrWeb         5.0.0.12182   2009.08.20    -
F-Secure      8.0.14470.0   2009.08.19    -
Kaspersky     7.0.0.125     2009.08.20    -
Microsoft     1.4903        2009.08.19    Trojan:Win32/Waledac.gen!A
NOD32         4349          2009.08.19    -
Symantec      1.4.4.12      2009.08.20    Packed.Generic.243

Additional information
File size: 510976 bytes
MD5 : d6e16537426fa0b120bca0920f4b4191
SHA1 : 353ae2ba12fa6a57dc497dfe1be7f4a307f0f875
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:

----------------------------------
Values added:3
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RList
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PromoReg: "C:\sand-box\william_a.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\MyID: E9 27 7B 46 F2 29 38 48 D1 40 77 14 22 7A 7E 1C C2 1B

----------------------------------
Values modified:0
----------------------------------

----------------------------------
Files [attributes?] modified:1
----------------------------------
C:\WINDOWS\Temp\7hji4mwf.TMP

----------------------------------
Folders added:0
----------------------------------

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Total changes:4
----------------------------------

-------------------------------------------------------------------------------------
Internet activity:
HTTP POST http://85.101.51.6/zwiqnarptua.htm
HTTP POST http://99.18.90.137/
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: PromoReg
Author: Unknown
Related File: C:\sand-box\william_a.exe
Type: Registry Run

Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)

william_a.exe Dangerous Rating: 5 out of 5

Jeff's Story:

My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect or fix.

I sought a solution on the Internet and discovered your product and tried out the trial of UnHackMe.

You quickly found the rootkit and SAVED my PC!

I haven't had any problems since, and I'm extremely grateful.