user.ds - Dangerous

Manual removal instructions:

Antivirus Report of user.ds:
user.ds: Malware, Dangerous, High Risk
We suggest that you remove twex.exe from your computer as soon as possible.
Twex.exe is a Trojan/Backdoor.
Kill the twex.exe process and remove twex.exe from Windows startup.

File: archive.js.exe

Classification:
Antivirus     Version       Last Update   Result
Avast         4.8.1335.0    2009.05.06    Win32:Zbot-BDT
AVG           8.5.0.327     2009.05.06    Win32/Cryptor
BitDefender   7.2           2009.05.07    Trojan.Spy.Zeus.T
F-Secure      8.0.14470.0   2009.05.07    Trojan-Spy.Win32.Zbot.rpq
Kaspersky     7.0.0.125     2009.05.07    Trojan-Spy.Win32.Zbot.rpq
Microsoft     1.4602        2009.05.06    PWS:Win32/Zbot.G
NOD32         4057          2009.05.06    probably a variant of Win32/Spy.Zbot.JF
Symantec      1.4.4.12      2009.05.07    Infostealer.Banker.C

Additional information
File size: 62976 bytes
MD5 : 8d29622f9319874603a58b6c32cc636c
SHA1 : 7ed4540f9c78b371c0ebe4ad9a2e825a7b0a4803

Installation
When the program is executed, it makes the following registry and file system changes:

----------------------------------
Values deleted:0
----------------------------------

----------------------------------
Values added:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID: "7600-A9041E6B18_00015A9E"

----------------------------------
Values modified:2
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"

----------------------------------
Files added:4
----------------------------------
C:\WINDOWS\system32\twain32\local.ds
C:\WINDOWS\system32\twain32\user.ds
C:\WINDOWS\system32\twain32\user.ds.lll
C:\WINDOWS\system32\twex.exe

----------------------------------
Files [attributes?] modified:0
----------------------------------

----------------------------------
Folders added:1
----------------------------------
C:\WINDOWS\system32\twain32

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Total changes:8
----------------------------------

-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: UserInit
Author: Unknown
Related File: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
Type: UserInit Value

Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)


Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since that time I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.
