winshou.exe - Dangerous

Antivirus report of winshou.exe: Malware, Dangerous, High Risk.

Manual removal instructions:

We suggest you remove jojo.dll and jojo.exe from your computer as soon as possible.
Jojo.dll is a Trojan/Backdoor that is registered as an Internet Explorer Browser Helper Object; jojo.exe is a copy of winshou.exe that is started from the per-user Winlogon Shell value.
Kill the jojo.exe process, delete both files, and remove the BHO registration and the Winlogon Shell entry from Windows startup (the exact keys and values are listed in the Installation section below).

File: winshou.exe (C:\sand-box\winshou.exe)

Classification:

Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.06 Win32:Trojan-gen {Other}
AVG 8.5.0.406 2009.08.06 VB.JLY
BitDefender 7.2 2009.08.06 -
Comodo 1888 2009.08.06 TrojWare.Win32.TrojanDownloader.Tibs.1
DrWeb 5.0.0.12182 2009.08.06 Trojan.PWS.Multi.72
F-Secure 8.0.14470.0 2009.08.06 Trojan-Dropper.Win32.Agent.ayox
Kaspersky 7.0.0.125 2009.08.06 Trojan-Dropper.Win32.Agent.ayox
Microsoft 1.4903 2009.08.06 TrojanDropper:Win32/Gontu.B
NOD32 4312 2009.08.06 probably a variant of Win32/VB.OEA
Symantec 1.4.4.12 2009.08.06 -
Additional information
File size: 24397 bytes
MD5 : 0cedec6dc63cb6e096fdd3febb68d41d
SHA1 : c687b5815c2658b66240759c4d82729cefdaceb3

Installation
When winshou.exe is executed it copies itself to C:\WINDOWS\system32\jojo.exe (same size, MD5 and SHA1 as winshou.exe, see below), drops C:\WINDOWS\system32\jojo.dll and registers it as a Browser Helper Object, points the per-user Winlogon Shell value at jojo.exe, hides the real Internet Explorer desktop icon behind its own Internet Explorer.lnk shortcuts, and deletes the original file. The registry and file system changes recorded in the sandbox are:

----------------------------------
Keys added:24
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\Implemented Categories
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\InprocServer32
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\VERSION
HKLM\SOFTWARE\Classes\Interface\{6FA8E272-B11D-47B5-B90F-6B9E92307AAD}
HKLM\SOFTWARE\Classes\Interface\{6FA8E272-B11D-47B5-B90F-6B9E92307AAD}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{6FA8E272-B11D-47B5-B90F-6B9E92307AAD}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{6FA8E272-B11D-47B5-B90F-6B9E92307AAD}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}
HKLM\SOFTWARE\Classes\TypeLib\{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}\1.0
HKLM\SOFTWARE\Classes\TypeLib\{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\BrowserHelper.CBrowserHelper
HKLM\SOFTWARE\Classes\BrowserHelper.CBrowserHelper\Clsid
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{180C3CF4-F324-400B-A4C3-BABBC87AB967}
HKCU\Software\VB and VBA Program Settings
HKCU\Software\VB and VBA Program Settings\BrowserHelper
HKCU\Software\VB and VBA Program Settings\BrowserHelper\BrowserHelper

----------------------------------
Values added:18
----------------------------------
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\VERSION\: "1.0"
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\TypeLib\: "{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}"
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\ProgID\: "BrowserHelper.CBrowserHelper"
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\InprocServer32\: "C:\WINDOWS\system32\jojo.dll"
HKLM\SOFTWARE\Classes\CLSID\{180C3CF4-F324-400B-A4C3-BABBC87AB967}\: "BrowserHelper.CBrowserHelper"
HKLM\SOFTWARE\Classes\Interface\{6FA8E272-B11D-47B5-B90F-6B9E92307AAD}\TypeLib\: "{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}"
HKLM\SOFTWARE\Classes\Interface\{6FA8E272-B11D-47B5-B90F-6B9E92307AAD}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{6FA8E272-B11D-47B5-B90F-6B9E92307AAD}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{6FA8E272-B11D-47B5-B90F-6B9E92307AAD}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{6FA8E272-B11D-47B5-B90F-6B9E92307AAD}\: "CBrowserHelper"
HKLM\SOFTWARE\Classes\TypeLib\{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}\1.0\0\win32\: "C:\WINDOWS\system32\jojo.dll"
HKLM\SOFTWARE\Classes\TypeLib\{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}\1.0\HELPDIR\: "C:\WINDOWS\system32"
HKLM\SOFTWARE\Classes\TypeLib\{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}\1.0\FLAGS\: "0"
HKLM\SOFTWARE\Classes\TypeLib\{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}\1.0\: "BrowserHelper"
HKLM\SOFTWARE\Classes\BrowserHelper.CBrowserHelper\Clsid\: "{180C3CF4-F324-400B-A4C3-BABBC87AB967}"
HKLM\SOFTWARE\Classes\BrowserHelper.CBrowserHelper\: "BrowserHelper.CBrowserHelper"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe,C:\WINDOWS\system32\jojo.exe"
HKCU\Software\VB and VBA Program Settings\BrowserHelper\BrowserHelper\HomePath: "Db3bjbNaUbacob5cadZdZa5adaPbLaZapb5cadadDb3bjbNaUbacobgdGdYdRa4adaBa9aAana2dXcIc8aebcbLabcacaa1cBcIcXbbaubOaYa"

----------------------------------
Values modified:4
----------------------------------
(old value on the first line of each pair, new value on the second; {871C5380-42A0-1069-A2EA-08002B30309D} is the Internet Explorer desktop icon, so setting it to 1 hides the genuine icon while the dropped Internet Explorer.lnk files take its place)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\{871C5380-42A0-1069-A2EA-08002B30309D}: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\{871C5380-42A0-1069-A2EA-08002B30309D}: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{871C5380-42A0-1069-A2EA-08002B30309D}: 0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{871C5380-42A0-1069-A2EA-08002B30309D}: 0x00000001

----------------------------------
Files added:4
----------------------------------
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk
C:\Documents and Settings\Administrator\Desktop\Internet Explorer.lnk
C:\WINDOWS\system32\jojo.dll
C:\WINDOWS\system32\jojo.exe

----------------------------------
Files deleted:2
----------------------------------
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
C:\sand-box\winshou.exe

----------------------------------
Files [attributes?] modified:2
----------------------------------
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
C:\WINDOWS\system32\wbem\Logs\wbemcore.log

----------------------------------
Folders added:0
----------------------------------

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Total changes:54
----------------------------------
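The following triage script is an added example and is not part of the original report, nor is it RegRun or UnHackMe code. It checks a machine for the indicators listed in the Installation section (BHO CLSID, Interface and TypeLib GUIDs, the ProgID key, the VB settings key, the HKCU Winlogon Shell value, the HideDesktopIcons flags, the two dropped files and their page-reported MD5 hashes) and, when run with -Remove, undoes them. It assumes a default %SystemRoot%, PowerShell 4 or later for Get-FileHash, and, on 64-bit hosts, that the 32-bit VB6 DLL lands under the Wow6432Node paths (an assumption; the sandbox above was 32-bit). Run it from an elevated PowerShell and reboot afterwards, because jojo.exe is launched from Winlogon\Shell.

```powershell
<#
  Added example (not from the original page or from RegRun/UnHackMe).
  Finds and optionally removes the winshou.exe / jojo.dll / jojo.exe
  indicators recorded in the Installation section of the report.
  Usage:  .\Find-Jojo.ps1            # report only
          .\Find-Jojo.ps1 -Remove    # report and clean up
#>
param([switch]$Remove)

$Clsid   = '{180C3CF4-F324-400B-A4C3-BABBC87AB967}'   # BHO class, InprocServer32 -> jojo.dll
$Iface   = '{6FA8E272-B11D-47B5-B90F-6B9E92307AAD}'   # CBrowserHelper interface
$TypeLib = '{BBE184BF-92B1-4E5D-848E-0F0FF4D56060}'   # type library registered for jojo.dll
$IeIcon  = '{871C5380-42A0-1069-A2EA-08002B30309D}'   # Internet Explorer desktop icon

# MD5 values as reported in the tables on this page (Get-FileHash returns uppercase)
$DroppedFiles = @{
    "$env:SystemRoot\system32\jojo.dll" = 'FE352391122EAE6FB397BFBB7ACEC429'
    "$env:SystemRoot\system32\jojo.exe" = '0CEDEC6DC63CB6E096FDD3FEBB68D41D'
}

# Wow6432Node entries are an assumption for 64-bit hosts; the report itself is from a 32-bit sandbox
$RegKeys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid",
    "HKLM:\SOFTWARE\Classes\Interface\$Iface",
    "HKLM:\SOFTWARE\Classes\TypeLib\$TypeLib",
    "HKLM:\SOFTWARE\Classes\BrowserHelper.CBrowserHelper",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
    "HKCU:\Software\VB and VBA Program Settings\BrowserHelper"
)
$Winlogon  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$HideIcons = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
)

$found = @()

# 1. Running copy: jojo.exe is started from Winlogon\Shell, so it comes back at every logon
$proc = Get-Process -Name jojo -ErrorAction SilentlyContinue
if ($proc) { $found += "process jojo.exe (PID $($proc.Id -join ','))" }

# 2. Dropped files; compare the hash so a same-named but unrelated file is reported, not silently deleted
foreach ($path in $DroppedFiles.Keys) {
    if (Test-Path -LiteralPath $path) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $note = if ($md5 -eq $DroppedFiles[$path]) { 'MD5 matches report' } else { "MD5 $md5 differs from report" }
        $found += "file $path ($note)"
    }
}

# 3. COM/BHO registration and the VB settings key holding the encoded HomePath value
foreach ($key in $RegKeys) {
    if (Test-Path -LiteralPath $key) { $found += "registry key $key" }
}

# 4. Per-user shell hijack: "explorer.exe,C:\WINDOWS\system32\jojo.exe"
$shell = (Get-ItemProperty -LiteralPath $Winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -match 'jojo\.exe') { $found += "Winlogon Shell = $shell" }

# 5. Genuine Internet Explorer desktop icon hidden (replaced by the dropped Internet Explorer.lnk files)
foreach ($key in $HideIcons) {
    $v = (Get-ItemProperty -LiteralPath $key -Name $IeIcon -ErrorAction SilentlyContinue).$IeIcon
    if ($v -eq 1) { $found += "$key\$IeIcon = 1" }
}

if (-not $found) { Write-Host 'No indicators found.'; return }
$found | ForEach-Object { Write-Host "FOUND: $_" }
if (-not $Remove) { return }

# Removal: stop the process first, then break persistence, then delete the files.
if ($proc) { $proc | Stop-Process -Force }
# Deleting the HKCU Shell value makes Winlogon fall back to the HKLM default (explorer.exe)
Remove-ItemProperty -LiteralPath $Winlogon -Name Shell -ErrorAction SilentlyContinue
foreach ($key in $HideIcons) {
    if (Test-Path -LiteralPath $key) { Set-ItemProperty -LiteralPath $key -Name $IeIcon -Value 0 -Type DWord }
}
foreach ($key in $RegKeys) {
    if (Test-Path -LiteralPath $key) { Remove-Item -LiteralPath $key -Recurse -Force }
}
# With the CLSID and BHO keys gone, Explorer and IE will not load jojo.dll again; if the DLL is
# still locked by a running iexplore.exe, close the browser and rerun with -Remove.
foreach ($path in $DroppedFiles.Keys) {
    if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path -Force -ErrorAction Continue }
}
Write-Host 'Removal done. Reboot, then check the Internet Explorer.lnk files on the Desktop and in Quick Launch.'
```

The hash comparison matters because jojo.exe and jojo.dll are generic file names: the script reports a name match whose hash differs rather than deleting it unseen, and the removal order (process, Shell value, registry, files) avoids leaving a Shell entry that points at a deleted executable, which would break logon for that user.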

-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: {180C3CF4-F324-400B-A4C3-BABBC87AB967}
Author: administrator
Related File: C:\WINDOWS\system32\jojo.dll
Type: Browser Helper Objects

Item Name: shell
Author: Unknown
Related File: explorer.exe,C:\WINDOWS\system32\jojo.exe
Type: User Shell


Item Name: jojo.exe
Author: Unknown
Related File: C:\WINDOWS\SYSTEM32\JOJO.EXE
Type: Running Processes

Removal Results: Success
Number of reboots: 1
-------------------------------------------------------------------------------------
jojo.dll

Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.04 -
AVG 8.5.0.406 2009.08.04 -
BitDefender 7.2 2009.08.04 -
Comodo 1862 2009.08.04 -
DrWeb 5.0.0.12182 2009.08.04 -
F-Secure 8.0.14470.0 2009.08.04 -
Kaspersky 7.0.0.125 2009.08.04 Trojan.Win32.VB.tws
Microsoft 1.4903 2009.08.04 -
NOD32 4304 2009.08.04 -
Symantec 1.4.4.12 2009.08.04 -

Additional information
File size: 45056 bytes
MD5 : fe352391122eae6fb397bfbb7acec429
SHA1 : 2bbb88bb74023e59e83262fd6d3d56d5d79df773
-------------------------------------------------------------------------------------
jojo.exe (identical size, MD5 and SHA1 to winshou.exe: the dropper copies itself under this name)

Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.06 Win32:Trojan-gen {Other}
AVG 8.5.0.406 2009.08.06 VB.JLY
BitDefender 7.2 2009.08.06 -
Comodo 1888 2009.08.06 TrojWare.Win32.TrojanDownloader.Tibs.1
F-Secure 8.0.14470.0 2009.08.06 Trojan-Dropper.Win32.Agent.ayox
Kaspersky 7.0.0.125 2009.08.06 Trojan-Dropper.Win32.Agent.ayox
Microsoft 1.4903 2009.08.06 TrojanDropper:Win32/Gontu.B
NOD32 4312 2009.08.06 probably a variant of Win32/VB.OEA
Symantec 1.4.4.12 2009.08.06 -

Additional information
File size: 24397 bytes
MD5 : 0cedec6dc63cb6e096fdd3febb68d41d
SHA1 : c687b5815c2658b66240759c4d82729cefdaceb3
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)

Remove winshou.exe now!

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since then I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.

Testimonials

You can read UnHackMe testimonials here.