winsys32_061230.dll - Dangerous

winsys32_061230.dll

Manual removal instructions:

Antivirus Report of winsys32_061230.dll:
winsys32_061230.dll Malware
winsys32_061230.dllDangerous
winsys32_061230.dllHigh Risk
winsys32_061230.dll
We suggest you to remove realsvc.exe from your computer as soon as possible.
Realsvc.exe is Trojan/Backdoor.
Kill the process realsvc.exe and remove realsvc.exe from Windows startup.

File: ppp.exe

-------------------------------------------------------------------------------------
Classification:
Antivirus Version Last Update Result

Code:
Avast 4.8.1335.0 2009.08.11 -
AVG 8.5.0.406 2009.08.12 Win32/Heur
BitDefender 7.2 2009.08.12 GenPack:Trojan.Autorun.TK
Comodo 1949 2009.08.12 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 5.0.0.12182 2009.08.12 Win32.HLLW.Autoruner.2174
F-Secure 8.0.14470.0 2009.08.11 -
Kaspersky 7.0.0.125 2009.08.12 Trojan-Downloader.Win32.Baser.dn
Microsoft 1.4903 2009.08.11 Worm:Win32/Autorun.G
NOD32 4327 2009.08.11 a variant of Win32/Kryptik.NX
Symantec 1.4.4.12 2009.08.12 Suspicious.MH690.A

Additional information
File size: 55808 bytes
MD5 : 12db26505da2f165bb8e0b0b8601f63f
SHA1 : 9306ac5b8c3fc2f2a66a1b74a32709389c98913e
-------------------------------------------------------------------------------------
Installation
When the program is executed, it creates the following registry subkeys and values:


----------------------------------
Keys added:5
----------------------------------
HKLM\SOFTWARE\Microsoft\DownloadManager
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\Security
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081220090813

----------------------------------
Values added:18
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\Enum\0: "Root\LEGACY_WINDOWS_REGEDIT_HELPS\0000"
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\Type: 0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\ImagePath: "%WINDIR%\system\realsvc.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\DisplayName: "Indexings helps"
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\Indexingbox\Description: "Indexingbox"
HKCU\Software\Microsoft\CTF\MSUTB\ShowDeskBand: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081220090813\CachePath: "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012009081220090813"
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081220090813\CachePrefix: ":2009081220090813: "
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081220090813\CacheLimit: 0x00002000
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081220090813\CacheOptions: 0x0000000B
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012009081220090813\CacheRepair: 0x00000000
HKCU\Software\WinRAR SFX\C%%WINDOWS%system: "C:\WINDOWS\system"

----------------------------------
Values modified:38
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_061230.dll start"
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}: FC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1C 87 81 4A 06 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ED 8D 81 4A C0 A8 AE 01 0F 00 00 00 00 00 00 00 0B 00 00 00 00 00 00 00 ED 8D 81 4A 6C 6F 63 61 6C 64 6F 6D 61 69 6E 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ED 8D 81 4A FF FF FF 00 33 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ED 8D 81 4A 00 00 07 08 36 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ED 8D 81 4A C0 A8 AE FE 35 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ED 8D 81 4A 05 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}: 06 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 8D 58 82 4A C0 A8 AE 01 0F 00 00 00 00 00 00 00 0B 00 00 00 00 00 00 00 8D 58 82 4A 6C 6F 63 61 6C 64 6F 6D 61 69 6E 00 01 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 8D 58 82 4A FF FF FF 00 33 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 8D 58 82 4A 00 00 07 08 36 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 8D 58 82 4A C0 A8 AE FE 35 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 8D 58 82 4A 05 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseObtainedTime: 0x4A8186E5
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseObtainedTime: 0x4A825185
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T1: 0x4A818A69
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T1: 0x4A825509
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T2: 0x4A818D0C
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\T2: 0x4A8257AC
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseTerminatesTime: 0x4A818DED
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\LeaseTerminatesTime: 0x4A82588D
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseObtainedTime: 0x4A8186E5
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseObtainedTime: 0x4A825185
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T1: 0x4A818A69
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T1: 0x4A825509
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T2: 0x4A818D0C
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\T2: 0x4A8257AC
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseTerminatesTime: 0x4A818DED
HKLM\SYSTEM\CurrentControlSet\Services\{0445ABC5-DCB0-4E8B-A5BE-DA7B973EBA30}\Parameters\Tcpip\LeaseTerminatesTime: 0x4A82588D
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\GeneralFlags: 0x00000004
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\GeneralFlags: 0x00000005
HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement: 2C 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 20 03 00 00 3A 02 00 00
HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement: 2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 20 03 00 00 3A 02 00 00
HKCU\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F\UserFile: 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 A2 C5 D9 2F 35 B2 BE 40 BC E1 10 8F D5 25 9D F2 00 00 00
...
A2 6C 4E CC 96 D6 CF 25 42 C7 5B 2A CD B0 B3 6B 1B 1E 21 BA 72 8F 3A E3 EC EA DC 4F 3E F9 9C D1 9F FE 05 B0 DB C7 C8 4B 8D B5 E5 04 4A 46 2F 0F 6B 7C 81 11 C0 D2 A4 B6 27 81 7E 26 2F 09 1C 19 2F 34 81 21 6F 6F C1 A3 0C 31 EB AE EC DB A7 2A F2 6F 12 CB C6 47 0D DC E0 C5 33 15 A9 D0 A0 BC 69 F9 B6 9E ED 88 14 00 00 00 62 F0 EB A1 04 04 45 CA AD 38 31 E6 A2 ED C5 70 5D 68 13 6B
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Count: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Count: 0x00000003
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Time: D9 07 08 00 02 00 0B 00 0E 00 3A 00 24 00 B1 01
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Time: D9 07 08 00 03 00 0C 00 05 00 17 00 21 00 E9 00
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Count: 0x00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Count: 0x00000003
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Time: D9 07 08 00 02 00 0B 00 0E 00 3A 00 24 00 1E 02
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Time: D9 07 08 00 03 00 0C 00 05 00 17 00 21 00 76 01
HKCU\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime: E2 9A 62 AB 93 1A CA 01
HKCU\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime: 4C D1 A3 E1 0C 1B CA 01
HKCU\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinFinishTime: E2 9A 62 AB 93 1A CA 01
HKCU\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinFinishTime: 00 96 A8 E1 0C 1B CA 01

----------------------------------
Files added:10
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009081220090813\index.dat
C:\WINDOWS\system\realsvc.exe
C:\WINDOWS\system\realsvc.reg
C:\WINDOWS\system32\AlxRes061230.exe
C:\WINDOWS\system32\dd.exe
C:\WINDOWS\system32\scrsys061230.scr
C:\WINDOWS\system32\scrsys16_061230.scr
C:\WINDOWS\system32\winsys16_061230.dll
C:\WINDOWS\system32\winsys32_061230.dll
C:\WINDOWS\mywinsys.ini

----------------------------------
Files deleted:1
----------------------------------
C:\sand-box\ppp.exe

----------------------------------
Files [attributes?] modified:2
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat

----------------------------------
Folders added:1
----------------------------------
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012009081220090813

----------------------------------
Folders deleted:0
----------------------------------

----------------------------------
Total changes:75
----------------------------------

-------------------------------------------------------------------------------------
Internet activity:

HTTP GET hxxp://dns5.8866.org/hxw/hx/200512.exe
HTTP GET hxxp://dns5.8866.org/hxw/hx/dd.exe
-------------------------------------------------------------------------------------
Detected by RegRun Reanimator:

Item Name: UserInit
Author: Unknown
Related File: C:\WINDOWS\system32\userinit.exe,rundll32.exe C:\WINDOWS\system32\winsys16_061230.dll start
Type: UserInit Value

Item Name: Indexingbox
Author:
Related File: C:\WINDOWS\system\realsvc.exe
Type: Auto Services

Item Name: winsys16_061230.dll
Author: Unknown
Related File: C:\WINDOWS\system32\winsys16_061230.dll
Type: Detected using Heuristic Algorithm

Item Name: AlxRes061230.exe
Author: Unknown
Related File: C:\WINDOWS\system32\AlxRes061230.exe
Type: Detected using Heuristic Algorithm

Item Name: scrsys061230.scr
Author: Unknown
Related File: C:\WINDOWS\system32\scrsys061230.scr
Type: Detected using Heuristic Algorithm

Item Name: scrsys16_061230.scr
Author: Unknown
Related File: C:\WINDOWS\system32\scrsys16_061230.scr
Type: Detected using Heuristic Algorithm

Item Name: winsys32_061230.dll
Author: Unknown
Related File: C:\WINDOWS\system32\winsys32_061230.dll
Type: Detected using Heuristic Algorithm

Item Name: xydzyh
Author: Unknown
Related File: C:\WINDOWS\system32\xydzyh.exe
Type: Registry Run

Removal Results: Success
Number of reboot: 1
-------------------------------------------------------------------------------------
winsys16_061230.dll

Code:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.05.11 Win32:Trojan-gen {Other}
AVG 8.5.0.327 2009.05.12 Win32/PolyCrypt
BitDefender 7.2 2009.05.12 Trojan.Agent.AHCM
Comodo 1157 2009.05.08 TrojWare.Win32.Pakes.csp
DrWeb 5.0.0.12182 2009.05.12 Trojan.Hitpop
F-Secure 8.0.14470.0 2009.05.12 Trojan.Win32.Pakes.csp
Kaspersky 7.0.0.125 2009.05.12 Trojan.Win32.Pakes.csp
Microsoft 1.4602 2009.05.12 Trojan:Win32/Agent
NOD32 4067 2009.05.12 Win32/Spy.Delf.NEN
Symantec 1.4.4.12 2009.05.12 Infostealer.Gampass

Additional information
File size: 30720 bytes
MD5 : 49940b40ae39bc1d115c7d12666218d5
SHA1 : 36dee6e8f8685023db66f4f4986ad0c16dccc75b
-------------------------------------------------------------------------------------
realsvc.exe
Code:
Antivirus Version Last Update Result
Avast 4.8.1335.0 2009.08.04 -
AVG 8.5.0.406 2009.08.03 Win32/Heur
BitDefender 7.2 2009.08.04 GenPack:Trojan.Downloader.Delf.ALF
Comodo 1843 2009.08.04 -
DrWeb 5.0.0.12182 2009.08.04 -
F-Secure 8.0.14470.0 2009.08.04 -
Kaspersky 7.0.0.125 2009.08.04 -
Microsoft 1.4903 2009.08.03 TrojanDownloader:Win32/Small.gen!C
NOD32 4302 2009.08.03 a variant of Win32/Kryptik.NX
Symantec 1.4.4.12 2009.08.04 Suspicious.MH690.A

Additional information
File size: 144680 bytes
MD5 : c1d472b949ed743da275af30fa5be219
SHA1 : 77eab9ff4658dbdd2cf27cc59ea68ddc27fe0609
-------------------------------------------------------------------------------------

Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)

Remove winsys32_061230.dll now!

Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.

Since that time I work every day to fix the issues that antiviruses cannot.

If your antivirus have not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.

Testimonials

You can read UnHackMe testimonials here.