January 17th, 2010 F2, Trojan, Winlogon\UserInit
sdra64.exe is a harmful program.
Name: sdra64
Filename: sdra64.exe
Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit
Command: C:\WINDOWS\system32\sdra64.exe
Startup Type: Winlogon\UserInit
HijackThis Category: F2
HijackThis Line:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
Description: core component of the ZBot trojan, also known as Trojan-Spy.Win32.Zbot.gen [Kaspersky Lab], PWS:Win32/Zbot.gen!R [Microsoft], Mal/Zbot-O [Sophos], Infostealer.Banker.C [Symantec]
How to remove: use HijackThis + Malwarebytes' Anti-Malware
January 17th, 2010 O4, Run, RunServices, Trojan
winIogon.exe is a harmful program.
Name: winIogon
Filename: winIogon.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Microsoft System Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Microsoft System Service
HKEY_CURRENT_USER\Software\Microsoft\OLE | Microsoft System Service
Command: C:\Windows\System32\winIogon.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [Microsoft System Service] winIogon.exe
DDS Line:
mRun: [Microsoft System Service] winIogon.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft System Service"=winIogon.exe
Description: trojan, also known as W32/Virut.gen.a [McAfee], Backdoor:Win32/Poebot.gen [Microsoft], W32.IRCBot [Symantec], PE_VIRUT.AV [Trend Micro], W32.Virut.W [Symantec]
How to remove: use HijackThis + Kaspersky virus removal tool
January 17th, 2010 O4, Run, Worm
freddy81.exe is a harmful program.
Name: freddy81
Filename: freddy81.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | sysfbtray
Command: C:\windows\freddy81.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy81.exe
DDS Line:
Run: [sysfbtray] C:\windows\freddy81.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sysfbtray"=C:\windows\freddy81.exe
Description: component of the Koobface worm
How to remove: use these koobface removal instructions.
January 16th, 2010 Trojan
winhlp64.exe is a harmful program.
Name: winhlp64
Filename: winhlp64.exe
Command: %UserProfile%\Temp\winhlp64.exe
Description: component of trojan FakeAlert. This is installed with cls_pack.exe.
How to remove: use these winhlp64.exe removal instructions.
January 16th, 2010 O4, Run, Trojan
cls_pack.exe is a harmful program.
Name: cls_pack
Filename: cls_pack.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | cls_pack.exe
Command: %UserProfile%\temp\cls_pack.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [cls_pack.exe] C:\DOCUME~1\user\LOCALS~1\Temp\cls_pack.exe
DDS Line:
uRun: [cls_pack.exe] c:\dokume~1\user\lokale~1\temp\cls_pack.exe
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cls_pack.exe"=c:\dokume~1\user\lokale~1\temp\cls_pack.exe
Description: component of trojan FakeAlert
How to remove: use these cls_pack.exe removal instructions.
January 16th, 2010 O4, Run, Worm
freddy80.exe is a harmful program.
Name: freddy80
Filename: freddy80.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | sysfbtray
Command: C:\windows\freddy80.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy80.exe
DDS Line:
mRun: [sysfbtray] C:\windows\freddy80.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sysfbtray"=C:\windows\freddy80.exe
Description: component of the Koobface worm
How to remove: use these Koobface removal instructions.
January 16th, 2010 O4, Startup folder, Trojan
rarype32.exe is a harmful program.
Name: rarype32
Filename: rarype32.exe
Command: %userProfile%\start menu\programs\startup\rarype32.exe
Startup Type: Startup folder
HijackThis Category: O4
HijackThis Line:
O4 - Startup: rarype32.exe
DDS Line:
StartupFolder: c:\documents and settings\user\start menu\programs\startup\rarype32.exe
Combofix/RSIT Line:
C:\Documents and Settings\user\Start Menu\Programs\Startup
rarype32.exe
Description: trojan, also known as Mal/Bredo-A [Sophos]
How to remove: use HijackThis + Malwarebytes' Anti-Malware + Kaspersky virus removal tool
January 16th, 2010 O4, Rogue Antispyware/Antivirus, Run
DefendAPc.exe is a harmful program.
Name: DefendAPc
Filename: DefendAPc.exe
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | DefendAPc
Command: C:\Program Files\DefendAPc Software\DefendAPc\DefendAPc.exe
Startup Type: HKLM->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKLM\..\Run: [DefendAPc] C:\Program Files\DefendAPc Software\DefendAPc\DefendAPc.exe
DDS Line:
mRun: [DefendAPc] C:\Program Files\DefendAPc Software\DefendAPc\DefendAPc.exe
Combofix/RSIT Line:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DefendAPc"=C:\Program Files\DefendAPc Software\DefendAPc\DefendAPc.exe
Description: core component of DefendAPc. DefendAPc is a rogue antispyware program.
How to remove: use these DefendAPc removal instructions.
January 14th, 2010 O4, Service, Trojan
sshnas21.dll is a harmful program.
Name: sshnas21
Filename: sshnas21.dll
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | LosAlamos
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Canaveral
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS
Command: C:\Windows\System32\sshnas21.dll
Startup Type: Service
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [LosAlamos] rundll32.exe C:\Windows\system32\sshnas21.dll,DllWork
O4 - HKCU\..\Run: [Canaveral] rundll32.exe C:\Users\username\AppData\Local\Temp\sshnas21.dll,BackupReadW
Combofix/RSIT Line:
S2 SSHNAS;SSHNAS; C:\WINDOWS\system32\svchost.exe
Description: a new version of the sshnas.dll trojan (trojan FakeAlert)
How to remove: use these sshnas.dll removal instructions.
January 13th, 2010 O4, Rogue Antispyware/Antivirus, Run
GhostAV.exe is a harmful program.
Name: GhostAV
Filename: GhostAV.exe
Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Ghost Antivirus
Command: c:\program files\Ghost Antivirus\GhostAV.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:
O4 - HKCU\..\Run: [Ghost Antivirus] "c:\program files\Ghost Antivirus\GhostAV.exe" /s
DDS Line:
uRun: [Ghost Antivirus] "c:\program files\ghost antivirus\GhostAV.exe" /s
Combofix/RSIT Line:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ghost Antivirus"=c:\program files\Ghost Antivirus\GhostAV.exe [2010-01-10 1608192]
Description: core component of Ghost Antivirus. Ghost Antivirus is a rogue antispyware program.
How to remove: use these Ghost Antivirus removal instructions.