HT Logs. Tips, FAQs, Analyze.

photo_id.exe is a harmful program.

It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: photo_id
Filename: photo_id.exe
Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | photo_id
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | photo_id

Command:

C:\WINDOWS\system32\photo_id.exe
%UserProfile%\photo_id.exe
C:\WINDOWS\system32\config\systemprofile\photo_id.exe

Startup Type: HKLM->Run. HKCU->Run
HijackThis Category:
HijackThis Line:

O4 – HKLM\..\Run: [photo_id] C:\WINDOWS\system32\photo_id.exe
O4 – HKCU\..\Run: [photo_id] C:\Documents and Settings\user\photo_id.exe
O4 – HKUS\S-1-5-18\..\Run: [photo_id] C:\WINDOWS\system32\config\systemprofile\photo_id.exe (User ‘SYSTEM’)
O4 – HKUS\.DEFAULT\..\Run: [photo_id] C:\WINDOWS\system32\config\systemprofile\photo_id.exe (User ‘Default user’)

DDS Line:

mRun: [photo_id] C:\WINDOWS\system32\photo_id.exe
uRun: [photo_id] C:\Documents and Settings\user\photo_id.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“photo_id”=C:\WINDOWS\system32\photo_id.exe
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“photo_id”=C:\Documents and Settings\user\photo_id.exe

Description: trojan

How to remove: use HijackThis + Malwarebytes` Anti-malware

This entry was posted on Tuesday, December 1st, 2009 at 6:10 am and is filed under O4, Run, Trojan. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.