If your PC is also running slowly, you may be interested to look at Registry Fix.. Registry fix is proven to improve the performance of your computer.

Trojan.Dysflink can arrive on your PC by way of a drive by download.

When the Trojan itself is executed, it will copy itself as the following file:
%ProgramFiles%\qcat\qsetup.exe

Then the trojan will create the following file on your computer.
%ProgramFiles%\qcat\qcat.ini

Dysflink then searches these folders on your machine for .lnk files, which are used to represent Windows shortcuts:

* %UserProfile%\Desktop
* %UserProfile%\Start Menu
* %SystemDrive%\Documents and Settings\All Users\Desktop
* %SystemDrive%\Documents and Settings\All Users\Start Menu

Next, Dysflink modifies all .lnk files found so that it executes whenever one of the above shortcuts is used. It also executes the original target executable of the shortcut so that the user remains unaware of its presence.

Note: The original .lnk files are copied to the following folder:
%ProgramFiles%\qcat\tmpdata

It will then attempt to steal information relating to the QQ instant messaging program, which it will then send along to the following URL:
[http://]716mm.com:81/dd/dd/qq.[REMOVED]

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at Registry Fix.. Registry fix is proven to improve the performance of your computer.

Upon the Trojan being executed, the following files are created:

* %UserProfile%\Templates\memory.tmp
* %UserProfile%\Local Settings\Application Data\Windows Server\
[SIX RANDOM LETTERS].dll

Then it will create the following registry entries:

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager\AppCertDlls\"AppSecDll" = "%User
Profile%\Local Settings\Application Data\Windows Server\[SIX
RANDOM LETTERS].dll"
* HKEY_CURRENT_USER\Software\[TEN RANDOM
LETTERS]\"[TEN RANDOM LETTERS]" = "[BINARY DATA]"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\sr\Parameters\"FirstRun" = "1"

Then these registry entries are deleted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "1"

Then the Trojan injects itself into these processes if they are found
to be running.

* cmdagent.exe
* fssm32.exe
* fsorsp.exe
* avp.exe
* iexplore.exe
* firefox.exe
* opera.exe
* explorer.exe

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

Bloodhound.PDF!gen2 is a heuristic detection for potentially malicious
files that may exploit vulnerabilities in Adobe Reader in order to
perform further malicious actions.

This heuristic detection is used to detect threats associated with
the following Trojan family: Trojan.Pidief.J

Files that are detected as Bloodhound.PDF!gen2 may be malicious.

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

Once executed, the Trojan attempts to exploit Adobe Flash Player,
Acrobat Reader, and Acrobat ‘authplay.dll’ Remote Code Execution
Vulnerability (BID 40586).

The Trojan then downloads a bitmap file from the following URL:
[http://]google-analytics.dynalias.org/intl/images/calc[REMOVED]

Note: The bitmap file contains an encrypted file (detected as Backdoor.Trojan).

The downloaded file is extracted to %Temp%\upt.exe and executed.

It then creates the following files:

* %Windir%\EventSystem.dll (detected as Backdoor.Trojan)
* %System%\qmgr.dll (detected as Backdoor.Trojan)
* %System%\dllcache\qmgr.dll (detected as Backdoor.Trojan)
* %System%\es.ini

Next, it copies the file %System%\qmgr.dll to %System%\kernel64.dll.

It then connects to the following URL:
[http://]google-analytics.dynalias.org/ddr/ddrh[REMOVED]

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

The Trojan could arrive as a .jtd extension.

When opened, this file will attempt to exploit the JustSystems Ichitaro Character Attributes Processing Remote Code Execution Vulnerability (BID 40472).

Please Note: This issue can be fixed by the Ichitaro version 1.0.1.6 update patch program.

The Trojan will then possibly create these files:

* %Temp%\update.exe (Downloader)
* %System%\PMService.exe (Downloader)
* %Temp%\[DOUBLE BYTE FILE NAME].jtd
* %Temp%\[DOUBLE BYTE FILE NAME].jtd.$$$

The Trojan will then create the following registry subkey in order to register itself as a service:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\PMSservice

Then it will connect to the following location on TCP port 80:
[http://]update.winsdate.com/domestic/svcho[REMOVED]

It may then download and execute files from the above location.

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

The Loginck trojan can arrive on your computer in a variety of ways.

Once Loginck is executed, it contacts a predetermined server and downloads a list of stored user names and passwords for gaming websites.

Note: The Trojan does not steal these account details. They have likely been gathered by other information-stealing threats.

The Trojan then tried to login to each of these accounts to determine their validity.

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

This Trojan can be picked up from spammed email messages or downloaded

through the web.

The Trojan drops the following DLL file:
%System%\msxsltsso.dll (detected as Trojan.Gootkit)

It then creates the following registry entry, to activated upon windows startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\ShellServiceObjectDelayLoad\"GootkitSSO" = "{FE7D5E7C-3EAF
-47BC-89EF-CD279EA619DE}"

It registers msxsltsso.dll as a COM object by creating the following registry
entries:

* HKEY_CLASSES_ROOT\CLSID\{0FDB33AF-96F2-4AD6-A737-
956138C470C5}\InProcServer32\"(Default)" = "%System%\msxsltsso.dll"
* HKEY_CLASSES_ROOT\CLSID\{FE7D5E7C-3EAF-47BC-89EF-
CD279EA619DE}\InProcServer32\"(Default)" = "%System%\msxsltsso.dll"

It then contacts the following remote location to download a custom
Command and Control file:
[http://]78.140.15.82/boot[REMOVED]

The Trojan acts as a botnet based on the Command and Control file and may
perform some of the following actions:

* Access predetermined remote locations
* Download and execute files, some of which may be additional malware
* Gather confidential information such as: CPU information, passwords
and FTP credentials
* Injects arbitrary JavaScript code into HTML files
* List, start, stop, and remove processes and threads
* List, create, modify and delete registry subkeys
* List, create, modify and delete files
* May modify content in an FTP server, including listing, uploading, and
deleting files
* Sends mail
* Uploads files from the compromised computer, including gathered
confidential information

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

Upon the worm being executed the following files are created:
%Windir%\infocard.exe
%Windir%\mds.sys
%Windir%\mdt.sys
%Windir%\winbrd.jpg

Then the following registry entry is created to activate when windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Run\"Firewall Administrating" = "%Windir%\infocard.exe"

The worm then attempts to connect to the following URL:
[http://]browseusers.myspace.com/Browse/Brows[REMOVED]

Then it stop the following windows processes that disable the Microsoft Malware
Protection Service and Windows Update:

* MsMpSvc
* wuauserv

Then it attempts to connect to the following URL to download a conig file:
[http://]get.articleslinked.com/univ[REMOVED]

Then it connects to the following network addresses on TCP port 2345 and waits

for the IRC commands:

* e2doo.org
* sls.e2doo.net

The worm then searches Windows on the compromised computer for anything
belonging to Yahoo! Messenger.

The worm spreads by sending messages that contain links to copies of the worm

to all Yahoo! Messenger contacts.

The following messages may be sent by the worm:

* foto [http://]tusfbfotos.com/imag[REMOVED]
* foto [http://]kompnk.com/imag[REMOVED]
* foto [http://]beautyphotoson.com/imag[REMOVED]

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

When this worm is executed, it continues to create these files.

* %SystemDrive%\Driver\Files\Desktop.ini
* %SystemDrive%\Driver\Files\DT.exe

Then it will assign the following registry entry to execute on the startup of Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX5-314CCA322142}\"StubPath" = "%SystemDrive%\Driver\Files\DT.exe"

The worm will then copy the following to all removable drives.

* %DriveLetter%\Driver\Files\DT.exe
* %DriveLetter%\Driver\Files\Desktop.ini
* %DriveLetter%\autorun.inf

…and then creates a backdoor to connect to these IRC servers.

* 4.darkogard.com
* ogard4.helldark.biz
* ogard4.ircdevils.net

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at Regcure. Regcure is proven to improve the performance of your computer.

Its quite possible that this Trojan may enter your machine as a .cab
file.

Once the .cab file is opened, the Trojan creates a Windows Telephony
file called: %CurrentFolder%\1.dll

The Terred Trojan will then create the following malicious dialer
program file: %CurrentFolder%\reg.exe

It will then copy that file to the following location:
%Windir%\smart32.exe

The Trojan will then create this registry entry:
HKEY_CURRENT_USER\Alpha\"Status" = "1"

Then it will automatically attempt to call these high-cost
international phone numbers:

* 8823460777
* 17675033611
* 88213213214
* 25240221601

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at Regcure. Regcure is proven to improve the performance of your computer.

When W32.Difupat is executed, it places an executable .rar file, named:
%System%\reinstall.exe

Then, it will delete the following file from your PC.
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE

Then the virus replaces IEXPLORE.EXE with its own copy of the file.

It also places the following files on your machine.

* %ProgramFiles%\Internet Explorer\bootloader.dll
* %ProgramFiles%\Internet Explorer\detoured.dll
* %ProgramFiles%\Internet Explorer\funcition.dll
* %ProgramFiles%\Internet Explorer\funcition.ini
* %ProgramFiles%\Internet Explorer\install.exe
* %ProgramFiles%\Internet Explorer\pserver.exe
* %ProgramFiles%\Internet Explorer\pserver.ini
* %System%\Internet Explorer\bootloader.dll
* %System%\Internet Explorer\detoured.dll
* %System%\Internet Explorer\funcition.dll
* %System%\Internet Explorer\funcition.ini
* %System%\Internet Explorer\iexplore.exe
* %System%\Internet Explorer\install.exe
* %System%\Internet Explorer\pserver.exe
* %System%\Internet Explorer\pserver.ini

It will then create the following registry values in Windows Startup:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\Notify\getpass\"DllName" = "bootloader.dll"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\Notify\getpass\"Logon" = "OnEventShutDown"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Winlogon\Notify\getpass\"Shutdown" = "OnEventShutDown"

When your PC Reboots, bootloader.dll loads the following into memory:

* %System%/funcition.dll
* %System%/pserver.exe

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at Regcure. Regcure is proven to improve the performance of your computer.

When Backdoor.Dawcun is executed It creates a service by adding entries to this registry subkey so that it runs on Windows Startup.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[TROJAN

FILE NAME]

It then creates the following registry subkeys so that it restarts in safe mode:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safe
  Boot\Minimal\[TROJAN FILE NAME]
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safe
  Boot\Network\[TROJAN FILE NAME]

The Backdoor.Dawcun Trojan captures registry access to prevent modifying and deleting registry key values.

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at Regcure. Regcure is proven to improve the performance of your computer.

When the Dosvine Trojan is executed, it creates this file:
%System%\msconfig32.sys

It then creates these registry entries in Windows Startup

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\"Adobe Update Manager" = "[PATH TO ORIGINAL EXECUTABLE]"
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.
exe, [PATH TO ORIGINAL EXECUTABLE]"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Run\"Adobe Update Manager" = "[PATH TO ORIGINAL
EXECUTABLE]"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.
exe, [PATH TO ORIGINAL EXECUTABLE]"

The Dosvine Trojan then attempts to download a config file from:
[http://]www.update-adobe.com/info[REMOVED]

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

When Trojan.Mebratix is downloaded and executed on the host machine it copies the MBR to another location on your HDD. It then overwrites the original MBR with its own code.

…and then the trojan creates the following files.

• C:\Program Files\MSDN\atixi.inf
• C:\Program Files\MSDN\atixx.sys
• C:\WINDOWS\inf\oem22.inf
• C:\WINDOWS\inf\oem22.PNF
• C:\WINDOWS\inf\oem23.inf
• C:\WINDOWS\inf\oem23.PNF
• C:\WINDOWS\system32\drivers\atixi.sys
• C:\WINDOWS\system32\drivers\atixx.sys
• C:\WINDOWS\LastGood\INF\oem22.inf
• C:\WINDOWS\LastGood\INF\oem22.PNF
• C:\WINDOWS\LastGood\INF\oem23.inf
• C:\WINDOWS\LastGood\INF\oem23.PNF

Be aware that it may also create the following registry entries..

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class
  \{02EB6841-28D2-44C2-8303-584F54E6D913}
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\
  ATIXI\0000
• HKEY_LOCAL_MACHINE\SYSTEM\LastKnownGoodRecovery\
  LastGood\INF

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

When the file is executed, it may create one of these files:

* %UserProfile%\Local Settings\Temporary Internet Files\20100307.htm

* %UserProfile%\Local Settings\Temporary Internet Files\20100307[1].htm

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

Symantec’s antivirus products contain an highly sensitive detection technology designed to detect entirely new malware threats without traditional signatures. This technology is aimed at detecting malicious software that has been intentionally mutated or morphed by attackers.

If one or more files on your computer have been classified as having a Suspicious.SecTool threat, this indicates that the files have suspicious characteristics and therefore might contain a new or unknown threat. However, given the sensitive nature of this detection technology, it may occasionally identify non-malicious, legitimate software programs that also share these behavioral characteristics. Therefore, it is recommended that users manually check all files detected as Suspicious.SecTool by Symantec antivirus products for potential misidentification, and submit any suspect files to Symantec Security Response for further analysis. For instructions on how to do this, read Submit Virus Samples.

In rare cases where a legitimate file has been misidentified and subsequently quarantined, your computer may behave abnormally or you may find that one or more applications no longer function as expected. In such rare situations, you should open the Quarantine in your Symantec antivirus product. From here, you may review the list of all files detected as Suspicious.SecTool and, if you identify a potential misidentification, restore the file from quarantine and allow it to run normally.

FREE SCAN:

Please click here for manual removal instructions.

Overview:

The SymbOS.Exy.E worm creates the following files:

* C:\sys\bin\Installer_SV.exe

* C:\sys\bin\LanPackage.exe

* C:\private\101f875a\import\[20028B98].rsc

* C:\private\101f875a\startup\[20028B98].dat

* C:\private\20028B98\SisInfo.cfg

* C:\private\20028B98\Source.ini

It also create the following temporary files, which it deletes when the threat finishes installing:

* C:\system\data\Local_Para.txt

* C:\system\data\Remote_Para.txt

* C:\system\data\SisInfo.cfg

* C:\system\data\Source.ini

The worm then updates itself by downloading the following temporary file:

C:\private\20028B98\kel.sisx

..and then the following processes if they are running:

* AppMngr

* TaskSpy

* Y-Tasks

* ActiveFile

* TaskMan

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

be downloaded by other malware with the following install name:

Your PC Protector

Once executed, the Trojan creates the following files:

* C:\Documents and Settings\All Users\Desktop\Your PC Protector.lnk

* %ProgramFiles%\adc32.dll

* %ProgramFiles%\alggui.exe

* %ProgramFiles%\nuar.old

* %ProgramFiles%\schtml\dbsinit.exe

* %ProgramFiles%\schtml\images\i1.gif

* %ProgramFiles%\schtml\images\i2.gif

* %ProgramFiles%\schtml\images\i3.gif

* %ProgramFiles%\schtml\images\j1.gif

* %ProgramFiles%\schtml\images\j2.gif

* %ProgramFiles%\schtml\images\j3.gif

* %ProgramFiles%\schtml\images\jj1.gif

* %ProgramFiles%\schtml\images\jj2.gif

* %ProgramFiles%\schtml\images\jj3.gif

* %ProgramFiles%\schtml\images\l1.gif

* %ProgramFiles%\schtml\images\l2.gif

* %ProgramFiles%\schtml\images\l3.gif

* %ProgramFiles%\schtml\images\pix.gif

* %ProgramFiles%\schtml\images\t1.gif

* %ProgramFiles%\schtml\images\t2.gif

* %ProgramFiles%\schtml\images\Thumbs.db

* %ProgramFiles%\schtml\images\up1.gif

* %ProgramFiles%\schtml\images\up2.gif

* %ProgramFiles%\schtml\images\w1.gif

* %ProgramFiles%\schtml\images\w11.gif

* %ProgramFiles%\schtml\images\w2.gif

* %ProgramFiles%\schtml\images\w3.gif

* %ProgramFiles%\schtml\images\w3.jpg

* %ProgramFiles%\schtml\images\word.doc

* %ProgramFiles%\schtml\images\wt1.gif

* %ProgramFiles%\schtml\images\wt2.gif

* %ProgramFiles%\schtml\images\wt3.gif

* %ProgramFiles%\schtml\wispex.html

* %ProgramFiles%\skynet.dat

* %ProgramFiles%\some.dat

* %ProgramFiles%\svchost.exe

* %ProgramFiles%\wp3.dat

* %ProgramFiles%\wp4.dat

* %ProgramFiles%\Your PC Protector

* %ProgramFiles%\Your PC Protector\Your PC Protector.exe

* %Temp%\8fc

* %UserProfile%\Start Menu\Programs\Your PC Protector

* %UserProfile%\Start Menu\Programs\Your PC Protector\Your PC Protector.

lnk

* %Windir%\Temp\8fc

* %Windir%\Temp\a7b

It creates the following registry entries:

* HKEY_CLASSES_ROOT\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}\”(Default)” = “ADC PlugIn”

* HKEY_CLASSES_ROOT\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}\InprocServer32\”(Default)” = “%SYSTEM%\Program

Files\adc32.dll”

* HKEY_CLASSES_ROOT\CLSID\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}\InprocServer32\”ThreadingModel” = “Apartment”

* HKEY_CURRENT_USER\Software\Your PC Protector\Your PC

Protector\setdata\”scantime” = “[CURRENT TIMESTAMP]”

* HKEY_CURRENT_USER\Software\Your PC Protector\Your PC

Protector\setdata\”scantime” = “[CURRENT TIMESTAMP]”

* HKEY_CURRENT_USER\Software\Your PC Protector\Your PC

Protector\setdata\”scncnt” = “[NUMBER]”

* HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Adb

Upd\”DisplayName” = “Adobe Update Service”

* HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Adb

Upd\”ErrorControl” = “0×00000001″

* HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Adb

Upd\”ImagePath” = “%SYSTEM%\Program Files\svchost.exe”"

* HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Adb

Upd\”ObjectName” = “LocalSystem”

* HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Adb

Upd\”Start” = “0×00000002″

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adb

Upd\”Type” = “0×00000010″

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adb

Upd\Security\”Security” = “[DATA]”

It then modifies the following registry entries:

* HKEY_CLASSES_ROOT\exefile\shell\open\command\”(Default)” =

“% SYSTEM%\Program Files\alggui.exe “%1″ %*”

* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar

\”Locked” = “0×00000001″

The Trojan then prevents other applications from being executed and displays

the following false error messages:

Title: Warning!

Body: Running of application is impossible.

The file [FILE PATH AND NAME] is infected.

Please activate your antivirus program.

The Trojan may also display any of the following warning messages:

Title: Warning infection is detected

Body: Windows has found spyware infection on your computer!

Click here to update your Windows antivirus software…

Title: Security Warning

Body: Your computer continues to be infected with harmful viruses.

In order to prevent permanent loss of your information and

credit card data theft please activate your antivirus software.

Click here to enable protection.

Title: Security Warning

Body: There are critical system files on your computer that were

modified by malicious program.

It will cause unstable work of your system and permanent

data loss.

Click here to undo performed modifications and remove

malicious software (Highly recommended).

The Trojan also displays the following scan interface:

Title: Your PC Protector

Body: Scanning for viruses

It then displays the false results of the misleading scan:

Title: Warning 3 infection found

Body: Unwanted software (malware) or tracking cookies have been found

during last scan. It is highly recommended to remove it from your computer.

Title: Items Detected

Body: Your PC Protector has found infected documents or programs.

You can lose your personal data and infect other network computers.

It may also display the following fake Microsoft error messages:

Title: Windows Security Center

Body: Security Center

Help protect your PC

Title: svchost.exe

Body: svchost.exe has encountered a problem and needs to

close. We are sorry for the inconvenience.

The Trojan then displays the following requests for payment:

Title: Your PC Protector evaluation

Body: This version of Your PC Protector is for evaluation purposes only.

The removal feature is disabled. You may scan your PC to locate malware

threats.

Please purchase the full version of Your PC Protector to remove identified

threats.

Title: Bright Red Warning Symbol

Body: Are you sure? Your PC will not be protected against spyware.

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

The virus may arrive as a file with the following file name:
%CurrentFolder%\7z.exe

When the virus is executed, it infects all .exe files on the compromised computer.

It then monitors connections to the Internet, gathering sensitive information.

The virus also scans the registry, gathering user names and passwords stored within it.

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

When the Trojan is executed, it creates the following file:
%System%\kernel.exe

Next, the Trojan creates the following registry entry so that it executes
whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\"default" = "%System%\kernel.exe"

The Trojan then steals information from the compromised computer, including passwords related to the following applications:

* DynDNS
* Firefox
* FlashFXP
* Google
* IMVU
* Internet Explorer 7
* Internet Explorer 8
* MSN
* NO-IP
* Paypal
* Pidgin
* Steam
* Trillian
* Yahoo

The Trojan saves the stolen information in the following locations:

* %Temp%\keylog.dat
* %Temp%\Pass.dat

Next, it sends the stolen information to a remote location either using FTP or
in the form of an email.

The Trojan may display the following message:
Title:
Error
Message:
Run-time error ’429′

It may download a configurable file from a remote server.

The Trojan may also cause the compromised computer to crash, displaying
a Blue Screen of Death.

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

The original DLL is copied to the following file:

%System%\UxTheme.dll~[EIGHT RANDOM CHARACTERS].TMP

The purpose of this infection is to load a malicious DLL named msls51.dll.

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

When executed, the worm copies itself as the following file:
%SystemDrive%\VIDI\UNUK\DRG.exe

The worm then creates the following file:
%SystemDrive%\VIDI\UNUK\DesKTop.ini

It then creates the following registry entry so that it runs every time Windows starts:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67KLN5J0-4OPM-01WE-AAX2-5657QCA554112}\"StubPath" = "%SystemDrive%\VIDI\UNUK\DRG.exe"

The worm attempts to download files from the following network addresses:

* acc008.homeip.net
* acc7hr33.webhop.biz
* ogard6.ircdevils.net

Note: The downloaded files may be updates to the worm.

The worm spreads by copying itself to all removable drives as the following file: %DriveLetter%\VIDI\UNUK\DRG.exe

It also creates the following file: %DriveLetter%\VIDI\UNUK\DesKTop.ini

The worm creates the following file so that it runs when the above drives are accessed: %DriveLetter%\aUtOrUn.inf

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

It has been reported that this threat is installed as the following file:
%SystemDrive%\mmsvc.cpl

When the Trojan is executed, it creates one of following services:

* NVMonSystem
* NPKClient
* ALGEvent

It then modifies the following registry entries:

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"MaxHashTableSize" = "800"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"MaxUserPort" = "FFFE"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"TcpMaxConnectResponseRetransmissions" = "2"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"TcpTimedWaitDelay" = "1E"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"TCPFinWait2Delay" = "1E"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"TcpMaxPortsExhausted" = "5"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"TcpMaxHalfOpen" = "500"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"TcpMaxHalfOpenRetried" = "400"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"TcpMaxDataRetransmissions" = "A"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"KeepAliveTime" = "493E0"
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
Parameters\"KeepAliveInterval" = "3E8"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Internet Settings\"MaxConnectionsPer1_0Server" = "2"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Internet Settings\"MaxConnectionsPerServer" = "2"
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Internet Settings\"MaxConnectionsPer1_0Server" = "2"
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Internet Settings\"MaxConnectionsPerServer" = "2"

It then attempts to open a back door by connecting to one of following locations,

allowing a remote attacker access to the compromised computer:

* [RANDOM CHARACTERS].55cn90001.selfip.com
* [RANDOM CHARACTERS].59cn80801.selfip.com
* [RANDOM CHARACTERS].59cn81811.selfip.com
* [RANDOM CHARACTERS].b59e40004.selfip.com
* [RANDOM CHARACTERS].59cn80001.selfip.com
* [RANDOM CHARACTERS].55cn90002.selfip.net
* [RANDOM CHARACTERS].59cn80802.selfip.net
* [RANDOM CHARACTERS].59cn81812.selfip.net
* [RANDOM CHARACTERS].b59e40005.selfip.net
* [RANDOM CHARACTERS].59cn80002.selfip.net
* [RANDOM CHARACTERS].59cn80803.homeip.net
* [RANDOM CHARACTERS].b59e40001.homeip.net
* [RANDOM CHARACTERS].59cn80003.homeip.net
* [RANDOM CHARACTERS].59cn81813.homeip.net
* [RANDOM CHARACTERS].b59e40002.homeftp.org
* [RANDOM CHARACTERS].b59e40003.homeftp.net
* [RANDOM CHARACTERS].59cn80804.gotdns.com
* [RANDOM CHARACTERS].59cn81814.gotdns.com
* [RANDOM CHARACTERS].59cn80004.gotdns.com
* [RANDOM CHARACTERS].59cn80805.blogdns.com
* [RANDOM CHARACTERS].59cn80005.blogdns.com
* [RANDOM CHARACTERS].59cn81815.blogdns.com
* 58.221.33.164
* 58.221.33.171

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

When the Trojan is executed, it drops the following file:

%Temp%\wuweb.exe

Next, the Trojan creates the following registry entry so that the dropped file

executes whenever Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\Run\”wuweb” = “%Temp%\wuweb.exe”

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

When the Trojan is executed, it creates the following file:
%Temp%\1.tmp

The worm modifies the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\"
AccessVBOM" = "1"

It then opens Microsoft Word, if it is installed, and runs a VBA script that

loads %Temp%\1.tmp and executes it.

The Trojan then opens an instance of svchost.exe and injects itself into the
service.

It then copies itself as the following DLL file:
%System%\[RANDOMLY NAMED FILE]

Note: [RANDOMLY NAMED FILE] is a variable for the file name. It is
made up of a random four-letter file name and a random three-letter file
extension.

The Trojan creates the following subkey:
HKEY_CLASSES_ROOT\idid

The Trojan then deletes the original executable.

The Trojan modifies the following registry entry, so that it starts when Windows
starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = " Explorer.exe rundll32.exe %System%\[RANDOMLY NAMED FILE] [5 OR 6 RANDOM CHARA
CTERS]"

It then connects to the following IP address using HTTP on TCP port 80:
193.104.27.91

The Trojan may then download and execute additional files.

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

When the Trojan is executed, it drops the following configuration file, which is a

password-protected ZIP archive:

%SystemDrive%\cleansweep.exe\config.bin

It also drops the following file, which contains a hard-coded password to decrypt

the above configuration file:

%SystemDrive%\cleansweep.exe\cleansweep.exe

Next, the Trojan creates the following registry entry so that it executes whenever

Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

“cleansweep.exe” = “%SystemDrive%\cleansweep.exe\cleansweep.exe”

The Trojan then injects code into any currently running system processes so that

it can then perform the following functions:

* Capture network traffic

* Send and receive network packets in order to bypass application firewalls

It also provides certain rootkit capabilities, for example it can:

* Hide its own process on injected processes

* Hide and prevent access to its own binary code

* Hide and prevent access to its startup registry entry

The Trojan then steals information from the following Internet browsers:

* Firefox

* Internet Explorer

* Maxthon

It sends the stolen information back to a control server, which is specified in the

configuration file.

A remote attacker may also perform the following actions from the control server:

* Download and execute files

* Log and report keystrokes

* Perform certain hidden tasks on the Trojan

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

When the worm is executed, it copies itself to the following locations:

* %System%\system3_.exe
* %Windir%\system3_.exe

It also creates the following file:
%System%\autorun.ini

Next it modifies the following registry entry so that it runs when Windows
starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe system3_.exe"

It then changes the home and search page for Internet Explorer by setting

the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Page_URL" = "http://www.mydreamworld.50
webs.com"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://www.mydreamworld.50
webs.com"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
\Main\"Search Page" = "http://www.mydreamworld.50webs.com"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
\Main\"Start Page" = "http://www.mydreamworld.50webs.com"
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
\"Start Page" = "http://www.mydreamworld.50webs.com"

It also sets the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Schedule\"AtTaskMaxHours" = 0

It may also modify the Mozilla Firefox pref.js file to change the homepage
of the Firefox browser.

The worm then downloads a configuration file using the following URLs:

* h1.ripway.com/asdb0[NUMBER BETWEEN 00 AND 50]/setting.ini
* www.balu0[NUMBER BETWEEN 00 AND 24].0catch.com/setting/
setting.ini

The configuration file may contain instructions to download an update of
the worm.

If Yahoo! Messenger is not installed on the compromised computer, the
worm will attempt to download and install it from the following location:
rd.software.yahoo.com/msgr/9/msgr9us.exe

The worm will end processes with the following names:

* game_y.exe
* cmd.exe

It also attempts to close application windows that have the following strings
in their title:

* Bkav2006
* System Configuration
* Registry
* Windows Task

If the worm detects an application window with a title that contains the string "
[Firelion]", it will delete the following registry subkey and restart the computer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Run\"IEProtection"

The worm attempts to spread by copying itself to all local and shared drive
as the following file:
%DriveLetter%\New Folder.exe

It will also send the following messages to contacts found in the address books
of Yahoo! Messenger and Google Talk:

* happy valentine day screen saver from http: //advgoogle.0catch.com/love.
scr and get new tips and tricks from URL
* happy valentine day screen saver and beautiful screen saver from lovers http: //advgoogle.0catch.com/love.scr and URL
* golden lovers rose screen saver from http: //advgoogle.0catch.com/love.scr
and see more from URL
* rose is always red ,see in http: //advgoogle.0catch.com/love.scr screen saver
from URL
* happy valentine day screen saver from http: //advgoogle.0catch.com/love.scr
and get new tips and tricks from URL
* I LOVE YOUUUUUUUUUUUUU from screensaver http: //advgoogle.0catch.
com/love.scr see more in URL
* happy valentine day screen saver from http: //advgoogle.0catch.com/love.scr
and get new tips and tricks from URL
* happy valentine day screen saver from http: //advgoogle.0catch.com/love.scr
and get new tips and tricks for lovers URL
* happy valentine day screen saver from http: //advgoogle.0catch.com/love.scr
and view secrets from private cam BIN
* asl please & @CRLF & I am 23 Female, Delhi (India) and you?

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

%CurrentFolder%\Surprise.exe

When the Trojan is executed, it creates the following mutex so that only

one instance of the Trojan exists on the computer:

{CC51461B-E32A-4883-8E97-E0706DC65415}

It then creates a copy of itself in the following location:

%Windir%\system32\spool\prtprocs\[RANDOM NAME ONE].tmp

Next, the Trojan creates the following file:

%Temp%\[RANDOM NAME TWO].tmp

It then registers itself as a service by creating the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[

RANDOM NAME THREE]

The Trojan then deletes the above registry subkey as well as the following

files:

* %CurrentFolder%\Surprise.exe

* %Windir%\system32\spool\prtprocs\[RANDOM NAME ONE].tmp

* %Temp%\[RANDOM NAME TWO].tmp

Note: The Trojan then enters a dormant state and will be removed from

the computer if the computer is restarted at this time.

The Trojan resumes executing if either of the following processes are

executed:

* spoolsv.exe

* svchost.exe

It also tests the name of any new processes that are started and executes

if the process name contains any of the following strings:

* avant

* browser

* chrome

* explore

* firefox

* netscape

* opera

* safari

The Trojan then monitors Internet access to the following sites:

* abmr.net

* adbureau.net

* adrevolver.com

* aol.com

* aolcdn.com

* ask.com

* atdmt.com

* bing.com

* blinkx.com

* doubleclick.net

* everesttech.net

* fimserve.com

* google

* google-analytics.com

* img.youtube.com

* live.com

* msn.com

* othersonline.com

* powerset.com

* search.aol.com

* search.yahoo.com

* tribalfusion.com

* upload.wikimedia.org

* www.ask.com

* www.bing.com

* www.google.

* yahoo.com

* yieldmanager.com

* yimg.com

It may then download and execute a file from one of the following locations.

It may also send information to the following locations:

* https://d45648675.cn

* https://d92378523.cn

* https://91.212.226.62

* http://b11335599.cn

* http://b00882244.cn

* http://m3131313.cn

* http://mfdclk001.org

* https://a57990057.cn

* https://a58990058.cn

* https://212.117.174.178

* http://c36996639.cn

* http://c58446658.cn

* http://m2121212.cn

FREE SCAN:

Please click here for manual removal instructions.

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

* %SystemDrive%\RESTORE\[SID]\Desktop.ini

* %SystemDrive%\RESTORE\[SID]\ise32.exe

Next, the worm creates the following registry entry so that it executes whenever Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C967120}\”StubPath” = “%SystemDrive%\RESTORE\[SID]\ise32.exe”

The worm then copies itself to all removable drives as the following files:

* %DriveLetter%\RESTORE\[SID]\Desktop.ini

* %DriveLetter%\RESTORE\[SID]\ise32.exe

It also creates the following file so that it runs when the above drives are accessed:

%DriveLetter%\autorun.inf

The worm also opens a back door on the compromised computer by connecting to the following IRC server on TCP port 9890:

travo892.dyndns.org

FREE SCAN:

Please click here for manual removal instructions.

In order to Remove W32.Arbormen you need to Download the ‘No Adware’ remover software. Based on our testing this was the best peforming remover of W32.Arbormen. Read our full No Adware Review

If your PC is also running slowly, you may be interested to look at our Regcure Review. Regcure is proven to improve the performance of your computer.

When the virus executes, it attempts to inject code into processes with the name "explorer" and processes with the window name "TibiaClient"

It then searches for .exe and .scr files to infect them.

The virus avoids infecting files under the following paths:

* %Windir%
* %UserProfile%\Application Data
* %UserProfile%\Movie Maker
* %UserProfile%\Local Settings\Application Data
* %ProgramFiles%\Internet Explorer
* %ProgramFiles%\Outlook Express
* %ProgramFiles%\MSN Gaming Zone
* %ProgramFiles%\NetMeeting
* %ProgramFiles%\Windows Media Player
* %ProgramFiles%\Windows NT
* %ProgramFiles%\Windows Update
* %ProgramFiles%\Common Files

The virus then attempts to download files from and send information about the compromised computer to the following location:
m-net.arbornet.org/~hglwfk/?a=***

FREE SCAN:

Please click here for manual removal instructions.

Once executed, the worm drops the following files:

* %ProgramFiles%\Dump\Dump.exe
* %System%\drivers\Mseu.sys
* %System%\drivers\Mstart.sys
* %System%\ainf.inf
* %System%\mseus.exe
* %System%\tokset.dll

It drops the following nonmalicious files into C:\IQTEST and then opens an
Explorer window and displays the C:\IQTEST folder contents:

* C:\IQTEST\Iqtest.exe (clean version of the IQ test)
* C:\IQTEST\Readme.txt

The program c:\iqtest\Iqtest.exe is a clean program that looks like this:

The worm then deletes itself.

After a predetermined number of days the worm copies itself as zipsetup.exe to
the following drives and to the first 9 physical drives:

* C:
* D:
* E:
* F:
* G:
* H:
* I:
* J:

The worm creates the following registry entry, so that it runs every time Windows
starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Run\"Dump" = "%ProgramFiles%\Dump\Dump.exe"

It creates new services with the following characteristics:
Service Name: Mseu
Display Name: Mseu
Startup Type: Automatic
Image Path: System32\Mseus.exe

Service Name: Mstart
Display Name: Mstart
Startup Type: Automatic
Image Path: \??\C:\WINDOWS\system32\Drivers\MSTART.SYS

Service Name: UnzipService
Display Name: UnzipService
Startup Type: Automatic

Service Name: Self Extract Service
Display Name: Self Extract Service
Startup Type: Automatic

The worm creates the services by adding entries to the following registry subkeys:

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
MSTART
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
UnzipService

It spreads through removable drives as the file zipsetup.exe and it is also
shared online as the following program:
IqTest.exe

It also copies the following file so that it runs when the removable devices
are accessed:
%DriveLetter%\autorun.inf

After a predetermined amount of time the threat will attempt to delete the
following files:

* C:\System Volume Information
* D:\System Volume Information
* E:\System Volume Information
* F:\System Volume Information
* G:\System Volume Information
* H:\System Volume Information
* I:\System Volume Information
* J:\System Volume Information
* C:\Documents and Settings\Administrator\My Documents
* D:\Documents and Settings\Administrator\My Documents
* E:\Documents and Settings\Administrator\My Documents
* F:\Documents and Settings\Administrator\My Documents
* G:\Documents and Settings\Administrator\My Documents
* H:\Documents and Settings\Administrator\My Documents
* I:\Documents and Settings\Administrator\My Documents
* J:\Documents and Settings\Administrator\My Documents
* C:\Users\Administrator
* D:\Users\Administrator
* E:\Users\Administrator
* F:\Users\Administrator
* G:\Users\Administrator
* H:\Users\Administrator
* I:\Users\Administrator
* J:\Users\Administrator
* C:\Documents and Settings
* D:\Documents and Settings
* E:\Documents and Settings
* F:\Documents and Settings
* G:\Documents and Settings
* H:\Documents and Settings
* I:\Documents and Settings
* J:\Documents and Settings
* C:\Users
* D:\Users
* E:\Users
* F:\Users
* G:\Users
* H:\Users
* I:\Users
* J:\Users
* C:\BOOT.INI
* C:\BOOT.INI
* C:\NTDETECT.COM
* C:\NTDETECT.COM
* C:\NTLDR
* C:\NTLDR
* C:\HYBERFILE.SYS
* C:\HYBERFILE.SYS
* C:\BOOTMGR
* C:\BOOTMGR
* C:\BOOTMGR.BAK
* C:\BOOTMGR.BAK
* C:\BOOTSECT
* C:\BOOTSECT
* C:\BOOTSECT.BAK
* C:\BOOTSECT.BAK

The threat also deletes all system restore points by deleting the following
folders:

* C:\System Volume Information
* D:\System Volume Information
* E:\System Volume Information
* F:\System Volume Information
* G:\System Volume Information
* H:\System Volume Information
* I:\System Volume Information
* J:\System Volume Information

It will also attempt to overwrite the beginning of the disk in order to overwrite

the master boot record (MBR), thereby not allowing the compromised
computer to be restarted.

When restarted, the system may display the message "Operating System not
found".

FREE SCAN:

Please click here for manual removal instructions.

When executed, the virus copies itself as the following file:
%Temp%\gb+[RANDOM NUMBER]\syshost.exe

It also creates the following files:

* %Temp%\gb+[RANDOM NUMBER]\tmpgb.exe
* %Temp%\gb+[RANDOM NUMBER]\goodby.dat
* %Windir%\directx9d.ini

Next, the virus searches for .exe files in order to infect them but excludes any paths that contain the following words:

* nrestore
* Symantec
* windows

It also excludes any folders with the following names:

* Documents and Settings
* Recycler
* System Volume Information

It also excludes the following folders:

* %ProgramFiles%
* %Windir%

The virus then adds random data to the beginning of files with the following file extensions, which may render them unusable:

* .cdr
* .cdx
* .db
* .doc
* .dwg
* .gdb
* .md
* .ppt
* .ps
* .tab
* .vs
* .wor
* .xls

FREE SCAN:

Please click here for manual removal instructions.

%System%\n.vbe

The worm creates the following registry entry, so that it starts when Windows

starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\Run\”dpzProtect” = “%System%\n.vbe”

It them modifies the following registry entry, so that it starts when Windows

starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current

Version\Winlogon\”Userinit” = “%System%\userinit.exe,%System%\wscript.

exe %System%\n.vbe”

The worm also modifies the following registry entries:

* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\”

Window Title” = “Protected by DespoterZ”

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Policies\Explorer\”NoSMHelp” = “0″

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Policies\Explorer\”NoStartMenuMFUprogramsList” = “0″

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Policies\Explorer\”NoSMMyDocs” = “0″

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Policies\Explorer\”NoRecentDocsMenu” = “0″

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Policies\Explorer\”NoSMMyPictures” = “0″

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Policies\Explorer\”NoStartMenuMyMusic” = “0″

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Policies\Explorer\”NoFolderOptions” = “0″

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Policies\System\”DisableTaskMgr” = “0″

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Policies\System\”DisableRegistryTools” = “0″

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current

Version\”RegisteredOwner” = “Microsoft”

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current

Version\”RegisteredOrganization” = “.”

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current

Version\Winlogon\”LegalNoticeCaption” = “”

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current

Version\Winlogon\”LegalNoticeText” = “”

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\Explorer\Advanced\Folder\Hidden\SHOWALL\”CheckedValue” = “0″

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\Explorer\Advanced\Folder\SuperHidden\”UncheckedValue” = “0″

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current

Version\Winlogon\”Shell” = “explorer.exe”

The worm deletes the following files:

* %System%\VirusRemoval.vbs

* %System%\neo.vbe

* %System%\amvo.exe

* %System%\avpo.exe

* %System%\winlogons.exe

* %System%\ssvichosst.exe

* %System%\tmp.exe

* %System%\scvhost.exe

* %System%\explorer.exe

* %System%\service.exe

* %System%\soundmix.exe

* %System%\regsvr.exe

* %DriveLetter%\ravmon.exe

* %DriveLetter%\sxs.exe

* %DriveLetter%\winfile.exe

* %DriveLetter%\run.wsh

The worm then deletes all files with file names that start with “autorun” in the

root folder of all removable drives, all .inf and .scr files in the root folder of all

fixed drives, and all .vbe files in the root and %Windir% folder of all drives

except drive A.

It then copies the following files to all available removable drives except A:

* %DriveLetter%\n.vbe

* %DriveLetter%\autorun.inf

FREE SCAN:

Please click here for manual removal instructions.

%ProgramFiles%\MNetwork

It then creates the following mutex so only one instance of the worm is running:

Ghiyhjmnklowqq

The worm spreads by encrypting and then appending itself to files with the following extensions:

* DLL

* EXE

* HTM

When an infected file, detected as W32.Ramnit!inf, is executed, it drops a copy of the worm executable file with the following file name and executes it:

%CurrentFolder%\[INFECTED FILE NAME]Srv.exe

The worm also spreads by copying itself to the recycle bin on the removable drive and creates the following file so that it executes whenever the drive is accessed:

%DriveLetter%\autorun.ini

The worm attempts to connect to the following remote location:

rmnzerobased.com

It attempts to download a .dll file and register it.

Note: At the time of writing, the file was unavailable.

FREE SCAN:

Please click here for manual removal instructions.

* %SystemDrive%\RECYCLER\[SID]\nissan.exe

* %SystemDrive%\RECYCLER\[SID]\Desktop.ini

* %DriveLetter%\RECYCLER\[SID]\csrxx.exe (W32.IRCBot)

* %DriveLetter%\SLATKO\torta.exe

* %DriveLetter%\SLATKO\Desktop.ini

* %DriveLetter%\autorun.inf

It then creates the following registry entry, so that it starts when Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Taskman” = “C:\RECYCLER\[SID]\nissan.exe”

The worm then opens a back door and connects to the following domains on UDP port 25000:

* sandra.prichaonica.com

* pica.banjalucke-ljepotice.ru

* l33t.brand-clothes.net

The worm also copies itself to the shared folder of the following file-sharing programs:

* Ares

* BearShare

* iMesh

* Shareaza

* Kazaa

* DC++

* eMule

* LimeWire

It then monitors browsing activities, logging passwords stored in the browsers.

The worm will send messages through Microsoft instant messaging programs, such as MSN Messenger and Windows Live Messenger, that include a link to download the worm.

FREE SCAN:

Please click here for manual removal instructions.

%Windir%\explorer.exe

It then attempts to download files from the following URLs:

* [http://]irannew.narod.ru/pe[REMOVED]

* [http://]iraqnew.hotbox.ru/pe[REMOVED]

* [http://]irannew.narod.ru/pl[REMOVED]

* [http://]iraqnew.hotbox.ru/pl[REMOVED]

The virus then searches the compromised computer for other .exe files, which it then infects.

FREE SCAN:

Please click here for manual removal instructions.

January 13, 2010 3:23:21 PM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When an infected executable is started, it copies the original executable to the following location and executes it:
%CurrentFolder%\_[VIRUS FILE NAME].exe

Next, the virus scans the hard drive and infects any executable that it finds.

It then connects to a MySQL database hosted at the following location:
remote-mysql3.servage.net

The virus then updates this database in order to record the infection of the compromised computer.

FREE SCAN:

Please click here for manual removal instructions.

January 12, 2010 12:27:03 PM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Note: This worm is generated by the Spy-Net RAT toolkit, and as a result the
files and registry entries can be determined by the attacker. The files, registry
entries, processes, and mutexes listed below are default values presented by
the toolkit.

When the worm is executed, it creates the following files:

* %Temp%\UuU.uUu
* %Temp%\XX–XX–XX.txt
* %Temp%\XxX.xXx
* C:\Dir\install\server.exe

It then creates the following registry entry, so that it starts when Windows
starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\Explorer\Run\"Policies" = "c:\dir\install\server.exe"

The worm then opens a back door using a predetermined port and IP address,
allowing an attacker to perform the following actions on the compromised
computer:

* Read, write, and execute files
* Steal stored passwords
* Issue commands
* Activate and view a webcam, if present
* Log keystrokes
* Create a HTTP proxy to route traffic through the compromised computer

The worm may also create a rootkit that hides any registry entries or files
that begin with the "SPY_NET_RAT" string.

The threat may also inject itself into the iexplorer.exe process, or another
predetermined process, so that it starts when the process starts.

It also creates a mutex named ***MUTEX*** (or another value determined
by the attacker) to prevent multiple instances of the threat from running.

The worm spreads by copying itself to removable drives and the share folders
of file-sharing programs, such as Limewire and Bearshare.

FREE SCAN:

Please click here for manual removal instructions.

another threat.

When executed, the threat creates one of the following files:

%Temp%\c_1758.nls

%Temp%\[RANDOM FILE NAME]

It then creates a service with the following characteristic:

Service name: RaS[FOUR RANDOM CHARACTERS]

The Trojan creates the following registry subkey in order to register the

above service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

RaS[FOUR RANDOM CHARACTERS]

Next, the Trojan modifies the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\”netsvcs” = “36 00 74 00 6F 00 34 00 00

The Trojan then opens a back door and allow a remote attacker to perform

the following actions on the compromised computer:

* Adjust token privileges.

* Check status, control, and end processes and services

* Download a remote file, save it as %Temp%\mdm.exe, and then execute it.

* Create, modify, and delete registry subkeys.

* Retrieve a list of logical drives.

* Read, write, execute, copy, change attributes, and delete files.

* Reboot and shut down the computer.

* Uninstall itself by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ra

S[FOUR RANDOM CHARACTERS] subkey.

* clear all system event logs.

* Check if %System%\acelpvc.dll is present. If so, load it and call its Entry

Main() export.

* Check if %System%\VedioDriver.dll is present.

* Open, read, and delete the %System%\drivers\etc\networks.ics file.

* Retrieve the CPU speed by checking the HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\

CentralProcessor\0\”~MHz” registry value.

It then connects to one of the following domains using port 443 and

sends any information gathered:

* yahooo.8866.org

* sl1.homelinux.org

* 360.homeunix.com

The Trojan then redirects the computer to the following domain:

* li107-40.members.linode.com

* ftp2.homeunix.com

* update.ourhobby.com

The Trojan also stores configuration information in the following registry entries:

* HKEY_LOCAL_MACHINE\Software\Sun\1.1.2\”IsoTp”

* HKEY_LOCAL_MACHINE\Software\Sun\1.1.2\”AppleTlk”

FREE SCAN:

Please click here for manual removal instructions.

* %System%\sdra64.exe

* %System%\oembios.exe

* %System%\ntos.exe

It may also create the following files:

* %System%\wsnpoem\audio.dll

* %System%\wsnpoem\video.dll

* %System%\sysproc64\sysproc86.sys

* %System%\sysproc64\sysproc32.sys

It also drops the following encrypted configuration file:

%System%\lowsec\local.ds

The configuration file specifies to the Trojan where it can download further

instructions and updates.

It may then create one of the following registry entries so that it executes

when Windows starts:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

\Run\”userinit” = “%System%\sdra64.exe”

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

\Run\”userinit” = “%System%\oembios.exe”

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

\Run\”userinit” = “%System%\ntos.exe”

The Trojan may also make modifications to the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Userinit” = “%System%\userinit.exe, %System%\sdra64.exe”

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Userinit” = “%System%\userinit.exe, %System%\oembios.exe”

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”Userinit” = “%System%\userinit.exe, %

System%\ntos.exe

It then attempts to gather the following information from the compromised

computer:

* Operating system version

* Presence of Windows XP Service Pack 2

* Language of the operating system

* Saved passwords in PStore

It attempts to create malicious threads in all running processes except

for CSRSS.EXE. It does this by hooking the following system functions

of NTDLL.DLL:

* NtCreateThread

* LdrLoadDll

* LdrGetProcedureAddress

It also deletes cookies in the Internet Explorer URL cache so that users

will have to re-enter passwords when visiting banking Web sites.

It attempts to hook the functions from various DLLs to take control

of network functionality and to steal sensitive information:

From WININET.DLL

* HttpSendRequestW

* HttpSendRequestA

* HttpSendRequestExW

* HttpSendRequestExA

* InternetReadFile

* InternetReadFileExW

* InternetReadFileExA

* InternetQueryDataAvailable

* InternetCloseHandle

From WS2_32.DLL and WSOCK32.DLL

* send

* sendto

* closesocket

* WSASend

* WSASendTo

From USER32.DLL

* GetMessageW

* GetMessageA

* PeekMessageW

* PeekMessageA

* GetClipboardData

After hooking the DLLs, it filters the network traffic for specific

keywords related to banking, social networking and Web email sites.

The keywords are specified in the encrypted configuration file.

The stolen information is then stored in the following file:

%System%\lowsec\user.ds.

It transmits the stolen data to URLs specified in the configuration file.

FREE SCAN:

Please click here for manual removal instructions.

January 8, 2010 4:50:06 PM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the Trojan is executed, it creates the following mutex so that only one copy of the threat is running on the computer at any time:
0430BC64-6833-4845-A192-D9ADFCFDFC43

Next the Trojan copies itself to the following location:
%Temp%\H8SRT[RANDOM HEXADECIMAL DIGITS FILE NAME ONE].tmp

It then drops the following file:
%Temp%\H8SRT[RANDOM HEXADECIMAL DIGITS FILE NAME TWO].tmp

It also modifies %System%\msvcrt.dll and saves it to the following location:
%Temp%\H8SRT[RANDOM HEXADECIMAL DIGITS FILE NAME THREE].tmp

The Trojan then creates the following files:

* %Windir%\system32\H8SRT[TEN RANDOM CHARACTERS].dll (Trojan.Vundo)
* %Windir%\system32\H8SRT[TEN RANDOM CHARACTERS].dat
* %Windir%\system32\drivers\H8SRT[TEN RANDOM CHARACTERS].sys

Next, the Trojan registers itself as a service by creating the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\H8SRTd.sys

It also creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT

It then modifies the following registry entries:

* HKEY_CURRENT_USER\Software\Mozilla\"affid" = ""
* HKEY_CURRENT_USER\Software\Mozilla\"subid" = "nk[TWO DIGITS]"

Next it injects malicious code into the svchost.exe process.

The injected code attempts to contact a controlling server using the following URLs:

* [http://]searchyields.org/css/crcmds/ma[REMOVED]
* [http://]searchphoto.org/css/crcmds/ma[REMOVED]
* [http://]readersfind.org/css/crcmds/ma[REMOVED]
* [http://]gotunderway.cn/css/crcmds/ma[REMOVED]
* [http://]eventuallygot.cn/css/crcmds/ma[REMOVED]

The Trojan contains back door functionality that allows it to download additional components based on instructions received from the above servers.

Next, the Trojan may download and execute the following file:
[http://]ruledout.cn/setup/setu[REMOVED]

The Trojan hooks the following kernel APIs:

* IofCallDriver
* IofCompleteRequest
* ZwEnumerateKey
* ZwFlushInstructionCache

It also has rootkit functionality in order to hide files, directories, and registry subkeys with names starting with the following characters:
H8SRT

The Trojan checks the current geographic location and does not execute some of its functionality if it is in any of the following locations:

* Azerbaijan
* Belarus
* Czech Republic
* Kazakhstan
* Kyrgyzstan
* Poland
* Russia
* Ukraine
* Uzbekistan

FREE SCAN:

Please click here for manual removal instructions.

January 6, 2010 2:28:45 PM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the Trojan is executed, it creates the following files:

* %System%\windex.exe
* %System%\winup.exe

It then creates the following registry entry, so that it starts when Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\policies\Explorer\Run\"CommonService" = "%System%\winup.exe"

The threat creates the following mutexes:

* RMTAA
* MAIN

It then opens a back door and connects to the following URL, allowing a

remote attacker to perform unauthorized actions on the compromised
computer: [http://]www1.vmnat.com

The threat may connect to one of the following URLs to send information
to

the remote attacker:

* [http://]www1.vmnat.com/httpdocs/mm/[LOCAL HOST NAME]:[
LOCAL MAC ADDRESS]/Cmw[REMOVED]
* [http://]www1.vmnat.com/httpdocs/mm/[LOCAL HOST NAME]:[
LOCAL MAC ADDRESS]/Dfw[REMOVED]
* [http://]www1.vmnat.com/httpdocs/mm/[LOCAL HOST NAME]:[
LOCAL MAC ADDRESS]/Ufw[REMOVED]
* [http://]www1.vmnat.com/httpdocs/mm/[LOCAL HOST NAME]:[
LOCAL MAC ADDRESS]/Ccmw[REMOVED]
* [http://]www1.vmnat.com/httpdocs/mm/[LOCAL HOST NAME]:
[LOCAL MAC ADDRESS]/Trb[REMOVED]
* [http://]www1.vmnat.com/cgi-bin/Clnpp[REMOVED]
* [http://]www1.vmnat.com/cgi-bin/Rwpq[REMOVED]
* [http://]www1.vmnat.com/cgi-bin/Owpq[REMOVED]
* [http://]www1.vmnat.com/cgi-bin/Dwpq[REMOVED]
* [http://]www1.vmnat.com/cgi-bin/Trpq[REMOVED]

FREE SCAN:

Please click here for manual removal instructions.

January 5, 2010 6:52:53 PM

Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

This program must be manually installed.

When the program is executed, it creates the following folders:

* %ProgramFiles%\Zwunzi
* C:\Documents and Settings\All Users\Application Data\Zwunzi

It drops the following files:

* %ProgramFiles%\Zwunzi\uninstall.exe

* %ProgramFiles%\Zwunzi\zwunzi.dll
* %ProgramFiles%\Zwunzi\zwunzi.exe
* C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi128
.exe

Then, the program creates the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\Uninstall\Zwunzi\"DisplayName" = "Zwunzi 1.0 build 128"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Uninstall\Zwunzi\"UninstallString" = "%ProgramFiles%\Zwunzi\uninstall.

exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Cid" = "466705c153
4b4aee8c896579946b055f"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"DllPath = "%Progra

mFiles%\Zwunzi\zwunzi.dll"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Initial" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Partner" = "ZWUN

ZI128"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Primary" = "f403"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"ShowBarSign" = "
0"

* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"ShowToolbarButto
n" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Src" = "zwunzi"

* HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Version" = "1001
c"

The program creates a new service with the following characteristics:
Service Name: Zwunzi Service
Display Name: Zwunzi Service

Startup Type: Automatic

It registers the service by creating the following registry subkeys:

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root
\LEGACY_ZWUNZI_SERVICE
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\
LEGACY_ZWUNZI_SERVICE\0000

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\L
EGACY_ZWUNZI_SERVICE\0000\Control
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Z
wunzi Service
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Zw
unzi Service\Enum

* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Z
wunzi Service\Security
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Ro
ot\LEGACY_ZWUNZI_SERVICE
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Ro
ot\LEGACY_ZWUNZI_SERVICE\0000

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Roo
t\LEGACY_ZWUNZI_SERVICE\0000\Control
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
\Zwunzi Service
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Zwunzi Service\Enum

* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Zwunzi Service\Security

The program is installed as a Browser Search Plugin for Internet Explorer
and Mozilla Firefox and redirects user searches to the following location:
zwunzi.com

FREE SCAN:

Please click here for manual removal instructions.

%Temp%\NOO[RANDOM CHARACTERS]

Next, it copies %System%\ctfmon.exe to the following location:

%System%\ctfmon.dll

The worm then infects all .scr and .exe files on the compromised computer.

It also randomly deletes files with the extensions, depending on how long the computer has been turned on:

• .avi
• .xls
• .jpg
• .doc

The worm modifies the following files in order to disable Windows File Protection:

• %System%\SFC_OS.dll
• %System%\dllcache\SFC_OS.dll

It also disables Windows File Protection by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\”SFCDisable” = “1″

The worm spreads through the eMule file-sharing network.

FREE SCAN:

Please click here for manual removal instructions.

December 17, 2009 5:25:39 PM

Windows 98, Windows 95, Windows XP, Solaris, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Linux, Windows 2000

The Trojan may be found in the configuration path for Mozilla Firefox.

It may also create the following file:
%CurrentFolder%\_cfg.js

The Trojan then monitors queries to popular search engines and modifies the returned results with data obtained from an external domain.

FREE SCAN:

Please click here for manual removal instructions.

November 28, 2009 1:10:06 PM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

The malicious file typically arrives as an installation file for certain computer games.

When the Trojan is executed, it threat takes a screenshot of desktop and saves it as the following:
%Systemdrive%\[RANDOM LETTERS]\[RANDOM LETTERS].bmp

Then the Trojan converts the saved .bmp file to a JPEG file and saves it as the following:
%SystemDrive%\[RANDOM LETTERS]\[RANDOM LETTERS].jpg

Next it sends the screenshot to the following FTP site:
[ftp://]ftp96.heteml.jp/web/img/us[REMOVED]

It connects to the following URLs to obtain global IP address and the host name of the infected machine:

* [http://]cplayer.dreamhosters.com/getho[REMOVED]
* [http://]checkip.dyndns.org[REMOVED]

Then, it displays a form and requests the user to fill it with the following information:

* first name
* family name
* email address
* password
* first name in game
* family name in game
* gender
* birth date
* company name
* telephone number
* zip code
* address

It also steals the following information from the compromised machine:

* computer name
* domain name
* OS type
* time
* clipboard

Then the Trojan sends the stolen information to the following URL:
[http://]p3p.jp/en[REMOVED]/

When the Trojan exits, it displays the following URL with the gathered information using default browser:
[http://]p3p.jp/entry/user/[RANDOM [REMOVED]

FREE SCAN:

Please click here for manual removal instructions.

November 27, 2009 10:10:59 AM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

W32.Sipem!inf is a detection for files that are infected by W32.Sipem.

When the infected file executes, it drops a .sys file in the %Temp% folder and loads it as a service.

Next, it hooks the following processes in order to reinfect the file whenever the computer restarts:

* ExitProcess
* ExitWindowsEx

It also hooks the CreateFileW process in order to drop and execute a .dll file in the following folder:
%Temp%

FREE SCAN:

Please click here for manual removal instructions.

November 20, 2009 7:54:48 PM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

* %System%\[RANDOM FILE NAME].exe

* %Temp%\[RANDOM FILE NAME].exe

The worm creates the following registry entries, so that it runs every time

Windows starts:

* HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion

\policies\Explorer\Run\”[RANDOM FILE NAME]” = “[RANDOM FILE

NAME].exe”

* HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion

\policies\Explorer\Run\”[RANDOM FILE NAME]” = “%Temp%\(ramdom).exe”

* HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\

Run\”[RANDOM FILE NAME]” = “%Temp%\[RANDOM FILE NAME].exe”

* HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\

Run\”[RANDOM FILE NAME]” = “(ramdom).exe”

* HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\

RunOnce\”[RANDOM FILE NAME]” = “%Temp%\[RANDOM FILE

NAME].exe .”

* HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\

RunOnce\”[RANDOM FILE NAME]” = “[RANDOM FILE NAME].exe .”

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Run\”[RANDOM FILE NAME]” = “%Temp%\[RANDOM FILE NAME].exe”

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Run\”[RANDOM FILE NAME]” = “[RANDOM FILE NAME].exe”

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

RunOnce\”[RANDOM FILE NAME]” = “[RANDOM FILE NAME].exe .”

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

RunOnce\”[RANDOM FILE NAME]” = “%Temp%\[RANDOM FILE

NAME].exe .”

It modifies the following registry entries to bypass the Windows firewall:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security

Center\”FirewallDisableNotify” = “1″

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security

Center\”FirewallOverride” = “1″

The worm modifies the following registry entries in order to lower security

settings:

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

\Policies\System\”DisableRegistryTools” = “1″

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\policies\system\”DisableRegistryTools” = “1″

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security

Center\”UpdatesDisableNotify” = “1″

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\policies\system\”EnableLUA” = “0″

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security

Center\”AntiVirusDisableNotify” = “1″

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Security

Center\”AntiVirusOverride” = “1″

It then modifies the following registry entry to alter Explorer settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\policies\Explorer\”NoDriveTypeAutoRun” = “1″

The worm modifies the following registry entry in order to hide its presence:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current

Version\Explorer\Advanced\Folder\Hidden\SHOWALL\”CheckedValue”

= “145″

It also modifies the following registry entry to alter Explorer settings:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

Policies\Explorer\”NoDriveTypeAutoRun” = “181″

The worm then deletes registry entries to prevent the compromised computer

f
rom restarting in safe mode.

The worm gathers credentials from different Web sites along with information

regarding the user’s Skype account and then sends the confidential information

back to the remote attacker.

The worm supports 18 different languages schemes, depending on the platform’s

language configuration.

In order to spread, it will try to send Skype IM messages to the user’s contacts.

The messages may have the following characteristics:

* crazy bitch

* do you have camera on skype?

* from where are you?

* hello

* hello again

* hi

* how are you

* I know what you did

* I saw you last week. I would like to speak with you

* I saw you photo. I would like to speak with you

* I watching you long time. I would like to speak with you

* idiot

* is it really your web site?

* now everyone know

* piece of shit

* pudge women

* so what do you think?

* what are you doing

* what are you doing in my contacts?

* what are you?

* what do you think about that?

* what is in that link on your skype?

* what is there?

* why dont you speak

* you skype version is old

The worm may spread by sending a URL pointing to a copy of itself to the

user’s contacts.

FREE SCAN:

Please click here for manual removal instructions.

November 14, 2009 2:34:17 AM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Once executed, the Trojan creates the following files:

* %System%\nwwwks.dll
* %System%\rdisk.dll
* %System%\skeys.dll
* %System%\SvcHost.DLL.exe
* %System%\SvcHost.DLL.log

It then creates the following folder:
%SystemDrive%\drivers\own\

The Trojan registers the file %System%\nwwwsk.dll as a new service with the following characteristics, so that it runs every time Windows starts:
Service Name: Gateway Service For Netware
Display Name: Gateway Service for Netware
Startup Type: Automatic

It creates the service by adding entries to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWC
workstation

The Trojan opens a back door on the compromised computer allowing a
remote attacker to perform some of the following actions:

* Download, upload, delete and execute files
* List, stop, and start processes and services.

It gathers the following information on the compromised computer:

* Available Network Resources
* Computer Name
* Drives connected and type of drive.
* Free Space on each drive
* Operating System and Version
* Processor Type
* System Memory
* System uptime
* User Name.

The Trojan copies all files with the following extensions to the %SystemDrive%\drivers\own\ folder and sends them to a predetermined
remote location:

* .doc
* .pdf
* .ppt
* .rar
* .zip

FREE SCAN:

Please click here for manual removal instructions.

November 13, 2009 12:04:28 PM

Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

When the Trojan is executed, it copies itself to the following location:
%System%\sysservice.exe

It also creates the following configuration file:
%System%\sysservice.dll

Next, the Trojan creates the following registry entry so that it executes whenever
Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\Run\"Microsoft Startup Manager" = "%System%\sysservice.exe"

It also creates the following registry entry in order to add itself to the list of
applications authorized by the Windows firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Shared
Access\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
"%System%\sysservice.exe" = "%System%\sysservice.exe:*:Enabled:DNS client"

The Trojan then connects to one of the following locations and downloads an

updated configuration file and back door commands:

* [http://]www.kfw8f23.net/bn/file[REMOVED]
* [http://]www.g43gwef.com/bn/file[REMOVED]
* [http://]www.avrergq.com/bn/file[REMOVED]
* [http://]www.hwrgtwer.net/bn/file[REMOVED]
* [http://]www.vgerferge.com/bn/file[REMOVED]

It may then perform the following actions on the compromised computer:

* Update the configuration information
* Report details about the compromised computer to a remote attacker
* Update itself
* Download a file and execute it
* Act as a proxy

FREE SCAN:

Please click here for manual removal instructions.