Version 5.013
2008 08 26
Files:
windows\servicez.exe
windows\nvchost.exe
windows\winlogon.exe
system32\alog.txt
system32\crypto64.dll
system32\csrcli32.dll
system32\dpl.txt
%System%\info.txt
system32\NGIX.bin
system32\ntld.bin
system32\preved.bat
system32\ps1.dat
system32\rc.dat
system32\rdata.bin
system32\rhs.bin
system32\scrcwi32.dll
system32\sms.bat
system32\sys32time.dll
system32\winsms.bat
system32\winsms.dll
system32\cryptmd5.dll
system32\datcom.dll
system32\datmps.dll
system32\droute.dll
system32\dwave.sys
system32\dx9sr.sys
system32\emulx86.sys
system32\hdtvu6.dll
system32\hooka.sys
system32\ke64boot.dll
system32\kteproc.sys
system32\mcrwave.dll
system32\necsopp.sys
system32\nkudpn1.sys
system32\pcixm.sys
system32\pcixmm.dll
system32\pemulx86.dll
system32\routew.dll
system32\rotw.sys
system32\stfilter.dll
system32\syncm.sys
system32\syslink.dll
system32\tehlink0.dll
system32\tehlink5.sys
system32\wlite.sys
Notifykeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\datcom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\datmps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\droute
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hdtvu6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ke64boot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcrwave
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pcixmm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pemulx86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\routew
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\stfilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\syslink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tehlink0
Services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dwave
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx9sr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emulx86
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hooka
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kteproc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\necsopp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nkudpn1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcixm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rotr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rotw
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syncm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tehlink5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlite
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kteproc.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\kteproc.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\syncm.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\syncm.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wlite.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wlite.sys
Runkeys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvchost"
"winlogon"
"Windows Services"
"KIT3"
Use haxfix to remove this infection.
Removal instructions for this infection can be found
here or
here.