RZ52.EXE (Trojan Hllw) Removal Guide

I recommend UnHackMe - Ultimate Malware Killer for fast malware removal.

RZ52.EXE – Trojan Hllw removal

File: RZ52.EXE
MD5: 95d4a7eeddcb0fd269b4b850aa730c62
Virus alias: Trojan Hllw

RZ52.EXE size: 100352 bytes
RZ52.EXE hash: 95D4A7EEDDCB0FD269B4B850AA730C62

Created files:

%Program Files%\Internet Explorer\IEXPLORE.zyq
%Program Files%\Mozilla Firefox\firefox.uwe
%Program Files%\MSN Gaming Zone\Windows\bckgzm.exe
%Program Files%\MSN Gaming Zone\Windows\chkrzm.exe
%Program Files%\MSN Gaming Zone\Windows\hrtzzm.exe
%Program Files%\NetMeeting\conf.xqk
%Program Files%\Windows NT\dialer.ibu
%SysDir%\taskmgr.exe
%SysDir%\Winkny.exe
%TEMP%\Coz50.exe
%TEMP%\Jf51.exe
%TEMP%\Rb59.exe
%TEMP%\Rv54.exe
%TEMP%\Rz52.exe
%TEMP%\Rzb53.exe
%TEMP%\Sjb57.exe
%TEMP%\Vk5A.exe
%TEMP%\Wnr5B.exe
%TEMP%\Wst58.exe
%TEMP%\Wt55.exe
%TEMP%\Za56.exe
\\VBOXSVR\in\Xwbb.doc.exe

Autostart registry keys:

HKLM\System\CurrentControlSet\Services\LL54K\Type: 10010000
HKLM\System\CurrentControlSet\Services\LL54K\Start: 03000000
HKLM\System\CurrentControlSet\Services\LL54K\DisplayName: LL54K
HKLM\System\CurrentControlSet\Services\LL54K\ImagePath: \\VBOXSVR\in\Xwbb.doc.exe
HKLM\System\CurrentControlSet\Services\Winkny\Type: 10010000
HKLM\System\CurrentControlSet\Services\Winkny\Start: 02000000
HKLM\System\CurrentControlSet\Services\Winkny\DisplayName: Winkny
HKLM\System\CurrentControlSet\Services\Winkny\ImagePath: %WinDir%\System32\Winkny.exe

Detected by UnHackMe:

RZ52.EXE
Default location: %TEMP%\RZ52.EXE

Dropper information:
MD5: ac30df4f1cbba3f9131fa613d2bd65d0
File size: 87898 bytes
