I recommend you UnHackMe - Ultimate Malware Killer for fast malware removal:
Free DownloadFully Functional 30-day Trial. No credit card is required.
Reviews. EULA. Privacy Policy. Uninstall.
1289100.DLL – Backdoor Farfli removal
File | MD5 | Virus Alias |
---|---|---|
1289100.DLL | 5fb857acb4c5f0bf85f86c2e9f239f5c | Backdoor Farfli |
1289100.DLL | 5fb857acb4c5f0bf85f86c2e9f239f5c | Trojan DLOADER |
1289100.DLL | 5fb857acb4c5f0bf85f86c2e9f239f5c | Trojan PcClient |
1289100.DLL | 5fb857acb4c5f0bf85f86c2e9f239f5c | Trojan Eldorado |
1289100.DLL | 5fb857acb4c5f0bf85f86c2e9f239f5c | Trojan Downloader |
1289100.DLL | 5fb857acb4c5f0bf85f86c2e9f239f5c | Backdoor PcClien |
1289100.DLL size: 103936 bytes
1289100.DLL hash: 5FB857ACB4C5F0BF85F86C2E9F239F5C
Created files:
C:\1289100.dll
C:\windows\system32\dllcache\ws2help.dll
C:\windows\system32\drivers\420a0a1f.sys
C:\windows\system32\drivers\xpV3001.sys
C:\windows\system32\RpcSvc.psd
C:\windows\system32\ws2helpXP.dll
C:\windows\system32\wshtcpip.dll
C:\windows\Tasks\csrss.exe
C:\windows\temp\svohcst.exe
C:\windows\temp\temp1.exe
C:\windows\temp\temp2.exe
C:\windows\temp\temp3.exe
C:\windows\temp\temp4.exe
Autostart registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Download: C:\windows\temp\svohcst.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: %WinDir%\System32\userinit.exe,%WinDir%\Tasks\csrss.exe?, |Q- |X- |2?`??|??
HKLM\System\CurrentControlSet\Services\420a0a1f\Type: 01000000
HKLM\System\CurrentControlSet\Services\420a0a1f\Start: 02000000
HKLM\System\CurrentControlSet\Services\420a0a1f\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\420a0a1f\DisplayName: 420a0a1f
HKLM\System\CurrentControlSet\Services\420a0a1f\ImagePath: 5C003F003F005C0043003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C0064007200690076006500720073005C00340032003000610030006100310066002E007300790073000000
HKLM\System\CurrentControlSet\Services\420a0a1f\ProcessID: 94170000
HKLM\System\CurrentControlSet\Services\BITS\My_Host_URL: http://110.34.198.123:888/3.txt
HKLM\System\CurrentControlSet\Services\neverdeath\Type: 01000000
HKLM\System\CurrentControlSet\Services\neverdeath\Start: 02000000
HKLM\System\CurrentControlSet\Services\neverdeath\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\neverdeath\DisplayName: neverdeath
HKLM\System\CurrentControlSet\Services\neverdeath\ImagePath: 5C003F003F005C0043003A005C00570049004E0044004F00570053005C00730079007300740065006D00330032005C0064007200690076006500720073005C0078007000560033003000300031002E007300790073000000
HKLM\System\CurrentControlSet\Services\neverdeath\ProcessID: 94170000
HKLM\System\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\DLLPath: 43003A005C0031003200380039003100300030002E0064006C006C000000
HKLM\System\CurrentControlSet\Services\RpcSvc\Type: 10010000
HKLM\System\CurrentControlSet\Services\RpcSvc\Start: 02000000
HKLM\System\CurrentControlSet\Services\RpcSvc\DisplayName: Remote Procedure Call (RPC) Service
HKLM\System\CurrentControlSet\Services\RpcSvc\ImagePath: %SystemRoot%\System32\svchost.exe -k imgsvc
Detected by UnHackMe:
1289100.DLL
Default location: C:\1289100.DLL
Dropper information:
MD5: ca33e1826f8d03ed2c11fba563ca3bbb
File size: 4207 bytes