I recommend you UnHackMe - Ultimate Malware Killer for fast malware removal:
Free DownloadFully Functional 30-day Trial. No credit card is required.
Reviews. EULA. Privacy Policy. Uninstall.
NS.EXE – Trojan Delf removal
File | MD5 | Virus Alias |
---|---|---|
NS.EXE | 8be01ed4466e3c1e9ccf0d49e50607b9 | Trojan Delf |
NS.EXE | 8be01ed4466e3c1e9ccf0d49e50607b9 | Trojan Agent |
NS.EXE size: 4269837 bytes
NS.EXE hash: 8BE01ED4466E3C1E9CCF0D49E50607B9
Created files:
%TEMP%\IXP000.TMP\ns.exe
%TEMP%\RarSFX0\0001\shell.dos
%TEMP%\RarSFX0\12500852.ssp
%TEMP%\RarSFX0\BDE\bantam.dll
%TEMP%\RarSFX0\BDE\blw32.dll
%TEMP%\RarSFX0\BDE\ceeurope.btl
%TEMP%\RarSFX0\BDE\charset.cvb
%TEMP%\RarSFX0\BDE\europe.btl
%TEMP%\RarSFX0\BDE\idapi32.dll
%TEMP%\RarSFX0\BDE\idapinst.dll
%TEMP%\RarSFX0\BDE\idasci32.dll
%TEMP%\RarSFX0\BDE\iddbas32.dll
%TEMP%\RarSFX0\BDE\iddr32.dll
%TEMP%\RarSFX0\BDE\idr20009.dll
%TEMP%\RarSFX0\BDE\other.btl
%TEMP%\RarSFX0\BDE\usa.btl
%TEMP%\RarSFX0\hl.dll.cpt
%TEMP%\RarSFX0\IJL15.DLL
%TEMP%\RarSFX0\isnf2.dll
%TEMP%\RarSFX0\nspl.dll.cpt
%TEMP%\RarSFX0\options.bak
%TEMP%\RarSFX0\shr.dll
%TEMP%\RarSFX0\SpyConsoleSetup.exe
%TEMP%\RarSFX0\wpcap\4.0\npf.sys
%TEMP%\RarSFX0\wpcap\4.0\npptools.dll
%TEMP%\RarSFX0\wpcap\4.0\Packet.dll
%TEMP%\RarSFX0\wpcap\4.0\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\4.0\WanPacket.dll
%TEMP%\RarSFX0\wpcap\4.0\wpcap.dll
%TEMP%\RarSFX0\wpcap\4.1\npf.sys
%TEMP%\RarSFX0\wpcap\4.1\npptools.dll
%TEMP%\RarSFX0\wpcap\4.1\Packet.dll
%TEMP%\RarSFX0\wpcap\4.1\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\4.1\WanPacket.dll
%TEMP%\RarSFX0\wpcap\4.1\WinPcap_4_1_2.exe
%TEMP%\RarSFX0\wpcap\4.1\wpcap.dll
%TEMP%\RarSFX0\wpcap\npf.sys
%TEMP%\RarSFX0\wpcap\npptools.dll
%TEMP%\RarSFX0\wpcap\Packet.dll
%TEMP%\RarSFX0\wpcap\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\vista\npptools.dll
%TEMP%\RarSFX0\wpcap\vista\Packet.dll
%TEMP%\RarSFX0\wpcap\vista\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\vista\wpcap.dll
%TEMP%\RarSFX0\wpcap\WanPacket.dll
%TEMP%\RarSFX0\wpcap\wpcap.dll
%TEMP%\RarSFX0\wpcap\x64\npf.sys
Autostart registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0: rundll32.exe %WinDir%\System32\advpack.dll,DelNodeRunDLL32 “%TEMP%\IXP000.TMP\”
Detected by UnHackMe:
NS.EXE
Default location: %TEMP%\IXP000.TMP\NS.EXE
Dropper information:
MD5: 1ba4a741245f68d14691bfecf37280d0
File size: 4065280 bytes