Trojan Agent – 15717cd327a723820d71900611545917


Trojan Agent
Also known as: Backdoor IRCBot
SHA256: db6cea7e8d62d3b21efe3b423b48c131e345cb55f168cbe1f142e491bb812747
SHA1: 99184ec149d329e98cd3e600cfaba22a2f9a0156
MD5: 15717cd327a723820d71900611545917
File size: 189990 bytes

Created files:

%Program Files Common%\System\wmsncs.exe – Trojan Agent
%WinDir%\Fonts\wmsncs.exe – Trojan Agent
%SysDir%\spool\drivers\wmsncs.exe – Trojan Agent
%SysDir%\wins\wmsncs.exe – Trojan Agent
%Common Startmenu%\Programs\Startup\wmsncs.exe – Trojan Agent

Trojan Agent created autostart registry keys:

HKLM\Software\Microsoft\Active Setup\Installed Components\{103L3C30-C3B3-4130-9363-E59E1375PERM}\StubPath: %WinDir%\Fonts\wmsncs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wmsncs Service: %WinDir%\Fonts\wmsncs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvidMediaCenter: %Program Files Common%\System\wmsncs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Spool Driver Service: %WinDir%\System32\spool\drivers\wmsncs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wins Service: %WinDir%\System32\wins\wmsncs.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell: explorer.exe "%WinDir%\Fonts\wmsncs.exe"
HKLM\System\CurrentControlSet\Services\Afd\Parameters\DisableRawSecurity: 01000000
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\SizReqBuf: 00400000
HKLM\System\CurrentControlSet\Services\Messenger\Start: 04000000
HKLM\System\CurrentControlSet\Services\NET Runtime Optimization Service v2.1.41329_X86\Type: 10010000
HKLM\System\CurrentControlSet\Services\NET Runtime Optimization Service v2.1.41329_X86\Start: 02000000
HKLM\System\CurrentControlSet\Services\NET Runtime Optimization Service v2.1.41329_X86\DisplayName: NET Runtime Optimization Service v2.1.41329_X86
HKLM\System\CurrentControlSet\Services\NET Runtime Optimization Service v2.1.41329_X86\ImagePath: "%WinDir%\Fonts\wmsncs.exe"
HKLM\System\CurrentControlSet\Services\RemoteRegistry\Start: 04000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 01000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\wmsncs.exe: wmsncs.exe:*:Enabled:SYSTEM
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 01000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort: FEFF0000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay: 1E000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\StrictTimeWaitSeqCheck: 01000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts: 01000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\GlobalMaxTcpWindowSize: C0EB0300
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize: C0EB0300
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery: 01000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SackOpts: 01000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL: 40000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDupAcks: 02000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\LargeBufferSize: 00800C00
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\AllowUserRawAccess: 01000000
HKLM\System\CurrentControlSet\Services\TlntSvr\Start: 04000000
HKLM\System\CurrentControlSet\Services\wscsvc\Start: 04000000
