• trojan

Win32.Yakes.adkv copies malicious files into the program directory, starts itself in autorun and connects to the Internet in background without giving the user a possibility to cancel that process.

• The directory at "<$APPDATA>\<$ENV(Win32Yakes_Dir)>".

• Delete the registry key "Yqyt" at "HKEY_CURRENT_USER\Software\Microsoft\".
• Delete the registry value "12033:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
• Delete the registry value "12033:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
• Delete the registry value "12033:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
• Delete the registry value "26693:UDP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
• Delete the registry value "26693:UDP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
• Delete the registry value "26693:UDP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• trojan
• passwordstealer

Win32.OnLineGames.gen tries to steal passwords for online games. The library files get injected into running processes in order to avoid detection and to be executed by system files.

• Delete the registry value "<$ENV(OLG1)>.dll" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
• Delete the registry value "<$ENV(OLG1)>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
• Remove "<$ENV(OLG1)>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• trojan
• worm

Win32.Mabezat is a Worm with file infecting ability. It cloaks itself as a 3rd party installer or uses a document icon to mislead the user. Once installed it copies itself to all removable drives or network shares and creates an autorun entry for these files.

• A file with an unknown location named "InstallMSN11En.exe".
• A file with an unknown location named "KasperSky6.0 Key.doc.exe".
• A file with an unknown location named "Make Windows Original.exe".
• A file with an unknown location named "Office2007 Serial.txt.exe".
• A file with an unknown location named "WinrRarSerialInstall.exe".
• The file at "<$APPDATA>\Tazebama\tazebama.log".
• The file at "<$FIXEDDRIVES>\InstallMSN11En.exe".
• The file at "<$FIXEDDRIVES>\KasperSky6.0 Key.doc.exe".
• The file at "<$FIXEDDRIVES>\Make Windows Original.exe".
• The file at "<$FIXEDDRIVES>\Office2007 Serial.txt.exe".
• The file at "<$FIXEDDRIVES>\WinrRarSerialInstall.exe".
• The file at "<$PROFILES>\hook.dl_".
• The file at "<$PROFILES>\tazebama.dl_".

• The directory at "<$APPDATA>\tazebama".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• trojan

Win32.IRCBot installs a file into the local temp directory. Variants create a subfolder within recycler and drop the copy into it. This malware is run via autorun and establishes a connection with a remote IRC Server. Win32.IRCbot installer pretends to be a cracking or other keygen tool.

• The directory at "c:\Windows\temp\mama".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• trojan

Win32.Graftor.6078 installs malicious files into the Program files and root directories and makes DoS-attack on 58.221.41.56-address.

• The directory at "<$PROGRAMFILES>\<$ENV(Win32Graftor6078_Dir)>".

• Delete the registry key "Ghijkl Nopqrstu Wxy" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
• Delete the registry key "Ghijkl Nopqrstu Wxy" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
• Delete the registry key "Ghijkl Nopqrstu Wxy" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
• Delete the registry key "Ghijkl Nopqrstu Wxy" at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\".
• Remove "<$ENV(Win32Graftor6078_path)>" from registry value "DLLPath" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteAccess\RouterManagers\Ip\".
• Remove "<$ENV(Win32Graftor6078_path)>" from registry value "DLLPath" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RemoteAccess\RouterManagers\Ip\".
• Remove "<$ENV(Win32Graftor6078_path)>" from registry value "DLLPath" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\RemoteAccess\RouterManagers\Ip\".
• Remove "<$ENV(Win32Graftor6078_path)>" from registry value "DLLPath" at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip\".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• malware

Win32.Downloader.bdld copies malicious files into the Windows directory and itself via an userinit entry.

• Remove "<$ENV(Win32DownloaderBdld_Dir)>" from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• malware

Win32.Autorun.ie tries to start itself in autorun as "iexplorer" to get started without raising suspicion.

• Entries named "iexplorer" and pointing to "<$SYSDIR>\iexplorer32.exe".
• Entries named "msnmsggr" and pointing to "<$SYSDIR>\msnmsggr2.exe".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• trojan
• rootkit

Conficker.rtk is a Trojan horse that gets installed in background and can spread to the local network. It compromises the system security and uses rootkit functions to hide itself and stay persistent.

• The file at "<$PROGRAMFILES>\Internet Explorer\mzeky.dll".
• The file at "<$SYSDIR>\mzeky.dll".

• Delete the registry value "6628:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
• Delete the registry value "6628:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
• Delete the registry value "6628:TCP" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\".
• Delete the registry value "Start=W=2" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\".
• Delete the registry value "Start=W=2" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv\".
• Delete the registry value "Start=W=2" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wuauserv\".
• Delete the registry value "Start=W=2" at "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• malware

ClaroMultimedia tries to start a malicious executable file from the system directory via Autorun as "Windows Defender" or "Winlogon" without giving the user a possibility to cancel that process.

• Entries named "Winlogon" and pointing to "<$WINDIR>\scssrr.exe".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• trojan
• passwordstealer

Win32.OnLineGames.gen tries to steal passwords for online games. The library files get injected into running processes in order to avoid detection and to be executed by system files.

• Delete the registry value "<$ENV(OLG1)>.dll" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
• Delete the registry value "<$ENV(OLG1)>" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\".
• Remove "<$ENV(OLG1)>.dll" from registry value "AppInit_DLLs" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• trojan

Win32.Matsnu copies malicious files into the application data and system directories, starts itself via autorun and userinit entries. It blocks system processes like msconfig, taskmanager and regedit. Win32.Matsnu crypts all executable, library and data files and locks the computer. It forces the user to pay for unlocking and decoding the machine.

• The directory at "<$APPDATA>\<$ENV(Win32Matsnu_Dir)>".

• Delete the registry value "Debugger" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\".
• Delete the registry value "Debugger" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\".
• Delete the registry value "Debugger" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\".
• Remove "<$ENV(Win32Matsnu_Path)>," from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".
• Remove "<regexpr><$SYSDIR>\\[A-F0-9] \.exe," from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• trojan

Win32.Chiznit copies malicious files into the application patch directory, starts itself via autorun, userinit and winlogon entries. It monitors system values and stores the data into log files and registry keys. Win32.Chiznit connects to remote web servers to download further malware.

• Entries named "userinit" and pointing to "<$WINDIR>\AppPatch\*.exe".
• Entries named "userinit" and pointing to "<regexpr><$WINDIR>\\AppPatch\\([a-z] )\.exe".

• Delete the registry value "44d228d9" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".
• Remove "<$WINDIR>\apppatch\<$ENV(FLname)>.exe," from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".
• Remove "<$WINDIR>\apppatch\<$ENV(FLname)>.exe" from registry value "load" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
• Remove "<$WINDIR>\apppatch\<$ENV(FLname)>.exe" from registry value "run" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
• Remove "<$WINDIR>\apppatch\<$ENV(FLname)>.exe" from registry value "System" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".
• Remove "<regexpr><$WINDIR>\\AppPatch\\([a-z] )\.exe\," from registry value "Userinit" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".
• Remove "<regexpr><$WINDIR>\\AppPatch\\([a-z] )\.exe" from registry value "load" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
• Remove "<regexpr><$WINDIR>\\AppPatch\\([a-z] )\.exe" from registry value "run" at "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\".
• Remove "<regexpr><$WINDIR>\\AppPatch\\([a-z] )\.exe" from registry value "System" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• malware

Win32.Autorun.gen copies malicious files into the program directory and starts itself via autorun (as "Sext","Sliv","Smsn" and "Snet").

• Entries named "Sext" and pointing to "c:\programdata\Sext.exe".
• Entries named "Sliv" and pointing to "c:\programdata\Sliv.exe".
• Entries named "Smsn" and pointing to "c:\programdata\Smsn.exe".
• Entries named "Snet" and pointing to "c:\programdata\Snet.exe".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• trojan

Win32.Autorun.bomb copies several malicious files to the profile directory and creates an autorun entry in order to get launched on every startup.

• Entries named "MSClient" and pointing to ""<$COMMONPROGRAMFILES>\MS\MSClient.exe" /w".

• The directory at "<$COMMONPROGRAMFILES>\MS".

• Delete the registry value "ShowSuperHidden=W=1" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.

• spyware
• keylogger

UltraAccessNetworks.NetBusPro is an adsupported spyware that enables to spy on other users once the serve components are hidden on the target computer.

• Products that have a key or property named "NetBus Pro".

• The file at "<$COMMONPROGRAMS>\NetBus Pro\Get Paid To Be Online.lnk".
• The file at "<$COMMONPROGRAMS>\NetBus Pro\NetBus Help.lnk".
• The file at "<$COMMONPROGRAMS>\NetBus Pro\NetBus Server.lnk".
• The file at "<$COMMONPROGRAMS>\NetBus Pro\NetBus.lnk".
• The file at "<$COMMONPROGRAMS>\NetBus Pro\Readme.lnk".
• The file at "<$PROGRAMFILES>\NetBus Pro\ad468x60.gif".
• The file at "<$PROGRAMFILES>\NetBus Pro\ad468x60.url".
• The file at "<$PROGRAMFILES>\NetBus Pro\DB\Broadcast1.db".
• The file at "<$PROGRAMFILES>\NetBus Pro\DB\Command1.db".
• The file at "<$PROGRAMFILES>\NetBus Pro\DB\Host.db".
• The file at "<$PROGRAMFILES>\NetBus Pro\DB\Schedule1.db".
• The file at "<$PROGRAMFILES>\NetBus Pro\DB\Script1.db".
• The file at "<$PROGRAMFILES>\NetBus Pro\Lang\Default.lng".
• The file at "<$PROGRAMFILES>\NetBus Pro\Lang\Swedish.lng".
• The file at "<$PROGRAMFILES>\NetBus Pro\Log.txt".
• The file at "<$PROGRAMFILES>\NetBus Pro\NBFind.dll".
• The file at "<$PROGRAMFILES>\NetBus Pro\NBHelp.dll".
• The file at "<$PROGRAMFILES>\NetBus Pro\NBSvr.exe".
• The file at "<$PROGRAMFILES>\NetBus Pro\NBUninst.dll".
• The file at "<$PROGRAMFILES>\NetBus Pro\NetBus.cnt".
• The file at "<$PROGRAMFILES>\NetBus Pro\NetBus.exe".
• The file at "<$PROGRAMFILES>\NetBus Pro\NetBus.hlp".
• The file at "<$PROGRAMFILES>\NetBus Pro\Readme.txt".
• The file at "<$PROGRAMFILES>\NetBus Pro\Skin\Listen.bmp".
• The file at "<$PROGRAMFILES>\NetBus Pro\Skin\Logotype.bmp".
• The file at "<$PROGRAMFILES>\NetBus Pro\Uninst.isu".

• The directory at "<$COMMONPROGRAMS>\NetBus Pro".
• The directory at "<$PROGRAMFILES>\NetBus Pro\DB".
• The directory at "<$PROGRAMFILES>\NetBus Pro\Down".
• The directory at "<$PROGRAMFILES>\NetBus Pro\Lang".
• The directory at "<$PROGRAMFILES>\NetBus Pro\Skin".
• The directory at "<$PROGRAMFILES>\NetBus Pro".

• Delete the registry key "Net Solutions" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
• Delete the registry key "NetBus.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
• Delete the registry key "NetBus" at "HKEY_CURRENT_USER\".
• Delete the registry key "UltraAccess Networks" at "HKEY_LOCAL_MACHINE\SOFTWARE\".

1. Please read these instructions before requesting assistance,
2. Then start your own thread in the Malware Removal Forum where a volunteer analyst will advise you as soon as available.