The file UPD.EXE is a computer worm.
The worm UPD.EXE is a self-replicating malicious program,
which uses a computer network to send copies of itself to other computers.
You must fix the UPD.EXE problem as soon as possible!
Delete the file UPD.EXE from all infected computers in your network.
Set up your network firewall against UPD.EXE intervention.
Malware Analysis of \YAFINDER\UPD.EXE
Full path on a computer: %PROGRAM FILES%\YAFINDER\UPD.EXE
Detected by UnHackMe:
Item Name: AppInit_DLLs
Author: Unknown
Related File: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla\ruirtbi.dll
Type: List of Injected DLLs
Item Name: YaFinder Updater
Author:
Related File: %PROGRAM FILES%\YAFINDER\UPD.EXE
Type: Registry Run
Item Name: mnashbk
Author: ?????????? ? ?????????
Related File: C:\DOCUME~1\ALLUSE~1\APPLIC~1\MOZILLA\ZPVCKRD.EXE
Type: Scheduled Tasks
Item Name: RUIRTBI.DLL
Author: Unknown
Related File: C:\DOCUME~1\ALLUSE~1\APPLIC~1\MOZILLA\RUIRTBI.DLL
Type: Multi AV Detected Files
Item Name: UPD.EXE
Author:
Related File: %PROGRAM FILES%\YAFINDER\UPD.EXE
Type: Multi AV Detected Files
Item Name: ZPVCKRD.EXE
Author:
Related File: C:\DOCUME~1\ALLUSE~1\APPLIC~1\MOZILLA\ZPVCKRD.EXE
Type: Multi AV Detected Files
Removal Results: Success
Number of reboot: 1
\YAFINDER\UPD.EXE is known as:
Worm.Gamarue.87042, W32.Trojan.NLSP-6507, TScope.Trojan.MSIL, a variant of MSIL.TrojanDownloader.Adload.AA, Trojan.Msil, W32.Agent.CDVS.tr
UPD.EXE hash:
- MD5: f61d1303c6bdb197c89bf800d1443e21
Registry:- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\YaFinder Updater: “%Program Files%\YaFinder\upd.exe”
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: “C:\DOCUME~1\ALLUSE~1\APPLIC~1\Mozilla\ruirtbi.dll”
Folders:- %Local Appdata%\Temp
- %Local Appdata%\Temp\htm
- %Local Appdata%\Temp\htm\css
- %Local Appdata%\Temp\htm\css\images
- %Program Files%\La
- %Program Files%\La\Xo
- %Program Files%\SubwaySurfers
- %Program Files%\YaFinder
Files:- %Appdata%\Mozilla Firefox.lnk
- %Local Appdata%\Temp\htm\css\images\animated-overlay.gif
- %Local Appdata%\Temp\htm\css\images\ui-bg_diagonals-thick_18_b81900_40x40.png
- %Local Appdata%\Temp\htm\css\images\ui-bg_diagonals-thick_20_666666_40x40.png
- %Local Appdata%\Temp\htm\css\images\ui-bg_flat_10_000000_40x100.png
- %Local Appdata%\Temp\htm\css\images\ui-bg_glass_100_f6f6f6_1x400.png
- %Local Appdata%\Temp\htm\css\images\ui-bg_glass_100_fdf5ce_1x400.png
- %Local Appdata%\Temp\htm\css\images\ui-bg_glass_65_ffffff_1x400.png
- %Local Appdata%\Temp\htm\css\images\ui-bg_gloss-wave_35_f6a828_500x100.png
- %Local Appdata%\Temp\htm\css\images\ui-bg_highlight-soft_100_eeeeee_1x100.png
- %Local Appdata%\Temp\htm\css\images\ui-bg_highlight-soft_75_ffe45c_1x100.png
- %Local Appdata%\Temp\htm\css\images\ui-icons_222222_256x240.png
- %Local Appdata%\Temp\htm\css\images\ui-icons_228ef1_256x240.png
- %Local Appdata%\Temp\htm\css\images\ui-icons_ef8c08_256x240.png
- %Local Appdata%\Temp\htm\css\images\ui-icons_ffd27a_256x240.png
- %Local Appdata%\Temp\htm\css\images\ui-icons_ffffff_256x240.png
- %Local Appdata%\Temp\htm\css\jquery-ui-1.10.0.custom.css
- %Local Appdata%\Temp\htm\css\jquery-ui-1.10.0.custom.min.css
- %Local Appdata%\Temp\htm\getactivation.jpg
- %Local Appdata%\Temp\htm\nachat-ustanovku.jpg
- %Local Appdata%\Temp\htm\obratno.jpg
- %Local Appdata%\Temp\htm\open.php
- %Local Appdata%\Temp\htm\orange-four.jpg
- %Local Appdata%\Temp\htm\orange-one.jpg
- %Local Appdata%\Temp\htm\orange-three.jpg
- %Local Appdata%\Temp\htm\orange-two.jpg
- %Local Appdata%\Temp\htm\otmena.jpg
- %Local Appdata%\Temp\htm\page.html
- %Local Appdata%\Temp\htm\page2.html
- %Local Appdata%\Temp\htm\page3.html
- %Local Appdata%\Temp\htm\page4.html
- %Local Appdata%\Temp\htm\prodoljaem.jpg
- %Local Appdata%\Temp\htm\text.html
- %Startmenu%\Mozilla Firefox.lnk
- %Common Appdata%\Mozilla\ruirtbi.dll
- %Common Appdata%\Mozilla\zpvckrd.exe
- %Common Startmenu%\Mozilla Firefox.lnk
- %Program Files%\La\Xo\bashni_kiaa.vbs
- %Program Files%\La\Xo\polovinkaostankinskoi.vbs
- %Program Files%\La\Xo\trizvonkaiodnatete.bat
- %Program Files%\La\Xo\veseli_praz.nik
- %Program Files%\La\Xo\zakrivaya.glaza
- %Program Files%\SubwaySurfers\4konya.exe
- %Program Files%\SubwaySurfers\Interop.IWshRuntimeLibrary.dll
- %Program Files%\SubwaySurfers\mac.exe
- %Program Files%\SubwaySurfers\runme.exe
- %Program Files%\SubwaySurfers\SubwaySurfers.exe
- %Program Files%\YaFinder\injected.js
- %Program Files%\YaFinder\Interop.IWshRuntimeLibrary.dll
- %Program Files%\YaFinder\jquery.js
- %Program Files%\YaFinder\main.js
- %Program Files%\YaFinder\manifest.json
- %Program Files%\YaFinder\upd.exe
- %SysDir%\drivers\etc\hists
- %WinDir%\Tasks\mnashbk.job