The program MR.EXE is used to covertly gain access to a PC and administer it remotely.
UnHackMe is recommended as a reliable program for removing MR.EXE.
Download for free: http://www.unhackme.com
Malware Analysis of MR.EXE
Full path on a computer: %SysDir%\drivers\mr.exe
Detected by UnHackMe:
MR.EXE
Default location: %SysDir%\drivers\mr.exe
Removal Results: Success
Number of reboots: 1
MR.EXE is known as:
Backdoor.Poison.dyvj, Backdoor.Poison.5amJngoSxg0, Trojan.Agent.Gen-Poison, TrojWare.VB.OSKB, Trojan.Siggen4.22348, Backdoor.Poison.dyvj (v), Troj.Poison-EX, Backdoor.Poison.afku, Backdoor.Poison, Trojan.Msposer.I, Trojan.Swisyn.943377, Trojan.Swisyn, Hoax.Xorist, Malware.Gosys.rem, a variant of Win32.VB.QQC, Trojan.QOT.4901, Trojan.VB, W32.Mofksys.ABZH.tr, VB.CKVR
MR.EXE hash:
- MD5: 9c041415d8fa33dc2fac1ea40fd96011
How to quickly detect the presence of MR.EXE?
Registry:
- HKLM\Software\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath: "c:\windows\system32\drivers\mr.exe"
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Explorer: "c:\windows\system\explorer.exe RO"
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Svchost: "c:\windows\system32\drivers\svchost.exe RO"
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "%WinDir%\explorer.exe, c:\windows\system\explorer.exe"
- HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0x00000004
Files:
- %WinDir%\system\explorer.exe
- %WinDir%\system\scm.cmn
- %SysDir%\drivers\mr.exe
- %SysDir%\drivers\spoolsv.exe
- %SysDir%\drivers\svchost.exe