Trojan: winntR1.exe, winntR2.exe, winnt2.exe, winnt3.exe, winnt4.exe, winnt5.exe, winnt.6.exe


Virus/Trojan Summary

Name: Generic.dx!zi!1958aa4e01e3 (McAfee), Trojan-Downloader.Win32.Banload (Ikarus)

Type: Trojan (downloader)


Infection Method: Email

The user received an email from a friend or colleague with a varying subject line (e.g. "Fotos Data: 17/06") and content similar to the following:

Imagens anexadas: DSC_252.jpg DSC_326.jpg DSC_417.jpg

The user clicked and opened the hyperlink, believing it was just a photo from a friend.

Note: do not click the .jpg link above; it leads to the actual trojan download location.

The user ignored the warning prompt:

The user clicked "Run".

A window like the one shown below reading "Arquivo Corrompido!" ("Corrupted file!") means the system is infected by the trojan.

Background Process after Infection:

You would notice the processes below in task manager:

  • winntR1.exe
  • winntR2.exe
  • winnt2.exe
  • winnt3.exe
  • winnt4.exe
  • winnt5.exe
  • winnt.6.exe

Network Activity after Infection:

The infected system tries to spread by sending mail over SMTP and HTTP (webmail), as shown below:

Based on the user's report, the trojan tries to spread by sending email from the user's Hotmail account to the contacts in that account's contact list.

Registry Modification

The following registry values were created under one of the two Run keys below:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • winntR1 = “C:\winnt_\winntR1.exe”
    • winntR2 = “C:\winnt_\winntR2.exe”
    • winnt2 = “C:\winnt_\winnt2.exe”
    • winnt3 = “C:\winnt_\winnt3.exe”
    • winnt4 = “C:\winnt_\winnt4.exe”
    • winnt5 = “C:\winnt_\winnt5.exe”
    • winnt6 = “C:\winnt_\winnt6.exe”

File System Modifications:

The following directory was created (the drop folder referenced by the Run values above):

  • C:\winnt_

Removal Method:

Note: the trojan may affect only the particular user profile that was infected.

  1. Log in as the user account that was infected by the trojan.
  2. Kill (End Task) every process whose name starts with winnt*.exe in Task Manager.
  3. Empty the Temporary Internet Files.
  4. Delete all winnt* entries in the registry keys below: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  5. Delete the HKEY_CURRENT_USER\dark key in the registry.
  6. Restart the computer.
  7. Log in as administrator.
  8. Delete the “c:\winnt_” folder.
  9. Download and run the removal tool from (this tool removes only certain infected files, which is why the manual clean-up above is needed before running it).
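The manual steps above, as an added PowerShell audit script (not part of the original report). It reports every indicator named on this page and only acts when run with -Remove; it assumes the winnt* process-name prefix, the C:\winnt_ folder and the HKCU\dark key exactly as listed above, and HKLM access requires an elevated session.

```powershell
# Added example (not from the original report): audit a Windows host for the
# winnt_ indicators listed above. Reports by default; pass -Remove to clean up.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$dropDir  = 'C:\winnt_'   # drop folder named in the Run values above
$darkKey  = 'HKCU:\dark'  # extra key the removal steps say to delete
$findings = @()

# 1. Running processes whose image name starts with winnt (winntR1, winnt2, ...)
$procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like 'winnt*' }
foreach ($proc in $procs) {
    $findings += "process  $($proc.ProcessName) (PID $($proc.Id)) path=$($proc.Path)"
    if ($Remove -and $PSCmdlet.ShouldProcess("PID $($proc.Id)", 'Stop-Process')) {
        Stop-Process -Id $proc.Id -Force
    }
}

# 2. Run-key values named winnt* or pointing into the drop folder
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'winnt*' -or "$($p.Value)" -like "$dropDir*") {
            $findings += "runkey   $key\$($p.Name) = $($p.Value)"
            if ($Remove -and $PSCmdlet.ShouldProcess("$key\$($p.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $p.Name
            }
        }
    }
}

# 3. The HKCU\dark key and the C:\winnt_ drop directory
foreach ($path in @($darkKey, $dropDir)) {
    if (Test-Path $path) {
        $findings += "path     $path exists"
        if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Remove-Item -Recurse')) {
            Remove-Item -Path $path -Recurse -Force
        }
    }
}

if ($findings.Count -eq 0) { 'No winnt_ indicators found.' } else { $findings }
```

Run it once without -Remove for each affected user profile (step 1 above) and once elevated for the HKLM key and the folder; -WhatIf previews the removals without making changes.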
