What is Watermark.exe and how do I remove it?

Yeah... this is a nasty little POS. More recent releases back themselves up with a timer entry, using a completely random filepath.

I have to say, it's been a good few years since I've seen an implementation that isn't caught by MWB or even MSE. I honestly suggest, seeing that this is one of the nastier infections out there, that you do that planned upgrade of yours.

More information:

I'm not usually a scaremonger but this is truly something awful. I've never seen two infections the same, which really makes the blood pressure rise. There's even rumoured to be a relationship between WTMark and W32.Ramnit, which caused headaches for a while. AFAIK, WTMark doesn't create an open RAccess point... but that said, I don't quite know what it does. Anyway, for those of you interested, here are a few tidbits about the old version from 2010:

Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Value: "c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"

Folders:
C:\Program Files\Microsoft\
Files:
C:\Program Files\Microsoft\WaterMark.exe
—————————————————————————————————————————-
Classification:
Antivirus   Version        Last Update   Result
F-Secure    9.0.16160.0    2010.11.23    Rootkit.41838
Kaspersky   7.0.0.125      2010.11.24    Backdoor.Win32.IRCNite.bwj
Microsoft   1.6402         2010.11.23    Worm:Win32/Ramnit.A
NOD32       5643           2010.11.23    a variant of Win32/Kryptik.HWL

—————————————————————————————————————————-

MD5 01d5dc5b58dc4a7d7a3644b52c33beb1

SHA1 9f3db6b7da392ecbb84088801d4dd446d31c6e6d

SHA256 f27609e00cdf1468225ad9944fb421281283a390663659a37678d30f038a059b

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Values modified:2
———————————-
(-) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,"
(+) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"

———————————-
Files added:2
———————————-
C:\Program Files\Microsoft\WaterMark.exe
C:\WINDOWS\system32\dmlconf.dat

———————————-
Files [attributes?] modified:90
———————————-
C:\D\M\3B\3WARERUN.exe
C:\D\M\3B\3WARESRV.exe
C:\D\M\AM\AMDIDECO.dll
C:\D\M\AU3\COIN5288.dll
C:\D\M\C1\CPQCISS.dll
C:\D\M\C1\cpqsetup.exe
C:\D\M\E\ELXSTOR.dll
C:\D\M\IB4\DPRUN.exe
C:\D\M\IB5\DPRUN.exe
C:\D\M\N\123\IDECOI.dll
C:\D\M\N\123\NVCOI.dll
C:\D\M\N\4\IDECOI4.dll
C:\D\M\N\4\NVCOI4.dll
C:\D\M\N\4IN\IDECOI4IN.dll
C:\D\M\N\4IN\NVCOI4IN.dll
C:\D\M\N\5\IDECOI5.dll
C:\D\M\N\5\NVRAIDCO5.dll
C:\D\M\N\6\idecoi.dll
C:\D\M\N\6\nvraidco.dll
C:\D\M\N\TM\IDECOI.dll
C:\D\M\N\TM\NVCOI.dll
C:\D\M\P\K\PTIPBM.dll
C:\D\M\P\K\PTIPBMF.dll
C:\D\M\P\PTIPBMF.dll
C:\D\M\P\S\PTIPBMF.dll
C:\D\M\P2\K\PTIPBMF.dll
C:\D\M\P2\PTIPBMF.dll
C:\D\M\P2S\PTIPBMF.dll
C:\D\M\P3\ULUTIL2.dll
C:\D\M\P6\ULUTIL2.dll
C:\D\M\P7\ULUTIL2.dll
C:\D\M\Q2\QLSDM.dll
C:\D\M\Q3\QLSDM.dll
C:\D\M\S2\readme.htm
C:\D\M\SIS\PROPERTY.dll
C:\D\M\SIS1\PROPERTY.dll
C:\D\M\SIS2\PROPERTY.dll
C:\D\M\V4\VIDEINST.DLL
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\50icvyvs.default\bookmarks.html
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7effb67a-n\msvcr71.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\0000777c\cacheMod.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\2A67BCDDA912C9E1151DAC8A3886B099.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\2A67BCDDA912C9E1151DAC8A3886B099good.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\3DAFB498BB15D5260CB2C12B391A0D48good.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\4928FA5ED61C213B66AE8036A96037D1.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\51B4AC4B16AF290726DEC20AF78929FB.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\60547D65D6527B082116FB88F7F8993F.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\749F39EC981D04E4323CBAAE5EC78A4D.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@2A67BCDDA912C9E1151DAC8A3886B099.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@3DAFB498BB15D5260CB2C12B391A0D48.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@4928FA5ED61C213B66AE8036A96037D1.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@51B4AC4B16AF290726DEC20AF78929FB.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@60547D65D6527B082116FB88F7F8993F.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@749F39EC981D04E4323CBAAE5EC78A4D.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@84AD338DB12B2583B6B3BBF71AFC9C3D.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@BFA4AE30B3AC10E9223830BF103F5A3F.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@C0E8DBF2F9524B0F90EBB7B76CF598BB.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@C1B29B4E6EEA9510610DB2EC4D6DB160.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@C1DFA73699B4A1D6323C2069EE668BD5.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@C4B470269324517EE838789C7CF5E606.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\@FA579938B0733B87066546AFE951082C.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\BFA4AE30B3AC10E9223830BF103F5A3Fgood.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\C0E8DBF2F9524B0F90EBB7B76CF598BB.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\C1B29B4E6EEA9510610DB2EC4D6DB160.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\C1DFA73699B4A1D6323C2069EE668BD5.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\C4B470269324517EE838789C7CF5E606.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\F2DF0FDBD41B34112EE05ED04258F052.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\FA579938B0733B87066546AFE951082C.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\regruninfo.htm
C:\Documents and Settings\Administrator\Local Settings\Temp\GreatisTmp\report.html
C:\mute.exe
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_07.b06\msvcr71.dll
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_07.b06\regutils.dll
C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Citrus Punch.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Clear Day.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Fiesta.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Glacier.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Ivy.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Leaves.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Maize.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Nature.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Network Blitz.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Pie Charts.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Sunflower.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Sweets.htm
C:\Program Files\Common Files\Microsoft Shared\Stationery\Technical.htm
C:\Program Files\Common Files\Microsoft Shared\VC\msdia80.dll
C:\Program Files\Common Files\System\ado\MDACReadme.htm
C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL

———————————-
Folders added:1
———————————-
C:\Program Files\Microsoft

———————————-
Total changes:95
———————————-
/r/techsupport Thread
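The persistence trick in the quoted report is worth checking for directly: Winlogon runs every non-empty, comma-separated entry in the Userinit value, so an extra path appended after userinit.exe (even behind a doubled comma) starts with every interactive logon. The script below is an added example, not code from the post or from any of the vendors named in the report. It parses a Userinit value, flags anything that is not the expected userinit.exe, and, when run on Windows, reads the live value through the standard-library winreg module. It assumes %SystemRoot% is C:\WINDOWS (adjustable via the systemroot parameter); the two sample values are copied from the report above and labelled as such.

```python
"""Check a Winlogon Userinit value for appended executables (added example)."""
import re
from typing import Dict, List, Optional

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SYSTEMROOT = r"C:\WINDOWS"   # assumption: default install path

# Constructed samples: the clean and infected values quoted in the report above.
CLEAN_VALUE = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_VALUE = (r"c:\windows\system32\userinit.exe,,"
                  r"c:\program files\microsoft\watermark.exe")


def _normalise(entry: str, systemroot: str) -> str:
    """Strip quotes/whitespace, expand %SystemRoot%, lower-case for comparison."""
    entry = entry.strip().strip('"')
    # A lambda avoids backslash-escape processing in the replacement string.
    entry = re.sub(r"%systemroot%", lambda _m: systemroot, entry, flags=re.IGNORECASE)
    return entry.lower()


def parse_userinit(value: str, systemroot: str = DEFAULT_SYSTEMROOT) -> List[str]:
    """Split the value the way Winlogon does: commas separate programs, empty
    entries (such as the doubled comma in the infected sample) are ignored."""
    return [_normalise(e, systemroot) for e in value.split(",") if e.strip()]


def expected_userinit(systemroot: str = DEFAULT_SYSTEMROOT) -> str:
    return (systemroot + r"\system32\userinit.exe").lower()


def assess_userinit(value: str, systemroot: str = DEFAULT_SYSTEMROOT) -> Dict:
    """Report which entries are present, which are unexpected, and whether the
    value is clean (exactly the stock userinit.exe and nothing else)."""
    entries = parse_userinit(value, systemroot)
    expected = expected_userinit(systemroot)
    unexpected = [e for e in entries if e != expected]
    present = expected in entries
    return {
        "entries": entries,
        "expected_present": present,   # False means logons would break
        "unexpected": unexpected,      # candidates for persistence
        "clean": present and not unexpected,
    }


def clean_value(systemroot: str = DEFAULT_SYSTEMROOT) -> str:
    """The stock value (trailing comma included) to restore once the extra
    executable has been dealt with."""
    return systemroot + r"\system32\userinit.exe,"


def read_live_userinit() -> Optional[str]:
    """Read the live value on Windows; returns None elsewhere or on failure."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            value, _type = winreg.QueryValueEx(key, "Userinit")
        return value
    except OSError:
        return None


if __name__ == "__main__":
    samples = [("clean sample", CLEAN_VALUE), ("infected sample", INFECTED_VALUE)]
    live = read_live_userinit()
    if live is not None:
        samples.append(("this machine", live))
    for label, value in samples:
        result = assess_userinit(value)
        print(f"{label}: clean={result['clean']} unexpected={result['unexpected']}")
```

The script only reads; writing the stock value back is a one-line winreg.SetValueEx call, but do it after the flagged file has been copied off for hashing and the file itself removed, otherwise the next logon just runs it again from whichever timer or secondary path the newer variants add. Run it from an elevated prompt so the HKLM read is not silently denied.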