Gen.Variant.Graftor.Elzob.20514_791119c7bf
Gen:Variant.Graftor.Elzob.20514 (B) (Emsisoft), Gen:Variant.Graftor.Elzob.20514 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 791119c7bf12e9e481d402aa2c0d6a61
SHA1: f0c52cba443d72ccafa52816491293755ddeb148
SHA256: f70debae9fc06cfd99c5efd2f07111fb5f9db54a4121c3898df6d7f5a49ae9f6
SSDeep: 24576:kyz3wpadWLz1zeIPcQsyTnX0iIdCl/w66yiOLD:kyz3hWL1bPcQsyTGCF1X
Size: 1155072 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Mail.Ru
Created at: 2017-01-31 07:16:54
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:3360
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\xunxi.dll (806 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PKE6VURS.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\77IQI73P.txt (301 bytes)
C:\config.ini (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\RGO0T4T8.txt (447 bytes)
The Trojan deletes the following file(s):
C:\gg.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PKE6VURS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\77IQI73P.txt (0 bytes)
Registry activity
The process %original file name%.exe:3360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\791119c7bf12e9e481d402aa2c0d6a61_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\791119c7bf12e9e481d402aa2c0d6a61_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\791119c7bf12e9e481d402aa2c0d6a61_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\791119c7bf12e9e481d402aa2c0d6a61_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\791119c7bf12e9e481d402aa2c0d6a61_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\791119c7bf12e9e481d402aa2c0d6a61_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\791119c7bf12e9e481d402aa2c0d6a61_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\791119c7bf12e9e481d402aa2c0d6a61_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\791119c7bf12e9e481d402aa2c0d6a61_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\791119c7bf12e9e481d402aa2c0d6a61_RASMANCS]
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| d635f43a140e0bef50c2f4e455c9a539 | c:\xunxi.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: exiaopi
Product Name: ????????
Product Version: 6.1.0.0
Legal Copyright: exiaopi ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 6.1.0.0
File Description: ????????
Comments: ????????
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 542338 | 544768 | 4.546 | 9ecf3835af40c7631c3800dda92fb9ca |
| .rdata | 548864 | 487628 | 491520 | 4.95217 | f8c239a24f20413cff517855df6572ec |
| .data | 1040384 | 324810 | 73728 | 3.54431 | 2a7e99adaf9853e879603a5c5d2eaac5 |
| .rsrc | 1368064 | 37468 | 40960 | 3.03661 | ad65a3f4304e19bccbb41f273766f09d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.a.shifen.com/ | |
| hxxp://xunxi.lvdp.net/sid_xunxi/XUNXI34237020SWflHps/tongji.php | |
| hxxp://xunxi.lvdp.net/sid_xunxi/XUNXI34237020SWflHps/tongji.php?onoffline=on | |
| hxxp://xunxi.lvdp.net/sid_xunxi/XUNXI34237020SWflHps/tongji.php?var=pcs | |
| hxxp://xunxi.lvdp.net/sid_xunxi/XUNXI34237020SWflHps/tongji.php?var=times | |
| hxxp://xunxi.lvdp.net/sid_xunxi/XUNXI34237020SWflHps/tongji.php?var=update | |
| hxxp://www.baidu.com/ | |
| 002.3vftp.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
Traffic
GET / HTTP/1.1
User-Agent: test
Host: VVV.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Feb 2017 00:52:35 GMT
Content-Type: text/html
Content-Length: 14613
Last-Modified: Tue, 17 Jan 2017 08:28:00 GMT
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=91D16C85DFB4C1ED94F0EB273AC9E502:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=91D16C85DFB4C1ED94F0EB273AC9E502; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1486601555; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Cache-control: no-cache
Accept-Ranges: bytes
GET /sid_xunxi/XUNXI34237020SWflHps/tongji.php?onoffline=on HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: xunxi.lvdp.net
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Feb 2017 00:52:56 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html4..true..0......
GET /sid_xunxi/XUNXI34237020SWflHps/tongji.php?var=pcs HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: xunxi.lvdp.net
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Feb 2017 00:53:04 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html4..true..0..
GET /sid_xunxi/XUNXI34237020SWflHps/tongji.php?var=times HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: xunxi.lvdp.net
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Feb 2017 00:53:31 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html4..true..0......
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\xunxi.dll (806 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PKE6VURS.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\77IQI73P.txt (301 bytes)
C:\config.ini (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\RGO0T4T8.txt (447 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.