Gen.Variant.Zusy.183921_a4a0dacc6e
Gen:Variant.Zusy.183921 (BitDefender), Trojan-Dropper.Win32.Agent.fqvk (Kaspersky), Trojan.PWS.Vkontakte.259 (DrWeb), Gen:Variant.Zusy.183921 (B) (Emsisoft), Trojan-FKZY!A4A0DACC6E5E (McAfee), SMG.Heur!gen (Symantec), Trojan.Backdoor.Ircbot (Ikarus), Gen:Variant.Zusy.183921 (FSecure), Win32:Agent-AQRA [Trj] (AVG), Win32:Agent-AQRA [Trj] (Avast), TROJ_DROPPER_FD250377.UVPM (TrendMicro), Gen:Variant.Zusy.183921 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a4a0dacc6e5eca689ad822846c4cda83
SHA1: aa7be6ace25969251186f8046887013c5ae22849
SHA256: 6ea4acfd9e8da70ad522828b20e8e3b8c6d36e9ce7e18c2b03b998aeced7aa93
SSDeep: 98304:lTtc4gZte8n3S2JXQLGix sTftF1nt3VM8/Z W4uASRrZ1cFuBa3:peZtn3S2OXF1ntFMevASh8F93
Size: 5101104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-09-24 18:34:15
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
install.exe:3132
go.exe:816
Temp51.exe:2688
wm_player.exe:2796
setup.exe:1292
%original file name%.exe:2668
The Trojan injects its code into the following process(es):
go.exe:3104
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process install.exe:3132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\79.arc (1340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\engine\cry.obo (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\engine\who.obo (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\go.exe (9474 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\wm_player.exe (9809 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\79.arc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\1111ProgStart.name (0 bytes)
The process go.exe:3104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Windows\driiver\wm_player.exe (7775 bytes)
The process go.exe:816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\setup.exe (290 bytes)
The process Temp51.exe:2688 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\RCXE1A8.tmp (26426 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF62.exe (38671 bytes)
C:\%original file name%.exe (38295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX51.arc (295269 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\w.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\1111ProgStart.name (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX51.arc (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\ww.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\install.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF62.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\go.exe (0 bytes)
The process wm_player.exe:2796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\driiver\date.obo (3 bytes)
The process setup.exe:1292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\StealthMode.ini (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\AgeVerify.ini (1284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\StealthAttention.ini (1122 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg65A6.tmp (0 bytes)
The process %original file name%.exe:2668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\w.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\ww.txt (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\install.exe (9918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp51.exe (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\setup.exe (39784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\go.exe (1016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\31.arc (750 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\1111ProgStart.name (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\31.arc (0 bytes)
Registry activity
The process go.exe:3104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\go_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\go_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\go_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
To run automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wm_player_video_driver" = "C:\windows\driiver\wm_player.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process wm_player.exe:2796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process setup.exe:1292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\thriXXX\3DSexVilla2\3DSexVilla2SharedDLL]
"PNG" = "010218PNG"
"JP2" = "017010JP2"
Dropped PE files
MD5 | File path |
---|---|
2f6cb6b2cdf9c073de11c43d6cd5d58c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\install.exe |
e18b0d94dd1e96b5b7d9485b6e44806f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\setup.exe |
36b99a635a0d4f0f9fccbe2dda28ed6a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\wm_player.exe |
41f47d5ba84a9e073ee7276dfaf75648 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\go.exe |
36b99a635a0d4f0f9fccbe2dda28ed6a | c:\Windows\driiver\wm_player.exe |
98b6970ef3e12097323e8e29a7b1dbd7 | c:\%original file name%.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: 33333.exe
Internal Name: 33333.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.code | 4096 | 7205 | 7680 | 3.83637 | d583f61ca3321710ae3e88dbd1172e72 |
.text | 12288 | 85162 | 85504 | 4.62348 | 32092f473b5ba3180a37e4c44dbb6614 |
.rdata | 98304 | 25962 | 26112 | 5.23878 | b6ab1fe668ae5da27a25120ba9c173de |
.data | 126976 | 9288 | 8192 | 3.97575 | eee56163f1cf3a0cf154654949eb6c4e |
.rsrc | 139264 | 4972272 | 4972544 | 5.53749 | 0a3993cd73f49882f4881df607b0e945 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 81
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
install.exe:3132
go.exe:816
Temp51.exe:2688
wm_player.exe:2796
setup.exe:1292
%original file name%.exe:2668
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\79.arc (1340 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\engine\cry.obo (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\engine\who.obo (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\go.exe (9474 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp912324$\driiver\wm_player.exe (9809 bytes)
C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬1.png (3 bytes)
C:\Windows\driiver\É¿ßp¡¬¿\É¿ßp¡«¬2.png (3 bytes)
C:\Windows\driiver\wm_player.exe (7775 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\setup.exe (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\RCXE1A8.tmp (26426 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\1111ProgStart.name (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\TempExeF62.exe (38671 bytes)
C:\%original file name%.exe (38295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\PureSFX51.arc (295269 bytes)
C:\Windows\driiver\date.obo (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\StealthMode.ini (1303 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\AgeVerify.ini (1284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw65B7.tmp\StealthAttention.ini (1122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\w.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\ww.txt (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\install.exe (9918 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\Temp51.exe (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\$msTemp639551$\go.exe (1016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\msoldfiles\31.arc (750 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"wm_player_video_driver" = "C:\windows\driiver\wm_player.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.