Trojan.Generic.16990321_2429198e86

by malwarelabrobot on May 1st, 2017 in Malware Descriptions.

Trojan.Generic.16990321 (BitDefender), Trojan.Win32.Vobfus.auqp (Kaspersky), Trojan.Generic.16990321 (B) (Emsisoft), Artemis!2429198E8664 (McAfee), Trojan.SuspectCRC (Ikarus), Trojan.Generic.16990321 (FSecure), Trojan.Generic.16990321 (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 2429198e866499ddb56c515b61d1603f
SHA1: d3e591a4f5e29e5a2067ad1ceb9acbf9ed8bba3e
SHA256: 2e2aee86083d575530fd587e60645b47396c92e1aafc18042cc8d1901ac4a5b9
SSDeep: 12288:YAmXz4aQSq7HOC xDrKSLOCkel0QfzU9yvY9B3C0grCW/x37jrNEwJCXgsaWvDCH:yD4XC3qBSPnrjR9JVYxQr
Size: 970752 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-11-02 09:11:04
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2712

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\update[1].htm (3 bytes)

Registry activity

The process %original file name%.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\2429198e866499ddb56c515b61d1603f_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\2429198e866499ddb56c515b61d1603f_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\2429198e866499ddb56c515b61d1603f_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\2429198e866499ddb56c515b61d1603f_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\2429198e866499ddb56c515b61d1603f_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2429198e866499ddb56c515b61d1603f_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\2429198e866499ddb56c515b61d1603f_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????
Product Name: Justinmind???
Product Version: 0.0.0.54
Legal Copyright: Copyright (C) ?? 2014
Legal Trademarks:
Original Filename: Justinmind???.exe
Internal Name: Justinmind???
File Version: 0.0.0.63
File Description: Justinmind???
Comments:
Language: German (Germany)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             502586        502784    4.62061  1ddf7b614aab02142d260f00aa34d5dd
.rdata  507904           103698        103936    4.28294  d2e4750c7736d171453ec985b0b601ed
.data   614400           18680         9216      3.39751  2b188acebe3ec790c0cbefd48c37590b
.rsrc   634880           353608        353792    3.20914  e79c84b014908eeacd76e242e8899c68

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                                                  IP
hxxp://www.jmstu.com/update.html#0.0012512588885159  103.254.148.134


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)

Traffic

GET /update.html#0.0012512588885159 HTTP/1.1
User-Agent: Mozilla/4.0
Host: VVV.jmstu.com


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 30 Apr 2017 19:00:29 GMT
Content-Type: text/html
Content-Length: 3
Connection: keep-alive
X-Accel-Version: 0.01
Last-Modified: Sun, 04 Jan 2015 02:49:03 GMT
ETag: "3-50bca9de058b5"
Accept-Ranges: bytes
Vary: User-Agent

3.1


The Trojan connects to the servers at the following location(s):

Strings from dumps

%original file name%.exe_2712:

.text
`.rdata
@.data
.rsrc
?%uYG
xSSSh
FTPjKS
FtPj;S
C.PjRV
iu2.iu%
cmd.exe
Visual C++ CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
_CMDLINE
import preload;
com.each = function(obj) begin
if(type(obj)==type.function)obj=obj();
if(!com.IsObject(obj))error('
try{enumerator = com.GetEnumerator(obj);}catch(e){err=e}if(err)error(err,2);var function iterator( index ) {var value = owner.Next();return ( value ? index+1 : null ) , value ;}return iterator, enumerator, 0;end
There was not enough memory to complete the operation
Windows error
Unsupported feature required
%d.%d
com.dll
Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
com.getIUnknow() QueryInterface Failed!
-mapid %d
hh.exe
ID:0x%X: %s
pointer/*com.VARIANT*/
$Spp: AAuto v6.0 Copyright (C) ecranesoft.com $
$URL: VVV.ecranesoft.com $
File %s, Line %d
ExportConstants
ExportEnumerations
ole.host
expected: ::MSG struct
com.CreateEmbed
Invalid form.hwnd!
Union type not supported!
Record type not supported!
TKIND_MODULE and TKIND_MAX not supported!
Exception (%s)
IDispatch.Pointer
invalid object(com.IDispatch)
Property putref not supported.
Property puts with more than two parameters aren't supported.
showMsg
error: error during error handler execution.
load resource(%s/%s) failed!
bad argument:@%d '%s'
calling:'%s'
bad argument:@%d
expected:%s
got:%s
file:%s
line:#%d
invalid option:'%s'
%s.%s
attempt to use a closed object: %s:#%d ( type:'%s.%s')
stack overflow (%s)
name conflict for namespace '%s'
failed:%s
error:%s
field:'%s'
thread id:%d
thread error:%s
return %s
callback : _struct error '...%s'
Cannot load library '%s'.
%s._struct not found!
Invalid _struct{%s...},Expected a field name! [in]
field:%s
field:%s.%s
Invalid _struct: {...%s},Data Type Error(%c...key:%s) [out]
{ %s }
Invalid _struct{%s...},Expected a field name! [out]
Failed to get the size of the dynamic array!field(%s)
Cannot load remote library '%s'.
Cannot find remote function '%s' in the dll.
Cannot find function '%s' in the dll.
Declare Api:'%s'
Data type error: '...%s'
Struct size has more than %d
%s %s[%d]
invalid key to 'next'
Cann't modify a %s : '%s'
attempt to:%s
kind:%s
name:'%s'
type:%s
attempt to:compare two %s values
attempt to:compare %s with %s
file:%s:
join
^$* ?.:([\-{<%
invalid replacement value (a %s)
no function environment for tail call at level %d
in function '%s'
in function <%s:%d>
import-namespace conflict for global.%s
import
import ide;
importFile
import %s failed ! file not found
import %s failed !syntax error:
import %s failed :
import-namespace conflict for self.%s
%s: %p
io.FILE*
Invalid time:Invalid dayofweek(%d) outside valid range(0~6)
Invalid time:Invalid month(%d) outside valid range(1~12)
Invalid time:Invalid day(%d) outside valid range(1~31)
Invalid time:hour(%d) outside valid range(0~23)
Invalid time:minute (%d) outside valid range(0~59)
Invalid time:second(%d) outside valid range(0~59)
Invalid time:year(%d) outside valid range(1900~9999)
Invalid format directive(...%s)
thread.call() error
[%d]=
['%s']=
["%s"]=
%s'%s'
%s"%s"
%snull
%stopointer(0x%p)
io.file(closed)
io.file(%p)
standard %s file is closed
cdata( by raw.malloc() )
%s\%s
_exepath
_exedir
_exefile
char(%d)
near:...'%s'
byte:%s
$"%s"
%s: %s in precompiled chunk
expected:'%s'
main function has more than %d %s
function at line %d has more than %d %s
match for:'%s'
match line:%d
expected:keyword
%H:%M:%S
%m/%d/%y %H:%M:%S
%m/%d/%y
?#%X.y
%S#[k
KERNEL32.dll
USER32.dll
ole32.dll
SHDeleteKeyA
SHLWAPI.dll
GetProcessHeap
GetCPInfo
CreatePipe
SetViewportExtEx
SetViewportOrgEx
GDI32.dll
RegEnumKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
OLEAUT32.dll
zcÁ
c:\%original file name%.exe
@E:\aauto\aauto\lib\com\picture.aau
com.picture
win.guid
win.ole
@E:\aauto\aauto\lib\fsys\_.aau
fsys.path
SHFileOperation
SHFileOperationA
operation
fsys.shortpath()
joinpath
int hwnd;INT wFunc;string pFrom;string pTo;WORD fFlags;int fAnyOperationsAborted;pointer hNameMappings;string lpszProgressTitle
@E:\aauto\aauto\lib\fsys\path.aau
Shlwapi.dll
[\/\:\*\?\"\<\>]
@E:\aauto\aauto\lib\gdi\_.aau
.LOGFONT
Gdi32.dll
int(ptr hdcDest,int xoriginDest,int yoriginDest,int wDest,int hDest,pointer hdcSrc,int xoriginSrc,int yoriginSrc,int wSrc,int hSrc,INT crTransparent)
ptr hdcSrc, struct ptSrc, INT crKey,struct blend, INT flags)
#X
#X
crKey
@E:\aauto\aauto\lib\inet\_.aau
Wininet.dll
pointer(string agent,INT accessType,string proxy,string proxyBypass,INT flags)
pointer(POINTER hInet,string serverName,INT serverPort,string userName,string password,INT service,INT flags,INT context)
FindFirstUrlCacheEntry
pointer(pointer lpszUrlSearchPattern,struct &lpFirstCacheEntryInfo,INT& lpcbCacheEntryInfo)
FindNextUrlCacheEntry
FindCloseUrlCache
GetUrlCacheEntryInfo
int(str url,struct &acheEntryInfo,INT &size)
DeleteUrlCacheEntry
int(string urlname)
bool(string url,str name,str &data,INT & size)
int(string url,str name,str data)
INT dwAccessType;string lpszProxy;string lpszProxyBypass
lpszProxyBypass
bypassList
INT reserved;INT exemptDelta
INT cbSize;string url;string fileName;INT cacheEntryType;INT useCount;INT hitRate;INT sizeLow;INT sizeHigh;struct lastModifiedTime;struct expireTime;struct lastAccessTime;struct lastSyncTime;string headerInfo;INT headerInfoSize;string fileExtension;union reserved;BYTE buffer[4016]
hXXp://
@E:\aauto\aauto\lib\inet\file.aau
inet.file
@E:\aauto\aauto\lib\inet\http.aau
inet.url
thread.shareHandle
HttpOpenRequest
HttpOpenRequestA
HttpAddRequestHeaders
HttpQueryInfoA
HttpSendRequest
HttpSendRequestA
HttpSendRequestEx
HttpEndRequest
Mozilla/4.0
{6D36619B-AC69-4570-BF75-EE3677A879E6}
inet.http
securityFlagIgnoreCertCnInvalid
securityFlagIgnoreCertDateInvalid
port
password
beginRequest->HttpOpenRequest
lastReuestUrl
tUrl
joinHeaders
[^/\\]+\.[^.]+$
index.html
Content-Type:application/x-www-form-urlencoded
proxyBypass
@E:\aauto\aauto\lib\inet\url.aau
UrlIsA
bool(str url,int urlis)
UrlCombine
UrlCombineA
UrlCanonicalize
UrlCanonicalizeA
int(str url,str& out,INT& size, INT flags)
UrlUnescape
UrlUnescapeA
int(str url,str &unescaped,INT& size,INT flags)
UrlEscape
UrlEscapeA
int(str url,str &escaped,INT& size,INT flags)
InternetCrackUrl
bool(str url,INT len,INT flags,struct &components)
InternetCreateUrl
bool(struct components,INT flags,str& url,INT& len)
turl
%%X
urlDecode
passwordLen
INT size;string scheme;INT schemeLen;INT schemeNum;string host;INT hostLen;WORD port;string user;INT userLen;string password;INT passwordLen;string path;INT pathLen;string extraInfo;INT extraInfoLen
urlComponents
URL_COMPONENTS
@E:\aauto\aauto\lib\preload\_.aau
User32.dll
Kernel32.dll
MsgWaitForMultipleObjects
EXCEPTION_FLT_DENORMAL_OPERAND
EXCEPTION_FLT_INVALID_OPERATIO
0xX
\.*(.+)(%\[\])$
\.*(.+)\.([^.]+)$
keys
hasMsg
msgWaitForMultipleObjects
@E:\aauto\aauto\lib\process\_.aau
sys.info
Psapi.dll
ntdll.dll
ShellExecuteEx
ShellExecuteExA
int(string app, string &cmd, pointer processAttributes,pointer threadAttributes, bool inheritHandles, INT creationFlags,str environment, string lpCurrentDirectory, struct lpStartupInfo, struct& lpProcessInformation )
Advapi32.dll
int(string user,string domain,string pwd,INT flags,string app, string &cmd, INT creationFlags,str environment, string lpCurrentDirectory, struct lpStartupInfo, struct& lpProcessInformation )
FindExecutable
FindExecutableA
isExe
findExe
SHELLEXECUTEINFO
joinArguments
INT cbSize;INT fMask;int hwnd;string lpVerb;string lpFile;string lpParameters;string lpDirectory;int nShow;int hInstApp;pointer lpIDList;string lpClass;int hkeyClass;INT dwHotKey;union DUMMY;pointer hProcess
showCmd
Explorer.exe
szExePath
INT dwSize;INT th32ModuleID;INT th32ProcessID;INT GlblcntUsage;INT ProccntUsage;addr modBaseAddr;INT modBaseSize;pointer hModule;byte szModule[256];byte szExePath[260]
szExeFile
INT dwSize;INT cntUsage;INT th32ProcessID;INT th32DefaultHeapID;INT th32ModuleID;INT cntThreads;INT th32ParentProcessID;INT pcPriClassBase;INT dwFlags;BYTE szExeFile[260]
@E:\aauto\aauto\lib\sys\info.aau
@E:\aauto\aauto\lib\thread\shareHandle.aau
thread.table
{93B5BAF4-EE2F-4A70-8295-F0F1D896C775}
{6D47D215-F4AD-478E-8EC0-029CA5C39612}
{EF819EA3-9D57-4C32-A68C-6D39CA55BECE}
@E:\aauto\aauto\lib\thread\table.aau
INIT.THREAD.CALL.{7EC7B22E-F1A6-4AA7-B5A3-4741C583AA00}
@E:\aauto\aauto\lib\util\metaProperty.aau
@E:\aauto\aauto\lib\web\_.aau
mapurl
@E:\aauto\aauto\lib\win\_.aau
int(addr hwnd,INT msg,ADDR wParam,addr lParam)
int(ptr lpPrevWndFunc,addr hwnd,INT Msg,ADDR wParam,addr lParam)
addr(addr hwnd,INT msg,ADDR wParam,addr lParam)
addr(int idThread,INT msg,ADDR wParam,addr lParam)
addr(addr hwnd,INT msg,ptr wParam,ptr lParam)
addr(addr hwnd,INT msg,int &wParam,int &lParam)
addr(addr hwnd,INT msg,ptr wParam,ptr lParam,INT flags,INT timeout,int & resultult)
GetAsyncKeyState
word(int vKey)
GetKeyState
word( int vKey)
int( addr hwnd,INT uCmd)
bool(addr hwnd,int cmd)
msgbox
msgboxTest
msgboxErr
msgboxTimeout
win.invoke()
INT(int hDlg,struct IpMsgc)
UxTheme.dll
%s[TID:%d]
msg_observer
@E:\aauto\aauto\lib\win\guid.aau
util.metaProperty
Rpcrt4
Rpcrt4.dll
Ole32.dll
@E:\aauto\aauto\lib\win\ole\_.aau
Oleaut32.dll
@E:\aauto\aauto\lib\win\reg.aau
RegCreateKeyEx
int( addr hKey,str subKey,INT Reserved,str lpClass,INT opt,INT samDesired,struct lpSecurityAttributes,addr &phk,INT &lpdwDisposition)
RegOpenKeyEx
int(addr hKey,string subKey,INT ulOpt,INT samDesired,addr &phk)
int(addr hKey)
int(addr hKey,string name)
RegDeleteKey
RegDeleteKeyA
int(addr hKey,string lpSubKey)
int(addr hKey,string name,INT Reserved,INT dwType,struct lpData,INT cbData)
int(addr hKey,string name,INT Reserved,INT &dwType,struct&lpData,INT&lpcbData)
int(addr hKey,string name,INT Reserved,INT dwType,string lpData,INT cbData)
int(addr hKey,string name,INT Reserved,INT &dwType,string&lpData,INT&lpcbData)
int(addr hKey,string name,INT Reserved,INT &dwType,str&lpData,INT&lpcbData)
int(addr hKey,string name,INT Reserved,INT &dwType,pointer lpData,INT&lpcbData)
RegSaveKey
RegSaveKeyA
int(addr hKey,string lpFile,pointer lpSecurityAttributes)
RegRestoreKey
RegRestoreKeyA
int(addr hKey,string lpFile,int dwFlags)
int(addr hKey,int dwIndex,string &name,int& lpcbValueName,pointer lpReserved,int& lpType,string& lpData,int& lpcbData)
RegEnumKeyEx
int(addr hKey,int dwIndex,string &lpName,int& lpcbName,pointer lpReserved,string lpClass,int& lpcbClass,struct& lpftLastWriteTime)
RegOverridePredefKey
int(addr hKey,addr lpSubKey)
__predefinedKeys
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_CURRENT_USER_LOCAL_SETTINGS
overridePredefinedKey
eachKey
enumKey
delKey
delKeyTree
tkeys
keyname
tempkey
predKey
@E:\aauto\aauto\lib\win\ui\_.aau
win.ui.background
RegisterHotKey
UnregisterHotKey
int(int hwnd,int crKey,BYTE bAlpha,INT dwFlags)
.win.ui.ctrl
reghotkey
unreghotkey
cmdTranslate
_hotkeys
@E:\aauto\aauto\lib\win\ui\background.aau
win.ui
@Publish\release.win.ui.ctrl.aau
win.ui.ctrl.common
win.ui.ctrl.metaProperty
win.ui.ctrl.button
win.ui.ctrl
win.ui.ctrl.static
@E:\aauto\aauto\lib\win\ui\ctrl\button.aau
@E:\aauto\aauto\lib\win\ui\ctrl\common.aau
Comctl32.dll
@E:\aauto\aauto\lib\win\ui\ctrl\metaProperty.aau
@E:\aauto\aauto\lib\win\ui\ctrl\static.aau
@default.main.aau
win.reg
hXXp://VVV.jmstu.com/update.html#
HKEY_CLASSES_ROOT\Justinmind Prototyper File\shell\open\command
JustinmindPrototyper.exe
hXXp://VVV.jmstu.com/search/启动器 
\.configprops
\.datastorage
configuration\.dat
softPath
version="5.1.0.0"
15.exe"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\Software
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Interface: %s
COM.PICTURE
FSYS.PATH
INET.FILE
INET.HTTP
INET.URL
SYS.INFO
THREAD.SHAREHANDLE
THREAD.TABLE
UTIL.METAPROPERTY
WIN.GUID
WIN.OLE
WIN.REG
WIN.UI
WIN.UI.BACKGROUND
WIN.UI.CTRL
WIN.UI.CTRL.BUTTON
WIN.UI.CTRL.COMMON
WIN.UI.CTRL.METAPROPERTY
WIN.UI.CTRL.STATIC
0.0.0.63
.........................exe>
0.0.0.54


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\update[1].htm (3 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
