Win32.Virtob.Gen.12_22d20130f2
Virus.Win32.Virut.ce (Kaspersky), Win32.Virtob.Gen.12 (B) (Emsisoft), Win32.Virtob.Gen.12 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 22d20130f272af83f9b184d25f90c360
SHA1: 9006785712781362c332cbc09960afd0b0695fd9
SHA256: df2e4b02924ba8b1ca3a2ec32c3f56908968ad702c315842b2a0102d76f07362
SSDeep: 3072:Vjz/Cu5HynJfEucdl1EpZBkFIGpuy/9kJFmLVQnRVX6JTF8hOJkQONcyEg:Vjz6KSJDcvupfIuy/9i9RFMsOSzaZg
Size: 166400 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-04 15:35:59
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-PSW. Trojan program intended for stealing users' passwords.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:3888
pgzfge.exe:3984
pgzfge.exe:3704
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Server.ini (95 bytes)
C:\Windows\System32\pgzfge.exe (673 bytes)
The process pgzfge.exe:3704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\Server.ini (95 bytes)
Registry activity
The process %original file name%.exe:3888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\Rssgyq hhhwsoiskcq]
"Description" = "Æô¶¯Äú¼ÒÃÂÂ¥ÃÂøÂçÉõÄgghh Booth É豸µÄ¼ì²â¡£"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile
Propagation
VersionInfo
Company Name:
Product Name: NewServers ????
Product Version: 1, 0, 0, 1
Legal Copyright: ???? (C) 2017
Legal Trademarks:
Original Filename: NewServers.EXE
Internal Name: NewServers
File Version: 1, 0, 0, 1
File Description: NewServers Microsoft ???????
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 233472 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 237568 | 118784 | 117248 | 5.50384 | 99d1f52312a839f4e5a6cda087e2a268 |
| .rsrc | 356352 | 49152 | 48128 | 4.76099 | 04ea7e77f6e539f0b36f2f31c970729e |
| dqgtago | 405504 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| ilo.brenz.pl | |
| abetoj.com | |
| teredo.ipv6.microsoft.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Known Hostile Domain ilo.brenz.pl Lookup
Traffic
:irc 001 rfutogmr :Hi virtu.:irc 376 rfutogmr :End of /MOTD command.:irc 001 rfutogmr :Hi virtu.:irc 376 rfutogmr :End of /MOTD command...
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Server.ini (95 bytes)
C:\Windows\System32\pgzfge.exe (673 bytes)
C:\Windows\System32\Server.ini (95 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.