TROJAN-PSW.WIN32.ZBOT.4_64bit_6547c20e2c
Trojan.Win32.Bublik.caqm (Kaspersky), Trojan.GenericKD.1588089 (B) (Emsisoft), Trojan.GenericKD.1588089 (AdAware), GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 6547c20e2ce10eed3739af76becbae17
SHA1: d7f45d7f003ce9ca20a8f31004730be73f31a22c
SHA256: 771e93819c7edc041e078d81e24e17646fdf75c601ef9b5eaec0770668ee7619
SSDeep: 96:BPosVfXYEI3k8 rd2HGkRiDtrQ57fShKn9vwAl17q8d7ZH1YI2op:a4fXYEI3X rd0fiJY809YkvdVVRtp
Size: 6746 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-04-15 18:24:28
Analyzed on: Windows7 SP1 64-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The TROJAN-PSW creates the following process(es):
WMIADAP.EXE:332
bcdedit.exe:1608
bcdedit.exe:1312
bcdedit.exe:1324
bcdedit.exe:2904
bcdedit.exe:2920
bcdedit.exe:908
bcdedit.exe:2916
bcdedit.exe:1464
bcdedit.exe:1296
bcdedit.exe:944
dutit.exe:2860
systeminfo.exe:2032
WatAdminSvc.exe:2880
WatAdminSvc.exe:2864
TrustedInstaller.exe:3224
reader_sl.exe:2744
sppsvc.exe:1136
wsqmcons.exe:3028
opera_autoupdater.exe:2676
wueva.exe:2124
WinMail.exe:2640
The TROJAN-PSW injects its code into the following process(es):
butit.exe:2828
cmd.exe:1556
File activity
The process WMIADAP.EXE:332 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (363 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (1846 bytes)
The TROJAN-PSW deletes the following file(s):
C:\Windows\System32\wbem\Performance\WmiApRpl.h (0 bytes)
The process butit.exe:2828 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~8BF9.tmp (15 bytes)
C:\Windows\client64.dll (278 bytes)
C:\Windows\zlib1.dll (59 bytes)
C:\Windows\aplib64.dll (12 bytes)
C:\Windows\client.dll (227 bytes)
C:\Windows\aplib.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\298383.cmd (105 bytes)
The TROJAN-PSW deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~8BF9.tmp (0 bytes)
The process dutit.exe:2860 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X6MBDP6\yahoo_com[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe (1138 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LKF94D.bat (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1 bytes)
The process WatAdminSvc.exe:2880 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail (4 bytes)
C:\Windows\SysWOW64 (128 bytes)
C:\Users\adm (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.pml (549 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp (4 bytes)
C:\Windows (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData (20 bytes)
C:\$Directory (2904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders (4 bytes)
C:\Windows\System32 (1616 bytes)
The process WatAdminSvc.exe:2864 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (852 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6 (561 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6 (780 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (6 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (336 bytes)
The process TrustedInstaller.exe:3224 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (416 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (1368 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (280 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
C:\Windows\Logs\CBS\CBS.log (15573 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (3310 bytes)
C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (256 bytes)
The process reader_sl.exe:2744 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (5760 bytes)
C:\$Directory (192 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (7320 bytes)
C:\Windows\System32 (264 bytes)
The process sppsvc.exe:1136 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat (115 bytes)
The process opera_autoupdater.exe:2676 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dutit.exe (1138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHXUT0BO\Test[1].fb2 (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F9QIXL85\27UKp[1].fb2 (469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\butit.exe (660 bytes)
The process wueva.exe:2124 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Windows\System32\drivers\4b7ba.sys (1725 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NL7BBU8A\yahoo_com[1].htm (1 bytes)
C:\ (192 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (16896 bytes)
C:\Windows (292 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (13544 bytes)
C:\$Directory (392 bytes)
C:\Windows\System32 (7408 bytes)
The TROJAN-PSW deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NL7BBU8A\yahoo_com[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X6MBDP6\yahoo_com[1].htm (0 bytes)
The process WinMail.exe:2640 makes changes in the file system.
The TROJAN-PSW creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (27880 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (23104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2640_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06FF4E64-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06FF4E64-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
The TROJAN-PSW deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)
Registry activity
The process bcdedit.exe:1608 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:1312 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:1324 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:2904 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:2920 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:908 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:2916 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:1464 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:1296 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process bcdedit.exe:944 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\BCD00000000\Objects\{dcfaefcd-91cc-11e2-9557-a3a74339cda4}\Elements\16000049]
"Element" = "01"
The process butit.exe:2828 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "21 2F 6D ED CA 4C CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2C 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
To run itself automatically each time Windows boots, the TROJAN-PSW adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"forfPING" = "rundll32 C:\Windows\client64.dll,CreateProcessNotify"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The TROJAN-PSW deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process dutit.exe:2860 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "40 C9 77 EE CA 4C CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2D 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The TROJAN-PSW deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process systeminfo.exe:2032 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"mlang.dll,-4386" = "English (United States)"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
The process WatAdminSvc.exe:2880 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
The process TrustedInstaller.exe:3224 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package-TopLevel~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package-MiniLP~31bf3856ad364e35~amd64~en-US~10.2.9200.16521]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing]
"SessionIdHigh" = "30362827"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Spelling-Parent-Package-English~31bf3856ad364e35~~~10.2.9200.16437]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Hyphenation-Parent-Package-English~31bf3856ad364e35~~~10.2.9200.16437]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~en-US~10.2.9200.16521]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing]
"SessionIdLow" = "217541315"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Hyphenation-Package-English~31bf3856ad364e35~amd64~~6.2.9200.16437]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"
[HKLM\COMPONENTS\ServicingStackVersions]
"6.1.7601.17592 (win7sp1_gdr.110408-1631)" = "2014/3/31:10:21:59.212 6.1.7601.17592 (win7sp1_gdr.110408-1631)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-IE-Spelling-Package-English~31bf3856ad364e35~amd64~~6.2.9200.16437]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~amd64~en-US~10.2.9200.16521]
"Trusted" = "1"
[HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB958488~31bf3856ad364e35~amd64~~6.2.7600.16513]
"Trusted" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Microsoft-Windows-InternetExplorer-VistaPlus-Update~31bf3856ad364e35~amd64~~10.2.9200.16521]
"Trusted" = "1"
The TROJAN-PSW deletes the following value(s) in the system registry:
[HKLM\COMPONENTS]
"ExecutionState"
"PendingXmlIdentifier"
"RepairTransactionPended"
"PoqexecFailure"
The process reader_sl.exe:2744 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Umdejugi]
"17h0c258" = "2725182190"
The process wsqmcons.exe:3028 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\SQMClient\Windows]
"WSqmConsLastEventTimeStamp" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Microsoft\SQMClient\Windows\AdaptiveSqm\ManifestInfo]
"Version" = "0"
[HKLM\SOFTWARE\Microsoft\SQMClient\Windows]
"WSqmConsLastRunTime" = "Type: REG_QWORD, Length: 8"
The process opera_autoupdater.exe:2676 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "45 58 51 E7 CA 4C CF 01"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The TROJAN-PSW deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process wueva.exe:2124 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecision" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadNetworkName" = "Network 2"
"WpadDecisionTime" = "BB 31 A2 F2 CA 4C CF 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDecisionTime" = "40 C9 77 EE CA 4C CF 01"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Umdejugi]
"2i68e5jc" = "IfLCgV opXvh0JwoH"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl" = ""
[HKCU\Software\Microsoft\Umdejugi]
"1bbjh9de" = "zPpZotmgo3CR0A==H"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 2E 00 00 00 09 00 00 00 00 00 00 00"
To run itself automatically each time Windows boots, the TROJAN-PSW adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Wueva" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The TROJAN-PSW deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-ff-08-25]
"WpadDetectedUrl"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B767065D-10FC-4F32-9B0E-0DA1C32FC6F6}]
"WpadDetectedUrl"
The process WinMail.exe:2640 makes changes in the system registry.
The TROJAN-PSW creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"
[HKCU\Identities\{3F6462B6-0D79-49A2-A5DF-1C1BA99503E4}]
"Identity Ordinal" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows Mail]
"Settings Upgraded" = "10"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"qagentrt.dll,-10" = "System Health Authentication"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Wow64-VersionLow" = "0"
"Wow64-Revision" = "0"
"SubSysId" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VendorId" = "0"
[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"
[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "DE 07 03 00 01 00 1F 00 0A 00 15 00 1E 00 02 01"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-844" = "BitLocker Data Recovery Agent"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"SoftwareFallback" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32]
"fveui.dll,-843" = "BitLocker Drive Encryption"
[HKCU\Software\Microsoft\Windows Mail]
"Running" = "1"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Wow64-DXFeatureLevel" = "0"
[HKCU\Software\Microsoft\Windows Mail]
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"
[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"
[HKCU\Software\Microsoft\Windows Mail\Mail]
"Welcome Message" = "0"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"Revision" = "0"
"Wow64-SubSysId" = "0"
"Wow64-VersionHigh" = "0"
"Wow64-VendorId" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\24\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"
[HKCU\Identities]
"Identity Ordinal" = "2"
[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VersionHigh" = "0"
"DXFeatureLevel" = "0"
"Wow64-DeviceId" = "0"
[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"
[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{1EB81331-FC86-4AA6-8732-BE942D69423C}.oeaccount"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"DeviceID" = "0"
[HKCU\Software\Microsoft\IAM]
"Default LDAP Account" = "account{36371AF8-B4F9-4875-8144-FF4D5D7B9054}.oeaccount"
[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"
[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"
[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"
[HKCU\Software\Microsoft\Internet Explorer\GPU]
"VersionLow" = "0"
The TROJAN-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\WAB]
"NamedPropCount"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Identities]
"Changing"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Identities]
"IncomingID"
"OutgoingID"
[HKCU\Software\Microsoft\WAB]
"NamedProps"
Dropped PE files
MD5 | File path |
---|---|
4437ea54e849d46273b260372c6dec20 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\butit.exe |
7db604c446cb21b06b7673a9206914be | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\opera_autoupdater.exe |
046a9363a58f8c4105e5871a514b63cc | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2640_2 |
7fe2b0b3fc2078130f20070a05daf8d5 | c:\Windows\aplib.dll |
3f4fe60b6d1e05144f6efa098ac381a8 | c:\Windows\aplib64.dll |
01c1e3ab46762ef23eb2ac898ea84c2c | c:\Windows\client.dll |
86bb1de30ba26a8d34e6568ab59b89e0 | c:\Windows\client64.dll |
80e41408f6d641dc1c0f5353a0cc8125 | c:\Windows\zlib1.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "UNKNOWN" the TROJAN-PSW intercepts the loading of executable images into memory by installing a load-image notifier.
Using the driver "UNKNOWN" the TROJAN-PSW intercepts system registry operations by installing a registry notifier.
The sandbox does not resolve the driver's name. The dropped file C:\Windows\System32\drivers\4b7ba.sys together with the strings bcdedit.exe -set TESTSIGNING ON and %s\drivers\%s.sys in the memory dump below is the likely source: the analysis host is 64-bit Windows 7, whose kernel-mode code signing policy refuses to load an unsigned driver unless test-signing mode is on, which is what the repeated bcdedit.exe processes listed above turn on.
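As an added example (not code from the report or from Lavasoft), the following PowerShell triage checks whether the driver-loading chain the strings and dropped files above describe is present on a host: test-signing enabled in the boot configuration, the dropped 4b7ba.sys, a driver service pointing at it, the \\.\NtSecureSys device, and any driver in System32\drivers that is not Microsoft-signed. It assumes that \\.\NtSecureSys from the string dump is the device name the dropped driver creates and that 4b7ba.sys is the driver behind the two notifiers; the report itself does not name the driver.

```powershell
# Added example, not part of the Lavasoft report. Run elevated. Written for
# Windows PowerShell 2.0 and later so it also runs on the Windows 7 SP1 x64
# host this sample was analysed on.
# Assumptions (not stated by the report): "\\.\NtSecureSys" is the device the
# dropped driver exposes, and 4b7ba.sys is the driver that installs the notifiers.

function Test-TestSigningEnabled {
    # bcdedit prints "testsigning  Yes" for the current boot entry when the switch is on.
    $lines = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($lines | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
}

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFile(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

function Test-DeviceObject([string]$Name) {
    # CreateFile with OPEN_EXISTING (3) and no access rights succeeds only when a
    # loaded driver has created a device object with this name.
    $h = [Win32.Native]::CreateFile($Name, 0, 0, [IntPtr]::Zero, 3, 0, [IntPtr]::Zero)
    if ($h.IsInvalid) { return $false }
    $h.Close()
    return $true
}

function Get-NonMicrosoftDrivers {
    # Driver files that would need test-signing mode to load on x64.
    # Caveat: inbox drivers are mostly catalog-signed and show as NotSigned here,
    # so compare the result with a clean host of the same build rather than
    # treating every entry as malicious.
    Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys |
      Where-Object { -not $_.PSIsContainer } |
      ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = ''
        if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Path = $_.FullName; Status = $sig.Status; Signer = $subject
            Size = $_.Length; Created = $_.CreationTimeUtc
        }
      } |
      Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
}

function Get-DriverChainStatus {
    $driver = "$env:SystemRoot\System32\drivers\4b7ba.sys"
    @{
        TestSigning       = Test-TestSigningEnabled
        DroppedDriverFile = Test-Path -LiteralPath $driver
        NtSecureSysDevice = Test-DeviceObject '\\.\NtSecureSys'
        DriverService     = Get-WmiObject Win32_SystemDriver |
                              Where-Object { $_.PathName -match '4b7ba\.sys' } |
                              Select-Object Name, State, PathName
        NonMicrosoftSys   = Get-NonMicrosoftDrivers
    }
}

Get-DriverChainStatus
```

TestSigning = True on a host that has no reason to be in test-signing mode is the strongest single indicator here; DroppedDriverFile and NtSecureSysDevice confirm this particular sample, while NonMicrosoftSys is a starting list for a variant that uses a different file name.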
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1259 | 1536 | 3.48941 | ea4a11f8ff9ed99ebc87aff02102a621 |
.data | 8192 | 3146 | 3584 | 4.65409 | 6603bf6b43b300ad9e541effbd07fd89 |
.rsrc | 12288 | 16 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Downloader (P2P Zeus dropper UA)
ET TROJAN Upatre Binary Download Jan 02 2014
Traffic
Web Traffic was not found. The two Suricata alerts above show that the sample did generate network traffic during the run; the sandbox did not reconstruct it as web sessions, so the absence here does not mean the sample is silent on the wire.
kernel32.dll
butit.exe_2828_rwx_02BF0000_0006D000:
.text
`.data
.idata
@.reloc
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
=65!c
8=6(0?5 &
svp%uec
{zfnmt==.eno
0123456789
`82uURL
`8.sC
G%c_|
.Oex=
".xF=
.Ol (
cxa6.xb
X?(xg.TD
x.Na<\}
xKx.QW
!^!
http://www.google.com/
http://www.bing.com/
HTTP/1.1
REPORT
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
RegDeleteKeyExW
gdiplus.dll
GdiplusShutdown
t.Ht$HHtw%fkNL$$m9.tdzcÁ
GetKeyboardState
MsgWaitForMultipleObjects
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
Secur32.dll
ole32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
3'393 7%74&4-414847#7'7 7/7378‚8C8O8_8k8s8{84%5x5<6
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
urlmon.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
"%s" %s
/c "%s"
W
advapi32.dll
kernel32.dll
shell32.dll
\StringFileInfo\xx\%s
cabinet.dll
C:\Users\"%CurrentUserName%"\AppData\Roaming
C:\Users\"%CurrentUserName%"\AppData\LocalLow
Global\{773C504E-EDB3-4088-A815-C48790E0E79A}
cmd.exe_1556:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
ntdll.dll
KERNEL32.dll
api-ms-win-core-processthreads-l1-1-0.DLL
WINBRAND.dll
u.WhpF
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
Ju.hl
ADVAPI32.dll
USER32.dll
SHELL32.dll
MPR.dll
RegEnumKeyW
ShellExecuteExW
_amsg_exit
_pipe
GetWindowsDirectoryW
NeedCurrentDirectoryForExePathW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
CmdBatNotification
RegCloseKey
RegOpenKeyExW
RegDeleteKeyExW
RegCreateKeyExW
cmd.pdb
del "butit.exe"
f exist "butit.exe" goto 298383
del 298383.cmd
383.cmd
CMD Internal Error %s
version="5.1.0.0"
name="Microsoft.Windows.FileSystem.CMD"
Windows Command Processor
true
=#=)=8={=9%9-949>9
CMD.EXE
()|&=,;"
CMDCMDLINE
COPYCMD
\XCOPY.EXE
0123456789
DisableCMD
Software\Policies\Microsoft\Windows\System
eKERNEL32.DLL
cmd.exe
DIRCMD
%d.%d.d
/K %s
%WINDOWS_COPYRIGHT%
Ungetting: '%s'
GeToken: (%x) '%s'
NTDLL.DLL
%x %c
*** Unknown type: %x
Args: `%s'
Cmd: %s Type: %x
%s (%s) %s
KEYS
%s %s%s %s%s
X-X
\CMD.EXE
CMDEXTVERSION
<> -*/%()|^&=,-
%sd%sd%sd
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp>butit.exe
.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
ndows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;%Program Files% (x86)\Wireshark
tit.exe"
\Local\Temp\butit.exe
butit.exe"
-h "butit.exe"
d%sd%sd%sd%sd
(%s) %s
%s=%s
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC
&()[]{}^=;!%' ,`~
Windows Command Processor
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Cmd.Exe
Windows
Operating System
6.1.7601.17514
cmd.exe_1556_rwx_027C0000_0006D000:
(string set identical to the butit.exe_2828_rwx_02BF0000_0006D000 region listed above: the same 0x6D000-byte RWX image is injected into both processes)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WMIADAP.EXE:332
bcdedit.exe:1608
bcdedit.exe:1312
bcdedit.exe:1324
bcdedit.exe:2904
bcdedit.exe:2920
bcdedit.exe:908
bcdedit.exe:2916
bcdedit.exe:1464
bcdedit.exe:1296
bcdedit.exe:944
dutit.exe:2860
systeminfo.exe:2032
WatAdminSvc.exe:2880
WatAdminSvc.exe:2864
TrustedInstaller.exe:3224
reader_sl.exe:2744
sppsvc.exe:1136
wsqmcons.exe:3028
opera_autoupdater.exe:2676
wueva.exe:2124
WinMail.exe:2640
Note: this is every process the sandbox saw start during the run. WMIADAP.EXE, systeminfo.exe, WatAdminSvc.exe, TrustedInstaller.exe, sppsvc.exe, wsqmcons.exe, WinMail.exe and bcdedit.exe are Windows components; bcdedit.exe is the legitimate boot configuration tool, which the sample invokes (see the string bcdedit.exe -set TESTSIGNING ON in the memory dump above). The sample's own processes are dutit.exe, wueva.exe and opera_autoupdater.exe, plus the injected butit.exe and cmd.exe; check any other entry against the "Dropped PE files" table before ending it.
- Delete the original TROJAN-PSW file.
- Delete or disinfect the following files created/modified by the TROJAN-PSW:
Note: the list below is every file the sandbox saw written during the run. It includes what is very likely the analysis tooling's own Process Monitor log (test.pml) and Windows' own files (NTUSER.DAT and its .LOG1, the registry transaction logs under System32\config, CBS.log, the Windows Mail store, the CryptnetUrlCache entries, C:\Windows\SysWOW64). Deleting those breaks the user profile or the OS. Remove only the sample's artefacts: the dropped PE files, 4b7ba.sys, wueva.exe, dutit.exe, butit.exe, 298383.cmd, LKF94D.bat and ~8BF9.tmp, and leave the rest in place.
C:\Windows\System32\wbem\Performance\WmiApRpl_new.h (363 bytes)
C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini (1846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~8BF9.tmp (15 bytes)
C:\Windows\client64.dll (278 bytes)
C:\Windows\zlib1.dll (59 bytes)
C:\Windows\aplib64.dll (12 bytes)
C:\Windows\client.dll (227 bytes)
C:\Windows\aplib.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\298383.cmd (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X6MBDP6\yahoo_com[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe (1138 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA7B2D59B4E9BC2D316D1AECDFC12F63_56F60B94B5B4D7380F23CECD585FDA14 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1504 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LKF94D.bat (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE (1520 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D266D9E1E69FA1EEFB9699B009B34C8_8CA7164968F366C9A94AC8E71C4BDD9B (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail (4 bytes)
C:\Windows\SysWOW64 (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\test.pml (549 bytes)
C:\$Directory (2904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders (4 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (852 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B8CC409ACDBF2A2FE04C56F2875B1FD6 (561 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6 (780 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (6 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (336 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms (416 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.0.regtrans-ms (1368 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.1.regtrans-ms (856 bytes)
C:\Windows\System32\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf (280 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.2.regtrans-ms (856 bytes)
C:\Windows\Logs\CBS\CBS.log (15573 bytes)
C:\Windows\System32\config\COMPONENTS{15e3db19-917a-11e2-9ef7-000c29a8bd90}.TxR.blf (3310 bytes)
C:\Windows\System32\config\TxR\{016888cd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms (256 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (5760 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (7320 bytes)
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dutit.exe (1138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IHXUT0BO\Test[1].fb2 (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F9QIXL85\27UKp[1].fb2 (469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\butit.exe (660 bytes)
C:\Windows\System32\drivers\4b7ba.sys (1725 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NL7BBU8A\yahoo_com[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (968 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (27880 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (23104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_2640_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\06FF4E64-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"forfPING" = "rundll32 C:\Windows\client64.dll,CreateProcessNotify"
"Wueva" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Zecois\wueva.exe"
- Turn test-signing mode back off. The sample runs bcdedit.exe -set TESTSIGNING ON (see the strings above) so that its unsigned driver can load on 64-bit Windows; from an elevated prompt run bcdedit /set testsigning off.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
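The manual steps above, as an added PowerShell example that is not part of the report: a dry-run-by-default cleanup that stops the sample's own processes, deletes the dropped PE files only while their MD5 still matches the "Dropped PE files" table, removes the unhashed artefacts the report lists, deletes the two Run values, and reverts the test-signing switch. It assumes that the %CurrentUserName% placeholders in the report map to the profile the script runs under ($env:LOCALAPPDATA and $env:APPDATA); the -Remove switch and the Invoke-Step helper are this example's own.

```powershell
# Added example, not part of the Lavasoft report. Run elevated, after the
# anti-rootkit scan and preferably from Safe Mode so that 4b7ba.sys is not
# loaded and the files are not locked. Without -Remove it only reports.
# Assumption: the report's %CurrentUserName% paths are the current profile.
param([switch]$Remove)

# MD5 values copied from the "Dropped PE files" table.
$hashed = @{
  "$env:LOCALAPPDATA\Temp\butit.exe"             = '4437ea54e849d46273b260372c6dec20'
  "$env:LOCALAPPDATA\Temp\opera_autoupdater.exe" = '7db604c446cb21b06b7673a9206914be'
  "$env:LOCALAPPDATA\Temp\ppcrlui_2640_2"        = '046a9363a58f8c4105e5871a514b63cc'
  "$env:SystemRoot\aplib.dll"                    = '7fe2b0b3fc2078130f20070a05daf8d5'
  "$env:SystemRoot\aplib64.dll"                  = '3f4fe60b6d1e05144f6efa098ac381a8'
  "$env:SystemRoot\client.dll"                   = '01c1e3ab46762ef23eb2ac898ea84c2c'
  "$env:SystemRoot\client64.dll"                 = '86bb1de30ba26a8d34e6568ab59b89e0'
  "$env:SystemRoot\zlib1.dll"                    = '80e41408f6d641dc1c0f5353a0cc8125'
}
# Listed by the report without a hash: removed on path alone, so review them first.
$unhashed = @(
  "$env:LOCALAPPDATA\Temp\dutit.exe"
  "$env:LOCALAPPDATA\Temp\298383.cmd"
  "$env:LOCALAPPDATA\Temp\LKF94D.bat"
  "$env:APPDATA\Zecois\wueva.exe"
  "$env:SystemRoot\System32\drivers\4b7ba.sys"
)
# Run values from the report, matched on name plus the identifying part of the data.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @{ forfPING = 'client64\.dll,CreateProcessNotify'; Wueva = 'Zecois\\wueva\.exe' }
$procs     = 'butit', 'dutit', 'wueva', 'opera_autoupdater'

function Invoke-Step([string]$What, [scriptblock]$Action) {
    if ($Remove) { & $Action; Write-Host "removed  $What" }
    else         { Write-Host "would remove  $What" }
}

function Get-Md5([string]$Path) {
    # .NET rather than Get-FileHash so this also runs on the PowerShell 2.0 that Windows 7 ships.
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($md5.ComputeHash($bytes))).Replace('-', '').ToLower()
}

# 1. Stop the sample's own processes so the files are not locked.
foreach ($p in Get-Process -Name $procs -ErrorAction SilentlyContinue) {
    Invoke-Step "process $($p.Name) (PID $($p.Id))" { Stop-Process -Id $p.Id -Force }
}

# 2. Hashed files: delete only on an MD5 match; a mismatch is reported for manual review.
foreach ($path in $hashed.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $md5 = Get-Md5 $path
    if ($md5 -eq $hashed[$path]) {
        Invoke-Step $path { Remove-Item -LiteralPath $path -Force }
    } else {
        Write-Warning "$path exists but its MD5 $md5 differs from the report; inspect it manually"
    }
}

# 3. Unhashed artefacts.
foreach ($path in $unhashed) {
    if (Test-Path -LiteralPath $path) { Invoke-Step $path { Remove-Item -LiteralPath $path -Force } }
}

# 4. Persistence: the two Run values.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $runValues.Keys) {
    $data = $run.$name
    if ($data -and $data -match $runValues[$name]) {
        Invoke-Step "Run value $name = $data" { Remove-ItemProperty -Path $runKey -Name $name }
    }
}

# 5. Boot configuration: revert the switch the sample turns on for its unsigned driver.
Invoke-Step 'bcdedit testsigning' { & bcdedit.exe /set testsigning off | Out-Null }
if ($Remove) { Write-Host 'Reboot, then rerun without -Remove to confirm nothing has returned.' }
```

The script deliberately does not touch the Windows files in the long list above (NTUSER.DAT, the registry transaction logs, CBS.log, the Windows Mail store) and does not remove a driver service, since the report does not name one; check Win32_SystemDriver for an entry pointing at 4b7ba.sys before rebooting.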