Backdoor.Win32.PcClient_4635f277ed

by malwarelabrobot on September 16th, 2015 in Malware Descriptions.

Trojan.Win32.Patched.la (Kaspersky), Backdoor.Win32.PcClient.FD, Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 4635f277ed77ce481a1d78981b0dcd2b
SHA1: c2af609904b675dc7721e6ff7963c8773065c140
SHA256: 172d2d83b724973c7c5e6b5eb19491b1d80c2df20ede8595ea06566d1c1ee3fa
SSDeep: 98304:34x8x56jfulCiTev8x1TGcBnRZM/tewLOC6oWRJ5Ce3:ygOfu8inx1TnZM/tjOC235
Size: 3504624 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-02-05 00:10:18
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

net.exe:656
net.exe:1596
sc.exe:212
sc.exe:1020
sc.exe:700
sc.exe:1300
sc.exe:128
sc.exe:744
sc.exe:1916
net1.exe:1040
net1.exe:836
system.exe:476
%original file name%.exe:1116
Rundll32.exe:2044

The Backdoor injects its code into the following process(es):

%original file name%.exe:1332
Rundll32.exe:772

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process net.exe:1596 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\net1.exe (1860 bytes)

The process system.exe:476 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\rundll32.exe (1636 bytes)
%System%\hhfrim.dll (22 bytes)
%System%\bmkucm.dll (77 bytes)

The process %original file name%.exe:1332 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dd_4635f277ed77ce481a1d78981b0dcd2b_decompression_log.txt (666 bytes)

The process %original file name%.exe:1116 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\system.exe (172 bytes)
C:\%original file name%.exe (23072 bytes)

The process Rundll32.exe:2044 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\sc.exe (1444 bytes)
%System%\net.exe (1020 bytes)
%Program Files%\AAV\CDriver.sys (11 bytes)

The Backdoor deletes the following file(s):

%Program Files%\AAV\CDriver.sys (0 bytes)
%Program Files%\AAV (0 bytes)

The process Rundll32.exe:772 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
%System%\CatRoot2 (96 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%WinDir%\pchealth\helpctr\System\images (4 bytes)
%WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
%WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
%WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
%WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
%WinDir%\pchealth\helpctr\System\panels (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
%WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
%Documents and Settings%\Default User (540 bytes)
%WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
%WinDir%\pchealth\helpctr\System (4 bytes)
C:\$Directory (392 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (208 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
%WinDir%\Prefetch (2804 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
%System%\CatRoot (4 bytes)
%WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
%WinDir%\assembly\GAC_32 (4 bytes)
%WinDir%\Prefetch\4635F277ED77CE481A1D78981B0DC-10F3EAD3.pf (48 bytes)
%WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
%System% (25040 bytes)
%System%\config\systemprofile\Application Data\Microsoft (4 bytes)
%System%\usmt (4 bytes)
%WinDir%\Installer\$PatchCache$\Managed (4 bytes)
%WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
%Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
%Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
%WinDir%\assembly\GAC_MSIL (36 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies (8 bytes)
%WinDir%\SoftwareDistribution\Download (45 bytes)
%System%\oobe\html (4 bytes)
%WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
%WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
%Documents and Settings%\%current user%\Cookies (192 bytes)
%WinDir%\pchealth\helpctr\binaries (4 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (24 bytes)
%Program Files%\Movie Maker (4 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
%WinDir%\WinSxS (12 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
%WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US (4 bytes)
%WinDir% (1560 bytes)
%WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
%WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_654.dat (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32 (28 bytes)
%WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
%Documents and Settings% (4 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%WinDir%\$hf_mig$ (8 bytes)
%System%\spool\XPSEP\amd64 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
%WinDir%\ime\imjp8_1 (4 bytes)
%WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Resource (4 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%WinDir%\Help\Tours\WindowsMediaPlayer (4 bytes)
%Documents and Settings%\NetworkService (4 bytes)
%WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
%WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
%WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
%System%\oobe (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Microsoft Office\Office14 (4 bytes)
%WinDir%\Temp (768 bytes)
%WinDir%\Installer (8 bytes)
%WinDir%\ime (4 bytes)
%WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
%WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (1732 bytes)
%WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
%WinDir%\pchealth\helpctr (4 bytes)
%WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
%WinDir%\Prefetch\TSHARK.EXE-2564C650.pf (106 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\ime\imkr6_1 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
%WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
%WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
%WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Program Files%\Windows NT (4 bytes)
%WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%WinDir%\Web (4 bytes)
C:\totalcmd (4 bytes)
%Program Files%\Common Files\System (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%WinDir%\Prefetch\PERL.EXE-28C02382.pf (16 bytes)
%WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
%WinDir%\AppPatch (4 bytes)
%System%\Restore\rstrui.exe (1764 bytes)
%Program Files%\Common Files (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
%WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
%Documents and Settings%\%current user%\Application Data (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles (8 bytes)
%WinDir%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313 (4 bytes)
%WinDir%\msagent (4 bytes)
%Program Files% (8 bytes)
%Program Files%\Movie Maker\Shared (4 bytes)
%WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
%System%\wbem (2900 bytes)
%WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
%WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
%WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader (96 bytes)
%WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
%WinDir%\Microsoft.NET\Framework (96 bytes)
%System%\mui (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\spool\XPSEP\i386 (4 bytes)
%WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
%WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
%System%\usmt\migwiz.exe (1428 bytes)
%WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
%System%\config\systemprofile\Start Menu\Programs (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
%System%\spider.exe (1252 bytes)
%Documents and Settings%\%current user%\Local Settings (20 bytes)
%WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
%WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
%System%\oobe\msoobe.exe (1444 bytes)
%System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
%WinDir%\assembly\NativeImages_v2.0.50727_32 (28 bytes)
%WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
%WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
%WinDir%\pchealth\helpctr\Config (4 bytes)
%Program Files%\Adobe\Reader 9.0 (4 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (672 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727 (1848 bytes)
%Documents and Settings%\%current user% (8 bytes)
%Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
%System%\TOURSTART.EXE (228 bytes)
%WinDir%\Web\printers (4 bytes)
%WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
%WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
%WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
%WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
%WinDir%\security (4 bytes)
%WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
%WinDir%\pchealth\helpctr\System\sysinfo (4 bytes)
%System%\config\systemprofile (4 bytes)
%WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
%WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
%WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
%WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
%WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (704 bytes)
%System%\config\systemprofile\Local Settings (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security (4 bytes)
%WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
%Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
%WinDir%\Microsoft.NET\Framework\v3.5 (12 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs (4 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\plug_ins (4 bytes)
%System%\oobe\html\mouse (4 bytes)
%WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
D: (148 bytes)
%WinDir%\assembly (4 bytes)

Registry activity

The process net.exe:656 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 18 C5 D2 D0 B0 0D 45 11 24 18 45 69 A9 40 D6"

The process net.exe:1596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 F2 00 E5 23 99 85 C1 F4 AA C9 0E 58 EC F9 3E"

The process sc.exe:212 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 1E E5 05 35 4E AF 54 C6 1F 25 DD 46 36 04 C2"

The process sc.exe:1020 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 D2 BA 6D 90 E8 BA AF CE 98 C7 61 C1 D5 20 1D"

The process sc.exe:700 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D FA A9 01 5E CA 40 63 9B 09 D3 BA 48 60 0E 4F"

The process sc.exe:1300 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 79 69 06 25 F5 EC 33 F1 3F B0 9D 3F 3B 35 02"

The process sc.exe:128 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 1E F6 60 BA 92 0D B4 42 A7 57 1F 79 01 DF 53"

The process sc.exe:744 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 F0 04 E5 B5 EF CE 45 C0 BE 60 E2 99 43 1C BC"

The process sc.exe:1916 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 F2 A5 77 53 C8 83 3E 77 2C 61 60 8A 35 C7 AD"

The process net1.exe:1040 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 A4 D9 5A F1 2F 8E 30 15 DA C7 F7 44 16 E7 5E"

The process net1.exe:836 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 DD 0F 3F 30 77 8D 59 C4 06 32 18 6D 03 4D 96"

The process %original file name%.exe:1332 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 24 83 61 D7 4C 56 C8 C8 80 6B 0C CC 60 EE D2"

The process %original file name%.exe:1116 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 30 A7 7C 27 4D E0 55 EC FE 05 2B A1 2A 68 4F"

The process Rundll32.exe:2044 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 CC 00 36 6A 5F 23 E2 A3 4B 13 4A DF 8F AB 57"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process Rundll32.exe:772 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D E2 05 B0 BC F6 25 73 A4 12 1A 3A B5 EF B3 59"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System" = "%System%\system.exe"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
30c9493489fd157ce04b66f3b7fe5dfd c:\%original file name%.exe
7a4f775abb2f1c97def3e73afa2faedd c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1.tmp
f510b1a852a523b15af21fc8dce1e7e6 c:\WINDOWS\system32\bmkucm.dll
f4585ef0972ddb52517b5c9b70e5ce1f c:\WINDOWS\system32\system.exe

HOSTS file anomalies

The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 www.Brenz.pl


Rootkit activity

The Backdoor installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: Microsoft .NET Framework 4 RUS Language Pack
Product Version: 4.0.30319.01
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: dotNetFx40LP_Full_x86_x64ru.exe
Internal Name: dotNetFx40LP_Full_x86_x64ru.exe
File Version: 4.0.30319.01
File Description: Microsoft .NET Framework 4 RUS Language Pack Setup
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 165082 165376 4.5447 3937991f1b8dab6120482c7a74549e2e
.data 172032 14080 5120 1.66953 bb5865b2fbc323525c14802f6fc52a1e
.boxld01 188416 194 512 1.22659 d9b2a38908733c575903f7ed2bda6838
.rsrc 192512 7764 8192 3.22776 67cd9782ace4a44ac88cf65d3d8e231f
.reloc 200704 10258 10752 3.36655 0dcf8d378e6a57ca058f2681b12904d9
voiucfo 212992 4288 4608 0 b1e27aa018409de6bfd73f8afb883a65
qnpsbogh 221184 4288 4608 3.59092 163fc2b3a42aa20695f4900c1b6cecfe
229376 172032 172032 4.76278 f4585ef0972ddb52517b5c9b70e5ce1f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Backdoor connects to the servers at the folowing location(s):

%original file name%.exe_1332:

.text
`.data
.boxld01
@.rsrc
@.reloc
GetProcessWindowStation
operator
Extraction took %d minutes and %d.%d seconds
Extraction took %d.%d seconds
Extraction took %d milliseconds
Failed to execute file
Exiting with result code: 0x%x
Failed to get error string from error: 0x%x
Failed to get error message for error: 0x%x.
Failed to set _SFX_CAB_EXE_PATH
Failed to set _SFX_CAB_EXE_PACKAGE
Failed to set _SFX_CAB_EXE_PARAMETERS
Unable to resolve the path of the exe
Executing command line: '%S'
Failed to stop reporting progress
Failed to open box from path: %S
Failed to start reporting progress
Extracting files to: %S
Failed to verify box container #%d.
Failed to extract all files out of box container #%d.
Failed to add file name on to status prefix: %S
Failed to create progress reporting initialization event
Failed to get path to executable.
Directory '%S' has been selected for file extraction
Cluster drive map: '%S'
Considering drive: '%S'...
Drive '%S' is rejected because it's a resource of a cluster
Drive '%S' is rejected because of the unknown or unsuitable drive type
Drive '%S' is rejected because it's not a hard disk or RAM disk
Drive '%S' is rejected because it can't be written to
Drive '%S' has been selected as the largest fixed drive
Drive '%S' has been selected as the largest removable drive
Failed to load advapi32.dll
Failed to load DecryptFileW from advapi.dll
Considering cluster resource: '%S'...
Drive map for cluster resource '%S' : '%S'
Cluster resource type: '%S'
Found a partition on cluster resource: '%S'
Ignoring the partition '%S' because it doesn't look like a DOS name
Failed to allocate the path ro the clusapi.dll
Failed to load clusapi.dll
Failed to load all required functions from the clusapi.dll
Successfully bound to the ClusApi.dll
--- logging level: %s ---
%u/%u/%u, %u:%u:%u
Error 0x%x: %s
=== Logging started: %S ===
Executable: %S v%d.%d.%d.%d
=== Logging stopped: %S ===
boxstub.pdb
j.Xf;
\$09^0~9
ADVAPI32.dll
KERNEL32.dll
COMCTL32.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
GetCPInfo
GetProcessHeap
Cabinet.dll
OLEAUT32.dll
VERSION.dll
boxstub.exe
c:\%original file name%.exe
9/15/2015, 3:58:9
<assemblyIdentity name="BoxStub" version="1.0.0.0" processorArchitecture="x86" type="win32"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
6%6U6f6q6
:!:.:4:?:
6:7@7^7}7
> >$>(>,>0>4>8>
5 5$5,5@5
yKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
\dd_%s_decompression_log.txt
_SFX_CAB_EXE_PATH
H_SFX_CAB_EXE_PACKAGE
_SFX_CAB_EXE_PARAMETERS
%s...
\\.\?:
advapi32.dll
%s\clusapi.dll
=d/d/d d:d:d
\\?\UNC
kernel32.dll
%_SFX_CAB_EXE_PATH%\Setup.exe %_SFX_CAB_EXE_PARAMETERS% /x86 /x64 /lcid 1049
Microsoft .NET Framework 4 RUS Language Pack Setup
4.0.30319.01
dotNetFx40LP_Full_x86_x64ru.exe
Microsoft .NET Framework 4 RUS Language Pack
10.0.30203.0 built by: LocRTMRel(RAVIR01-ravir)
BoxStub.exe
.NET Framework
10.0.30203.0

Rundll32.exe_772:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
%xBTPt
0%X/ 
fKey
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

Rundll32.exe_772_rwx_0100A000_00001000:

5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

Rundll32.exe_772_rwx_01010000_00001000:

fKey


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    net.exe:656
    net.exe:1596
    sc.exe:212
    sc.exe:1020
    sc.exe:700
    sc.exe:1300
    sc.exe:128
    sc.exe:744
    sc.exe:1916
    net1.exe:1040
    net1.exe:836
    system.exe:476
    %original file name%.exe:1116
    Rundll32.exe:2044

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %System%\net1.exe (1860 bytes)
    %System%\rundll32.exe (1636 bytes)
    %System%\hhfrim.dll (22 bytes)
    %System%\bmkucm.dll (77 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dd_4635f277ed77ce481a1d78981b0dcd2b_decompression_log.txt (666 bytes)
    %System%\system.exe (172 bytes)
    C:\%original file name%.exe (23072 bytes)
    %System%\sc.exe (1444 bytes)
    %System%\net.exe (1020 bytes)
    %Program Files%\AAV\CDriver.sys (11 bytes)
    %WinDir%\SoftwareDistribution\Download\8b9a83d2cde55eb19dc502cc2dd04e0d (4 bytes)
    %System%\CatRoot2 (96 bytes)
    %WinDir%\pchealth\helpctr\System\images (4 bytes)
    %WinDir%\SoftwareDistribution\Download\7dc26e8888d68d9e04bc52940c0f24b5 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\36a2296f631a54daefcc3b56e3d990e2 (4 bytes)
    %WinDir%\pchealth\helpctr\System\Remote Assistance (4 bytes)
    %WinDir%\pchealth\helpctr\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance (4 bytes)
    %WinDir%\SoftwareDistribution\Download\2e6b16219034e135b4f869efb7a10fee (4 bytes)
    %WinDir%\pchealth\helpctr\System\panels (4 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\plug_ins3d (4 bytes)
    %WinDir%\SoftwareDistribution\Download\6a410a1bd174bc123056d235ac4829af (4 bytes)
    %Documents and Settings%\Default User (540 bytes)
    %WinDir%\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9 (4 bytes)
    C:\$Directory (392 bytes)
    %Documents and Settings%\%current user%\My Documents (4 bytes)
    %System%\config (208 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\PresentationFramewo# (4 bytes)
    %WinDir%\Prefetch (2804 bytes)
    %Documents and Settings%\All Users\Application Data (4 bytes)
    %WinDir%\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f (4 bytes)
    %WinDir%\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59 (4 bytes)
    %WinDir%\assembly\GAC_32 (4 bytes)
    %WinDir%\Prefetch\4635F277ED77CE481A1D78981B0DC-10F3EAD3.pf (48 bytes)
    %WinDir%\SoftwareDistribution\Download\da2a33b6770f970d7fe7262040f98a4f (4 bytes)
    %Program Files%\Reference Assemblies\Microsoft\Framework\v3.0 (4 bytes)
    %System%\config\systemprofile\Application Data\Microsoft (4 bytes)
    %System%\usmt (4 bytes)
    %WinDir%\Installer\$PatchCache$\Managed (4 bytes)
    %WinDir%\SoftwareDistribution\Download\b5f880834ad67f3d383ffff5f2fa46bd (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client (8 bytes)
    %Program Files%\Common Files\VMware\Drivers (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions (4 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
    %Program Files%\Adobe\Reader 9.0\Resource\Font (4 bytes)
    %Program Files%\Common Files\Microsoft Shared\OFFICE14 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\WPF (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.0\WPF (4 bytes)
    %WinDir%\assembly\GAC_MSIL (36 bytes)
    %Documents and Settings%\NetworkService\Local Settings (4 bytes)
    %WinDir%\WinSxS\Policies (8 bytes)
    %System%\oobe\html (4 bytes)
    %WinDir%\SoftwareDistribution\Download\f0fea42f69058000617da24986c3b109 (4 bytes)
    %WinDir%\assembly\NativeImages_v4.0.30319_32\PresentationFramewo# (4 bytes)
    %WinDir%\SoftwareDistribution\Download\196fa81559690e2494e56094df51cdd8 (4 bytes)
    %Documents and Settings%\%current user%\Cookies (192 bytes)
    %WinDir%\pchealth\helpctr\binaries (4 bytes)
    %Documents and Settings%\%current user%\Favorites (4 bytes)
    %WinDir%\SoftwareDistribution\Download\621a08ac003b616bcaa86aa4d4292d50 (4 bytes)
    %Program Files%\Movie Maker (4 bytes)
    %WinDir%\Microsoft.NET\assembly\GAC_32 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation (4 bytes)
    %Documents and Settings%\LocalService (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c0c52c03306062533f7dcb087bfcfa6b (4 bytes)
    %WinDir%\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualBas# (4 bytes)
    %WinDir%\pchealth\helpctr\OfflineCache (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e0c0da396303f1dd2c82cd2ccc07020d (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e79028ac4f02e201b61b2c632cb0fc5e (4 bytes)
    %WinDir%\Help\Tours\WindowsMediaPlayer\Img (4 bytes)
    %WinDir%\Temp\Perflib_Perfdata_654.dat (4 bytes)
    %WinDir%\SoftwareDistribution\Download\bc81666f3868f34642e3f5adbc2719f9 (4 bytes)
    %Documents and Settings%\Default User\Local Settings (4 bytes)
    %WinDir%\$hf_mig$ (8 bytes)
    %System%\spool\XPSEP\amd64 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles (4 bytes)
    %WinDir%\ime\imjp8_1 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e8252bbfa91fcf5afb38775b18691074 (4 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466 (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
    %WinDir%\SoftwareDistribution\Download\8bb5f1c638778df6b77d80bc61ffc63c (4 bytes)
    %WinDir%\SoftwareDistribution\Download\b91377d1d56820d9d699c0c2dc7c8e80 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\30438597a812a5d1d7979088d451747f (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
    %Program Files%\Microsoft Office\Office14 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\ee4e3d4bf0d346e1b8fdee8197195e59 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\211409fc1d99b95b32fb0344cad140df (4 bytes)
    %WinDir%\SoftwareDistribution\Download\dffcab319e36b852e5b2d51802010a7a (4 bytes)
    %WinDir%\SoftwareDistribution\Download\299840a657dd26ca3bbf3cee3ec999ba (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e5c5fc9bd7a4957f0a45c6db2957c5c9 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
    %WinDir%\SoftwareDistribution\Download\906245b7f0992255b054322b77475594 (4 bytes)
    %WinDir%\Prefetch\TSHARK.EXE-2564C650.pf (106 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
    %WinDir%\ime\imkr6_1 (4 bytes)
    %WinDir%\pchealth\helpctr\System\sysinfo\graphics (4 bytes)
    %WinDir%\SoftwareDistribution\Download\248802b74506342031e926839639c729 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\cb88a2f03b29735db957d61a63df6504 (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers (4 bytes)
    %WinDir%\SoftwareDistribution\Download\21156e54b0f0f47f81dab4a39e109501 (4 bytes)
    %Documents and Settings%\All Users\Documents\My Music (4 bytes)
    %Program Files%\Windows NT (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d (4 bytes)
    %WinDir%\Web (4 bytes)
    C:\totalcmd (4 bytes)
    %Program Files%\Common Files\System (4 bytes)
    %Program Files%\Windows Media Player (4 bytes)
    %WinDir%\Prefetch\PERL.EXE-28C02382.pf (16 bytes)
    %WinDir%\SoftwareDistribution\Download\aadd6ccc4585cbf4ee04287eb0e679df (4 bytes)
    %WinDir%\AppPatch (4 bytes)
    %System%\Restore\rstrui.exe (1764 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG (4 bytes)
    %WinDir%\SoftwareDistribution\Download\6b7f938fb3db15dab273f3f1702c318c (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 (384 bytes)
    %WinDir%\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313 (4 bytes)
    %WinDir%\msagent (4 bytes)
    %Program Files%\Movie Maker\Shared (4 bytes)
    %WinDir%\SoftwareDistribution\Download\bc8ea6c22fd142de8dd67336d23310cf (4 bytes)
    %System%\wbem (2900 bytes)
    %WinDir%\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\21cbd3f70584651805685eba1753505f (4 bytes)
    %WinDir%\SoftwareDistribution\Download\b6f4642d2b8dc03c5ce1b1a4f77b1bda (4 bytes)
    %WinDir%\SoftwareDistribution\Download\9460002f6d8231358fc1eb590f9b1dce (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
    %System%\mui (4 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    %System%\spool\XPSEP\i386 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\1c47f41cc76cde4c629564d7564f2795 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\57b4b90cc3eead9f6c29b58581d03ae4 (4 bytes)
    %System%\usmt\migwiz.exe (1428 bytes)
    %WinDir%\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0 (4 bytes)
    %System%\config\systemprofile\Start Menu\Programs (4 bytes)
    %WinDir%\assembly\NativeImages_v2.0.50727_32\System.DirectorySer# (4 bytes)
    %System%\spider.exe (1252 bytes)
    %WinDir%\Microsoft.NET\assembly\GAC_MSIL (28 bytes)
    %WinDir%\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig (4 bytes)
    %System%\oobe\msoobe.exe (1444 bytes)
    %System%\config\systemprofile\Start Menu\Programs\Accessories (4 bytes)
    %WinDir%\SoftwareDistribution\Download\bc529fa49cb2cb097fdf1e22d25872da (4 bytes)
    %WinDir%\SoftwareDistribution\Download\e104dcd29adf1c6c473a5efad2d509be (4 bytes)
    %Program Files%\Common Files\Adobe\Acrobat\ActiveX (4 bytes)
    %WinDir%\pchealth\helpctr\Config (4 bytes)
    %WinDir%\assembly\NativeImages_v4.0.30319_32\System.ServiceModel# (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
    %System%\drivers (672 bytes)
    %Program Files%\Common Files\Microsoft Shared\DW (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
    %System%\TOURSTART.EXE (228 bytes)
    %WinDir%\Web\printers (4 bytes)
    %WinDir%\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\8cac00e8efc87d728c0261686f85c975 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6 (4 bytes)
    %WinDir%\assembly\NativeImages_v4.0.30319_32\System.DirectorySer# (4 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
    %WinDir%\SoftwareDistribution\Download\cedca0128a48437390192d906f83a717 (4 bytes)
    %WinDir%\security (4 bytes)
    %WinDir%\SoftwareDistribution\Download\a4c07d9275eb613d842cb1e140d8a426 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\17e46901add634f15d293735648771e6 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\50e2c72fd814d3841e776dd2c4918260 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\c0e4033a7ec549e982572f0d830cf5d0 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\0000894bab70b145c3629920ba907f7a (4 bytes)
    %WinDir%\SoftwareDistribution\Download\cd75fc2c9aa3d47009fe2d95c9f43154 (4 bytes)
    %WinDir%\SoftwareDistribution\Download\0c1e5e0ffeb238b1ee5c9ea3a4878374 (4 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\temp_wincheck.txt (704 bytes)
    %System%\config\systemprofile\Local Settings (4 bytes)
    %WinDir%\SoftwareDistribution\Download\78cf8552430e25a8f24bc1e4dfb1970e (4 bytes)
    %Program Files%\Internet Explorer (4 bytes)
    %WinDir%\SoftwareDistribution\Download\f2adb0f8440e5dbd459aa6bfcaed1ba5 (4 bytes)
    %Program Files%\Reference Assemblies\Microsoft\Framework\v3.5 (4 bytes)
    %Documents and Settings%\LocalService\Local Settings (4 bytes)
    %WinDir%\SoftwareDistribution\Download\23e79e5fb28793d8cb1c2055b0d8dcb9 (4 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard (4 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
    %System%\oobe\html\mouse (4 bytes)
    %WinDir%\SoftwareDistribution\Download\abaf10b7d55d3716fbb63e0b568cb4b6 (4 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
    %WinDir%\SoftwareDistribution\Download\163d01893aa68b49abc63d8d6c9a7bb2 (4 bytes)
    D: (148 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "System" = "%System%\system.exe"

  6. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now