Backdoor.Win32.PcClient_561e1a8d76
Susp_Dropper (Kaspersky), Trojan.Agent3!IK (Emsisoft), Backdoor.Win32.PcClient.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 561e1a8d7650f5dbe7b0ac5215a8429d
SHA1: 7987cc1c0fdd7dde66ba24fd07476c8892ae618b
SHA256: ac5ad2d158450b9d8f4500592effa151bf213a97de44ef1d203d4dbe503412d8
SSDeep: 24576:5wkTlvhSYtv4/037vbmv/eN/j7e/FeiPh/MMnMMMMM4NqsdHAEGYf:5phSYtjbbfVf4eiPh/MMnMMMMMyqW3f
Size: 914944 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-04-21 00:07:24
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
9fe65d0f.exe:120
b3626cf5.exe:1700
2e777248.exe:1096
561e1a8d7650f5dbe7b0ac5215a8429d.exe:516
rundll32.exe:1656
20018060.exe:1344
The Backdoor injects its code into the following process(es):
spoolsv.exe:1436
rundll32.exe:492
ukfaLIXCpkTKHl.exe:240
File activity
The process 9fe65d0f.exe:120 makes changes to the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\ukfaLIXCpkTKHl.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q3SV8RA7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D8R47TVO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4VGDJ1T9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L630S0M\desktop.ini (67 bytes)
The process 2e777248.exe:1096 makes changes to the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
The process 561e1a8d7650f5dbe7b0ac5215a8429d.exe:516 makes changes to the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\20018060.exe (12350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9fe65d0f.exe (42433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b3626cf5.exe (2205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e777248.exe (15283 bytes)
The process spoolsv.exe:1436 makes changes to the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\Temp\3.tmp (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (4 bytes)
The Backdoor deletes the following file(s):
%WinDir%\Temp\3.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)
The process 20018060.exe:1344 makes changes to the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\ifidfox.dll (114 bytes)
Registry activity
The process 9fe65d0f.exe:120 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp, , \??\%WinDir%\TEMP\5.tmp, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp6.tmp,"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data]
"ukfaLIXCpkTKHl.exe" = "WTR Loader"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures" = "no"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 D7 E0 49 C5 74 F1 C5 96 FD CF 9E 04 AC 6B E9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes" = "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ukfaLIXCpkTKHl" = "%Documents and Settings%\All Users\Application Data\ukfaLIXCpkTKHl.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The Backdoor deletes the following value(s) from the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process b3626cf5.exe:1700 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C D9 1F 4B 5B E6 C0 FF 6A 75 34 D8 03 94 B6 78"
The process 2e777248.exe:1096 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 49 48 DF 21 F1 53 F3 E7 30 52 AF D2 39 B2 F8"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp,"
The process 561e1a8d7650f5dbe7b0ac5215a8429d.exe:516 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 B7 89 79 70 0C 5A 3E DB BF C7 6A 8C 3B D0 42"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"9fe65d0f.exe" = "WTR Loader"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"2e777248.exe" = "2e777248"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"20018060.exe" = "Voxware MetaSound Audio Decoder"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"b3626cf5.exe" = "b3626cf5"
The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security zone settings so that all local web nodes (names without dots) that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process spoolsv.exe:1436 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\System\CurrentControlSet\Control\Print\Providers\4195731056]
"Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\2.tmp"
[HKLM\System\CurrentControlSet\Services\682bda70]
"type" = "1"
[HKLM\System\CurrentControlSet\Control\Print\Providers]
"Order" = "LanMan Print Services, Internet Print Provider, 4195731056"
[HKLM\System\CurrentControlSet\Services\682bda70]
"imagepath" = "\??\%WinDir%\TEMP\3.tmp"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp, , \??\%WinDir%\TEMP\5.tmp,"
The Backdoor deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\Print\Providers\4195731056]
[HKLM\System\CurrentControlSet\Services\682bda70\Enum]
[HKLM\System\CurrentControlSet\Services\682bda70]
The process rundll32.exe:1656 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 94 9B B8 61 EF EB E7 AD 44 0C 38 71 29 86 E8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
The process rundll32.exe:492 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 2D 6E C2 A2 D2 6E 33 2D D7 13 99 CD A3 FB 83"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "186"
To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\ifidfox.dll,Startup"
The process 20018060.exe:1344 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 D3 06 2B 4C 32 3F 11 B2 8B 29 CE 8C 53 FB 8C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Ydapup" = "39 01 35 03 33 05 47 07 4B 09 38 0B 3B 0D 48 0F"
The process ukfaLIXCpkTKHl.exe:240 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE A8 21 A3 07 DA E7 B1 28 94 10 59 53 66 A6 69"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://000207dd102c.voonder.net/get2.php?c=HUXKCMMH&d=26606B6739343F343F2F676268307D3F2220232320242F3177757E4469747A2219151A4210121F150E5C434F1114191871720004720373060E0D0A0E0B040A7A70047001710077040B0C0B7F0F6B2C263E27372169646E617E31333F616F3B3D5404555A5143070305545B4D031E180A024C472C455329031B12474B4C4D4E49B4B4B2B7B2A3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919D88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F7F5F5F4FAF0F3FAFAEB8B8082 | |
| hxxp://ww2.000207dd102c.voonder.net/get2.php?c=HUXKCMMH&d=26606B6739343F343F2F676268307D3F2220232320242F3177757E4469747A2219151A4210121F150E5C434F1114191871720004720373060E0D0A0E0B040A7A70047001710077040B0C0B7F0F6B2C263E27372169646E617E31333F616F3B3D5404555A5143070305545B4D031E180A024C472C455329031B12474B4C4D4E49B4B4B2B7B2A3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919D88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F7F5F5F4FAF0F3FAFAEB8B8082 | |
| findadvertisem.org | |
| searchmodern.org | |
Rootkit activity
Using the driver "UNKNOWN", the Backdoor controls the loading of executable images into memory by installing a load-image notify routine.
The Backdoor intercepts DriverStartIo in the miniport driver of the hard drive controller (ATAPI) to handle requests to its own files:
StartIo
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
9fe65d0f.exe:120
b3626cf5.exe:1700
2e777248.exe:1096
561e1a8d7650f5dbe7b0ac5215a8429d.exe:516
rundll32.exe:1656
20018060.exe:1344
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\All Users\Application Data\ukfaLIXCpkTKHl.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q3SV8RA7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D8R47TVO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4VGDJ1T9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L630S0M\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\20018060.exe (12350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9fe65d0f.exe (42433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b3626cf5.exe (2205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e777248.exe (15283 bytes)
%WinDir%\Temp\3.tmp (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (4 bytes)
%WinDir%\ifidfox.dll (114 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ukfaLIXCpkTKHl" = "%Documents and Settings%\All Users\Application Data\ukfaLIXCpkTKHl.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\ifidfox.dll,Startup"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean the Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.