Dropped.Generic.Malware.SBdld.3A16F05C_197383db27

by malwarelabrobot on November 28th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Dropped:Generic.Malware.SBdld!.3A16F05C (B) (Emsisoft), Dropped:Generic.Malware.SBdld!.3A16F05C (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Backdoor, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 197383db272e4570e1ffe382ec859eff
SHA1: 8c6b615dd9da424e8a55cef19d2291b46930075d
SHA256: 6d9919204ae07b11b30160c859cb7fe8fee241cc44d6c31b08e326df5858ee2f
SSDeep: 768:jwumGFcCo2CG52SdwxOBxib9/3a0eIo5vN4DUYHBFf9qc:EumGFc9GkBxQKHV
Size: 36320 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: FSGv133Eng_v1, FSGv133Eng_v2, FSGv133, UPolyXv05_v6
Company: r-installer
Created at: 1987-09-11 05:35:02 (PE header timestamp; a 1987 date on a Win32 binary cannot be a genuine build time, so it carries no information about when the sample was built)
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Backdoor: malware that gives an attacker remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

install.exe:1376
%original file name%.exe:1852
knzwd.exe:1176
iexplarer.exe:368
taskmgr.exe:508
sihf8.exe:212
mlo5jupht9mejgm.exe:1688
win.exe:948
Regsvr32.exe:1364
debug.exe:1220

The Dropped injects its code into the following process(es):

rundll32.exe:1204
Explorer.EXE:1988

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process install.exe:1376 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yawghd72y7huhd.tmp (4 bytes)

The process %original file name%.exe:1852 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mlo5jupht9mejgm.exe (60 bytes)
%System%\tzwv2w.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sihf8.exe (30 bytes)
C:\p2hhr.bat (46 bytes)
%System%\g7e7n5i.dll (30 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3449327852.exe (0 bytes)

The process knzwd.exe:1176 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\osjfs873wuhd.tmp (16 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3463859102.exe (0 bytes)

The process sihf8.exe:212 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\knzwd.exe (30 bytes)

The process mlo5jupht9mejgm.exe:1688 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%WinDir%\win.exe (60 bytes)
%WinDir%\taskmgr.exe (60 bytes)
%WinDir%\iexplarer.exe (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install.exe (60 bytes)
%WinDir%\debug.exe (60 bytes)

The process rundll32.exe:1204 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sdkik3fsiedfahfyg.tmp (16 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3465890352.exe (0 bytes)

Registry activity

The process install.exe:1376 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "yes"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 D2 4E 78 17 9F 84 A6 9A 8C 50 66 B4 24 51 90"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden" = "0"

The Dropped changes the IE security-zone mapping so that all network (UNC) paths are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped changes the IE security-zone mapping so that all sites that bypass the proxy are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped changes the IE security-zone mapping so that all local (intranet) sites not listed in another zone are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself each time Windows starts, the Dropped adds the following references to its file under the system registry autorun keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgotd" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\install.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgotd" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\install.exe"

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1852 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
"winid" = "1D00A31CCB61186"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 42 85 99 B6 C6 3C BE 6D 2C E9 E2 76 00 B9 E1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"p2hhr.bat" = "p2hhr"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Dropped changes the IE security-zone mapping so that all network (UNC) paths are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped changes the IE security-zone mapping so that all sites that bypass the proxy are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped changes the IE security-zone mapping so that all local (intranet) sites not listed in another zone are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process knzwd.exe:1176 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 F7 52 BC 9A 7D 1B 38 06 3B 32 19 7C 42 FC 1B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To run itself each time Windows starts, the Dropped adds the following references to its file under the system registry autorun keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgpg" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\knzwd.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgpg" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\knzwd.exe"

The Dropped changes the IE security-zone mapping so that all network (UNC) paths are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped changes the IE security-zone mapping so that all sites that bypass the proxy are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped changes the IE security-zone mapping so that all local (intranet) sites not listed in another zone are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process iexplarer.exe:368 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 05 4B E1 D1 20 88 45 85 36 A5 78 03 C8 BC 11"

[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "yes"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"SuperHidden" = "0"

To run itself each time Windows starts, the Dropped adds the following references to its file under the system registry autorun keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKbuqc" = "%WinDir%\iexplarer.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKbuqc" = "%WinDir%\iexplarer.exe"

The process taskmgr.exe:508 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 45 82 FE 61 90 2D D8 21 BF 58 B2 87 9E A4 AA"

[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "yes"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"SuperHidden" = "0"

To run itself each time Windows starts, the Dropped adds the following references to its file under the system registry autorun keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKerb" = "%WinDir%\taskmgr.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKerb" = "%WinDir%\taskmgr.exe"

The process sihf8.exe:212 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 ED 04 86 AD 3D DB 46 81 0B D8 17 7A 8D E8 F0"

The process mlo5jupht9mejgm.exe:1688 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 B3 08 06 20 D5 AF 31 FB E6 D2 CB D2 31 9A F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
"UserId" = "1D00A31CEA85D00"

The process rundll32.exe:1204 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 2A 8F D9 0C 0B 2D 54 64 A8 3B 7C 0E 83 6A 61"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Dropped changes the IE security-zone mapping so that all network (UNC) paths are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Dropped changes the IE security-zone mapping so that all sites that bypass the proxy are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Dropped changes the IE security-zone mapping so that all local (intranet) sites not listed in another zone are placed in the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself each time Windows starts, the Dropped adds the following references under the system registry autorun keys. Here the value does not point at an executable of its own: it runs the dropped DLL through the legitimate rundll32.exe, calling the DLL's SystemServer export.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uPc MV0NXQaGuo" = "rundll32.exe %System%\g7e7n5i.dll, SystemServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uPc MV0NXQaGuo" = "rundll32.exe %System%\g7e7n5i.dll, SystemServer"

The Dropped deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process win.exe:948 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 A7 BB 3A 4C 3B 68 91 07 32 CC C0 E5 75 7F D0"

[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "yes"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"SuperHidden" = "0"

To run itself each time Windows starts, the Dropped adds the following references to its file under the system registry autorun keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKfa" = "%WinDir%\win.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKfa" = "%WinDir%\win.exe"

The process Regsvr32.exe:1364 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 DA E1 CB 52 80 C4 03 26 FC D6 40 CB 70 83 6A"

[HKCR\CLSID\{B6BA40C1-A501-59BD-F413-03B03A2C8952}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B6BA40C1-A501-59BD-F413-03B03A2C8952}" = "dfskea98e4iagjiufhg87df87u"

[HKCR\CLSID\{B6BA40C1-A501-59BD-F413-03B03A2C8952}]
"(Default)" = "%System%\tzwv2w.dll"

[HKCR\CLSID\{B6BA40C1-A501-59BD-F413-03B03A2C8952}\InProcServer32]
"(Default)" = "%System%\tzwv2w.dll"

[HKCR\CLSID\{B6BA40C1-A501-59BD-F413-03B03A2C8952}]
"ThreadingModel" = "Apartment"

The Dropped deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

The process debug.exe:1220 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 86 ED 91 B0 B0 9F F9 E5 0F C0 6C 36 82 0A E5"

[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "yes"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"SuperHidden" = "0"

To run itself each time Windows starts, the Dropped adds the following references to its file under the system registry autorun keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MKaoc" = "%WinDir%\debug.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MKaoc" = "%WinDir%\debug.exe"
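
The registry activity above boils down to three things a responder needs to pull out of a compromised host: the Run-key entries (plain executables under %Temp% and %WinDir%, plus one rundll32.exe launch of g7e7n5i.dll), the policy values that hinder clean-up (DisableRegistryTools, DisableSR, NoFolderOptions, HideFileExt), and the COM registration done by Regsvr32.exe. That last one is a persistence mechanism in its own right: Explorer instantiates every CLSID listed under SharedTaskScheduler at logon, which is why the sample registers a CLSID, points its InProcServer32 at tzwv2w.dll and then adds that CLSID to SharedTaskScheduler. The following script is an added example by the editor, not Lavasoft's code: it parses a Regedit 5.00 export and reports all three finding types. The .reg excerpt is constructed from this report's own keys and values, with the user name filled in as "user" and %System% as C:\WINDOWS\system32; the path and user-agent heuristics (flagging %Temp% paths and rundll32 launches) are the editor's, not part of the report.

```python
"""Triage a Regedit 5.00 export (.reg text) for the persistence and policy
changes this report lists.  Editor's added example, not Lavasoft's code.
SAMPLE_REG is constructed from the report's own keys and values, with the
user name filled in as 'user' and %System% as the XP sandbox's system32."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HNUjHTgotd"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\install.exe"
"uPc MV0NXQaGuo"="rundll32.exe C:\\WINDOWS\\system32\\g7e7n5i.dll, SystemServer"
"MKfa"="C:\\WINDOWS\\win.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B6BA40C1-A501-59BD-F413-03B03A2C8952}"="dfskea98e4iagjiufhg87df87u"

[HKEY_CLASSES_ROOT\CLSID\{B6BA40C1-A501-59BD-F413-03B03A2C8952}\InProcServer32]
@="C:\\WINDOWS\\system32\\tzwv2w.dll"
"ThreadingModel"="Apartment"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
RUN_KEY_SUFFIX = '\\software\\microsoft\\windows\\currentversion\\run'
# (key suffix, value name) pairs this sample sets to 1 to hinder clean-up
SUSPECT_POLICIES = {
    ('policies\\system', 'DisableRegistryTools'),   # blocks regedit
    ('windows nt\\systemrestore', 'DisableSR'),     # no restore points
    ('policies\\explorer', 'NoFolderOptions'),      # hides Folder Options
    ('explorer\\advanced', 'HideFileExt'),          # hides .exe in Explorer
}


def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Return {key: {value_name: value}}; '' names a key's (Default) value.
    REG_SZ and REG_DWORD are decoded, other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', 'Windows Registry Editor')):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ''
            val = m.group(2)
            if val.startswith('"') and val.endswith('"'):
                val = _unescape(val[1:-1])
            elif val.lower().startswith('dword:'):
                val = int(val[6:], 16)
            keys[current][name] = val
    return keys


def command_target(cmd):
    """File a Run-key command really loads: the DLL for a rundll32 launch,
    otherwise the (possibly quoted) executable path."""
    cmd = cmd.strip()
    if cmd.lower().startswith('rundll32'):
        rest = cmd.split(None, 1)[1] if ' ' in cmd else ''
        return rest.split(',', 1)[0].strip()     # "<dll>,<export> [args]"
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(' ', 1)[0]


def triage(keys):
    lower = {k.lower(): v for k, v in keys.items()}
    findings = {'autorun': [], 'policy': [], 'shared_task_scheduler': []}
    for key, values in keys.items():
        lk = key.lower()
        if lk.endswith(RUN_KEY_SUFFIX):
            for name, cmd in values.items():
                cmd = str(cmd)
                target = command_target(cmd)
                tags = []
                if '\\temp\\' in target.lower():
                    tags.append('user-writable temp path')
                if cmd.lower().startswith('rundll32'):
                    tags.append('rundll32 DLL launch')
                findings['autorun'].append((key, name, target, tags))
        for suffix, vname in SUSPECT_POLICIES:
            if lk.endswith(suffix) and values.get(vname) == 1:
                findings['policy'].append((key, vname))
        if lk.endswith('\\explorer\\sharedtaskscheduler'):
            # Explorer instantiates every CLSID listed here at logon, so the
            # real payload is the InProcServer32 DLL the CLSID resolves to.
            for clsid, label in values.items():
                server = lower.get('hkey_classes_root\\clsid\\' + clsid.lower()
                                   + '\\inprocserver32', {})
                findings['shared_task_scheduler'].append((clsid, label, server.get('')))
    return findings


FINDINGS = triage(parse_reg(SAMPLE_REG))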

Dropped PE files

MD5                                File path
7b164d5f12a262de73d6de3514c39297   c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\install.exe
4f4b18521cebd7d0b8230808c87d6b73   c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\knzwd.exe
2271f5b5ae21d67450a8f9b33148da78   c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\mlo5jupht9mejgm.exe
4d5f476ab5728c9c1c33c3e4d855f4a1   c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sihf8.exe
7b164d5f12a262de73d6de3514c39297   c:\WINDOWS\debug.exe
7b164d5f12a262de73d6de3514c39297   c:\WINDOWS\iexplarer.exe
98dd737a06bdaa4773cc7580957df796   c:\WINDOWS\system32\g7e7n5i.dll
84541ff8b993aa4d57c5af5f6207b664   c:\WINDOWS\system32\tzwv2w.dll
7b164d5f12a262de73d6de3514c39297   c:\WINDOWS\taskmgr.exe
7b164d5f12a262de73d6de3514c39297   c:\WINDOWS\win.exe

install.exe, debug.exe, iexplarer.exe, taskmgr.exe and win.exe share one MD5 (7b164d5f12a262de73d6de3514c39297): a single executable copied under five names. taskmgr.exe and debug.exe are names of genuine %System% programs and iexplarer.exe resembles iexplore.exe, but these copies sit in %WinDir% itself, which is where to look for them. g7e7n5i.dll is the rundll32 autorun target and tzwv2w.dll the SharedTaskScheduler COM server registered above.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
(empty)  4096              192512         0          0         d41d8cd98f00b204e9800998ecf8427e
(empty)  196608            36864          35808      5.39635   3c539893f1b208fb89bea5b2a01ada8d

Both section names are blank, and the first section has no raw data at all (raw size 0; its MD5 is that of empty input) while reserving 192512 bytes of virtual space; the second holds the entire 35808-byte body. This is the layout the FSG packer identified by PEiD above produces, so the 36320-byte file on disk is a decompression stub plus compressed payload rather than the code that runs.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://instunes.com/dw/vp1.php?id=1D00A31CCB61186&ver=v10&v=2010_10_20&er=S_wd_rd_wrd_rrd_we_re_wc_rc_W5.1- 50.63.75.1
hxxp://instunes.com/dw/dw.php?id=1D00A31CCB61186&ver=v11 50.63.75.1
hxxp://instunes.com/dw/dw.php?id=&ver=v11 50.63.75.1
hxxp://instunes.com/dw/dw.php?id=1-1D00A31CFE7D81C&ver=v11 50.63.75.1
hxxp://nupilo.com/rz/mn.php?ver=H2 185.53.177.8
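
The requests above, together with the headers shown in the Traffic section, are the most durable network indicators in this report: a fixed host and path, an "id" parameter that reuses the value the sample wrote to the registry (winid = 1D00A31CCB61186), a "ver" parameter, and a hand-rolled User-Agent ("Mozilla/4.0 (SP3 WINLD)" / "Mozilla/4.0 (SPGK)") that lacks the "compatible; MSIE" token every real IE user agent carries. Note that at analysis time instunes.com answered every request with 404 and nupilo.com served a domain-parking page, so none of the captured responses contains a payload; the value is in the request shape. The following script is an added example by the editor, not Lavasoft's code: it parses raw HTTP requests and flags the check-ins. The first four requests are copied from the Traffic section; the fifth is a constructed ordinary IE request that must not be flagged. The host/path match is the report's own IOC; the User-Agent and header-shape rules are the editor's generalizations and will need tuning on real traffic.

```python
"""Flag the HTTP check-ins captured in this report and extract the victim
identifier they carry.  Editor's added example, not Lavasoft's code.  The
first four requests are copied from the report's Traffic section; the last
one is a constructed ordinary IE request that must not be flagged."""
from urllib.parse import urlsplit, parse_qs

SAMPLE_REQUESTS = [
    "GET /dw/vp1.php?id=1D00A31CCB61186&ver=v10&v=2010_10_20&er=S_wd_rd_wrd_rrd_we_re_wc_rc_W5.1- HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (SP3 WINLD)\r\nHost: instunes.com\r\nCache-Control: no-cache\r\n\r\n",
    "GET /rz/mn.php?ver=H2 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (SPGK)\r\nHost: nupilo.com\r\nCache-Control: no-cache\r\n\r\n",
    "GET /dw/dw.php?id=&ver=v11 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (SP3 WINLD)\r\nHost: instunes.com\r\nCache-Control: no-cache\r\n\r\n",
    "GET /dw/dw.php?id=1-1D00A31CFE7D81C&ver=v11 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (SP3 WINLD)\r\nHost: instunes.com\r\nCache-Control: no-cache\r\n\r\n",
    # constructed benign request: a real IE 6 user agent on an unrelated host
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Accept: */*\r\n\r\n",
]

BEACON_HOSTS = {"instunes.com", "nupilo.com"}
BEACON_PATHS = {"/dw/dw.php", "/dw/vp1.php", "/rz/mn.php"}
# Value the sample wrote to HKCU\...\Explorer "winid"; the first request's id
# parameter reuses it, which ties the beacon to the host-side artefact.
WINID = "1D00A31CCB61186"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query dict and
    lower-cased header dict.  Blank query values (id=) are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    parts = urlsplit(target)
    query = {k: v[0] for k, v in
             parse_qs(parts.query, keep_blank_values=True).items()}
    return {"method": method, "path": parts.path, "query": query,
            "headers": headers}


def classify(req):
    """Reasons the request looks like this family's check-in; [] if none."""
    reasons = []
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "")
    if host in BEACON_HOSTS and req["path"] in BEACON_PATHS:
        reasons.append("known C2 host/path")
    # Every genuine IE UA reads 'Mozilla/4.0 (compatible; MSIE ...)'; a bare
    # 'Mozilla/4.0 (<token>)' is a hand-written string.
    if ua.startswith("Mozilla/4.0 (") and "compatible;" not in ua:
        reasons.append("non-browser Mozilla/4.0 UA")
    # Browsers send Accept; this client sends only UA, Host and no-cache.
    if (req["method"] == "GET"
            and req["headers"].get("cache-control") == "no-cache"
            and "accept" not in req["headers"]):
        reasons.append("GET with Cache-Control: no-cache and no Accept")
    return reasons


def victim_id(req):
    """The id query parameter as sent (None when absent or blank)."""
    return req["query"].get("id") or None


def scan(raw_requests):
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        reasons = classify(req)
        if reasons:
            vid = victim_id(req)
            hits.append({"host": req["headers"].get("host"),
                         "path": req["path"], "id": vid,
                         "ver": req["query"].get("ver"),
                         "matches_winid": vid == WINID,
                         "reasons": reasons})
    return hits


HITS = scan(SAMPLE_REQUESTS)
```

Each flagged request carries all three reasons, and only the first one's id equals the registry winid; the other identifiers seen on the page (1-1D00A31CFE7D81C in the URL, 1D00A31CEA85D00 in the UserId value) are reported as-is, since the report does not say how they relate.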


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /dw/dw.php?id=1-1D00A31CFE7D81C&ver=v11 HTTP/1.1
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: instunes.com
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Thu, 27 Nov 2014 16:11:16 GMT
Server: Apache
Content-Length: 397
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /instunes/dw/dw.php was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
<hr>
<address>Apache Server at instunes.com Port 80</address>
</body></html>


GET /rz/mn.php?ver=H2 HTTP/1.1
User-Agent: Mozilla/4.0 (SPGK)
Host: nupilo.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Nov 2014 16:09:19 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Check: 3c12dc4d54f8e22d666785b733b0052100c53444
X-Language: english
X-Template: tpl_CleanPeppermintBlack_twoclick
X-Buckets: 
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_h00Cslewff37o4uaKyyLoQV/44NDl3Qx4Kgp/Pp969SOwago45dofa9mdeKa4IdyWn96S9KFS8oEkbRMeHS oA==
df9
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_h00Cslewff37o4uaKyyLoQV/44NDl3Qx4Kgp/Pp969SOwago45dofa9mdeKa4IdyWn96S9KFS8oEkbRMeHS oA==" xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>nupilo.com</title>
<script src="hXXp://VVV.google.com/adsense/domains/caf.js" type="text/javascript" ></script>
<link href="hXXp://f.movfst.net/themes/saledefault.css" rel="stylesheet" type="text/css" media="screen" />
<link href="hXXp://f.movfst.net/themes/assets/style.css" rel="stylesheet" type="text/css" media="screen" />
<link href="hXXp://f.movfst.net/themes/cleanPeppermintBlack/style.css" rel="stylesheet" type="text/css" media="screen" />
<link href='http://fonts.googleapis.com/css?family=Libre Baskerville:400,700' rel='stylesheet' type='text/css'>
</head>
<body id="afd" style="visibility:hidden">
<script src="hXXp://VVV.parkingcrew.net/scripts/sale_form.js" type="text/javascript"></script>
<div id="sale_banner_orange">
<a class="firstlink" href="hXXp://domainnamesales.com/lcontact?d=nupilo.com" target="_blank" onmousedown="tlink('ing', 'nupilo.com');">
Click here to buy nupilo.com for your web

<<< skipped >>>

GET /dw/vp1.php?id=1D00A31CCB61186&ver=v10&v=2010_10_20&er=S_wd_rd_wrd_rrd_we_re_wc_rc_W5.1- HTTP/1.1
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: instunes.com
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Thu, 27 Nov 2014 16:11:13 GMT
Server: Apache
Content-Length: 398
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /in
stunes/dw/vp1.php was not found on this server.</p>.<p>Add
itionally, a 404 Not Found.error was encountered while trying to use a
n ErrorDocument to handle the request.</p>.<hr>.<addres
s>Apache Server at instunes.com Port 80</address>.</body&g
t;</html>...


GET /dw/dw.php?id=&ver=v11 HTTP/1.1
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: instunes.com
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Thu, 27 Nov 2014 16:11:14 GMT
Server: Apache
Content-Length: 397
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /in
stunes/dw/dw.php was not found on this server.</p>.<p>Addi
tionally, a 404 Not Found.error was encountered while trying to use an
ErrorDocument to handle the request.</p>.<hr>.<address
>Apache Server at instunes.com Port 80</address>.</body>
;</html>...


GET /dw/dw.php?id=1D00A31CCB61186&ver=v11 HTTP/1.1
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: instunes.com
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Thu, 27 Nov 2014 16:11:14 GMT
Server: Apache
Content-Length: 397
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /in
stunes/dw/dw.php was not found on this server.</p>.<p>Addi
tionally, a 404 Not Found.error was encountered while trying to use an
ErrorDocument to handle the request.</p>.<hr>.<address
>Apache Server at instunes.com Port 80</address>.</body>
;</html>...


The Dropped connects to the servers at the following location(s):

rundll32.exe_1204:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

rundll32.exe_1204_rwx_10001000_00017000:

hXXp://instunes.com/dw/dw.php?id=&ver=v11
3465890352.exe
rundll32.exe %System%\g7e7n5i.dll, SystemServer
em32\g7e7n5i.dll
Mozilla/4.0 (SP3 WINLD)
%lu.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GET %s HTTP/1.0
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: %s
sdkik3fsiedfahfyg.tmp
hXXp://instunes.com/dw/dw.php?id=%s&ver=v11
hXXp://setservs.com/dw/dw.php?id=%s&ver=v11
hXXp://lator.in/dw/dw.php?id=%s&ver=v11
rundll32.exe %s, SystemServer
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
InternetOpenUrlA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
.text
`.bss
.rdata
@.data
.reloc

knzwd.exe_1176:

KERNEL32.dll
user32.dll
shell32.dll
ShellExecuteA
kernel32.dll
advapi32.dll
RegOpenKeyExA
RegCreateKeyExA
RegCloseKey
wininet.dll
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
InternetOpenUrlA
DeleteUrlCacheEntryA
wsock32.dll
Mozilla/4.0 (SP3 WINLD)
Software\Microsoft\Windows\CurrentVersion\Explorer
%lu.exe
%lu.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 _.exe
osjfs873wuhd.tmp
GET %s HTTP/1.0
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: %s
hXXp://instunes.com/dw/dw.php?id=%s&ver=v11
hXXp://setservs.com/dw/dw.php?id=%s&ver=v11
hXXp://lator.in/dw/dw.php?id=%s&ver=v11
3463859102.exe
\LOCALS~1\Temp\knzwd.exe
hXXp://instunes.com/dw/dw.php?id=1D00A31CCB61186&ver=v11
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\knzwd.exe
#$%&'()*
 ,-./012
3456789:
12345678
.co~m7dw
.dlx=y

debug.exe_1220:

KERNEL32.dll
1Content-Type: application/x-www-form-urlencoded
user32.dll
ExitWindowsEx
EnumChildWindows
kernel32.dll
GetWindowsDirectoryA
GetProcessHeap
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
wininet.dll
InternetOpenUrlA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
HttpSendRequestA
urlmon.dll
URLDownloadToFileA
gdi32.dll
ole32.dll
oleaut32.dll
psapi.dll
oleacc.dll
gdiplus.dll
GdiplusShutdown
nupilo.com
hXXp://nupilo.com/rz/mn.php?ver=H2
im/pst.php
rz/report.php
Mozilla/4.0 (SPGK)
yawghd72y7huhd.tmp
%lu.exe
Software\Microsoft\Internet Explorer\New Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
W%d.%d-
Software\Microsoft\Windows\CurrentVersion\Explorer
gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#
F%D,3
%&'()* ,&-.
789:;<=>
.dlx<V
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.9 (KHTML, like Gecko) Chrome/6.0.401.1 Safari/533.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0#
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FURL
validclick.net
7search.com
LURL
CURL
img.php?
&url=
%lX.ttp
%lX.png
iexplorer.exe
captcha.php
ppiicc63jfnb.gif
pic/pst.php
pic/pst3.php
hXXp://%s/pic/sese.php?h=%s&q=%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
%WinDir%\debug.exe
?!%Xw%
%F?G[R
%&'()* ,
-./01234
56789:;<
456789 /
SRE@XW=.
L32.dl
.dlx=I

install.exe_1376:

KERNEL32.dll
1Content-Type: application/x-www-form-urlencoded
user32.dll
ExitWindowsEx
EnumChildWindows
kernel32.dll
GetWindowsDirectoryA
GetProcessHeap
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
wininet.dll
InternetOpenUrlA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
HttpSendRequestA
urlmon.dll
URLDownloadToFileA
gdi32.dll
ole32.dll
oleaut32.dll
psapi.dll
oleacc.dll
gdiplus.dll
GdiplusShutdown
nupilo.com
hXXp://nupilo.com/rz/mn.php?ver=H2
im/pst.php
rz/report.php
Mozilla/4.0 (SPGK)
yawghd72y7huhd.tmp
%lu.exe
Software\Microsoft\Internet Explorer\New Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
W%d.%d-
Software\Microsoft\Windows\CurrentVersion\Explorer
gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#
F%D,3
%&'()* ,&-.
789:;<=>
.dlx<V
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.9 (KHTML, like Gecko) Chrome/6.0.401.1 Safari/533.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0#
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FURL
validclick.net
7search.com
LURL
CURL
img.php?
&url=
%lX.ttp
%lX.png
iexplorer.exe
captcha.php
ppiicc63jfnb.gif
pic/pst.php
pic/pst3.php
hXXp://%s/pic/sese.php?h=%s&q=%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\install.exe
?!%Xw%
%F?G[R
%&'()* ,
-./01234
56789:;<
456789 /
SRE@XW=.
L32.dl
.dlx=I

taskmgr.exe_508:

KERNEL32.dll
1Content-Type: application/x-www-form-urlencoded
user32.dll
ExitWindowsEx
EnumChildWindows
kernel32.dll
GetWindowsDirectoryA
GetProcessHeap
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
wininet.dll
InternetOpenUrlA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
HttpSendRequestA
urlmon.dll
URLDownloadToFileA
gdi32.dll
ole32.dll
oleaut32.dll
psapi.dll
oleacc.dll
gdiplus.dll
GdiplusShutdown
nupilo.com
hXXp://nupilo.com/rz/mn.php?ver=H2
im/pst.php
rz/report.php
Mozilla/4.0 (SPGK)
yawghd72y7huhd.tmp
%lu.exe
Software\Microsoft\Internet Explorer\New Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
W%d.%d-
Software\Microsoft\Windows\CurrentVersion\Explorer
gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#
F%D,3
%&'()* ,&-.
789:;<=>
.dlx<V
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.9 (KHTML, like Gecko) Chrome/6.0.401.1 Safari/533.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0#
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FURL
validclick.net
7search.com
LURL
CURL
img.php?
&url=
%lX.ttp
%lX.png
iexplorer.exe
captcha.php
ppiicc63jfnb.gif
pic/pst.php
pic/pst3.php
hXXp://%s/pic/sese.php?h=%s&q=%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
%WinDir%\taskmgr.exe
?!%Xw%
%F?G[R
%&'()* ,
-./01234
56789:;<
456789 /
SRE@XW=.
L32.dl
.dlx=I

win.exe_948:

KERNEL32.dll
1Content-Type: application/x-www-form-urlencoded
user32.dll
ExitWindowsEx
EnumChildWindows
kernel32.dll
GetWindowsDirectoryA
GetProcessHeap
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
wininet.dll
InternetOpenUrlA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
HttpSendRequestA
urlmon.dll
URLDownloadToFileA
gdi32.dll
ole32.dll
oleaut32.dll
psapi.dll
oleacc.dll
gdiplus.dll
GdiplusShutdown
nupilo.com
hXXp://nupilo.com/rz/mn.php?ver=H2
im/pst.php
rz/report.php
Mozilla/4.0 (SPGK)
yawghd72y7huhd.tmp
%lu.exe
Software\Microsoft\Internet Explorer\New Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
W%d.%d-
Software\Microsoft\Windows\CurrentVersion\Explorer
gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#
F%D,3
%&'()* ,&-.
789:;<=>
.dlx<V
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.9 (KHTML, like Gecko) Chrome/6.0.401.1 Safari/533.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0#
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FURL
validclick.net
7search.com
LURL
CURL
img.php?
&url=
%lX.ttp
%lX.png
iexplorer.exe
captcha.php
ppiicc63jfnb.gif
pic/pst.php
pic/pst3.php
hXXp://%s/pic/sese.php?h=%s&q=%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
%WinDir%\win.exe
?!%Xw%
%F?G[R
%&'()* ,
-./01234
56789:;<
456789 /
SRE@XW=.
L32.dl
.dlx=I

iexplarer.exe_368:

KERNEL32.dll
1Content-Type: application/x-www-form-urlencoded
user32.dll
ExitWindowsEx
EnumChildWindows
kernel32.dll
GetWindowsDirectoryA
GetProcessHeap
advapi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
wininet.dll
InternetOpenUrlA
HttpOpenRequestA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
HttpSendRequestA
urlmon.dll
URLDownloadToFileA
gdi32.dll
ole32.dll
oleaut32.dll
psapi.dll
oleacc.dll
gdiplus.dll
GdiplusShutdown
nupilo.com
hXXp://nupilo.com/rz/mn.php?ver=H2
im/pst.php
rz/report.php
Mozilla/4.0 (SPGK)
yawghd72y7huhd.tmp
%lu.exe
Software\Microsoft\Internet Explorer\New Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
W%d.%d-
Software\Microsoft\Windows\CurrentVersion\Explorer
gdi32#wininst#sysedit#debug#winamp#system#win#login#setup#install#taskmgr#mdm#csrss#lsass#services#smss#spoolsv#svchost#winlogon#avp#drweb#cmd#user#mdm#nvsvc32#win32#win16#avp32#hexdump#iexplarer#taskmgr#
F%D,3
%&'()* ,&-.
789:;<=>
.dlx<V
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3#Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.9 (KHTML, like Gecko) Chrome/6.0.401.1 Safari/533.9#Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0#
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FURL
validclick.net
7search.com
LURL
CURL
img.php?
&url=
%lX.ttp
%lX.png
iexplorer.exe
captcha.php
ppiicc63jfnb.gif
pic/pst.php
pic/pst3.php
hXXp://%s/pic/sese.php?h=%s&q=%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
%WinDir%\iexplarer.exe
?!%Xw%
%F?G[R
%&'()* ,
-./01234
56789:;<
456789 /
SRE@XW=.
L32.dl
.dlx=I

Explorer.EXE_1988_rwx_01EA1000_00019000:

hXXp://instunes.com/dw/dw.php?id=1-1D00A31CFE7D81C&ver=v11
3498390352.exe
%WinDir%\Explorer.EXE
Mozilla/4.0 (SP3 WINLD)
{B6BA40C1-A501-59BD-F413-03B03A2C8952}
%lu.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
CLSID\%s
SOFTWARE\Classes\CLSID\%s\InProcServer32
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
GET %s HTTP/1.0
User-Agent: Mozilla/4.0 (SP3 WINLD)
Host: %s
hse87ejdjfhiw3dfdfd.tmp
hXXp://instunes.com/dw/dw.php?id=%s&ver=v11
hXXp://setservs.com/dw/dw.php?id=%s&ver=v11
hXXp://lator.in/dw/dw.php?id=%s&ver=v11
opera
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
UnhookWindowsHookEx
SetWindowsHookExA
InternetOpenUrlA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
DeleteUrlCacheEntryA
.text
`.bss
.rdata
@.data
.reloc
lv.aj
!"#$%&'()* ,-./0123456789:;<
Mozilla/4.0 (SP3 W
-A501-59BD-F413-03B03A2C8952}
\%sSOFTWA
GET %s HTTP/1;
pmhXXp://4>un
7).com/dw
.php?
gEKey
`.bssg
.rd2i


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    install.exe:1376
    %original file name%.exe:1852
    knzwd.exe:1176
    iexplarer.exe:368
    taskmgr.exe:508
    sihf8.exe:212
    mlo5jupht9mejgm.exe:1688
    win.exe:948
    Regsvr32.exe:1364
    debug.exe:1220

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    %Documents and Settings%\%current user%\Local Settings\Temp\yawghd72y7huhd.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mlo5jupht9mejgm.exe (60 bytes)
    %System%\tzwv2w.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sihf8.exe (30 bytes)
    C:\p2hhr.bat (46 bytes)
    %System%\g7e7n5i.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\osjfs873wuhd.tmp (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\knzwd.exe (30 bytes)
    %WinDir%\win.exe (60 bytes)
    %WinDir%\taskmgr.exe (60 bytes)
    %WinDir%\iexplarer.exe (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\install.exe (60 bytes)
    %WinDir%\debug.exe (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sdkik3fsiedfahfyg.tmp (16 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HNUjHTgotd" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\install.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HNUjHTgotd" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\install.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HNUjHTgpg" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\knzwd.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HNUjHTgpg" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\knzwd.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MKbuqc" = "%WinDir%\iexplarer.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MKbuqc" = "%WinDir%\iexplarer.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MKerb" = "%WinDir%\taskmgr.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MKerb" = "%WinDir%\taskmgr.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uPc MV0NXQaGuo" = "rundll32.exe %System%\g7e7n5i.dll, SystemServer"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "uPc MV0NXQaGuo" = "rundll32.exe %System%\g7e7n5i.dll, SystemServer"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MKfa" = "%WinDir%\win.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MKfa" = "%WinDir%\win.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MKaoc" = "%WinDir%\debug.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MKaoc" = "%WinDir%\debug.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
