MD5: 0d19bc5683ced18fbce2b577b666f101
SHA1: 65f07e155cc7e3e65c78d0925c0722b5cbb65c59
SHA256: 72687ec070d467e59f6c9511f492e8c8b30075f114be8d186b93e04501b10b42
SSDeep: 24576:eE dlDuHz NCPFAyoB053FVa1TQb3iXSD3FQaNh9JVEkOa:eAHRhQq3nZjwWaaNhpMa
Size: 1820160 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-27 12:45:58
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:188

Mutexes

The following mutexes were created/opened:

!PrivacIE!SharedMemory!Mutex
WininetConnectionMutex
WininetProxyRegistryMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
ZonesLockedCacheCounterMutex
_!MSFTHISTORY!_
ZoneAttributeCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
!IETld!Mutex
__DDrawCheckExclMode__
__DDrawExclMode__
DDrawWindowListMutex
DDrawDriverObjectListMutex
CTF.TimListCache.FMPDefaultS-1-5-21-796845957-1563985344-1801674531-1003MUTEX.DefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-796845957-1563985344-1801674531-1003
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\2345_com[1].txt (14513 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (3361 bytes)
%System%\Injective.dll (192 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (0 bytes)

Registry activity

The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 49 7A B5 5C 93 89 36 7D FB AF 82 0D 0A 5B 6C"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?k89076094"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1414406758"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\International]
"W2KLpk" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: QQ970952380
Product Name: ??2014?9?17????
Product Version: 2014.4.25.1
Legal Copyright: ???????,?????????????? ??QQ970952380
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2014.4.25.1
File Description: ??????,????
Comments: ??QQ970952380
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://www.2345.com/?k89076094	42.62.30.180

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /?k89076094 HTTP/1.1

Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Host: VVV.2345.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 30 Dec 2014 05:39:57 GMT

Server: Apache

Last-Modified: Tue, 30 Dec 2014 05:18:48 GMT

ETag: "1bf67-50b68202ede00"

Accept-Ranges: bytes

Cache-Control: max-age=21600

Expires: Tue, 30 Dec 2014 11:39:57 GMT

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 31140

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=gb2312
.............w...0...9....#...}!D..H..(..HI.l=..0..X.....e..Ev..E..Q..
}.$J.....9v.8.o6Gqr^U.,=..BR.7...L.3......U...._JII.Z...Z..|.?........
o.A...Z.....D.m.TT...9.u..$..kS.I..U..d...A.e......y...v....(.J.*&.,..
[email protected].....$...|....x.n. .r'.B......X.&AI.bI..".G/}
....._==3s...O..|u.'..=1??...>}..._>....G^_<rg...;.z..~b..{G^
?...?.y}...<.....:..A=.w..V<..[...z...O..}....=}z....=....o.....
.4p.....y..o..z...o.y.._...~....-|{...?z...?<}~..S.Z.....o?.......7
?.s...,.hW.wb1-1.............y#....8...gj..NU....\....9N...6.T..Q.r2.)
&...8%(....2.....4....S,.)w... ....zp.t.....wN.z.x....\.....so.....S..
.^...O.g.....o.........W.47...F..ML.8....a..Fk)XP......*....R.1......b
&.."..fPT^...."3...t...|..([email protected].|R
"_.........).J..e..r..N...._.z.p...N#V...EH.,.!].8!$Iye..%Y....PL..C..
.-. ...r.D.[<...9......2.B1.O..)..9.k.$...M..b.....Q..=.l.........g
[email protected]..'[email protected]*)j5/(YA.F.\.....@M.....}.?&x.{y......p
1..t7<....BZ.cs...u.....\.............p....?.....U.......o.....'.}N
 2...eU4*ac...g....Vrb.(...xi.....smYQ..]R.\......P..y<7...G3......
&^..5#..Ssa.._Q....y*.'eA(..i>..Xm.../[email protected]..^{.
...7O.0...y.v..d.".Iu/..h!=.G..q........;O.v....?zSLq'f..cx.e@.)......
B..x....SH,....^}.?<....t.H.m;(g..U.z8)[email protected]....
Uqu.U.1U*......f..fYT.}"...P.%..[L.C.XL..i..k..y7N17.\;...^,v...u.:.C.
....,~=1.]............F.....v...s.\.......PvX^..>[..;........3....B
.aG...rY...:$....tZ,.OU....:......r.dq.^.?.d.W..(....X."..iwQ9..2C
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

wininet.dll

WinINet.dll

ntdll.dll

user32.dll

winmm.dll

advapi32.dll

kernel32.dll

KERNEL32.DLL

psapi.dll

Psapi.dll

shlwapi.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

MsgWaitForMultipleObjects

ShellExecuteA

RegCloseKey

RegCreateKeyA

RegOpenKeyA

UnloadKeyboardLayout

GetKeyboardLayoutList

GetKeyboardLayout

ActivateKeyboardLayout

GetKeyboardLayoutNameA

RegDeleteKeyA

RegFlushKey

LoadKeyboardLayoutA

E9326F3E-A23C-46D3-9C20-3AE825EFA0A7

hXXp://VVV.2345.com/?ktt659189

hXXp://VVV.2345.com/?k61246890

hXXp://VVV.2345.com/?k6591892

hXXp://VVV.2345.com/?k6591893

hXXp://VVV.2345.com/?k6591894

taslogin.exe

123.dll

123.ime

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

http=

HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Content-Type: application/x-www-form-urlencoded

hXXp://

@\\.\

Kernel32.dll

Gdi32.dll

User32.dll

Mpr.dll

Advapi32.dll

Shell32.dll

\Del.exe

`.data

Cannot install kernel mode driver %s.

DelFile.sys

DeleteFile failed %x.

\\.\%s

D:\by\DelFile\test\objfre_w2K_x86\i386\test.pdb

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

SHDeleteKeyA

SHLWAPI.dll

\DelFile.sys

h.rdata

H.data

.reloc

Close file handle %x in %x OK.

Close file handle %x in %x failed.

MmFlushImageSection:%x

D:\by\DelFile\objfre_w2K_x86\i386\delfile.pdb

ntoskrnl.exe

HAL.dll

\Del.exe "

Injective.dll

.vmp0

`.vmp1

@.rsrc

GetKeyState

USER32.dll

GetCPInfo

OffsetViewportOrgEx

GDI32.dll

COMCTL32.dll

.EP.I\eH

$0,040<0

6#6'6 6/6=6

6#7,7;7@7

GetProcessHeap

WINSPOOL.DRV

ÙHYL

).Et1].\

rU,.BtC

.WF/9

6JT.Ef

7.AmF:

5P%s<

ScaleViewportExtEx

SetViewportExtEx

%fX9]

}5m

&.yE'

dy.dll

RegOpenKeyExA

SetWindowsHookExA

RegCreateKeyExA

R1V5f%f%~1

UnhookWindowsHookEx

SetViewportOrgEx

tencent://Message/?Uin=970952380&websiteName=q-zone.qq.com&Menu=yes

crossfire.exe

(12820430)

18:25:20

Shutdown.exe -s -t 60

CF.2.8.5

18:25:29

V2.8.5

_y\SKinH_EL.dll

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

SkinH_EL.dll

k%UPp

fg.VG

%C',@

>Ùd

ce_%D

%C@0H

[I(3/#N0.bd

j"%u=w

q%Xn`

@|H.NI

.wdd!

S|%u4

5r.US

:mD].tB

l.rfH

%s;@;r

,.0.-*.Yw

**.dU

sSHIPM[u

}~~}||{|{}

~~~}}}~~

~}{{||}~

~~|}{|}~

~|{{{{|}~

~}|{{||}~

~}}}|}}~~

~~}}}}~~

.PNLMOD0@r

`.tls

.PNLMOD18T

$.toef

dbghelp.dll

,GQ%X2

&8n=-%do5j

hXXp://VVV.usertrust.com1

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

hXXp://ocsp.usertrust.com0

.Class 3 Public Primary Certification Authority0

<VeriSign Class 3 Public Primary Certification Authority - G50

hXXp://crl.verisign.com/pca3.crl0

hXXps://VVV.verisign.com/cps0

#hXXp://logo.verisign.com/vslogo.gif04

hXXp://ocsp.verisign.com0>

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

hXXps://VVV.verisign.com/cps0*

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

hXXp://VVV.360.cn 0

C:\123.dll

C:\123

tencent://QQInterLive/?Cmd=2&Uin=970952380

iexplore.exe

hXXp://VVV.2345.com/?k89076094

C:\123.ime

VVV.2345.com/?k744606640

VVV.2345.com/?keyybc

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\MainHKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

Num.Del

DNF.exe

00400000

DNF.exe035840D0

04149920

06000000

ws2_32.dll

gdi32.dll

GLU32.DLL

aclui.dll

acsmib.dll

activeds.dll

AcXtrnal.dll

adimage.dll

adptif.dll

ADVAPI32.DLL

advpack.dll

atl.dll

authz.dll

avicap32.dll

avifil32.dll

browseui.dll

CABINET.DLL

clusapi.dll

comctl32.dll

comdlg32.dll

comsvcs.dll

crtdll.dll

crypt32.dll

cryptnet.dll

D3DRM.DLL

ddraw.dll

DHCPCSVC.DLL

digest.dll

DINPUT.DLL

dplay.dll

dplayx.dll

dsound.dll

dsprop.dll

dsuiext.dll

ftsrch.dll

gpedit.dll

hhctrl.ocx

hlink.dll

iasperf.dll

icm32.dll

ICMP.DLL

icmui.dll

idq.dll

iedkcs32.dll

iissuba.dll

IMAGEHLP.DLL

imm32.dll

inetcpl.cpl

IPHLPAPI.DLL

iprop.dll

KSUSER.DLL

loadperf.dll

lz32.dll

mapi32.dll

mgmtapi.dll

MOBSYNC.DLL

mpg4dmod.dll

mpr.dll

mprapi.dll

mqrt.dll

msacm32.dll

msafd.dll

mscms.dll

mscpxl32.dLL

msgina.dll

MSHTML.DLL

MSI.DLL

msimg32.dll

msorcl32.dll

MSPATCHA.DLL

msrating.dll

mstlsapi.dll

msvbvm50.dll

msvfw32.dll

MSWSOCK.DLL

MTXDM.DLL

MTXOCI.DLL

NDDEAPI.DLL

ndisnpp.dll

netapi32.dll

npptools.dll

ntdsapi.dll

ntdsbcli.dll

ntmsapi.dll

nwprovau.dll

odbc32.dll

ODBCBCP.DLL

odbccp32.dll

ODBCTRAC.DLL

ole32.dll

OLEACC.DLL

oleaut32.dll

olecli32.dll

oledlg.dll

olesvr32.dll

opengl32.dll

password.cpl

pdh.dll

Powrprof.dll

qosname.dll

query.dll

rasapi32.dll

raschap.dll

rasdlg.dll

rasman.dll

rassapi.dll

rastls.dll

resutils.dll

RICHED20.DLL

rpcns4.dll

rpcrt4.dll

RSRC32.dll

rtm.dll

rtutils.dll

scarddlg.dll

secur32.dll

SENSAPI.DLL

setupapi.dll

SFC.DLL

shdocvw.dll

shell32.dll

snmpapi.dll

softpub.dll

spoolss.dll

SVRAPI.DLL

tapi32.dll

TLBINF32.dll

traffic.dll

url.dll

URLMON.DLL

userenv.dll

USP10.DLL

uxtheme.dll

VB5STKIT.DLL

vba6.dll

VDMDBG.DLL

version.dll

winfax.dll

winscard.dll

winspool.dll

winspool.drv

wintrust.dll

wldap32.dll

WOW32.DLL

wsnmp32.dll

wtsapi32.dll

xolehlp.dll

google chrome

Google Chrome

Super-EChXXp://VVV.super-ec.cnhXXp://VVV.eyybc.com/forum-17-1.html/forum-12-1.html/memcp.php/ip.asp/time.asp/gonggao.txt/ec-user6.php/ec-bd.php/ec-jh.php

hXXp://VVV.super-ec.cn

<input type="text" name="field_2new" size="25" value="" disabled class="txt" />" class="txt" />Function Getcpuid()

Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")

getcpuid=cpu.ProcessorId

@.reloc

^}•D

__MSVCRT_HEAP_SELECT

IMM32.dll

imehost.dll

ImeProcessKey

Windows

:):3:9:|:

= =$=(=,=0=4=8=

? ?$?(?,?

.ime.bak

*.bak

Keyboard Layout

Keyboard Layout\Preload

22:57:51

$$$((    ////   ((('

$$'(  //00333/0//  (((

3!&.*/866678/*.'%3

ÍIKKKKKKKKKKKJHCB%

0112111.

#.355553.#

$*4655.$

18:30:27

More information: hXXp://VVV.ibsensoftware.com/

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

iphlpapi.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

RASAPI32.dll

WinExec

GetWindowsDirectoryA

RegisterHotKey

UnregisterHotKey

GetViewportOrgEx

RegEnumKeyA

RegQueryInfoKeyA

RegSetKeySecurity

RegGetKeySecurity

SHELL32.dll

OLEAUT32.dll

WSOCK32.dll

DeleteUrlCacheEntry

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

WININET.dll

CreateDialogIndirectParamA

GetViewportExtEx

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

VVV.dywt.com.cn

index.dat

desktop.ini

TermType%d

Service%d

Machine%d

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

\e161255a-37c3-11d2-bcaa-00c04fd929db

\Data\e161255a-37c3-11d2-bcaa-00c04fd929db

Software\Microsoft\Internet Explorer\TypedURLs

%s,%d

%s.lnk

glViewport

glTexEnvfv

glTexEnvf

\glu32.dll

\Opengl32.dll

glPassThrough

%d%d%d

rundll32.exe shell32.dll,

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

?456789:;<=

!"#$%&'()* ,-./0123

&&&&6666????

""""****

2222::::

$$$$\\\\

00006666

####====

crt_init

(*.htm;*.html)|*.htm;*.html

its:%s::%s

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCOleDispatchException@@

zcÁ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

1.0.0.0

(hXXp://VVV.eyuyan.com)

1, 0, 6, 6

- Skin.dll

[email protected]

1, 0, 0, 1

imedllhost09.ime

(*.*)

2014.4.25.1

%original file name%.exe_188_rwx_10076000_00001000:

SetWindowsHookExA

RegCreateKeyExA

R1V5f%f%~1

UnhookWindowsHookEx

SetViewportOrgEx

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (1425 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\2345_com[1].txt (14513 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (4545 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (3361 bytes)
   %System%\Injective.dll (192 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.