GenPack.Generic.Malware.SIBg.20A29979_3fe91d1493
Trojan-Dropper.Win32.Agent.ano (Kaspersky), GenPack:Generic.Malware.SI!Bg.20A29979 (B) (Emsisoft), GenPack:Generic.Malware.SI!Bg.20A29979 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3fe91d14931fb6d70d418477a8813407
SHA1: 800ef45b89681d6bfb4770fa942cc4d0cd6a0259
SHA256: 106b1fc62ed0cca20a61d553eb45facbfbfce542057037b040a55b724122bf34
SSDeep: 1536:VMvCvspprwFvG50QctoYRN7dvC8ZtmbycedueXBVRRbWiQXERd7mW:VMavMpcxG5Fq71C8lVRRbW9ERdCW
Size: 89814 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2007-07-14 18:12:49
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware onto the user's system.
Payload
| Behaviour | Description |
|---|---|
| IRCBot | The bot can communicate with command-and-control servers over an IRC channel. |
Process activity
The GenPack creates the following process(es):
systec32.exe:1492
~z545158.tmp:496
The GenPack injects its code into the following process(es):
%original file name%.exe:644
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ~z545158.tmp:496 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HMNHLGIO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%System%\systec32.exe (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PBX2QB5C\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\55UO2EVH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CT48K6BI\desktop.ini (67 bytes)
The process %original file name%.exe:644 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~z545158.tmp (33 bytes)
The GenPack deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1.tmp (0 bytes)
Registry activity
The process systec32.exe:1492 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 96 FD DF E3 DC 40 1B E0 20 FD F4 3F 7C 8A 55"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
To run itself automatically each time Windows is booted, the GenPack adds the following links to its file under the system registry autorun keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"systec32.exe" = "systec32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"systec32.exe" = "systec32.exe"
The process ~z545158.tmp:496 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 FA 61 F1 E6 89 75 25 0F A5 42 E2 65 AD 32 80"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process %original file name%.exe:644 makes changes in the system registry.
The GenPack creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 EF 20 CE DE CB 04 F1 03 66 2E 88 91 AD 88 E8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| 8d044d5c3cfda151f961eb26b8558ac2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\~z545158.tmp |
| 8d044d5c3cfda151f961eb26b8558ac2 | c:\WINDOWS\system32\systec32.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 204800 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 208896 | 20480 | 18432 | 5.44525 | 2b72c47a9deccd0c25eab5bbf438bba7 |
| .entry | 229376 | 28672 | 27648 | 4.00987 | 0b4972200c4e0642bbecbb7ee1ffc36b |
|  | 258048 | 33920 | 34304 | 4.35016 | 63a414472ccbf8aa9bf880fb19ddd256 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| irc.webchat.org | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET CNC Shadowserver Reported CnC Server IP group 22
ET CHAT IRC PONG response
ET TROJAN IRC DNS request on non-standard port
ET CHAT IRC JOIN command
ET CHAT IRC NICK command
ET CHAT IRC USER command
ET CHAT IRC PING command
Traffic
The GenPack connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
systec32.exe:1492
~z545158.tmp:496
- Delete the original GenPack file.
- Delete or disinfect the following files created/modified by the GenPack:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HMNHLGIO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%System%\systec32.exe (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PBX2QB5C\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\55UO2EVH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CT48K6BI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~z545158.tmp (33 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"systec32.exe" = "systec32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"systec32.exe" = "systec32.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.