Gen.Trojan.Heur.AmZHDZAyYai_d351880780
Gen:Trojan.Heur.AmZ@HDZAyYai (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.PWS.Wsgame.40509 (DrWeb), Gen:Trojan.Heur.AmZ@HDZAyYai (B) (Emsisoft), Artemis!D3518807808F (McAfee), Trojan.Gampass!gen3 (Symantec), Trojan-PWS.Win32.OnLineGames (Ikarus), Gen:Trojan.Heur.AmZ@HDZAyYai (FSecure), Dropper.Generic8.NSW (AVG), Win32:Dropper-gen [Drp] (Avast), TROJ_GEN.R0CBC0RI613 (TrendMicro), Gen:Trojan.Heur.AmZ@HDZAyYai (AdAware), Trojan.Win32.IEDummy.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d3518807808f73f138c26652137d79fa
SHA1: e758a285a05320c22c02d7757dfe75a54aaf9384
SHA256: 3d255f1d1974fd59ede82fe59e178fe84f4c2f172317b9068ccc005071495acd
SSDeep: 6144:WtGmmpFE1YvZ5r JIYGN8W0T3RT7GB/SWgmYyDftj0T9D3ZZhCfZ3mst7iyJNex9:5mm2UvmI8xCB/tJ4x3hCRdtbJNexSHs
Size: 439567 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: LLC Pentagon
Created at: 2013-04-06 15:33:40
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
CTFMON.EXE:296
Updater.exe:1676
e0441.exe:208
ping.exe:1332
Binder.exe:520
regsvr32.exe:560
e0347.tmp:1396
%original file name%.exe:1932
%original file name%.exe:2004
The Trojan injects its code into the following process(es):
iexplore.exe:1252
File activity
The process e0441.exe:208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files (4096 bytes)
%WinDir%\WinSxS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83 (4096 bytes)
C:\ (4096 bytes)
%WinDir%\Prefetch\D3518807808F73F138C26652137D7-2A674A76.pf (40960 bytes)
%System%\wbem\Logs (4096 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (16384 bytes)
%WinDir%\Registration (4096 bytes)
%WinDir%\WinSxS (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Coor.bat (160 bytes)
%System%\wshtcpip.dll (480768 bytes)
%WinDir%\AppPatch (4096 bytes)
%Documents and Settings%\%current user%\Local Settings (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5 (4096 bytes)
%System%\config\software.LOG (115712 bytes)
%Documents and Settings%\%current user%\Application Data\WIRESHARK (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19968 bytes)
%System%\drivers\2656d939.sys (39680 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4096 bytes)
%Documents and Settings%\All Users\àðñþчøù ÑÂтþû (4096 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4096 bytes)
%System%\wshtcptk.dll (19456 bytes)
%System% (77824 bytes)
%System%\config\SysEvent.Evt (4096 bytes)
%System%\midimap.dll (18944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir% (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ysyrfihr.dll (546304 bytes)
%WinDir%\WinSxS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.0.2600.5512_X-WW_DFB54E0C (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18944 bytes)
%Documents and Settings%\%current user%\Local Settings\History (4096 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (1404928 bytes)
%System%\wbem\Repository\FS\OBJECTS.DATA (32768 bytes)
%System%\config (61440 bytes)
%System%\wbem (8192 bytes)
%System%\drivers (20480 bytes)
%System%\config\SOFTWARE (360448 bytes)
%System%\kakutk.dll (606208 bytes)
%System%\wbem\Logs\wbemcore.log (4096 bytes)
%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû (4096 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4096 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (16384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Hy8H.dll (546304 bytes)
%Documents and Settings%\%current user% (4096 bytes)
%System%\drivers\5afdecbf.sys (88960 bytes)
%Documents and Settings%\%current user%\Cookies (8192 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\test@mediaplex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\test@msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\test@apmebf[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\test@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\test@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%System%\drivers\2656d939.sys (0 bytes)
%Documents and Settings%\%current user%\Cookies\test@yandex[3].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@java[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bluekai[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\test@scorecardresearch[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\test@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cgi-bin[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@quizful[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][3].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\test@atdmt[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\test@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\test@live[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
The process Binder.exe:520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\YouPin.exe (42496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YouPin1.exe (0 bytes)
The process e0347.tmp:1396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\%original file name%.exe (199413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\e0441.exe (231936 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process %original file name%.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Updater.exe (158744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Binder.exe (42496 bytes)
The process %original file name%.exe:2004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\e0347.tmp (439567 bytes)
Registry activity
The process CTFMON.EXE:296 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
The process Updater.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\internetdownload\update]
"upToday" = "20140213"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 B7 68 3F E4 A9 D1 4A 88 B0 F1 1B 04 73 2F 71"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process e0441.exe:208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\HOOK_ID]
"Name" = "e0441.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 44 70 93 FA 40 41 E4 F3 CF 4D 94 95 01 4C 5C"
[HKCR\CLSID\SYS_DLL]
"Name" = "ysyrfihr.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\e0347.tmp, , \??\%System%\19DHuji, \??\%System%\19DHuji"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"
"ProxyServer"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"
The process ping.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 74 02 3A 96 77 51 75 87 E4 7D 33 07 F2 A3 CE"
The process Binder.exe:520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"YouPin1.exe" = "YouPin1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C FF E5 E7 56 FD 79 C3 EC F3 07 73 98 6B 23 12"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YouPin" = "%System%\YouPin.exe"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process iexplore.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Type" = "4"
"Count" = "7"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\áÑÂыûúø]
"Order" = "08 00 00 00 02 00 00 00 C2 01 00 00 01 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\iexplore]
"Time" = "DE 07 02 00 04 00 0D 00 10 00 1D 00 26 00 67 03"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Type" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Ãâ€Ã¸Ã°Ã³Ã½Ã¾ÑÂтøúð ÿрþñûõü ÿþôúûючõýøÑÂ..."
[HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU]
"MRUListEx" = "01 00 00 00 00 00 00 00 03 00 00 00 02 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU]
"NodeSlots" = "02 02 02 02 02 02 02 02"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Toolbar]
"Locked" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\iexplore]
"Count" = "1"
[HKCU\Software\Microsoft\Internet Explorer\International]
"W2KLpk" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Count" = "7"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Window_Placement" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\iexplore]
"Type" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Time" = "DE 07 02 00 04 00 0D 00 10 00 1D 00 26 00 77 03"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Time" = "DE 07 02 00 04 00 0D 00 10 00 1D 00 26 00 87 03"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 45 A1 11 ED 6D CA B7 9E AE D5 EB DE 10 1F 4D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Ø÷ñрðýýþõ"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process regsvr32.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\VersionIndependentProgID]
"(Default)" = "IEHlprObj.IEHlprObj"
[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\0\win32]
"(Default)" = "%System%\kakutk.dll"
[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib]
"(Default)" = "{AB705628-B25B-491B-A6BF-4A46FDDBC88E}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0]
"(Default)" = "IEHelper 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCR\IEHlprObj.IEHlprObj\CurVer]
"(Default)" = "IEHlprObj.IEHlprObj.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\IEHlprObj.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"
[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{AB705621-B25B-491B-A6BF-4A46FDDBC88E}]
"(Default)" = "IIEHlprObj"
[HKCR\IEHlprObj.IEHlprObj]
"(Default)" = "IEHlprObj Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCR\IEHlprObj.IEHlprObj.1\CLSID]
"(Default)" = "{AB705622-B25B-491B-A6BF-4A46FDDBC88E}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 9B 84 FC 7C 31 E1 E2 77 45 97 E0 D4 05 49 53"
[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}]
"(Default)" = "IEHlprObj Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\InprocServer32]
"(Default)" = "%System%\kakutk.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\CLSID\{AB705622-B25B-491B-A6BF-4A46FDDBC88E}\ProgID]
"(Default)" = "IEHlprObj.IEHlprObj.1"
[HKCR\TypeLib\{AB705628-B25B-491B-A6BF-4A46FDDBC88E}\1.0\HELPDIR]
"(Default)" = "%System%\"
The process e0347.tmp:1396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\e0347.tmp,"
The process %original file name%.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 AE 7C 9F DF 24 D7 FC FC 47 D8 04 9F 73 D8 1A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Binder.exe" = "Binder"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Updater.exe" = "Updater"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://67.198.128.109/get.asp?mac=1FBDC7BEA7C2046838DB10766CEFB8C5&os=Windows Xp&avs=unknow&ps=NO.&ver=jack |  |
| hxxp://www.jqlgg.com/update.txt | 98.126.147.94 |
| hxxp://update.ucfdb.co.kr/version/freeware/priority-util |  115.68.58.8 |
| hxxp://data.boilez.com/data/ | 209.222.14.3 |
| www.daum.net |  117.52.2.237 |
| update.internetdownload.co.kr.ukraine.luluoffice.com |  |
| tickle.weitzv.com | |
| data.voliez.com | |
| www.internetdownload.co.kr | |
| www.internetdownload.co.kr.ukraine.luluoffice.com | |
| whoops.kiuzaz.com | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\drivers\5afdecbf.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .LIM0Z8A | 4096 | 1680 | 2048 | 3.02008 | b6188836ec2f2f75a1514616f3669b07 |
| .text | 8192 | 1357 | 1536 | 3.50848 | 9099a31c1aa6503c2e99ebfac006e3cd |
| .rsrc | 12288 | 3420 | 3584 | 3.65544 | 3927026663287e2f04d1d35d6fc5ba19 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Updater.exe:1676
e0441.exe:208
ping.exe:1332
Binder.exe:520
regsvr32.exe:560
e0347.tmp:1396
%original file name%.exe:1932
%original file name%.exe:2004 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files (4096 bytes)
%WinDir%\WinSxS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83 (4096 bytes)
%WinDir%\Prefetch\D3518807808F73F138C26652137D7-2A674A76.pf (40960 bytes)
%System%\wbem\Logs (4096 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools (4096 bytes)
%WinDir%\Registration (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Coor.bat (160 bytes)
%System%\wshtcpip.dll (480768 bytes)
%WinDir%\AppPatch (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5 (4096 bytes)
%System%\config\software.LOG (115712 bytes)
%Documents and Settings%\%current user%\Application Data\WIRESHARK (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19968 bytes)
%System%\drivers\2656d939.sys (39680 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4096 bytes)
%Documents and Settings%\All Users\àðñþчøù ÑÂтþû (4096 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4096 bytes)
%System%\wshtcptk.dll (19456 bytes)
%System%\config\SysEvent.Evt (4096 bytes)
%System%\midimap.dll (18944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ysyrfihr.dll (546304 bytes)
%WinDir%\WinSxS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.0.2600.5512_X-WW_DFB54E0C (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18944 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (1404928 bytes)
%System%\wbem\Repository\FS\OBJECTS.DATA (32768 bytes)
%System%\config\SOFTWARE (360448 bytes)
%System%\kakutk.dll (606208 bytes)
%System%\wbem\Logs\wbemcore.log (4096 bytes)
%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû (4096 bytes)
%Program Files%\Common Files\Adobe\Acrobat\ActiveX (4096 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (16384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Hy8H.dll (546304 bytes)
%System%\drivers\5afdecbf.sys (88960 bytes)
%Documents and Settings%\%current user%\Cookies (8192 bytes)
%System%\YouPin.exe (42496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YouPin1.exe (0 bytes)
C:\%original file name%.exe (199413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\e0441.exe (231936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Updater.exe (158744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Binder.exe (42496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\e0347.tmp (439567 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YouPin" = "%System%\YouPin.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
