Gen.Variant.Adware.Kazy.281894_87cedc15ab

by malwarelabrobot on February 12th, 2015 in Malware Descriptions.

not-a-virus:AdWare.Win32.Hebogo.acy (Kaspersky), Gen:Variant.Adware.Kazy.281894 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Adware


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 87cedc15abf7d949c90f11e3f771f291
SHA1: 1ed1dbe338720bd54430d250485c62be2757bf45
SHA256: feeb4ae049c71f455822b767c49db39916fe2535922b5d1975f2650fc3253b08
SSDeep: 24576:8cgCYQ1LGum4sx8Kofd/uV wQ7fGJUI3Sl:DgCh1LGumhuW vzGiI3C
Size: 838064 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-11-06 21:53:27
Analyzed on: WindowsXP SP3 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

No specific payload has been found.

Process activity

The PUP creates the following process(es):

%original file name%.exe:552
irsetup.exe:980
WinCtrCon.exe:1944
WinCtrProc.exe:156

The PUP injects its code into the following process(es):
No code injection has been detected.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:552 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (1861 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process irsetup.exe:980 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%System%\VB6KO.DLL (2712 bytes)
%System%\MSINET.OCX (2784 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)

The process WinCtrCon.exe:1944 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MN4NDACR\sTakeList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4XEJOP2R\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MN4NDACR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe (418761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MN4NDACR\PrgGsRetain[1].htm (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49QZSDEN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe (89729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKSOEOQZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4XEJOP2R\WinCtrProc[1].exe (418761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKSOEOQZ\Uninstall[1].exe (89729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49QZSDEN\ProgramUpdateLab[1].htm (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKSOEOQZ\FcTimeLab[1].htm (157 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF62AD.tmp (0 bytes)

The process WinCtrProc.exe:156 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4XEJOP2R\WinCtrCon[1].exe (52969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKSOEOQZ\UCg_LPrMLab[1].htm (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4XEJOP2R\FormLocation[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49QZSDEN\StakePsList[1].htm (917 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MN4NDACR\FcPimSLab[1].htm (157 bytes)
%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (51185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49QZSDEN\TransSiteString[1].htm (12 bytes)

The PUP deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF9FC8.tmp (0 bytes)

Registry activity

The process %original file name%.exe:552 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E F4 5D F3 DC CE C7 BE 3C D4 C3 6E BD 72 46 84"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The PUP modifies the IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The PUP modifies the IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The PUP modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process irsetup.exe:980 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\WinCtrView]
"PDR" = "asdfaeiqwerh"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKCU\Software\WinCtrView]
"SUBNAME" = "MAIN"
"Commit" = "Y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\WinCtrView]
"CURDIR" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\WinCtrView]
"ver" = "sup"
"USER_NO" = "3236"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\WinCtrView]
"Version" = "0000"
"S_NO" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 4B 4D 29 08 FC E1 8B 73 70 06 ED B1 2B DC 26"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Upmom" = "Y"
"Owner" = "admin"

To run automatically each time Windows boots, the PUP adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVersion\WinCtrProc.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVersion\WinCtrCon.exe"

The process WinCtrCon.exe:1944 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"

[HKCU\Software\WinCtrView]
"Upmom" = "N"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\WinCtrView]
"Commit" = "N"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "%System%\MSINET.OCX"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCU\Software\WinCtrView]
"Version" = "1683"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 48 3B 95 74 E1 6D A1 C0 08 0F 47 6A C7 E1 7C"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "%System%\MSINET.OCX"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"

[HKCU\Software\WinCtrView]
"firstTime" = "0"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "%System%\MSINET.OCX, 1"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\WinCtrView]
"MomDate" = "2/11/2015"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

To run automatically each time Windows boots, the PUP adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -SmdTh"

The PUP modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The PUP modifies the IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP modifies the IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run automatically each time Windows boots, the PUP adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "\.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "\.exe"

The PUP deletes the following registry key(s):

[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"

The PUP disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProProc"

The process WinCtrProc.exe:156 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\WinCtrView]
"USER_NO" = "3236"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\WinCtrView]
"AdFlag" = "Y"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\WinCtrView]
"Intro_No" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\WinCtrView]
"Version" = "1707"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 24 E7 ED 8D 59 55 4A 27 EB 4A 55 8A 34 D3 05"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To run automatically each time Windows boots, the PUP adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -PjZQe"

The PUP modifies the IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The PUP modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The PUP modifies the IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run automatically each time Windows boots, the PUP adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -PjZQe"

The PUP deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"

The PUP disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroProCon"
"MicroProProc"

Dropped PE files

MD5 File path
c3a2676fd2bec4903dea49c7e31f890b c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe
8ce0f2978cb1f47686491ef6386c9bfd c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe
18abd3c70dd9fe8bcb72e74f5f728020 c:\Documents and Settings\"%CurrentUserName%"\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe
3fe7c92dba5c9240b4ab0d6a87e6166a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe
157da463e8356493e74b41a05869d13c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4XEJOP2R\WinCtrCon[1].exe
18abd3c70dd9fe8bcb72e74f5f728020 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4XEJOP2R\WinCtrProc[1].exe
c3a2676fd2bec4903dea49c7e31f890b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\YKSOEOQZ\Uninstall[1].exe
90a39346e9b67f132ef133725c487ff6 c:\WINDOWS\system32\MSINET.OCX
84742b5754690ed667372be561cf518d c:\WINDOWS\system32\VB6KO.DLL

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Setup Factory 8.0 Runtime
Product Version: 8.2.1.0
Legal Copyright: Setup Engine Copyright (c) 2004-2009 Indigo Rose Corporation
Legal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.
Original Filename: suf80_launch.exe
Internal Name: suf80_launch
File Version: 8.2.1.0
File Description: Setup Application
Comments: Created with Setup Factory 8.0
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 28836 32768 4.26507 a8dbcac095aef6f1ff0f56e91c5abc15
.rdata 36864 10370 12288 3.44532 efb6029b9a5f70171975f6b5a16c78ce
.data 49152 6440 4096 1.54728 cf8d7dd9f4b828868db85743b8601f51
.rsrc 57344 28040 28672 4.06487 05962a2c16ea40395e7b662814eba9fd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 64
0e1bf09cea8e7cf2d8ff215b54ccc3ff
d75730ea026fe5382675843835ded6a9
718e9f2f2d034517ca9cdaa9832319ad
02adc8c2d1b9d35456648d00b2e113cd
670c94280fdc3b0cb140feae731d4c0d
0c98a0bbf155499f661f9197ebe6f911
e0c73ec709eb023aa74b3ab3e34cec8c
10a837ecb7ad77be14a8f216ba9a27e9
1e40a2e8dc545db1b3951b03bc6f1d8b
1bca3e164a7694e2bfc2629ad0b7db8b
c7a919798d24e17663a9c150955521f3
2e4800fb97b05f0d1e4fcaeb813d1f8d
3d3c9407fd88f380fe0ecf16ee272c75
0322bada829af4fbc99deccc6787594b
9e89d8604f37b8d9d910ca8bf2f15198
16e80409037afd6531a3c25648efd36a
0e59ac54f3f9d686876ffca3ab8d0156
662f48cd18a06ab7fa7a036c39dd5009
a05a82856ecb0e9f04dee5f2b945355c
c3150d4a50452db71ce563353ba982af
30e1a69c0102c91804e02b385310b1ef
d96bf3515187f64e04bc30c105eeffaa
17a2073789197d2833c22b7dba0bffb9
a5d7544dc7fcd215554f142ad7882408
c0bf80b9314aec2b1dca0dcb2662f42d

URLs

URL IP
hxxp://mainserver.kr/Config/sTakeList.asp?n=3236 220.73.162.57
hxxp://220.73.162.39/Config/AdNw/FcTimeLab.asp
hxxp://220.73.162.39/Config/NewConf/ProgramUpdateLab.asp?version=1683
hxxp://220.73.162.4/Download/WinCtrProc.exe
hxxp://220.73.162.39/Config/NewConf/PrgGsRetain.asp?uno=3236&ver=0000&wver=5
hxxp://220.73.162.4/Download/Uninstall.exe
hxxp://mainserver.kr/Config/AdNw/StakePsList.asp?uno=3236 220.73.162.57
hxxp://220.73.162.43/Config/FormLocation.asp
hxxp://220.73.162.43/Config/AdNw/FcPimSLab.asp
hxxp://220.73.162.43/Config/newConf/UCg_LPrMLab.asp?user_no=3236
hxxp://220.73.162.43/Config/TransSiteString.asp?nation=KOREA
hxxp://220.73.162.4/Download/WinCtrCon.exe


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Config/AdNw/StakePsList.asp?uno=3236 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: mainserver.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSDTRSQD=DFMHLLHBKDJPGPHPIDAKMPFG; path=/
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:32:47 GMT
hXXp://220.73.162.22,
hXXp://220.73.162.23,
hXXp://220.73.162.24,
hXXp://220.73.162.25,
hXXp://220.73.162.26,
hXXp://220.73.162.27,
hXXp://220.73.162.28,
hXXp://220.73.162.29,
hXXp://220.73.162.30,
hXXp://220.73.162.31,
hXXp://220.73.162.32,
hXXp://220.73.162.33,
hXXp://220.73.162.34,
hXXp://220.73.162.35,
hXXp://220.73.162.36,
hXXp://220.73.162.37,
hXXp://220.73.162.38,
hXXp://220.73.162.39,
hXXp://220.73.162.40,
hXXp://220.73.162.41,
hXXp://220.73.162.42,
hXXp://220.73.162.43,
hXXp://220.73.162.44,
hXXp://220.73.162.45,
hXXp://220.73.162.46,
hXXp://220.73.162.47,
hXXp://220.73.162.48,
hXXp://220.73.162.49,
hXXp://220.73.162.50,
hXXp://220.73.162.51,
hXXp://220.73.162.52,
hXXp://220.73.162.53,
hXXp://220.73.162.54,
hXXp://220.73.162.55,
hXXp://220.73.162.56,
hXXp://220.73.162.57,
hXXp://220.73.162.58,
hXXp://220.73.162.59,
hXXp://220.73.162.60,
hXXp://220.73.162.61

<<< skipped >>>

GET /Config/AdNw/FcTimeLab.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.39
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACDQCRQT=FCMKMKHBAPOJFCPHPLCMMGGD; path=/
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:30:09 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,hXXp://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y



GET /Config/NewConf/ProgramUpdateLab.asp?version=1683 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.39
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDACDQCRQT=FCMKMKHBAPOJFCPHPLCMMGGD


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:30:13 GMT
1707|WinCtrProc.exe



GET /Config/NewConf/PrgGsRetain.asp?uno=3236&ver=0000&wver=5 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.39
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDACDQCRQT=FCMKMKHBAPOJFCPHPLCMMGGD


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 218
Content-Type: text/html
Expires: Wed, 11 Feb 2015 06:30:21 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:30:21 GMT
RetainGard|
26/WinCtrView/Engin/Retain|
RetainGard|
RetainPt:130|
00000176|
WinCtrView|
26/WinCtrView/Engin/ProVersion|
1706|
WinCtrCon:112,MicroProProc:700|
Actdate:>:3|
anytime|
1000|
N|
N|
E|
00000176


GET /Config/sTakeList.asp?n=3236 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: mainserver.kr
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 917
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQSDTRSQD=AIGHLLHBGGEMBFABGCMBMGAF; path=/
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:32:30 GMT
hXXp://220.73.162.22,
hXXp://220.73.162.23,
hXXp://220.73.162.24,
hXXp://220.73.162.25,
hXXp://220.73.162.26,
hXXp://220.73.162.27,
hXXp://220.73.162.28,
hXXp://220.73.162.29,
hXXp://220.73.162.30,
hXXp://220.73.162.31,
hXXp://220.73.162.32,
hXXp://220.73.162.33,
hXXp://220.73.162.34,
hXXp://220.73.162.35,
hXXp://220.73.162.36,
hXXp://220.73.162.37,
hXXp://220.73.162.38,
hXXp://220.73.162.39,
hXXp://220.73.162.40,
hXXp://220.73.162.41,
hXXp://220.73.162.42,
hXXp://220.73.162.43,
hXXp://220.73.162.44,
hXXp://220.73.162.45,
hXXp://220.73.162.46,
hXXp://220.73.162.47,
hXXp://220.73.162.48,
hXXp://220.73.162.49,
hXXp://220.73.162.50,
hXXp://220.73.162.51,
hXXp://220.73.162.52,
hXXp://220.73.162.53,
hXXp://220.73.162.54,
hXXp://220.73.162.55,
hXXp://220.73.162.56,
hXXp://220.73.162.57,
hXXp://220.73.162.58,
hXXp://220.73.162.59,
hXXp://220.73.162.60,
hXXp://220.73.162.61

<<< skipped >>>

GET /Config/FormLocation.asp HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.43
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5287
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACCTDSSQ=IOIOJKHBEKGPMPFLEEEMDOLB; path=/
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:31:05 GMT
hXXp://blink.naver.com|961|C|962|50|R|L|8|8|283#
hXXp://cafe.naver.com/CafeRankingSectionList.nhn?|961|C|962|50|R|L|8|8|283#
hXXp://kin.naver.com/db/detail.php?|961|C|962|50|R|L|10|10|283#
hXXp://news.naver.com|961|C|962|50|R|L|8|8|283#
hXXp://section.blog.naver.com|961|C|962|50|R|L|8|8|283#
hXXp://sample.naver.com|781|C|870|260|R|L|12|12|255#
hXXp://weather.news.naver.com|961|C|962|50|R|L|8|8|283#
hXXp://VVV.naver.com|882|C|882|260|R|L|6|6|255#
hXXp://agora.media.daum.net|978|C|58.34|900|R|L|9|9|430#
hXXp://agoraplaza.media.daum.net/petition/petition.do?|978|C|58.34|900|R|L|9|9|430#
hXXp://blog.daum.net/?|978|C|58.34|900|R|L|9|9|430#
hXXp://blog.daum.net/_blog/_top|978|C|58.34|900|R|L|9|9|430#
hXXp://blog.daum.net/_top/|978|C|58.34|900|R|L|9|9|430#
hXXp://blog.daum.net/_top/layout|978|C|58.34|900|R|L|9|9|430#
hXXp://cafe.daum.net/_c21_/cafefocus_list?|978|C|58.34|900|R|L|9|9|430#
hXXp://cafe.daum.net/_ranking/rank_top100_1.html?|978|C|58.34|900|R|L|9|9|430#
hXXp://cafe.daum.net/support/cafesupport.html?|978|C|58.34|900|R|L|9|9|430#
hXXp://cafe.daum.net/brand/brandstar.html?|978|C|58.34|900|R|L|9|9|430#
hXXp://cafe.daum.net/event/event_list.html?|978|C|58.34|900|R|L|9|9|430#
hXXp://cafe.daum.net/_bbs/0noti/bbs_read?|978|C|58.34|900|R|L|9|9|430#
hXXp://cafe.daum.net/?_top_blogtop=navi_cafehome|978|C|58.34|900|R|L|9|9|430#
hXXp://cafe.daum.net/top/top.html?_top_cafetop=cafehome|978|C|58.34|900|R|L|9|9|430#
hXXp://cartoon.media.daum.net|978|C|58.34|900|R|L|9|9|430#
hXXp://issue.media.daum.ne

<<< skipped >>>

GET /Config/AdNw/FcPimSLab.asp HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.43
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCTDSSQ=IOIOJKHBEKGPMPFLEEEMDOLB


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 157
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:31:05 GMT
5|5|60|hXXp://loadform.co.kr/Download,hXXp://220.73.162.2/Download,hXXp://220.73.162.3/Download,hXXp://220.73.162.4/Download|5|100|100||100|120|Y|Y|Y|Y|Y|Y



GET /Config/newConf/UCg_LPrMLab.asp?user_no=3236 HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.43
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCTDSSQ=IOIOJKHBEKGPMPFLEEEMDOLB


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 396
Content-Type: text/html
Expires: Wed, 11 Feb 2015 06:31:06 GMT
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:31:06 GMT
KOREA|Y|N|N|Y|hXXp://kr.search.yahoo.com/search?fr=clickstory_kr_synd_search&ovt=A_P_AB_cityfriend_5&p=|Y|N|N|0|hXXp://220.73.162.55/config/LanguageTranslate.asp?hl=[u]&sl=[u]&tl=[1]&p=[KEYWORD]|name="p" value=,16|hXXp://kr.dictionary.search.yahoo.com/search/dictionaryp?subtype=[1]&prop=7&p=[KEYWORD]|50|N|N|N|0|hXXp://VVV.hebogo.com/search/csearch.asp|N|0|N|0|Y|N|N|N|N|Y|Y|Y|0|N|ALRIM|Y|N|N|N|



GET /Config/TransSiteString.asp?nation=KOREA HTTP/1.1

Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.43
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDACCTDSSQ=IOIOJKHBEKGPMPFLEEEMDOLB


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12071
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:31:06 GMT
KOREA,ko,hXXp://kr.search.yahoo.com,hXXp://kr.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|
ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|
CHINA,zh-TW,hXXp://one.cn.yahoo.com,hXXp://one.cn.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|
CANADA,ca,hXXp://ca.search.yahoo.com,hXXp://ca.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|
GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|
FRANCE,fr,hXXp://fr.search.yahoo.com,hXXp://fr.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|
JAPAN,ja,hXXp://VVV.yahoo.co.jp,hXXp://search.yahoo.co.jp/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|
KOREA,ko,hXXp://search.naver.com,hXXp://search.naver.com/search.naver?query=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|
GERMAN,de,hXXp://de.search.yahoo.com,hXXp://de.search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|
ENGLISH,en,hXXp://search.yahoo.com,hXXp://search.yahoo.com/search?p=,hXXp://translate.google.com/translate?,u=[3][KEYWORD],sl=[1],tl=[u],ie=UTF-8,,|
JAPAN,ja,hXXp://VVV.goog

<<< skipped >>>

GET /Download/WinCtrProc.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.4
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 06 Feb 2015 01:13:19 GMT
Accept-Ranges: bytes
ETag: "1f512018aa41d01:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:20:25 GMT
Content-Length: 851416

<<< skipped >>>

GET /Download/Uninstall.exe HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.4
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 28 Jul 2014 00:07:13 GMT
Accept-Ranges: bytes
ETag: "96535e2f7a9cf1:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:20:34 GMT
Content-Length: 191984

<<< skipped >>>

GET /Download/WinCtrCon.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.01.9782
Host: 220.73.162.4
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 06 Feb 2015 01:13:19 GMT
Accept-Ranges: bytes
ETag: "1149db17aa41d01:0"
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Wed, 11 Feb 2015 06:20:43 GMT
Content-Length: 114144

<<< skipped >>>

The PUP connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:552
    irsetup.exe:980
    WinCtrCon.exe:1944
    WinCtrProc.exe:156

  2. Delete the original PUP file.
  3. Delete or disinfect the following files created/modified by the PUP:

    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (1861 bytes)
    %System%\VB6KO.DLL (2712 bytes)
    %System%\MSINET.OCX (2784 bytes)
    %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (2784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MN4NDACR\sTakeList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4XEJOP2R\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MN4NDACR\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe (418761 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MN4NDACR\PrgGsRetain[1].htm (218 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49QZSDEN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\Uninstall\Uninstaller.exe (89729 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKSOEOQZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4XEJOP2R\WinCtrProc[1].exe (418761 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKSOEOQZ\Uninstall[1].exe (89729 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49QZSDEN\ProgramUpdateLab[1].htm (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKSOEOQZ\FcTimeLab[1].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4XEJOP2R\WinCtrCon[1].exe (52969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YKSOEOQZ\UCg_LPrMLab[1].htm (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4XEJOP2R\FormLocation[1].htm (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49QZSDEN\StakePsList[1].htm (917 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MN4NDACR\FcPimSLab[1].htm (157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\49QZSDEN\TransSiteString[1].htm (12 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVersion\WinCtrProc.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrCon" = "%ApplicationDataFolder%\WinCtrView\Engin\ProVersion\WinCtrCon.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -SmdTh"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "\.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "\.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrProc" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrProc.exe -PjZQe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WinCtrCon" = "%Documents and Settings%\%current user%\Application Data\WinCtrView\Engin\ProVersion\WinCtrCon.exe -PjZQe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
