Gen.Variant.Kazy.530639_3219d18fda

by malwarelabrobot on March 29th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.530639 (B) (Emsisoft), Gen:Variant.Kazy.530639 (AdAware), Bancos.YR, ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 3219d18fda4eb8b4a60ac48aaf92c606
SHA1: e1ab400d42721da187a5a95e458dcb238304c686
SHA256: 22413227d79882903e295138c7ff9817f5673baeb7044f607de9023999ca5c03
SSDeep: 24576:VS5u exNLTnc//a yYuvmjKUe7mkOTkMEMzl MOmXKF82Yei:Vku exNLw//fmeF9THOmX0YV
Size: 1007104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-07 11:53:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

:0
cscript.exe:556
cscript.exe:456
cscript.exe:1972
cscript.exe:392
cscript.exe:236
cscript.exe:1712
cscript.exe:1612
cscript.exe:1944
cscript.exe:656
cscript.exe:2036
cscript.exe:1520
cscript.exe:368
cscript.exe:1236
cscript.exe:996
cscript.exe:1216
cscript.exe:1312
cscript.exe:896
cscript.exe:564
cscript.exe:1592
cscript.exe:860
cscript.exe:908
cscript.exe:1648
cscript.exe:720
cscript.exe:1384
cscript.exe:1688
cscript.exe:2008
cscript.exe:1004
cscript.exe:376
%original file name%.exe:1128
%original file name%.exe:604
%original file name%.exe:600
%original file name%.exe:596
%original file name%.exe:488
%original file name%.exe:608
%original file name%.exe:456
%original file name%.exe:552
%original file name%.exe:1052
%original file name%.exe:1968
%original file name%.exe:656
%original file name%.exe:1652
%original file name%.exe:1756
%original file name%.exe:916
%original file name%.exe:2012
%original file name%.exe:1024
%original file name%.exe:564
%original file name%.exe:588
%original file name%.exe:380
%original file name%.exe:1032
%original file name%.exe:1492
%original file name%.exe:228
%original file name%.exe:268
%original file name%.exe:1284
%original file name%.exe:908
%original file name%.exe:1972
%original file name%.exe:2020
%original file name%.exe:532
%original file name%.exe:296
%original file name%.exe:1516
%original file name%.exe:1380
%original file name%.exe:680

The Trojan injects its code into the following process(es):

zuMEoUcg.exe:1728
hmwooYMM.exe:232
hEMQMIQs.exe:1212

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process :0 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\OUQkMkgc.bat (4 bytes)
\Device\HarddiskVolume1\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\QiAIQsMM.bat (112 bytes)

The Trojan deletes the following file(s):

\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\OUQkMkgc.bat (0 bytes)
\Device\HarddiskVolume1\%original file name%.exe (0 bytes)
\Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ukIMccQI.bat (0 bytes)

The process %original file name%.exe:1128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KcUMMkYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SgEQUAEM.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KcUMMkYM.bat (0 bytes)

The process %original file name%.exe:604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JaUkkMwI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OMAQMUUA.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OMAQMUUA.bat (0 bytes)

The process %original file name%.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DOIcsUgY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pMcgsIgQ.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pMcgsIgQ.bat (0 bytes)

The process %original file name%.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sgAwMEEo.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KaQAgIIo.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KaQAgIIo.bat (0 bytes)

The process %original file name%.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gSwcUcYI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qUkcoAQQ.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gSwcUcYI.bat (0 bytes)

The process %original file name%.exe:608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IcEsIYMQ.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\okIsMskQ.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\okIsMskQ.bat (0 bytes)

The process %original file name%.exe:456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hgwgIgkQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hqgoAMQc.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hgwgIgkQ.bat (0 bytes)

The process %original file name%.exe:1052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mYAkMsMk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vYkgQkck.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mYAkMsMk.bat (0 bytes)

The process %original file name%.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dYIAcgwE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TgskcMgg.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dYIAcgwE.bat (0 bytes)

The process %original file name%.exe:656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UGEIgoMw.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UgUIcscI.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UgUIcscI.bat (0 bytes)

The process %original file name%.exe:1652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iOQUkUkI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ukwAoUUA.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ukwAoUUA.bat (0 bytes)

The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dQwkAQIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wagowYEQ.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dQwkAQIc.bat (0 bytes)

The process %original file name%.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jakIMgck.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwggksso.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jakIMgck.bat (0 bytes)

The process %original file name%.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IksUUgcQ.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pcgAsYYw.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pcgAsYYw.bat (0 bytes)

The process %original file name%.exe:1024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sgkAMock.bat (4 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eKYUMQQY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pGQUkYMw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xSockgQg.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sgkAMock.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xSockgQg.bat (0 bytes)

The process %original file name%.exe:564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CwYcsAwg.bat (4 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yMQYsskA.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CwYcsAwg.bat (0 bytes)

The process %original file name%.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eMQwAIIs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JUYIgcko.bat (4 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\JUYIgcko.bat (0 bytes)

The process %original file name%.exe:380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YQsgcUoA.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SIgEIcUg.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SIgEIcUg.bat (0 bytes)

The process %original file name%.exe:1032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZEYoQMwI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PugQUgsE.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZEYoQMwI.bat (0 bytes)

The process %original file name%.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCwwEwUY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EgAAIwks.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EgAAIwks.bat (0 bytes)

The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vEwEgEUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZgQwIgwg.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vEwEgEUQ.bat (0 bytes)

The process %original file name%.exe:268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zAggkAYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zwgcooko.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zAggkAYM.bat (0 bytes)

The process %original file name%.exe:1284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZEoIwAQE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DQcIMUgE.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZEoIwAQE.bat (0 bytes)

The process %original file name%.exe:908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fQoYIIAY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tQUMYIYU.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tQUMYIYU.bat (0 bytes)

The process %original file name%.exe:1972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AskkMcUk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZIIokooY.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AskkMcUk.bat (0 bytes)

The process %original file name%.exe:2020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cEEosQwY.bat (4 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AEAwAAMI.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cEEosQwY.bat (0 bytes)

The process %original file name%.exe:532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PcwEUQgI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xAogEQwM.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PcwEUQgI.bat (0 bytes)

The process %original file name%.exe:296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oyYwYIwg.bat (112 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lOgQsMEQ.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lOgQsMEQ.bat (0 bytes)

The process %original file name%.exe:1516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WiYQEkcQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LgQkscIE.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LgQkscIE.bat (0 bytes)

The process %original file name%.exe:1380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hUowwosQ.bat (4 bytes)
%Documents and Settings%\All Users\xWAMIgUE\zuMEoUcg.exe (7713 bytes)
%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe (7761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nGcsAMQM.bat (112 bytes)
%Documents and Settings%\%current user%\tiMscAww\hmwooYMM.exe (7785 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hUowwosQ.bat (0 bytes)

The process %original file name%.exe:680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qeoogIgQ.bat (4 bytes)
C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xyoMMAEA.bat (112 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qeoogIgQ.bat (0 bytes)

The process hEMQMIQs.exe:1212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\NAAo.txt (44558 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)

Registry activity

The process :0 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 6D 63 1D CC B4 E8 4F 5C 8C F2 D1 44 59 13 FE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"

The process cscript.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 1D E9 FB FB 9F 5F 3B A0 1B 09 2C 9E 8A 52 22"

The process cscript.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 02 1B 68 21 57 F9 34 9A 67 6F 2A A1 7E DD F8"

The process cscript.exe:1972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 2B A6 88 5A 5B 06 72 D9 E5 07 35 97 5B DD 91"

The process cscript.exe:392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F C1 AA 64 DA E9 DB FD 4E BD E1 DE 5F 84 DA AF"

The process cscript.exe:236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 60 83 C3 E8 68 07 45 D4 34 8D DB 70 16 35 17"

The process cscript.exe:1712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 7D D6 9E CD 47 FE 32 CC 57 72 6B E6 6C C9 7C"

The process cscript.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 4C 3C 33 F5 29 55 C5 7E D3 56 53 A6 DC 1A 7C"

The process cscript.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 DD E9 54 95 A1 A8 C9 19 4B 5D 7D 2D E2 F3 9C"

The process cscript.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 41 50 5F B7 0B 8F 91 63 9D A0 54 DD 56 15 BD"

The process cscript.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 54 76 2C CC 6F 40 8D 79 9B 9E 70 C9 F2 A2 01"

The process cscript.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 0E F2 A9 69 DC 3F 92 9C C2 C6 2B 26 77 72 1D"

The process cscript.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 0F 6A 8C 11 6C 80 F3 E7 28 74 52 50 8D 2F 83"

The process cscript.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 6C 3F 66 58 23 09 FD 5E 82 71 B6 5A F5 3F 9F"

The process cscript.exe:996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 72 EB C7 F9 F0 8C 50 05 1E EA 29 65 1A 95 6C"

The process cscript.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 ED F6 01 BC 37 3C 10 64 40 F1 92 57 02 38 7A"

The process cscript.exe:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 47 36 B9 6E 9D 78 A7 F4 2E 50 58 32 2C 7A 23"

The process cscript.exe:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 E0 4E FD 38 8F 91 D2 37 4E 0B 1F 56 7D 2F 43"

The process cscript.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 C5 F0 E5 0E F1 24 AD EB 73 89 88 78 4D 90 47"

The process cscript.exe:1592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 AF 37 35 93 6B F4 6E C5 2C C7 52 50 9E 0B 31"

The process cscript.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 7D 48 FD 34 97 CD 67 29 59 C9 59 F3 C4 B7 38"

The process cscript.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 98 CC 9F D5 BC 9A CC 9D 0E B4 CB F1 75 74 84"

The process cscript.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 95 19 27 B0 F7 20 B3 5F 89 A8 E7 22 FE EB 59"

The process cscript.exe:720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 60 42 7F 72 71 C1 AE 68 D9 D0 2C 2B A7 91 39"

The process cscript.exe:1384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D F5 96 AE 9A F1 3A DB 17 CC D6 32 76 35 98 33"

The process cscript.exe:1688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 FC 2B 81 C6 6E A5 D3 AE 76 41 6D 6B 20 B3 D5"

The process cscript.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C BB A0 30 DA C7 8C FB D3 40 20 D3 C2 BB 66 9A"

The process cscript.exe:1004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 4E EF 88 4A F0 51 C2 46 34 56 A3 24 F8 85 93"

The process cscript.exe:376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 4F D5 71 48 F0 AC 2A DE 97 11 32 AE 50 5E 9D"

The process zuMEoUcg.exe:1728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 C6 8A E2 CE 39 AB A1 42 D0 D9 86 63 54 F2 31"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hEMQMIQs.exe" = "%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe"

The process %original file name%.exe:1128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 3C DF C1 60 BB 53 2F FD 08 C1 3D 7F A0 A0 82"

The process %original file name%.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 DA 2D 22 01 81 69 3F 57 2A 97 41 2B 0A DE B9"

The process %original file name%.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 1E 0F 6A 24 9A F3 1B CD 3B 45 8A 64 30 50 D4"

The process %original file name%.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 B5 39 35 DB 77 91 26 D0 37 95 7F C7 F0 C5 E4"

The process %original file name%.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 3F 20 2D AB D9 76 06 A3 30 78 D6 03 F0 EB 0A"

The process %original file name%.exe:608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 C5 9E B6 2F 1F 8D D5 45 0E 4D 22 1E 79 A3 96"

The process %original file name%.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 4D A7 16 E6 01 A2 F5 88 49 6B 4E F3 65 06 DB"

The process %original file name%.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 D4 5E 18 AF 87 0F 60 B8 64 38 38 F5 F2 5D D3"

The process %original file name%.exe:1052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A AB 6D 6F 55 BD B4 5B F3 7F C6 EB C0 43 47 FC"

The process %original file name%.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 2D 28 42 67 AA 2B 07 28 B9 FB 78 81 8D 6F 81"

The process %original file name%.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 C7 76 00 DC D4 31 14 29 A6 8B 90 BB 1C DB F2"

The process %original file name%.exe:1652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 35 AA 72 52 F5 05 CD E3 32 8D A9 42 86 84 63"

The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 26 F0 7F 6E 80 4E D1 91 E3 39 4B AF EF 59 89"

The process %original file name%.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 CA 9E 07 08 9C 88 DF 66 41 9E 9C F6 67 E3 01"

The process %original file name%.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C BB 9E 44 91 FE 8B F1 CB 19 2C C3 5E C3 D1 E5"

The process %original file name%.exe:1024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D EE C7 1F 27 74 01 F8 41 16 C8 FE 3C FF 9B 1B"

The process %original file name%.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE A2 BA 2F C4 96 5C 31 D4 AA 00 D6 62 F3 BB 5F"

The process %original file name%.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 1A 59 BD 86 F9 60 13 48 6E B9 99 DB A3 2C 20"

The process %original file name%.exe:380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E E8 73 70 98 A3 7A B8 7C 9A 3F C3 D7 F6 61 B0"

The process %original file name%.exe:1032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 4E F7 A7 53 38 88 A6 76 06 33 EE 26 54 0A 4F"

The process %original file name%.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 66 DF 0C 18 D9 C9 14 44 11 22 F2 94 16 FA 82"

The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 1D 4D 07 73 6B 92 AC B2 A4 86 75 98 A4 75 37"

The process %original file name%.exe:268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A F5 D2 83 04 0A CF 0F 6B 2E C4 17 0B 99 15 55"

The process %original file name%.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 05 85 EA EC 14 2E 71 8D 57 63 E5 3B 1B CB C7"

The process %original file name%.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 39 E8 59 10 0D E8 3D F1 46 F5 B1 34 47 14 25"

The process %original file name%.exe:1972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 84 31 69 A3 2D E2 E3 3E 71 F5 7C 4F 89 ED 08"

The process %original file name%.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 2C 18 CE B1 2B 1B 39 A5 C9 DD 1A AE D5 5A 39"

The process %original file name%.exe:532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 92 F8 83 F6 18 01 E7 AA E8 9C F9 A2 46 30 AC"

The process %original file name%.exe:296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 5F BF 5D B2 23 C8 69 09 CB F5 EA D9 CE AF 51"

The process %original file name%.exe:1516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 64 D8 32 A7 31 77 B4 D2 AC 4F 36 3B BD 78 9D"

The process %original file name%.exe:1380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 C6 0D 07 63 D3 7A 79 92 19 4E BA CA 1B DA EE"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe,"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"hmwooYMM.exe" = "%Documents and Settings%\%current user%\tiMscAww\hmwooYMM.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hEMQMIQs.exe" = "%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe"

The process %original file name%.exe:680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 5E DE DB 1B 1B 6A 2B CE F8 AA 63 7A 79 8D 27"

The process hmwooYMM.exe:232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 D9 5F C6 A7 21 C8 B6 2F A2 2F EA A9 FE 6B 0B"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"hmwooYMM.exe" = "%Documents and Settings%\%current user%\tiMscAww\hmwooYMM.exe"

The process hEMQMIQs.exe:1212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D E2 2C ED 94 42 7F 2B 7E ED EB AA 8F 46 AB CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hEMQMIQs.exe" = "%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe"

Dropped PE files

MD5                              File path
16e9ef9922de52a6121a399124f5d116 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
c2347f2083e2248f2776e7762ee31ac1 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
c3751db9b1084c836ec869fd935a05b4 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
742d4a4c09f2b17bb44a6e51ed203c6c c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
cb998a377ae3fe466f46de4550130aaf c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
77abf77b3c274b7323b089fdad3d1101 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
243271b45a15e00a6a9875fde78c2ef5 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
617ad05567897b3e2c4ae7831f2113d3 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
41305f836fabc005496634616872b585 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
c1f578d58572596c65431c0b812a5c12 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
cb225cd967fdc396db7a8c864057830d c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
b2fa775b8f9eff48174a4438d1218e5a c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
0ace2376b0bea6666e35971627dc071d c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
7aa4fc359028f0b911464c592a8d9a82 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
89c9169322824ad1f4f4fa183b675c0a c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
ba827b2a03a829a161623d23f82ef494 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
d7116cde86fe0bb623d7e8d02ea9428d c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
2da4542ae5c1b7826df6e9eb0c8efaea c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
35d2feef75dde4a7b221d385d775ac30 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
b36b355f06f39172f07da53c1516c170 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
b9be41cc75f3925077e84cc1f7e13485 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
37536a66e2e74f7647542cbb362d5e37 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
f738a145054a5cac5f6e1b8db0b9d12e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
33d3dfd406005e3d93cf05da68df2019 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe
4edcd336e89ba119fb5320d6bf59124d c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
c9d4f78ad0dd64051d10938a2b9b4b86 c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
2e7bbb013482597ad32196d96aec740c c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
b7417fe9566e95ad1dc53d8ffd5e42f4 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
3c36342c9cd7a01c3c93ec33672a632c c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
94875bd812a18843d59d4cb30398760f c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
a9e81db96a92c1d265fc784333ca2cf1 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
9bae8cc8b1c9fa061b580346b5eade6b c:\Documents and Settings\All Users\JUsIccwo\hEMQMIQs.exe
b42f72f388ba7a47249b53199509988d c:\Documents and Settings\All Users\xWAMIgUE\zuMEoUcg.exe
a078128a85182ab367ec4accc5dc7ec9 c:\Documents and Settings\"%CurrentUserName%"\tiMscAww\hmwooYMM.exe
79df908d65ee283443bb906c833ae105 c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe
681ba744d8475a3f97465530be40b6ca c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe
7ba45c1b09a493b53ae00eadb7896334 c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe
286086977565d3c64771260d8c63f436 c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe
e99caa2cbb690d99ae36f64334c2bbd0 c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe
5b1243e17e699e5cca42a343ce6de267 c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe
838522bfc71e07cd9b338e733c2ce8f0 c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             1003520       1003008   5.45196   eff1ec6132a066b251a5828e711bf0dc
.rdata  1007616          4096          512       1.8422    1a4ee8ca4a76932f2e24490992aa0328
.data   1011712          4             512       0.053811  b0eaf7ee5b4e1579ad069e19b91a07b5
.rsrc   1015808          1372          1536      2.29584   ce6dd03e2cb57f1b3db7a1002f243800

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    :0
    cscript.exe:556
    cscript.exe:456
    cscript.exe:1972
    cscript.exe:392
    cscript.exe:236
    cscript.exe:1712
    cscript.exe:1612
    cscript.exe:1944
    cscript.exe:656
    cscript.exe:2036
    cscript.exe:1520
    cscript.exe:368
    cscript.exe:1236
    cscript.exe:996
    cscript.exe:1216
    cscript.exe:1312
    cscript.exe:896
    cscript.exe:564
    cscript.exe:1592
    cscript.exe:860
    cscript.exe:908
    cscript.exe:1648
    cscript.exe:720
    cscript.exe:1384
    cscript.exe:1688
    cscript.exe:2008
    cscript.exe:1004
    cscript.exe:376
    %original file name%.exe:1128
    %original file name%.exe:604
    %original file name%.exe:600
    %original file name%.exe:596
    %original file name%.exe:488
    %original file name%.exe:608
    %original file name%.exe:456
    %original file name%.exe:552
    %original file name%.exe:1052
    %original file name%.exe:1968
    %original file name%.exe:656
    %original file name%.exe:1652
    %original file name%.exe:1756
    %original file name%.exe:916
    %original file name%.exe:2012
    %original file name%.exe:1024
    %original file name%.exe:564
    %original file name%.exe:588
    %original file name%.exe:380
    %original file name%.exe:1032
    %original file name%.exe:1492
    %original file name%.exe:228
    %original file name%.exe:268
    %original file name%.exe:1284
    %original file name%.exe:908
    %original file name%.exe:1972
    %original file name%.exe:2020
    %original file name%.exe:532
    %original file name%.exe:296
    %original file name%.exe:1516
    %original file name%.exe:1380
    %original file name%.exe:680

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    \Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\OUQkMkgc.bat (4 bytes)
    \Device\HarddiskVolume1\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
    \Device\HarddiskVolume1\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\QiAIQsMM.bat (112 bytes)
    C:\3219d18fda4eb8b4a60ac48aaf92c606 (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KcUMMkYM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SgEQUAEM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JaUkkMwI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OMAQMUUA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DOIcsUgY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pMcgsIgQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sgAwMEEo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KaQAgIIo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gSwcUcYI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qUkcoAQQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IcEsIYMQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\okIsMskQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hgwgIgkQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hqgoAMQc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mYAkMsMk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vYkgQkck.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dYIAcgwE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TgskcMgg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UGEIgoMw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UgUIcscI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iOQUkUkI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ukwAoUUA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dQwkAQIc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wagowYEQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jakIMgck.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uwggksso.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IksUUgcQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pcgAsYYw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sgkAMock.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eKYUMQQY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pGQUkYMw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xSockgQg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CwYcsAwg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yMQYsskA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eMQwAIIs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JUYIgcko.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YQsgcUoA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SIgEIcUg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZEYoQMwI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PugQUgsE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SCwwEwUY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EgAAIwks.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vEwEgEUQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZgQwIgwg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zAggkAYM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zwgcooko.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZEoIwAQE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DQcIMUgE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fQoYIIAY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tQUMYIYU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AskkMcUk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZIIokooY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cEEosQwY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AEAwAAMI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PcwEUQgI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xAogEQwM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oyYwYIwg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lOgQsMEQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WiYQEkcQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LgQkscIE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hUowwosQ.bat (4 bytes)
    %Documents and Settings%\All Users\xWAMIgUE\zuMEoUcg.exe (7713 bytes)
    %Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe (7761 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nGcsAMQM.bat (112 bytes)
    %Documents and Settings%\%current user%\tiMscAww\hmwooYMM.exe (7785 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qeoogIgQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xyoMMAEA.bat (112 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\NAAo.txt (44558 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
    C:\totalcmd\TcUsbRun.exe (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hEMQMIQs.exe" = "%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "hmwooYMM.exe" = "%Documents and Settings%\%current user%\tiMscAww\hmwooYMM.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\JUsIccwo\hEMQMIQs.exe,"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
