MD5: 64c9b37e9476ffe70a972cc1408ebbf9
SHA1: efc96c69e88bc09168f48ac38d7cea854e108b9e
SHA256: 910e3b62205864dae7ce8beb50720131ab95c516cf88b2476fba7dcb8ddca74e
SSDeep: 24576:oNBIy/bnCg21JDA/VApvzwAAdOhC9z1CwoltA:JyLCg2HDAKpbwAAKuz1CNlK
Size: 1410385 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-01 10:08:23
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

jGrbN.exe:1400
%original file name%.exe:1328
vbc.exe:1068
vbc.exe:500

The Trojan injects its code into the following process(es):

RegSvcs.exe:976

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process jGrbN.exe:1400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\qlyrr\run.vbs (92 bytes)
%Documents and Settings%\%current user%\qlyrr\51765.vbs (189 bytes)
%Documents and Settings%\%current user%\qlyrr\55353.cmd (66 bytes)

The process %original file name%.exe:1328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\qlyrr\WUqkweguSm.PPY (181227 bytes)
%Documents and Settings%\%current user%\qlyrr\nbNKdt.CHX (550 bytes)
%Documents and Settings%\%current user%\qlyrr\ccqQijycpUdB.WUQ (138 bytes)
%Documents and Settings%\%current user%\qlyrr\jGrbN.exe (15361 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\qlyrr\__tmp_rar_sfx_access_check_519453 (0 bytes)

The process RegSvcs.exe:976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%System%\wbem\Logs\wbemprox.log (300 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\logff.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\logmail.txt (0 bytes)

The process vbc.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\logff.txt (2 bytes)

Registry activity

The process jGrbN.exe:1400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 C3 B9 A5 5C 99 6D 74 E7 0F 84 83 07 22 A6 ED"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"qlyrr" = "C:\DOCUME~1\"%CurrentUserName%"\qlyrr\51765.vbs"

The process %original file name%.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 E5 19 B8 78 03 A7 B0 7B FF C5 B6 61 EA 09 E5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\qlyrr]
"jGrbN.exe" = "AutoIt v3 Script"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process RegSvcs.exe:976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 4A 48 C8 45 A7 59 FE 61 9D 2F 1F 20 A0 D5 B8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process vbc.exe:1068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 75 0C 64 5B 4A 51 30 7F 67 7B 4C 05 55 FF 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process vbc.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 FD 1B 47 5E 69 E9 C8 33 48 A8 27 1D C9 61 21"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
907cbd4841d37e8552a6cada497a03c3

URLs

URL	IP
hxxp://myip.ru/en-EN/index.php
hxxp://www.myip.ru/en-EN/index.php	77.72.80.9
smtp.gmail.com	173.194.71.108

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY myip.ru IP lookup

Traffic

GET /en-EN/index.php HTTP/1.1

Host: VVV.myip.ru

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: nginx/1.6.2

Date: Thu, 11 Jun 2015 10:55:00 GMT

Content-Type: text/html

Content-Length: 184

Location: hXXp://VVV.myip.ru:8009/

Connection: keep-alive
<html>..<head><title>301 Moved Permanently</title
></head>..<body bgcolor="white">..<center><h1&
gt;301 Moved Permanently</h1></center>..<hr><cent
er>nginx/1.6.2</center>..</body>..</html>..HTTP/1
.1 301 Moved Permanently..Server: nginx/1.6.2..Date: Thu, 11 Jun 2015 
10:55:00 GMT..Content-Type: text/html..Content-Length: 184..Location: 
hXXp://VVV.myip.ru:8009/..Connection: keep-alive..<html>..<he
ad><title>301 Moved Permanently</title></head>..&
lt;body bgcolor="white">..<center><h1>301 Moved Permane
ntly</h1></center>..<hr><center>nginx/1.6.2<
;/center>..</body>..</html>....

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

s%j.Zf

8crtsu

:crts

crts

GetProcessWindowStation

operator

uxtheme.dll

kernel32.dll

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with PCRE_UCP support

ICMP.DLL

advapi32.dll

RegDeleteKeyExW

Error text not found (please report)

WSOCK32.dll

VERSION.dll

WINMM.dll

COMCTL32.dll

MPR.dll

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

WININET.dll

PSAPI.DLL

USERENV.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

KERNEL32.dll

OpenWindowStationW

SetProcessWindowStation

CloseWindowStation

MapVirtualKeyW

EnumChildWindows

EnumWindows

VkKeyScanW

GetKeyState

GetKeyboardState

SetKeyboardState

GetAsyncKeyState

keybd_event

EnumThreadWindows

ExitWindowsEx

UnregisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

USER32.dll

SetViewportOrgEx

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegEnumKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteW

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÁ

L.aVFY)

.ijjrc

g%D`-

sssh6

uW.MW

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>

3.3/464(5,5054585

8 8$8(8,808

= =$=(=,=0=4=8=<=@=

0 0$0(0,0004080<0

:*;3;?;|;

11

2 323[3.5

? ?<?@?`?

= =$=(=,=0=4=

5 5$5(5,5054585

CADjD%D<D

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

#NoAutoIt3Execute

APPSKEY

Line %d:

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

%s (%d) : ==> %s:

UDPSTARTUP

UDPSHUTDOWN

UDPSEND

UDPRECV

UDPOPEN

UDPCLOSESOCKET

UDPBIND

TRAYGETMSG

TCPSTARTUP

TCPSHUTDOWN

TCPSEND

TCPRECV

TCPNAMETOIP

TCPLISTEN

TCPCONNECT

TCPCLOSESOCKET

TCPACCEPT

SHELLEXECUTEWAIT

SHELLEXECUTE

REGENUMKEY

MSGBOX

ISKEYWORD

HTTPSETUSERAGENT

HTTPSETPROXY

HOTKEYSET

GUIREGISTERMSG

GUIGETMSG

GUICTRLSENDMSG

GUICTRLRECVMSG

FTPSETPROXY

\??\%s

GUI_RUNDEFMSG

SendKeyDelay

SendKeyDownDelay

TCPTimeout

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AutoIt.Error

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

HOTKEYPRESSED

AUTOITEXE

WINDOWSDIR

3, 3, 8, 1

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

%Documents and Settings%\%current user%\qlyrr\jGrbN.exe

:%Documents and Settings%\%current user%\qlyrr\WUqkweguSm.PPY

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.)Array variable subscript badly formatted.'Subscript used with non-Array variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

hXXp://VVV.autoitscript.com/autoit3/

AutoIt3.exe

RegSvcs.exe_976:

.text

`.rsrc

@.reloc

r.rE9

v2.0.50727

Microsoft.VisualBasic

MyWebServices

Microsoft.VisualBasic.ApplicationServices

.ctor

Microsoft.VisualBasic.Devices

.cctor

get_WebServices

m_MyWebServicesObjectProvider

WebServices

RECOVER_CHROME

RECOVER_FIREFOX

RECOVER_OPERA

RECOVER_COREFTP

RECOVER_SMARTFTP

System.Threading

createLowLevelKeyboardHook

mutexKey

System.ComponentModel

System.CodeDom.Compiler

System.Diagnostics

Microsoft.VisualBasic.CompilerServices

System.ComponentModel.Design

HelpKeywordAttribute

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Text

System.Reflection

System.Windows.Forms

get_ExecutablePath

System.IO

GetExecutingAssembly

Operators

System.IO.Compression

Payload.resources

limserve.exe

8.0.0.0

My.WebServices

My.Application

My.Computer

My.User

4System.Web.Services.Protocols.SoapHttpClientProtocol

_CorExeMain

mscoree.dll

PrivateKey

KeyHook

SetEPASSWORD

SetSMTP

smtp.gmail.com

SetPORT

ClearCookiesChrome

ClearCookiesFirefox

Limitless Logger : : Keyboard Records : :

GetFtp

FTPUpload

0.0.0.0

RegSvcs.exe_976_rwx_00150000_00076000:

.text

`.rsrc

@.reloc

r.rE9

v2.0.50727

Microsoft.VisualBasic

MyWebServices

Microsoft.VisualBasic.ApplicationServices

.ctor

Microsoft.VisualBasic.Devices

.cctor

get_WebServices

m_MyWebServicesObjectProvider

WebServices

RECOVER_CHROME

RECOVER_FIREFOX

RECOVER_OPERA

RECOVER_COREFTP

RECOVER_SMARTFTP

System.Threading

createLowLevelKeyboardHook

mutexKey

System.ComponentModel

System.CodeDom.Compiler

System.Diagnostics

Microsoft.VisualBasic.CompilerServices

System.ComponentModel.Design

HelpKeywordAttribute

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Text

System.Reflection

System.Windows.Forms

get_ExecutablePath

System.IO

GetExecutingAssembly

Operators

System.IO.Compression

Payload.resources

limserve.exe

8.0.0.0

My.WebServices

My.Application

My.Computer

My.User

4System.Web.Services.Protocols.SoapHttpClientProtocol

_CorExeMain

mscoree.dll

PrivateKey

KeyHook

SetEPASSWORD

SetSMTP

smtp.gmail.com

SetPORT

ClearCookiesChrome

ClearCookiesFirefox

Limitless Logger : : Keyboard Records : :

GetFtp

FTPUpload

0.0.0.0

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   jGrbN.exe:1400
   %original file name%.exe:1328
   vbc.exe:1068
   vbc.exe:500

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\qlyrr\run.vbs (92 bytes)
   %Documents and Settings%\%current user%\qlyrr\51765.vbs (189 bytes)
   %Documents and Settings%\%current user%\qlyrr\55353.cmd (66 bytes)
   %Documents and Settings%\%current user%\qlyrr\WUqkweguSm.PPY (181227 bytes)
   %Documents and Settings%\%current user%\qlyrr\nbNKdt.CHX (550 bytes)
   %Documents and Settings%\%current user%\qlyrr\ccqQijycpUdB.WUQ (138 bytes)
   %Documents and Settings%\%current user%\qlyrr\jGrbN.exe (15361 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %System%\wbem\Logs\wbemprox.log (300 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\logff.txt (2 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   "qlyrr" = "C:\DOCUME~1\"%CurrentUserName%"\qlyrr\51765.vbs"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.