Gen.Variant.Symmi.26168_63e3838fe1

by malwarelabrobot on October 26th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.26168 (B) (Emsisoft), Gen:Variant.Symmi.26168 (AdAware), Trojan-PSW.Win32.Zbot.6.FD, Sinowal.YR, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 63e3838fe158a62db49c515e20755f6f
SHA1: bbc40bbe01d2ba32272d23449687ee679aae0940
SHA256: 4775082c14f2d32a5dffe42ba8b7a97ffd2ab9fec4f0967c19a2eaab99b81506
SSDeep: 6144:3WAYrHMa7H7hCAaMHLE9asVQojQ2dDr7lBanSnMYKOuaddUfywgXS:9Yrs2H7wKHA8cXja3rawfbgi
Size: 316416 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2013-07-25 18:41:25
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ozdi.exe:3472
WinMail.exe:3316
%original file name%.exe:2492

The Trojan injects its code into the following process(es):

ozdi.exe:4040
taskhost.exe:1940
Dwm.exe:2008
Explorer.EXE:2024
conhost.exe:2972

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WinMail.exe:3316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (39728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\31F9535E-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD98E.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3316_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (25384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\31F9535E-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD98F.tmp (2712 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.pat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD98E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3316_2 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\WindowsMail.MSMessageStore (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3316_2.ui (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD98F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old\edb00001.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\old (0 bytes)

The process %original file name%.exe:2492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpc29ced5d.bat (179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Rioghi\ozdi.exe (635 bytes)

Registry activity

The process ozdi.exe:4040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Bytu]
"Fuixo" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

The process WinMail.exe:3316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Size" = "330"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"Compact Check Count" = "2"
"Settings Upgraded" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Block Senders List]
"Version" = "327680"

[HKCU\Software\Microsoft\Windows Mail]
"LastBackup" = "E1 07 0A 00 03 00 19 00 11 00 37 00 1A 00 82 01"
"Running" = "1"
"V7StoreMigDone" = "01 00 00 00"
"StoreMigratedV5" = "1"

[HKCU\Software\Microsoft\Windows Mail\Junk Mail\Safe Senders List]
"Version" = "327680"

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerDlgPos" = "2C 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF"

[HKCU\Software\Microsoft\IdentityCRL\Dynamic Salt]
"Value" = "01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0"

[HKCU\Identities]
"Identity Ordinal" = "2"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Secure Safe Attachments" = "1"
"Welcome Message" = "0"
"Default_CodePage" = "28591"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount" = "1"

[HKCU\Software\Microsoft\IAM\Accounts]
"ConnectionSettingsMigrated" = "1"

[HKCU\Software\Microsoft\Windows Mail]
"SpoolerTack" = "0"

[HKCU\Software\Microsoft\IAM]
"Default News Account" = "account{CE54EE8F-8454-4E11-A69C-0E6F9BED6C0A}.oeaccount"

[HKCU\Software\Microsoft\Windows Mail]
"lastrun" = "13 A5 E9 73 BA 4D D3 01"

[HKCU\Software\Microsoft\Windows Mail\Mail]
"Safe Attachments" = "1"

[HKCU\Software\Microsoft\IAM]
"Server ID" = "2"

[HKCU\Software\Microsoft\WAB]
"NamedProps" = "04 20 06 00 00 00 00 00 C0 00 00 00 00 00 00 46"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\WAB]
"NamedPropCount"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Identities]
"Changing"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Identities]
"IncomingID"
"OutgoingID"

[HKCU\Software\Microsoft\WAB]
"NamedProps"

Dropped PE files

MD5	File path
ef4fe1237b95dd2d7a0a1ceb03176fab	c:\Users\"%CurrentUserName%"\AppData\Roaming\Rioghi\ozdi.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WINMM.dll:

waveOutWrite
PlaySoundW

The Trojan installs the following user-mode hooks in WININET.dll:

HttpEndRequestW
HttpSendRequestExA
HttpSendRequestA
InternetSetFilePointer
HttpSendRequestW
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestA
HttpSendRequestExW
InternetReadFileExA
InternetQueryDataAvailable
InternetReadFile
HttpQueryInfoA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

SetCursorPos
ReleaseCapture
SetCapture
GetMessagePos
DefDlgProcW
CallWindowProcA
DefMDIChildProcA
DefFrameProcA
GetUpdateRgn
DefFrameProcW
DefMDIChildProcW
DefDlgProcA
GetClipboardData
GetMessageW
TranslateMessage
PeekMessageW
EndPaint
BeginPaint
GetDC
ReleaseDC
DefWindowProcW
GetWindowDC
GetDCEx
CallWindowProcW
PeekMessageA
GetMessageA
RegisterClassExW
RegisterClassW
RegisterClassA
DefWindowProcA
GetUpdateRect
GetCursorPos
GetCapture
RegisterClassExA
OpenInputDesktop
SwitchDesktop

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

CreateProcessAsUserA
CreateProcessAsUserW

The Trojan installs the following user-mode hooks in WS2_32.dll:

gethostbyname
send
WSASend
getaddrinfo
closesocket

The Trojan installs the following user-mode hooks in kernel32.dll:

ExitProcess
GetFileAttributesExW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
ZwCreateUserProcess

Propagation

VersionInfo

Company Name:
Product Name: tgh
Product Version: 18, 15, 10, 13
Legal Copyright: Copyright (C) 2011
Legal Trademarks:
Original Filename: gg.EXE
Internal Name: rfr
File Version: 18, 15, 10, 13
File Description: fr
Comments:
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	10418	12288	4.21712	993bcf424aec6943c614b1072e3c1761
.rdata	16384	2052	4096	2.06457	f564fb021da9da96296d60b35b983e56
.data	20480	276	4096	0.015584	f3f633d7826b2528fb12a70433b52b6c
.rsrc	24576	289100	290816	5.53548	08ae297862fac7677b50808b88499f62

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
43c1acb7918bc0f14eb0d9fbb583a8b3

URLs

URL	IP
hxxp://a1363.dscg.akamai.net/pki/crl/products/CodeSignPCA.crl
hxxp://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl	62.140.236.171
ab679852bd7e6eab.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pki/crl/products/CodeSignPCA.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com


HTTP/1.1 200 OK

Content-Length: 558

Content-Type: application/pkix-crl

Content-MD5: PMABL5b49EFkwY194FAj2Q==

Last-Modified: Wed, 23 Aug 2017 20:44:38 GMT

ETag: 0x8D4EA67C5E6D892

Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

x-ms-request-id: a02d63f4-0001-0004-5dc6-1cb2f2000000

x-ms-version: 2009-09-19

x-ms-lease-status: unlocked

x-ms-blob-type: BlockBlob

Date: Wed, 25 Oct 2017 17:55:32 GMT

Connection: keep-alive

0..*0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1 0)..U..."Copyright (c) 20
00 Microsoft Corp.1#0!..U....Microsoft Code Signing PCA..111110211944Z
..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0... .....7.......
..0...*.H...............&..%PIu@.....\0KF....0..^.h9=.1jT,5.L....Ed ..
6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud);.?....J_...Fu...
.<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..Tr..Ch.[.z:....#.
..T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . ....G..#....T..G;.....
.HTTP/1.1 200 OK..Content-Length: 558..Content-Type: application/pkix-
crl..Content-MD5: PMABL5b49EFkwY194FAj2Q==..Last-Modified: Wed, 23 Aug
 2017 20:44:38 GMT..ETag: 0x8D4EA67C5E6D892..Server: Windows-Azure-Blo
b/1.0 Microsoft-HTTPAPI/2.0..x-ms-request-id: a02d63f4-0001-0004-5dc6-
1cb2f2000000..x-ms-version: 2009-09-19..x-ms-lease-status: unlocked..x
-ms-blob-type: BlockBlob..Date: Wed, 25 Oct 2017 17:55:32 GMT..Connect
ion: keep-alive..0..*0......0...*.H........0..1.0...U....US1.0...U....
Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U...
"Copyright (c) 2000 Microsoft Corp.1#0!..U....Microsoft Code Signing P
CA..111110211944Z..420416234935Z.7050...U.#..0...%. K].rT....*.....S.0
... .....7.........0...*.H...............&..%PIu@.....\0KF....0..^.h9=
.1jT,5.L....Ed ..6.......i.6.xva....oX.^f'....s...!......O...h.1a..Ud)
;.?....J_...Fu....<v.zx..t..h.0JU%.nk;..B[4.?&Zm^..M.!.'...w.u.\T..
Tr..Ch.[.z:....#...T.4Ct.......,...c..}F..U....:..7J...%.#..D6 . .

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

ozdi.exe_4040:

.text

`.data

.reloc

Ew.AEw

.wb\-w1S-w

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.1

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

 130/1'3

1,&51&6 6,

3><=16">77)

oyO_xseyf{m~U_f`ictq]CrtwaUNo]MMTS]nx^CSGZN^

-#!!1$%>7

%.8$;&0#

62770$\\

02=>415(

&*P76aL<7utdosvv"E8o^.!sn|`9P/zU#.EG

>=)5-;-=3

update.exe

config.bin

￥

value=[%s], code=[%s]

HTTP/1.0

hXXps://

%s, u %s %u u:u:u GMT

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.1 200 OK

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

X-Type: %s

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

_getFirefoxCookie

hXXp://

; charset=%s

HTTP/1.1 %u %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

9.tI3

.lT:)4

GetProcessHeap

GetWindowsDirectoryW

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

GetKeyboardState

SetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

SSShd

6-6}6

5%6U6b6=7B7P7\7

;$;0;7;=;

ntdll.dll

\StringFileInfo\xx\%s

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

%sd1%

%sd2%

Name: %s

Path: %s

Hash: %s

Time: u.u.u

*.css

*.png

*.jpg

*.ico

*.gif

*.flv

Process: %s

Input: %s

Global\XXX

nspr4.dll

chrome.dll

SysShadow

Chrome

Firefox

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

C:\Users\"%CurrentUserName%"\AppData\Roaming

{0BC17F7C-43D0-5D22-3690-42C857B03810}

ozdi.exe_4040_rwx_00400000_00045000:

.text

`.data

.reloc

Ew.AEw

.wb\-w1S-w

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.1

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

 130/1'3

1,&51&6 6,

3><=16">77)

oyO_xseyf{m~U_f`ictq]CrtwaUNo]MMTS]nx^CSGZN^

-#!!1$%>7

%.8$;&0#

62770$\\

02=>415(

&*P76aL<7utdosvv"E8o^.!sn|`9P/zU#.EG

>=)5-;-=3

update.exe

config.bin

￥

value=[%s], code=[%s]

HTTP/1.0

hXXps://

%s, u %s %u u:u:u GMT

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.1 200 OK

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

X-Type: %s

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

_getFirefoxCookie

hXXp://

; charset=%s

HTTP/1.1 %u %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

9.tI3

.lT:)4

GetProcessHeap

GetWindowsDirectoryW

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

GetKeyboardState

SetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

SSShd

6-6}6

5%6U6b6=7B7P7\7

;$;0;7;=;

ntdll.dll

\StringFileInfo\xx\%s

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

%sd1%

%sd2%

Name: %s

Path: %s

Hash: %s

Time: u.u.u

*.css

*.png

*.jpg

*.ico

*.gif

*.flv

Process: %s

Input: %s

Global\XXX

nspr4.dll

chrome.dll

SysShadow

Chrome

Firefox

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

C:\Users\"%CurrentUserName%"\AppData\Roaming

{0BC17F7C-43D0-5D22-3690-42C857B03810}

ozdi.exe_4040_rwx_00560000_00045000:

.text

`.data

.reloc

Ew.AEw

.wb\-w1S-w

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.1

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

 130/1'3

1,&51&6 6,

3><=16">77)

oyO_xseyf{m~U_f`ictq]CrtwaUNo]MMTS]nx^CSGZN^

-#!!1$%>7

%.8$;&0#

62770$\\

02=>415(

&*P76aL<7utdosvv"E8o^.!sn|`9P/zU#.EG

>=)5-;-=3

update.exe

config.bin

￥

value=[%s], code=[%s]

HTTP/1.0

hXXps://

%s, u %s %u u:u:u GMT

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.1 200 OK

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

X-Type: %s

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

_getFirefoxCookie

hXXp://

; charset=%s

HTTP/1.1 %u %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

9.tI3

.lT:)4

GetProcessHeap

GetWindowsDirectoryW

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

GetKeyboardState

SetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

SSShd

.po-T

6-6}6

5%6U6b6=7B7P7\7

;$;0;7;=;

ntdll.dll

\StringFileInfo\xx\%s

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

%sd1%

%sd2%

Name: %s

Path: %s

Hash: %s

Time: u.u.u

*.css

*.png

*.jpg

*.ico

*.gif

*.flv

Process: %s

Input: %s

Global\XXX

nspr4.dll

chrome.dll

SysShadow

Chrome

Firefox

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\{9DBACD59-F1F5-CB59-3690-42C857B03810}

:\Users\"%CurrentUserName%"\AppData\Roaming\Utafm\razau.tye

C:\Users\"%CurrentUserName%"\AppData\Roaming\Utafm

razau.tye

C:\Users\"%CurrentUserName%"\AppData\Roaming

{0BC17F7C-43D0-5D22-3690-42C857B03810}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cozeup\duot.cii

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cozeup

duot.cii

lobal\{9DBACD58-F1F4-CB59-3690-42C857B03810}

taskhost.exe_1940_rwx_01260000_00045000:

.text

`.data

.reloc

Ew.AEw

.wb\-w1S-w

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.1

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

 130/1'3

1,&51&6 6,

3><=16">77)

oyO_xseyf{m~U_f`ictq]CrtwaUNo]MMTS]nx^CSGZN^

-#!!1$%>7

%.8$;&0#

62770$\\

02=>415(

&*P76aL<7utdosvv"E8o^.!sn|`9P/zU#.EG

>=)5-;-=3

update.exe

config.bin

￥

value=[%s], code=[%s]

HTTP/1.0

hXXps://

%s, u %s %u u:u:u GMT

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.1 200 OK

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

X-Type: %s

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

_getFirefoxCookie

hXXp://

; charset=%s

HTTP/1.1 %u %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

9.tI3

.lT:)4

GetProcessHeap

GetWindowsDirectoryW

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

GetKeyboardState

SetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

SSShd

f[.wCE4

6-6}6

5%6U6b6=7B7P7\7

;$;0;7;=;

ntdll.dll

\StringFileInfo\xx\%s

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

%sd1%

%sd2%

Name: %s

Path: %s

Hash: %s

Time: u.u.u

*.css

*.png

*.jpg

*.ico

*.gif

*.flv

Process: %s

Input: %s

Global\XXX

nspr4.dll

chrome.dll

SysShadow

Chrome

Firefox

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\{9DBACD59-F1F5-CB59-3690-42C857B03810}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Utafm\razau.tye

C:\Users\"%CurrentUserName%"\AppData\Roaming\Utafm

razau.tye

C:\Users\"%CurrentUserName%"\AppData\Roaming

{0BC17F7C-43D0-5D22-3690-42C857B03810}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cozeup\duot.cii

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cozeup

duot.cii

Global\{9DBACD58-F1F4-CB59-3690-42C857B03810}

Dwm.exe_2008_rwx_004C0000_00045000:

.text

`.data

.reloc

Ew.AEw

.wb\-w1S-w

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.1

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

 130/1'3

1,&51&6 6,

3><=16">77)

oyO_xseyf{m~U_f`ictq]CrtwaUNo]MMTS]nx^CSGZN^

-#!!1$%>7

%.8$;&0#

62770$\\

02=>415(

&*P76aL<7utdosvv"E8o^.!sn|`9P/zU#.EG

>=)5-;-=3

update.exe

config.bin

￥

value=[%s], code=[%s]

HTTP/1.0

hXXps://

%s, u %s %u u:u:u GMT

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.1 200 OK

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

X-Type: %s

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

_getFirefoxCookie

hXXp://

; charset=%s

HTTP/1.1 %u %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

9.tI3

.lT:)4

GetProcessHeap

GetWindowsDirectoryW

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

GetKeyboardState

SetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

SSShd

.po-T

6-6}6

5%6U6b6=7B7P7\7

;$;0;7;=;

ntdll.dll

\StringFileInfo\xx\%s

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

%sd1%

%sd2%

Name: %s

Path: %s

Hash: %s

Time: u.u.u

*.css

*.png

*.jpg

*.ico

*.gif

*.flv

Process: %s

Input: %s

Global\XXX

nspr4.dll

chrome.dll

SysShadow

Chrome

Firefox

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\{9DBACD59-F1F5-CB59-3690-42C857B03810}

:\Users\"%CurrentUserName%"\AppData\Roaming\Utafm\razau.tye

C:\Users\"%CurrentUserName%"\AppData\Roaming\Utafm

razau.tye

{0BC17F7C-43D0-5D22-3690-42C857B03810}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cozeup\duot.cii

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cozeup

duot.cii

lobal\{9DBACD58-F1F4-CB59-3690-42C857B03810}

Explorer.EXE_2024_rwx_038A0000_00045000:

.text

`.data

.reloc

Ew.AEw

.wb\-w1S-w

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.1

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

 130/1'3

1,&51&6 6,

3><=16">77)

oyO_xseyf{m~U_f`ictq]CrtwaUNo]MMTS]nx^CSGZN^

-#!!1$%>7

%.8$;&0#

62770$\\

02=>415(

&*P76aL<7utdosvv"E8o^.!sn|`9P/zU#.EG

>=)5-;-=3

update.exe

config.bin

￥

value=[%s], code=[%s]

HTTP/1.0

hXXps://

%s, u %s %u u:u:u GMT

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.1 200 OK

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

X-Type: %s

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

_getFirefoxCookie

hXXp://

; charset=%s

HTTP/1.1 %u %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

9.tI3

.lT:)4

GetProcessHeap

GetWindowsDirectoryW

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

GetKeyboardState

SetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

SSShd

6-6}6

5%6U6b6=7B7P7\7

;$;0;7;=;

ntdll.dll

\StringFileInfo\xx\%s

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

%sd1%

%sd2%

Name: %s

Path: %s

Hash: %s

Time: u.u.u

*.css

*.png

*.jpg

*.ico

*.gif

*.flv

Process: %s

Input: %s

Global\XXX

nspr4.dll

chrome.dll

SysShadow

Chrome

Firefox

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\{9DBACD59-F1F5-CB59-3690-42C857B03810}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{0BC17F7C-43D0-5D22-3690-42C857B03810}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cozeup\duot.cii

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cozeup

duot.cii

conhost.exe_2972_rwx_003F0000_00045000:

.text

`.data

.reloc

Ew.AEw

.wb\-w1S-w

cit_ffcookie.module

cit_video.module

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)

HTTP/1.1

urlmon.dll

cabinet.dll

hXXp://xxxxxxxx.com/xxxx/xxxx.php

 130/1'3

1,&51&6 6,

3><=16">77)

oyO_xseyf{m~U_f`ictq]CrtwaUNo]MMTS]nx^CSGZN^

-#!!1$%>7

%.8$;&0#

62770$\\

02=>415(

&*P76aL<7utdosvv"E8o^.!sn|`9P/zU#.EG

>=)5-;-=3

update.exe

config.bin

￥

value=[%s], code=[%s]

HTTP/1.0

hXXps://

%s, u %s %u u:u:u GMT

GET /favicon.ico HTTP/1.1

HTTP/1.

HTTP/1.1 200 OK

Date: %s

Content-Length: %u

Expires: %s

Content-Type: %s

%COMMANDSERVER%

hXXp://127.0.0.1:%u/

X-Type: %s

facebook.com

Cookie: %s

Referer: %s

Accept: %s

Accept-Language: %s

Accept-Encoding: %s

PR_OpenTCPSocket

hXXp://VVV.google.com/webhp

_getFirefoxCookie

hXXp://

; charset=%s

HTTP/1.1 %u %s

Content-Type: %s%s

ID: %s

value_%s

value_%s_%s

%s = "%s";

%s%s%s

gdiplus.dll

GdiplusShutdown

ole32.dll

gdi32.dll

9.tI3

.lT:)4

GetProcessHeap

GetWindowsDirectoryW

CreatePipe

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

GetKeyboardState

SetKeyboardState

MapVirtualKeyW

GetKeyboardLayoutList

OpenWindowStationW

GetProcessWindowStation

CreateWindowStationW

CloseWindowStation

SetProcessWindowStation

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

RegCreateKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyW

ADVAPI32.dll

UrlUnescapeA

SHDeleteKeyW

PathIsURLW

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

SetViewportOrgEx

GDI32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

PFXImportCertStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpQueryInfoA

InternetCrackUrlA

HttpAddRequestHeadersW

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestExA

HttpSendRequestExW

HttpSendRequestW

GetUrlCacheEntryInfoW

HttpOpenRequestW

HttpEndRequestA

HttpAddRequestHeadersA

HttpEndRequestW

WININET.dll

OLEAUT32.dll

NETAPI32.dll

VERSION.dll

WINMM.dll

PSSSSSSh

SSShd

6-6}6

5%6U6b6=7B7P7\7

;$;0;7;=;

ntdll.dll

\StringFileInfo\xx\%s

kernel32.dll

"%s" %s

/c "%s"

%sx.%s

%sx

SELECT * FROM %s

%sd1%

%sd2%

Name: %s

Path: %s

Hash: %s

Time: u.u.u

*.css

*.png

*.jpg

*.ico

*.gif

*.flv

Process: %s

Input: %s

Global\XXX

nspr4.dll

chrome.dll

SysShadow

Chrome

Firefox

sXXXX

Company: %s

Product: %s

Version: %s

Software\Microsoft\Windows\CurrentVersion\Uninstall

%u: %s | %s | %s

Global\{9DBACD59-F1F5-CB59-3690-42C857B03810}

C:\Users\"%CurrentUserName%"\AppData\Roaming

{0BC17F7C-43D0-5D22-3690-42C857B03810}

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cozeup\duot.cii

C:\Users\"%CurrentUserName%"\AppData\Roaming\Cozeup

duot.cii

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):

ozdi.exe:3472
WinMail.exe:3316
%original file name%.exe:2492
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore (39728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol (560 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol (608 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\edb00002.log (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol (592 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\31F9535E-00000001.eml (1924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\tmp.edb (1728 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabD98E.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ppcrlui_3316_2 (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.log (25384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\31F9535E-00000001.eml:OECustomProperty (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edb.chk (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735 (558 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735 (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows Mail\edbtmp.log (3466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarD98F.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmpc29ced5d.bat (179 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Rioghi\ozdi.exe (635 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.Symmi.26168_63e3838fe1

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet