Susp_Dropper_9290cf79eb

by malwarelabrobot on March 13th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 9290cf79eb4c325b60a1c46504c1d23c
SHA1: 8e549b690405322e007f65b80d383cf00f9550b5
SHA256: 644e034770072f51ab7c17b048a0d3e0b69ec8520d571d3e19a0b7d8ad1b7b51
SSDeep: 24576:MjEhAeMW6MoXRCIFuOTqjDraXKZpwbaqqqGsDxcKk8IHtfZJ5h3GtB48ag3dtm:hMMoBfuOPKzGqkTkx5VJI4pQtm
Size: 1516806 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-07 10:46:10
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

b3b1f.exe:852
Enumerate_gt_gongik_update_20140311.exe:504
enumerate_gtu.exe:1804
b3b8c.tmp:488
regsvr32.exe:860
b38dd.tmp:364
%original file name%.exe:1792
%original file name%.exe:816
%original file name%.exe:1396
b3ee8.exe:204

The Trojan injects its code into the following process(es):

enumerate_gtu.exe:1456

File activity

The process b3b1f.exe:852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\enumerate\gt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (15374 bytes)
C:\ (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Enumerate_gt_gongik_update_20140311[1].exe (3560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (38 bytes)
%System%\version.dll (119 bytes)
%WinDir%\WinSxS (96 bytes)
%Documents and Settings%\%current user%\Application Data\Enumerate_gt_gongik_update_20140311.exe (2640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (828 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (800 bytes)
%System%\config\SOFTWARE.LOG (10726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (39 bytes)
%System%\drivers\12a073ba.sys (72 bytes)
%WinDir%\Temp\Perflib_Perfdata_7a8.dat (4 bytes)
%System%\godlion.dll (196 bytes)
%WinDir% (196 bytes)
C:\$Directory (900 bytes)
%System%\vorsion.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%System%\midimap.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFeFk.dll (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (38 bytes)
%WinDir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf (40 bytes)
%System%\config (96 bytes)
%System%\drivers (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sFHdHf.dll (119 bytes)
%System%\config\software (4124 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
%System% (5072 bytes)
%System%\drivers\6e0b463c.sys (28 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%System%\drivers\6e0b463c.sys (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

The process Enumerate_gt_gongik_update_20140311.exe:504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\SelfDelete.dll (784 bytes)
%Program Files%\enumerate\gt\enumerate_gtu.exe (32128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\version.dll (784 bytes)
%Program Files%\enumerate\gt\uninstall.exe (2365 bytes)
C:\DelUS.bat (232 bytes)
%Program Files%\enumerate\gt\enumerate_gt.dll (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\KillProcDLL.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\IEKill.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\UnProtectMode.dll (9320 bytes)
%Program Files%\enumerate\gt\enumerate_gongik.dll (66088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (85403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\DLLWebCount.dll (784 bytes)

The Trojan deletes the following file(s):

%Program Files%\enumerate\gt\Temp.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\version.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\SelfDelete.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\IEKill.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\UnProtectMode.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\DLLWebCount.dll (0 bytes)

The process enumerate_gtu.exe:1804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Enumerate_gt_gongik_update_20140311[1].exe (124127 bytes)
%Documents and Settings%\%current user%\Application Data\Enumerate_gt_gongik_update_20140311.exe (72570 bytes)

The process b3b8c.tmp:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\%original file name%.exe (3902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b3ee8.exe (327 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process b38dd.tmp:364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\b3b1f.exe (1616 bytes)
C:\%original file name%.exe (7386 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process %original file name%.exe:1792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\b3b8c.tmp (7547 bytes)

The process %original file name%.exe:816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\b38dd.tmp (9605 bytes)

The process %original file name%.exe:1396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\IEKill.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\SelfDelete.dll (784 bytes)
%Program Files%\enumerate\gt\uninstall.exe (2365 bytes)
C:\DelUS.bat (138 bytes)
%Program Files%\enumerate\gt\enumerate_gt.dll (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (57148 bytes)
%Program Files%\enumerate\gt\enumerate_gtu.exe (32128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\UnProtectMode.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\KillProcDLL.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\DLLWebCount.dll (784 bytes)
%Program Files%\enumerate\gt\enumerate_gongik.dll (22552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\version.dll (784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\IEKill.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\SelfDelete.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\UnProtectMode.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\DLLWebCount.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\version.dll (0 bytes)

The process b3ee8.exe:204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BWf.bat (159 bytes)

Registry activity

The process b3b1f.exe:852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\b38dd.tmp, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\b3b8c.tmp, , \??\%System%\hGyubif, \??\%System%\hGyubif"

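The PendingFileRenameOperations value above is how the dropper arranges for its two temporary stages (b38dd.tmp and b3b8c.tmp) to be removed at the next reboot, which defeats a disk-only triage done after the restart; the third pair renames %System%\hGyubif onto itself as recorded. The following Python is an added example and not part of the Lavasoft report: it decodes the value into (source, target, action) triples using the documented MoveFileEx semantics (entries are source/target pairs, an empty target means delete at boot, a target prefixed with "!" means replace an existing file). The report flattens the REG_MULTI_SZ with ", " separators, so a helper splits that rendering back apart; on a live host read the value with winreg as a list of strings and skip that step. REPORT_VALUE is the report's string with the sandbox's %CurrentUserName% and %System% placeholders left in.

```python
import ntpath
from typing import List, Tuple

NT_PREFIX = "\\??\\"   # NT object-manager prefix that MoveFileEx prepends to each path

# The value exactly as rendered in the report above (sandbox placeholders kept as-is).
REPORT_VALUE = (
    r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\b38dd.tmp, , '
    r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\b3b8c.tmp, , '
    r'\??\%System%\hGyubif, \??\%System%\hGyubif'
)


def from_report_string(flat: str) -> List[str]:
    """Split the report's ', '-joined rendering back into REG_MULTI_SZ entries.
    Caveat: a path containing a comma would be split wrongly; use winreg on a live host."""
    return [part.strip() for part in flat.split(",")]


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(entries: List[str]) -> List[Tuple[str, str, str]]:
    """entries is the multi-string as a list: source, target, source, target, ...
    Returns (source, target, action) with action in {delete, rename, replace}."""
    if len(entries) % 2:
        entries = entries + [""]   # tolerate a trailing source with no target
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append((_strip_nt(src), "", "delete"))          # MOVEFILE_DELAY_UNTIL_REBOOT, no target
        elif dst.startswith("!"):
            ops.append((_strip_nt(src), _strip_nt(dst[1:]), "replace"))  # '!' = MOVEFILE_REPLACE_EXISTING
        else:
            ops.append((_strip_nt(src), _strip_nt(dst), "rename"))
    return ops


def deferred_deletes(ops: List[Tuple[str, str, str]]) -> List[str]:
    """Files that will vanish at the next boot: collect them before rebooting the host."""
    return [src for src, _, action in ops if action == "delete"]


def system_dir_targets(ops: List[Tuple[str, str, str]]) -> List[str]:
    """Renames/replaces landing in the system directory, i.e. files staged into
    %System% through the reboot mechanism instead of a normal write."""
    out = []
    for _, dst, action in ops:
        if action != "delete" and (
            "%system%" in dst.lower() or ntpath.dirname(dst).lower().endswith("\\system32")
        ):
            out.append(dst)
    return out


if __name__ == "__main__":
    for src, dst, action in parse_pending_renames(from_report_string(REPORT_VALUE)):
        print(f"{action:8} {src}" + (f" -> {dst}" if dst else ""))
```

If you are imaging a host that still has this value set, pull the deferred-delete sources first: after the reboot the only trace of the two temporary stages is this registry entry.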
[HKCR\CLSID\HOOK_ID]
"name" = "b3b1f.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 92 70 9B 48 92 03 FE 45 EE 43 07 84 0E F8 27"

[HKCR\CLSID\SYS_DLL]
"name" = "sFHdHf.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan sets the three Internet Explorer "Local intranet" zone options. These values are also written when WinINet initializes a fresh user profile, so on their own they are weak indicators. UNC paths are placed in the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Sites that bypass the proxy server are placed in the Local Intranet zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Single-label (dot-less) host names not listed in any other zone are placed in the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Enumerate_gt_gongik_update_20140311.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\enumerate_gt]
"TB_0" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enumerate_gt uninstall]
"DisplayName" = "Enumerate Top Search - gt"

[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\TypeLib]
"(Default)" = "{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enumerate_gt uninstall]
"DisplayIcon" = "%Program Files%\enumerate\gt\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\TypeLib]
"(Default)" = "{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}"

[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}]
"(Default)" = "IonetapsSO"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\InprocServer32]
"(Default)" = "%Program Files%\enumerate\gt\enumerate_gt.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
"(Default)" = "Enumerate Top Search - GT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\ProgID]
"(Default)" = "onetaps.onetapsSO.1"

[HKCU\Software\enumerate_gt]
"stver" = "20140311"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\VersionIndependentProgID]
"(Default)" = "onetaps.onetapsSO"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
"NoExplorer" = "1"

[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0]
"(Default)" = "onetaps 1.0 형식 라이브러리"   (Korean: "onetaps 1.0 Type Library"; the report rendered the EUC-KR string as mojibake)

[HKCR\onetaps.onetapsSO]
"(Default)" = "onetapsSO Class"

[HKCR\onetaps.onetapsSO\CurVer]
"(Default)" = "onetaps.onetapsSO.1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0\HELPDIR]
"(Default)" = ""

[HKCU\Software\AppDataLow\Software\enumerate_gt]
"TB_0" = "1"

[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\TypeLib]
"Version" = "1.0"

[HKCR\onetaps.onetapsSO.1\CLSID]
"(Default)" = "{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}]
"AppName" = "enumerate_gtu.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enumerate_gt uninstall]
"UninstallString" = "%Program Files%\enumerate\gt\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\enumerate_gt]
"nid" = "gongik"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 F9 8A 77 18 55 6A 02 D8 66 7A 6C 9C AE 82 0D"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}]
"AppPath" = "%Program Files%\enumerate\gt\"

[HKCR\onetaps.onetapsSO\CLSID]
"(Default)" = "{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
"(Default)" = "Enumerate Top Search - GT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\AppID\onetaps.DLL]
"AppID" = "{4A005145-FD42-48BC-9C19-BD8331620AE8}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0\0\win32]
"(Default)" = "%Program Files%\enumerate\gt\enumerate_gt.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
"AppID" = "{4A005145-FD42-48BC-9C19-BD8331620AE8}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\onetaps.onetapsSO.1]
"(Default)" = "onetapsSO Class"

[HKCR\AppID\{4A005145-FD42-48BC-9C19-BD8331620AE8}]
"(Default)" = "onetaps"

To run automatically at each user logon (HKCU\...\Run fires at logon, not at boot), the Trojan adds the following autorun value pointing at its file:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Enumerate_gt" = "%Program Files%\enumerate\gt\enumerate_gtu.exe Runcmd"

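The Run key above, the BHO registration under {DE084F45-537A-4554-AFDA-8CF3E80FA1A9}, the ElevationPolicy entry for enumerate_gtu.exe, and the DLL and driver drops into %System% listed under "File activity" are the durable host artefacts of this sample. The following Python is an added example, not code from the Lavasoft report or from the sample's authors: it runs those indicators over a stream of host events. The event records are constructed Sysmon-style dicts (EventID 11 = FileCreate, 13 = RegistryValueSet) with field names chosen to mirror Sysmon; that schema, the S-1-5-21-1000 SID and the C:\Users paths are assumptions for the demonstration, so adapt the field names to your own pipeline.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Indicators taken from the report above.
BHO_CLSID = "{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}"
ELEVATION_GUID = "{75AE2228-E06B-4955-8C3F-BF0D5636DC50}"
RUN_VALUE_SUFFIX = "\\currentversion\\run\\enumerate_gt"
RUN_COMMAND = re.compile(r"enumerate_gtu\.exe\s+Runcmd\s*$", re.I)
# Names the dropper writes into %System%. version.dll and midimap.dll are real Windows
# DLLs, so a FileCreate on them there means something overwrote or planted them;
# vorsion.dll and godlion.dll are not Windows files (vorsion.dll imitates version.dll).
SYSTEM_DROPS = {"vorsion.dll", "godlion.dll", "version.dll", "midimap.dll"}
# The two drivers in the report are named with eight hex digits (12a073ba.sys, 6e0b463c.sys).
HEX_DRIVER = re.compile(r"\\system32\\drivers\\[0-9a-f]{8}\.sys$", re.I)

Event = Dict[str, object]


def match_event(ev: Event) -> List[str]:
    """Return the names of every indicator this single event matches."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == 13:  # RegistryValueSet
        target = str(ev.get("TargetObject", "")).lower()
        details = str(ev.get("Details", ""))
        if target.endswith(RUN_VALUE_SUFFIX) or RUN_COMMAND.search(details):
            hits.append("run_key_persistence")
        if "browser helper objects\\" + BHO_CLSID.lower() in target:
            hits.append("bho_registration")
        if "low rights\\elevationpolicy\\" + ELEVATION_GUID.lower() in target:
            hits.append("ie_elevation_policy")
    elif eid == 11:  # FileCreate
        path = str(ev.get("TargetFilename", ""))
        in_system32 = ntpath.dirname(path).lower().endswith("\\system32")
        if in_system32 and ntpath.basename(path).lower() in SYSTEM_DROPS:
            hits.append("system_dll_drop")
        if HEX_DRIVER.search(path):
            hits.append("hex_named_driver")
    return hits


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """(indicator, writing process image) for every hit across the event stream."""
    return [(name, str(ev.get("Image", "?"))) for ev in events for name in match_event(ev)]


# Constructed sample telemetry (not real logs): four events mirroring the report's
# behaviour plus two benign ones that must not fire.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\Enumerate_gt_gongik_update_20140311.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Enumerate_gt",
     "Details": r"C:\Program Files\enumerate\gt\enumerate_gtu.exe Runcmd"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\Enumerate_gt_gongik_update_20140311.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\NoExplorer",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\b3b1f.exe",
     "TargetFilename": r"C:\WINDOWS\system32\vorsion.dll"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\b3b1f.exe",
     "TargetFilename": r"C:\WINDOWS\system32\drivers\12a073ba.sys"},
    {"EventID": 11, "Image": r"C:\WINDOWS\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


if __name__ == "__main__":
    for name, image in triage(SAMPLE_EVENTS):
        print(f"{name:22} {image}")
```

The BHO CLSID, the ElevationPolicy GUID and the Run value name are specific to this installer build and make tight rules; the %System% drop names and the hex-named driver pattern are looser and worth keeping as hunting queries rather than alerts.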
The Trojan sets the Internet Explorer "Local intranet" zone options. UNC paths are placed in the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Sites that bypass the proxy server are placed in the Local Intranet zone:

"ProxyBypass" = "1"

Single-label (dot-less) host names not listed in any other zone are placed in the Local Intranet zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCR\onetaps.onetapsSO\CurVer]
[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\InprocServer32]
[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\VersionIndependentProgID]
[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\ProxyStubClsid32]
[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0]
[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}]
[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0\0]
[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\TypeLib]
[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0\HELPDIR]
[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
[HKCR\onetaps.onetapsSO.1\CLSID]
[HKCR\onetaps.onetapsSO\CLSID]
[HKCR\AppID\{4A005145-FD42-48BC-9C19-BD8331620AE8}]
[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0\0\win32]
[HKCR\onetaps.onetapsSO.1]
[HKCR\AppID\onetaps.DLL]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\ProgID]
[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\ProxyStubClsid]
[HKCR\onetaps.onetapsSO]
[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\TypeLib]
[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\Programmable]
[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0\FLAGS]
[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCR\AppID\onetaps.DLL]
"AppID"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\InprocServer32]
"ThreadingModel"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
"AppID"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
"NoExplorer"

The Trojan deletes the following autorun values (the same process also sets "Enumerate_gt" under this key, listed above):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Enumerate_gtst"

"Enumerate_gt"

The process enumerate_gtu.exe:1456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\enumerate_gt]
"AP_2" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\enumerate_gt]
"AC_2" = "0"
"AC_1" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C F7 BB 2D 52 99 5F A6 B9 A4 23 96 B0 04 4A 22"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\enumerate_gt]
"AU_2" = "0"
"TB_0" = "1"
"AU_1" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\enumerate_gt]
"AP_1" = "0"

The Trojan sets the Internet Explorer "Local intranet" zone options. UNC paths are placed in the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Sites that bypass the proxy server are placed in the Local Intranet zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Single-label (dot-less) host names not listed in any other zone are placed in the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process enumerate_gtu.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\enumerate_gt]
"verup" = "20140311"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"Enumerate_gt_gongik_update_20140311.exe" = "Enumerate_gt_gongik_update_20140311"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 7D 0D A9 D7 6D 90 86 5C 8D 28 E1 12 92 4D 6A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\enumerate_gt]
"onegtu" = "20140312"

The Trojan modifies IE security zone settings to map all local web nodes (host names without dots that are not assigned to any zone) to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process b3b8c.tmp:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\b38dd.tmp, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\b3b8c.tmp,"

The process regsvr32.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\IEHelper.IEHlprObj\CurVer]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32]
"(Default)" = "%System%\godlion.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
"(Default)" = "IEHlprObj Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\IEHelper.IEHlprObj]
"(Default)" = "IEHlprObj Class"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"(Default)" = "%System%\godlion.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCR\IEHelper.IEHlprObj\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKCR\IEHelper.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\IEHelper.IEHlprObj.1\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 0C FE 10 B0 31 4D DD E4 E4 3E 7E 6D 50 C8 95"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}]
"(Default)" = "IIEHlprObj"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0]
"(Default)" = "IEHelper 1.0 Type Library"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]
"(Default)" = "IEHelper.IEHlprObj"

The process b38dd.tmp:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\b38dd.tmp,"

The process %original file name%.exe:1396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\enumerate_gt]
"TB_0" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enumerate_gt uninstall]
"DisplayName" = "Enumerate Top Search - gt"

[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\TypeLib]
"(Default)" = "{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enumerate_gt uninstall]
"DisplayIcon" = "%Program Files%\enumerate\gt\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\TypeLib]
"(Default)" = "{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}"

[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}]
"(Default)" = "IonetapsSO"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\InprocServer32]
"(Default)" = "%Program Files%\enumerate\gt\enumerate_gt.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
"(Default)" = "Enumerate Top Search - GT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\ProgID]
"(Default)" = "onetaps.onetapsSO.1"

[HKCU\Software\enumerate_gt]
"stver" = "20131030"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}\VersionIndependentProgID]
"(Default)" = "onetaps.onetapsSO"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
"NoExplorer" = "1"

[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0]
"(Default)" = "onetaps 1.0 형식 라이브러리"

[HKCR\onetaps.onetapsSO]
"(Default)" = "onetapsSO Class"

[HKCR\onetaps.onetapsSO\CurVer]
"(Default)" = "onetaps.onetapsSO.1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0\HELPDIR]
"(Default)" = ""

[HKCU\Software\AppDataLow\Software\enumerate_gt]
"TB_0" = "1"

[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\TypeLib]
"Version" = "1.0"

[HKCR\onetaps.onetapsSO.1\CLSID]
"(Default)" = "{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}]
"AppName" = "enumerate_gtu.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Enumerate_gt uninstall]
"UninstallString" = "%Program Files%\enumerate\gt\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\Interface\{A8DD25C9-B4AA-4468-8041-E104F9EEBFF5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\enumerate_gt]
"nid" = "gongik"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}]
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 CD 4A 72 FF 1E 38 3F 65 69 7F 0B B7 85 FE A9"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}]
"AppPath" = "%Program Files%\enumerate\gt\"

[HKCR\onetaps.onetapsSO\CLSID]
"(Default)" = "{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
"(Default)" = "Enumerate Top Search - GT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\AppID\onetaps.DLL]
"AppID" = "{4A005145-FD42-48BC-9C19-BD8331620AE8}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{7C3A6FC2-0EE4-4B2E-8029-3766C8DAF951}\1.0\0\win32]
"(Default)" = "%Program Files%\enumerate\gt\enumerate_gt.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{DE084F45-537A-4554-AFDA-8CF3E80FA1A9}]
"AppID" = "{4A005145-FD42-48BC-9C19-BD8331620AE8}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\onetaps.onetapsSO.1]
"(Default)" = "onetapsSO Class"

[HKCR\AppID\{4A005145-FD42-48BC-9C19-BD8331620AE8}]
"(Default)" = "onetaps"

To run itself automatically each time Windows is booted, the Trojan adds the following link to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Enumerate_gt" = "%Program Files%\enumerate\gt\enumerate_gtu.exe Runcmd"

The Trojan modifies IE security zone settings to map all local web nodes (host names without dots that are not assigned to any zone) to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The Trojan disables automatic startup of the application by deleting the following autorun values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Enumerate_gtst"
"Enumerate_gt"

The process b3ee8.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 84 9B 28 2C EF B9 90 37 C4 1F 40 CA 5D 2F EE"

Network activity (URLs)

URL IP
hxxp://www.enumstates.co.kr/cnt/index.php?pid=gongik&type=6 121.78.182.82
hxxp://www.enumstates.co.kr/check/gongik/update/enum.php
hxxp://down.enumstates.co.kr/download/Enumerate_gt_gongik_update_20140311.exe 121.78.93.23
enumstates.co.kr 121.78.182.82


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\12a073ba.sys", the Trojan monitors the loading of executable images into memory by installing a load-image notify routine.

The Trojan installs the following kernel-mode hooks:

ZwCreateFile

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    b3b1f.exe:852
    Enumerate_gt_gongik_update_20140311.exe:504
    enumerate_gtu.exe:1804
    b3b8c.tmp:488
    regsvr32.exe:860
    b38dd.tmp:364
    %original file name%.exe:1792
    %original file name%.exe:816
    %original file name%.exe:1396
    b3ee8.exe:204

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\enumerate\gt (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\test.pml (15374 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Enumerate_gt_gongik_update_20140311[1].exe (3560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (38 bytes)
    %System%\version.dll (119 bytes)
    %WinDir%\WinSxS (96 bytes)
    %Documents and Settings%\%current user%\Application Data\Enumerate_gt_gongik_update_20140311.exe (2640 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (828 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (800 bytes)
    %System%\config\SOFTWARE.LOG (10726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (39 bytes)
    %System%\drivers\12a073ba.sys (72 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7a8.dat (4 bytes)
    %System%\godlion.dll (196 bytes)
    C:\$Directory (900 bytes)
    %System%\vorsion.dll (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
    %System%\midimap.dll (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HFeFk.dll (119 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (38 bytes)
    %WinDir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sFHdHf.dll (119 bytes)
    %System%\config\software (4124 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    %System%\drivers\6e0b463c.sys (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\SelfDelete.dll (784 bytes)
    %Program Files%\enumerate\gt\enumerate_gtu.exe (32128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\version.dll (784 bytes)
    %Program Files%\enumerate\gt\uninstall.exe (2365 bytes)
    C:\DelUS.bat (232 bytes)
    %Program Files%\enumerate\gt\enumerate_gt.dll (11048 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\KillProcDLL.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\IEKill.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\UnProtectMode.dll (9320 bytes)
    %Program Files%\enumerate\gt\enumerate_gongik.dll (66088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (85403 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp\DLLWebCount.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    C:\%original file name%.exe (3902 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b3ee8.exe (327 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b3b1f.exe (1616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b3b8c.tmp (7547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b38dd.tmp (9605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\IEKill.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\SelfDelete.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (57148 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\UnProtectMode.dll (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\KillProcDLL.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\DLLWebCount.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\version.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BWf.bat (159 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Enumerate_gt" = "%Program Files%\enumerate\gt\enumerate_gtu.exe Runcmd"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
