Susp_Dropper_d23e8846dc

by malwarelabrobot on December 8th, 2015 in Malware Descriptions.

Susp_Dropper (Kaspersky), Win32.Virlock.Gen.8 (B) (Emsisoft), BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: d23e8846dc99071f3b61403cea0e9294
SHA1: 6d244ff9c0738af18299b790d09207c7d44f41e7
SHA256: ac966b21b9fdf43665936d7b40d45d7b6e3d788b284cdeab641cdb4d76dc5554
SSDeep: 49152:4k5utn98Q8/7htj cqrO9TNLcPbks9WTcu0F7nz5L0ns69YZEAo:4k5ut98Q8/7htqrKwPbfu05nz5L0n
Size: 3715072 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-11-25 23:31:10
Analyzed on: WindowsXP SP3 32-bit


Summary:

Classified by the analysis system as a banker (theft of data relating to online banking, e-payment and credit card systems). Nothing captured in this run supports that classification: no network traffic, URLs or IDS alerts were recorded. What the trace does show, consistent with the Emsisoft detection name Win32.Virlock.Gen.8, is file-infector behaviour: the sample writes an executable named '<name>.<original extension>.exe' in place of each bitmap, image, music and Perl documentation image file it finds, deletes the original, drops copies of itself under eight-letter profile directories such as YuogIoUc and AUUoUgAI, and persists through the Winlogon UserInit value and the Run keys.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1092
%original file name%.exe:860
%original file name%.exe:1940
%original file name%.exe:1756
%original file name%.exe:1488
%original file name%.exe:820

The Trojan injects its code into the following process(es):

UOYUAYsk.exe:488
uyoUsggM.exe:1312
lWEUMcgA.exe:1492

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KIoEcxMs.bat (4 bytes)
C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KIoEcxMs.bat (0 bytes)

The process %original file name%.exe:860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nmAoIUMY.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nmAoIUMY.bat (0 bytes)

The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe (14803 bytes)
%Documents and Settings%\All Users\NSIsgYEw\lWEUMcgA.exe (14187 bytes)
C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)
%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe (14803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bCAEQIkM.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bCAEQIkM.bat (0 bytes)

The process %original file name%.exe:1488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pGAwYUoU.bat (4 bytes)
C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pGAwYUoU.bat (0 bytes)

The process %original file name%.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oqoAIoQU.bat (4 bytes)
C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqoAIoQU.bat (0 bytes)

The process UOYUAYsk.exe:488 makes changes in the file system.
The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process uyoUsggM.exe:1312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\YuogIoUc\QkUe.exe (16317 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gYYE.exe (15962 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aYUC.exe (20128 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (22336 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QkMM.exe (17147 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uccU.exe (16771 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Mcso.exe (18325 bytes)
%Documents and Settings%\%current user%\YuogIoUc\asca.exe (16880 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xkkg.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UsQc.exe (15385 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XYAs.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bQQI.exe (16411 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iQgo.exe (16321 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Lsce.exe (15068 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aMww.exe (14501 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (15799 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (45846 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gUIe.exe (16407 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hEwC.exe (16701 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AgwE.exe (16354 bytes)
%Documents and Settings%\%current user%\YuogIoUc\yski.exe (16375 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YMwi.exe (16346 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VgAY.exe (16383 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wggI.exe (16354 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OMMo.exe (14803 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZEYu.exe (16015 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bIYu.exe (16125 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\egMk.exe (15962 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (16582 bytes)
C:\totalcmd\TCUNINST.EXE.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zgkK.exe (15745 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xQkw.exe (16375 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UsEW.exe (18379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OsEK.exe (16787 bytes)
%Documents and Settings%\%current user%\YuogIoUc\mUEk.exe (15941 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OgEs.exe (16321 bytes)
C:\totalcmd\TCMDX32.EXE.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Bgog.exe (16346 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BIIQ.exe (15435 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\EgkO.exe (16411 bytes)
%Documents and Settings%\%current user%\YuogIoUc\lYIo.exe (16366 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ykEu.exe (23361 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MQAu.exe (16410 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AIwU.exe (14775 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kgMq.exe (45140 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ukso.exe (15999 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qQcm.exe (16791 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cwsk.exe (16722 bytes)
%Documents and Settings%\%current user%\YuogIoUc\tQgY.exe (16338 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KQEE.exe (16407 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Ikoq.exe (15962 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JkkU.exe (16317 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iokC.exe (34572 bytes)
%Documents and Settings%\%current user%\YuogIoUc\DQQq.exe (16375 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uggG.exe (15987 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\fcMw.exe (15547 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eAoe.exe (16362 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aUIG.exe (16057 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AIIC.exe (16342 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KgYI.exe (15950 bytes)
C:\totalcmd\TcUsbRun.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\GwAK.exe (16334 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bQQM.exe (16325 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (17072 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (20504 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LYAC.exe (16019 bytes)
%Documents and Settings%\All Users\KAYc.txt (55978 bytes)
%Documents and Settings%\%current user%\YuogIoUc\twkK.exe (17116 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cgIg.exe (16387 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sYwQ.exe (15365 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nYkG.exe (18346 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YwUq.exe (16338 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LgMq.exe (16375 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\YuogIoUc\QkUe.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gYYE.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aYUC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\QkMM.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uccU.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OgEs.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\asca.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xkkg.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UsQc.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XYAs.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bQQI.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
C:\%original file name%.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Lsce.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aMww.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gUIe.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\hEwC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AgwE.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\yski.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YMwi.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VgAY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wggI.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OMMo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZEYu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bIYu.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\egMk.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zgkK.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\xQkw.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UsEW.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\OsEK.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\DQQq.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iQgo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Bgog.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\uggG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BIIQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\fcMw.exe (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\EgkO.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\lYIo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ykEu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MQAu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AIwU.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kgMq.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ukso.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\mUEk.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qQcm.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cwsk.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\tQgY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KQEE.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Ikoq.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JkkU.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iokC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Mcso.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eAoe.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\aUIG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\AIIC.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\KgYI.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\GwAK.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\bQQM.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LYAC.exe (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\twkK.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\cgIg.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sYwQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nYkG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\YwUq.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LgMq.exe (0 bytes)

Registry activity

The process %original file name%.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 7D B4 CA 13 85 71 97 FA 09 4E 82 27 B0 42 54"

(The RNG Seed value is rewritten by the Windows CryptoAPI whenever a process draws random bytes, for example through CryptGenRandom. Its presence shows that the sample uses the system PRNG, most likely for its random file and directory names; it is not an indicator of compromise on its own. The same applies to the Seed values listed for the other processes below.)

The process %original file name%.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 9D 3C A8 40 CA 3E AF 0A 9D 76 7F 24 74 28 6A"

The process %original file name%.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 2F 7E F7 25 CF 56 45 E9 FB 0D 5B 65 15 7D 8B"

The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F B2 42 B1 D7 F0 CE A3 35 3E 4A C1 AA 59 37 93"

The Trojan appends its dropped copy to the Winlogon UserInit list, so winlogon.exe starts it at every interactive logon, before the user's shell:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe,"

It also registers its dropped copies under the per-user and machine-wide Run keys, which start them at each user logon (these keys are processed at logon, not at boot):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"

The process %original file name%.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 CF 5C A8 6D 5B C7 FF 02 BE 61 A3 5C F4 FD 8B"

The process %original file name%.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 66 A1 13 03 69 B7 E2 CA 8F B1 0F F7 B5 C6 50"

The process UOYUAYsk.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 CE 60 C1 0D 7D 13 CF 8E 75 56 A3 11 65 EE 43"

The Trojan registers one of its dropped copies under the Run autorun key, which starts it at each user logon:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"

The process uyoUsggM.exe:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 83 B0 F2 EF CB F2 3C F4 88 4C 52 8C 27 47 CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

(The MountPoints2 BaseClass entries are written by the Explorer shell namespace when drives are enumerated through it. Here they are consistent with this copy walking the available volumes for files to replace; they are not a persistence mechanism.)

The Trojan registers one of its dropped copies under the Run autorun key, which starts it at each user logon:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"

The process lWEUMcgA.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 20 FD FC 07 B7 38 78 F7 4D 11 C2 C6 C7 73 59"

The Trojan registers one of its dropped copies under the Run autorun key, which starts it at each user logon:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"
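The two persistence changes recorded above, the extra UserInit entry and the Run values, are the registry items to verify and repair during cleanup. The script below is an added example, not part of the Lavasoft report or of the sample, that works offline on exported value strings (for instance from a reg export or a hive dump): it isolates the foreign UserInit entry, rebuilds a clean value without ever blanking it, and flags Run values whose target lives under a profile directory. The REPORT_USERINIT and the two malicious REPORT_RUN strings are copied from this report; the ctfmon.exe Run entry and the ALLOWED_USERINIT and PROFILE_DIRS baselines are assumptions made for the example.

```python
# Baseline: the only entries a stock Windows XP UserInit list should hold.
# The second form is what the report's %System% placeholder expands to on a
# default install; other install roots would need adding (assumption).
ALLOWED_USERINIT = {
    r"%system%\userinit.exe",
    r"c:\windows\system32\userinit.exe",
}

# Run-key targets under a profile or temp directory rather than Program
# Files / Windows match the dropper pattern in this report. Heuristic,
# assumed here; tune it for your environment.
PROFILE_DIRS = (
    r"%documents and settings%", r"c:\documents and settings", r"c:\users",
    r"%appdata%", r"%localappdata%", r"%temp%",
)

# Values as printed in this report's registry section.
REPORT_USERINIT = (
    r"%System%\userinit.exe,"
    r"%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe,"
)
REPORT_RUN = {
    "uyoUsggM.exe": r"%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe",
    "UOYUAYsk.exe": r"%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",   # constructed benign entry
}


def _norm(path: str) -> str:
    """Case-fold and strip quotes so placeholder and literal forms compare."""
    return path.strip().strip('"').lower()


def _entries(userinit_value: str) -> list:
    """UserInit is a comma-separated list with a trailing comma; drop blanks."""
    return [e.strip() for e in userinit_value.split(",") if e.strip()]


def userinit_extras(userinit_value: str) -> list:
    """Every UserInit entry that is not the stock userinit.exe (clean == [])."""
    return [e for e in _entries(userinit_value) if _norm(e) not in ALLOWED_USERINIT]


def clean_userinit(userinit_value: str) -> str:
    """Rebuild the value with only allowed entries, keeping the trailing comma
    Windows writes. Refuses to produce an empty list: without userinit.exe
    no interactive logon completes, which is worse than the infection."""
    kept = [e for e in _entries(userinit_value) if _norm(e) in ALLOWED_USERINIT]
    if not kept:
        raise ValueError("no legitimate userinit.exe entry found; not rewriting")
    return ",".join(kept) + ","


def suspicious_run_entries(run_values: dict) -> list:
    """Flag Run values whose target sits under a profile/temp directory and
    record whether the value name is just the file name, as in this sample."""
    flagged = []
    for name, target in run_values.items():
        t = _norm(target)
        if any(t.startswith(d) for d in PROFILE_DIRS):
            flagged.append({
                "name": name,
                "target": target,
                "name_matches_file": t.endswith("\\" + name.lower()),
            })
    return flagged


if __name__ == "__main__":
    print("UserInit extras :", userinit_extras(REPORT_USERINIT))
    print("Clean UserInit  :", clean_userinit(REPORT_USERINIT))
    for f in suspicious_run_entries(REPORT_RUN):
        print("Run key         :", f)
```

The UserInit check compares whole normalized paths, not just the file name, so a copy named userinit.exe in a profile directory is still reported; clean_userinit raises rather than writing back an empty list because a blank UserInit value locks every user out at logon.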

Dropped PE files

MD5 File path
54d3bd5918333be2142e54e8a6c974af c:\Documents and Settings\All Users\AUUoUgAI\UOYUAYsk.exe
f374e574b9703fd6f6b32e07070c94b4 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
49320fa4aa6b6d34bdeb91cb559217b2 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
f802886b75f5372a605212baf369322e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
71079a63f751d27f53572c0edf167548 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
f9fbefbd757f9cdc1fb2e8fe058110ee c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
e06bf905023abbec4948f158dee969c6 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
eff0f589102d1ebc83f5f2c5e4361249 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
6e87b03c712af7bf26af604ee947b5a3 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
26c17fb49223419c500a9e835285020f c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
bd1fa55de8e99f14611c4821a741b148 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
1683f0a34140f605c8236ac963364abf c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
b61626fb724c186d1716223f5080440e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
e3258918f6ded145c4b91cc619e0ea2e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
8155f5ee7b2c541d08964f2acaa01fec c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
639a512d650e7fa3370cb30bb041ee02 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
94733968204b10e2aec4d44483f52d5a c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
e8542f173bcd87685da43c365ac50599 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
c158e83b96f306af314914b51cb54086 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
915ec4dd85a2e27ebe23003818ee3404 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
e7fbc641ef67cea60a5f6d7fc08daa79 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
29014193d8035ffeddb7d4f4eecfe627 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
2f2eba2c97b2a67350fe3f9a46080121 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
66e79fb026bcc85a5483401f3855deec c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
16506c391918d6853af95f16e2ff62c7 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe
e7387ea62f0c7ea0afb10bec0cf528cc c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
92bc6dbcf561ad0d8572e95ba7a563d0 c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
138950411fe1990607fc3cb368381d2b c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
c5b614a9581985c841b5b715fe2e870a c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
0112c54c0043dcd4f5c8daa905c6e8fd c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
203c9388fd65ec6bdf3732256fb4bdaf c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
88b4bb372df4cad9fc6993a228dd0d8b c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
6d9092eaa6e6cca2e280e3857bedb96d c:\Documents and Settings\All Users\NSIsgYEw\lWEUMcgA.exe
11eb719cd876f79563752ea7b20d8d45 c:\Documents and Settings\"%CurrentUserName%"\YuogIoUc\uyoUsggM.exe
cc9939b9b584295a8080e735af859c29 c:\Perl\eg\IEExamples\ie_animated.gif.exe
de8cc379ae093af056fa71ab673c6915 c:\Perl\eg\IEExamples\psbwlogo.gif.exe
aefab310117f73dd1475c25748e2a8bf c:\Perl\eg\aspSamples\ASbanner.gif.exe
258950248fe417bfd93d955833f7f79f c:\Perl\eg\aspSamples\Main_Banner.gif.exe
4265755f6e37e3c88290ddb1ef481a72 c:\Perl\eg\aspSamples\psbwlogo.gif.exe
d763749a5300eed0f7ba7cc8544eb7e9 c:\Perl\html\images\AS_logo.gif.exe
3983b2d417fd2aef38920f44d8e38978 c:\Perl\html\images\PerlCritic_run.png.exe
1fa5ad2cd6598f10887692a25892fe29 c:\Perl\html\images\aslogo.gif.exe
df0a095a96000de54a18ba3793fbe778 c:\Perl\html\images\ppm_gui.png.exe
6defb268f8bf60a8cf3a45cf7f12e91f c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe
67cdc3105280f30e7e38bf19c372088c c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe
86ea1f32968b775961ff07ae846da9a5 c:\Perl\lib\Devel\NYTProf\js\asc.png.exe
eb91b3be0b1a3c38e36cfb873fbc5380 c:\Perl\lib\Devel\NYTProf\js\bg.png.exe
beb562487a2a2541cc44caef05401a61 c:\Perl\lib\Devel\NYTProf\js\desc.png.exe
5adce1166f0bd5dad6ae5046ab3c193a c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe
c01f9b50f3c808da2ae2fafbd4ffc427 c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe
035a5d7e6f5bdd41d0c1c5377550a670 c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe
4d1ca8d96754e550df43d2ab168d366d c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe
f43de3530f0cde62ba977344c0c160be c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe
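The file activity list and the Dropped PE files table above show one pattern: for each data file the sample writes an executable named '<name>.<original extension>.exe' and deletes the original. The script below, added here as an example and not part of the Lavasoft report or of the sample, hunts for that pattern on a directory tree, confirms each hit is a PE by its 'MZ' header, notes whether the original file is gone, and compares each hit's MD5 against a subset of the table's hashes. The sample tree, its file contents and the DATA_EXTS list are constructed for the example; only the MD5 constants come from the report.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5s copied from this report's "Dropped PE files" table (a subset).
KNOWN_DROPPED_MD5 = {
    "54d3bd5918333be2142e54e8a6c974af",  # All Users\AUUoUgAI\UOYUAYsk.exe
    "11eb719cd876f79563752ea7b20d8d45",  # <user>\YuogIoUc\uyoUsggM.exe
    "6d9092eaa6e6cca2e280e3857bedb96d",  # All Users\NSIsgYEw\lWEUMcgA.exe
    "bd1fa55de8e99f14611c4821a741b148",  # Default Pictures\dog.bmp.exe
}

# Data-file types the sample replaced in this run (bmp/jpg/wma under the
# profile folders, gif/png under C:\Perl). Assumed extensible to others.
DATA_EXTS = {".bmp", ".jpg", ".jpeg", ".gif", ".png", ".wma", ".mp3"}


def md5_of(path: Path) -> str:
    """Hex MD5 of a file, streamed so large files are not read into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: Path) -> bool:
    """Cheap PE check: a Windows executable starts with the 'MZ' DOS stub."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def find_infected(root, known_md5=KNOWN_DROPPED_MD5) -> list:
    """One record per '<name>.<data ext>.exe' found under root.

    Each record states whether the original data file is gone (the report's
    pattern: 'dog.bmp.exe' written, 'dog.bmp' deleted), whether the new file
    really is a PE, and whether its MD5 matches a hash in known_md5."""
    hits = []
    for exe in sorted(Path(root).rglob("*.exe")):
        inner = exe.with_suffix("")              # 'dog.bmp.exe' -> 'dog.bmp'
        if inner.suffix.lower() not in DATA_EXTS:
            continue                             # ordinary single-extension .exe
        hits.append({
            "path": str(exe.relative_to(root)),
            "original_missing": not inner.exists(),
            "is_pe": is_pe(exe),
            "known_hash": md5_of(exe) in known_md5,
        })
    return hits


def build_sample_tree(root) -> None:
    """Constructed tree mirroring paths from the report. Contents are made
    up; only the names and the 'MZ' prefix matter to the checks."""
    root = Path(root)
    pics = root / "User Account Pictures" / "Default Pictures"
    pics.mkdir(parents=True)
    (pics / "dog.bmp.exe").write_bytes(b"MZ" + b"\x90" * 64)    # original gone
    samples = root / "My Pictures" / "Sample Pictures"
    samples.mkdir(parents=True)
    (samples / "Sunset.jpg.exe").write_bytes(b"MZ" + b"\xcc" * 64)
    (samples / "Sunset.jpg").write_bytes(b"\xff\xd8\xff")        # original kept
    (root / "Setup.exe").write_bytes(b"MZ" + b"\x00" * 64)      # benign name
    (root / "notes.txt").write_bytes(b"not an executable")


def demo() -> dict:
    """Run the checks over the constructed tree. Returns findings keyed by
    file name, plus the names that match when dog.bmp.exe's own digest is
    used as the known-bad set (simulating a hit on the report's table)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_infected(tmp)
        dog = Path(tmp) / "User Account Pictures" / "Default Pictures" / "dog.bmp.exe"
        rehits = find_infected(tmp, known_md5={md5_of(dog)})
    return {
        "hits": {Path(h["path"]).name: h for h in hits},
        "matched": [Path(h["path"]).name for h in rehits if h["known_hash"]],
    }


if __name__ == "__main__":
    for name, rec in demo()["hits"].items():
        print(name, rec)
```

Point find_infected at a mounted image or a copied profile directory to triage a real host; an 'original_missing' hit whose hash is not in the table is still worth pulling, since the table lists only the copies produced in one sandbox run and the sample's PEID result (UPolyXv05) suggests the bytes vary between copies.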

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             2199552       2199552   5.42129   aa35a221e10962a5c59782f84a8b651f
.rdata  2203648          8192          10240     0.158459  2dd1661ede7e6f9277c24c1ca1efad30
.data   2211840          1499136       1499136   4.06382   69557aac6e0675416e37c0ac04db057e
.rsrc   3710976          4608          4608      3.07545   59465b1d9824ce562746fca68ad3a437
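
The section table is worth a quick consistency pass before trusting any verdict derived from it: each section should start where the previous one ends (rounded up to the section alignment), a section with no bytes on disk but a large virtual size is where an unpacker writes its decoded code, and the Entropy column is Shannon entropy in bits per byte on a 0 to 8 scale. The script below does that pass over the rows copied from the table above. It is an added example for this report, not Lavasoft analysis-system code; the 0x1000 section alignment and the 7.0 bits/byte threshold are assumptions of the example, not values reported by the sandbox.

```python
"""Sanity checks on a PE section table like the one above.

Added example for this report, not Lavasoft analysis-system code. The rows
are copied from the PE Sections table; the section alignment of 0x1000 and
the entropy threshold of 7.0 bits/byte are assumptions of this example.
"""
import math
from collections import Counter

SECTION_ALIGN = 0x1000  # assumed; every VA in the table is a multiple of 4096
HIGH_ENTROPY = 7.0      # assumed cut-off for "compressed or encrypted" data

# (name, virtual address, virtual size, raw size, entropy) from the table above
PAGE_SECTIONS = [
    (".text",  4096,    2199552, 2199552, 5.42129),
    (".rdata", 2203648, 8192,    10240,   0.158459),
    (".data",  2211840, 1499136, 1499136, 4.06382),
    (".rsrc",  3710976, 4608,    4608,    3.07545),
]


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes. This is the scale of the Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_layout(rows, section_align=SECTION_ALIGN):
    """Walk the rows in order and report anything a loader or an analyst
    would find odd. Returns (ok, size_of_image, findings)."""
    findings = []
    expected_va = section_align  # the first section follows the PE headers
    for name, va, vsize, raw, entropy in rows:
        if va != expected_va:
            findings.append(f"{name}: VA {va:#x}, expected {expected_va:#x} (gap or overlap)")
        if raw == 0 and vsize > 0:
            findings.append(f"{name}: no bytes on disk, filled at run time")
        if entropy > HIGH_ENTROPY:
            findings.append(f"{name}: entropy {entropy:.2f}, likely compressed or encrypted")
        expected_va = align_up(va + vsize, section_align)
    # After the last section, expected_va is the image size the loader maps.
    return not findings, expected_va, findings


if __name__ == "__main__":
    ok, size_of_image, findings = check_layout(PAGE_SECTIONS)
    print(f"layout ok={ok} size_of_image={size_of_image:#x}")
    for finding in findings:
        print(" ", finding)
    print("entropy of 64 zero bytes:", shannon_entropy(b"\x00" * 64))
    print("entropy of bytes 0..255:", shannon_entropy(bytes(range(256))))
```

For the rows above the layout is contiguous (each VA equals the previous VA plus virtual size, already page-aligned) and no section crosses the 7.0 threshold; the .rdata raw size being larger than its virtual size is ordinary file-alignment padding, not a finding.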

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1092
    %original file name%.exe:860
    %original file name%.exe:1940
    %original file name%.exe:1756
    %original file name%.exe:1488
    %original file name%.exe:820

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\KIoEcxMs.bat (4 bytes)
    C:\d23e8846dc99071f3b61403cea0e9294 (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nmAoIUMY.bat (4 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe (14803 bytes)
    %Documents and Settings%\All Users\NSIsgYEw\lWEUMcgA.exe (14187 bytes)
    %Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe (14803 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bCAEQIkM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pGAwYUoU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oqoAIoQU.bat (4 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\QkUe.exe (16317 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\gYYE.exe (15962 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (15278 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\aYUC.exe (20128 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (22336 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\QkMM.exe (17147 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\uccU.exe (16771 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\Mcso.exe (18325 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\asca.exe (16880 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\xkkg.exe (16350 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\UsQc.exe (15385 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\XYAs.exe (16350 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\bQQI.exe (16411 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (15506 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (15506 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\iQgo.exe (16321 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\Lsce.exe (15068 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\aMww.exe (14501 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (15799 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (45846 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\gUIe.exe (16407 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\hEwC.exe (16701 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\AgwE.exe (16354 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\yski.exe (16375 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\YMwi.exe (16346 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\VgAY.exe (16383 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\wggI.exe (16354 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\OMMo.exe (14803 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\ZEYu.exe (16015 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\bIYu.exe (16125 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (15506 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\egMk.exe (15962 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (16582 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\zgkK.exe (15745 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\xQkw.exe (16375 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (15278 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\UsEW.exe (18379 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\OsEK.exe (16787 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\mUEk.exe (15941 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\OgEs.exe (16321 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (15799 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\Bgog.exe (16346 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\BIIQ.exe (15435 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (15506 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\EgkO.exe (16411 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\lYIo.exe (16366 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\ykEu.exe (23361 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\MQAu.exe (16410 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\AIwU.exe (14775 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (15278 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\kgMq.exe (45140 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\ukso.exe (15999 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\qQcm.exe (16791 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\cwsk.exe (16722 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\tQgY.exe (16338 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\KQEE.exe (16407 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\Ikoq.exe (15962 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (16158 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\JkkU.exe (16317 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\iokC.exe (34572 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\DQQq.exe (16375 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\uggG.exe (15987 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\fcMw.exe (15547 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\eAoe.exe (16362 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\aUIG.exe (16057 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\AIIC.exe (16342 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (16158 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\KgYI.exe (15950 bytes)
    C:\totalcmd\TcUsbRun.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\GwAK.exe (16334 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\bQQM.exe (16325 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (17072 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (20504 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\LYAC.exe (16019 bytes)
    %Documents and Settings%\All Users\KAYc.txt (55978 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\twkK.exe (17116 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\cgIg.exe (16387 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\sYwQ.exe (15365 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (15278 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\nYkG.exe (18346 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\YwUq.exe (16338 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\LgMq.exe (16375 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe,"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
