Trojan.Generic.10239673_534929d725

by malwarelabrobot on May 23rd, 2016 in Malware Descriptions.

HEUR:Trojan.Script.Generic (Kaspersky), Trojan.Generic.10239673 (AdAware), Backdoor.Win32.Farfli.FD, Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 534929d7257c9bc4f62fcf3e8620c7d8
SHA1: b8ee86e2342c81f592602319ecc407625fd4faf5
SHA256: d768cb2b8f065c86fcdf702dc5375a25dd4f5558a190f2be499b39a0acd22e0c
SSDeep: 12288:waWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8IJze68PvanRJkHVphYJGTaTFxfj5kMx:3aHMv6CorjqnyC8IJK007QGTojfjlyY
Size: 1074485 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ICorporation
Created at: 2010-04-16 10:47:33
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

RSOP.exe:1336
RSOP.exe:136
RSOP.exe:468
%original file name%.exe:188
%original file name%.exe:1364

The Trojan injects its code into the following process(es):

taskmgr.exe:488
svchost.exe:444

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uzmvweb (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (2769 bytes)
%WinDir%\RSOP.exe (1425 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uzmvweb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
%WinDir%\RSOP.exe (0 bytes)

The process taskmgr.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZAXCZ41\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SJKR0F2D\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YWHq0Sews.dat (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q37GRL1S\desktop.ini (67 bytes)
%System%\Microsoft\Protect\System.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNKX8HU1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YWHq0Sews.xtr (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZAXCZ41\1234567890[1].htm (68015 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZAXCZ41\1234567890[1].htm (0 bytes)

Registry activity

The process RSOP.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 67 BD D2 5E DE 9F BC 71 69 C1 2F 59 29 BC 6A"

The process RSOP.exe:136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 CF BD 7C 3F B7 D3 68 3A ED 4F 42 CB 95 58 BC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process RSOP.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 0F F3 AA 9F 96 2C 2E 52 18 62 97 0F 5D 6C AF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\XtremeRAT]
"Mutex" = "YWHq0Sews"

The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 13 A9 A1 41 54 A0 FB 6A FE 4F 5B 39 8C 80 75"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D EF 7C BF 37 A3 B7 53 DC 4E D3 B1 68 0D 9D D7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process taskmgr.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\YWHq0Sews]
"ServerStarted" = "22/05/2016 19:29:33"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1208111732"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "taskmgr.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\YWHq0Sews]
"ServerName" = "%System%\Microsoft\Protect\System.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 C3 3F 93 CB AF DE 82 17 E4 0D F6 CF DC 09 B5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To run automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update" = "%System%\Microsoft\Protect\System.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%System%\Microsoft\Protect\System.exe"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To run automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%System%\Microsoft\Protect\System.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5                              | File path
a87e455284d5aaf624c6c419fa7f9bed | c:\WINDOWS\RSOP.exe
a87e455284d5aaf624c6c419fa7f9bed | c:\WINDOWS\system32\Microsoft\Protect\System.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name   | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
.text  | 4096            | 524311       | 524800   | 4.59884 | be1208f841dc92012d5f6bbdd832e6d9
.rdata | 532480          | 55644        | 55808    | 3.15553 | 47a64a37213ad28510461b998d7032c7
.data  | 589824          | 107800       | 26624    | 1.52615 | e5d77411f751d28c6eee48a743606795
.rsrc  | 700416          | 16           | 512      | 0       | bf619eac0cdf3f68d496ea9344137e8b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                  | IP
alonedevil.no-ip.org | 204.95.99.193


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET TROJAN Win32/Xtrat.A Checkin

Traffic

The Trojan connects to the servers at the following location(s):

svchost.exe_444:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_444_rwx_10000000_0004D000:

`.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
KWindows
TServerKeylogger
GetWindowsDirectoryW
RegOpenKeyExW
RegCreateKeyW
RegCloseKey
RegOpenKeyExA
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToCacheFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardType
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
.idata
.rdata
P.reloc
P.rsrc
URLD
KERNEL32.DLL
ntdll.dll
oleaut32.dll
shlwapi.dll
wininet.dll
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
nerozhack.ddns.com.br
alonedevil.no-ip.org
gameszero.dyndns.org
System.exe
%System%\taskmgr.exe
{4YBTO35S-O1AV-5TE3-5AUC-1PW370X4E08Q}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
.HKCU
KeyScrambler Tray Icon %SERVER%
%WinDir%\WinSxS\x86_Microsoft.WinYWHq0SewsEXIT
PTF.ftpserver.com
ftpuser

taskmgr.exe_488:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
iphlpapi.dll
COMCTL32.dll
SHLWAPI.dll
SHELL32.dll
Secur32.dll
VDMDBG.dll
taskmgr.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
WTSAPI32.dll
WINSTA.dll
MSGINA.dll
NetGetJoinInformation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
UTILDLL.dll
ole32.dll
taskmgr.pdb
SSSSh
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
GetProcessHeap
SetProcessShutdownParameters
GetKeyState
ExitWindowsEx
GetAsyncKeyState
EnumWindowStationsW
EnumWindows
CloseWindowStation
SetProcessWindowStation
GetProcessWindowStation
OpenWindowStationW
CascadeWindows
TileWindows
ntdll.dll
RegOpenKeyExA
<assemblyIdentity name="WindowsShell" processorArchitecture="x86" version="5.1.0.0" type="win32"/>
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Software\Microsoft\Windows NT\CurrentVersion\TaskManager
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
mcmd.exe
%ComSpec%
Software\Microsoft\Windows\CurrentVersion\Policies\System
%d %%
%s -p %ld
-%sd%sd
d %
lsass.exe
services.exe
smss.exe
winlogon.exe
csrss.exe
ntvdm.exe
drwtsn32.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
ShadowHotkeyShift
ShadowHotkeyKey
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
The Processor Affinity setting controls which CPUs the process will be allowed to execute on.
Connect Password Required
Enter the selected User's password:
Hot key
To end a remote control session, press this key, plus the keys selected below:
To end a remote control session, press this key on the numeric keypad, plus the keys selected below:
&Windows
&Log Off %s
WinKey L
Windows TaskManager
5.1.2600.5512 (xpsp.080413-2105)
taskmgr.exe
Windows
Operating System
5.1.2600.5512
;Brings a task to the foreground, switch focus to that task.BBrings a task to the front, but does not switch focus to that taskCTask Manager remains in front of all other windows unless minimized@Task Manager is minimized when a SwitchTo operation is performed$Minimizes the selected windows tasks0Maximizes the windows to the size of the desktop
4Restores the selected windows to their default state6Cascades the selected windows diagonally on the screen.Tiles the selected windowed tasks horizontally,Tiles the selected windowed tasks vertically#Displays tasks by using large icons
Graph bytes received.-Graph the sum of the bytes sent and received.<Select which columns will be visible on the Networking page.;Shows all the data that passed through the network adapter.
;Displays program information, version number, and copyright$Updates the display twice per second%Updates the display every two seconds&Updates the display every four seconds%Display does not automatically update
8Select which columns will be visible on the Process pageDForce Task Manager to update now, regardless of Update Speed setting'Provides access to point and click help?Controls which processors the process will be allowed to run on.Displays kernel time in the performance graphs;The process must have affinity with at least one processor.
CPU %d
Create New TaskeType the name of a program, folder, document, or Internet resource, and Windows will open it for you.
Windows Task Manager
Non Operational
Operational
'The operation could not be completed.
Unable to Change Priority,The operation is not valid for this process.
Minimizes the windows
Maximizes the windows.Cascades the windows diagonally on the desktop-Tiles the windows horizontally on the desktop
9Shows 16-bit Windows tasks under the associated ntvdm.exe
This operation will attempt to terminate this process and any
be ended. The operation was not fully successful.6Select which columns will be visible on the Users page
Message from %s - %s2Unhandled error occurred while connecting.
#%u %s#Enter the selected User's password.'Session (ID %lu) remote control failed.YCan't remote control Session (ID %lu) because Remote control is disabled on that Session.iCan't remote control Session (ID %lu) because it is disconnected with user's required permission enabled.
&The password was incorrect. Try again.
Tasks: %d
Processes: %d
CPU Usage: %d%%
 Tiles the windows vertically on the desktop
;Your message to user %s (SessionId=%d) could not be sent. 1User %s (SessionId=%d) could not be logged off. 3User %s (SessionId=%d) could not be disconnected.

taskmgr.exe_488_rwx_10000000_0004D000:

`.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
KWindows
TServerKeylogger
GetWindowsDirectoryW
RegOpenKeyExW
RegCreateKeyW
RegCloseKey
RegOpenKeyExA
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToCacheFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardType
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
.idata
.rdata
P.reloc
P.rsrc
URLD
KERNEL32.DLL
ntdll.dll
oleaut32.dll
shlwapi.dll
wininet.dll
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
nerozhack.ddns.com.br
alonedevil.no-ip.org
gameszero.dyndns.org
System.exe
%System%\taskmgr.exe
{4YBTO35S-O1AV-5TE3-5AUC-1PW370X4E08Q}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
.HKCU
KeyScrambler Tray Icon %SERVER%
%WinDir%\WinSxS\x86_Microsoft.WinYWHq0SewsEXIT
PTF.ftpserver.com
ftpuser
%WinDir%\RSOP.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    RSOP.exe:1336
    RSOP.exe:136
    RSOP.exe:468
    %original file name%.exe:188
    %original file name%.exe:1364

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uzmvweb (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (2769 bytes)
    %WinDir%\RSOP.exe (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZAXCZ41\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SJKR0F2D\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YWHq0Sews.dat (322 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q37GRL1S\desktop.ini (67 bytes)
    %System%\Microsoft\Protect\System.exe (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNKX8HU1\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\YWHq0Sews.xtr (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GZAXCZ41\1234567890[1].htm (68015 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Update" = "%System%\Microsoft\Protect\System.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HKLM" = "%System%\Microsoft\Protect\System.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HKCU" = "%System%\Microsoft\Protect\System.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
