Trojan.Generic.12118556_a8dbb8dd94
Susp_Dropper (Kaspersky), Trojan.Generic.12118556 (B) (Emsisoft), Trojan.Generic.12118556 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a8dbb8dd94c354ea54998e26f65f9919
SHA1: 088add1281267dc27423057f37580ed05b023bf4
SHA256: 9e0de14345d6acccd56ce7c5838afd9449caa71ff8ddfa8f7bcb8ed6590a25f5
SSDeep: 24576:aAQrwd IvWHPKrYfN7Qk/BUlGFlsySBsQnQU6/IzjMJ52HF/Cc19e:at8vgqYfN7QEdFlPSBsZnIPDCc1 (as printed; an ssdeep digest contains no spaces, so the character at the space was lost in extraction and the value should be recomputed from the sample before it is used for matching)
Size: 1312256 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPX (Compresor Gratuito, www.upx.sourceforge.net), UPolyX v0.5
Company: PC Utilities Software Limited
Created at: 2014-10-29 20:33:00
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
The sample is a UPX-packed Easy Language (FlyStudio, eyuyan.com) program that ships the SkinH_EL.dll skin library. In this run its only observed activity was an embedded WebBrowser control (the WebBrowser string and the IE cache files below) loading a hi.baidu.com blog entry, which now redirects to an error page, and hXXp://VVV.ttx123.cn/?u=woaihushan, which forwards the browser to hao123.com with the partner tag tn=39015028_203_hao_pg. The Alipay/Taobao page URLs, form-field names and SMTP header strings in the binary point to password-stealing and mailing code that was not exercised in the sandbox, consistent with the Trojan-PSW and EmailWorm verdicts above.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails (inferred from the SMTP header strings in the binary; no mail traffic was observed in this run). |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan writes executable memory in the following process(es):
%original file name%.exe:464 (its own process: the UPX stub unpacks the real image into an RWX region at 0x00401000, see the memory-region strings below; no other process is injected)
Mutexes
The following mutexes were created/opened. All of them belong to Windows components the sample loads (DirectDraw, the Text Services Framework, WinInet and the IE cache); none is specific to this malware, so they are not usable as indicators:
__DDrawCheckExclMode__
__DDrawExclMode__
DDrawWindowListMutex
DDrawDriverObjectListMutex
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s). Apart from C:\SkinH_EL.dll, every entry is Internet Explorer cache, cookie or history data written by the embedded WebBrowser control while it loaded the hao123 and ttx123.cn pages; the cached pages and images are not the malware's own payload:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bgOBPueBRw[1].js (2841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\5d27ee1370e502bb660d47d79d2c3df7[1].png (4537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\d9e4d035bd0ff6a08bdd391cbe2f4796[1].jpg (4393 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\21.1[1].png (378 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\712a1a3ba7d8971dbc61f6f2c9be83f0[1].jpg (3147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\f6f7d1aff11ef3c3cacb03d770e45bbe[1].jpg (9999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tiexue0515[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\daa311835335c49a3b2339f22dd36956[1].png (6093 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hao123[1].htm (15900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\0521zc[1].png (5821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\richanglogo168_24[1].png (2833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c7adfb176b5499bbf466d9768b1f337d[1].jpg (4205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPHrjiqQTd[1].css (17235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPHrjiqQTd[2].css (15429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1419388771[1].png (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YwJDjomYOd[1].js (10085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ttx123[1].htm (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\slidetoolbar-icon[1].png (1307 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hao123[1] (40049 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\0521zc1[1].png (5821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\c883d0fb7e275e42339963d3bb05ccdc[1].png (10017 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hf_body_bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\icon_ie6[1].png (684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index_widthlg[1].png (2727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\lanyuechuanqi[1].png (1150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\10138.2[1].png (1276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\8.411[1].png (806 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\index_icon[1].png (21129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\blank[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\defaultIcon1229[1].png (1311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\401bd6b15f5e3f83cace42f09284e732[1].jpg (4319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bgOBPueBRw[2].js (4165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\07eb92f77f9786c99347c8d42319259b[1].png (4020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\5a2949a074f35ab8f397caba90a85f14[1].jpg (6093 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6282[1].png (983 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f9a51408e5d19bcb7fd096be922779b4[1].jpg (1961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\692a2605277b6de2b69801ab50ddc9a0[1].png (1303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\51619[1].png (1298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\chaonv2016[1].png (1455 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\closeskin[1].png (403 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ef3d0c7aa618686baf0f25ccbbbeb7ae[1].jpg (4219 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\yunnanzhilv0519[1].png (1434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\xinbanchuanqi160510[1].jpg (5194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YwJDjomYOd[2].js (9732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1f955fdb77200a7e9dafe2e4ce908dc7[1].jpg (1855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\56e3ee549cc309274f821aa836016dfa[1].png (266 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\game0331[1].png (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\50a68bff5fedff6fca26ad422ee28716[1].jpg (18869 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YwJDjomYOd[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bgOBPueBRw[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPHrjiqQTd[1].css (0 bytes)
Registry activity
The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values. Most are side effects of the libraries it loads rather than deliberate changes: the Internet Settings\Cache\Paths, Shell Folders, MUICache and Cryptography\RNG Seed entries are written by WinInet, the shell and the crypto provider on first use in a fresh profile, and the DirectDraw\MostRecentApplication "ID" (1414607580, a Unix timestamp for 2014-10-29 18:33:00 UTC) is the sample's PE link timestamp, matching "Created at" above:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1414607580"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 96 A6 59 72 8F E7 CE 2C 2F EB A3 0B 75 C1 7F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
The Trojan also writes the Internet Explorer zone-map values below. These are the values WinInet sets by default the first time it is initialised in a fresh user profile, so by themselves they do not show that the sample weakened zone security:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (include all network paths (UNCs) in the Intranet zone)
"ProxyBypass" = "1" (include all sites that bypass the proxy server in the Intranet zone)
"IntranetName" = "1" (include all local sites not listed in other zones, i.e. hosts with no dots in the name, in the Intranet zone)
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Together with "MigrateProxy" = "1", "SavedLegacySettings" and "ProxyEnable" = "0" above, this is consistent with WinInet migrating legacy proxy settings on first use in the sandbox profile. On a host that had a proxy server or PAC URL configured, the same deletions would silently remove that configuration and should be checked.
Dropped PE files
| MD5 | File path |
|---|---|
| 147127382e001f495d1842ee7a9e7912 | c:\SkinH_EL.dll |
SkinH_EL.dll is a build of the SkinH window-skinning library for Easy Language programs; the sample imports it by name and the strings of the module loaded at 0x10000000 (below) include \skinh.she. The file-activity entry above records only 88 bytes written to this path, which is too small for a loadable DLL, so the MD5 may cover a partial write rather than the complete library.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo (fields shown as ????? are non-ASCII, most likely GB2312, text that the analyzer did not decode)
Company Name:
Product Name: ?????
Product Version: 1.2.5.8
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.2.5.8
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .... | 4096 | 770048 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .... | 774144 | 1241088 | 1239040 | 5.42384 | afa0c8a498b60077c51487e585586087 |
| .rsrc | 2015232 | 73728 | 72192 | 4.17785 | e06f1f88257dbf67071fdaf2d3939863 |
The first section has no raw data at all (its MD5 is the MD5 of the empty string) but a 770048-byte virtual size: it is the region the UPX stub unpacks into (UPX0), while the second section holds the compressed image (UPX1). The blank section names fit the UPolyX entry in the PEID line, a UPX scrambler that strips the UPX0/UPX1 names. Note that the packed section's entropy is only 5.42, so an entropy threshold on its own would not have flagged this file as packed.
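As an added example, not part of the Lavasoft report: the section-table check behind a "Packed" verdict, written with the standard library only so it runs offline. It builds a synthetic PE whose three section headers copy the layout in the table above (virtual sizes 770048, 1241088 and 73728 from RVA 0x1000, first section with no raw data, blank names for the first two) and parses it back. The packed section's bytes are deterministic pseudo-random filler and the resource section is zeros, both constructed here; the entropy threshold is this example's assumption. It reproduces the report's RVAs (774144 and 2015232) and the empty-string MD5 for the raw-less section, and flags that section as the unpack target.

```python
import hashlib
import random
import struct
from math import log2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, as the report shows for the raw-less section."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk the PE section table and return one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "va": va, "vsize": vsize, "rawsize": raw_size,
            "entropy": shannon_entropy(raw),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections


def packer_indicators(sections: list, entropy_threshold: float = 6.5) -> list:
    """Packer heuristics; the threshold is an assumption of this example."""
    findings = []
    for s in sections:
        label = s["name"] or "<blank>"
        if s["rawsize"] == 0 and s["vsize"] >= 0x10000:
            findings.append(f"{label}: virtual-only section of {s['vsize']} bytes, unpack target")
        if s["rawsize"] and s["entropy"] > entropy_threshold:
            findings.append(f"{label}: entropy {s['entropy']:.2f}, compressed or encrypted data")
        if s["name"].upper().startswith("UPX"):
            findings.append(f"{label}: UPX section name")
    return findings


def build_synthetic_pe(spec: list) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header, a zeroed PE32
    optional header and one section header per (name, vsize, raw) tuple, with
    consecutive page-aligned RVAs from 0x1000 and raw data from file offset 0x200."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)
    headers_len = 64 + 4 + 20 + 0xE0 + 40 * len(spec)
    raw_base = (headers_len + 0x1FF) & ~0x1FF
    va, table, bodies = 0x1000, b"", b""
    for name, vsize, raw in spec:
        raw_ptr = raw_base + len(bodies) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                             len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += raw
        va += (vsize + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table
    return image.ljust(raw_base, b"\0") + bodies


def demo_sections() -> list:
    """Mirror the report's table: two blank-named UPX-style sections plus .rsrc."""
    rng = random.Random(0xC0FFEE)  # deterministic stand-in for compressed data
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    spec = [
        ("", 770048, b""),              # no raw data: the region UPX unpacks into
        ("", 1241088, packed),          # carries the compressed image
        (".rsrc", 73728, b"\0" * 512),  # resources; zero filler here
    ]
    return parse_sections(build_synthetic_pe(spec))


if __name__ == "__main__":
    for s in demo_sections():
        print(f"{s['name'] or '<blank>':8} va={s['va']:#x} vsize={s['vsize']} "
              f"raw={s['rawsize']} H={s['entropy']:.2f} md5={s['md5']}")
    print(packer_indicators(demo_sections()))
```

The zero-raw-size check is the one that matters for UPX: the real sample's packed section scores 5.42 in the table above, below any sensible entropy threshold, while its first section cannot be anything but an unpack target.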
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://im2.n.shifen.com/urghfettofbltzd/item/a6a5e12d8a0cfa5f2b0f1c0b | |
| hxxp://www.ttx123.cn/?u=woaihushan | |
| hxxp://im2.n.shifen.com/search/error.html | |
| hxxp://hi.baidu.com/urghfettofbltzd/item/a6a5e12d8a0cfa5f2b0f1c0b | |
| hxxp://im.baidu.com/search/error.html | |
| gss0.bdstatic.com | |
| gss2.bdstatic.com | |
| gss3.bdstatic.com | |
| gss1.bdstatic.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0 (the requests to hi.baidu.com and im.baidu.com carry the User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", which is hard-coded in the binary; NT 5.0 is Windows 2000 while the sandbox runs XP. The request to VVV.ttx123.cn, made through the embedded browser control, carries the host's real NT 5.1 User-Agent.)
Traffic
GET /search/error.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: im.baidu.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 22 May 2016 03:52:58 GMT
Server: Apache
Last-Modified: Mon, 07 Dec 2015 10:58:52 GMT
ETag: "3dc35cc-a92-5264cbe191036"
Accept-Ranges: bytes
Content-Length: 2706
Connection: Keep-Alive
Content-Type: text/html

(body: Baidu's generic gb2312-encoded error page linking back to hXXps://VVV.baidu.com; truncated in the report)
GET /urghfettofbltzd/item/a6a5e12d8a0cfa5f2b0f1c0b HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: hi.baidu.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Sun, 22 May 2016 03:52:57 GMT
Server: Apache
Location: hXXp://im.baidu.com/search/error.html
Content-Length: 221
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://im.baidu.com/search/error.html">here</a>.</p>
</body></html>
(the same 302 response was received twice, for the hi.baidu.com and im2.n.shifen.com requests)
GET /?u=woaihushan HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.ttx123.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Sun, 22 May 2016 03:52:57 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: ff_id=qJKEGY5ErlydjAsOmU; expires=Sat, 20-Aug-2016 03:52:57 GMT
Content-type: text/html

<title>hao123_..............</title>
<script language=javascript>
window.location="hXXps://VVV.hao123.com/?tn=39015028_203_hao_pg"//window.location="hXXp://VVV.taobeike.com/hao123/ffffffff.php"
</script>
This is the only page the sample actually lands on: the redirector at ttx123.cn sends the embedded browser to hao123.com with the partner tag tn=39015028_203_hao_pg (the tn parameter identifies who is credited for the visit); the taobeike.com alternative target is commented out with //.
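As an added example, not part of the Lavasoft report: replaying the two redirect chains above from a capture, and the User-Agent check that the ET POLICY alert keys on. The capture is constructed here from the report's Traffic section with the defanging reversed; the headers and redirect targets are the ones printed above, the bodies are shortened, and nothing is fetched live. The JS target parser distinguishes the live window.location from the commented-out one, which a naive regex would also report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed capture keyed by request URL (transcribed from the report, bodies shortened).
CAPTURE = {
    "http://hi.baidu.com/urghfettofbltzd/item/a6a5e12d8a0cfa5f2b0f1c0b": (
        b"HTTP/1.1 302 Found\r\nDate: Sun, 22 May 2016 03:52:57 GMT\r\nServer: Apache\r\n"
        b"Location: http://im.baidu.com/search/error.html\r\nContent-Length: 221\r\n"
        b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
        b"<html><head><title>302 Found</title></head></html>"
    ),
    "http://im.baidu.com/search/error.html": (
        b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
        b"<html><body>error page</body></html>"
    ),
    "http://www.ttx123.cn/?u=woaihushan": (
        b"HTTP/1.1 200 OK\r\nConnection: close\r\nServer: Microsoft-IIS/6.0\r\n"
        b"Set-Cookie: ff_id=qJKEGY5ErlydjAsOmU; expires=Sat, 20-Aug-2016 03:52:57 GMT\r\n"
        b"Content-type: text/html\r\n\r\n"
        b"<title>hao123</title>\n<script language=javascript>\n"
        b'window.location="https://www.hao123.com/?tn=39015028_203_hao_pg"'
        b'//window.location="http://www.taobeike.com/hao123/ffffffff.php"\n</script>\n'
    ),
}

JS_LOCATION = re.compile(r"""window\.location(?:\.href)?\s*=\s*["']([^"']+)["']""")
UA_NT_VERSION = re.compile(r"Windows NT (\d+\.\d+)")


def split_response(raw: bytes):
    """Return (status, lower-cased header dict, body text) for one HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1", "replace")


def js_targets(body: str):
    """All window.location assignments, each tagged live or commented out.
    A '//' earlier on the same line that is not part of a URL scheme marks a comment."""
    targets = []
    for m in JS_LOCATION.finditer(body):
        line_start = body.rfind("\n", 0, m.start()) + 1
        prefix = body[line_start:m.start()]
        commented = re.search(r"(?<!:)//", prefix) is not None
        targets.append((m.group(1), commented))
    return targets


def next_hop(raw: bytes):
    """Where this response sends the client next, or None for a landing page."""
    status, headers, body = split_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return headers["location"]
    live = [url for url, commented in js_targets(body) if not commented]
    return live[0] if live else None


def follow_chain(start: str, capture: dict, max_hops: int = 8):
    """Replay a redirect chain from the capture; stops at the first URL not captured."""
    chain, url = [start], start
    for _ in range(max_hops):
        raw = capture.get(url)
        if raw is None:
            break
        url = next_hop(raw)
        if url is None:
            break
        chain.append(url)
    return chain


def partner_tag(url: str):
    """hao123's tn= parameter names the partner credited for the visit."""
    return parse_qs(urlsplit(url).query).get("tn", [None])[0]


def fake_os_version(user_agent: str, host_nt: str = "5.1") -> bool:
    """True when the UA claims an NT version other than the host's (XP SP3 is 5.1)."""
    m = UA_NT_VERSION.search(user_agent)
    return bool(m) and m.group(1) != host_nt


if __name__ == "__main__":
    for start in CAPTURE:
        print(" -> ".join(follow_chain(start, CAPTURE)))
    landing = follow_chain("http://www.ttx123.cn/?u=woaihushan", CAPTURE)[-1]
    print("partner tag:", partner_tag(landing))
    print("fake NT version:", fake_os_version("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"))
```

The baidu chain ends at the error page, i.e. the blog entry the sample uses (presumably as remote configuration) was gone by the time of the run; the ttx123.cn chain ends at hao123.com with the partner tag, which is the indicator worth alerting on.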
The Trojan connects to the servers at the following location(s): the hosts listed in the URLs table above.
Strings extracted from the file:
`.rsrc
wininet.dll
kernel32.dll
user32.dll
advapi32.dll
SkinH_EL.dll
ole32.dll
OLEACC.DLL
gdi32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
GetProcessHeap
MsgWaitForMultipleObjects
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegDeleteKeyA
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}WebBrowser
hXXp://VVV.youku.com
hXXp://VVV.baidu.com
hXXp://hi.baidu.com/urghfettofbltzd/item/bba25789f72c9583ef083d7d
[email protected]
hXXp://
hXXps://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
0@hXXps://auth.alipay.com/login/index.htm
hXXp://VVV.taobao.com
portal/i.htm
fill.htm?_pdType=
hXXps://shenghuo.alipay.com/send/payment/fill.htm?_pdType=
hXXps://my.alipay.com/portal/i.htm
hXXps://personalweb.alipay.com/portal/i.htm
\test.txt
[email protected]
hXXp://VVV.ttx123.cn/?u=woaihushan
hXXp://hi.baidu.com/urghfettofbltzd/item/a6a5e12d8a0cfa5f2b0f1c0b
hXXp://user.qzone.qq.com/2063362484/blog/1407346463
b\SkinH_EL.dll
.rsrc
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
hXXps://auth.alipay.com/login/homeB.htm?redirectType=parent
hXXps://VVV.alipay.com/
hXXps://shenghuo.alipay.com/send/confirm.htm
/cashier.htm?orderId=
result.htm?outBizNo=
<DIV style="PADDING-BOTTOM: 10px; PADDING-LEFT: 5px; PADDING-RIGHT: 5px; PADDING-TOP: 10px"><A style="MARGIN-TOP: 10px; FONT-SIZE: 14px" href="hXXps://lab.alipay.com/consume/queryTradeDetail.htm?tradeNo=
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');text|password|file
comdlg32.dll
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
%System%\Macromed\Flash\Flash10q.ocx
%System%\Macromed\Flash\Flash10s.ocx
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
c:\%original file name%.exe
WinExec
GetCPInfo
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
ShellExecuteA
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
#include "l.chs\afxres.rc" // Standard components
ADVAPI32.dll
OLEAUT32.dll
oledlg.dll
RASAPI32.dll
SHELL32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
1, 0, 6, 6
(*.*)
1.2.5.8
(hXXp://VVV.eyuyan.com)
%original file name%.exe_464_rwx_00401000_001EA000 (strings from the RWX region at 0x00401000, 0x001EA000 bytes, in the sample's own process, i.e. the unpacked image): identical to the file strings listed above, including the Alipay URLs, the SMTP header formats and the hard-coded User-Agent.
%original file name%.exe_464_rwx_10001000_00039000 (strings from the module mapped at the default DLL base 0x10000000; the \skinh.she path, the Delphi-style class names and the UPX0/UPX1 section names are consistent with this being the dropped SkinH_EL.dll, itself UPX-packed):
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
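As an added example, not from the report: the string dumps above run through a small capability tagger, the kind of logic one would otherwise encode as a YARA rule. The input is a constructed subset of the report's strings, defanged exactly as printed; the tag names, patterns and hit thresholds are this example's own choices, not the analyzer's. It also refangs the hXXp/VVV notation so the URLs can go straight into a blocklist. The [email protected] entries in the dumps are e-mail addresses the page's scraper redacted, so no address pattern is included.

```python
import re

# Constructed input: a subset of the printable strings listed in the report above.
SAMPLE_STRINGS = [
    "wininet.dll", "SkinH_EL.dll", "HttpOpenRequestA", "HttpSendRequestA",
    "SetWindowsHookExA", "UnhookWindowsHookEx", "WinExec", "ShellExecuteA",
    "{A068799B-7551-46b9-8CA8-EEF8357AFEA4}WebBrowser",
    "hXXp://hi.baidu.com/urghfettofbltzd/item/a6a5e12d8a0cfa5f2b0f1c0b",
    "hXXp://user.qzone.qq.com/2063362484/blog/1407346463",
    "hXXp://VVV.ttx123.cn/?u=woaihushan",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "0@hXXps://auth.alipay.com/login/index.htm",
    "hXXps://shenghuo.alipay.com/send/payment/fill.htm?_pdType=",
    "/cashier.htm?orderId=", "result.htm?outBizNo=",
    "text|password|file", "WarnOnHTTPSToHTTPRedirect",
    "Reply-To: %s", "From: %s", "To: %s", "Subject: %s", "SMTP",
    "%a, %d %b %Y %H:%M:%S", "VVV.dywt.com.cn",
    "(hXXp://VVV.eyuyan.com)", "\\skinh.she",
    "Bogus message code %d", "(*.JPG)|*.JPG|BMP",
]

# tag -> (minimum number of distinct patterns that must match, patterns).
# Thresholds keep a single generic string (e.g. "SMTP") from firing a tag alone.
CAPABILITIES = {
    "easy-language-build": (1, [r"eyuyan\.com", r"^SkinH_EL\.dll$", r"\\skinh\.she"]),
    "embedded-browser-control": (1, [r"WebBrowser$"]),
    "direct-wininet-http": (2, [r"^Http(OpenRequest|SendRequest|QueryInfo)A$", r"^wininet\.dll$"]),
    "hardcoded-user-agent": (1, [r"^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.0\)$"]),
    "remote-config-from-blog": (1, [r"hi\.baidu\.com/", r"qzone\.qq\.com/"]),
    "affiliate-redirector": (1, [r"ttx123\.cn"]),
    "alipay-page-tampering": (3, [r"alipay\.com/", r"cashier\.htm\?orderId=", r"outBizNo=",
                                  r"^text\|password\|file$", r"WarnOnHTTPSToHTTPRedirect"]),
    "smtp-mailer": (3, [r"^(From|To|Subject|Reply-To|Cc|Date): %s$", r"^SMTP$",
                        r"%a, %d %b %Y %H:%M:%S"]),
    "windows-hook": (2, [r"^SetWindowsHookExA$", r"^UnhookWindowsHookEx$"]),
    "process-launch": (1, [r"^(WinExec|ShellExecuteA|CreateProcessA)$"]),
}

DEFANG = [(re.compile(r"\bhXXp(s?)://", re.I), r"http\1://"),
          (re.compile(r"\bVVV\."), "www.")]
URL = re.compile(r"https?://[^\s\"'<>)]+")


def refang(s: str) -> str:
    """Undo the report's hXXp:// and VVV. defanging so URLs parse normally."""
    for pattern, repl in DEFANG:
        s = pattern.sub(repl, s)
    return s


def tag_strings(strings):
    """Map capability tag -> sorted list of the strings that supported it."""
    tags = {}
    for tag, (min_hits, patterns) in CAPABILITIES.items():
        hits = {}  # pattern -> first string it matched
        for pat in patterns:
            rx = re.compile(pat)
            for s in strings:
                if rx.search(s):
                    hits.setdefault(pat, s)
        if len(hits) >= min_hits:
            tags[tag] = sorted(set(hits.values()))
    return tags


def extract_urls(strings):
    """Refanged URLs in first-seen order, plus the sorted set of their hosts."""
    urls = []
    for s in strings:
        urls.extend(URL.findall(refang(s)))
    hosts = sorted({re.split(r"[/:?]", u.split("://", 1)[1])[0] for u in urls})
    return urls, hosts


if __name__ == "__main__":
    for tag, evidence in tag_strings(SAMPLE_STRINGS).items():
        print(f"{tag}: {evidence}")
    print(extract_urls(SAMPLE_STRINGS)[1])
```

The Alipay and SMTP tags fire on static strings only; nothing in the Traffic section above shows them being used, which is exactly the gap between what the sandbox observed and what the binary can do.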
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): the sample creates no child processes, so only %original file name%.exe itself needs to be ended.
- Delete the original Trojan file.
- Delete or disinfect the files created/modified by the Trojan, listed under File activity above: C:\SkinH_EL.dll, and the Internet Explorer cache, cookie and history entries under %Documents and Settings%\%current user%\ (clearing the IE cache removes the latter).
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\5a2949a074f35ab8f397caba90a85f14[1].jpg (6093 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\6282[1].png (983 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\f9a51408e5d19bcb7fd096be922779b4[1].jpg (1961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\692a2605277b6de2b69801ab50ddc9a0[1].png (1303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\51619[1].png (1298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\chaonv2016[1].png (1455 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\closeskin[1].png (403 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ef3d0c7aa618686baf0f25ccbbbeb7ae[1].jpg (4219 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\yunnanzhilv0519[1].png (1434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\xinbanchuanqi160510[1].jpg (5194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YwJDjomYOd[2].js (9732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1f955fdb77200a7e9dafe2e4ce908dc7[1].jpg (1855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\56e3ee549cc309274f821aa836016dfa[1].png (266 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\game0331[1].png (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\50a68bff5fedff6fca26ad422ee28716[1].jpg (18869 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.