Trojan.Generic.15811394_20938f7441
Trojan.Generic.15811394 (B) (Emsisoft), Trojan.Generic.15811394 (AdAware), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 20938f7441a5a842593c1e7177378580
SHA1: cbb9d8e6bdd9844818699b0da9eaf334278bc6a7
SHA256: 41ac5996569efb820233cbe3cec77cc79a65a36d7fbd70bd37670636b39d6b72
SSDeep: 49152:esFlmAWAdQTfj6YaE7Eq0HdNhngC6zW0iHHi12sRe/OH3SueEV4lLm56:essAdQ7j6ayHXhnF6zW0qHiYge6SueOG
Size: 2690068 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Firseria
Created at: 2012-02-05 00:43:24
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:344
adb.exe:1876
adb.exe:1768
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\geno\adb.exe (1953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\geno.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (3601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (3313 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\Superuser.apk (8161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\AdbWinApi.dll (1345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autC.tmp (4177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\root.sh (563 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autA.tmp (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut7.tmp (278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB.tmp (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\fastboot.exe (9553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut8.tmp (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\flash_image (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut9.tmp (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\mempodroid (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\AdbWinUsbApi.dll (745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\7z.exe (5985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\su (980 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aut9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)
The process adb.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\adb.log (38 bytes)
Registry activity
The process %original file name%.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 4C 4A 44 ED CD 8D 16 E2 7F 6C 92 13 F3 F7 87"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process adb.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 A0 0F 34 73 FA BC 54 FC 52 66 C7 A0 3E 66 71"
The process adb.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A F6 B7 47 77 24 5C CA 77 66 10 98 6F E2 D2 73"
Dropped PE files
| MD5 | File path |
|---|---|
| 42badc1d2f03a8b1e4875740d3d49336 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\geno\7z.exe |
| 47a6ee3f186b2c2f5057028906bac0c6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\geno\AdbWinApi.dll |
| 5f23f2f936bdfac90bb0a4970ad365cf | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\geno\AdbWinUsbApi.dll |
| 7824d01cb076ea32d77f1c36ce648137 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\geno\adb.exe |
| 2bd9418e8873037f3cf938094620053a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\geno\fastboot.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright: ?? [email protected]
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.3.9.0
File Description: android????????
Comments: ???????
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 544627 | 544768 | 4.64992 | 724ec48c12da6bb4e41edee8787ecb92 |
| .rdata | 548864 | 105224 | 105472 | 4.11783 | 8fad974e6f4502d88cb7fc04ef60f9cb |
| .data | 655360 | 108504 | 26624 | 1.48647 | 9ae365febe633dd7b085f1477841566c |
| .rsrc | 765952 | 183848 | 184320 | 3.60319 | 8d8edcbed3b15c62a04cecd91e9af26d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3
7163c5ac7c472e823d7ceabbdedbb069
57b3e633886760a80e96510e8979dbbd
0bc03a557b2836b1c2e4cf7f42d59b0b
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
s%j.Zf
8crtsu
:crts
crts
?#%X.y
GetProcessWindowStation
operator
This is a compiled AutoIt script. AV researchers please email [email protected] for support.
uxtheme.dll
kernel32.dll
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \usupport for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
ICMP.DLL
advapi32.dll
RegDeleteKeyExW
Error text not found (please report)
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
USERENV.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
zcÁ
#.hH4h
P-h%us
,jcp.le&O
.ke&O
.ke5<xr
%d]WH
.le|T
ic*.leg5sl
.kelq
%c]3Z
.kf3a
.kenb
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
>>>AUTOIT NO CMDEXECUTE<<<
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
#NoAutoIt3Execute
APPSKEY
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
UDPSTARTUP
UDPSHUTDOWN
UDPSEND
UDPRECV
UDPOPEN
UDPCLOSESOCKET
UDPBIND
TRAYGETMSG
TCPSTARTUP
TCPSHUTDOWN
TCPSEND
TCPRECV
TCPNAMETOIP
TCPLISTEN
TCPCONNECT
TCPCLOSESOCKET
TCPACCEPT
SHELLEXECUTEWAIT
SHELLEXECUTE
REGENUMKEY
MSGBOX
ISKEYWORD
HTTPSETUSERAGENT
HTTPSETPROXY
HOTKEYSET
GUIREGISTERMSG
GUIGETMSG
GUICTRLSENDMSG
GUICTRLRECVMSG
FTPSETPROXY
\??\%s
GUI_RUNDEFMSG
SendKeyDelay
SendKeyDownDelay
TCPTimeout
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AutoIt.Error
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
HOTKEYPRESSED
AUTOITEXE
WINDOWSDIR
3, 3, 9, 0
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
c:\%original file name%.exe
:C:\%original file name%.exe
3.3.9.0
[email protected]
adb.exe_1768:
.text
P`.data
.rdata
`@.bss
.idata
:.tWj
libgcj_s.dll
%s::%s():
tcp:%d
unable to parse '%s' as <console port>,<adb port>
Invalid port numbers: Expected positive numbers, got '%s'
Emulator on port %d already registered.
Connected to emulator on ports %d,%d
Could not connect to emulator on ports %d,%d
bad host name %s
bad port number %s
%s:%d
already connected to %s
unable to connect to %s:%d
client: connected on remote on fd %d
connected to %s
CreatePipe() failure, error %ld
--- adb starting (pid %d) ---
unknown local portname '%s'
cannot bind '%s'
parse_banner: %s
error: %s:
handle_packet() %c%c%c%c
handle_packet: what is x?!
transport
transport-usb
transport-local
transport-any
transport:
OKAYx%s
%s:5555
No such device %s
error: could not connect to TCP port %d
system/core/adb/transport.c
%s: run_transport_disconnects
transport_write_action: on fd %d, error %d: %s
transport: %s unref (kicking and closing)
transport: %s removed
cannot write transport registration socket
transport: %s unref (count=%d)
transport: %s registered
%s: %s: [%s] arg0=%s arg1=%s (len=%d)
fd=%d
%s: write_packet (fd=%d) error ret=%d errno=%d: %s
%s: read_packet (fd=%d), error ret=%d errno=%d: %s
cannot open transport registration socketpair
transport_socket_events(fd=%d, events=x,...)
%s: failed to read packet from transport socket on fd %d
check_header(): %d > MAX_PAYLOAD
writex: fd=%d len=%d:
writex: fd=%d error %d: %s
writex: fd=%d disconnected
readx: fd=%d wanted=%d
readx: fd=%d error %d: %s
readx: fd=%d disconnected
readx: fd=%d wanted=%d got=%d
transport: %p init'ing for usb_handle %p (sn='%s')
transport: %s init'ing for socket %d, on port %d
%s: starting transport input thread, reading from fd %d
%s: failed to read apacket from transport on fd %d
%s: transport SYNC offline
%s: transport SYNC online
%s: transport ignoring SYNC %d != %d
%s: transport got packet, sending to remote
%s: transport ignoring packet while offline
%s: transport input thread is exiting, fd %d
%s: starting transport output thread on fd %d, SYNC online (%d)
%s: failed to write SYNC packet
%s: data pump started
%s: received remote packet, sending to transport
%s: failed to write apacket to transport
%s: remote read failed for transport
%s: SYNC offline for transport
%s: failed to write SYNC apacket to transport
%s: transport output thread is exiting
Transport is null
Transport is null
cannot enqueue packet on transport socket
transport_read_action: on fd %d, error %d: %s
cannot read transport registration socket
transport: %s removing and free'ing %d
cannot open transport socketpair
transport: %s (%d,%d) starting
register_usb_transport
register_transport
transport_write_action
transport_unref_locked
remove_transport
register_socket_transport
transport_registration_func
transport_read_action
transport_socket_events
run_transport_disconnects
system/core/adb/transport_local.c
transport: local %s init
cannot create local socket %s thread
transport: server_socket_thread() starting
server: trying to get new connection from %d
server: new connection on fd %d
transport: client_socket_thread() starting
local transport for port %d already registered (%p)?
cannot register more emulators. Maximum is %d
init_socket_transport
local_connect_arbitrary_ports
system/core/adb/transport_usb.c
transport: usb
init_usb_transport
host-serial:%s:%s
%s:%s
can't find '%s' to install
can't install '%s' because it's not a file
error: adb %s not implemented on Win32
Android Debug Bridge version %d.%d.%d
connect <host>[:<port>] - connect to a device via TCP/IP
Port 5555 is used by default if no port number is specified.
disconnect [<host>[:<port>]] - disconnect from a TCP/IP device.
will disconnect from all connected TCP/IP devices.
tcp:<port>
adb jdwp - list PIDs of processes hosting a JDWP transport
adb bugreport - return all information from the device
that should be included in a bug report.
to "backup.ab" in the current directory.
(-apk|-noapk enable/disable backup of the .apks themselves
the -all or -shared flags are passed, then the package
adb tcpip <port> - restarts the adbd daemon listening on TCP on the specified port
1 or all, adb, sockets, packets, rwx, usb, sync, sysdeps, transport, jdwp
read_and_dump(): pre adb_read(fd=%d)
read_and_dump(): post adb_read(fd=%d): len=%d
%s\%s
copy_to_file(%d -> %d)
copy_to_file() : error %d
error: %s
stdin_read_thread(): pre unix_read(fdi=%d,...)
stdin_read_thread(): post unix_read(fdi=%d,...)
%s\config\envsetup.make
ANDROID_ADB_SERVER_PORT
adb: Env var ANDROID_ADB_SERVER_PORT must be a positive number. Got "%s"
adb: Couldn't get CWD: %s
adb: bad ANDROID_BUILD_TOP value "%s"
adb: bad TOP value "%s"
%s\out\target\product\%s
adb: Couldn't find a product dir based on "-p %s"; "%s" doesn't exist
adb: could not resolve "-p %s"
host:%s
Usage: adb connect <host>[:<port>]
host:connect:%s
Usage: adb disconnect [<host>[:<port>]]
host:disconnect:%s
shell:%s
interactive shell loop. buff=%s
about to read_and_dump(fd=%d)
interactive shell loop. return r=%d
tcpip
bugreport
failure: %s *
host-serial:%s:forward:%s;%s
host-usb:forward:%s;%s
host-local:forward:%s;%s
host:forward:%s;%s
%c[2J%c[2H
State: %s
shell:export ANDROID_LOG_TAGS="%s" ; exec logcat
adb: -f passed with no filename
adb: unable to open file %s
backup. filename=%s buf=%s
/data/local/tmp/%s
/sdcard/tmp/%s
If you truly wish to continue, execute 'adb shell pm uninstall -k %s'
protocol fault (status x x x x?!)
_adb_connect: %s
host:transport:%s
Switch transport in progress
Switch transport failed
Switch transport success
_adb_connect: return fd %d
adb_connect: service %s
* daemon not running. starting it now on port %d *
adb_connect: return fd %d
adb_query: %s
switch_socket_transport
SS(%d): created %p
entered. LS(%d) fd=%d
LS(%d): closing peer. peer->id=%d peer->fd=%d
LS(%d): destroying fde.fd=%d
LS(%d): discarding %d bytes
LS(%d): closed
LS(%d): closing
LS(%d): put on socket_closing_list fd=%d
Connect_to_remote call RS(%d) fd=%d
LS(%d): connect('%s')LS(%d): created (fd=%d)
FAILx
SS(%d): closed
SS(%d): ready
SS(%d): enqueue %d
SS(%d): overflow
SS(%d): bad size (%d)
SS(%d): len is %d
SS(%d): waiting for %d more bytes
SS(%d): '%s'
SS(%d): handled host service '%s'
SS(%d): okay transport
LS(%d) bound to '%s'
SS(%d): couldn't create host service '%s'
SS(%d): okay
RS(%d): created
remote_socket_disconnect RS(%d)
entered remote_socket_close RS(%d) CLOSE fd=%d peer->fd=%d
RS(%d) peer->close()ing peer->id=%d peer->fd=%d
RS(%d): closed
entered remote_socket_ready RS(%d) OKAY fd=%d peer.fd=%d
entered remote_socket_enqueue RS(%d) WRITE fd=%d peer.fd=%d
LS(%d): bound to '%s' via %d
LS(%d): event_func(fd=%d(==%d), ev=x)
closing after write because r=%d and errno is %d
LS(%d): post adb_read(fd=%d,...) r=%d (errno=%d) avail=%d
LS(%d): fd=%d post avail loop. r=%d is_eof=%d forced_eof=%d
LS(%d): fd=%d post peer->enqueue(). r=%d
closing because is_eof=%d r=%d s->fde.force_eof=%d
LS(%d): FDE_ERROR (fd=%d)
LS(%d): enqueue %d
LS(%d): not ready, errno=%d: %s
service thread started, %d:%d
wait_for_state %d
cannot open '%s': %s
error seeking in file '%s'
could not allocate buffer for '%s'
error reading from file: '%s'
file '%s' is not a valid zip file
AndroidManifest.xml
file '%s' does not contain AndroidManifest.xml
cannot read '%s': %s
failed to copy '%s' to '%s': %s
%s%s/
skipping special file '%s'
cannot stat '%s': %s
%spush: %s -> %s
%d file%s pushed. %d file%s skipped.
syncing %s...
%s/%s
x x x %s
cannot create '%s': %s
cannot write '%s': %s
remote object '%s' does not exist
pull: %s -> %s
%d file%s pulled. %d file%s skipped.
remote object '%s' not a file or directory
system/core/adb/usb_windows.c
adding a new device %s
register_new_device failed for %s
usb_read %d
usb_write got: %ld, expected: %d, errno: %d
usb_read failed: %d
usb_write %d
usb_write got: %ld, expected: %d
usb_write failed: %d
adb_usb.ini
.android
%s\%s\%s
Invalid content in %s. Quitting.
adb_win32: waiting for %d events
handle count %d exceeds MAXIMUM_WAIT_OBJECTS.
Unable to allocate thread array for %d handles.
Unable to create main event. Error: %d
Unable to create a waiting thread %d of %d. errno=%d
adb_win32: got one (index %d)
adb_win32: signaling %s for %x
_fh_from_int: invalid fd %d
event_looper_unhook: events %x not registered for fd %d
adb_close: %s
fd out of range (%d)
event_looper_hook: invalid fd=%d
event_looper_hook: call hook for %d (new=%x, old=%x)
event_looper_hook: ignoring events %x for %d wanted=%x)
fdevent_update: remove %x from %d
fdevent_update: add %x to %d
bogus negative fd (%d)
bogus huuuuge fd (%d)
could not expand fd_table to %d entries
bip_buffer_read: error %d->%d WaitForSingleObject returned %d, error %ld
assertion failed '%s' on %s:%ld
bip_buffer_write: error %d->%d WaitForSingleObject returned %d, error %ld
_socket_set_errno: unhandled value %d
_event_socket_start: no event for %s
_event_socket_start: hooking %s for %x (flags %ld)
_event_socket_start: WSAEventSelect() for %s failed, error %d
load_file: could not read %ld bytes from '%s'
_event_socketpair_start: hook %s for %x wanted=%x
_event_socket_check %s returns %d
adb_socketpair: not enough memory to allocate pipes
%d(pair:%d)
adb_socketpair: returns (%d, %d)
adb_socket_accept: invalid fd %d
adb_socket_accept: accept on fd %d return error %ld
%d(accept:%s)
adb_socket_accept on fd %d returns fd %d
%d(any-server:%s%d)
socket_inaddr_server: port %d type %s => fd %d
%d(net-client:%s%d)
socket_network_client: host '%s' port %d type %s => fd %d
%d(lo-server:%s%d)
socket_loopback_server: port %d type %s => fd %d
socket_loopback_client: could not connect to %s:%d
%d(lo-client:%s%d)
socket_loopback_client: port %d type %s => fd %d
adb_shutdown: %s
adb_creat: could not open '%s':
%d(%s)
adb_creat: '%s' => fd %d
adb_open: invalid options (0x%0x)
adb_open: could not open '%s':
adb_open: '%s' => fd %d
adb_file_write: could not write %d bytes from %s
adb_read: could not read %d bytes from %s
entryCount=%d
1.2.5
zerr=%d Z_STREAM_END=%d total_out=%lu
Length is %d -- too small
Zip EOCD: expected >= %d bytes, found %d
EOCD(%d) comment(%d) exceeds len (%d)
Archive spanning not supported
inflate 1.2.5 Copyright 1995-2010 Mark Adler
CreatePipe
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
WS2_32.DLL
AdbWinApi.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:344
adb.exe:1876
adb.exe:1768
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\geno\adb.exe (1953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\geno.jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (3601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (3313 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (1345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\Superuser.apk (8161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\AdbWinApi.dll (1345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autC.tmp (4177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\root.sh (563 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autA.tmp (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut7.tmp (278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB.tmp (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\fastboot.exe (9553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut8.tmp (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\flash_image (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut9.tmp (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\mempodroid (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\AdbWinUsbApi.dll (745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\7z.exe (5985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geno\su (980 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\adb.log (38 bytes)
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.