Trojan.Generic.909324_130279a225

by malwarelabrobot on November 20th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Generic.909324 (B) (Emsisoft), Trojan.Generic.909324 (AdAware), Backdoor.Win32.PcClient.FD, Trojan.Win32.BHO.FD, GenericInjector.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 130279a225bf50988513867465af07d6
SHA1: 987782dbeb610a0b8542a518d6cb99e981403d8a
SHA256: 77ba58684ea6a9e336f5c44ae8c0a280fed635d7f50f17193b518d59b49b082c
SSDeep: 24576:Kta1 qTG4a1aSfB j1qiEdeWgAbOdve E:KQ1y1FfBVBlkeWg42m E
Size: 832596 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2006-01-26 11:43:41
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

explor.exe:600
net.exe:824
net1.exe:372
small686.exe:784
sc.exe:1252
sc.exe:1080
regsvr32.exe:1072
ping.exe:632
ping.exe:292
setup.exe:1696
selvice.exe:508
%original file name%.exe:468
mpsvc.exe:1508
mpsvc.exe:1064
updateqq.exe:1988
rundll32.exe:1552
rundll32.exe:1504
svehost.exe:164
syseter.exe:140
lqbzse.exe:1992

The Trojan injects its code into the following process(es):

rundll32.exe:588
Explorer.EXE:1140

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process explor.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Internet Explorer\IETimbar\Uninstall.exe (206 bytes)
%Program Files%\Internet Explorer\IETimbar\httpf.dat (107 bytes)
%Program Files%\Internet Explorer\IETimbar\cfg.dat (80 bytes)
%Program Files%\Internet Explorer\IETimbar\IETimbar.dll (3196 bytes)
%Program Files%\Internet Explorer\IETimbar\vercfg.dat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)

The process small686.exe:784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dllcache\fly2997.dll (66 bytes)
%System%\fly2997.dll (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\afc9fe2f418b00a0.bat (2 bytes)

The process setup.exe:1696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\mssrcid.ini (16 bytes)

The process selvice.exe:508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ufixnk.bat (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\updateqq.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ColorPix.exe (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\svehost.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (33145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\small686.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\selvice.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\syseter.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\explor.exe (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lqbzse.exe (3312 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)

The process mpsvc.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\mssrcid.ini (22 bytes)

The process updateqq.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\sysmain.dat (1837 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\sysvc.dat (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\setup.exe (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\nvsys.ini (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Messenger\mqtrig.dll (4274 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsa3.tmp (0 bytes)

The process rundll32.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\Web.ini (59185 bytes)

The process syseter.exe:140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\messenger\messenger.exe (2851 bytes)

The process lqbzse.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dllcache\ipfltdrv.sys.sys (32 bytes)
%System%\esentprf.ini (120 bytes)
%WinDir%\repair\tgy7324 (6626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (41 bytes)
%System%\drivers\nsypfo.log (41 bytes)
%System%\drivers\ipfltdrv.sys.txt (41 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (0 bytes)
%System%\drivers\ipfltdrv.sys (0 bytes)

Registry activity

The process explor.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 88 1E 61 27 99 0D 76 F2 BC A4 86 41 B8 C2 C4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\IETimbar]
"SoftVer" = "3.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\IETimbar]
"tm" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\IETimbar]
"AgentID" = "-50331499"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
"BrowseNewProcess" = "yes"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
"BrowseNewProcess" = "yes"

[HKLM\SOFTWARE\IETimbar]
"DataVer" = "3.0.0.0"
"Install_Dir" = "%Program Files%\Internet Explorer\IETimbar"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"${UserAgent}"

The process net.exe:824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 FD 1C 71 E5 60 F1 CE FE 1B AF DC 6E 51 A9 41"

The process net1.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 0A 95 2F 64 A0 85 54 1D 7C CB 56 51 FA DA BE"

The process small686.exe:784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Softfy\PlugDown]
"PlugOne" = "1.0.0"

[HKLM\SOFTWARE\Softfy\Plug]
"PlugUpdate" = "1.6.7"

[HKLM\SOFTWARE\Softfy\WebIni]
"WebIniSection" = "5"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"Path" = "D:\FlySoft;C:\Perl\site\bin;C:\Perl\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\Wireshark"

[HKLM\SOFTWARE\Softfy\Plug]
"PlugUserName" = "fullman"
"PlugSoftName" = "C2"
"PlugSoftVer" = "1.0.1"
"PlugStat" = "0"

[HKLM\SOFTWARE\Softfy\PlugName]
"LogonMainName" = "fly2997.dll"

[HKLM\SOFTWARE\Softfy\Plug]
"CoreDll" = "0"
"PlugSendNum" = "0"

[HKLM\SOFTWARE\Softfy\WebIni]
"HitProbaby" = "0"

[HKLM\SOFTWARE\Softfy\PlugName]
"LogonName" = "fly2997.dll"

[HKLM\SOFTWARE\Softfy\PlugDown]
"PlugTwo" = "1.0.0"

[HKLM\SOFTWARE\Softfy\LockPage]
"NeedLockPage" = "0"

[HKLM\SOFTWARE\Softfy\WebIni]
"WebIniVer" = "1.0.0"

[HKLM\SOFTWARE\Softfy\LockPage]
"LockPageNum" = "0"

The Trojan adds a reference to itself so that it is executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,D:\FlySoft\micsoft.exe"

The process sc.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD D6 FA 8D 12 94 6F E8 9D F1 50 B9 36 CB 8B 41"

The process sc.exe:1080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB F8 C7 85 00 46 DD 04 E2 96 7F 14 97 7F 36 39"

The process regsvr32.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{5E7F36B2-E909-4C3F-8A47-A3F70D840720}\TypeLib]
"(Default)" = "{FF5795DC-245C-42C3-A882-7C0AAB708619}"

[HKCR\IETimbar.CRNP.1\CLSID]
"(Default)" = "{1163E531-B58E-4BB9-B877-0906A0A22AEC}"

[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}\InprocServer32]
"(Default)" = "%Program Files%\Internet Explorer\IETimbar\IETimbar.dll"

[HKCR\IETimbar.CRNP\CurVer]
"(Default)" = "IETimbar.CRNP.1"

[HKCR\TypeLib\{FF5795DC-245C-42C3-A882-7C0AAB708619}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{FF5795DC-245C-42C3-A882-7C0AAB708619}\1.0]
"(Default)" = "IETimbar 1.0 Type Library"

[HKCR\Interface\{5E7F36B2-E909-4C3F-8A47-A3F70D840720}]
"(Default)" = "IIEBho"

[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}]
"(Default)" = "IETimbar"

[HKCR\Interface\{5E7F36B2-E909-4C3F-8A47-A3F70D840720}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}\TypeLib]
"(Default)" = "{FF5795DC-245C-42C3-A882-7C0AAB708619}"

[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}\ProgID]
"(Default)" = "IETimbar.CRNP.1"

[HKCR\CLSID\{1163E531-B58E-4BB9-B877-0906A0A22AEC}\VersionIndependentProgID]
"(Default)" = "IETimbar.CRNP"

[HKCR\IETimbar.CRNP.1]
"(Default)" = "IETimbar"

[HKCR\TypeLib\{FF5795DC-245C-42C3-A882-7C0AAB708619}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Internet Explorer\IETimbar\"

[HKCR\IETimbar.CRNP]
"(Default)" = "IETimbar"

[HKCR\IETimbar.CRNP\CLSID]
"(Default)" = "{1163E531-B58E-4BB9-B877-0906A0A22AEC}"

[HKCR\Interface\{5E7F36B2-E909-4C3F-8A47-A3F70D840720}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{FF5795DC-245C-42C3-A882-7C0AAB708619}\1.0\0\win32]
"(Default)" = "%Program Files%\Internet Explorer\IETimbar\IETimbar.dll"

[HKCR\Interface\{5E7F36B2-E909-4C3F-8A47-A3F70D840720}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1163E531-B58E-4BB9-B877-0906A0A22AEC}]
"NoExplorer" = "1"

The process ping.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 72 B1 9B 5D 97 D3 20 B0 DA AC C4 A6 31 58 D6"

The process ping.exe:292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 84 D8 A1 BC FA 0F FE 9C 76 20 7E 6B 7F E6 35"

The process setup.exe:1696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 70 43 50 A4 B2 A9 3E 51 8E C1 B5 DD 41 ED 2A"

The process selvice.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 22 ED A8 E0 A8 6C 9A A9 57 7B 82 05 4C E7 B6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots in their names, which do not belong to any other zone, to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 05 4D 5F C5 D0 31 80 1C 57 B4 78 AE 00 86 D7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"explor.exe" = "explor"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"selvice.exe" = "selvice"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"small686.exe" = "Micronas Software"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"syseter.exe" = "Windows Messenger"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"updateqq.exe" = "updateqq"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"lqbzse.exe" = "lqbzse"
"svehost.exe" = "svehost"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots in their names, which do not belong to any other zone, to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process mpsvc.exe:1508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 77 E7 56 D8 14 06 FE 8B 7D 2A 60 F4 AB 0D 62"

[HKCR\AppID\{5733B228-03E6-4fdd-8686-B51B0E4D473F}]
"LocalService" = "usnsvc"

[HKCR\TypeLib\{5733B228-03E6-4FDD-8686-B51B0E4D473F}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKCR\AppID\{5733B228-03E6-4fdd-8686-B51B0E4D473F}]
"(Default)" = "DSPLALER"
"ServiceParameters" = "-Service"

[HKCR\TypeLib\{5733B228-03E6-4FDD-8686-B51B0E4D473F}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\AppID\usnsvc.EXE]
"AppID" = "{5733B228-03E6-4fdd-8686-B51B0E4D473F}"

[HKCR\TypeLib\{5733B228-03E6-4FDD-8686-B51B0E4D473F}\1.0\0\win32]
"(Default)" = "%System%\mpsvc.exe"

[HKCR\TypeLib\{5733B228-03E6-4FDD-8686-B51B0E4D473F}\1.0]
"(Default)" = "usnsvc 1.0 Type Library"

The Trojan deletes the following value(s) in system registry:

[HKCR\AppID\{5733B228-03E6-4fdd-8686-B51B0E4D473F}]
"LocalService"

The process mpsvc.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 24 9E 71 A2 64 AC 8E CC A3 B4 B9 E7 FA 57 11"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots in their names, which do not belong to any other zone, to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process updateqq.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 10 86 F9 B9 F8 3D CC 19 FA 57 8B 75 1E 7F 0D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process rundll32.exe:1552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 9D DE 4B F4 CF E4 E2 1B 34 99 95 8E 98 F6 16"

The process rundll32.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 1F C0 D2 E5 1A 34 5C 60 04 B5 9C DB 1E 08 C0"

The process rundll32.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Softfy\Plug]
"PlugSendNum" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 69 F3 18 76 60 04 50 3A 73 6C D4 99 79 D8 42"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots in their names, which do not belong to any other zone, to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process svehost.exe:164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 0C 75 29 DF 90 AF A6 ED 5E 04 CF 91 61 16 F3"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots in their names, which do not belong to any other zone, to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process syseter.exe:140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA C2 84 5F CD 0A 9B 03 F4 E1 49 7B D3 63 1E AA"

To run automatically each time Windows is booted, the Trojan adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JSsetup" = "c:\windows\system\jssetup\JSsetup.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger" = "c:\windows\messenger\messenger.exe"

The process lqbzse.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F C7 D8 5A C6 CF 6E D0 5A CE 58 C4 C6 A3 68 09"

Dropped PE files

MD5 File path
a9b2b7f281c9970360fbe11b59f81feb c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ColorPix.exe
46646cc7504aee8d3feb32d6df1a437b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Messenger\mqtrig.dll
b5896c52362e5f88817c2e70464e6a41 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Messenger\setup.exe
5201080e5629ba964b41c1f747e3e08c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\explor.exe
1dde84ecf031155375cf40b14cf5cb99 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\svehost.exe
83ffb171e457b28074b6d235d228670a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\syseter.exe
0b53e16b6c41b758f5152cd6e7342d16 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\updateqq.exe
a62da78ecdf01bef5d3898788fdcd314 c:\Program Files\Internet Explorer\IETimbar\IETimbar.dll
8dd7eda5261e98795212bbfd70259d2d c:\Program Files\Internet Explorer\IETimbar\Uninstall.exe
83ffb171e457b28074b6d235d228670a c:\WINDOWS\messenger\messenger.exe
31e55b358a0ebdd07474451f7e8b3407 c:\WINDOWS\system32\dllcache\fly2997.dll
731f22ba402ee4b62748adaf6363c182 c:\WINDOWS\system32\dllcache\ipfltdrv.sys.sys
f36be33977a145e94bcb8e6faebb3104 c:\WINDOWS\system32\drivers\nsypfo.sys
31e55b358a0ebdd07474451f7e8b3407 c:\WINDOWS\system32\fly2997.dll
0a412ad8da58d93f0d0948825df1a32c c:\WINDOWS\system32\mpsvc.exe
1d9f85b2b8c7fc2f002cb8cd8d53b4c3 c:\WINDOWS\system32\nkhex.dll
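Two things in this table matter for cleanup. The same hash turns up under different names and locations: 83ffb171e457b28074b6d235d228670a is both Temp\syseter.exe and WINDOWS\messenger\messenger.exe, and 31e55b358a0ebdd07474451f7e8b3407 sits in system32 and again in system32\dllcache, the Windows File Protection cache, so deleting only one copy leaves the other behind. Matching on content rather than path finds every copy, including ones the report never saw. The sweep below is an added example written for this page, not Lavasoft tooling; DROPPED carries a subset of the table's rows, and write_sample_tree() lays out a constructed directory with invented file contents so the code runs offline.

```python
# Added example (editor's code, not Lavasoft tooling): sweep an offline copy of
# a system (mounted image, exported %SystemRoot%) for the dropped files by MD5
# and group hits by hash, so one binary planted under several names is one
# finding.  DROPPED is transcribed from the table; write_sample_tree() builds
# a constructed stand-in tree whose contents are invented.
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple

Ioc = Tuple[str, str]  # (md5, path as reported)

DROPPED: List[Ioc] = [  # subset of the table above; extend with the remaining rows
    ("83ffb171e457b28074b6d235d228670a", r"c:\Documents and Settings\%CurrentUserName%\Local Settings\Temp\syseter.exe"),
    ("83ffb171e457b28074b6d235d228670a", r"c:\WINDOWS\messenger\messenger.exe"),
    ("31e55b358a0ebdd07474451f7e8b3407", r"c:\WINDOWS\system32\dllcache\fly2997.dll"),
    ("31e55b358a0ebdd07474451f7e8b3407", r"c:\WINDOWS\system32\fly2997.dll"),
    ("0a412ad8da58d93f0d0948825df1a32c", r"c:\WINDOWS\system32\mpsvc.exe"),
    ("f36be33977a145e94bcb8e6faebb3104", r"c:\WINDOWS\system32\drivers\nsypfo.sys"),
]


def md5_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def names_by_hash(iocs: List[Ioc]) -> Dict[str, set]:
    """md5 -> lower-cased file names the report saw that content under."""
    names: Dict[str, set] = defaultdict(set)
    for md5, path in iocs:
        names[md5].add(path.rsplit("\\", 1)[-1].lower())
    return names


def sweep(root: str, iocs: List[Ioc]) -> Dict[str, List[str]]:
    """{md5: [paths found]} for every file under root whose content hash is an IOC.
    Matching on content rather than path also catches renamed or relocated copies."""
    wanted = names_by_hash(iocs)
    hits: Dict[str, List[str]] = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                h = md5_file(p)
            except OSError:
                continue  # unreadable file; a production sweep would log it
            if h in wanted:
                hits[h].append(p)
    return dict(hits)


def renamed_copies(hits: Dict[str, List[str]], iocs: List[Ioc]) -> List[str]:
    """Hits whose file name the report never used for that hash: the same
    dropper under a name the IOC table does not list."""
    wanted = names_by_hash(iocs)
    return [p for h, paths in hits.items() for p in paths
            if os.path.basename(p).lower() not in wanted[h]]


def write_sample_tree(root: str) -> List[Ioc]:
    """Constructed stand-in for an offline system copy; returns the IOC list
    that matches it, in the table's (md5, path) shape.  Contents are invented."""
    dropper = b"MZ constructed dropper body, not real malware\n"
    dll = b"MZ constructed dll body\n"
    files = {
        r"WINDOWS\messenger\messenger.exe": dropper,
        r"WINDOWS\system32\fly2997.dll": dll,
        r"WINDOWS\system32\dllcache\fly2997.dll": dll,  # file-protection cache copy
        r"WINDOWS\Temp\updater.exe": dropper,           # renamed copy, not in the table
        r"WINDOWS\system32\notepad.exe": b"MZ benign\n",
    }
    for rel, data in files.items():
        p = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return [(hashlib.md5(dropper).hexdigest(), r"c:\WINDOWS\messenger\messenger.exe"),
            (hashlib.md5(dll).hexdigest(), r"c:\WINDOWS\system32\fly2997.dll"),
            (hashlib.md5(dll).hexdigest(), r"c:\WINDOWS\system32\dllcache\fly2997.dll")]


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Run the sweep against the constructed tree in a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    iocs = write_sample_tree(root)
    hits = sweep(root, iocs)
    return hits, renamed_copies(hits, iocs)


if __name__ == "__main__":
    found, extra = demo()
    for h, paths in found.items():
        print(h, paths)
    print("copies under names not in the table:", extra)
```

Against a real image, call sweep() with the mount point and the full DROPPED list; the renamed_copies() output is the part worth reading first, since those are files the report's path list would have missed.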

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 26044 26112 4.4578 7ad88049be53eeb66e1b9b03250958f4
.rdata 32768 4534 4608 3.64412 db27e0a5d47aa7859fc2e5fd4bd7e85f
.data 40960 297972 3072 3.54319 4dda1eff088551454feb2c2e0a87d9b1
.ndata 339968 270336 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 610304 4096 2048 2.14695 e37cf438f05cea102159ea993a534fc1
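A section table like the one above can be rebuilt from any PE with standard-library Python, which is also the quickest way to confirm what the table already hints at: .ndata (the section name NSIS-built installers use for their uninitialised data) has a raw size of 0, so its section MD5 d41d8cd98f00b204e9800998ecf8427e is simply the MD5 of empty input, and .data maps 297972 bytes of virtual space onto 3072 bytes of file, the usual room a packed stub unpacks into. The parser below is an added example written for this page, not Lavasoft's tooling; the PE it builds in build_sample_pe() is a constructed stand-in whose bytes are invented, and only its section layout mirrors the report.

```python
# Added example (editor's code, not Lavasoft tooling).  build_sample_pe() is a
# constructed PE32 image with invented bytes; only its section layout mirrors
# the table above (a .ndata section with no raw data, a .data section whose
# virtual size dwarfs its raw size).
import hashlib
import math
import struct
from typing import Dict, List, NamedTuple


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    md5: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, as the table shows for .ndata."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[Section]:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize,
                                rawsize, round(shannon_entropy(raw), 5), hashlib.md5(raw).hexdigest()))
    return sections


def suspicious(sections: List[Section], packed_entropy: float = 7.0) -> Dict[str, List[str]]:
    """Triage flags: nothing on disk (filled at run time), virtual size far beyond
    raw size (room for a packer stub to unpack into), or packer-level entropy."""
    flags: Dict[str, List[str]] = {}
    for s in sections:
        reasons = []
        if s.raw_size == 0:
            reasons.append("no raw data")
        elif s.virtual_size > 4 * s.raw_size:
            reasons.append("virtual size >4x raw size")
        if s.entropy >= packed_entropy:
            reasons.append("high entropy")
        if reasons:
            flags[s.name] = reasons
    return flags


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 image; not a real binary."""
    file_align, opt_size = 0x200, 224
    layout = [  # (name, virtual address, virtual size, raw bytes before file alignment)
        (b".text", 0x1000, 300, b"\x55\x8b\xec" * 100),
        (b".data", 0x8000, 0x48000, b"A" * 64),
        (b".ndata", 0x50000, 0x42000, b""),
    ]
    raw_ptr = -(-(0x40 + 4 + 20 + opt_size + 40 * len(layout)) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    table, body = bytearray(), bytearray()
    for name, vaddr, vsize, raw in layout:
        rawsize = -(-len(raw) // file_align) * file_align
        ptr = raw_ptr + len(body) if rawsize else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rawsize, ptr,
                             0, 0, 0, 0, 0x60000020)
        body += raw.ljust(rawsize, b"\0")
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return headers.ljust(raw_ptr, b"\0") + bytes(body)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    print("Name Virtual Address Virtual Size Raw Size Entropy Section MD5")
    for s in secs:
        print(s.name, s.virtual_address, s.virtual_size, s.raw_size, s.entropy, s.md5)
    print(suspicious(secs))
```

Pass the bytes of a real sample to parse_sections() to reproduce the table; the entropy column is computed over the file-aligned raw bytes, which is why a section with raw size 0 reports 0 and an empty-input MD5.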

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 3
6e30abc8876286898498ebd0a4637a2a
944c3a22503446e46ab36c912c65a309
63fef6d7da85d2cecd32e7b7c46e09c4

URLs

URL IP
hxxp://www.xz-2-vc.net.cn/news/image.jpg 65.19.157.201
hxxp://www.xz-2-vc.net.cn/nba/image.jpg 65.19.157.201
hxxp://www.xz-2-vc.net.cn/files/image.jpg 65.19.157.201
hxxp://www.xz-2-vc.net.cn/sports/image.jpg 65.19.157.201
hxxp://65.19.157.201/sports/image.jpg
hxxp://65.19.157.201/nba/image.jpg


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /nba/image.jpg HTTP/1.1
Host: 65.19.157.201


HTTP/1.1 502 Bad Gateway
Server: Tengine/1.4.2
Date: Wed, 19 Nov 2014 11:05:29 GMT
Content-Type: text/html
Content-Length: 614
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<h1>502 Bad Gateway</h1>
<p>The proxy server received an invalid response from an upstream server. Sorry for the inconvenience.<br/>
Please report this message and include the following information to us.<br/>
Thank you very much!</p>
<table>
<tr><td>URL:</td><td>hXXp://65.19.157.201/nba/image.jpg</td></tr>
<tr><td>Server:</td><td>he11</td></tr>
<tr><td>Date:</td><td>2014/11/19 03:05:29</td></tr>
</table>
<hr/>Powered by Tengine/1.4.2
</body>
</html>

GET /sports/image.jpg HTTP/1.1
Host: 65.19.157.201


HTTP/1.1 502 Bad Gateway
Server: Tengine/1.4.2
Date: Wed, 19 Nov 2014 11:05:38 GMT
Content-Type: text/html
Content-Length: 617
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<h1>502 Bad Gateway</h1>
<p>The proxy server received an invalid response from an upstream server. Sorry for the inconvenience.<br/>
Please report this message and include the following information to us.<br/>
Thank you very much!</p>
<table>
<tr><td>URL:</td><td>hXXp://65.19.157.201/sports/image.jpg</td></tr>
<tr><td>Server:</td><td>he11</td></tr>
<tr><td>Date:</td><td>2014/11/19 03:05:38</td></tr>
</table>
<hr/>Powered by Tengine/1.4.2
</body>
</html>


GET /news/image.jpg HTTP/1.1
Host: VVV.xz-2-vc.net.cn
Cache-Control: no-cache


HTTP/1.1 502 Bad Gateway
Server: Tengine/1.4.2
Date: Wed, 19 Nov 2014 11:05:29 GMT
Content-Type: text/html
Content-Length: 620
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<h1>502 Bad Gateway</h1>
<p>The proxy server received an invalid response from an upstream server. Sorry for the inconvenience.<br/>
Please report this message and include the following information to us.<br/>
Thank you very much!</p>
<table>
<tr><td>URL:</td><td>hXXp://VVV.xz-2-vc.net.cn/news/image.jpg</td></tr>
<tr><td>Server:</td><td>he11</td></tr>
<tr><td>Date:</td><td>2014/11/19 03:05:29</td></tr>
</table>
<hr/>Powered by Tengine/1.4.2
</body>
</html>

GET /files/image.jpg HTTP/1.1
Host: VVV.xz-2-vc.net.cn
Cache-Control: no-cache


HTTP/1.1 502 Bad Gateway
Server: Tengine/1.4.2
Date: Wed, 19 Nov 2014 11:05:36 GMT
Content-Type: text/html
Content-Length: 621
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>502 Bad Gateway</title></head>
<body bgcolor="white">
<h1>502 Bad Gateway</h1>
<p>The proxy server received an invalid response from an upstream server. Sorry for the inconvenience.<br/>
Please report this message and include the following information to us.<br/>
Thank you very much!</p>
<table>
<tr><td>URL:</td><td>hXXp://VVV.xz-2-vc.net.cn/files/image.jpg</td></tr>
<tr><td>Server:</td><td>he11</td></tr>
<tr><td>Date:</td><td>2014/11/19 03:05:36</td></tr>
</table>
<hr/>Powered by Tengine/1.4.2
</body>
</html>

All four requests for image.jpg were answered with 502 Bad Gateway by the Tengine front end (upstream "he11" not responding), so no second-stage content was retrieved during this run; the dropped files and registry changes above come from the original dropper alone.

The Trojan connects to the servers at the following location(s):

syseter.exe_140:

.text
`.rdata
@.data
.rsrc
t.Ht4
f9=N%D
$f95L%D
%s%s/test1/%s
hXXp://VVV.sun
facepizza.cn
pizza.cn
GET hXXp://%s%s HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
HOST:%s
HOST:%s:%d
X-X-X-X-X-X
rpcrt4.dll
d/d/d d:d:d
%Program Files%\Windows NT\fsdd.log
%WinDir%\inf\pp3.inf
%System%\setup\licxnoc.dll
%WinDir%\Help\nvwcprz.hlp
%System%\1033\test.log
%System%\drivers\etc\service3.ini
c:\windows\fdsdf\FlashsAssistant21.dll
c:\windows\system\jssetup\JSsetup.log
c:\windows\system\jssetup\JSsetup.temp
c:\windows\system\jssetup\JSsetup.dll
c:\windows\system\jssetup\JSsetup.exe
c:\windows\system32\JSsetup\JSsetup.ini
c:\windows\messenger\messenger.log
c:\windows\messenger\messenger.temp
c:\windows\messenger\messenger.dll
c:\windows\messenger\messenger.exe
c:\windows\security\Messenger.ini
Software\Microsoft\Windows\CurrentVersion\Run
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Start_%d&Mac=%s&Version=%d&ValidateCode=%u&ParentName=%s
%d_%s
LastStartTime_%d
ddd
hXXp://888888.2288.org/Monitor_INI14/Messenger.txt
hXXp://VVV.gamedanji.cn/ExeIni14/Messenger.txt
hXXp://88888888.7766.org/ExeIni14/Messenger.txt
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Setup_1_0&Mac=%s&Version=%d&ValidateCode=%u&ParentName=%s
1_0_%s
VVV.sina.com
VVV.163.com
%s %s
%d %d
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=error2-%d-%d-%d-%d-%d-%d&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=warn1&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
%s %d
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Setup_0_%d&Mac=%s&Version=%d&ValidateCode=%u&ParentName=%s
0_%d_%s
%WinDir%\Help
%System%\1033
%WinDir%\Help\nvwdsbcprz.hlp
%System%\1033\disctinct.hlp
%d.exe
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=InternetMonitor_Copy_error1&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=error1-%d-%d-%d-%d-%d-%d&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
VVV.6666.8800.org
/Start.htm?AreaID=NaN&MediaID=50011&AdNo=%d&OriginalityID=%d&Url=test11&Mac=%s&Version=%d&ValidateCode=&ParentName=%s
ntdll.dll
kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
%s.dll
CCmdTarget
COMCTL32.DLL
hhctrl.ocx
commctrl_DragListMsg
CNotSupportedException
MSWHEEL_ROLLMSG
user32.dll
ole32.dll
mscoree.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
OLEACC.dll
e:\JinZQ\pcGame\PageMonitor-p4\MainModule_2\Release\MainModule_2.pdb
VERSION.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
WINMM.dll
WS2_32.dll
GetCPInfo
KERNEL32.dll
GetKeyState
SetWindowsHookExA
CreateDialogIndirectParamA
UnhookWindowsHookEx
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
oledlg.dll
OLEAUT32.dll
.?AVCCmdTarget@@
.PAVCMemoryException@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCObject@@
.PAVCOleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCArchiveException@@
.PAVCFileException@@
.PAVCOleDispatchException@@
zcÁ
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\syseter.exe
||}}}}~~~
*)'4156,9..
*'41567,-.0$
*'41568,-.0#"&
*)42567,9-/#"$
=*)'2<67,-./##":
*'4157,9-/0#$""
(4157,9-.0##"::
3568,-//#""%:
6669-./##"$:
09-./0#"::
accKeyboardShortcut
Windows Messenger
1.0.0.14008
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
#Unable to load mail system support.

svehost.exe_164:

.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
regsvr32.exe /s "
00-00-00-00-00-00
NETAPI32.DLL
NetWkstaTransportEnum
TCPIP
hXXp://msg.0912345.com/html/downloader.gif
hXXp://msg.0912345.com/html/downloader_
hXXp://msg.0912345.com/html/agentcfg/news
hXXp://dlc.0912345.com:8080/4/
tmpxw01Ex.ext
system.ini
2342349804112
spoolsv.exe
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
user32.dll
GetKeyboardType
kernel32.dll
WinExec
GetWindowsDirectoryA
wininet.dll
DeleteUrlCacheEntry
URLMON.DLL
URLDownloadToFileA
ws2_32.dll
4$5*505;5
9%9U9
?#? ?0?;?\?
4O4x4
7 7$7(7,7
KWindows

rundll32.exe_588:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

rundll32.exe_588_rwx_10001000_00036000:

\System32\PlugOne.css
\System32\PlugTwo.css
1.dll
hXXp://VVV.sianm.com/MainDll/SoftSize.asp
hXXp://VVV.sianm.com/MainDll/UpdateSoft.asp
WebIniSection
SOFTWARE\Softfy\WebIni
FloodCore.dll
FloodCore.dll Has Run
.text
`.rdata
@.data
.reloc
GetWindowsDirectoryA
KERNEL32.dll
SHELL32.dll
WS2_32.dll
MSVCRT.dll
WinSSLCore.dll
hXXp://floodad.com/web/download/
hXXp://floodad.com/web/
GET %s HTTP/1.1
Referer: %s
Accept-Language: %s
User-Agent: %s
Host: %s
Cookie: %s
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50215)
%s-%x
%s%s&machinename=%s
runremote.asp?type=run
get_ad.asp?type=loadall
%s\%s
ComCtl32.dll
Ole32.dll
Gdi32.dll
Oleaut32.dll
AdvApi32.dll
GetKeyboardType
User32.dll
Kernel32.dll
ShellExecuteA
Shell32.dll
URLDownloadToFileA
urlmon.dll
Can not support PE file with no bind.
This Version does not support system file.
This Version does not support terminal server aware.
This Version does not support windows driver model.
This Version does not support dynamic link library.
This Version does not support COM Runtime structure.
Too much ImageImportDescriptors!
\\.\PhysicalDrive0
\\.\SMARTVSD
\System32\HtmlPeek.dll
Windows98,
360Safe.exe
WoptiClean.exe
webscanx.exe
vsstat.exe
UpLive.exe
UmxPol.exe
UmxFwHlp.exe
UmxCfg.exe
UmxAttachment.exe
UmxAgent.exe
UIHost.exe
TrojDie.kxp
Trojanwall.exe
TrojanDetector.exe
SysSafe.exe
symlcsvc.exe
SREng.exe
SmartUp.exe
shcfg32.exe
scan32.exe
safelive.exe
runiep.exe
rstray.exe
rsnetsvr.exe
Rsaupd.exe
RsAgent.exe
rfwstub.exe
rfwsrv.exe
rfwProxy.exe
rfwmain.exe
rfwcfg.exe
RegTool.exe
regmon.exe
RegClean.exe
RawCopy.exe
RavStub.exe
RavMonD.exe
Ras.exe
QQKav.exe
QQDoctor.exe
QHSET.exe
procexp.exe
PFWLiveUpdate.exe
PFW.exe
OllyICE.exe
OllyDBG.exe
NPFMntor.exe
nod32kui.exe
nod32krn.exe
nod32.exe
Navapw32.exe
Navapsvc.exe
mmsk.exe
mmqczj.exe
mcconsol.exe
MagicSet.exe
KWatchX.exe
KWatch9x.exe
KWatch.exe
KvXP_1.kxp
KvXP.kxp
kvwsc.exe
kvupload.exe
KVStub.kxp
KVSrvXP.exe
KVScan.kxp
KvReport.kxp
kvolself.exe
kvol.exe
KVMonXP_1.kxp
KVMonXP.kxp
KvfwMcl.exe
KvDetect.exe
KVCenter.kxp
KsLoader.exe
KRepair.com
KRegEx.exe
KPfwSvc.exe
KPFW32X.exe
KPFW32.exe
KMFilter.exe
KMailMon.exe
KISLnchr.exe
KAVStart.exe
KAVSetup.exe
KAVPFW.exe
KAVPF.exe
KAVDX.exe
KAV32.exe
KASTask.exe
KASMain.exe
KaScrScn.SCR
kabaload.exe
isPwdSvc.exe
Iparmor.exe
iparmo.exe
IceSword.exe
HijackThis.exe
FYFireWall.exe
FTCleanerShell.exe
filemon.exe
FileDsty.exe
EGHOST.exe
ccSvcHst.exe
CCenter.exe
avp.exe
avp.com
AvMonitor.exe
avgrssvc.exe
avconsol.exe
autoruns.exe
AppSvc32.exe
AgentSvr.exe
adam.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
hXXp://VVV.hao12580.com
LockPageUrl
Test3 Loop Pass 1 Min
ravmond.exe
X:X:X:X:X:X
\System32\Web.ini
WebSection7
WebSection6
WebSection5
WebSection4
WebSection3
WebSection2
WebSection1
Web3Hit
Web2Hit
Web1Hit
Web0Hit
hXXp://VVV.fyyxyz.com
hXXp://VVV.woyaozhi.com
WebSection0
hXXp://VVV.softfy.com
hXXp://VVV.codearticle.com
hXXp://VVV.superqqface.com
hXXp://VVV.fygamedown.com
AleaxWeb
hXXp://VVV.fydownload.com
hXXp://VVV.hao12580.com/XueHu
PlugTwoSizeUrl
/PlugTwo/SoftSize.asp
/PlugTwo/UpdateSoft.asp
PlugOneSizeUrl
/PlugOne/SoftSize.asp
/PlugOne/UpdateSoft.asp
hXXp://VVV.sianm.com/CPA/
SoftAdsSizeUrl
hXXp://VVV.sianm.com/plug/SoftSize.asp
SoftAdsUrl
hXXp://VVV.sianm.com/plug/HtmlPeek.dll
hXXp://VVV.fyyxyz.com/plug/HtmlPeek.dll
hXXp://VVV.fyyxyz.com/plug/SoftSize.asp
hXXp://VVV.fyyxyz.com/PlugOne/PlugOne.css
hXXp://VVV.fyyxyz.com/PlugTwo/PlugTwo.css
hXXp://VVV.fyyxyz.com/PlugOne/SoftSize.asp
hXXp://VVV.fyyxyz.com/PlugTwo/SoftSize.asp
.PAVCInternetException@@
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
1.0.0
VVV.k-fc.cn
//lin//lin.asp
%Program Files%\Internet Explorer\IEXPLORE.EXE
Chrome_XPFrame
MozillaUIWindowClass
Software\Microsoft\Internet Explorer\New Windows
-f1.4.0
VVV.hao12580.com
wNowUrlNum=%d
mMin=%d
CWebBrowser2
WebIniVer
hXXp://VVV.fyyxyz.com/WebIni3/WebIniUpdate.asp
\System32\Web.Ini
\System32\WebNew.Ini
\System32\WebNew.ini
hXXp://VVV.fyyxyz.com/WebIni3/WebIniSize.asp
00000000000000000010
%WinDir%\System32\Web.ini
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
RegDeleteKeyA
OpenWindowStationA
SetProcessWindowStation
GetProcessWindowStation
UnhookWindowsHookEx
SetWindowsHookExA
HttpQueryInfoA
InternetOpenUrlA
`.PlugOne
`.ReadPluP
`.ShellPrP
`.UpdateP`
`.UpdateP
`.Release
`.GetMatc
`.GetHtml
`.ShellSo
`.LoadHtmP
`.FindSpc
`.ReadLoc
`.GetHome
`.CreateW
`.GetWebU
`.GetWebH
`.IsSoftA
`.PostReq
`.ReadPlu
`.PostMes
`.LoadToW
`.OnInitDp
`.PopupMgp
`.OnDocum
`.EnumLin0
`.GetEnte
`.JudgeFi
`.WriteWe
`.UpdateW
`.GetServ
`.GetFileP
`.InitWebp
.rsrc
@.reloc
\\.\Physi
Urlk
{8856F961-340A-11D0-A96B-00C04FD705A2}

mpsvc.exe_1064:

.text
`.rdata
@.data
.rsrc
InternetOpenUrlA
WININET.dll
MFC42.DLL
MSVCRT.dll
_acmdln
GetWindowsDirectoryA
WinExec
KERNEL32.dll
USER32.dll
RegDeleteKeyA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyExA
RegQueryInfoKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
explorer.exe
%s\%s.exe
IETemp%s
%s\kbietmp2.ini
%s\mssrcid.ini
%s\%s.ini
rundll32 "%s",DllCanUnloadNow
%s\%s.dll
%s\sysmain.dat
%s\nvsys.ini
%s\sysvc.dat
SYSTEM\CurrentControlSet\Services\Eventlog\Application\%s
%s\aaaaaaa.ini
hXXp://%s/up/update.htm
hXXp://%s/myconfig/index.htm
hXXp://
%Y-%m-%d %H:%M:%S
{5733B228-03E6-4fdd-8686-B51B0E4D473F}
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
{5733B228-03E6-4fdd-8686-B51B0E4D473F} = s 'DSPLALER'
'usnsvc.EXE'
val AppID = s {5733B228-03E6-4fdd-8686-B51B0E4D473F}
.REGISTRY
8, 1, 5467, 4655

rundll32.exe_1504:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

Explorer.EXE_1140_rwx_01E80000_00003000:

user32.dll
shlwapi.dll
%WinDir%\repair\tgy7324
{5D42434E-BCA3-4061-9FAC-C3ABEE0B82EC}
\\.\{5D42434E-BCA3-4061-9FAC-C3ABEE0B82EC}

Explorer.EXE_1140_rwx_01EB0000_00003000:

user32.dll
shlwapi.dll
%WinDir%\repair\tgy7324
{5D42434E-BCA3-4061-9FAC-C3ABEE0B82EC}
\\.\{5D42434E-BCA3-4061-9FAC-C3ABEE0B82EC}

Explorer.EXE_1140_rwx_02140000_00008000:

.text
`.rdata
@.data
.reloc
433f4c96-d7dd-4262-a701-e9ead9ce9cce
\\.\%s
\ntdll.dll
ntdll.dll
explorer.exe
\esentprf.ini
%s.old
64a6d595-ec37-4857-8350-8b4cdf4155d6
\\.\PhysicalDrive%d
\Internet Explorer\iexplore.exe
&dt=%.16I64x&k=%.8x&idf=%.16I64x&hd=%s&ct=%d&v=%u&o=%u&d=%.4x&i=%.4d
upup.4pu.com
hXXp://%s/up.php?%s%s
%d-%d
hXXp://VVV.7xar.com/list.php?k=%u&v=%.8x&ml=%s&rl=%s&vk=%d
VVV.baidu.com
%s\%s
&dt=%.16I64x&k=%.8x&idf=%.16I64x&hd=%s&ct=%d&v=%u&o=%u&res=%s
down.upup.4pu.com
hXXp://%s/down.php?%s
d3a7b1e2-3b23-4390-9db7-d8487a307c4c
b9fbd434-4e60-4a1d-8c5c-b6b73eb04630
msspref_1.tlb
msspref_2.tlb
msdpref.tlb
&idf=%.16I64x&v=%u&o=%u
URLDownloadToCacheFileA
urlmon.dll
WS2_32.dll
SHLWAPI.dll
imagehlp.dll
PSAPI.DLL
GetProcessHeap
KERNEL32.dll
USER32.dll
SHELL32.dll
ole32.dll
daemon.dll
{5D42434E-BCA3-4061-9FAC-C3ABEE0B82EC}
%WinDir%\temp\
%WinDir%\Help\tg8541.hlp
%WinDir%\web\
%WinDir%\msapps\ej3309.nfo
%WinDir%\srchasst\af7910.lex
%WinDir%\repair\tgy7324
4 565;5@5[5}5


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    explor.exe:600
    net.exe:824
    net1.exe:372
    small686.exe:784
    sc.exe:1252
    sc.exe:1080
    regsvr32.exe:1072
    ping.exe:632
    ping.exe:292
    setup.exe:1696
    selvice.exe:508
    %original file name%.exe:468
    mpsvc.exe:1508
    mpsvc.exe:1064
    updateqq.exe:1988
    rundll32.exe:1552
    rundll32.exe:1504
    svehost.exe:164
    syseter.exe:140
    lqbzse.exe:1992

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\Internet Explorer\IETimbar\Uninstall.exe (206 bytes)
    %Program Files%\Internet Explorer\IETimbar\httpf.dat (107 bytes)
    %Program Files%\Internet Explorer\IETimbar\cfg.dat (80 bytes)
    %Program Files%\Internet Explorer\IETimbar\IETimbar.dll (3196 bytes)
    %Program Files%\Internet Explorer\IETimbar\vercfg.dat (4 bytes)
    %System%\dllcache\fly2997.dll (66 bytes)
    %System%\fly2997.dll (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\afc9fe2f418b00a0.bat (2 bytes)
    %System%\mssrcid.ini (16 bytes)
    %System%\ufixnk.bat (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\updateqq.exe (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ColorPix.exe (20624 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\svehost.exe (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (33145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\small686.exe (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\selvice.exe (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\syseter.exe (11048 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\explor.exe (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lqbzse.exe (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Messenger\sysmain.dat (1837 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Messenger\sysvc.dat (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Messenger\setup.exe (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Messenger\nvsys.ini (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Messenger\mqtrig.dll (4274 bytes)
    %System%\Web.ini (59185 bytes)
    %WinDir%\messenger\messenger.exe (2851 bytes)
    %System%\dllcache\ipfltdrv.sys.sys (32 bytes)
    %System%\esentprf.ini (120 bytes)
    %WinDir%\repair\tgy7324 (6626 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.tmp (41 bytes)
    %System%\drivers\nsypfo.log (41 bytes)
    %System%\drivers\ipfltdrv.sys.txt (41 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "JSsetup" = "c:\windows\system\jssetup\JSsetup.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Messenger" = "c:\windows\messenger\messenger.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry). Restore UserInit to "%System%\userinit.exe," (the genuine userinit.exe, keeping the trailing comma) rather than deleting the value: Windows cannot complete a logon without userinit.exe:

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,D:\FlySoft\micsoft.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
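The registry side of steps 4 and 5 can be checked without working on the live machine: export the two Run keys and the Winlogon key with reg export and scan the resulting .reg text. The script below is an added example written for this page, not part of the Lavasoft report. SAMPLE_REG is a constructed export mirroring the values listed above, and the expectation that UserInit names only userinit.exe is standard Windows behaviour rather than something the report states.

```python
# Added example (editor's code, not Lavasoft tooling): check a .reg export for
# the persistence entries in steps 4 and 5.  SAMPLE_REG is a constructed export
# mirroring the values in the report; the rule that UserInit should carry only
# userinit.exe is standard Windows behaviour, not a statement of the report.
import re
from typing import Dict, List, Tuple

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
}
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
BAD_RUN_VALUES = {"jssetup", "messenger"}  # value names from step 4

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JSsetup"="c:\\windows\\system\\jssetup\\JSsetup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,D:\\FlySoft\\micsoft.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="c:\\windows\\messenger\\messenger.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """reg.exe writes \\ for a backslash and \" for a quote inside strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg reader: [key] sections with "name"="string" values.
    Non-string types (dword:, hex:) are kept as their raw text."""
    reg: Dict[str, Dict[str, str]] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = _VALUE.match(line) if key else None
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        val = m.group(3)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = _unescape(val[1:-1])
        reg[key][name] = val
    return reg


def _basename(path: str) -> str:
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def find_persistence(reg: Dict[str, Dict[str, str]]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """(run_hits, userinit_extras): Run values named in step 4, and every
    program chained onto UserInit other than userinit.exe itself (step 5)."""
    run_hits, extras = [], []
    for key, values in reg.items():
        if key.lower() in RUN_KEYS:
            run_hits += [(key, n, v) for n, v in values.items() if n.lower() in BAD_RUN_VALUES]
        elif key.lower() == WINLOGON.lower():
            for n, v in values.items():
                if n.lower() == "userinit":
                    extras += [e.strip() for e in v.split(",")
                               if e.strip() and _basename(e) != "userinit.exe"]
    return run_hits, extras


def clean_userinit(value: str) -> str:
    """UserInit reduced to the genuine userinit.exe entry plus the trailing comma
    Windows writes.  Never delete the value outright: logon cannot complete
    without userinit.exe."""
    keep = [e.strip() for e in value.split(",") if e.strip() and _basename(e) == "userinit.exe"]
    return ",".join(keep) + ","


if __name__ == "__main__":
    hits, extras = find_persistence(parse_reg(SAMPLE_REG))
    for key, name, val in hits:
        print(f"Run value to delete: [{key}] {name} = {val}")
    for e in extras:
        print(f"UserInit extra program: {e}")
```

Run it against your own export in place of SAMPLE_REG; anything find_persistence() reports under extras is a program that will be started at every interactive logon, whether or not its name matches the report, which is why the check keys on "everything except userinit.exe" rather than on micsoft.exe alone.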
