Trojan.GenericKD.1878345_4462910d01
Trojan.Win32.Nimnul.ffx (Kaspersky), Trojan.GenericKD.1878345 (AdAware), Backdoor.Win32.Farfli.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4462910d01ecf25824cde6735cf5d045
SHA1: 6d70eaa5509eade60871067feda92f6cc03cd53e
SHA256: 08b954245a11d8bea26d40d1d8f68a5c52cc4b540d0eb9ba806fd7bedca3a55b
SSDeep: 1536:WgQVLDlZ1Ulw8RdcGv8VDeHIwl07/WYyxxSipB3o H gah0m4G524wSTIJBoD:WguZv656eIJ/W7eipB4/V0d4wBK
Size: 113592 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-09-03 19:41:09
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3936
%original file name%.exe:3640
xqhsahxo.exe:4040
xqhsahxo.exe:3960
The Trojan injects its code into the following process(es):
mscorsvw.exe:424
svchost.exe:3228
svchost.exe:1640
svchost.exe:340
jqs.exe:480
services.exe:760
lsass.exe:772
svchost.exe:928
svchost.exe:1012
svchost.exe:1096
svchost.exe:1144
svchost.exe:1188
spoolsv.exe:1432
Explorer.EXE:1948
wmiprvse.exe:3704
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xqhsahxo.exe (601 bytes)
The process %original file name%.exe:3640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\BE432C2EE45E016635C9B13C029DA7E7 (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB3.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB2.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\BE432C2EE45E016635C9B13C029DA7E7 (144 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B1AA84065EC5876DF7F06B36A34A8167 (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB7.tmp (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B1AA84065EC5876DF7F06B36A34A8167 (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB6.tmp (56 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (56 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TarB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (0 bytes)
The process xqhsahxo.exe:4040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fwoixcmg.exe (601 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\orpnsuoi.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\goxbiuiu\orpnsuoi.exe (601 bytes)
Registry activity
The process mscorsvw.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process %original file name%.exe:3640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C FE 8F AE BE E3 86 A0 37 F3 C5 94 43 FF C9 8D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 0B 6C D9 77"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"6252DC40F71143A22FDE9EF7348E064251B18118"
The process xqhsahxo.exe:4040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"UAC_bypassed" = "TRUE"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 21 61 68 32 27 DE 1B DC 32 56 6C 32 3B C6 F5"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\wuauserv]
"Start" = "4"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"OrpNsuoi" = "%Documents and Settings%\%current user%\Local Settings\Application Data\goxbiuiu\orpnsuoi.exe"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "4"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"
The process xqhsahxo.exe:3960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 6C C6 6B C2 F4 AA D1 49 B4 3F 47 D8 4D B2 3D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in USER32.dll:
TranslateMessage
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSASendTo
WSARecvFrom
WSASend
recv
WSARecv
send
closesocket
recvfrom
sendto
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
ZwQueryDirectoryFile
Propagation
VersionInfo
Company Name:
Product Name: GrsPQQmZO
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2014
Legal Trademarks:
Original Filename: GrsPQQmZO.exe
Internal Name: GrsPQQmZO.exe
File Version: 1.0.0.0
File Description: GrsPQQmZO
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 104852 | 104960 | 4.55459 | 9deea8789630da7346ab93c3d0d5e5bf |
| .rsrc | 114688 | 1344 | 1536 | 2.73426 | 71a7d6d117eae797c4f3410fea2902b3 |
| .reloc | 122880 | 12 | 512 | 0.070639 | 35196a87dab0cd68cc38a311da629c5a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/6252DC40F71143A22FDE9EF7348E064251B18118.crt | |
| hxxp://crl.certum.pl/ca.crl | |
| hxxp://crl.certum.pl/l3.crl | |
| hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
| hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/6252DC40F71143A22FDE9EF7348E064251B18118.crt | |
| hgyudheedieibxy.com | |
| google.com | |
| anrylixwcbnjopdd.com | |
| itktxexjghvvxa.com | |
| knpqxlxcwtlvgrdyhd.com | |
| hufqifjq.com | |
| nvlyffua.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET DNS Reply Sinkhole - Zinkhole.org
Traffic
GET /ca.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.certum.pl
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Oct 2014 23:35:42 GMT
Server: Apache
Last-Modified: Thu, 17 Apr 2014 10:39:06 GMT
ETag: "30016-187-a472e680"
Accept-Ranges: bytes
Content-Length: 391
Connection: close
Content-Type: application/x-pkcs7-crl
GET /l3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.certum.pl
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Thu, 09 Oct 2014 23:35:43 GMT
Server: Apache
Last-Modified: Thu, 09 Oct 2014 18:02:01 GMT
ETag: "30013-904b-3aabd840"
Accept-Ranges: bytes
Content-Length: 36939
Connection: close
Content-Type: application/x-pkcs7-crl
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 12 Sep 2014 18:02:51 GMT
Accept-Ranges: bytes
ETag: "80179bc4b3cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=8720
Date: Thu, 09 Oct 2014 23:35:41 GMT
Connection: keep-alive
X-CCC: US
X-CID: 21401CFCEB3C4C42958....
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 56928
Cache-Control: max-age=8808
Date: Thu, 09 Oct 2014 23:35:41 GMT
Connection: keep-alive
X-CCC: US
GET /msdownload/update/v3/static/trustedr/en/6252DC40F71143A22FDE9EF7348E064251B18118.crt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-cert
Last-Modified: Fri, 12 Sep 2014 18:02:51 GMT
Accept-Ranges: bytes
ETag: "80179bc4b3cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 784
Date: Thu, 09 Oct 2014 23:35:42 GMT
Connection: keep-alive
X-CCC: US
The Trojan connects to the servers at the following location(s):
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_3228_rwx_002B0000_00001000:
|C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xqhsahxo.exe
svchost.exe_3228_rwx_15110000_00071000:
`.rsrc
.text
`.rdata
@.data
.reloc
Gh.logWj
h.logPj
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeA
kernel32.dll
ExitWindowsEx
user32.dll
RegCloseKey
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
advapi32.dll
modules.dll
{X-X-X-X-XX}ntdll.dll
shlwapi.dll
SHDeleteKeyA
SOFTWARE\Microsoft\Windows\CurrentVersion
shell32.dll
%CommonProgramFiles%
\/*.*
\\.\pipe\
VWRQRh.exe
h.exe
ws2_32.dll
RegCreateKeyExA
ShellExecuteA
gdi32.dll
ole32.dll
rmnsoft.dll
google.com:80
bing.com:80
yahoo.com:80
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Defender
Software\Microsoft\Windows\CurrentVersion\Policies
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
Software\Microsoft\Windows\CurrentVersion\policies\system
\ SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
"ntdll.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Run
HTTP/*.*
/HTTPMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: %s
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
Content-Disposition: form-data; name="%s"
--%s--
%s /%s HTTP/1.1
Host: %s
User-Agent: %s
%sAccept-Language: %s
HTTP/1.x 301 Moved Permanently
Server: Apache/2.2.14
gdiplus.dll
GdiplusShutdown
\\.\631D2408D44C4f47AC647AB96987D4D5
\Google\Chrome\User Data\Default\Cookies
\Google\Chrome\User Data\Default\Extension Cookies
%APPDATA%\Apple Computer\Safari\Cookies\Cookies.plist
%APPDATA%\Mozilla\Firefox\
%WinDir%\Application Data\Mozilla\Firefox\
profiles.ini
Profile%d
\cookies.txt
\cookies.sqlite
%APPDATA%\Opera\
\profile\cookies4.dat
\cookies4.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Opera.exe
FireFox Cookies\Profile %d\cookies.txt
FireFox Cookies\Profile %d\cookies.sqlite
Chrome\Cookies
Chrome\Extension Cookies
Opera\Profile %d\cookies4.dat
Safari\Cookies.plist
getexec
complete.dat
SRQVWh.exe
h.exeVj
tvh.exe
PSSSSSSh
More information: hXXp://VVV.ibsensoftware.com/
.TNIRPTN.
com.%s.sdb
%s\cmd.%s.bat
start "" "%s"
"%%windir%%\%s\ntprint.exe"
"%%windir%%\system32\sdbinst.exe" "%s"
"%%windir%%\system32\sdbinst.exe" /q /u "%s"
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
UAC_bypassed
cmd.exe
%TEMP%\p.exe
" %TEMP%\p.exe
SOFTWARE\Microsoft\Updates\Windows XP\SP4
SOFTWARE\Microsoft\Updates\Windows XP\SP3
SOFTWARE\Microsoft\Updates\Windows XP\SP10
SOFTWARE\Microsoft\Updates\Windows XP\SP0
SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages
wmic.exe QFE where "HotFixID='KB2778930'" get HotFixID, Description
\cache.dat
CheckBypassed ok
di32.dll
loader.exe
_CheckBypassed@0
\/{X-X-X-X-XX}|ZwDelayExecution
%ProgramFiles%\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
http\shell\open\command
chrome.exe
opera.exe
/C ""%s"" %s
/C ""%s""
svchost.exe
user32.DLL
p.exe
Rapport
:Zone.Identifier
consent.exe
%Program Files%\Internet Explorer\iexplore.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xqhsahxo.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\p.exe
RegOpenKeyA
RegEnumKeyA
ShellExecuteExA
keybd_event
EnumWindows
.rdata
.rsrc
KERNEL32.DLL
multipart/*boundary={*}application/x-www-form-urlencodedname="{*}"{*}hXXps://hXXp://2.1.0.3
ntprint.exe
RedirectEXE
%temp%\..\..\LocalLow\cmd.%username%.bat
svchost.exe_3228_rwx_20010000_00001000:
.text
`.rdata
@.data
.reloc
svchost.exe_1640:
svchost.exe_1640_rwx_000C0000_00001000:
|C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xqhsahxo.exe
svchost.exe_1640_rwx_15110000_00071000:
svchost.exe_1640_rwx_20010000_00001000:
svchost.exe_1640_rwx_20031000_000A0000:
FtpControl
32bit FTP
LeapFtp
SoftFx FTP
ClassicFTP
WebSitePublisher
FtpExplorer
Core ftp
Coffee cup ftp
FFFtp
TurboFtp
SmartFtp
BulletproofFTP
FtpCommander
Cute FTP
WS FTP
Windows/Total commander
PTF://
Password
password
FtpIniName
\Ipswitch\WS_FTP Home\Sites
\Ipswitch\WS_FTP\Sites
\%.d.0
Quick.dat
port
sitemanager.xml
Port
Software\Microsoft\Windows\CurrentVersion\Uninstall
History.dat
Favorites.dat
\Frigate3\FtpSite.XML
\sites.xml
\FTPRush\RushSite.xml
SET PASS
NODE: TYPE = FTP
\BitKinex\bitkinex.ds
_Password
FtpUserName
FtpServer
FtpDirectory
FtpDescription
_FtpPassword
SELECT ServerName, Url, ServerUser, ServerPass, RemoteDir FROM "TServers"
SharedSettings.ccs
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
sites.dat
LeapFTP
HostPassword
\32BitFtp.ini
PassWord
%USERPROFILE%
Kernel32.dll
sql_trace
sqlite_version
sqlite_rename_trigger
sqlite_rename_table
RowKey
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
2147483647
%s\etilqs_
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
Page %d is never used
Unable to malloc %d bytes
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
freelist leaf count too big on page %d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
2nd reference to page %d
invalid page number %d
Fragmented space is %d byte reported as %d on page %d
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
On page %d at right child:
On tree page %d cell %d:
initPage() returns error code %d
unable to get the page. error code=%d
Page %d:
%s(%d)
keyinfo(%d
%s-mjX
Aunable to use function %s in the requested context
Unsupported module operation: xNext
Unsupported module operation: xColumn
Unsupported module operation: xRowid
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s
sqlite_master
sqlite_temp_master
transaction - SQL statements in progress
variable number must be between ?1 and ?%d
not authorized to use function: %s
ambiguous column name: %s
no such column: %s
%.*s%Q%s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE %Q.sqlite_sequence set name = %Q WHERE name = %Q
sqlite_sequence
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name, %d 18,10) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
table %s may not be altered
sqlite_
there is already another table or index with this name: %s
%s OR name=%Q
UPDATE %Q.%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d,length(sql)) WHERE type = 'table' AND name = %Q
Cannot add a PRIMARY KEY column
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)
sqlite_stat1
SELECT idx, stat FROM %Q.sqlite_stat1
sqlite_detach
sqlite_attach
unable to open database: %s
database %s is already in use
too many attached databases - max %d
database %s is locked
cannot detach database %s
no such database: %s
%s %T cannot reference objects in database %s
access to %s.%s is prohibited
access to %s.%s.%s is prohibited
illegal return value (%d) from the authorization function - should be SQLITE_OK, SQLITE_IGNORE, or SQLITE_DENY
no such table: %s
no such table: %s.%s
object name reserved for internal use: %s
there is already an index named %s
duplicate column name: %s
default value of column [%s] is not constant
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#0, sql=%Q WHERE rowid=#1
CREATE %s %.*s
view %s is circularly defined
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %s.sqlite_sequence WHERE name=%Q
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
UPDATE %Q.%s SET rootpage=%d WHERE #0 AND rootpage=#0
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#0,%Q);CREATE%s INDEX %.*s
table %s has no column named %s
sqlite_autoindex_
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s may not be indexed
indexed columns are not unique
DELETE FROM %Q.%s WHERE name=%Q
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
unable to identify the object to be reindexed
no such collation sequence: %s
cannot modify %s because it is a view
table %s may not be modified
table %S has no column named %s
%d values for %d columns
table %S has %d columns but %d values were supplied
PRIMARY KEY must be unique
error during initialization: %s
no entry point [%s] in shared library [%s]
unable to open shared library [%s]
sqlite3_extension_init
automatic extension loading failed: %s
unsupported encoding: %s
*** in database %s ***
foreign_key_list
SELECT name, rootpage, sql FROM '%q'.%s
unsupported file format
database schema is locked: %s
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T%s%T%s%T
%z:%d
column%d
%s.%s
sqlite_subquery_%p_
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
%s BY column number %d out of range - should be between 1 and %d
SELECTs to the left and right of %s do not have the same number of result columns
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
ORDER BY term number %d does not match any result column
ORDER BY position %d should be between 1 and %d
sqlite3_get_table() called with two or more incompatible queries
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
no such trigger: %S
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14,100000000) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#1
no such module: %s
vtable constructor did not declare schema: %s
vtable constructor failed: %s
%z VIRTUAL TABLE INDEX %d:%s
%z USING PRIMARY KEY
%z WITH INDEX %s
%z AS %s
TABLE %s
at most %d tables in a join
incomplete SQL statement
kernel lacks large file support
SQL logic error or missing database
Invalid parameter passed to C runtime function.
SOFTWARE\Far2\SavedDialogHistory\FTPHost
SOFTWARE\Far2\Plugins\FTP\Hosts
\wcx_PTF.ini
Software\Ghisler\Windows Commander
CSMFTPItem
\sm.dat
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Home
\GlobalSCAPE\CuteFTP Lite
\Quick.dat
\Sites.dat
<schema> <document name="FileZilla3"> <collection name="Servers"> <collection name="Server" type="mixed"> <text name="Host"/> <text name="Port"/> <text name="Protocol"/> <text name="Type"/> <text name="User"/> <text name="Pass"/> <text name="Logontype"/> <text name="TimezoneOffset"/> <text name="PasvMode"/> <text name="MaximumMultipleConnections"/> <text name="EncodingType"/> <text name="BypassProxy"/> <text name="Name"/> <text name="Comments"/> <text name="LocalDir"/> <text name="RemoteDir"/> <text name="SyncBrowsing"/> </collection> </collection> </document></schema>
<schema> <document name="FileZilla3"> <collection name="RecentServers"> <collection name="Server" type="mixed"> <text name="Host"/> <text name="Port"/> <text name="Protocol"/> <text name="Type"/> <text name="User"/> <text name="Pass"/> <text name="Logontype"/> <text name="TimezoneOffset"/> <text name="PasvMode"/> <text name="MaximumMultipleConnections"/> <text name="EncodingType"/> <text name="BypassProxy"/> </collection> </collection> </document></schema>
\FileZilla\sitemanager.xml
\FileZilla\recentservers.xml
\ftplist.txt
FTP Commander Pro
FTP Navigator
FTP Commander
FTP Commander Deluxe
Software\BFTP
\BulletProof Software\BulletProof FTP Client 2009
\BulletProof Software\BulletProof FTP Client
<schema> <document name="FavoriteItem"> <text name="Version"/> <text name="Name"/> <text name="Id"/> <text name="Protocol"/> <text name="Host"/> <text name="Port"/> <text name="User"/> <text name="Password"/> <text name="Path"/> <text name="Description"/> <collection name="Settings"> </collection> <collection name="Statistics"> </collection> </document></schema>
\SmartFTP\Client 2.0\Favorites
\SmartFTP
\TurboFTP
\addrbk.dat
Software\TurboFTP
Software\Sota\FFFTP
DefaultPassword
Software\Sota\FFFTP\Options
Software\FTPWare\COREFTP\Sites
<schema> <document name="FTPx10"> <text name="Name"/> <text name="Host"/> <text name="Login"/> <text name="Password"/> <text name="LocalPath"/> <text name="RemotePath"/> <text name="Description"/> <text name="Anonymous"/> <text name="Cache"/> <text name="Default"/> <text name="PasvMode"/> <text name="Retries"/> <text name="RetryDelay"/> <text name="Port"/> </document></schema>
</FTPx10>
<FTPx10>
\FTP Explorer\profiles.xml
<schema> <document name="Ftp"> <collection name="Item"> <attribute name="Name"/> <attribute name="Host"/> <attribute name="Home"/> <attribute name="User"/> <attribute name="Pass"/> <attribute name="Port"/> <attribute name="UserProxy"/> <attribute name="Passive"/> <attribute name="SecureType"/> <attribute name="UploadType"/> <attribute name="CodePage"/> <attribute name="SingleConnect"/> <attribute name="RequestPassword"/> </collection> </document></schema>
<schema> <document name="SITES"> <collection name="GROUP"> <attribute name="NAME"/> <collection name="SITE"> <attribute name="NAME"/> <collection name="CONNECT"> <attribute name="RETRYCOUNT"/> <attribute name="DELAY"/> <attribute name="FTPTIMEOUT"/> </collection> <text name="HOST"/> <text name="USER"/> <text name="PASS"/> <text name="RPATH"/> </collection> </collection> </document></schema>
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UltraFXP
<schema> <document name="SITES"> <collection name="GROUP"> <collection name="GROUP"> <attribute name="NAME"/> <collection name="SITE"> <attribute name="NAME"/> <attribute name="UID"/> <text name="HOST"/> <text name="SHORT"/> <text name="USER"/> <text name="PASS"/> <text name="RPATH"/> </collection> </collection> </collection> </document></schema>
Software\Cryer\WebSitePublisher
Software\NCH Software\ClassicFTP\FTPAccounts
Software\SoftX.org\FTPClient\Sites
Software\FTPClient\Sites
<schema><document name="ftpsites"> <collection name="site"> <attribute name="cfgflags"/> <attribute name="flags"/> <attribute name="flags2"/> <attribute name="indexmax"/> <attribute name="name"/> <attribute name="siteflags"/> <attribute name="type"/> <collection name="host"> <attribute name="comment"/> <attribute name="host"/> <attribute name="pass"/> <attribute name="port"/> <attribute name="user"/> </collection> <text name="dir"/> </collection></document></schema>
\GPSoftware\Directory Opus\ConfigFiles\PTF.oxc
Software\Dev Zero G\FTP Uploader\FTP Uploader
Software\South River Technologies\WebDrive\Connections
<schema> <document name="FTP"> <collection name="Site"> <attribute name="Type"/> <attribute name="Name"/> <attribute name="UID"/> <text name="Address"/> <text name="User"/> <text name="Pass"/> <text name="Drive"/> <text name="Port"/> <text name="ConnectAtRun"/> <text name="Anonymous"/> <text name="Passive"/> <text name="ConnectAtBoot"/> <text name="Encoding"/> <text name="SSL"/> <text name="WriteFtpLogs"/> <text name="FtpLogsPath"/> <text name="SessionsLimit"/> <text name="SessionsLimitNumber"/> <text name="FTPListA"/> <text name="ProxyType"/> <text name="ProxyAddress"/> <text name="ProxyPort"/> <text name="ProxyUser"/> <text name="ProxyPass"/> </collection> </document></schema>
klfhuw%$#%fgjlvf
</FTP>
<FTP>
\NetDrive\NDSites.ini
GetWindowsDirectoryA
GetProcessHeap
PeekNamedPipe
RegEnumKeyExA
RegOpenKeyA
RegCloseKey
.flat .text .rdata .data .idata .asmdata .reloc
svchost.exe_340_rwx_20140000_00001000: .text .rdata .data .reloc
mscorsvw.exe_424_rwx_20140000_00001000: .text .rdata .data .reloc
jqs.exe_480_rwx_20140000_00001000: .text .rdata .data .reloc
services.exe_760_rwx_20140000_00001000: .text .rdata .data .reloc
lsass.exe_772_rwx_20140000_00001000: .text .rdata .data .reloc
svchost.exe_928_rwx_20140000_00001000: .text .rdata .data .reloc
svchost.exe_1012_rwx_20140000_00001000: .text .rdata .data .reloc
svchost.exe_1096_rwx_20140000_00001000: .text .rdata .data .reloc
svchost.exe_1144_rwx_20140000_00001000: .text .rdata .data .reloc
svchost.exe_1188_rwx_20140000_00001000: .text .rdata .data .reloc
spoolsv.exe_1432_rwx_20140000_00001000: .text .rdata .data .reloc
Explorer.EXE_1948_rwx_20140000_00001000: .text .rdata .data .reloc
wmiprvse.exe_3704_rwx_20140000_00001000: .text .rdata .data .reloc
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3936
%original file name%.exe:3640
xqhsahxo.exe:4040
xqhsahxo.exe:3960
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\xqhsahxo.exe (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\BE432C2EE45E016635C9B13C029DA7E7 (391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB3.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB2.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\BE432C2EE45E016635C9B13C029DA7E7 (144 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B1AA84065EC5876DF7F06B36A34A8167 (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB7.tmp (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB4.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B1AA84065EC5876DF7F06B36A34A8167 (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabB6.tmp (56 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fwoixcmg.exe (601 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\orpnsuoi.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\goxbiuiu\orpnsuoi.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"OrpNsuoi" = "%Documents and Settings%\%current user%\Local Settings\Application Data\goxbiuiu\orpnsuoi.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.