Trojan.GenericKD.2038627_a37f632cd0

by malwarelabrobot on January 9th, 2015 in Malware Descriptions.

Trojan-Downloader.Win32.Genome.oeqy (Kaspersky), Trojan.GenericKD.2038627 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a37f632cd07b0ac1d2d4cb30c414ebc0
SHA1: 2d775fdeed42362a441258572cffe224e5c8032d
SHA256: 1b85bc4974e1afca1a3d2d5e95bad6963fc4381d47455f3d24f53a3e29261e5d
SSDeep: 6144:3sbVYe3dL8sNQZlPWYGUiOZw1gh1HK5wyHDRaw:gSoZRNQZPG1Sw1ghdyHdaw
Size: 387992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

22.scr:404
svhost.exe:1012
netsh.exe:1756
netsh.exe:348

The Trojan injects its code into the following process(es):

CnetInstaller-7:744
%original file name%.exe:1696

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!docume~1!adm!locals~1!temp!cookies!
c:!docume~1!adm!locals~1!temp!history!history.ie5!
c:!docume~1!adm!locals~1!temp!temporary internet files!content.ie5!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex

File activity

The process 22.scr:404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\system\svhost.exe (46100 bytes)

The process svhost.exe:1012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\sysdrv32.sys (392 bytes)

The process CnetInstaller-7:744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\check-icon.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\progressbar-left.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish.zip (1176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\index.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\topleft.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\topright.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\topleft.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\topright.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\progressbar-right.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\index.html (1256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\download-logo.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\bottomright.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\grey-btn.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome.zip (941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\progressfilled-left.png (992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\topright.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\propccleaner.zip (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\download-logo.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\av.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\installer-bg.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\green-btn.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\resume-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\installer-bg.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\script.js (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\grey-btn.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\stop-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\check-icon.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\bottomleft.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\installer-bg.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation.zip (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\bottomleft.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\topleft.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\bottomright.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\topright.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\styles.css (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\green-btn.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\styles.css (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\script.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\windows-32x32.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\bottomright.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\installer-bg.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\bg.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\index.html (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\grey-btn.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\grey-btn.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\script.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\grey-btn.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\installer-bg.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\script.js (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\bottomright.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\bottomleft.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\windows-32x32.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\styles.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25.zip (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\download-logo.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\windows-32x32.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\windows-32x32.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\bottomright.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Common\jquery.min.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\bottomleft.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KLUJGDAJ\iconimg_283791[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\topleft.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\check-icon.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\windows-32x32.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\download-logo.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\pause-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\script.js (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\bottomleft.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\topright.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\green-btn.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\progressfilled-right.png (996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\index.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\topleft.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Common\json3.min.js (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Common\stats.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\styles.css (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\green-btn.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\green-btn.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\download-logo.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\styles.css (196 bytes)

The process %original file name%.exe:1696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\ILKN6TC9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss7E.tmp (2491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\5UVVXIDV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\2EEALLZ0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp\CnetInstaller-75761429.exe (54176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\5UVVXIDV\CnetInstaller[1] (54176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp\nsRandom.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KLUJGDAJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp\inetca.dll (784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn7D.tmp (0 bytes)

Registry activity

The process 22.scr:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E C8 5E 9A 36 2C E1 1F B2 86 3B D8 CF A4 1F 7E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SVCWINSPOOL]
"(Default)" = "Service"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\NetworkService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SVCWINSPOOL]
"(Default)" = "Service"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSVCHO" = "%WinDir%\system\svhost.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes without dots that are not assigned to any zone to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The process svhost.exe:1012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 92 3F EB 05 FC 6E ED 66 D8 18 6B 1B 53 F5 03"

The process CnetInstaller-7:744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Internet Explorer\Styles]
"MaxScriptStatements" = "4294967295"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "CnetInstaller-75761429.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1419348163"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 2D A9 46 45 E8 5B 75 DF 22 C7 EF CA 0D 7A 20"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes without dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process netsh.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C DA B0 A6 F0 90 A0 D9 7E E9 CA E8 8A 5E 6F A4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

The process netsh.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 55 DA A8 19 0A D0 10 4D A3 43 CD 1C DB A6 F8"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process %original file name%.exe:1696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all network paths (UNCs) are placed in the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are placed in the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all local (intranet) sites not listed in other zones, i.e. host names without a dot, are placed in the Local Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

These three ZoneMap values correspond to the three "Local intranet" options that IE enables by default, so on their own they are a weak indicator. The proxy changes are the significant part: clearing ProxyEnable and deleting the proxy and PAC values (listed below) take the browser off any configured corporate proxy and the filtering it provides.

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

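A way to check a host for the IE zone and proxy changes listed above, as an added example that is not part of the Lavasoft report: it parses the text of a `reg export` of the Internet Settings key and reports the three ZoneMap flags and any missing proxy values. The sample .reg text is constructed from the values in this report; `proxy_expected` is this example's own parameter, set to True for machines that should sit behind a proxy.

```python
"""Audit an exported Internet Settings key for the proxy and ZoneMap changes in this report.

Added example, not part of the Lavasoft report. Input is the text of
`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" out.reg`
(decode the file as UTF-16 first); SAMPLE_REG is constructed from the report's values.
"""
import re

ISET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
ZONEMAP = ISET + r"\ZoneMap"
INTRANET_FLAGS = ("UNCAsIntranet", "ProxyBypass", "IntranetName")
PROXY_VALUES = ("ProxyServer", "AutoConfigURL", "ProxyOverride")

# Constructed .reg text mirroring the state after the Trojan ran (proxy values deleted).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
"IntranetName"=dword:00000001
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}}; dword values become ints, strings are unquoted."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not (m and current):
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[len("dword:"):], 16)
        else:
            keys[current][name] = raw.strip('"')
    return keys


def audit(keys, proxy_expected):
    """Report deviations matching the behaviour described in the report.

    proxy_expected: True when the host should have ProxyServer or AutoConfigURL set
    (for example a domain-joined machine behind a corporate proxy).
    """
    findings = []
    zm = keys.get(ZONEMAP, {})
    set_flags = [f for f in INTRANET_FLAGS if zm.get(f) == 1]
    if set_flags:
        findings.append("ZoneMap intranet-inclusion flags set: %s (IE default, weak indicator)"
                        % ", ".join(set_flags))
    iset = keys.get(ISET, {})
    if proxy_expected:
        if iset.get("ProxyEnable") == 0:
            findings.append("ProxyEnable is 0 but a proxy is expected")
        missing = [v for v in PROXY_VALUES if v not in iset]
        if missing:
            findings.append("proxy values missing: %s" % ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG), proxy_expected=True):
        print(finding)
```

`reg export` writes UTF-16 with a BOM, so open the file with `encoding="utf-16"` before passing its contents to `parse_reg`. The ZoneMap finding is labelled weak because those flags are IE's defaults; the proxy findings only mean something on a host that is supposed to have a proxy, which is why the caller has to say so.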
Dropped PE files

MD5 File path
5dd4110c9b6099c0d7dff7dfde849ad4 c:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IR6VD5AK\x[1]
f5f8712336640770d8f120235226a82a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Internet Files\Content.IE5\5UVVXIDV\CnetInstaller[1]
f5f8712336640770d8f120235226a82a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi7F.tmp\CnetInstaller-75761429.exe
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi7F.tmp\System.dll
7579ade7ae1747a31960a228ce02e666 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi7F.tmp\UserInfo.dll
134b93f8bd1f82cd2f1b06c878580703 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi7F.tmp\inetca.dll
ab467b8dfaa660a0f0e5b26e28af5735 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi7F.tmp\nsRandom.dll

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before DNS.
The modified file is 734 bytes in size. The following entry is added to the hosts file:

127.0.0.1 www.Brenz.pl

Mapping a name to the loopback address blocks resolution of that host rather than redirecting it. Any hosts entry that points a name other than localhost at 127.0.0.1, 0.0.0.0 or an external address deserves review, since few legitimate programs edit this file.
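A hosts-file check for entries like the one above, added here as an example and not part of the report. SAMPLE_HOSTS is constructed (the stock header, the localhost line, the Brenz.pl line the report records, and one 0.0.0.0 entry to show the other common blocking form); the check also handles IPv6 entries and trailing comments, which the sample does not exercise.

```python
"""Flag hosts-file entries that block or redirect names, like the Brenz.pl entry above.

Added example, not part of the report. SAMPLE_HOSTS is constructed.
"""
import ipaddress

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1 www.Brenz.pl
0.0.0.0         updates.example.net   # constructed: blocked update host
"""

# Names that legitimately map to a loopback address and should not be reported.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                         "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_no, address, [names]) for every active (non-comment) entry."""
    for line_no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()   # drop trailing comments
        parts = body.split()
        if len(parts) >= 2:
            yield line_no, parts[0], parts[1:]


def suspicious_entries(text):
    """Return (line_no, address, name, reason) for entries that sinkhole or redirect a name."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "unparseable address"))
            continue
        for name in names:
            if name.lower() in BENIGN_LOOPBACK_NAMES and addr.is_loopback:
                continue
            if addr.is_loopback or addr.is_unspecified:
                findings.append((line_no, address, name, "blocked: resolves to loopback/unspecified"))
            else:
                findings.append((line_no, address, name, "redirected: resolves to " + address))
    return findings


if __name__ == "__main__":
    for line_no, address, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (line_no, name, address, reason))
```

On a live system read `%SystemRoot%\System32\drivers\etc\hosts` and pass its text in; a redirect finding (a name pointed at an external address) is the more dangerous case, since it silently sends traffic for that name elsewhere.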


Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Hooks on NtCreateProcess/NtCreateProcessEx and NtCreateFile/ZwOpenFile let the code act on every process created and every file opened from the hooked process; NtDeviceIoControlFile is on the path of socket I/O as well as driver control requests; NtQueryInformationProcess is typically hooked to alter what the process learns about itself (for instance the ProcessDebugPort query used for debugger detection). Because these are user-mode hooks, they can be confirmed by comparing the first bytes of each export in the process with the same bytes in the ntdll.dll file on disk (inline hooks), or the import table entries of the calling modules against the export addresses (IAT hooks).
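How the hooks listed above can be confirmed and decoded, as an added example (not the report's own tooling). The on-disk stub bytes, the export address and the hooked copy are constructed; HOOK_TARGET is set to the address of the RWX region the report recorded in the original process (10004000). On a live system ON_DISK would come from the export in the ntdll.dll file and IN_MEMORY from ReadProcessMemory on the suspect process; the comparison and trampoline decoding are the same.

```python
"""Detect and decode an inline hook on an ntdll export (the user-mode hook type listed above).

Added example, not part of the report. ON_DISK is a constructed 32-bit XP-style system
call stub; IN_MEMORY is that stub with its first five bytes replaced by a jmp to
HOOK_TARGET, the RWX region address the report recorded for the original process.
"""
import struct

EXPORT_ADDR = 0x7C90D0AE            # constructed virtual address of the export
HOOK_TARGET = 0x10004000            # RWX region listed for %original file name%.exe_1696

# mov eax, 25h ; mov edx, 7FFE0300h ; call [edx] ; ret 2Ch   (constructed stub bytes)
ON_DISK = bytes.fromhex("B825000000BA0003FE7FFF12C22C00")


def plant_jmp(addr, code, target):
    """Overwrite the first five bytes of `code` (located at `addr`) with jmp rel32 to `target`."""
    rel = (target - (addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel) + code[5:]


IN_MEMORY = plant_jmp(EXPORT_ADDR, ON_DISK, HOOK_TARGET)


def decode_trampoline(addr, code):
    """Return (kind, target) if `code` at `addr` begins with a common hook stub, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:                        # jmp rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return "jmp rel8", (addr + 2 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32 ; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                # jmp dword ptr [abs32]
        # the operand is the address of a pointer slot, not the final target
        return "jmp [abs32]", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax, imm32 ; jmp eax
        return "mov eax/jmp eax", struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(name, addr, on_disk, in_memory):
    """Compare an export's prologue on disk with the process copy and classify any patch."""
    if on_disk[:16] == in_memory[:16]:
        return {"function": name, "hooked": False}
    tramp = decode_trampoline(addr, in_memory)
    return {"function": name, "hooked": True,
            "kind": tramp[0] if tramp else "unknown patch",
            "target": tramp[1] if tramp else None}


if __name__ == "__main__":
    print(check_export("NtCreateFile", EXPORT_ADDR, ON_DISK, IN_MEMORY))
```

A target outside any loaded module, or inside an RWX region such as the one the report lists, is the usual sign of a malicious hook; a target inside a known DLL (an EDR or application-compatibility shim) needs to be identified before it is called a rootkit.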

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.5
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text      4096             23130        23552   4.44841  0bc2ffd32265a08d72b795b18265828d
.rdata    28672              4496         4608   3.59163  f179218a059068529bdb4637ef5fa28e
.data     36864            110488         1024   3.26405  975304d6dd6c4a4f076b15511e2bbbc0
.ndata   147456             73728            0   0        d41d8cd98f00b204e9800998ecf8427e
.rsrc    221184            158208       158208   4.58298  d3a14be87667ecf910e25cf20aec2d56

Two things in this table are expected rather than suspicious. .ndata has no raw data, so its MD5 is the hash of zero bytes (d41d8cd98f00b204e9800998ecf8427e); that is the uninitialised-data section of an NSIS installer, and the strings dump below carries the matching "Nullsoft Install System v2.46" manifest. No section has high entropy, so the "Packed" entropy verdict and the UPolyX PEiD match should be read as the NSIS stub and its compressed payload, not as a custom packer; the code of interest is in the files the installer drops (CnetInstaller-75761429.exe and the NSIS plug-in DLLs listed above), not in these sections.
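A triage pass over the section table above, added as an example (not from the report): it computes the entropy measure shown in the Entropy column and flags the rows discussed above. The rows are the report's values; the thresholds (7.0 bits per byte for packed data, a 4:1 virtual-to-raw size ratio) are this example's own choices.

```python
"""Triage a PE section table like the one above.

Added example, not part of the report. SECTIONS holds the report's rows; the thresholds
are this example's own.
"""
import hashlib
import math
from collections import Counter

# (name, virtual address, virtual size, raw size, entropy, section MD5) from the table above
SECTIONS = [
    (".text",    4096,  23130,  23552, 4.44841, "0bc2ffd32265a08d72b795b18265828d"),
    (".rdata",  28672,   4496,   4608, 3.59163, "f179218a059068529bdb4637ef5fa28e"),
    (".data",   36864, 110488,   1024, 3.26405, "975304d6dd6c4a4f076b15511e2bbbc0"),
    (".ndata", 147456,  73728,      0, 0.0,     "d41d8cd98f00b204e9800998ecf8427e"),
    (".rsrc",  221184, 158208, 158208, 4.58298, "d3a14be87667ecf910e25cf20aec2d56"),
]

EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # hash of zero bytes
PACKED_ENTROPY = 7.0                         # bits/byte; compressed or encrypted data sits near 8
BSS_RATIO = 4                                # virtual size this many times raw size => filled at run time


def shannon_entropy(data):
    """Entropy in bits per byte, the quantity in the table's Entropy column."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(sections):
    """Return human-readable notes for rows worth a second look."""
    notes = []
    for name, _va, vsize, rawsize, entropy, md5 in sections:
        if rawsize == 0:
            what = "NSIS uninitialised-data section, expected" if name == ".ndata" else "no data in file"
            notes.append("%s: raw size 0, md5 is the empty-input hash (%s): %s"
                         % (name, md5 == EMPTY_MD5, what))
        elif vsize > BSS_RATIO * rawsize:
            notes.append("%s: virtual size %d vs raw size %d: filled at run time (BSS or in-place unpacking)"
                         % (name, vsize, rawsize))
        if entropy >= PACKED_ENTROPY:
            notes.append("%s: entropy %.2f, compressed or encrypted content" % (name, entropy))
    if sections and max(s[4] for s in sections) < 6.5:
        notes.append("no high-entropy section: a 'Packed' verdict here reflects a known installer stub (NSIS), not a custom packer")
    return notes


if __name__ == "__main__":
    for note in triage(SECTIONS):
        print(note)
```

To run this against a file rather than a report, fill SECTIONS from the section headers (for example with the pefile module) and pass each section's raw bytes through `shannon_entropy`.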

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5
2689f737b3fa553e6cba920ec09969be
2ba0dd2e5f017e04bec91b3edd68261d
4bd6abce31c13cf73534ba36884046ee
651800a207df45b7df8fd74d529b3f43
a581b30aea0127f4089acfc24a2511cf

URLs

URL IP
hxxp://64.30.224.89/rest/v2.0/software/productDLM?partTag=spigotinstaller&productSetId=75761429
hxxp://a868.g.akamai.net/cnwk.1d/i/tim2/2014/04/17/iconimg_283791.png
hxxp://i.i.cbsi.com/cnwk.1d/i/tim2/2014/04/17/iconimg_283791.png 184.84.243.224
hxxp://api.cnet.com/rest/v2.0/software/productDLM?partTag=spigotinstaller&productSetId=75761429


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection

445/tcp is SMB. This is a threshold signature that fires on a burst of outbound connection attempts to that port, so on a workstation it usually indicates scanning for shares; that is consistent with the UNC path format string (\\%s\%s) and the "Windows NT Remote Printers" share descriptions in the 82.scr and 62.scr dumps below.

Traffic

GET /rest/v2.0/software/productDLM?partTag=spigotinstaller&productSetId=75761429 HTTP/1.1
Host: api.cnet.com
Accept: */*
Accept-Encoding: gzip


HTTP/1.1 200 OK
Date: Thu, 08 Jan 2015 21:09:59 GMT
Server: nginx
Content-Type: application/json
X-Powered-By: PHP/5.4.7
Content-Length: 1287
{
  "response": {
    "id": "13665343",
    "setId": "75761429",
    "name": "Letasoft Sound Booster - 1.2",
    "productName": "Letasoft Sound Booster",
    "productVersion": "1.2",
    "fileName": "SoundBoosterSetup.exe",
    "fileSize": "6255560",
    "fileMd5Checksum": "e337b1904376d479ebab1e2e4fb092d7",
    "publishDate": "2014-04-17T04:54:00-07:00",
    "categoryId": "2169",
    "category": "Downloads^MP3 & Audio Software^Audio Plugins",
    "license": "Free to try",
    "downloadLink": "http:\/\/software-files-a.cnet.com\/s\/software\/13\/66\/53\/43\/SoundBoosterSetup.exe?token=1420787399_524b79e0bf1238df188e6ce3289848e2&fileName=SoundBoosterSetup.exe",
    "trackedDownloadLink": "http:\/\/dw.cbsi.com\/redir?edId=1174&siteId=4&lop=feed.dl&ontId=2169&tag=tdw_dlman&pid=13665343&destUrl=http://software-files-a.cnet.com/s%2Fsoftware/13/66/53/43/SoundBoosterSetup.exe?token=1420787399_524b79e0bf1238df188e6ce3289848e2&fileName=SoundBoosterSetup.exe",
    "icons": "http:\/\/i.i.cbsi.com\/cnwk.1d\/i\/tim2\/2014\/04\/17\/iconimg_283791.png",
    "iconLabel": "Letasoft Sound Booster",
    "linkUrl": "http:\/\/download.cnet.com\/Letasoft-Sound-Booster\/3000-2169_4-75761429.html?tag=api",
    "weeklyDlCnt": "2941",
    "partnerSiteCode": ""
  }
}


GET /cnwk.1d/i/tim2/2014/04/17/iconimg_283791.png HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i.i.cbsi.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Server: Apache
Accept-Ranges: bytes
Content-Length: 2854
Last-Modified: Thu, 17 Apr 2014 18:59:03 GMT
ETag: "b26"
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Content-Type: image/png
Cache-Control: max-age=451637
Expires: Wed, 14 Jan 2015 02:37:17 GMT
Date: Thu, 08 Jan 2015 21:10:00 GMT
Connection: keep-alive
[binary PNG image body (2854 bytes) omitted]

<<< skipped >>>

The Trojan connects to the servers at the following location(s):


Strings from Dumps

%original file name%.exe_1696:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi7F.tmp\CnetInstaller-75761429.exe /home "c:" /ts 1418885975 /env prod
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi7F.tmp\System.dll
-2063532032
adm\LOCALS~1\Temp\nsi7F.tmp
am="C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi7F.tmp\CnetInstaller-75761429.exe" dir=in action=allow enable=yes
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi7F.tmp\System.dll
KERNEL32.DLL
advapi32.dll
oleaut32.dll
user32.dll
nsRandom.dll
.pdata
@.rsrc
@.reloc
nKey
kernel32.dll
T8<%f_
geP%F
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi7F.tmp
nsi7F.tmp
netInstaller-75761429.exe" dir=in action=allow enable=yes
Download.com
7556517
.reporting-download.com/advplatform/api.cgi?act=getDownloadLink
tp://VVV.reporting-download.com/advplatform/api.cgi?act=getDownloadLink
VVV.reporting-download.com/advplatform/api.cgi?act=getDownlo
..adLink
.adLink
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn7D.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
83951616
-2147284440
hXXp://VVV.reporting-download.com/advplatform/api.cgi?act=getDownloadLink&appid=75761429&ts=1418885975&dlip=1625869425&dlid=7556517&proto=1
hXXp://VVV.reporting-download.com/advplatform/CnetInstaller.exe?appid=75761429
hXXp://VVV.reporting-download.com/advplatform/api.cgi?act=postStat&proto=1
75761429
1418885975
1625869425
CnetInstaller-75761429.exe
WindowsXP
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

%original file name%.exe_1696_rwx_10004000_00001000:

callback%d

CnetInstaller-75761429.exe_744:

.text
`.rdata
@.data
.rsrc
@.reloc
8%uEP3
uDPV
uŸLtE9G,|@
u.VWj
vSSSh
tGHt.Ht&
FTPjK
FtPj;
C.PjRV
Could not resolve %s: %s; %s
getaddrinfo() failed for %s:%d; %s
init_resolve_thread() failed for %s; %s
%s:%d
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
%5[^:]:%d:%5s
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
Protocol %s not supported or disabled in libcurl
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
[email protected]
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
Closing connection %d
Connection %d seems to be dead!
Found bundle for host %s: %p
<url> malformed
:]://%[^
[^:]:%[^
Re-using existing connection! (#%ld) with host %s
%s://%s
Connection #%ld to host %s left intact
Internal error removing splay node = %d
Internal error clearing splay node = %d
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
In state %d with no easy_conn, bail out!
Pipe broke: handle 0x%p, url = %s
[%s %s %s]
Send failure: %s
Recv failure: %s
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
23[^;
=]=I99[^;
%s%s%s
# Fatal libcurl error
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
WARNING: failed to save cookies in %s
Failed to set SO_KEEPALIVE on fd %d
bind failed with errno %d: %s
Local port: %hu
getsockname() failed with errno %d: %s
Bind to local port %hu failed, trying next
Couldn't bind to '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getpeername() failed with errno %d: %s
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Failed to connect to %s: %s
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
couldn't connect to %s at %s:%d
Failed connect to %s:%ld; %s
Unable to parse FTP file list
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Issuer check against peer certificate failed
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: Accepting server connect has timed out
FTP: The server failed to connect to data port
FTP: weird server reply
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
URL using bad/illegal format or missing URL
Unsupported protocol
Winsock version not supported
Protocol family not supported
Address family not supported
Operation not supported
Socket is unsupported
Protocol is unsupported
Protocol option is unsupported
Unknown error %d (%#x)
%d.%d.%d.%d
%s%s%s%s%s%s
Session: %s
%s %s RTSP/1.0
Range: %s
Referer: %s
Accept-Encoding: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Transport: %s
Transport:
Refusing to issue an RTSP request [%s] without a session ID.
Got RTSP Session ID Line [%s], but wanted ID [%s]
Unable to read the CSeq header: [%s]
SMTP
LOGIN
EHLO %s
HELO %s
AUTH %s %s
No known authentication mechanisms supported!
AUTH %s
Got unexpected smtp-server response: %d
Remote access denied: %d
Access denied: %d
smtp
Authentication failed: %d
MAIL FROM:%s SIZE=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s
RCPT TO:<%s>
RCPT TO:%s
MAIL failed: %d
RCPT failed: %d
SMTPS not supported!
STARTTLS denied. %c
USER %s
APOP %s %s
Access denied. %c
PASS %s
%s %s
POP3S not supported!
LOGINDISABLED
%s CAPABILITY
%s LOGIN %s %s
%s AUTHENTICATE %s
%s STARTTLS
%s SELECT %s
%s FETCH 1 BODY[TEXT]
%s LOGOUT
IMAPS not supported!
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
invalid tsize -:%s:- value in OACK packet
%s (%ld)
blksize is smaller than min supported
%s (%d)
blksize is larger than max supported
%s (%d) %s (%d)
got option=(%s) value=(%s)
Received unexpected DATA packet block %d, expecting block %d
Received last DATA packet block %d again.
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: internal error
tftp_tx: giving up waiting for block %d ack
Received ACK for block %d, expecting %d
tftp_tx: internal error, event: %i
bind() failed; %s
%s%c%s%c
tftp_send_first: internal error
TFTP finished
TFTP response timeout
Can't get the size of %s
Can't open %s for writing
Last-Modified: %s, d %s M d:d:d GMT
Couldn't open file %s
There are more than %d entries
LDAP remote: %s
LDAP local: ldap_simple_bind_s %s
LDAP local: Cannot connect to %s:%hu
LDAP local: trying to establish %s connection
LDAP local: %s
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
CLIENT libcurl 7.29.0
MATCH %s %s %s
DEFINE %s %s
insufficient winsock version to support telnet
WSAStartup failed (%d)
%s %d %d
%s %s %d
%s %s %s
%s IAC %d
%s IAC %s
Sending data failed (%d)
%d (unknown)
%s (unsupported)
%s IAC SB
Syntax error in telnet option: %s
Unknown telnet option %s
7[^= ]%*[ =]%5s
USER,%s
%c%c%c%c%s%c%c
%c%s%c%s
7[^,],7s
%c%c%c%c
WSAEnumNetworkEvents failed (%d)
FreeLibrary(wsock2) failed (%d)
WSACloseEvent failed (%d)
WSACreateEvent failed (%d)
failed to find WSAEnumNetworkEvents function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSACreateEvent function (%d)
failed to load WS2_32.DLL (%d)
WS2_32.DLL
PORT
Failure sending PORT command: %s
,%d,%d
Failure sending EPRT command: %s
%s |%d|%s|%hu|
bind(port=%hu) failed: %s
bind() failed, we ran out of ports!
bind(port=%hu) on non-local address failed: %s
socket failure: %s
failed to resolve the address provided to PORT: %s
getsockname() failed: %s
Connect data stream passively
STOR %s
APPE %s
SIZE %s
RETR %s
ftp server doesn't support SIZE
PBSZ %d
Access denied: d
ACCT %s
ACCT rejected by server: d
Connecting to %s (%s) port %d
Failure sending QUIT command: %s
Uploading to a URL without a file name!
FTPS not supported!
FTP response aborted due to select/poll error: %d
FTP response timeout
MDTM %s
Bad PASV/EPSV response: d
Can't resolve new host %s:%hu
Can't resolve proxy host %s:%hu
Skips %d.%d.%d.%d for data connection, uses %s instead
%d,%d,%d,%d,%d,%d
Illegal port number in EPSV reply
%c%c%c%u%c
ddd d:d:d GMT
dddddd
unsupported MDTM reply format
QUOT string not accepted: %s
Wildcard - "%s" skipped by user
Wildcard - START of "%s"
Preparing for accepting server on data port
CWD %s
Failed FTP upload: 
RETR response: d
server did not report OK, got %d
Failure sending ABOR command: %s
Remembering we are in dir "%s"
PRET RETR %s
PRET STOR %s
PRET %s
REST %d
Got a d response code instead of the assumed 200
TYPE %c
Failed to do PORT
PRET command not accepted: d
Failed to MKD dir: d
MKD %s
QUOT command failed with d
Entry path is '%s'
PROT %c
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
Got a d ftp-server response when 220 was expected
%sAuthorization: Basic %s
%s:%s
%s auth using %s with user '%s'
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
The requested URL returned error: %s
If-Unmodified-Since: %s
Last-Modified: %s
If-Modified-Since: %s
%s, d %s M d:d:d GMT
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
Failed sending HTTP request
%s%s=%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
PTF://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
PTF://
Host: %s%s%s:%hu
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
HTTP error before end of send, stop sending
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
RTSP/%d.%d =
HTTP =
HTTP/%d.%d =
%s, algorithm="%s"
%s, opaque="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
%s:%s:x:%s:%s:%s
%s:%.*s
%s:%s:%s
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Failed to resolve "%s" for SOCKS4 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
User was rejected by the SOCKS5 server (%d %d).
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
Received HTTP code %d from proxy after CONNECT
CONNECT %s HTTP/%s
%s%s%s%s
Host: %s
%s%s%s:%hu
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
TUNNEL_STATE switched to: %d
HTTP/1.%d %d
password
login
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
operation aborted by callback
ioctl callback returned error %d
the ioctl callback returned %d
seek callback returned error %d
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Operation timed out after %ld milliseconds with %lld bytes received
No URL set!
[^?&/:]://%c
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Issue another request to this URL: '%s'
d:d
d:d:d
%s xxxxxxxxxxxxxxxx
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s
%s/%s
12345678
00000001
%c%c==
%c%c%c=
0123456789-
.jpeg
.html
; filename="%s"
--%s--
couldn't open file "%s"
Content-Type: %s
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
kernel32.dll
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
GetProcessWindowStation
USER32.DLL
operator
F%D,3
RegDeleteKeyExW
inflate 1.2.7.f-hanba-win64 Copyright (C) 2012 Jonathan Hanba
unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
()$^.* ?[]|\-{},:=!
.\MainDlg.cpp
invalid _N_type: %d
D:\Autobuild\Work\WinWrapper\Application\Release\Wrapper.pdb
RegQueryInfoKeyW
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
ADVAPI32.dll
PeekNamedPipe
KERNEL32.dll
GetKeyState
USER32.dll
GDI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
WS2_32.dll
WLDAP32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
zcÁ
.?AUDWebBrowserEvents2@@
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi7F.tmp\CnetInstaller-75761429.exe
Welcome/av.js
Welcome/img/bottomleft.png
Welcome/img/bottomright.png
F~.VVn]z
Welcome/img/check-icon.png
Welcome/img/download-logo.png
;].cy
Welcome/img/green-btn.png
Welcome/img/grey-btn.png
Welcome/img/installer-bg.jpg
\v.WQ
Welcome/img/topleft.png
Welcome/img/topright.png
Welcome/img/windows-32x32.png
Welcome/index.html
Welcome/script.js
Welcome/styles.css
Common/GALocalStorage.js
Common/jquery.min.js
sZ.yb
0][ø
pg.Zo
$0.DP
H6l.Emj
Common/json3.min.js
\.sSwn
Common/stats.js
Installation/index.html
Installation/script.js
Installation/styles.css
Installation/img/bottomleft.png
Installation/img/bottomright.png
Installation/img/download-logo.png
Installation/img/green-btn.png
Installation/img/grey-btn.png
Installation/img/installer-bg.jpg
Installation/img/pause-button.png
Installation/img/progressbar-left.png
Installation/img/progressbar-right.png
Installation/img/progressfilled-left.png
Installation/img/progressfilled-right.png
Installation/img/resume-button.png
Installation/img/stop-button.png
Installation/img/topleft.png
Installation/img/topright.png
Installation/img/windows-32x32.png
Finish/index.html
Finish/script.js
Finish/styles.css
Finish/img/bottomleft.png
Finish/img/bottomright.png
Finish/img/download-logo.png
Finish/img/green-btn.png
Finish/img/grey-btn.png
Finish/img/installer-bg.jpg
Finish/img/topleft.png
Finish/img/topright.png
Finish/img/windows-32x32.png
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
6#6'6 6/6
5 5$5(5,50545~5
7 7$7(7,7
6'6,60646]6
7-7R7e7}7
8 8$8(8,8
9 9$9,9@9`9
0,0004080\0`0
mscoree.dll
KERNEL32.DLL
%H:%M:%S
Line %d
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
Advapi32.dll
isRegKeyPresent
Download.com
%s(%d)
explorer.exe
The installer cannot be initialized. Please go back to Download.com and try again.
SCREENS_NO_CRT
welcome.zip
welcome\index.html
installation.zip
installation\index.html
finish.zip
finish\index.html
h...tt...p:/.../w...ww.re...p...or...t-d...ow...nlo...ad.c...om/a...dv...pla...tfo...rm/ap...i.c...gi?a...ct=g...etC...onfi...g&ap...pid=%1&p...ro...to=%2
SOFTWARE\Mozilla\Mozilla Firefox
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
http\shell\open\command
iexplore.exe
firefox.exe
Firefox
chrome.exe
Chrome
%s\%s
Download.com Installer
1, 1, 0, 4
Copyright (C) 2014 Download.com
CnetInstaller.exe
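The split URL string near the end of the CnetInstaller dump above (the line beginning h...tt...p) reassembles to hXXp://VVV.report-download.com/advplatform/api.cgi?act=getConfig&appid=%1&proto=%2; note that this host (report-download.com) differs from the reporting-download.com host in the other strings. The following is an added example, not code from the report or from the installer: it strips the three-dot separators, fills the %1/%2 placeholders with the appid and proto values seen in the other reporting-download URLs above (a constructed pairing), and defangs the result in the report's hXXp/VVV style.

```python
"""Reassemble the split URL template from the CnetInstaller strings above and defang it.

Added example, not part of the report. In these dumps a run of dots can be literal dots
or unprintable bytes the dumper replaced; either way the template is recovered by
removing each three-dot run. PARAMS is constructed from the appid/proto values that
appear in the other reporting-download URLs in the dump.
"""
import re
from urllib.parse import urlsplit

# Copied from the strings dump above.
OBFUSCATED = ("h...tt...p:/.../w...ww.re...p...or...t-d...ow...nlo...ad.c...om/a...dv...pla...tfo"
              "...rm/ap...i.c...gi?a...ct=g...etC...onfi...g&ap...pid=%1&p...ro...to=%2")

PARAMS = {"1": "75761429", "2": "1"}   # constructed: appid and proto seen elsewhere in the dump


def deobfuscate(s):
    """Remove each three-dot separator; a four-dot run is one separator plus a real dot."""
    return re.sub(r"\.{3}", "", s)


def fill_template(template, params):
    """Replace %1, %2, ... with the given values."""
    return re.sub(r"%(\d+)", lambda m: params[m.group(1)], template)


def defang(url):
    """Write the URL the way this report does: hXXp for http and VVV for www."""
    return re.sub(r"^http", "hXXp", url).replace("www.", "VVV.", 1)


def extract_ioc(s, params=None):
    """Return the host, path, query and a defanged form of the reassembled URL."""
    url = deobfuscate(s)
    if params:
        url = fill_template(url, params)
    parts = urlsplit(url)
    return {"host": parts.hostname, "path": parts.path, "query": parts.query,
            "defanged": defang(url)}


if __name__ == "__main__":
    print(extract_ioc(OBFUSCATED, PARAMS))
```

Splitting a URL into fragments like this defeats a plain string search for the domain, which is why the report's URL list (built from observed traffic) and its strings dump disagree: the host only appears here once the fragments are joined.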

82.scr_2412:

%Xw;=~
.COU$L7
KERNEL32.DLL
)KERNEL32.dll
)USER32.dll
)ADVAPI32.dll
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
)SHELL32.dll
ShellExecuteExA
ShellExecuteA
)WSOCK32.dll
)MPR.dll
)SHLWAPI.dll
)RPCRT4.dll
)COMCTL32.dll
)ntdll.dll
)MSVCRT.dll
_acmdln
EPSShSS
sysdrv32.sys
\sysdrv32.sys
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
HTTP/1.0 200 OK
Content-Type: %s
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Portuguese
\\%s\%s
onQhurlmT
PRIVMSG
s.start
s.stop
%s %s
%s\%s
dnsapi.dll
-;58<,;0
.text
h.rdata
H.data
.rsrc
B.reloc
VhTcpZWP
hTcpZV
hTcpZVS
hTcpZ
VhTcpZWS
tcpip.sys
b:\driver_new\i386\tcpz-x86.pdb
KeDelayExecutionThread
ntoskrnl.exe
HAL.dll
Microsoft Windows0
Microsoft Windows
hXXp://ocsp.verisign.com0
"hXXp://crl.verisign.com/tss-ca.crl0
Thawte Certification1
0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0
x"Œ
4 5. /."/6"7
: ;<=>"?
!9I%f
.uL2/
p/j/%c
Windows NT Remote Printers
Impresoras remotas Windows NT
Impresoras remotas de Windows NT
Stampanti remote di Windows NT
Imprimantes distantes pour Windows NT
Impr. remotas Windows NT
Impressoras remotas do Windows NT
Imp. remotas do Windows NT
\DosDevices\TCPZ-X86D
\Device\TCPZ-X86D
Windows Tcpip.sys Patcher
6.0.6000.3007 built by: WinDDK
tcpz.sys
Windows (R) Server 2003 DDK driver
6.0.6000.3007

82.scr_2412_rwx_299F5000_00001000:

KERNEL32.DLL

82.scr_2412_rwx_299F9000_00015000:

)KERNEL32.dll
)USER32.dll
)ADVAPI32.dll
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
)SHELL32.dll
ShellExecuteExA
ShellExecuteA
)WSOCK32.dll
)MPR.dll
)SHLWAPI.dll
)RPCRT4.dll
)COMCTL32.dll
)ntdll.dll
)MSVCRT.dll
_acmdln
EPSShSS
sysdrv32.sys
\sysdrv32.sys
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
HTTP/1.0 200 OK
Content-Type: %s
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Portuguese
\\%s\%s
onQhurlmT
PRIVMSG
s.start
s.stop
%s %s
%s\%s
dnsapi.dll
-;58<,;0
Windows NT Remote Printers
Impresoras remotas Windows NT
Impresoras remotas de Windows NT
Stampanti remote di Windows NT
Imprimantes distantes pour Windows NT
Impr. remotas Windows NT
Impressoras remotas do Windows NT
Imp. remotas do Windows NT

82.scr_2412_rwx_29A19000_00005000:

.text
h.rdata
H.data
.rsrc
B.reloc
VhTcpZWP
hTcpZV
hTcpZVS
hTcpZ
VhTcpZWS
tcpip.sys
b:\driver_new\i386\tcpz-x86.pdb
KeDelayExecutionThread
ntoskrnl.exe
HAL.dll
Microsoft Windows0
Microsoft Windows
hXXp://ocsp.verisign.com0
"hXXp://crl.verisign.com/tss-ca.crl0
Thawte Certification1
0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0
\DosDevices\TCPZ-X86D
\Device\TCPZ-X86D
Windows Tcpip.sys Patcher
6.0.6000.3007 built by: WinDDK
tcpz.sys
Windows (R) Server 2003 DDK driver
6.0.6000.3007

62.scr_2604:

(identical to the 82.scr_2412 string set above)

82.scr_2412_rwx_29AA4000_0050A000:

x"Œ

82.scr_2412_rwx_29FB5000_00007000:

4 5. /."/6"7
: ;<=>"?

62.scr_2604_rwx_299F5000_00001000, 62.scr_2604_rwx_299F9000_00015000, 62.scr_2604_rwx_29A19000_00005000, 62.scr_2604_rwx_29AA4000_0050A000, 62.scr_2604_rwx_29FB5000_00007000:

(same regions at the same addresses as the 82.scr_2412 dumps above, with identical contents)


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    22.scr:404
    svhost.exe:1012
    netsh.exe:1756
    netsh.exe:348

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\system\svhost.exe (46100 bytes)
    %System%\drivers\sysdrv32.sys (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\check-icon.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\progressbar-left.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish.zip (1176 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\index.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\topleft.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\topright.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\topleft.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\topright.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\progressbar-right.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\index.html (1256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\download-logo.png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\bottomright.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\grey-btn.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome.zip (941 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\progressfilled-left.png (992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\topright.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\propccleaner.zip (1960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\download-logo.png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\av.js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\installer-bg.jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\green-btn.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\resume-button.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\installer-bg.jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\script.js (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\grey-btn.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\stop-button.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\check-icon.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\bottomleft.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\installer-bg.jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation.zip (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\bottomleft.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\topleft.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\bottomright.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\topright.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\styles.css (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\index.html (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\green-btn.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\styles.css (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\script.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\windows-32x32.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\bottomright.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\installer-bg.jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\bg.png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\index.html (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\grey-btn.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\grey-btn.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\script.js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\grey-btn.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\installer-bg.jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\script.js (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\bottomright.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\bottomleft.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\windows-32x32.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\styles.css (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25.zip (1960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\download-logo.png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\windows-32x32.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\windows-32x32.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\bottomright.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Common\jquery.min.js (6984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\bottomleft.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KLUJGDAJ\iconimg_283791[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\topleft.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Spigot25\img\check-icon.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\windows-32x32.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\img\download-logo.png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\pause-button.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\script.js (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\bottomleft.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\topright.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\green-btn.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\progressfilled-right.png (996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\index.html (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\topleft.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Common\json3.min.js (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Common\stats.js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Finish\styles.css (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Installation\img\green-btn.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\img\green-btn.png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\ProPCCleaner\img\download-logo.png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{98016173-0C2B-4C7D-8875-452CC447306E}\Welcome\styles.css (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\ILKN6TC9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss7E.tmp (2491 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\5UVVXIDV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\2EEALLZ0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp\CnetInstaller-75761429.exe (54176 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\5UVVXIDV\CnetInstaller[1] (54176 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp\nsRandom.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KLUJGDAJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi7F.tmp\inetca.dll (784 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WSVCHO" = "%WinDir%\system\svhost.exe"

  6. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  7. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  8. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
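The steps above are worth verifying afterwards rather than trusting the reboot. The following Python script is an added example, not part of the Lavasoft report: it checks the autorun value, the hosts file, the dropped files and the running processes named in the steps. The paths, the value name WSVCHO and the stock localhost line are taken from the steps; the function names, the live-collection routine (winreg and tasklist) and the sample inputs are this example's own assumptions. Note that the dropped binary is svhost.exe (no "c") under %WinDir%\system, whereas the genuine service host is %WinDir%\system32\svchost.exe, so the check keys on that exact path rather than on the file name alone.

```python
"""Post-removal check for the artefacts named in the manual-removal steps.

Added example, not part of the Lavasoft report.  The file paths, the "WSVCHO"
Run value and the stock hosts line come from the steps above; the function
names and all sample inputs are this example's own constructions.
"""
import csv
import io
import os
import re
import subprocess
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "WSVCHO"                                  # step 5
DROPPED_FILES = [r"%WinDir%\system\svhost.exe",       # step 4: 'svhost' in \system,
                 r"%System%\drivers\sysdrv32.sys"]    # not System32\svchost.exe
PROCESS_NAMES = {"22.scr", "svhost.exe"}              # step 2; netsh.exe is a stock tool
MASQUERADE = re.compile(r"\\system\\svhost\.exe$", re.I)
STOCK_HOSTS = re.compile(r"(127\.0\.0\.1|::1)\s+localhost", re.I)


def expand(path: str, windir: str = r"C:\WINDOWS") -> str:
    """Expand the report's %WinDir% / %System% placeholders."""
    return path.replace("%System%", windir + r"\system32").replace("%WinDir%", windir)


def is_masquerade(path: str) -> bool:
    """True for the Trojan's svhost.exe path, False for the genuine service host."""
    return MASQUERADE.search(path) is not None


def suspicious_run_values(run_values: dict) -> list:
    """(name, data) pairs matching the autorun entry by value name or by target path."""
    return sorted((n, d) for n, d in run_values.items()
                  if n.upper() == RUN_VALUE or is_masquerade(d))


def hosts_additions(hosts_text: str) -> list:
    """Every active hosts line except the stock localhost mapping (step 6)."""
    extra = []
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].strip()          # drop comments and blanks
        if body and not STOCK_HOSTS.fullmatch(body):
            extra.append(" ".join(body.split()))      # normalise whitespace
    return extra


def report(run_values: dict, hosts_text: str, existing: list, processes: list) -> dict:
    """Combine the checks; an all-empty report means the steps were completed."""
    return {
        "run_values": suspicious_run_values(run_values),
        "hosts": hosts_additions(hosts_text),
        "files": sorted(p for p in existing if is_masquerade(p)
                        or p.lower().endswith(r"\drivers\sysdrv32.sys")),
        "processes": sorted(p for p in processes if p.lower() in PROCESS_NAMES),
    }


def collect_live() -> dict:
    """Gather the same inputs from a running Windows host (winreg is Windows-only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows")
    import winreg
    run_values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:                           # no more values
                break
            run_values[name] = str(data)
            i += 1
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    with open(expand(r"%System%\drivers\etc\hosts", windir), encoding="latin-1") as f:
        hosts_text = f.read()
    existing = [p for p in (expand(d, windir) for d in DROPPED_FILES) if os.path.exists(p)]
    out = subprocess.check_output(["tasklist", "/FO", "CSV", "/NH"], text=True)
    processes = [row[0] for row in csv.reader(io.StringIO(out)) if row]
    return report(run_values, hosts_text, existing, processes)


# Constructed sample inputs: a host where steps 5 and 6 were skipped.
SAMPLE_RUN = {"WSVCHO": r"C:\WINDOWS\system\svhost.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_HOSTS = ("# Copyright (c) 1993-1999 Microsoft Corp.\n"
                "127.0.0.1       localhost\n"
                "127.0.0.1   update.example   # constructed, not from the report\n")

if __name__ == "__main__":
    if sys.platform == "win32":
        findings = collect_live()
    else:
        findings = report(SAMPLE_RUN, SAMPLE_HOSTS,
                          [r"C:\WINDOWS\system\svhost.exe"], ["svchost.exe", "22.scr"])
    for what, items in findings.items():
        print(f"{what:<10} {items if items else 'clean'}")
```

Run it as an administrator on the cleaned host; anything other than four "clean" lines means one of the steps above was not completed. The check deliberately does not flag netsh.exe, which the Trojan launched but which is a stock Windows tool.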
