Trojan.GenericKD.3126638_032557d265

by malwarelabrobot on April 4th, 2016 in Malware Descriptions.

Trojan.Win32.Reconyc.fhkt (Kaspersky), Trojan.GenericKD.3126638 (B) (Emsisoft), Trojan.GenericKD.3126638 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 032557d265db6b8ff63dd143ff56f431
SHA1: 111695ad75fb86fc3b46d153e95fc986ae8789ab
SHA256: a163af1a1ac0a0f254c2dd7815d16b69b70b2b96a464fb24234014a8fcf043d7
SSDeep: 12288:sveGRx+nqZ5K4XNIECwWqKRUO8k6AQPe+UkxogdrGUjpO+o:+x+nqHTaEu2uSxzrGK6
Size: 733912 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Risomuri
Created at: 2016-03-26 08:13:13
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

The sample is a .NET executable (see the PEID result above and the mscoree.dll / _CorExeMain strings in the dumps below) whose version resource impersonates The Witcher 3 by CD Projekt Red. The artifacts it writes (%Documents and Settings%\%current user%\Application Data\Imminent\Geo.dat and a date-named file under ...\Imminent\Logs\), the geolocation lookup to iptrackeronline.com and the dynamic-DNS host crackers.zapto.org are consistent with a remote-access trojan built with the Imminent Monitor kit, which keeps its configuration and logs under %AppData%\Imminent; the automated analysis itself assigns no family beyond the generic detection names listed above.

Payload

No specific payload has been found by the automated analysis; the observed behaviour is described under file, registry and network activity below.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2964
%original file name%.exe:140
%original file name%.exe:2868
%original file name%.exe:1940
%original file name%.exe:3344
%original file name%.exe:2632
%original file name%.exe:2192
%original file name%.exe:3436
%original file name%.exe:2532
%original file name%.exe:1088

The Trojan injects its code into the following process(es):

%original file name%.exe:1060
%original file name%.exe:348

Both targets are further instances of the sample itself: the original process launches a copy of its own image and writes its payload into it, and the file, registry and network activity attributed to PIDs 1060 and 348 below is carried out by that injected code.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\Imminent\Geo.dat (35 bytes)
%Documents and Settings%\%current user%\Application Data\Imminent\Logs\03-04-2016 (265 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4 (22 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4 (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (12 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB (533 bytes)
%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe (10882 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (117 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)

Registry activity

Most of the values listed in this section (Cryptography\RNG "Seed", Explorer\Shell Folders, and the ESENT and Tracing keys under HKLM) are written by Windows components on behalf of any process that uses them and are not specific to this Trojan; the entries that matter for detection and removal are the two autorun values at the end of this section.

The process %original file name%.exe:2964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 41 08 EC E2 46 67 61 30 0A EF 8E 10 F9 B4 B4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 A6 A3 E7 9E 94 69 51 B9 89 4F 3D 71 58 BC 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C E5 81 00 17 AE B0 26 D6 92 8C BB 2C 58 7C A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\032557d265db6b8ff63dd143ff56f431\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 1E 61 2D DF 21 27 05 7F 83 01 59 4F 17 51 85"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

To run automatically at every logon of the infected user, the Trojan adds the following value to the user's Run key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe"

The value name imitates Windows Update, which does not register itself in this key, and the target is the 5441-byte file named svchost.exe dropped into a user-writable folder, not the genuine %System%\svchost.exe.

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\032557d265db6b8ff63dd143ff56f431\DEBUG]
"Trace Level"

The process %original file name%.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 1F AE 38 75 F8 EC F7 7B 4C 9D 6C 65 82 D1 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:3344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 61 AF 8A 5C DF F2 AC 69 B1 8B B0 A7 9D DF 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 57 26 29 F8 0A 68 38 8D 32 66 13 27 54 F9 03"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 59 ED 89 9A 67 7B 2B C1 8E E3 C3 BA B9 C6 79"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 39 B2 7B 87 D4 8E CD 70 8F 9B 8B 11 A9 3D 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 3B BE 7F 10 43 FD 24 FB 7C 8D 03 4B 27 AE CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 11 B0 21 6B 1E 1B 7D E7 95 16 62 65 C1 2D C2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 EC 16 44 C8 34 E2 F5 9C 08 AA F8 AB 9D D4 A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To run automatically at every logon of the infected user, the Trojan sets the same Run value again (same key and value name, so the later write replaces the earlier target), this time pointing at the copy dropped by process 348:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe"

vbc.exe is also the name of the Visual Basic compiler shipped with the .NET Framework; the genuine one lives under %SystemRoot%\Microsoft.NET\Framework, not in the user profile.
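As an added example that is not part of the Lavasoft report, the following Python triages Sysmon-style registry value-set records and scores Run/RunOnce values the way the two autorun entries above deserve to be scored: a target in a user-writable profile directory is a weak signal, while a system-binary name such as svchost.exe outside %SystemRoot% and a value name that imitates a Windows component ("Windows Update") are stronger ones. The sample records, the placeholder SID, the weights and the name lists are constructed for the example.

```python
import re

# Constructed sample records modelled on Sysmon Event ID 13 (RegistryEvent, value set).
# The first two reproduce the autorun values from the report; the last two are
# benign controls. S-1-5-21-1000 is a placeholder SID.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "Details": r"C:\Documents and Settings\alice\Application Data\Default Folder\svchost.exe"},
    {"TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "Details": r"C:\Documents and Settings\alice\Application Data\Restore\vbc.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)

# Profile directories an unprivileged user can write to (XP and Vista+ layouts).
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(documents and settings|users)\\[^\\]+\\"
    r"(application data|local settings|appdata|desktop|downloads)\\", re.I)

# Names that belong to binaries under %SystemRoot%; anywhere else they are a masquerade.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                       "services.exe", "explorer.exe", "smss.exe"}
# Value names imitating Windows components that never register themselves in Run.
IMPERSONATED_VALUE_NAMES = {"windows update", "microsoft update", "windows defender",
                            "security center"}

# Weights are illustrative (an assumption of this example); a finding needs
# FLAG_THRESHOLD points to be reported.
WEIGHT_USER_DIR, WEIGHT_MASQUERADE, WEIGHT_IMPERSONATION = 1, 3, 2
FLAG_THRESHOLD = 3


def strip_command(details):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    m = re.match(r"(.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?:\s|$)", d, re.I)
    return m.group(1) if m else d


def autorun_score(value_name, target):
    """Score one Run value by how much it resembles user-land malware persistence."""
    score, reasons = 0, []
    exe = target.rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE_RE.match(target):
        score += WEIGHT_USER_DIR
        reasons.append("runs from a user-writable profile directory")
    if exe in SYSTEM_BINARY_NAMES and not re.match(r"^[a-z]:\\windows\\", target, re.I):
        score += WEIGHT_MASQUERADE
        reasons.append(f"{exe} located outside %SystemRoot%")
    if value_name.lower() in IMPERSONATED_VALUE_NAMES:
        score += WEIGHT_IMPERSONATION
        reasons.append(f"value name '{value_name}' imitates a Windows component")
    return score, reasons


def triage_autorun_events(events, threshold=FLAG_THRESHOLD):
    """Return (value_name, target, score, reasons) for autorun values at or above threshold."""
    findings = []
    for ev in events:
        m = AUTORUN_KEY_RE.search(ev["TargetObject"])
        if not m:
            continue  # not a Run/RunOnce value
        value_name = m.group(2)
        target = strip_command(ev["Details"])
        score, reasons = autorun_score(value_name, target)
        if score >= threshold:
            findings.append((value_name, target, score, reasons))
    return findings


if __name__ == "__main__":
    for value_name, target, score, reasons in triage_autorun_events(SAMPLE_EVENTS):
        print(f"[{score}] {value_name!r} -> {target}: {'; '.join(reasons)}")
```

With the default threshold the svchost.exe entry scores 6 and the vbc.exe entry 3, while the OneDrive control (a legitimate per-user autorun) scores only 1 and is not reported; that separation is the reason a user-profile path alone is treated as a weak signal rather than a verdict.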

Dropped PE files

MD5                               File path
aaa698721f488b181bc0f0afc5da126a  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp1.tmp
aaa698721f488b181bc0f0afc5da126a  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp2.tmp
aaa698721f488b181bc0f0afc5da126a  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp3.tmp

The three temporary files are identical (one MD5; 67 bytes each according to the file activity above) and are deleted again by the Trojan (see the deleted files list); the copies that persist are svchost.exe and vbc.exe listed under File activity.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: CD Projekt Red
Product Name: The Witcher 3
Product Version: 3.0.0
Legal Copyright: Copyright (c) 2012 CD Projekt Red
Legal Trademarks:
Original Filename: fdsfkdlsfksdkf.exe
Internal Name: fdsfkdlsfksdkf.exe
File Version: 3.0.0
File Description: The Witcher 3
Comments: The Witcher 3
Language: English (United States)

The version resource is forged: it presents the file as The Witcher 3 by CD Projekt Red with a 2012 copyright, while the original and internal file name is the random string fdsfkdlsfksdkf.exe and the Company field in the file summary above reads Risomuri. Version metadata like this must not be used to whitelist a file.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   8192             598116        602112    4.21618   405552ddc5911d3f058e7a0fa2d1bc55
.rsrc   614400           106632        110592    3.18543   48a36826c5939c2ff1e849dc95bd5e43
.reloc  729088           12            4096      0.011373  62450b79009feb7de610244f5909301a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                                             IP
hxxp://e6845.dscb1.akamaiedge.net/pca3-g5.crl
hxxp://e6845.dscb1.akamaiedge.net/sv.crl
hxxp://iptrackeronline.com/
hxxp://sv.symcb.com/sv.crl                      23.43.133.163
hxxp://www.iptrackeronline.com/                 108.174.156.115
hxxp://s1.symcb.com/pca3-g5.crl                 23.43.133.163
crackers.zapto.org                              81.30.156.52

(URLs are defanged as hxxp; in the traffic dump below VVV stands for www.) The .crl requests to symcb.com and its akamaiedge.net edge hosts are certificate-revocation-list downloads made by Windows CryptoAPI (note the Microsoft-CryptoAPI User-Agent below); they accompany any certificate validation on the host and are not indicators of this Trojan. The request to iptrackeronline.com is an external IP/geolocation lookup issued by the Trojan with a hard-coded browser User-Agent that claims Chrome on Windows 7 64-bit (Windows NT 6.1; WOW64) although the analysis ran on Windows XP. crackers.zapto.org uses the No-IP zapto.org dynamic-DNS domain and is the only entry for which no HTTP request was captured; it and iptrackeronline.com are the network indicators worth blocking and hunting for.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset): no alerts are listed for this run.

Traffic

GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Host: VVV.iptrackeronline.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 03 Apr 2016 09:19:42 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.5.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
1edd..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN
" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<ht
ml xmlns="hXXp://VVV.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft
-com:vml">.<head>..<meta name="viewport" content="width=de
vice-width" />..<meta name="google-site-verification" content="C
yeqoD4FJhDmQx8oZ3yZY1-4utytwBE97dvSqELW5UQ" />.<meta name="msval
idate.01" content="6F8096A65FE90197E73B42CDE4CC4938" />..<meta h
ttp-equiv="Content-Type" content="text/html; charset=utf-8" />.<
meta http-equiv="Content-Language" content="en-us">.<meta name="
description" content="ipTRACKERonline is the Swiss Army Knife of IP Ad
dress Tracking. From email header analysis to IP geolocation this is t
he only IP tracking website to use." />...<meta name="keywords"
content="ip tracker, ip tracker online, track ip, email header analysi
s, email header analyzer, headers, email header analyser, analyze emai
l header, analyze email headers, email header analysis tool, mail head
er analyzer, e-mail header analyzer, ip track, track ip addresses, ema
il headers, email header, trace ip address, find ip" />...<meta
name="historic" content="Geo Location, geomarketing, Geo Marketing, DN
S tools, my ip ,ip, address, ,DNS Monitoring, Network Tools, my, what,
is, find, get, show, locate, geolocation, change, location, how, do,
ip address, proxy, server, anonymous, hide, conceal, stealth, surf, we
b, anonymizer, anonymize, changer, privacy, geolocation, geolocate

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: s1.symcb.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "1721969e732bcfdda4d85c16390eba70:1458842597"
Last-Modified: Thu, 24 Mar 2016 17:40:05 GMT
Date: Sun, 03 Apr 2016 09:19:33 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U
....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For aut
horized use only1E0C..U...<VeriSign Class 3 Public Primary Certific
ation Authority - G5..160322000000Z..160630235959Z0...*.H.............
.2.Z.....J..;.~^.....N.3..g .......'....s.c.5...?.2...Q./#`...y..;.i..
..?I.{......:5.....|5..b.......,:.H .Y.....nN..;.^..y..d5.....L.;o...l
...i...p.......)~..s..<y..#...U4..\.hQJo{QS....p<.X....D........
.....q$.p....k...I?U....Q2.j>......`..?....I...>.t.#HTTP/1.1 200
OK..Server: Apache..ETag: "1721969e732bcfdda4d85c16390eba70:145884259
7"..Last-Modified: Thu, 24 Mar 2016 17:40:05 GMT..Date: Sun, 03 Apr 20
16 09:19:33 GMT..Content-Length: 533..Connection: keep-alive..Content-
Type: application/pkix-crl..0...0..0...*.H........0..1.0...U....US1.0.
..U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2
006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Cla
ss 3 Public Primary Certification Authority - G5..160322000000Z..16063
0235959Z0...*.H..............2.Z.....J..;.~^.....N.3..g .......'....s.
c.5...?.2...Q./#`...y..;.i....?I.{......:5.....|5..b.......,:.H .Y....
.nN..;.^..y..d5.....L.;o...l...i...p.......)~..s..<y..#...U4..\.hQJ
o{QS....p<.X....D.............q$.p....k...I?U....Q2.j>......`..?
....I...>.t.#..

<<< skipped >>>

GET /sv.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: sv.symcb.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "f717e180578e12aba5a79158890368b8:1459632799"
Last-Modified: Sat, 02 Apr 2016 21:01:18 GMT
Date: Sun, 03 Apr 2016 09:19:33 GMT
Content-Length: 22563
Connection: keep-alive
Content-Type: application/pkix-crl
0.X.0.W....0...*.H........0.1.0...U....US1.0...U....Symantec Corporati
on1.0...U....Symantec Trust Network100...U...'Symantec Class 3 SHA256
Code Signing CA..160402210118Z..160416210118Z0.V 0!...M.h .{m.&...C...
.150827201412Z0!...\..N.....F.E..*..150818144018Z0!...o. .z..%5.O.W...
.150306094921Z0!.....p...3...!.!....150720000000Z0!.......7.cA...).`..
.151023214351Z0!....627.*[P.....[...160323133021Z0!....~_..N.W..f.1...
.150309185437Z0!.......w.....-Z.....150925144610Z0!......)-.5....Y....
.150420152841Z0!.... ...E...H] .....150324162430Z0!........pj.B....w..
.151109044625Z0!....0|..C`.3k....H..151109173817Z0!...A5.j..F.e....o4.
.150717171629Z0!...z..3vr.I..!.CW...151008143454Z0!...}I...jR.y.....x.
.150708140159Z0!....!..m.?.AN.......150623233015Z0!.......5.p...x..#..
[email protected]!...........m.......
.150427234712Z0!........6....&N.....151201011214Z0!...up..*..Di...;...
.151105201340Z0!.....44.41.$...[....160120143003Z0!..../G..g.......x..
.150306012430Z0!..........y..n"%.\..150615101331Z0!....a....D.....tB..
.150804133623Z0!...i....U..a:...Ll..150112095207Z0!....!........Z..A..
.150505104631Z0!.......='.N..c..A...160318172858Z0!...;.u..17Oz."5M.l.
.160223081528Z0!...As.......l..O....150520202423Z0!...A.{.t5...5.7..|.
.151203234419Z0!....0{...'..V.S ....150210000000Z0!....xs.._..0D...P..
.160309172942Z0!.....3..s.S.`..G....151114045946Z0!...H...n...w.(.....
.160317150133Z0!...v.~3} ......;....150907144307Z0!...............h.A.
.150902053702Z0!.....<[email protected]

<<< skipped >>>
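As an added example that is not part of the report, the following Python separates the indicators in the URLs table and the captured requests above from the Windows PKI noise: it undoes the report's defanging, parses the raw request headers, tags CRL fetches as noise, tags IP-lookup services, dynamic-DNS hosts and a browser User-Agent that claims a different OS from the analysis machine, and keeps only what deserves a blocklist entry. The sample inputs are copied from the report; the host lists, the "Windows NT 5.1" token and the tag names are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Constructed inputs. The two requests reproduce the request headers captured in the
# report's traffic section (defanged as printed there); the URL-table entries come
# from the report's URLs table. The analysis OS in the report is Windows XP.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36\n"
    "Host: VVV.iptrackeronline.com\n"
    "Connection: Keep-Alive\n",
    "GET /pca3-g5.crl HTTP/1.1\n"
    "Accept: */*\n"
    "User-Agent: Microsoft-CryptoAPI/5.131.2600.5512\n"
    "Host: s1.symcb.com\n"
    "Connection: Keep-Alive\n",
]
SAMPLE_URL_TABLE = [
    ("hxxp://sv.symcb.com/sv.crl", "23.43.133.163"),
    ("hxxp://www.iptrackeronline.com/", "108.174.156.115"),
    ("crackers.zapto.org", "81.30.156.52"),
]

SANDBOX_OS_TOKEN = "Windows NT 5.1"  # Windows XP; set to the OS the sample actually ran on
# Hosts that only answer "what is my public IP / where am I" (illustrative list).
IP_LOOKUP_HOSTS = {"iptrackeronline.com", "www.iptrackeronline.com", "api.ipify.org",
                   "ipinfo.io", "checkip.dyndns.org", "icanhazip.com"}
# Free dynamic-DNS suffixes commonly used for RAT command servers (illustrative list).
DDNS_SUFFIXES = ("zapto.org", "no-ip.org", "no-ip.biz", "no-ip.info", "hopto.org",
                 "ddns.net", "dyndns.org", "duckdns.org")


def undefang(text):
    """Reverse the report's defanging: hxxp -> http, VVV. -> www."""
    return re.sub(r"\bhxxp", "http", text, flags=re.I).replace("VVV.", "www.")


def parse_request(raw):
    """Parse a raw HTTP request (request line plus headers) into a dict."""
    lines = [l for l in undefang(raw).splitlines() if l.strip()]
    method, path, _version = lines[0].split()[:3]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers,
            "host": headers.get("host", "").lower()}


def classify(host, path="", user_agent=""):
    """Tag one contact; an empty set means nothing notable."""
    tags = set()
    host = host.lower()
    if path.lower().endswith(".crl") or user_agent.startswith("Microsoft-CryptoAPI"):
        tags.add("crl-fetch-noise")  # Windows revocation check, not the sample's own traffic
    if host in IP_LOOKUP_HOSTS:
        tags.add("external-ip-lookup")
    if any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES):
        tags.add("dynamic-dns-host")
    if "Mozilla/" in user_agent and "Windows NT" in user_agent and SANDBOX_OS_TOKEN not in user_agent:
        tags.add("spoofed-user-agent")  # browser UA claiming an OS other than the one running it
    return tags


def is_indicator(tags):
    """CRL fetches are PKI noise; anything else tagged is worth a blocklist entry."""
    return bool(tags) and "crl-fetch-noise" not in tags


def split_entry(entry):
    """Return (host, path) for a URL-table entry, which may be a bare host name."""
    u = undefang(entry)
    if "://" not in u:
        return u.lower(), ""
    p = urlparse(u)
    return (p.hostname or "").lower(), p.path


def indicators_from_report(requests, url_table):
    """Merge captured requests and the URL table into {host: tags} for real indicators."""
    out = {}
    for raw in requests:
        r = parse_request(raw)
        tags = classify(r["host"], r["path"], r["headers"].get("user-agent", ""))
        if is_indicator(tags):
            out.setdefault(r["host"], set()).update(tags)
    for entry, _ip in url_table:
        host, path = split_entry(entry)
        tags = classify(host, path)
        if is_indicator(tags):
            out.setdefault(host, set()).update(tags)
    return out


if __name__ == "__main__":
    for host, tags in sorted(indicators_from_report(SAMPLE_REQUESTS, SAMPLE_URL_TABLE).items()):
        print(host, sorted(tags))
```

Run against the report's own data this leaves exactly two hosts, www.iptrackeronline.com (external IP lookup with a spoofed User-Agent) and crackers.zapto.org (dynamic DNS), and drops the symcb.com CRL fetches; the spoofed-User-Agent rule only works when the analysis OS is known, which is why the token is a parameter rather than a constant to trust blindly.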

The Trojan connects to the servers at the following location(s): see the URLs table above (crackers.zapto.org at 81.30.156.52 and www.iptrackeronline.com at 108.174.156.115).

Strings from dumps

The strings recovered from process 1060 (below) identify a VB.NET assembly named server.exe built for runtime v2.0.50727 that carries an LZMA decompressor (SevenZip.Compression.LZMA) and two embedded resources, data.dat and lzma.dat; this is consistent with a loader stub that decompresses its real payload in memory rather than writing it to disk.

%original file name%.exe_1060:

.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
%dZ?"
 (%%D
}.vDl7
M%xP5O
}.gfF
%4S{\
.rT-"d
*8 %S
hE.%D
m.zkPq
J#%CG8,
\j.ns~'
3.37.3
.KDFQ"
.ynn'
5-8.UR~<,
.Sb[<
u$.lR
HS%CN
vV%Ct
.UkSI
.Ff:@
f22.ggw`
s8%S&
uq.bm
kz}{%f>
.NMm.
AI.PW
4cD%u
K7`i3.Gs
A|Qd.FUl
(.fsr
v2.0.50727
server.exe
Microsoft.VisualBasic
server.Resources.resources
Microsoft.VisualBasic.ApplicationServices
.ctor
System.CodeDom.Compiler
System.ComponentModel
Microsoft.VisualBasic.Devices
System.Diagnostics
m_MyWebServicesObjectProvider
.cctor
get_WebServices
HelpKeywordAttribute
System.ComponentModel.Design
WebServices
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Text
SevenZip.Compression.LZMA
System.Resources
System.IO.Compression
System.IO
System.Reflection
GetExecutingAssembly
System.Collections.Generic
8.0.0.0
My.Computer
My.Application
My.User
My.WebServices
4System.Web.Services.Protocols.SoapHttpClientProtocol
1.0.0.0
_CorExeMain
mscoree.dll
data.dat
lzma.dat

%original file name%.exe_1060_rwx_00400000_00052000:

(The string set of this region is identical to the one listed for %original file name%.exe_1060 above and is not repeated.)

%original file name%.exe_1060_rwx_00B90000_0000E000:

:y`.Ayh/Ay

%original file name%.exe_1060_rwx_00BD0000_00005000:

.yXPRV

%original file name%.exe_1060_rwx_675A6000_00003000:

.Qg<-Qg
*Rg`.Rg|)RgL Rg


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). The PIDs below are those observed in the sandbox run and will differ on an infected host; identify the processes by image path instead (the original file, %Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe and %Documents and Settings%\%current user%\Application Data\Restore\vbc.exe), and include the two instances of the sample into which it injected its code (1060 and 348 in this run):

    %original file name%.exe:2964
    %original file name%.exe:140
    %original file name%.exe:2868
    %original file name%.exe:1940
    %original file name%.exe:3344
    %original file name%.exe:2632
    %original file name%.exe:2192
    %original file name%.exe:3436
    %original file name%.exe:2532
    %original file name%.exe:1088

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe (5441 bytes)
    %Documents and Settings%\%current user%\Application Data\Imminent\Geo.dat (35 bytes)
    %Documents and Settings%\%current user%\Application Data\Imminent\Logs\03-04-2016 (265 bytes)
    %System%\wbem\Logs\wbemprox.log (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4 (22 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4 (140 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (12 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB (533 bytes)
    %Documents and Settings%\%current user%\Application Data\Restore\vbc.exe (10882 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB (160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (117 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
