Trojan.NSIS.StartPage_2414a4c523

by malwarelabrobot on December 24th, 2013 in Malware Descriptions.

Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 2414a4c523e354583db56ebc4af196b0
SHA1: 730884c3e55659bb4aa135373a2a6333fac99f0c
SHA256: f82439ae1c5fe2f524d80d92767856f0a610b70a0798d7048973833169062bd8
SSDeep: 6144:oPB6WgJSeBZyt8H ilr E06 xvKUptV5LJ2XD kwkavGfK:YrgJSe2cRF EWyEv5LJAD Qa fK
Size: 266646 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-07 00:42:05
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

TQAWM.exe:584
ipconfig.exe:4012
%original file name%.exe:2620
I_FreeCodecs.exe:2708

The Trojan injects its code into the following process(es):

ntvdm.exe:3024

File activity

The process TQAWM.exe:584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\NetworkService\IETldCache\index.dat (16 bytes)
%System%\config\systemprofile\iexplore.exe (5 bytes)
%System%\drivers\etc\hosts (1 bytes)

The process ntvdm.exe:3024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings% (4 bytes)
%WinDir%\Tasks\DLQIHDEQC.job (4 bytes)
%Documents and Settings%\NetworkService\IETldCache\index.dat (2756 bytes)
%WinDir%\Prefetch\TQAWM.EXE-18003656.pf (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\index.dat (4 bytes)
%WinDir%\AppPatch (4 bytes)
%WinDir%\Temp\scs3.tmp (33872 bytes)
%Documents and Settings%\NetworkService\LOCAL SETTINGS (4 bytes)
%System%\wbem\Repository\FS (4 bytes)
%WinDir% (536 bytes)
C:\$Directory (7360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (1425 bytes)
D:\ (4 bytes)
%System%\config\systemprofile (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_1e0.dat (4 bytes)
%Program Files% (4 bytes)
%Documents and Settings%\All Users\DOCUMENTS (4 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (10540 bytes)
%Documents and Settings%\NETWORKSERVICE (4 bytes)
%Program Files%\Wireshark (96 bytes)
%System%\config (4 bytes)
%System%\wbem (96 bytes)
%System%\drivers (480 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%WinDir%\Temp\scs4.tmp (10145 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
%Documents and Settings%\NetworkService\Cookies\index.dat (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\scs4.tmp (0 bytes)
%WinDir%\Temp\scs3.tmp (0 bytes)

The process %original file name%.exe:2620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\I_FreeCodecs.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (6450 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg1.tmp (0 bytes)

The process I_FreeCodecs.exe:2708 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\DLQIHDEQC.job (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\TQAWM.exe (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~unins5078.bat (49 bytes)

Registry activity

The process TQAWM.exe:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldDllVersionLow" = "393300864"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheLimit" = "8192"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"StaleIETldCache" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"ipconfig.exe" = "IP Configuration Utility"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheOptions" = "9"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%System%\config\systemprofile\Application Data"
"Personal" = ""

"Cache" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%\config\systemprofile]
"iexplore.exe" = "iexplore"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 01 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CachePath" = "%USERPROFILE%\IETldCache"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = ""

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldVersionHigh" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldDllVersionHigh" = "524288"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\NetworkService\Local Settings\History"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldVersionLow" = "8"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 BF 61 7A 17 D6 C4 5B 0D 53 42 98 5B 63 75 A1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CachePrefix" = "ietld:"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\NetworkService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheRepair" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation]
"TLDUpdates" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process ipconfig.exe:4012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 9E B3 AE 45 BA 3B 3E DD 9C A4 25 D1 95 F8 39"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process %original file name%.exe:2620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The process I_FreeCodecs.exe:2708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 5E 2F 95 54 99 7E 49 56 37 AC 94 47 F2 26 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\pfxyyoknu]
"PAPRPHG" = "96 95 24 54 B4 07 99 56 47 8E 51 1F AB 77 80 43"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\pfxyyoknu]
"PAPRPHG" = "96 95 24 54 B4 07 99 56 47 8E 51 1F AB 77 80 43"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\I_FreeCodecs.exe,"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://imagehut4.cn/update/utu.dat (ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 10) , Malicious) 65.19.157.228


HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 1003 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 thepiratebay.org
127.0.0.1 www.thepiratebay.org
127.0.0.1 mininova.org
127.0.0.1 www.mininova.org
127.0.0.1 forum.mininova.org
127.0.0.1 blog.mininova.org
127.0.0.1 suprbay.org
127.0.0.1 www.suprbay.org


Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    TQAWM.exe:584
    ipconfig.exe:4012
    %original file name%.exe:2620
    I_FreeCodecs.exe:2708

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\NetworkService\IETldCache\index.dat (16 bytes)
    %System%\config\systemprofile\iexplore.exe (5 bytes)
    %System%\drivers\etc\hosts (1 bytes)
    %WinDir%\Tasks\DLQIHDEQC.job (4 bytes)
    %WinDir%\Prefetch\TQAWM.EXE-18003656.pf (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
    %WinDir%\WinSxS (12 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
    %Documents and Settings%\NetworkService\Local Settings\History\History.IE5\index.dat (4 bytes)
    %WinDir%\AppPatch (4 bytes)
    %WinDir%\Temp\scs3.tmp (33872 bytes)
    %Documents and Settings%\NetworkService\LOCAL SETTINGS (4 bytes)
    %System%\wbem\Repository\FS (4 bytes)
    C:\$Directory (7360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (1425 bytes)
    D:\ (4 bytes)
    %WinDir%\Temp\Perflib_Perfdata_1e0.dat (4 bytes)
    %Program Files% (4 bytes)
    %Documents and Settings%\All Users\DOCUMENTS (4 bytes)
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (10540 bytes)
    %Documents and Settings%\NETWORKSERVICE (4 bytes)
    %Program Files%\Wireshark (96 bytes)
    %WinDir%\Temp\scs4.tmp (10145 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
    %Documents and Settings%\NetworkService\Cookies\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\I_FreeCodecs.exe (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %System%\TQAWM.exe (706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~unins5078.bat (49 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now