Trojan-PSW.Win32.Zbot.4_4b30ed79ea

by malwarelabrobot on April 10th, 2014 in Malware Descriptions.

Trojan.GenericKD.1629120 (BitDefender), TrojanDownloader:Win32/Upatre.A (Microsoft), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.DownLoader9.53534 (DrWeb), Trojan.GenericKD.1629120 (B) (Emsisoft), PWSZbot-FCI!4B30ED79EA4B (McAfee), Trojan.Zbot (Symantec), Trojan.GenericKD.1629120 (FSecure), Zbot.GTM (AVG), Win32:Malware-gen (Avast), TROJ_GEN.RFFFOC0D314 (TrendMicro), Trojan.GenericKD.1629120 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 4b30ed79ea4bfc274234c625d26de65b
SHA1: ba2b51e5fdfefef6dc897871f298f60c82553e16
SHA256: 27c86e710d25cae2963b175f807063fb4a2b256e64f3b77413de983efff1ec34
SSDeep: 384:GjKAEwiFIFnEkLOknqem5VxT/O5mhZKECSJx7BWx3LGLFkfHB6:GiwiFknEVMqnpi5m6pSJx7BWx3LGLFD
Size: 25734 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-04-02 00:13:21
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

update.exe:836
winsec.exe:1860
%original file name%.exe:1000

The Trojan-PSW injects its code into the following process(es):

iksefe.exe:164
Explorer.EXE:1680

File activity

The process update.exe:836 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54007 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (160247 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54007 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49082 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winsec.exe (1168384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (148115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (148115 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49082 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\0104AUm[1].exe (1168384 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)

The process winsec.exe:1860 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KLK4478.bat (175 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Viga (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Viga\iksefe.exe (1291264 bytes)

The process iksefe.exe:164 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user% (28672 bytes)
%System%\drivers\f1ca7.sys (60416 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (34304 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (126976 bytes)

The process %original file name%.exe:1000 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\update.exe (25816 bytes)

Registry activity

The process update.exe:836 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 D4 74 DE 57"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"WinSec.exe" = "winsec"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 E6 3A B9 39 FC EC F4 35 07 48 F8 A0 0C 80 A1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan-PSW modifies IE security zone settings so that all local web-nodes with no dots in their name that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"

The process winsec.exe:1860 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 26 D2 FF 3F 8F 8E 1C C1 64 E1 04 85 A1 F3 F1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process iksefe.exe:164 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A DC A1 3E 51 71 8C B5 C8 0B B6 19 E1 D5 AE B9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Ugpakybini]
"111eie9j" = "4E C1 C3 65 D3 10 E0 33 A7 65 DC 33 0B E4"

The process %original file name%.exe:1000 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 D7 EC 0A 21 1B B5 B7 75 3F 2A 93 47 67 E7 9F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"update.exe" = "update"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan-PSW modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW modifies IE security zone settings so that all local web-nodes with no dots in their name that are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-PSW modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
0c7d5a4f4d8b30a979b4e9fa9e3e4fa2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\update.exe
25ecdffa169bec23946f99782c5455d8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\0104AUm[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\Drivers\51ed07c5ac4ddc69.sys", the Trojan-PSW monitors the loading of executable images into memory by installing a load-image notify routine.
Using the driver "%System%\Drivers\51ed07c5ac4ddc69.sys", the Trojan-PSW monitors system registry operations by installing a registry notify callback.
The Trojan-PSW installs the following kernel-mode hooks:

ZwOpenProcess
ZwOpenThread

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 5034 5120 4.52259 e3e46e2bc40e11a07bd815398468c4c0
.rdata 12288 1432 1536 3.48439 45f9fa2865e0a557458acb00bbd84926
.data 16384 5868 6144 3.90967 33f08f9c5e59f69290556055f01220dd
.rsrc 24576 11456 11776 3.21886 9a50ca40021db616858395732214a9ab

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 7
d38bde5c7320241ea1c83af716fe79df
e320551800cc8f5042d5167e5adcecc3
f71b594fdec1033c4c3edc69a1df8651
44ec62a94a25803d92600adec4e7ea5e
1c1f24aeb49bbdc679ad75a3d5025ecb
b57927a865b351519becf47ad3b418b7
6a1e1754f210d2fc1be28568afc2da3f

URLs

URL IP
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
www.download.windowsupdate.com 184.84.243.97
partners-gs.com 94.23.146.92


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=12776
Date: Wed, 09 Apr 2014 15:09:42 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
1401CF3DB40B609892....



GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 12 Mar 2014 20:20:10 GMT
Accept-Ranges: bytes
ETag: "0b96c77303ecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 54007
Cache-Control: max-age=12433
Date: Wed, 09 Apr 2014 15:09:42 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
MSCF............,...................I.................lDxa .authroot.s
tl......8..CK...<T...g.v!M.d..f.%d..}K..5..F..d'K......%K..%...!..=
.k..........{=/....{g.~..........<.....h..b...8..Ep.x.....G. .....p
q..``a.i|"n|8...!..gv...: I........!...%$....;PBHA.....!A....L...'...:
..0...I....fD"N#...._..?....E..m..1\.$...{P....:......../...\YB.m:....
.dE.....)...V....$....Dn:....0E..S."...o..q.....K...I..K...(x%....>
A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,....`0$z.
@....x"....T..H...<.CQ..H.M.K.".H....`.....!.G....AF\.{...V..LCy.i
y..Q.'..M...bE.%..<...nG.3..\K.t..ah...5Z~.h...8..@.).... ....X...v
..,.-.M..u.......Z"..U...0:O%..}.(t............=R.......[b...z.....8..
)........M|..g..L.a...>....[.E&..{..|..t...[t..B......./[..&.L`.w..
..[L..ZW.... ."....<...I.G\.H[:...B.B.qT... ..(....: U....(.J.....?
._..'..Hp..o.B......!......bj.G.u^.%\r..b...*7.[nO..S...b.l@jn. .Hb...
M.....9.....8.='...)\.....M.#.M......L.Jh.../..G.!\.Y....&.....P^...,.
.U..3...W...._...0..?*...KZ....fM...8.6U..aG.a.......~....?.N. .3.....
,>.rH..*O..E..T0.......?i...k.T.'>".....E....%SK.v..8...t.:...].
E.K2....u..../i.t.9....2N..QI ..h..t..Ad....0.........*...R......|....
..7A:bP. n:.......Fk.[q....]D.......3.0.)...G]..?4.o...p......?...3...
[email protected]#.n\.-....p.T..G............4.......:H....2..9.|.`~0GL.=....u.y.
..L0iL.....A....^[email protected]#.T...{.......P.....[..j....
.i.%[email protected].@......]%..g.1..3Z6^<
;!.Q...m......9....l..x.....$7..[.....L........L....F*....D.U.'...

<<< skipped >>>

iksefe.exe_164_rwx_00990000_00001000:

kernel32.dll

iksefe.exe_164_rwx_00A20000_00006000:

PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll

iksefe.exe_164_rwx_01030000_0006D000:

.text
`.data
.idata
@.reloc
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
|F\V.NdV.G
|F\V.NdV.Y
r~O%S
~2'.CEYE
=.LL1{
1P2f"h{.Cw
dqZ%dLZDd-Zfd
hCV.hZVLh5V[h
0123456789
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
http://www.google.com/
http://www.bing.com/
6<2<<13{
2$ /!#"*
1,&51&6 6&
,&75(167(
 -,$# 722
aulbbiwslxpvvphxnjij.biz
RegDeleteKeyExW
gdiplus.dll
GdiplusShutdown
REPORT
HTTP/1.1
m9.td
t.Ht$HHt
w%fkN
L$$
zcÁ
MsgWaitForMultipleObjects
GetKeyboardState
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
Secur32.dll
ole32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
5 5$5(5,5054585<5
6 6$6(6,6064686<6@6
9!9%9)9-9195999=9
0!0*0.030:0
5m6
shell32.dll
kernel32.dll
"%s" %s
/c "%s"
urlmon.dll
\StringFileInfo\xx\%s
Wadvapi32.dll
cabinet.dll
rapport
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
%Documents and Settings%\%current user%\Local Settings\Temp
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{6D2DABD3-6C4A-40B1-99CD-5691B9DB7583}

Explorer.EXE_1680_rwx_01EC0000_0006D000:

.text
`.data
.idata
@.reloc
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
|F\V.NdV.G
|F\V.NdV.Y
r~O%S
~2'.CEYE
=.LL1{
1P2f"h{.Cw
dqZ%dLZDd-Zfd
hCV.hZVLh5V[h
0123456789
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
http://www.google.com/
http://www.bing.com/
6<2<<13{
2$ /!#"*
1,&51&6 6&
,&75(167(
 -,$# 722
aulbbiwslxpvvphxnjij.biz
RegDeleteKeyExW
gdiplus.dll
GdiplusShutdown
REPORT
HTTP/1.1
m9.td
t.Ht$HHt
w%fkN
L$$
zcÁ
MsgWaitForMultipleObjects
GetKeyboardState
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
Secur32.dll
ole32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
5 5$5(5,5054585<5
6 6$6(6,6064686<6@6
9!9%9)9-9195999=9
0!0*0.030:0
5m6
shell32.dll
kernel32.dll
"%s" %s
/c "%s"
urlmon.dll
\StringFileInfo\xx\%s
Wadvapi32.dll
cabinet.dll
rapport
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
%Documents and Settings%\%current user%\Local Settings\Temp
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{6D2DABD3-6C4A-40B1-99CD-5691B9DB7583}


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    update.exe:836
    winsec.exe:1860
    %original file name%.exe:1000

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (54007 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (160247 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54007 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49082 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\winsec.exe (1168384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (148115 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (148115 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49082 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\0104AUm[1].exe (1168384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KLK4478.bat (175 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Viga (4096 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Viga\iksefe.exe (1291264 bytes)
    %System%\drivers\f1ca7.sys (60416 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (34304 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\update.exe (25816 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
