Trojan-PSW.Win32.Zbot_c7287e4422

by malwarelabrobot on December 9th, 2014 in Malware Descriptions.

Trojan.Win32.Buzus.vwbo (Kaspersky), Trojan-PSW.Win32.Zbot.6.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR, TrojanPSWZbot.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: c7287e4422871dc4acfce32a2458fc5b
SHA1: 685e8277768bf6d529fb7eab47dd433f0679bfca
SHA256: c1cf5eb6e4991d2a9bab8b240a02a551354a31f811d47ea451f911a2fb38e535
SSDeep: 6144:0lu5m7JSwimyjqVQe2JdwmzyRUC0Tq70vv0c:0YEJSLOVivwiIN6Em9
Size: 222745 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Bunndle, Inc.
Created at: 2014-05-11 23:03:52
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

awury.exe:1312
awury.exe:516
%original file name%.exe:2824
%original file name%.exe:188

The Trojan-PSW injects its code into the following process(es):

infos.exe:2808
Explorer.EXE:1948

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process infos.exe:2808 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Windows Movie Maker.lnk (759 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Component Services.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (6 bytes)
%Documents and Settings%\%current user%\Recent\install.lnk (325 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Spider Solitaire.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Templates\powerpnt.ppt (12 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\excel4.xls (1 bytes)
%Documents and Settings%\All Users\DRM\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Suyzos\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Favorites\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XIJ0P23\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Spades.lnk (886 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Set Program Access and Defaults.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SKDVNS35\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\backup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\target.lnk (458 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (498 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Services.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Calculator.lnk (1 bytes)
%Documents and Settings%\All Users\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Restore.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\f3460226658fbb23ea3dca1a1a87079d.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\sndrec.wav (31 bytes)
%Documents and Settings%\%current user%\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\visualstudio2005.txt (125 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\Accessibility Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Reversi.lnk (886 bytes)
%Documents and Settings%\%current user%\Templates\excel4.xls (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\manifest.txt (3 bytes)
%Documents and Settings%\Default User\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\49634LEN\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Adobe Reader 9.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Pinball.lnk (858 bytes)
%Documents and Settings%\%current user%\Recent\2b6200d46c1082edec8ab31bb817a5d0.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\microsoftoffice2003.txt (428 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Local Security Policy.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Windows Genuine Advantage\Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\powerpnt.ppt (12 bytes)
%Documents and Settings%\%current user%\Recent\keys.lnk (420 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Information.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Outlook Express.lnk (711 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Performance.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander.lnk (533 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\K9HEIEIK\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\googledesktop.txt (561 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\WordPad.lnk (852 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (806 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Address Book\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Computer Management.lnk (1 bytes)
%Documents and Settings%\Default User\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (6 bytes)
%Documents and Settings%\%current user%\Cookies\71NENNCD.txt (319 bytes)
%Documents and Settings%\%current user%\Favorites\Links\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Microsoft PowerPoint Viewer .lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (6 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Protect\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\651992aa60dd3d5383d4d53b5a674ad3.lnk (827 bytes)
%Documents and Settings%\All Users\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (6 bytes)
C:\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Wireshark.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\New Connection Wizard.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
%Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (788 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\excel.xls (5 bytes)
%Documents and Settings%\All Users\Start Menu\Windows Update.lnk (1 bytes)
%Documents and Settings%\%current user%\Templates\winword2.doc (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander Help.lnk (533 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
%Documents and Settings%\%current user%\PrivacIE\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (776 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt (114 bytes)
%Documents and Settings%\LocalService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Color\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SXI7GPA3\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Desktop\Adobe Reader 9.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Backgammon.lnk (886 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\Images.lnk (558 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Uninstall or Repair Total Commander.lnk (533 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\e3e988e157cdf6b58472dd7196f054b9.lnk (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists\000BB706\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware vCenter Converter Standalone\db\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vistasidebar.txt (880 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\win7gadgets.txt (372 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Acrobat\9.0\Replicate\Security\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Ynid\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Volume Control.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\9f21b82663666fd739702d12a15aa4bb.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (4299 bytes)
%Documents and Settings%\%current user%\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Address Book.lnk (747 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Security Center.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Freecell.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (4593 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Hearts.lnk (886 bytes)
%Documents and Settings%\All Users\Application Data\VMware\hostd\stats\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\HTML Help\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (6 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\Logs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\Sample Music.lnk (611 bytes)
%Documents and Settings%\%current user%\Templates\winword.doc (4 bytes)
%Documents and Settings%\%current user%\Application Data\GHISLER\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
%Documents and Settings%\Default User\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\7b47b513a4408f2a72d11c60b579db33.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9xYOG5dWL0R72l4.exe (601 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\Sample Pictures.lnk (641 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\RDELF3AZ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
%Documents and Settings%\All Users\Start Menu\Windows Catalog.lnk (371 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
%Documents and Settings%\%current user%\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.0.1.lnk (653 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt (7 bytes)
%Documents and Settings%\Default User\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HyperTerminal.lnk (759 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (6 bytes)
%Documents and Settings%\%current user%\IETldCache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\20ae805884e31ea72fe481068a7642ee.lnk (827 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (166 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O097NFF5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9CVH8W1K\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (6 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Workstation\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\sandbox.lnk (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\843341fbbc85ced379158380effb462f.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Checkers.lnk (886 bytes)
%Documents and Settings%\All Users\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Event Viewer.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\80bb0a4c115ca5309baaf4c85017869e.lnk (493 bytes)
%Documents and Settings%\All Users\Documents\My Videos\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Favorites\Microsoft Websites\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GO93GVHZ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Hearts.lnk (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Activate Windows.lnk (1 bytes)
%Documents and Settings%\All Users\Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Paint.lnk (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Desktop\Total Commander.lnk (521 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\winword.doc (4 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\AU\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Solitaire.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\brndlog.txt (10 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Package Manager.lnk (592 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vmwarefilters.txt (997 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\release.lnk (540 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark Program Directory.lnk (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6SYQ5KI\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O9IVK92Z\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Templates\winword2.doc (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
%Documents and Settings%\%current user%\Recent\vmsc.lnk (314 bytes)
%Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (6 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\html.lnk (399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmpf0d43a8c\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WinPcap\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Sun\Java\Java Update\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
%Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\gtk-2.0\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\34e13727ac83abe7e32f4dc4eba26a8f.lnk (827 bytes)
%Documents and Settings%\%current user%\Recent\eb79f14b01c7b5dc6be43942f75a1623.lnk (827 bytes)
%Documents and Settings%\%current user%\Templates\sndrec.wav (31 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\18298\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Critic.lnk (588 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\start VM Statistics Logging.lnk (648 bytes)
%Documents and Settings%\NetworkService\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games\Minesweeper.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0OCWZCA9\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\LocalService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\1.lnk (647 bytes)
%Documents and Settings%\%current user%\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (6 bytes)
%Documents and Settings%\%current user%\My Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SJC9ZI9Z\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Documentation.lnk (596 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (6 bytes)
%Documents and Settings%\%current user%\Recent\vmsc (2).lnk (403 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Connections.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\My Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Recent\1045c4f76e09604f49eefd8501bfee0e.lnk (827 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (6 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Network\Connections\Pbk\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Character Map.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (142 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Windows Messenger.lnk (582 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (28 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Identities\{6855BFC2-9E4A-4896-A11D-74388FBABDC2}\Microsoft\Outlook Express\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Sound Recorder.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\VMware\SSL\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
%Documents and Settings%\%current user%\Templates\excel.xls (5 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MSN.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Setup Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Wireless Network Setup Wizard.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Backup.lnk (1 bytes)

The process awury.exe:516 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nszB6.tmp (8996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\killikinick.eau (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp\killikinick.dll (2392 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nskB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp\killikinick.dll (0 bytes)

The process %original file name%.exe:2824 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp1904682b.bat (177 bytes)
%Documents and Settings%\%current user%\Application Data\Suyzos\awury.exe (222 bytes)

The process %original file name%.exe:188 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\killikinick.eau (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfB3.tmp (8996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp\killikinick.dll (2392 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp\killikinick.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB2.tmp (0 bytes)
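
The file activity above is two components interleaved. The `ns*.tmp` files and the `nsXXX.tmp\killikinick.dll` plugin directory (together with the zero-raw-size `.ndata` section in the PE table further down) are the marks of an NSIS installer wrapping the dropper; `awury.exe` under `Application Data\Suyzos` is the persistent copy, and the 177-byte `tmp1904682b.bat` is consistent with the `del "%s"` / `if exist "%s" goto d` self-delete fragments in the strings dump. Everything written by `infos.exe:2808` is the ransomware component: a `HOW TO DECRYPT FILES.txt` note in every reachable directory (including `C:\`, the NetworkService and LocalService profiles and `Default User`) plus the in-scope files, which the strings dump shows being renamed with a `.CryptoLocker2015CryptoWal` suffix. The script below is an added example, not code from the report or from Lavasoft: it walks a tree and separates notes, renamed files and targeted-but-untouched files, so the blast radius can be scoped without reading every note as proof of loss. The directory layout it builds is constructed sample data, and the extension list is copied from the `*.ext` globs in the strings dump.

```python
"""
Disk triage for the ransomware component recorded above: locate the
"HOW TO DECRYPT FILES.txt" notes, the files renamed with the
".CryptoLocker2015CryptoWal" suffix, and targeted files that were not
renamed.  Added example; not code from the report or from the malware.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"
ENC_EXT = ".CryptoLocker2015CryptoWal"

# Extension list copied from the "*.ext" globs in this report's strings dump;
# the "*wallet*.dat" glob is handled separately in in_scope().
TARGET_EXTS = frozenset("""
zip rar tar gzip jpg jpeg psd cdr dwg max bmp gif png doc docx xls xlsx
ppt pptx txt pdf djvu htm html mdb cer pfx kwm pwm mdf dbf odt vob ifo lnk
torrent mov mpeg mpg flv avi mp4 wmv divx mkv mp3 wav flac ape wma ac3 ods
odp odm odb docm wps xlsm xlsb xlk pptm accdb
""".split())


def in_scope(name: str) -> bool:
    """Would the malware's glob list have matched this filename?"""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return False
    if ext.lower() == "dat":
        return "wallet" in stem.lower()        # the "*wallet*.dat" glob
    return ext.lower() in TARGET_EXTS


def original_name(encrypted: Path) -> Path:
    """ANSI.html.CryptoLocker2015CryptoWal -> ANSI.html (suffix is appended)."""
    return encrypted.with_name(encrypted.name[:-len(ENC_EXT)])


def triage(root) -> dict:
    """Walk root and bucket every file; paths come back relative to root."""
    root = Path(root)
    notes, encrypted, untouched = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.endswith(ENC_EXT):
                encrypted.append(path)
            elif in_scope(name):
                untouched.append(path)          # targeted type, not renamed

    def rel(p: Path) -> str:
        return str(p.relative_to(root)).replace(os.sep, "/")

    dirs_with_encrypted = {p.parent for p in encrypted}
    return {
        "notes": sorted(rel(p) for p in notes),
        "encrypted": sorted(rel(original_name(p)) for p in encrypted),
        "by_extension": dict(Counter(original_name(p).suffix.lower() for p in encrypted)),
        "untouched_in_scope": sorted(rel(p) for p in untouched),
        # The note dropper writes into every directory it can reach (this
        # report shows notes in C:\, NetworkService, LocalService, Default
        # User), so a note by itself does not prove that directory lost data.
        "note_only_dirs": sorted(rel(p.parent) for p in notes
                                 if p.parent not in dirs_with_encrypted),
    }


def build_sample_tree(root) -> None:
    """Constructed sample layout modelled on paths in this report (not real data)."""
    layout = {
        "HOW TO DECRYPT FILES.txt": "note",                          # C:\ in the report
        "Perl/html/lib/SQL/Dialects/HOW TO DECRYPT FILES.txt": "note",
        "Perl/html/lib/SQL/Dialects/ANSI.html" + ENC_EXT: "ciphertext",
        "Perl/html/lib/SQL/Dialects/Dialect.html" + ENC_EXT: "ciphertext",
        "Users/victim/My Documents/My Pictures/HOW TO DECRYPT FILES.txt": "note",
        "Users/victim/My Documents/My Pictures/Sunset.jpg" + ENC_EXT: "ciphertext",
        "Users/victim/My Documents/My Pictures/wallet.dat" + ENC_EXT: "ciphertext",
        "Users/victim/Desktop/Notepad.lnk": "shortcut",             # in scope, not renamed
        "Users/victim/Desktop/build.log": "not a targeted type",
        "Users/NetworkService/HOW TO DECRYPT FILES.txt": "note",
    }
    for relpath, content in layout.items():
        path = Path(root) / relpath
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo() -> dict:
    """Run the triage over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Point `triage()` at a mounted image or a restored share rather than the live victim; the `note_only_dirs` bucket is the list of places where a note was dropped but nothing in scope was renamed, which is what the NetworkService, LocalService and Default User entries above look like, and `untouched_in_scope` is the list worth checking for partial runs (a file type on the target list that kept its name may still have been overwritten in place, as the 1-byte `.lnk` writes above suggest).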

Registry activity

The process infos.exe:2808 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 7C 00 D6 2E DE 6C 87 60 33 B5 E0 0F 68 F8 5B"

[HKCR\NNANSSVPASHMXRT\shell\open\command]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe"

[HKCR\.CryptoLocker2015CryptoWal]
"(Default)" = "NNANSSVPASHMXRT"

[HKCR\NNANSSVPASHMXRT]
"(Default)" = "CRYPTED!"

[HKCR\NNANSSVPASHMXRT\DefaultIcon]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe,0"

[HKCU\Software\Microsoft\Focoy]
"Cano" = "EE B0 DB 91 4A 07 BA 72 C5 3F 5E 37 2B 08 DD 40"

To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmeter" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe"

The process awury.exe:1312 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 EF 36 7E E4 D2 E0 7C 03 1C 95 DE AD 42 3F 9E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process awury.exe:516 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 3D 11 89 13 7B E5 8B FE 48 D8 0E 1E E2 FB C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:2824 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 1A DF FF 52 07 EE BA 1E 84 5F 04 C5 AA 13 6A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:188 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F B4 FB 50 2C B0 2F 12 5B 31 33 FA 9A A8 1A C9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
eb9950f1438d8896f1fc3ca0a0a78777 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Suyzos\awury.exe
e8f3f8e61e61d2aebddee870a2138dc2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\9xYOG5dWL0R72l4.exe
e8f3f8e61e61d2aebddee870a2138dc2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmpf0d43a8c\infos.exe
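
Of the registry writes above, the `Cryptography\RNG\Seed` values are the side effect of any CryptoAPI random call, and the `Shell Folders` and `MountPoints2` entries are ordinary shell activity; none of them is an indicator. The entries that matter are the `Run` value `Alcmeter` and the file-association chain `HKCR\.CryptoLocker2015CryptoWal` -> `NNANSSVPASHMXRT` -> `shell\open\command`, which both point at `%TEMP%\9xYOG5dWL0R72l4.exe` (the same MD5 as `infos.exe` in the dropped-PE table), so the payload restarts at boot and again whenever a victim double-clicks an encrypted file (the `Password:` / `Password is incorrect!` strings in the dump are that dialog). The script below is an added example, not code from the report: a small `.reg` reader and the two checks over it, run on a constructed export modelled on these keys. It touches no live registry; the `victim` user name and the `VMware Tools` value are made up.

```python
"""
Registry triage for the entries above: a minimal .reg reader plus two checks,
(1) Run-key values that launch a binary from a user-writable directory and
(2) file-extension associations whose ProgID's shell\open\command does the
same.  Added example, not code from the report; SAMPLE_REG is a constructed
export modelled on the report's keys and no live registry is read.
"""
import re
from typing import Dict, Optional

USER_WRITABLE = re.compile(
    r"\\Temp\\|LOCALS~1|\\Application Data\\|\\AppData\\|%temp%|%appdata%", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
EXT_KEY = re.compile(
    r"^(HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"
    r"|HKEY_CURRENT_USER\\Software\\Classes)\\(\.[^\\]+)$", re.I)
EXE_IN_COMMAND = re.compile(r'^"?([^"]*?\.exe)', re.I)

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmeter"="C:\\DOCUME~1\\victim\\LOCALS~1\\Temp\\9xYOG5dWL0R72l4.exe"
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"

[HKEY_CLASSES_ROOT\.CryptoLocker2015CryptoWal]
@="NNANSSVPASHMXRT"

[HKEY_CLASSES_ROOT\NNANSSVPASHMXRT]
@="CRYPTED!"

[HKEY_CLASSES_ROOT\NNANSSVPASHMXRT\DefaultIcon]
@="C:\\DOCUME~1\\victim\\LOCALS~1\\Temp\\9xYOG5dWL0R72l4.exe,0"

[HKEY_CLASSES_ROOT\NNANSSVPASHMXRT\shell\open\command]
@="C:\\DOCUME~1\\victim\\LOCALS~1\\Temp\\9xYOG5dWL0R72l4.exe"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """{key: {value_name: data}}; '@' is the default value, strings unescaped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # \\ -> \ and \" -> "
            keys[current][name] = data
    return keys


def launched_exe(command: Optional[str]) -> Optional[str]:
    """Executable a shell command starts with, minus arguments or an icon index."""
    if not command:
        return None
    m = EXE_IN_COMMAND.match(command.strip())
    return m.group(1) if m else None


def find_indicators(keys: Dict[str, Dict[str, str]]) -> dict:
    run_hits, assoc_hits = [], []
    for key, values in keys.items():
        if RUN_KEY.search(key):
            for name, data in values.items():
                exe = launched_exe(data)
                if exe and USER_WRITABLE.search(exe):
                    run_hits.append({"key": key, "value": name, "exe": exe})
        m = EXT_KEY.match(key)
        if m:                       # ".ext" key -> ProgID -> shell\open\command
            hive, ext = m.group(1), m.group(2)
            progid = values.get("@", "")
            command = keys.get(f"{hive}\\{progid}\\shell\\open\\command", {}).get("@")
            icon = keys.get(f"{hive}\\{progid}\\DefaultIcon", {}).get("@")
            exe = launched_exe(command)
            if exe and USER_WRITABLE.search(exe):
                assoc_hits.append({
                    "extension": ext, "progid": progid, "exe": exe,
                    "label": keys.get(f"{hive}\\{progid}", {}).get("@"),
                    "icon_from_same_exe": bool(icon) and launched_exe(icon) == exe,
                })
    # The same binary in an autorun value and in a shell\open\command is the
    # strongest signal here: started at boot and on every double-click.
    both = {h["exe"].lower() for h in run_hits} & {h["exe"].lower() for h in assoc_hits}
    return {"run": run_hits, "assoc": assoc_hits, "linked_exes": sorted(both)}


def demo() -> dict:
    return find_indicators(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `reg export HKCR` from the suspect host, or a `.reg` produced from an offline hive; the `USER_WRITABLE` pattern is the part to tune, since legitimate per-user installers also run from `Application Data`, which is why the association check and the `linked_exes` cross-reference carry more weight than the Run-key hit on its own.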

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExW
HttpSendRequestExA
InternetReadFileExA
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
InternetCloseHandle
HttpQueryInfoA
InternetReadFile

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

SetCursorPos
DefMDIChildProcA
DefFrameProcA
DefDlgProcA
GetClipboardData
DefMDIChildProcW
DefFrameProcW
GetUpdateRgn
RegisterClassA
GetDCEx
ReleaseCapture
SetCapture
DefWindowProcA
CallWindowProcA
GetUpdateRect
PeekMessageA
CallWindowProcW
GetMessagePos
GetCursorPos
EndPaint
BeginPaint
DefWindowProcW
RegisterClassExA
GetMessageA
DefDlgProcW
SwitchDesktop
OpenInputDesktop
RegisterClassExW
RegisterClassW
GetCapture
PeekMessageW
GetMessageW
GetWindowDC
TranslateMessage
GetDC
ReleaseDC

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSASend
send
closesocket

The Trojan-PSW installs the following user-mode hooks in kernel32.dll:

GetFileAttributesExW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread
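
The hook set above is the form-grabbing layout of the Zeus family this sample is classified as: `HttpSendRequest*`, `InternetReadFile*` and `HttpQueryInfoA` in WININET see request bodies and responses before WinINet encrypts them, `send`/`WSASend` in WS2_32 cover clients that bypass WinINet, `PFXImportCertStore` catches client certificates as they are imported, `GetClipboardData` and the `BeginPaint`/`GetDC`/`GetUpdateRect` group feed clipboard and screen capture, `OpenInputDesktop`/`SwitchDesktop` are the usual support for a hidden remote-control desktop, and `LdrLoadDll`/`NtCreateThread` let the implant re-apply its hooks in newly loaded modules and threads; the `nspr4.dll`/`nss3.dll`/`PR_OpenTCPSocket` strings in the dumps are the Firefox equivalents. To confirm a hook, compare an export's first bytes in the live process with the on-disk image and decode where the redirect lands. The script below is an added example, not code from the report: the module bases, export addresses and byte strings are constructed sample data, while the injected-region range is taken from the dump name used further down in this report (`infos.exe_2808_rwx_00130000_00027000`) and the `mov edi,edi; push ebp; mov ebp,esp` prologue is the real hot-patchable convention of 32-bit Windows exports.

```python
"""
Inline-hook triage for the user-mode hooks listed above.  Each hooked export's
first bytes in the live process are compared with the clean prologue from the
on-disk image; a redirect stub is decoded and its destination checked against
the module map and the injected region named in this report's memory dump.
Added example, not code from the report: module bases, export addresses and
byte strings are constructed sample data.
"""
import struct
from typing import Dict, List, Optional, Tuple

# Assumed 32-bit module map of the victim process: name -> (base, size).
MODULES: Dict[str, Tuple[int, int]] = {
    "ntdll.dll":    (0x7C900000, 0x000B2000),
    "kernel32.dll": (0x7C800000, 0x000F6000),
    "WININET.dll":  (0x771B0000, 0x000AA000),
    "WS2_32.dll":   (0x71AB0000, 0x00017000),
    "CRYPT32.dll":  (0x77A80000, 0x00095000),
}
# mov edi,edi; push ebp; mov ebp,esp -- the hot-patchable prologue of most
# 32-bit Windows exports, and exactly what an inline hook overwrites.
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def parse_region_name(name: str) -> Tuple[int, int]:
    """'infos.exe_2808_rwx_00130000_00027000' -> (0x130000, 0x27000);
    the report names its dumps <process>_<pid>_<prot>_<base>_<size>."""
    _, base, size = name.rsplit("_", 2)
    return int(base, 16), int(size, 16)


def owner(addr: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None                                   # unbacked memory


def decode_redirect(addr: int, code: bytes) -> Optional[Tuple[str, int]]:
    """Recognise the stubs hooking engines write over a prologue."""
    if code[:1] == b"\xe9" and len(code) >= 5:                # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if code[:2] == b"\xff\x25" and len(code) >= 6:             # jmp dword ptr [abs]
        return "jmp [abs32]", struct.unpack_from("<I", code, 2)[0]
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":           # push imm32; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    return None


def classify(module: str, func: str, addr: int, live: bytes, clean: bytes,
             modules: Dict[str, Tuple[int, int]],
             injected: List[Tuple[int, int]]) -> dict:
    out = {"module": module, "function": func}
    if live[:len(clean)] == clean:
        return {**out, "status": "clean"}
    redirect = decode_redirect(addr, live)
    if redirect is None:
        return {**out, "status": "prologue modified", "bytes": live[:8].hex()}
    kind, target = redirect
    if kind == "jmp [abs32]":   # destination sits behind the pointer: read it next
        return {**out, "status": "indirect hook", "kind": kind, "pointer": hex(target)}
    out.update(kind=kind, target=hex(target))
    if any(base <= target < base + size for base, size in injected):
        return {**out, "status": "hooked -> injected region"}
    dest = owner(target, modules)
    if dest == module:
        return {**out, "status": "intra-module jump (hot-patch or relocation; verify)"}
    return {**out, "status": f"hooked -> {dest or 'unbacked memory'}"}


def jmp_rel32(src: int, dst: int) -> bytes:       # builders for the sample data
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def push_ret(dst: int) -> bytes:
    return b"\x68" + struct.pack("<I", dst) + b"\xc3"


# (module, export, address, bytes read from the live process) -- constructed.
SAMPLES = [
    ("WININET.dll", "HttpSendRequestA", 0x771D1234,
     jmp_rel32(0x771D1234, 0x00131F00) + b"\x90\x90\x90"),
    ("WS2_32.dll", "send", 0x71AB4C27, push_ret(0x00142A10) + b"\x90\x90"),
    ("CRYPT32.dll", "PFXImportCertStore", 0x77AC3E00,
     b"\xff\x25" + struct.pack("<I", 0x00150010) + b"\x90\x90"),
    ("kernel32.dll", "GetFileAttributesExW", 0x7C811F4B, CLEAN_PROLOGUE + b"\x83\xec\x1c"),
    ("ntdll.dll", "LdrLoadDll", 0x7C9163C3,
     jmp_rel32(0x7C9163C3, 0x7C93A000) + b"\x90\x90\x90"),
]


def scan(samples=SAMPLES, modules=MODULES,
         dump_names=("infos.exe_2808_rwx_00130000_00027000",)) -> List[dict]:
    injected = [parse_region_name(n) for n in dump_names]
    return [classify(m, f, a, live, CLEAN_PROLOGUE, modules, injected)
            for m, f, a, live in samples]


if __name__ == "__main__":
    for result in scan():
        print(result)
```

On a real system the `live` bytes come from `ReadProcessMemory` at the export's resolved address and `clean` from the same offset in the file mapped from disk (with relocations applied); a `jmp rel32` or `push/ret` that lands in a private RWX region of the size seen in the dumps here (`0x27000`, in both `infos.exe` and `Explorer.EXE`) is the confirmation, and the `jmp [abs32]` case needs one more read to follow the pointer before it can be judged.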

Propagation

VersionInfo

Company Name: TrueCrypt Foundation
Product Name: TrueCrypt
Product Version: 7.1.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 7.1.0
File Description: TrueCrypt Setup
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 25046 25088 4.51043 a436e6a5ee718deeb0af89624d941715
.rdata 32768 5216 5632 3.42794 9b909cc04ca8fa423df16432e48f502c
.data 40960 176056 1536 2.69571 f6e758c86da20cc0ec6efc2daea8d45a
.ndata 217088 65536 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 282624 7288 7680 2.81916 77a127e8424957d702582f9bd02074eb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan-PSW connects to the servers at the following location(s):

Strings from Dumps

infos.exe_2808:

.text
`.rdata
@.data
.rsrc
Wh%u@
user32.dll
GetProcessHeap
GetWindowsDirectoryA
kernel32.dll
ShellExecuteA
shell32.dll
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
advapi32.dll
shlwapi.dll
gdi32.dll
comctl32.dll
HOW TO DECRYPT FILES.txt
Password is incorrect!
To decrypt files, please enter correct password!
Entered password is correct. Press OK to start decrypting of files. Dont close window and wait until message "Files have been decrypted successfully!" appears.
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
explorer.exe
Password:
C:\Perl\html\lib\SQL\Dialects\ANSI.html
t.html
n.html
ars.html
.html
s.html
3BDF2F}.dat
rd.lnk
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmpf0d43a8c\infos.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe
C:\Perl\html\lib\SQL\Dialects\ANSI.html.CryptoLocker2015CryptoWal
C:\Perl\html\lib\SQL\Dialects\HOW TO DECRYPT FILES.txt
FILES.txt
S.txt
ES.txt
YPT FILES.txt
TO DECRYPT FILES.txt
RYPT FILES.txt
T FILES.txt
ILES.txt
%WinDir%\explorer.exe
2009:03:12 13:48:18
2008:03:24 16:41:53
(7),01444
'9=82<.342
:R%fxf
[XXf'.Ie
.tMCP
.ZDS5
.OBiF
*.zip
*.rar
*.tar
*.gzip
*.jpg
*.jpeg
*.psd
*.cdr
*.dwg
*.max
*.bmp
*.gif
*.png
*.doc
*.docx
*.xls
*.xlsx
*.ppt
*.pptx
*.txt
*.pdf
*.djvu
*.htm
*.html
*.mdb
*.cer
*.pfx
*.kwm
*.pwm
*.mdf
*.dbf
*.odt
*.vob
*.ifo
*.lnk
*.torrent
*.mov
*.mpeg
*.mpg
*.flv
*.avi
*.mp4
*.wmv
*.divx
*.mkv
*.mp3
*.wav
*.flac
*.ape
*.wma
*.ac3
*.ods
*.odp
*.odm
*.odb
*.docm
*.wps
*.xlsm
*.xlsb
*.xlk
*.pptm
*.accdb
*wallet*.dat
Cryptolocker Modefications CryptoWal 2015 Your important files Encryption produces on this computer: photos, videos, documents, etc. Here is a complete list in practic of encrypted files, and you can personally verify this.
Just after payment specify ONLY the Bitcoin Address. Our robot will check the Bitcoin ID and when the transaction will be completed, you'll receive your product code activation. Price How 1 Hamburger EASY Piza ON YOUR BRAIN After You Make Payment Your System Files Automaticaly Decrypt Start! Question Where You Buy Bitcoins? 1. We Reccommendation individual Specific Fast To You localbitcoins.com and Here Read Where Bitcoins Market 2. Visit Bitcoin.org

infos.exe_2808_rwx_00130000_00027000:

.text
`.data
.reloc
hXXp://VVV.google.com/webhp
PR_OpenTCPSocket
k.cim
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
: ;2*8.>
3.#70!2)
x#m`a`cmddt-
6 !26!1'1
7"52),,>
;<)?$*%,
71.(5;4=
(203,2$0
/?./,5 <
:>(<<44=3%
8%/<8/?)?/
%/><!8?>!
HTTP/1.1
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://
hXXps://
HTTP/1.
SSSh,4
GetProcessHeap
KERNEL32.dll
SetKeyboardState
ExitWindowsEx
MsgWaitForMultipleObjects
MapVirtualKeyW
GetKeyboardState
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
USER32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
PathIsURLW
UrlUnescapeA
SHDeleteKeyW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpSendRequestA
InternetCrackUrlA
HttpOpenRequestA
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
TUSSHO#
6 6&6/656{6
cGlobal\XXX
nspr4.dll
nss3.dll
SysShadow
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
:\Documents and Settings\"%CurrentUserName%"\Application Data\Ynid\kyuz.ani
%Documents and Settings%\%current user%\Application Data\Ynid
kyuz.ani
Global\{632C47B2-723D-1422-8350-35ECEA6ED5DB}
%Documents and Settings%\%current user%\Application Data
{F557F597-C018-8259-8350-35ECEA6ED5DB}
lobal\{632C47B3-723C-1422-8350-35ECEA6ED5DB}

Explorer.EXE_1948_rwx_01100000_00027000:

.text
`.data
.reloc
hXXp://VVV.google.com/webhp
PR_OpenTCPSocket
k.cim
gdiplus.dll
GdiplusShutdown
ole32.dll
gdi32.dll
: ;2*8.>
3.#70!2)
x#m`a`cmddt-
6 !26!1'1
7"52),,>
;<)?$*%,
71.(5;4=
(203,2$0
/?./,5 <
:>(<<44=3%
8%/<8/?)?/
%/><!8?>!
HTTP/1.1
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
urlmon.dll
cabinet.dll
hXXp://
hXXps://
HTTP/1.
SSSh,4
GetProcessHeap
KERNEL32.dll
SetKeyboardState
ExitWindowsEx
MsgWaitForMultipleObjects
MapVirtualKeyW
GetKeyboardState
OpenWindowStationW
GetProcessWindowStation
CreateWindowStationW
CloseWindowStation
SetProcessWindowStation
USER32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
PathIsURLW
UrlUnescapeA
SHDeleteKeyW
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
SetViewportOrgEx
GDI32.dll
WS2_32.dll
PFXImportCertStore
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpSendRequestA
InternetCrackUrlA
HttpOpenRequestA
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
HttpAddRequestHeadersW
WININET.dll
OLEAUT32.dll
NETAPI32.dll
6 6&6/656{6
cGlobal\XXX
nspr4.dll
nss3.dll
SysShadow
kernel32.dll
"%s" %s
/c "%s"
%sx.%s
%sx
%Documents and Settings%\%current user%\Application Data\Ynid\kyuz.ani
%Documents and Settings%\%current user%\Application Data\Ynid
kyuz.ani
Global\{632C47B2-723D-1422-8350-35ECEA6ED5DB}
%Documents and Settings%\%current user%\Application Data
{F557F597-C018-8259-8350-35ECEA6ED5DB}
Global\{632C47B3-723C-1422-8350-35ECEA6ED5DB}
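
The two memory dumps above are the same injected module (identical strings, identical `0x27000` size, one inside `infos.exe` and one inside `Explorer.EXE`); the `hXXp://VVV.google.com/webhp` entry is the kind of fixed URL this family uses to test connectivity, and the `Global\{...}` names are its synchronisation objects. Working from a dump like this, the useful first pass is to undo the sandbox's `hXXp`/`VVV` defanging, drop the truncated fragments (`S.txt`, `FILES.txt`, `lobal\{...}` are the tails of longer strings left by partially overwritten buffers) and bucket what remains. The script below is an added example, not code from the report: `SAMPLE_DUMP` is a constructed excerpt of the lines above, and the capability markers it looks for are the string groups a practitioner reads from this dump (the NSPR/NSS names for Firefox hooking, the `PFX*`/`Cert*` imports for certificate theft, the `del "%s"` batch fragments for self-deletion, the note name and suffix for the ransomware component).

```python
"""
IOC extraction from a strings dump like the two above.  Refangs the hXXp/VVV
notation, drops truncated fragments that are only the tail of a longer string,
buckets URLs, GUID-named objects, file-system and registry paths, target globs
and DLL names, and checks for the capability markers read from this report.
Added example, not code from the report; SAMPLE_DUMP is a constructed excerpt.
"""
import re
from typing import Dict, List

SAMPLE_DUMP = r"""
hXXp://VVV.google.com/webhp
PR_OpenTCPSocket
nspr4.dll
nss3.dll
del "%s"
if exist "%s" goto d
del /F "%s"
hXXp://
hXXps://
PFXImportCertStore
CertEnumCertificatesInStore
PFXExportCertStoreEx
HOW TO DECRYPT FILES.txt
TO DECRYPT FILES.txt
FILES.txt
S.txt
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe
C:\Perl\html\lib\SQL\Dialects\ANSI.html.CryptoLocker2015CryptoWal
%WinDir%\explorer.exe
%Documents and Settings%\%current user%\Application Data\Ynid\kyuz.ani
kyuz.ani
*.zip
*.pfx
*wallet*.dat
Global\{632C47B2-723D-1422-8350-35ECEA6ED5DB}
{F557F597-C018-8259-8350-35ECEA6ED5DB}
lobal\{632C47B3-723C-1422-8350-35ECEA6ED5DB}
Global\{632C47B3-723C-1422-8350-35ECEA6ED5DB}
"""

URL_RE = re.compile(r"\bh(?:xx|tt)ps?://\S+", re.I)
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
REG_RE = re.compile(r"^(?:HK[A-Z_]+\\|SOFTWARE\\)", re.I)
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[\w ]+%\\)\S")
GLOB_RE = re.compile(r"^\*[\w*]*\.\w+$")
DLL_RE = re.compile(r"^[\w.-]+\.dll$", re.I)

# Groups of strings that together indicate a capability; every needle must
# appear somewhere in the dump for the capability to be reported.
MARKERS = {
    "firefox hooking (NSPR/NSS)": ("nspr4.dll", "nss3.dll", "PR_OpenTCPSocket"),
    "certificate theft": ("PFXImportCertStore", "PFXExportCertStoreEx",
                          "CertEnumCertificatesInStore"),
    "self-delete batch": ('del "%s"', 'if exist "%s" goto d', 'del /F "%s"'),
    "ransomware note": ("HOW TO DECRYPT FILES.txt", ".CryptoLocker2015CryptoWal"),
    "autorun key": ("\\CurrentVersion\\Run",),
}


def refang(s: str) -> str:
    """hXXp://VVV.example -> http://www.example (sandbox defanging undone)."""
    return re.sub(r"h[xX]{2}p(s?)://", r"http\1://", s).replace("VVV.", "www.")


def collapse_fragments(lines: List[str]) -> List[str]:
    """Drop a string that is only the tail of another one (partially
    overwritten buffers leave 'S.txt', 'FILES.txt', 'lobal\\{...}' behind)."""
    return [s for s in lines if not any(t != s and t.endswith(s) for t in lines)]


def extract(dump: str) -> Dict[str, List[str]]:
    lines = list(dict.fromkeys(l.strip() for l in dump.splitlines() if l.strip()))
    lines = collapse_fragments(lines)
    out: Dict[str, List[str]] = {
        k: [] for k in ("urls", "guids", "registry", "paths", "globs", "dlls", "other")}
    for s in lines:
        s = refang(s)
        url, guid = URL_RE.search(s), GUID_RE.search(s)
        if url:
            out["urls"].append(url.group(0))
        elif guid:
            out["guids"].append(guid.group(0))
        elif REG_RE.match(s):
            out["registry"].append(s)
        elif PATH_RE.match(s):
            out["paths"].append(s)
        elif GLOB_RE.match(s):
            out["globs"].append(s)
        elif DLL_RE.match(s):
            out["dlls"].append(s)
        else:
            out["other"].append(s)
    out["capabilities"] = sorted(
        name for name, needles in MARKERS.items()
        if all(any(n in s for s in lines) for n in needles))
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(extract(SAMPLE_DUMP), indent=2))
```

The `globs` bucket is the target list to hand to backup and DLP owners, `guids` are the mutex/event names to sweep other hosts for, and `paths` carry the per-victim random directory and file names (`Suyzos\awury.exe`, `Ynid\kyuz.ani`, `9xYOG5dWL0R72l4.exe`) that are useless as shared indicators but exact for this one host; note that the suffix collapse is deliberately conservative and keeps any fragment that has no longer parent in the same dump.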


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    awury.exe:1312
    awury.exe:516
    %original file name%.exe:2824
    %original file name%.exe:188

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\All Users\Start Menu\Programs\Windows Movie Maker.lnk (759 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Component Services.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (6 bytes)
    %Documents and Settings%\%current user%\Recent\install.lnk (325 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Spider Solitaire.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Templates\powerpnt.ppt (12 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\hostd\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\excel4.xls (1 bytes)
    %Documents and Settings%\All Users\DRM\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Suyzos\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Favorites\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8XIJ0P23\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Spades.lnk (886 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Set Program Access and Defaults.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SKDVNS35\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\hostd\backup\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\target.lnk (458 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (498 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Services.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Calculator.lnk (1 bytes)
    %Documents and Settings%\All Users\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Restore.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk (1 bytes)
    %Documents and Settings%\%current user%\Recent\f3460226658fbb23ea3dca1a1a87079d.lnk (827 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\sndrec.wav (31 bytes)
    %Documents and Settings%\%current user%\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\visualstudio2005.txt (125 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\Accessibility Wizard.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Reversi.lnk (886 bytes)
    %Documents and Settings%\%current user%\Templates\excel4.xls (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\manifest.txt (3 bytes)
    %Documents and Settings%\Default User\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\49634LEN\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Adobe Reader 9.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Pinball.lnk (858 bytes)
    %Documents and Settings%\%current user%\Recent\2b6200d46c1082edec8ab31bb817a5d0.lnk (827 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\microsoftoffice2003.txt (428 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Local Security Policy.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Windows Genuine Advantage\Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\powerpnt.ppt (12 bytes)
    %Documents and Settings%\%current user%\Recent\keys.lnk (420 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\System Information.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Outlook Express.lnk (711 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Performance.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander.lnk (533 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\K9HEIEIK\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (6 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\googledesktop.txt (561 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\WordPad.lnk (852 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (806 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Address Book\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Computer Management.lnk (1 bytes)
    %Documents and Settings%\Default User\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (6 bytes)
    %Documents and Settings%\%current user%\Cookies\71NENNCD.txt (319 bytes)
    %Documents and Settings%\%current user%\Favorites\Links\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Protect\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Microsoft PowerPoint Viewer .lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Protect\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Defragmenter.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
    %Documents and Settings%\%current user%\Recent\651992aa60dd3d5383d4d53b5a674ad3.lnk (827 bytes)
    %Documents and Settings%\All Users\Desktop\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (6 bytes)
    C:\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Wireshark.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\32\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\New Connection Wizard.lnk (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
    %Documents and Settings%\%current user%\NetHood\SandboxOutput on Super File Server (192.168.1.163)\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (788 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\excel.xls (5 bytes)
    %Documents and Settings%\All Users\Start Menu\Windows Update.lnk (1 bytes)
    %Documents and Settings%\%current user%\Templates\winword2.doc (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Total Commander Help.lnk (533 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
    %Documents and Settings%\%current user%\PrivacIE\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Internet Explorer.lnk (776 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\brndlog.txt (114 bytes)
    %Documents and Settings%\LocalService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (6 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Color\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SXI7GPA3\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Desktop\Adobe Reader 9.lnk (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Notepad.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Backgammon.lnk (886 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\Images.lnk (558 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Total Commander\Uninstall or Repair Total Commander.lnk (533 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\e3e988e157cdf6b58472dd7196f054b9.lnk (827 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Playlists\000BB706\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\Themes\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware vCenter Converter Standalone\db\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vistasidebar.txt (880 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\win7gadgets.txt (372 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Acrobat\9.0\Replicate\Security\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Ynid\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\History\History.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Volume Control.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\9f21b82663666fd739702d12a15aa4bb.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Player\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (4299 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Address Book.lnk (747 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Security Center.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Freecell.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk (1 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (4593 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Hearts.lnk (886 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\hostd\stats\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\HTML Help\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (6 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Windows Media\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\Logs\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\My Documents\My Music\Sample Music.lnk (611 bytes)
    %Documents and Settings%\%current user%\Templates\winword.doc (4 bytes)
    %Documents and Settings%\%current user%\Application Data\GHISLER\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk (1 bytes)
    %Documents and Settings%\Default User\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\7b47b513a4408f2a72d11c60b579db33.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\9xYOG5dWL0R72l4.exe (601 bytes)
    %Documents and Settings%\%current user%\My Documents\My Pictures\Sample Pictures.lnk (641 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\RDELF3AZ\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
    %Documents and Settings%\All Users\Start Menu\Windows Catalog.lnk (371 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Tour Windows XP.lnk (1 bytes)
    %Documents and Settings%\%current user%\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\WinPcap\Uninstall WinPcap 4.0.1.lnk (653 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt (7 bytes)
    %Documents and Settings%\Default User\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HyperTerminal.lnk (759 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (6 bytes)
    %Documents and Settings%\%current user%\IETldCache\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\20ae805884e31ea72fe481068a7642ee.lnk (827 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (166 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O097NFF5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9CVH8W1K\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (6 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Workstation\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Remote Assistance.lnk (1 bytes)
    %Documents and Settings%\%current user%\Recent\sandbox.lnk (414 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\VMware\VMware vCenter Converter Standalone Client\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\843341fbbc85ced379158380effb462f.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Internet Checkers.lnk (886 bytes)
    %Documents and Settings%\All Users\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\My Documents\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools\Event Viewer.lnk (1 bytes)
    %Documents and Settings%\%current user%\Recent\80bb0a4c115ca5309baaf4c85017869e.lnk (493 bytes)
    %Documents and Settings%\All Users\Documents\My Videos\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Favorites\Microsoft Websites\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\GO93GVHZ\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\SendTo\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Hearts.lnk (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Activate Windows.lnk (1 bytes)
    %Documents and Settings%\All Users\Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Paint.lnk (1 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Accessibility\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Desktop\Total Commander.lnk (521 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\winword.doc (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\AU\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Solitaire.lnk (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\brndlog.txt (10 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Package Manager.lnk (592 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\vmwarefilters.txt (997 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\release.lnk (540 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark Program Directory.lnk (565 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6SYQ5KI\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O9IVK92Z\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Templates\winword2.doc (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Synchronize.lnk (1 bytes)
    %Documents and Settings%\%current user%\Recent\vmsc.lnk (314 bytes)
    %Documents and Settings%\Default User\Local Settings\Application Data\Microsoft\Media Player\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (6 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk (359 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Utility Manager.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\html.lnk (399 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmpf0d43a8c\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\WinPcap\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Sun\Java\Java Update\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Entertainment\Windows Media Player.lnk (777 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\gtk-2.0\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\34e13727ac83abe7e32f4dc4eba26a8f.lnk (827 bytes)
    %Documents and Settings%\%current user%\Recent\eb79f14b01c7b5dc6be43942f75a1623.lnk (827 bytes)
    %Documents and Settings%\%current user%\Templates\sndrec.wav (31 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (6 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\18298\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Perl Critic.lnk (588 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\VMware\VMware Tools\start VM Statistics Logging.lnk (648 bytes)
    %Documents and Settings%\NetworkService\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games\Minesweeper.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0OCWZCA9\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\1.lnk (647 bytes)
    %Documents and Settings%\%current user%\Templates\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (6 bytes)
    %Documents and Settings%\%current user%\My Documents\My Pictures\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds Cache\SJC9ZI9Z\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Wireshark\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\System Tools\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0\JavaScripts\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\NetworkService\Local Settings\Application Data\Microsoft\Windows\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\ActivePerl 5.16.2 Build 1602\Documentation.lnk (596 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (6 bytes)
    %Documents and Settings%\%current user%\Recent\vmsc (2).lnk (403 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Updater6\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Network\Downloader\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Connections.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Wireshark\Wireshark.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Command Prompt.lnk (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\History\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\My Documents\My Music\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Recent\1045c4f76e09604f49eefd8501bfee0e.lnk (827 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (6 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Application Data\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Network\Connections\Pbk\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Character Map.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (142 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Windows Messenger.lnk (582 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (28 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (210 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Identities\{6855BFC2-9E4A-4896-A11D-74388FBABDC2}\Microsoft\Outlook Express\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\Sound Recorder.lnk (1 bytes)
    %Documents and Settings%\All Users\Application Data\VMware\SSL\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Cookies\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Windows Media Player.lnk (765 bytes)
    %Documents and Settings%\%current user%\Templates\excel.xls (5 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment\HOW TO DECRYPT FILES.txt (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\MSN.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Network Setup Wizard.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications\Wireless Network Setup Wizard.lnk (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools\Backup.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB6.tmp (8996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\echopraxia\killikinick.eau (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nssB7.tmp\killikinick.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp1904682b.bat (177 bytes)
    %Documents and Settings%\%current user%\Application Data\Suyzos\awury.exe (222 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsfB3.tmp (8996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB4.tmp\killikinick.dll (2392 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Alcmeter" = "C:\DOCUME~1\%CurrentUserName%\LOCALS~1\Temp\9xYOG5dWL0R72l4.exe"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
