Trojan.Win32.IEDummy_27b9d7b037

by malwarelabrobot on August 14th, 2013 in Malware Descriptions.

Trojan.Win32.Patched.md (Kaspersky), Virus.Win32.Ramnit.a!dam (v) (VIPRE), Virus.Win32.Zbot!IK (Emsisoft), Trojan.Win32.IEDummy.FD, GenericInjector.YR, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 27b9d7b0370d2c2579d486fda9d10a72
SHA1: b709875f9d8e6cb8e360a1480cb3a378ad3d9c14
SHA256: 075dac8fdabea244d194bea4f20909236968c175f1a05c19eb7bfcf9c2398827
SSDeep: 6144:Ar82LJOUN5ME7sWpv/BECVmKKYw0lWa/i/qeDVvM:Ar82NNnMADpBNAKXwcD7eDq
Size: 283012 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-11-30 03:27:34


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

27b9d7b0370d2c2579d486fda9d10a72mgr.exe:604
ckxqffnw.exe:220
27b9d7b0370d2c2579d486fda9d10a72.exe:444

The Trojan injects its code into the following process(es):

iexplore.exe:1552
iexplore.exe:1776
iexplore.exe:424
iexplore.exe:1636

File activity

The process 27b9d7b0370d2c2579d486fda9d10a72mgr.exe:604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~TM2.tmp (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM1.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ckxqffnw.exe (41 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~TM2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ckxqffnw.exe (0 bytes)

The process ckxqffnw.exe:220 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rqbdgaea.sys (14 bytes)
%System%\wbem\Logs\wmiprov.log (4 bytes)
%System%\wbem\Logs\wbemcore.log (344 bytes)
%WinDir%\WinSxS (96 bytes)
\Device\Harddisk0\DR0 (216675 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (3361 bytes)
C:\$Directory (2008 bytes)
%WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%System%\wbem (1152 bytes)
%WinDir%\AppPatch (4 bytes)
%System% (11168 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rqbdgaea.sys (0 bytes)

The process 27b9d7b0370d2c2579d486fda9d10a72.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\27b9d7b0370d2c2579d486fda9d10a72mgr.exe (179 bytes)

The process iexplore.exe:1776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\cyljsdca\kfdvddln.exe (673 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\kfdvddln.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~TM4.tmp (1513871 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\lgdnecqm.log (96 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~TM4.tmp (0 bytes)
%Program Files%\cyljsdca\px3.tmp (0 bytes)

The process iexplore.exe:1636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):


Registry activity

The process 27b9d7b0370d2c2579d486fda9d10a72mgr.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 F2 7E 22 38 42 BD 97 CF C0 53 BB 53 0E B9 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ckxqffnw.exe" = "ckxqffnw"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process ckxqffnw.exe:220 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 B8 42 C9 9F 4A CA 24 8E 7F 5A 8E D4 66 96 5F"

The process 27b9d7b0370d2c2579d486fda9d10a72.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Apple Computer, Inc.\QuickTime\QuickTimeUpdateInProgress]
"QuickTimeUpdateCompletion" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Update Completion 0" = "c:\27b9d7b0370d2c2579d486fda9d10a72.exe -atboottime QuickTime Update Completion 0"

The process iexplore.exe:1552 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 F1 EB D2 25 65 19 E1 AA 8B FB A5 23 46 EC 69"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process iexplore.exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 E1 7F 16 B5 D5 5B CE 42 D6 E4 46 DA AB DD DB"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\userinit.exe,,%Program Files%\cyljsdca\kfdvddln.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]

The process iexplore.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 0B 3B C8 53 8A D1 12 AF 91 0C 36 42 4E 8D 4D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process iexplore.exe:1636 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 23 EC 0E B3 83 A1 77 73 DD F1 76 CC 24 8F 55"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1201" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1201" = "0"

Network activity (URLs)

URL IP
caswerdoomers.com 69.43.161.174
xopierhooter.com 69.43.161.180
google.com 24.200.237.99
zaertuoderkaxk.com 69.164.203.105
redor-moffies.com 69.164.203.105


Rootkit activity

The Trojan installs the following kernel-mode hooks:

ZwCreateKey
ZwOpenKey

The Trojan installs the following user-mode hooks in USER32.dll:

TranslateMessage

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSASendTo
WSARecvFrom
WSASend
recv
WSARecv
send
closesocket
recvfrom
sendto

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan the system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    27b9d7b0370d2c2579d486fda9d10a72mgr.exe:604
    ckxqffnw.exe:220
    27b9d7b0370d2c2579d486fda9d10a72.exe:444

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\~TM2.tmp (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~TM1.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ckxqffnw.exe (41 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rqbdgaea.sys (14 bytes)
    %System%\wbem\Logs\wmiprov.log (4 bytes)
    %System%\wbem\Logs\wbemcore.log (344 bytes)
    %WinDir%\WinSxS (96 bytes)
    \Device\Harddisk0\DR0 (216675 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
    %Documents and Settings%\All Users (4 bytes)
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (3361 bytes)
    C:\$Directory (2008 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7ac.dat (4 bytes)
    %WinDir%\AppPatch (4 bytes)
    C:\27b9d7b0370d2c2579d486fda9d10a72mgr.exe (179 bytes)
    %Program Files%\cyljsdca\kfdvddln.exe (673 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\kfdvddln.exe (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~TM4.tmp (1513871 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\lgdnecqm.log (96 bytes)
    C:\Perl\html\lib\CPAN.html (3416 bytes)
    C:\Perl\html\lib\DBD\File\Developers.html (4983 bytes)
    C:\Perl\html\lib\App\Prove\State.html (4548 bytes)
    C:\Perl\html\bin\instmodsh.html (2783 bytes)
    C:\Perl\html\lib\CPAN\Distroprefs.html (4911 bytes)
    C:\Perl\html\lib\CPAN\Meta.html (3273 bytes)
    C:\Perl\html\lib\CPANPLUS\Dist\Build\Constants.html (3984 bytes)
    C:\Perl\html\lib\DBD\Gofer\Transport\null.html (2929 bytes)
    C:\Perl\html\lib\CPANPLUS\Backend.html (4000 bytes)
    C:\Perl\html\lib\CGI\Carp.html (4113 bytes)
    C:\Perl\html\lib\ActiveState\Indenter.html (4466 bytes)
    C:\Perl\html\bin\enc2xs.html (4531 bytes)
    C:\Perl\html\lib\Class\MOP\MiniTrait.html (4467 bytes)
    C:\Perl\html\lib\Archive\Zip.html (2773 bytes)
    C:\Perl\html\lib\B\Debug.html (4123 bytes)
    C:\Perl\html\lib\CPANPLUS\Shell.html (5070 bytes)
    C:\Perl\html\lib\CPAN\Kwalify.html (3968 bytes)
    C:\Perl\html\lib\CPAN\Debug.html (3234 bytes)
    C:\Perl\html\lib\ActivePerl\DocTools\Pod.html (4991 bytes)
    C:\Perl\html\lib\bignum.html (4855 bytes)
    C:\Perl\html\Components\Descriptions.html (4449 bytes)
    C:\Perl\html\lib\Data\Dump\Filtered.html (4867 bytes)
    C:\Perl\html\lib\Benchmark.html (2568 bytes)
    C:\Perl\html\lib\ActivePerl\PPM\Profile.html (3339 bytes)
    C:\Perl\html\bin\h2xs.html (4651 bytes)
    C:\Perl\html\bin\lwp-download.html (3719 bytes)
    C:\Perl\html\lib\Archive\Tar.html (6165 bytes)
    C:\Perl\html\bin\cpan2dist.html (3497 bytes)
    C:\Perl\html\lib\Class\C3\next.html (3780 bytes)
    C:\Perl\html\lib\DBD\ODBC\TO_DO.html (2399 bytes)
    C:\Perl\html\lib\CPANPLUS\Dist\Autobundle.html (4065 bytes)
    C:\Perl\html\activeperl.html (4402 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0_18\lzma.dll (2334 bytes)
    C:\Perl\html\bin\h2ph.html (4677 bytes)
    C:\Perl\html\bin\nytprofmerge.html (5049 bytes)
    C:\Perl\html\lib\CPAN\Tarzip.html (3176 bytes)
    C:\Perl\html\lib\CPAN\Meta\Feature.html (4253 bytes)
    C:\Perl\html\bin\pod2latex.html (4296 bytes)
    C:\Perl\html\lib\B\Lint.html (4788 bytes)
    C:\Perl\html\lib\ActivePerl\PPM\PPD.html (4664 bytes)
    C:\Perl\html\lib\DBD\ODBC\Changes.html (2564 bytes)
    C:\Perl\html\bin\perlcritic-gui.html (3453 bytes)
    C:\Perl\html\bin\lwp-mirror.html (3847 bytes)
    C:\Perl\html\lib\DBD\Gofer.html (4483 bytes)
    C:\Perl\html\bin\tkx-ed.html (3634 bytes)
    C:\Perl\html\lib\Class\MOP.html (4123 bytes)
    C:\Perl\html\lib\Archive\Zip\FAQ.html (2461 bytes)
    C:\Perl\html\bin\podselect.html (3835 bytes)
    C:\Perl\eg\IEExamples\index.htm (4275 bytes)
    C:\Perl\html\lib\ActiveState\StopWatch.html (3636 bytes)
    C:\Perl\html\lib\ActivePerl\PPM\Package.html (4856 bytes)
    C:\Perl\html\lib\CPANPLUS\Backend\RV.html (4688 bytes)
    C:\Perl\html\lib\CPAN\HandleConfig.html (3983 bytes)
    C:\Perl\html\lib\DBD\Gofer\Transport\pipeone.html (4254 bytes)
    C:\Perl\html\lib\CPAN\Meta\Validator.html (2597 bytes)
    C:\Perl\html\Components\Windows\PerlScript.html (4683 bytes)
    C:\Perl\html\lib\CPANPLUS\Dist\Build.html (3053 bytes)
    C:\Perl\html\lib\DBD\File.html (4821 bytes)
    C:\Perl\html\faq\Windows\ActivePerl-Winfaq8.html (5695 bytes)
    C:\Perl\html\lib\DBD\Oracle\GetInfo.html (4069 bytes)
    C:\Perl\html\lib\CPAN\FirstTime.html (3211 bytes)
    C:\Perl\html\lib\Class\C3.html (4588 bytes)
    C:\Perl\html\lib\CPANPLUS\FAQ.html (3594 bytes)
    C:\Perl\html\faq\Windows\ActivePerl-Winfaq7.html (4719 bytes)
    C:\Perl\html\bin\mech-dump.html (3411 bytes)
    C:\Perl\html\bin\pstruct.html (4924 bytes)
    C:\Perl\html\bin\json_pp.html (4071 bytes)
    C:\Perl\html\lib\CPANPLUS\Module\Checksums.html (2829 bytes)
    C:\Perl\html\lib\CPAN\Queue.html (3332 bytes)
    C:\Perl\html\Components\Windows\PerlISAPI.html (3706 bytes)
    C:\Perl\html\lib\CPAN\Meta\Spec.html (4490 bytes)
    C:\Perl\html\bin\dbiproxy.html (5723 bytes)
    C:\Perl\html\bin\pl2pm.html (4309 bytes)
    C:\Perl\html\lib\Class\MOP\Mixin\HasAttributes.html (3953 bytes)
    C:\Perl\html\lib\Class\MOP\Module.html (4591 bytes)
    C:\Perl\html\bin\s2p.html (4503 bytes)
    C:\Perl\html\lib\DBD\CSV.html (4472 bytes)
    C:\Perl\html\lib\autodie\hints.html (4642 bytes)
    C:\Perl\html\lib\Algorithm\Diff.html (3010 bytes)
    C:\Perl\html\lib\DBD\DBM.html (4062 bytes)
    C:\Perl\html\bin\perlthanks.html (5217 bytes)
    C:\Perl\html\lib\ActivePerl.html (4576 bytes)
    C:\Perl\html\lib\autodie\exception.html (5175 bytes)
    C:\Perl\html\bin\ptar.html (2232 bytes)
    C:\Perl\html\bin\nytprofhtml.html (5431 bytes)
    C:\Perl\html\lib\CPANPLUS\Configure.html (4505 bytes)
    C:\Perl\html\lib\Class\MOP\Mixin.html (4278 bytes)
    C:\Perl\html\lib\Class\MOP\Class\Immutable\Trait.html (3288 bytes)
    C:\Perl\html\lib\ActiveState\Table.html (4856 bytes)
    C:\Perl\html\lib\ActiveState\Duration.html (3958 bytes)
    C:\Perl\html\lib\ActiveState\DateTime.html (4145 bytes)
    C:\Perl\html\lib\Bundle\DBI.html (2573 bytes)
    C:\Perl\html\lib\ActiveState\PerlCritic\UserProfile.html (4119 bytes)
    C:\Perl\html\lib\CGI\Fast.html (3527 bytes)
    C:\Perl\html\lib\DBD\ODBC.html (5111 bytes)
    C:\Perl\html\lib\CPANPLUS\Dist.html (4853 bytes)
    C:\Perl\html\lib\CPANPLUS\Shell\Default\Plugins\CustomSource.html (3922 bytes)
    C:\Perl\html\lib\B\Terse.html (4344 bytes)
    C:\Perl\html\lib\Bit\Vector\Overload.html (3972 bytes)
    C:\Perl\html\lib\ActiveState\DiskUsage.html (4591 bytes)
    C:\Perl\html\lib\DBD\File\HowTo.html (5219 bytes)
    C:\Perl\html\lib\CPAN\Mirrors.html (4914 bytes)
    C:\Perl\bin\PerlMsg.dll (2761 bytes)
    C:\Perl\html\lib\ActivePerl\PPM\InstallArea.html (4682 bytes)
    C:\Perl\html\bin\libnetcfg.html (4251 bytes)
    C:\Perl\html\bin\ppm.html (2453 bytes)
    C:\Perl\html\lib\CGI\Cookie.html (2540 bytes)
    C:\Perl\html\lib\Class\MOP\Object.html (3882 bytes)
    C:\Perl\html\lib\CPAN\Version.html (3812 bytes)
    C:\Perl\html\lib\ActiveState\Scineplex.html (5045 bytes)
    C:\Perl\html\lib\DBD\Gofer\Transport\stream.html (3460 bytes)
    C:\Perl\html\lib\ActiveState\Bytes.html (2279 bytes)
    C:\Perl\html\faq\Windows\ActivePerl-Winfaq10.html (5018 bytes)
    C:\Perl\html\lib\Class\MOP\Method\Inlined.html (2999 bytes)
    C:\Perl\html\lib\CGI.html (3499 bytes)
    C:\Perl\html\lib\constant.html (3713 bytes)
    C:\Perl\html\lib\CORE.html (4337 bytes)
    C:\Perl\html\lib\Class\Accessor.html (5297 bytes)
    C:\Perl\html\bin\dbilogstrip.html (3415 bytes)
    C:\Perl\html\bin\lwp-request.html (3199 bytes)
    C:\Perl\html\faq\ActivePerl-faq.html (3164 bytes)
    C:\Perl\html\lib\CPANPLUS\Shell\Classic.html (2587 bytes)
    C:\Perl\html\lib\autodie\exception\system.html (2944 bytes)
    C:\Perl\html\lib\autouse.html (5159 bytes)
    C:\Perl\html\bin\splain.html (6861 bytes)
    C:\Perl\html\lib\Date\Calendar\Year.html (4202 bytes)
    C:\Perl\html\bin\pod2html.html (2964 bytes)
    C:\Perl\html\lib\CPANPLUS\Error.html (5474 bytes)
    C:\Perl\html\lib\Class\MOP\Mixin\AttributeCore.html (4435 bytes)
    C:\Perl\html\bin\prove.html (5576 bytes)
    C:\Perl\html\bin\nytprofcsv.html (5047 bytes)
    C:\Perl\html\faq\Windows\ActivePerl-Winfaq9.html (3983 bytes)
    C:\Perl\html\lib\Class\Accessor\Faster.html (3186 bytes)
    C:\Perl\html\bin\find2perl.html (5647 bytes)
    C:\Perl\html\lib\CPAN\Meta\History.html (3740 bytes)
    C:\Perl\html\lib\Archive\Tar\File.html (5184 bytes)
    C:\Perl\html\lib\App\Prove.html (4912 bytes)
    C:\Perl\html\Copyright.html (4284 bytes)
    C:\Perl\html\bin\cpan.html (4327 bytes)
    C:\Perl\eg\aspSamples\index.htm (4773 bytes)
    C:\Perl\html\lib\Data\OptList.html (4058 bytes)
    C:\Perl\eg\IEExamples\plmouse.htm (3445 bytes)
    C:\Perl\html\lib\Class\MOP\Method\Overload.html (3898 bytes)
    C:\Perl\html\lib\DBD\Gofer\Transport\corostream.html (3079 bytes)
    C:\Perl\html\lib\Config\Extensions.html (4592 bytes)
    C:\Perl\html\lib\ActiveState\Path.html (4578 bytes)
    C:\Perl\html\bin\cpanp.html (4731 bytes)
    C:\Perl\html\lib\CPANPLUS\Hacking.html (3338 bytes)
    C:\Perl\html\lib\Config\Tiny.html (4763 bytes)
    C:\Perl\html\lib\Class\MOP\Instance.html (4394 bytes)
    C:\Perl\html\lib\Class\Struct.html (5576 bytes)
    C:\Perl\html\lib\Attribute\Handlers.html (5063 bytes)
    C:\Perl\html\lib\ActivePerl\Config.html (3929 bytes)
    C:\Perl\html\lib\ActiveState\Win32\Shell.html (4292 bytes)
    C:\Perl\html\bin\perlbug.html (5233 bytes)
    C:\Perl\html\lib\App\Prove\State\Result.html (4024 bytes)
    C:\Perl\html\lib\ActiveState\RelocateTree.html (4356 bytes)
    C:\Perl\html\bin\shasum.html (4090 bytes)
    C:\Perl\html\bin\config_data.html (4366 bytes)
    C:\Perl\html\bin\piconv.html (3803 bytes)
    C:\Perl\html\faq\ActivePerl-faq3.html (3405 bytes)
    C:\Perl\html\faq\Windows\ActivePerl-Winfaq12.html (2245 bytes)
    C:\Perl\html\lib\Class\MOP\Method.html (5088 bytes)
    C:\Perl\html\lib\Compress\Raw\Zlib.html (4041 bytes)
    C:\Perl\html\lib\Bit\Vector.html (5783 bytes)
    C:\Perl\html\lib\Data\Dump.html (4582 bytes)
    C:\Perl\html\lib\DBD\ODBC\FAQ.html (3998 bytes)
    C:\Perl\html\lib\CPANPLUS\Shell\Default\Plugins\Source.html (4840 bytes)
    C:\Perl\html\lib\Carp\Clan.html (4203 bytes)
    C:\Perl\html\lib\Bit\Vector\String.html (5805 bytes)
    C:\Perl\html\faq\Windows\ActivePerl-Winfaq6.html (5051 bytes)
    C:\Perl\html\lib\App\Prove\State\Result\Test.html (4919 bytes)
    C:\Perl\html\bin\dbiprof.html (4746 bytes)
    C:\Perl\html\lib\Date\Calendar.html (4775 bytes)
    C:\Perl\html\bin\runperl.html (3505 bytes)
    C:\Perl\html\lib\Cwd.html (4655 bytes)
    C:\Perl\html\lib\Class\MOP\Package.html (4620 bytes)
    C:\Perl\html\lib\ActiveState\ModInfo.html (3711 bytes)
    C:\Perl\html\Components\Windows\PerlEz.html (5890 bytes)
    C:\Perl\eg\IEExamples\plwelcome.htm (4551 bytes)
    C:\Perl\html\lib\Class\MOP\Deprecated.html (4001 bytes)
    C:\Perl\html\lib\Bundle\DBD\CSV.html (4176 bytes)
    C:\Perl\html\lib\CPANPLUS\Config\HomeEnv.html (4191 bytes)
    C:\Perl\html\lib\bytes.html (4376 bytes)
    C:\Perl\html\lib\Class\MOP\Method\Accessor.html (3748 bytes)
    C:\Perl\html\bin\reloc_perl.html (4375 bytes)
    C:\Perl\html\lib\B\Keywords.html (4574 bytes)
    C:\Perl\html\lib\Date\Calc.html (5029 bytes)
    C:\Perl\html\lib\CPAN\Meta\Converter.html (3778 bytes)
    C:\Perl\html\bin\exetype.html (2185 bytes)
    C:\Perl\html\lib\autodie.html (4784 bytes)
    C:\Perl\html\lib\ActiveState\Tkx\TextSyntaxTags.html (4257 bytes)
    C:\Perl\html\lib\Date\Calc\PP.html (3729 bytes)
    C:\Perl\html\lib\ActiveState\Color.html (3302 bytes)
    C:\Perl\eg\PerlEx\benchmain.htm (3658 bytes)
    C:\Perl\html\faq\Windows\ActivePerl-Winfaq5.html (4918 bytes)
    C:\Perl\html\lib\Archive\Zip\Tree.html (5275 bytes)
    C:\Perl\html\lib\CPANPLUS\Internals\Extract.html (3257 bytes)
    C:\Perl\html\lib\B\Deparse.html (4672 bytes)
    C:\Perl\html\lib\DBD\Gofer\Transport\Base.html (4019 bytes)
    C:\Perl\html\lib\CPANPLUS\Internals.html (4426 bytes)
    C:\Perl\html\lib\Class\MOP\Mixin\HasMethods.html (3770 bytes)
    C:\Perl\html\lib\CPANPLUS\Internals\Source\SQLite.html (3362 bytes)
    C:\Perl\html\lib\CGI\Util.html (3629 bytes)
    C:\Perl\html\lib\attributes.html (2864 bytes)
    C:\Perl\html\lib\CPANPLUS\Internals\Source\Memory.html (4426 bytes)
    C:\Perl\html\lib\Class\MOP\Class.html (5785 bytes)
    C:\Perl\html\bin\lwp-dump.html (3909 bytes)
    C:\Perl\html\lib\charnames.html (4810 bytes)
    C:\Perl\html\bin\c2ph.html (4668 bytes)
    C:\Perl\html\lib\Class\MOP\Method\Generated.html (3610 bytes)
    C:\Perl\html\bin\ptargrep.html (2269 bytes)
    C:\Perl\html\lib\Config.html (2186 bytes)
    C:\Perl\html\lib\CPANPLUS\Config.html (5436 bytes)
    C:\Perl\html\lib\DBD\Gofer\Policy\pedantic.html (4265 bytes)
    C:\Perl\html\lib\ActivePerl\PPM\Arch.html (3468 bytes)
    C:\Perl\html\bin\ap-update-html.html (4426 bytes)
    C:\Perl\html\bin\pod2text.html (3904 bytes)
    C:\Perl\html\lib\Class\Data\Inheritable.html (4525 bytes)
    C:\Perl\html\bin\perlivp.html (5469 bytes)
    C:\Perl\html\lib\CPANPLUS\Module\Author.html (4327 bytes)
    C:\Perl\html\lib\App\Cpan.html (6383 bytes)
    C:\Perl\html\lib\CPANPLUS\Dist\Sample.html (3840 bytes)
    C:\Perl\html\index.html (2913 bytes)
    C:\Perl\html\lib\Date\Calendar\Profiles.html (5217 bytes)
    C:\Perl\html\lib\ActiveState\Prompt.html (3706 bytes)
    C:\Perl\html\lib\DBD\File\Roadmap.html (4660 bytes)
    C:\Perl\html\lib\CPANPLUS\Dist\Base.html (4501 bytes)
    C:\Perl\html\faq\ActivePerl-faq2.html (4754 bytes)
    C:\Perl\html\lib\CPANPLUS.html (5225 bytes)
    C:\Perl\html\lib\DBD\Gofer\Policy\classic.html (2902 bytes)
    C:\Perl\html\bin\pod2man.html (3499 bytes)
    C:\Perl\html\lib\bigrat.html (2179 bytes)
    C:\Perl\html\lib\ActiveState\Handy.html (4416 bytes)
    C:\Perl\html\lib\CPANPLUS\Module\Author\Fake.html (3101 bytes)
    C:\Perl\html\faq\Windows\ActivePerl-Winfaq2.html (3706 bytes)
    C:\Perl\html\changes.html (4132 bytes)
    C:\Perl\html\lib\B\Lint\Debug.html (3554 bytes)
    C:\Perl\html\lib\Archive\Zip\MemberRead.html (5310 bytes)
    C:\Perl\html\lib\AnyDBM_File.html (4391 bytes)
    C:\Perl\html\lib\Clone.html (4323 bytes)
    C:\Perl\html\lib\ActiveState\Menu.html (4410 bytes)
    C:\Perl\html\lib\Algorithm\C3.html (4882 bytes)
    C:\Perl\eg\IEExamples\plcalc.htm (4661 bytes)
    C:\Perl\html\bin\perlcritic.html (5433 bytes)
    C:\Perl\html\lib\CPAN\Meta\Requirements.html (5197 bytes)
    C:\Perl\html\lib\CPAN\Nox.html (3488 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Update Completion 0" = "c:\27b9d7b0370d2c2579d486fda9d10a72.exe -atboottime QuickTime Update Completion 0"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
