Trojan.Win32.IEDummy_6400726880
Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 64007268807cd34ec31fe52734108309
SHA1: 7c4ccf83c175397fb02fc0712b55d7b3e5cffbd4
SHA256: 8aa6d9796f14155614f7afbcd1c5c6054be0dfd57a2b3d8df7db72e102556f80
SSDeep: 6144:l5ix2QL82wIWxttUuIy3EPouLKTmjPJ8rfeCSTB246nVsk2 rP:/ix2k0t UEwuLKTmjiKCg246npx rP
Size: 456682 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-07 10:46:10
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
50314.exe:240
BTIcon.exe:480
64007268807cd34:136
Reader_sl.exe:1064
wuauclt.exe:344
%original file name%.exe:912
4ffb9.tmp:460
upd890.exe:548
regsvr32.exe:664
jusched.exe:1056
The Trojan injects its code into the following process(es):
No processes have been created.
File activity
The process 50314.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings% (4 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01EP0NBD\post[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (18 bytes)
%System%\version.dll (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONMVGNKL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
%System%\config\SOFTWARE.LOG (12486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
%System%\drivers\00b60331.sys (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GDH.dll (119 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir% (768 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%System%\drivers\7c1d36b7.sys (28 bytes)
%System%\vorsion.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01EP0NBD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0ZM1ETI3\desktop.ini (67 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q63M61A0\desktop.ini (67 bytes)
C:\PROGRAM FILES (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (7122 bytes)
C:\$Directory (268 bytes)
%System%\config (8 bytes)
%System%\wbem (1152 bytes)
%System%\drivers (32 bytes)
%System%\kerogod.dll (9606 bytes)
%System%\config\software (5467 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hroghX.dll (119 bytes)
%System% (7984 bytes)
%Documents and Settings%\%current user%\Cookies (8 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01EP0NBD\post[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%System%\drivers\7c1d36b7.sys (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
The process BTIcon.exe:480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Favorites\¿¬°á\¼ÂÄ¡¹ÙÀ̹Ì.url (95 bytes)
%Documents and Settings%\%current user%\Favorites\¼ÂÄ¡¹ÙÀ̹Ì - ³»°¡ ¸¸µé¾î°¡´Â °Ë»öÇü ºÃ·Î±×.url (95 bytes)
%Documents and Settings%\%current user%\Desktop\¼ÂÄ¡¹ÙÀ̹Ì.url (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0ZM1ETI3\alive[1].htm (25 bytes)
%WinDir%\searchbyme.ico (158104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONMVGNKL\searchbyme[1].ico (158104 bytes)
The process 64007268807cd34:136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4ffb9.tmp (2321 bytes)
The process wuauclt.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\BTIcon\upd890.exe (111712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01EP0NBD\c_updater[1].exe (111712 bytes)
The process 4ffb9.tmp:460 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\50314.exe (1613 bytes)
C:\%original file name%.exe (114 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process upd890.exe:548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\BTIcon\BTIcon.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1410\BTIcon.exe (363040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q63M61A0\c_exe[1].exe (363040 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1410\BTIcon.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1410 (0 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process 50314.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4ffb9.tmp, , \??\%System%\rhqh8YhB, \??\%System%\rhqh8YhB"
[HKCR\CLSID\HOOK_ID]
"name" = "50314.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 C9 C9 40 FF 48 80 4E 76 9C F9 C6 8D 97 00 73"
[HKCR\CLSID\SYS_DLL]
"name" = "GDH.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process BTIcon.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 06 4B B6 D6 25 76 F4 78 F1 AB A9 3E 53 86 FB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\BTIcon]
"sidebar_loaddate" = "2-3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\BTIcon]
"ext" = "A25BD2DA31FC4EB545CA0A57C0378AE69534BA358E28D49EF84D0F3A0FC9B57808681CF36A54C4236E4280942B2394A76D46CC50BD0E6C810E156D81273B5F13EA5457624C068F950D2A2F61EDD50D3440F5B4F1F590F51783548CB0D6584C89BD32FF9ED99C08379FFAB98C91FB82C482C0404069369CEEA4F0AB1F05E1651DAAE13177C9ABDD7A27792DFBF8B9C7209D9527999891A6E66B28A7F68FA532FB9FA8004CADF8486F1B6BF55A451CEF4F696683FD5906AFD0DA6E2BC618FD06F4E6FFCF6368089C7E437CFF3532E7CE76652991A1843F4F0A8DA6807EBCFF18F7AAD7A622C4D7A3EFED035E158E079679B075D5644CF1DA835C3D419DC41454D212846B7E2761BFB7F2C4873995CDC05876F956B2A8D5F681B9AAB77D37309C93F75577AFD44BEB548E0DFF9E315A069A6A6B900D28D06D442BC18CFFDB45B1CB856C5318B43D584FF3011477D32B396DA9DD3EA2E8E7F8F5B12CCC18747E0DA30F389F3A57E20094E327BC2065B8D71777DB924C6A0DAE7ECD21C10757B3809A5B0BC78860E8DC596118988410D4498BA6F8116376DA1C71EEB69BF83FF7265CE8569B5D8628CC2A108C2E2E7502CA4873F03CB7BB3CB9543A76F98B4F18CAE31591C6E0435F7102720B722C7360B33A1F3CA339A2DA51AA5FD63CEA6A36B360F3E584D4F1562953"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\BTIcon]
"prvcot" = "A25BD2D62FC7DB9EF2B2848E99FEDF5A967EF80F69C44AC8B8E93EB0F8C1FB74A32AF0FC0F21F08A4842D65F6FF9812E5C93CC89AD69781A37EF5290183D83D2073E993900041D880D193672E7C8F4E802666BF25D9BE613EC338AF2858A8A919916C3AF8F9BEDDE6FF97087FCC333C51B92AC60404371372771A46196BD86DED7F1574DF07D55B0E9A5AE51C8F1952A44A614CDC652A806A598DCA0FDE27B05A9A23206EF04049A12B6D285CB9605A099C3D598F87D1617C2620BBD91CB031DFE367B813FE2A2B465BF030FD2C21213828783F2974F49642F5FA27060D2ED525D68144E05777F3F2321DF1C64B2C49FF21B99BDAD86068C314116E6E4E51FA3BBD14B0E166FA065EE61BC4AD3BB83ED3DAE512CAD9CAE8B90F9E8869F7DC4F7BA32A1D16E4E22373C1C959BC87B6A08209BAD1A4F017D085EC32F018C003F328B583BEAD77E201194D6F1BFC147D12BF430375C2F9BB5F5B189D0CEBFAA05F7B5E1C69B39C6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\BTIcon]
"upd890.exe" = "upd890"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 89 3F CA 67 18 72 80 8E 08 39 5C B1 D3 47 6A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 4ffb9.tmp:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4ffb9.tmp,"
The process upd890.exe:548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\BTIcon]
"updater_loaddate" = "2-3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\BTIcon]
"cot" = "A25BD2D62FC7DB9EF2B2848E99FEDF5A967EF80F69C44AC8B8E93EB0F8C1FB74A32AF0FC0F21F08A4842D65F6FF9812E5C93CC89AD69781A37EF5290183D83D2073E993900041D880D193672E7C8F4E802666BF25D9BE613EC338AF2858A8A919916C3AF8F9BEDDE6FF97087FCC333C51B92AC60404371372771A46196BD86DED7F1574DF07D55B0E9A5AE51C8F1952A44A614CDC652A806A598DCA0FDE27B05A9A23206EF04049A12B6D285CB9605A099C3D598F87D1617C2620BBD91CB031DFE367B813FE2A2B465BF030FD2C21213828783F2974F49642F5FA27060D2ED525D68144E05777F3F2321DF1C64B2C49FF21B99BDAD86068C314116E6E4E51FA3BBD14B0E166FA065EE61BC4AD3BB83ED3DAE512CAD9CAE8B90F9E8869F7DC4F7BA32A1D16E4E22373C1C959BC87B6A08209BAD1A4F017D085EC32F4EC809BC7B9241EEAF487E201194930220C303660D3545DAB040B158945D5EC0639A1208"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\BTIcon]
"BTIcon.exe" = "MFC ì‘ìš© 프로그램"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E F2 21 FE 96 C9 F4 23 A2 DB 4E 76 05 A8 68 64"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"BTIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\BTIcon\BTIcon.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"BTIconu" = "%Documents and Settings%\%current user%\Local Settings\Application Data\BTIcon\BTIcon_updater.exe"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKCU\Software\Microsoft\BTIcon]
"prvcot"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process regsvr32.exe:664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE BC 40 43 C6 E7 AB F3 89 7B 6A 07 35 F0 05 1F"
[HKCR\IEHelper.IEHlprObj\CurVer]
"(Default)" = "IEHelper.IEHlprObj.1"
[HKCR\IEHelper.IEHlprObj]
"(Default)" = "IEHlprObj Class"
[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"(Default)" = "%System%\kerogod.dll"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
"(Default)" = "IEHelper.IEHlprObj.1"
[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}]
"(Default)" = "IIEHlprObj"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"
[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"Version" = "1.0"
[HKCR\IEHelper.IEHlprObj\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"
[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32]
"(Default)" = "%System%\kerogod.dll"
[HKCR\IEHelper.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"
[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR]
"(Default)" = "%System%\"
[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0]
"(Default)" = "IEHelper 1.0 Type Library"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
"(Default)" = "IEHlprObj Class"
[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\IEHelper.IEHlprObj.1\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"
[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]
"(Default)" = "IEHelper.IEHlprObj"
[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://www.g.daum.net/ |  |
| hxxp://218.149.84.44/files2.php?client= | |
| hxxp://218.149.84.44/files/pav2/c_exe.exe | |
| hxxp://211.110.214.22/log_progress.php?client=&action=install&target=1 | |
| hxxp://211.110.214.22/log_progress.php?client=&action=load&target=0 | |
| hxxp://lb1.www.ms.akadns.net/ |  |
| hxxp://218.149.84.44/alive.php?client= | |
| hxxp://218.149.84.44/config.php?client= | |
| hxxp://218.149.84.44/cls.php?client= | |
| hxxp://211.110.214.22/log_progress.php?client=&action=load&target=1 | |
| hxxp://218.149.84.44/ext.php?client= | |
| hxxp://218.149.84.44/fdwn/icon/searchbyme.ico | |
| www.daum.net |  211.244.82.108 |
| www.microsoft.com | 1.103.192.54 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\drivers\00b60331.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.
The Trojan installs the following kernel-mode hooks:
ZwCreateFile
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
50314.exe:240
BTIcon.exe:480
64007268807cd34:136
wuauclt.exe:344
%original file name%.exe:912
4ffb9.tmp:460
upd890.exe:548
regsvr32.exe:664 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings% (4 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01EP0NBD\post[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (18 bytes)
%System%\version.dll (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONMVGNKL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
%System%\config\SOFTWARE.LOG (12486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
%System%\drivers\00b60331.sys (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GDH.dll (119 bytes)
%WinDir%\REGISTRATION (4 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%System%\drivers\7c1d36b7.sys (28 bytes)
%System%\vorsion.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01EP0NBD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0ZM1ETI3\desktop.ini (67 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q63M61A0\desktop.ini (67 bytes)
C:\PROGRAM FILES (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (7122 bytes)
C:\$Directory (268 bytes)
%System%\kerogod.dll (9606 bytes)
%System%\config\software (5467 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hroghX.dll (119 bytes)
%Documents and Settings%\%current user%\Cookies (8 bytes)
%Documents and Settings%\%current user%\Favorites\¿¬°á\¼ÂÄ¡¹ÙÀ̹Ì.url (95 bytes)
%Documents and Settings%\%current user%\Favorites\¼ÂÄ¡¹ÙÀ̹Ì - ³»°¡ ¸¸µé¾î°¡´Â °Ë»öÇü ºÃ·Î±×.url (95 bytes)
%Documents and Settings%\%current user%\Desktop\¼ÂÄ¡¹ÙÀ̹Ì.url (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0ZM1ETI3\alive[1].htm (25 bytes)
%WinDir%\searchbyme.ico (158104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONMVGNKL\searchbyme[1].ico (158104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4ffb9.tmp (2321 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\BTIcon\upd890.exe (111712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01EP0NBD\c_updater[1].exe (111712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\50314.exe (1613 bytes)
C:\%original file name%.exe (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\BTIcon\BTIcon.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1410\BTIcon.exe (363040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q63M61A0\c_exe[1].exe (363040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"BTIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\BTIcon\BTIcon.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"BTIconu" = "%Documents and Settings%\%current user%\Local Settings\Application Data\BTIcon\BTIcon_updater.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
