Trojan.Win32.IEDummy_ba7ec74191

by malwarelabrobot on July 1st, 2014 in Malware Descriptions.

Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: ba7ec741916acf6265a8a48c89c19261
SHA1: e6198cf787aec26d72c05c1ea1d1ff077f47ec5b
SHA256: c792c886022b78e123676ee96cfd8dd8135db31f64a828cc6df0fffc28b4f7db
SSDeep: 196608:8qmHbnswxJohAk7W1E5l8WQeUEQ8d9J6PooTzdvcErRdvdmFfL9pQf8JBtWej:yohA5y5ODeFQ8d9w3zdVXlmFBLxWW
Size: 12138496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-16 13:50:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found. The recorded behaviour is that of an NSIS-built PowerISO 5.9 installer (the nsXX.tmp plug-in directories holding System.dll, inetc.dll and InstOpt.dll are NSIS artefacts; the uninstall entry names Power Software Ltd) that also drops and runs a SearchProtect/Conduit component: Setup.exe writes SPIdentifier.exe and sp-downloader.exe to %Temp%, SPIdentifier.exe downloads SPIdentifierImpl[1].exe through the IE cache and writes it out as nsjA.exe, and nsjA.exe creates %Program Files%\SearchProtect\Main\rep\SystemRepository.dat. The HKCU\Software\PowerISO values TbInstallFlag and ConduitFlag point to the same bundling. For triage, the bundled search-protection downloader and the missing code signature (no certificate found) are the points that matter; the PowerISO program files, the SCDEmu virtual-drive driver and the PWRISOVM.EXE autorun entry are the application's own.

Process activity

The Trojan creates the following process(es):

nsjA.exe:440
%original file name%.exe:1088
regsvr32.exe:176
regsvr32.exe:884
PWRISOVM.EXE:388
Setup.exe:432
SPIdentifier.exe:224
nss6.tmp.exe:1256

The Trojan injects its code into the following process(es):
None observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process nsjA.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\SPtool.dll (49229 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\inetc.dll (0 bytes)

The process %original file name%.exe:1088 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (758 bytes)
%Program Files%\Common Files\Setup.exe (43956 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iwdqkkj (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (47161 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Program Files%\Common Files\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iwdqkkj (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)

The process Setup.exe:432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO Virtual Drive Manager.lnk (1 bytes)
%Program Files%\PowerISO\Readme.txt (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\Uninstall PowerISO.lnk (1 bytes)
%Program Files%\PowerISO\PowerISO.chm (15536 bytes)
%Program Files%\PowerISO\Lang\Slovak.lng (1856 bytes)
%Program Files%\PowerISO\License.txt (3 bytes)
%Program Files%\PowerISO\Lang\Urdu(Pakistan).lng (1856 bytes)
%Program Files%\PowerISO\Lang\Lithuanian.lng (1552 bytes)
%Documents and Settings%\All Users\Desktop\PowerISO.lnk (682 bytes)
%Program Files%\PowerISO\Lang\TradChinese.lng (784 bytes)
%Program Files%\PowerISO\Lang\Norsk.lng (1552 bytes)
%Program Files%\PowerISO\Lang\italian.lng (1552 bytes)
%Program Files%\PowerISO\Lang\Ukrainian.lng (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (288986 bytes)
%Program Files%\PowerISO\libFLAC.dll (5520 bytes)
%Program Files%\PowerISO\PowerISO.exe (85410 bytes)
%Program Files%\PowerISO\Lang\Malay.lng (1856 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO Help.lnk (1 bytes)
%Program Files%\PowerISO\Lang\Indonesian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Swedish.lng (1856 bytes)
%Program Files%\PowerISO\lame_enc.dll (9320 bytes)
%Program Files%\PowerISO\Lang\Japanese.lng (784 bytes)
%Program Files%\PowerISO\Lang\Hungarian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Vietnamese.lng (1552 bytes)
%Program Files%\PowerISO\Lang\czech.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Greek.lng (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\System.dll (11 bytes)
%Program Files%\PowerISO\Lang\Slovenian.lng (784 bytes)
%Program Files%\PowerISO\Lang\German.lng (1856 bytes)
%Program Files%\PowerISO\Lang\SimpChinese.lng (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss6.tmp.exe (85410 bytes)
%Program Files%\PowerISO\Lang\Bosnian.lng (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\InstOpt.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
%Program Files%\PowerISO\Lang\Thai.lng (1552 bytes)
%System%\drivers\scdemu.sys (3616 bytes)
%Program Files%\PowerISO\Lang\Korean.lng (1552 bytes)
%Program Files%\PowerISO\PWRISOSH.DLL (6360 bytes)
%Program Files%\PowerISO\piso.exe (11 bytes)
%Program Files%\PowerISO\PWRISOVM.EXE (12024 bytes)
%Program Files%\PowerISO\Lang\Farsi.lng (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
%Program Files%\PowerISO\uninstall.exe (2571 bytes)
%Program Files%\PowerISO\Lang\Portuguese(Brazil).lng (1856 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO.lnk (1 bytes)
%Program Files%\PowerISO\Lang\Dutch.lng (1856 bytes)
%Program Files%\PowerISO\Lang\danish.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Russian.lng (784 bytes)
%Program Files%\PowerISO\Lang\Spanish.lng (1856 bytes)
%Program Files%\PowerISO\Lang\french.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Armenian.lng (1552 bytes)
%Program Files%\PowerISO\History.txt (7 bytes)
%Program Files%\PowerISO\Lang\Azerbaijani.lng (1552 bytes)
%Program Files%\PowerISO\Lang\Belarusian.lng (1856 bytes)
%Program Files%\PowerISO\MACDll.dll (6584 bytes)
%Program Files%\PowerISO\Lang\Serbian(cyrl).lng (1552 bytes)
%Program Files%\PowerISO\Lang\Arabic.lng (1552 bytes)
%Program Files%\PowerISO\Lang\Bulgarian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Polish.lng (1552 bytes)
%Program Files%\PowerISO\Lang\croatian.lng (1856 bytes)
%Program Files%\PowerISO\Lang\kazakh.lng (1856 bytes)
%Program Files%\PowerISO\Lang\Turkish.lng (1552 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\InstOpt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp (0 bytes)

The process SPIdentifier.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjA.exe (64797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp (2820 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjA.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst9.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7.tmp (0 bytes)

The process nss6.tmp.exe:1256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PowerISO_Setup.txt (2 bytes)

Registry activity

The process nsjA.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 74 5F 33 53 C9 8D D2 56 D5 73 65 9E 55 B2 AB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan sets the following IE security-zone mapping values. All three are the Windows XP defaults and are written by any process that initialises WinINet, so on their own they are not evidence of tampering:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
(include all network paths (UNCs) in the Local intranet zone)
"ProxyBypass" = "1"
(include all sites that bypass the proxy server in the Local intranet zone)
"IntranetName" = "1"
(include all local intranet sites not listed in other zones, i.e. dotless host names)

Proxy use is disabled. This is the default on a system with no proxy configured and, together with "MigrateProxy" = "1" above and the deleted ProxyServer/AutoConfigURL values below, is consistent with WinINet's one-time migration of legacy proxy settings rather than with a deliberate proxy change:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 37 F5 08 42 B5 13 E1 15 B6 62 E3 69 57 D3 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\PowerISO]
"CheckUpgrade" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\PowerISO]
"Language" = "1055"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\PowerISO]
"User" = "00 16 53 6F 6C 69 64 53 68 61 72 65 20 50 72 6F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Common Files]
"setup.exe" = "PowerISO Setup"

The Trojan sets the following IE security-zone mapping values, all Windows XP defaults written whenever a process initialises WinINet:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
(include all local intranet sites not listed in other zones, i.e. dotless host names)
"UNCAsIntranet" = "1"
(include all network paths (UNCs) in the Local intranet zone)
"ProxyBypass" = "1"
(include all sites that bypass the proxy server in the Local intranet zone)

The process regsvr32.exe:176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 D9 8F 2A 65 FC 4A 5C 78 41 16 EE 7A 17 2D B5"

[HKCR\*\shellex\ContextMenuHandlers\PowerISO]
"(Default)" = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

[HKCR\Directory\shellex\ContextMenuHandlers\PowerISO]
"(Default)" = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

[HKCR\Folder\shellex\ContextMenuHandlers\PowerISO]
"(Default)" = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"

[HKCR\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}]
"(Default)" = "PowerISO"

[HKCR\CLSID\{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}\InProcServer32]
"(Default)" = "%Program Files%\PowerISO\PWRISOSH.DLL"
"ThreadingModel" = "Apartment"

The process regsvr32.exe:884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 BB B7 2D 60 0E BC AB 57 C8 A0 56 8E 4A C6 A2"

The process PWRISOVM.EXE:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 4A F4 1B 88 42 5C F5 01 AE 54 24 57 0C 0E D0"

The process Setup.exe:432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\PowerISO]
"ShellIntegration" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\.dmg]
"(Default)" = ""

[HKCR\.bin]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\PowerISO]
"CheckUpgrade" = "0"

[HKCR\.cue]
"(Default)" = "PowerISO"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"UninstallString" = "%Program Files%\PowerISO\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\.iso]
"(Default)" = "PowerISO"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\PowerISO]
"TbInstallFlag2" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\PowerISO]
"PWRISOVM.EXE" = "PowerISO Virtual Drive Manager"

[HKCR\.gi]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\PowerISO\SCDEmu]
"DiskCount" = "1"

[HKCR\PowerISO\DefaultIcon]
"(Default)" = "%Program Files%\PowerISO\PowerISO.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"NoModify" = "1"

[HKCR\.flp]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"Publisher" = "Power Software Ltd"

[HKCR\.daa]
"(Default)" = "PowerISO"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\PowerISO\SCDEmu]
"Flags" = "5"

[HKCR\.cif]
"(Default)" = ""

[HKCU\Software\PowerISO]
"Install_Dir" = "%Program Files%\PowerISO"

[HKCR\.lcd]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 E7 4A EE 39 CA 24 F3 F0 52 4E 33 37 5F AB 97"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\PowerISO]
"Install_Dir" = "%Program Files%\PowerISO"

[HKCR\.fcd]
"(Default)" = ""

[HKCR\.ashdisc]
"(Default)" = ""

[HKCU\Software\PowerISO]
"ConduitFlag" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"DisplayVersion" = "5.9"
"VersionMajor" = "5"

[HKCR\.cdi]
"(Default)" = ""

[HKCR\PowerISO]
"(Default)" = "PowerISO File"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"DisplayIcon" = "%Program Files%\PowerISO\PowerISO.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCR\.ncd]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\.vcd]
"(Default)" = ""

[HKCR\.mds]
"(Default)" = ""

[HKCU\Software\PowerISO]
"TbInstallFlag" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"NoRepair" = "1"

[HKCR\.pxi]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\SCDEmu]
"ErrorControl" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\.c2d]
"(Default)" = ""

[HKCR\PowerISO\shell\open\command]
"(Default)" = "%Program Files%\PowerISO\PowerISO.exe %1"

[HKCR\.p01]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"DisplayName" = "PowerISO"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\.b5i]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\PowerISO]
"TbShowFlag" = "2"

[HKCR\.uif]
"(Default)" = "PowerISO"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\.bwi]
"(Default)" = ""

[HKLM\System\CurrentControlSet\Services\SCDEmu]
"Type" = "1"

[HKCR\.bif]
"(Default)" = ""

[HKCR\.img]
"(Default)" = "PowerISO"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCR\.ima]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\.pdi]
"(Default)" = ""

[HKCU\Software\PowerISO]
"Language" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"VersionMinor" = "9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PowerISO]
"InstallLocation" = "%Program Files%\PowerISO"

[HKCR\.mdf]
"(Default)" = ""

[HKCR\.isz]
"(Default)" = "PowerISO"

[HKCR\.wim]
"(Default)" = ""

[HKCR\.nrg]
"(Default)" = ""

The Trojan sets the following IE security-zone mapping value. It is the Windows XP default (include all local intranet sites not listed in other zones, i.e. dotless host names, in the Local intranet zone) and is written by any process that initialises WinINet, so on its own it is not evidence of tampering:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run PWRISOVM.EXE (the PowerISO virtual drive manager) at every user logon, the Trojan adds it to the machine-wide Run key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE" = "%Program Files%\PowerISO\PWRISOVM.EXE -startup"

The SCDEmu kernel driver (%System%\drivers\scdemu.sys, registered with "Type" = "1", SERVICE_KERNEL_DRIVER) is given "Start" = "1" (SERVICE_SYSTEM_START), so the I/O manager loads it during kernel initialisation (IoInitSystem) on every boot:

[HKLM\System\CurrentControlSet\Services\SCDEmu]
"Start" = "1"

The Trojan also sets these two zone-mapping values, likewise Windows XP defaults written on WinINet initialisation:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
(include all network paths (UNCs) in the Local intranet zone)
"ProxyBypass" = "1"
(include all sites that bypass the proxy server in the Local intranet zone)

The Trojan deletes the following registry key(s):

[HKCR\.bin\PersistentHandler]
[HKCR\.bin]

The Trojan deletes the following autorun value, disabling automatic startup of the SCDEmu helper application (the same process registers PWRISOVM.EXE under this key):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SCDEmuApp.exe"

The process SPIdentifier.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst9.tmp\,"
(a MoveFileEx delete-on-reboot entry for the NSIS plug-in directory: the path is removed at the next boot; this is cleanup, not persistence)

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 79 BE 20 DF 1C 51 53 DF B1 EE D9 36 3E 38 0B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan sets the following IE security-zone mapping values. All three are the Windows XP defaults and are written by any process that initialises WinINet, so on their own they are not evidence of tampering:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
(include all network paths (UNCs) in the Local intranet zone)
"ProxyBypass" = "1"
(include all sites that bypass the proxy server in the Local intranet zone)
"IntranetName" = "1"
(include all local intranet sites not listed in other zones, i.e. dotless host names)

Proxy use is disabled. This is the default on a system with no proxy configured and, together with "MigrateProxy" = "1" above and the deleted ProxyServer/AutoConfigURL values below, is consistent with WinINet's one-time migration of legacy proxy settings rather than with a deliberate proxy change:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nss6.tmp.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 AF 2F AC B7 8F 75 84 58 28 E9 2A 05 D1 3A 3E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan sets the IE security-zone option that places all network (UNC) paths in the Local intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan sets the IE security-zone option that places all sites which bypass the proxy server in the Local intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan sets the IE security-zone option that places local (dotless) site names not listed in any other zone in the Local intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

A value of "1" is the default for all three ZoneMap options, and the Cache\Paths, Shell Folders, MigrateProxy/SavedLegacySettings and Cryptography\RNG\Seed writes above are what WinINet and CryptoAPI produce when first used in a fresh profile (the installer opens thankyou.htm through the IE engine, see the MSIE User-Agent and the iexplore.exe strings further down). None of these is a zone downgrade. The proxy changes are the ones to verify on a real host: "ProxyEnable" = "0" together with the deletions below would remove an existing proxy or PAC configuration.

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
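The "SavedLegacySettings" value written above is WinINet's connection-settings structure (the same layout as DefaultConnectionSettings under the Connections key). It is where a proxy or PAC hijack actually lives; "ProxyEnable" mirrors only one bit of it, so an analyst reading a sandbox report should decode the blob rather than trust the flag. The Python below is an added example, not part of the report or of any Lavasoft tooling: it decodes the fixed header and the three length-prefixed strings, copes with the report's 16-byte truncated dump, and includes a constructed blob with a PAC URL (placeholder host) to show what a hijacked value decodes to. The reserved bytes that follow the PAC URL in the real structure are not modelled.

```python
import struct

# Flag bits in the third DWORD of WinINet's connection-settings blob.
PROXY_TYPE_DIRECT = 0x01
PROXY_TYPE_PROXY = 0x02
PROXY_TYPE_AUTO_PROXY_URL = 0x04
PROXY_TYPE_AUTO_DETECT = 0x08

FLAG_NAMES = {
    PROXY_TYPE_DIRECT: "DIRECT",
    PROXY_TYPE_PROXY: "PROXY",
    PROXY_TYPE_AUTO_PROXY_URL: "PAC",
    PROXY_TYPE_AUTO_DETECT: "AUTODETECT",
}


def _read_lpstr(blob, off):
    """Read a DWORD-length-prefixed ANSI string; return (text, new_offset).
    Returns (None, off) when the blob ends before the field is complete."""
    if off + 4 > len(blob):
        return None, off
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    if off + n > len(blob):
        return None, off
    return blob[off:off + n].decode("latin-1"), off + n


def decode_connection_settings(blob):
    """Decode version, change counter, flags and the proxy / bypass / PAC
    strings. Fields the blob is too short to contain come back as None."""
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off = 12
    proxy, off = _read_lpstr(blob, off)
    bypass, off = _read_lpstr(blob, off)
    pac_url, off = _read_lpstr(blob, off)
    return {
        "version": version,
        "counter": counter,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "proxy": proxy,
        "bypass": bypass,
        "pac_url": pac_url,
        "truncated": pac_url is None,
    }


def from_report_hex(text):
    """Convert the report's 'AA BB CC' rendering of a REG_BINARY into bytes."""
    return bytes(int(b, 16) for b in text.split())


def flag_proxy_hijack(settings):
    """True when traffic would be routed through a proxy or a PAC script."""
    return any(f in settings["flags"] for f in ("PROXY", "PAC"))


# The value recorded in the report (the sandbox dumped only the first 16 bytes).
REPORT_VALUE = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"


def _build(version, counter, flags, proxy, bypass, pac_url):
    """Construct a blob for comparison (test data, not taken from the report).
    The trailing reserved area of the real structure is just zero-filled."""
    out = struct.pack("<III", version, counter, flags)
    for s in (proxy, bypass, pac_url):
        raw = s.encode("latin-1")
        out += struct.pack("<I", len(raw)) + raw
    return out + b"\x00" * 32


# Constructed example of what a PAC-based proxy hijack decodes to.
HIJACKED_VALUE = _build(60, 31, PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_PROXY_URL,
                        "", "<local>", "http://pac.example.invalid/proxy.pac")

if __name__ == "__main__":
    for label, blob in (("report", from_report_hex(REPORT_VALUE)),
                        ("constructed", HIJACKED_VALUE)):
        s = decode_connection_settings(blob)
        print(label, s, "HIJACK" if flag_proxy_hijack(s) else "clean")
```

For the report's value this yields version 60 (the XP layout), change counter 30, flags DIRECT only and an empty proxy string, which corroborates "ProxyEnable" = "0"; the bypass and PAC fields are reported as missing because the dump is truncated, not as empty.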

Dropped PE files

Note that nss6.tmp.exe and PowerISO.exe share an MD5, so the process nss6.tmp.exe:1256 that rewrote the Internet Settings keys above is the PowerISO main executable run from the installer's temp directory.

MD5 File path
73554f3944811c0c4b393826943be2ca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SPIdentifier.exe
92a80f5eb8fb3b821175a031b3d0b976 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss6.tmp.exe
9fb9d49c2db7edd1084ab765d619f5c6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\sp-downloader.exe
d96290ac80c0696023d8a2378bd89efa c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe
30ae564b315b18be68d4975a083939d5 c:\Program Files\PowerISO\MACDll.dll
acd1def89e513fef4ba1a29bcad78c91 c:\Program Files\PowerISO\PWRISOSH.DLL
3dde61df866b70543a953c77765d8edc c:\Program Files\PowerISO\PWRISOVM.EXE
92a80f5eb8fb3b821175a031b3d0b976 c:\Program Files\PowerISO\PowerISO.exe
b415d99733681b7ebd6f0cb923adc27b c:\Program Files\PowerISO\lame_enc.dll
ebbc719e881f2311d352ade3b5e48aee c:\Program Files\PowerISO\libFLAC.dll
24e825fbf90999b564c24d676c299a72 c:\Program Files\PowerISO\piso.exe
c622d80e6d183fdd0e405163e29dfcc0 c:\Program Files\PowerISO\uninstall.exe
61fa09e5fc13b46d5e5495165aa38dc2 c:\WINDOWS\system32\drivers\scdemu.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: SolidShare Ekibi
Product Name: PowerISO
Product Version: 5.9.0.0
Legal Copyright: (c) 2014 By Progressive
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.9.0.0
File Description:
Comments:
Language: English (United States)

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX0   4096             12316672      0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1   12320768         352256        349696    5.49668  f1fc5eb83665ca22e19f7b03630415c1
.rsrc  12673024         11788288      11787776  5.54311  0bc1ac9b4fb5a766ac45af07654202df

This is the layout of a UPX-packed executable: UPX0 has no raw data (its MD5 is that of the empty string) and reserves the 12 MB into which the stub decompresses, UPX1 holds the stub and the packed data, and PEiD's "UPolyXv05_v6" match is its signature for a UPX scrambler rather than a different packer. The two raw sizes plus 1024 bytes of headers account for the full 12138496-byte file, so there is no overlay; nearly everything is in .rsrc, meaning the bundled installers travel as resources. Together with the aut1.tmp/aut2.tmp files in the removal list, that is the shape of a compiled AutoIt wrapper (UPX-compressed, payload in resources), though the report itself does not identify the wrapper.
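The section table above is read by hand in the note; the Python below is an added example (not Lavasoft tooling and not the sample's code) that does the same reading programmatically: it walks the MZ header, PE signature, COFF header and section table, computes the per-section entropy and MD5 the report shows, and applies the packer heuristics. Because it has to run offline it builds a constructed, non-loadable PE with the same UPX0/UPX1/.rsrc shape; only the fields the parser reads are populated, and the high-entropy filler is a SHA-256 chain rather than real compressed data. On the actual file the direct check is "upx -t" (and "upx -d" to unpack), which may fail if the stub has been scrambled.

```python
import hashlib
import math
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".petite", ".nsp0", ".nsp1"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section with the entropy and MD5 of its raw bytes."""
    if pe[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 5),
            "md5": hashlib.md5(raw).hexdigest(),
            "characteristics": chars,
        })
    return sections


def packer_indicators(sections):
    """The heuristics an analyst applies to a section table by eye."""
    hits = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"{s['name']}: known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            hits.append(f"{s['name']}: no raw data but {s['virtual_size']} bytes "
                        f"reserved in memory (unpacking destination)")
        if s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed or encrypted)")
    return hits


def _prng_bytes(n, seed=b"constructed"):
    """Deterministic high-entropy filler (SHA-256 chain) for the test image."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_test_image():
    """Constructed minimal PE (not the sample) reproducing the report's
    UPX0 / UPX1 / .rsrc layout. The optional header is zeroed, so the image
    parses but is not loadable."""
    secs = [  # (name, VirtualAddress, VirtualSize, raw bytes)
        (b"UPX0", 0x00001000, 0x00BBF000, b""),
        (b"UPX1", 0x00BC0000, 0x1000, _prng_bytes(0x1000)),
        (b".rsrc", 0x00BC1000, 0x1000, b"\x00" * 3000 + b"\x01" * 1096),
    ]
    e_lfanew, size_opt, file_align = 0x40, 0xE0, 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: i386, N sections, no symbols, PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(secs), 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0B\x01" + b"\x00" * (size_opt - 2)   # PE32 magic, rest unused
    headers_len = e_lfanew + 4 + len(coff) + size_opt + 40 * len(secs)
    data_start = (headers_len + file_align - 1) // file_align * file_align
    table, body, ptr = bytearray(), bytearray(), data_start
    for name, vaddr, vsize, raw in secs:
        rawsize = (len(raw) + file_align - 1) // file_align * file_align
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, vaddr,
                             rawsize, ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(rawsize, b"\0")
        ptr += rawsize
    head = bytes(dos) + IMAGE_NT_SIGNATURE + coff + opt + bytes(table)
    return head.ljust(data_start, b"\0") + bytes(body)


if __name__ == "__main__":
    secs = parse_sections(build_test_image())
    for s in secs:
        print(s["name"], s["virtual_size"], s["raw_size"], s["entropy"], s["md5"])
    print(packer_indicators(secs))
```

On the constructed image UPX0 comes out with raw size 0 and MD5 d41d8cd98f00b204e9800998ecf8427e, exactly as in the table above, which is simply the MD5 of zero bytes.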

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://e6337.g.akamaiedge.net/spidentifier/SPIdentifierImpl.exe
hxxp://poweriso.com/getip.php
hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/
hxxp://poweriso.com/thankyou.htm
hxxp://poweriso.com/images/thank-you-bg.gif
hxxp://poweriso.com/images/thank-you-bg1.gif
hxxp://www-google-analytics.l.google.com/ga.js
hxxp://poweriso.com/images/blank.gif
hxxp://poweriso.com/images/thank-you-logo.gif
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=320095788&utmhn=www.poweriso.com&utmcs=windows-1252&utmsr=1024x768&utmvp=1004x615&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Thank you for installing PowerISO!&utmhid=1155959389&utmr=-&utmp=/thankyou.htm&utmht=1404105600036&utmac=UA-26195659-1&utmcc=__utma=12986422.1178804117.1404105600.1404105600.1404105600.1;+__utmz=12986422.1404105600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~
hxxp://poweriso.com/images/check.gif
hxxp://www.poweriso.com/images/check.gif 66.39.117.230
hxxp://www.google-analytics.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=320095788&utmhn=www.poweriso.com&utmcs=windows-1252&utmsr=1024x768&utmvp=1004x615&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Thank you for installing PowerISO!&utmhid=1155959389&utmr=-&utmp=/thankyou.htm&utmht=1404105600036&utmac=UA-26195659-1&utmcc=__utma=12986422.1178804117.1404105600.1404105600.1404105600.1;+__utmz=12986422.1404105600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~ 173.194.113.192
hxxp://www.poweriso.com/images/thank-you-logo.gif 66.39.117.230
hxxp://www.poweriso.com/images/thank-you-bg.gif 66.39.117.230
hxxp://www.poweriso.com/images/blank.gif 66.39.117.230
hxxp://www.poweriso.com/thankyou.htm 66.39.117.230
hxxp://www.google-analytics.com/ga.js 173.194.113.192
hxxp://sp-storage.conduit-services.com/spidentifier/SPIdentifierImpl.exe 23.215.122.68
hxxp://www.poweriso.com/images/thank-you-bg1.gif 66.39.117.230
hxxp://www.poweriso.com/getip.php 66.39.117.230
hxxp://sp-installer.conduit-data.com/ 54.235.66.89


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

GET /thankyou.htm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:19:59 GMT
Server: Apache/2.2.27
Last-Modified: Thu, 22 Mar 2012 05:28:07 GMT
ETag: "116d-4bbce2c41a7c0"
Accept-Ranges: bytes
Content-Length: 4461
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<html>.<head>..<meta http-equiv=Content-Type content="t
ext/html; charset=windows-1252">.<meta content="PowerISO" name=d
escription>.<meta content="Microsoft FrontPage 4.0" name="GENERA
TOR">.<meta content="FrontPage.Editor.Document" name="ProgId">
;.<title>Thank you for installing PowerISO!</title>..<S
TYLE type=text/css>P {FONT-SIZE: 9pt; FONT-FAMILY: "Arial"}.B {.FON
T-SIZE: 9pt; FONT-FAMILY: "Arial"}.A:link {FONT-SIZE: 9pt; FONT-FAMILY
: "Arial"; TEXT-DECORATION: none}.A:visited {FONT-SIZE: 9pt; FONT-FAMI
LY: "Arial"; TEXT-DECORATION: none}.A:active {FONT-SIZE: 9pt; FONT-FAM
ILY: "Arial"; TEXT-DECORATION: none}.A:hover {FONT-SIZE: 9pt; FONT-FAM
ILY: "Arial"; TEXT-DECORATION: none}.</STYLE>..</head>..&l
t;body topMargin=0 bgcolor="#808080" leftmargin="0" background="images
/thank-you-bg1.gif">..<table align="center" border="0" cellpaddi
ng="0" cellspacing="0" width="614" height="154" background="images/tha
nk-you-bg.gif">..<tr><td width="100%" height="141"><
p align="center"> </td></tr>..<td width="604" h
eight="392">..<table align="center" border="0" cellpadding="0" c
ellspacing="0" width="585" height="12">. <tr><td width="5
35" height="64" colspan="4"><p align="center"><b><fo
nt color="#FFFFFF" size="5">Thank you for installing PowerISO!</
font></b></td></tr>. <tr><td width="535
" bgcolor="#FFFFFF" height="1" colspan="4"> </td><

<<< skipped >>>

GET /images/thank-you-bg.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:20:00 GMT
Server: Apache/2.2.27
Last-Modified: Thu, 22 Mar 2012 04:05:37 GMT
ETag: "2e5d-4bbcd0536a640"
Accept-Ranges: bytes
Content-Length: 11869
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/gif
GIF89ah.&..........c..`..]............................................
...Z...........D..C........a..........................................
......o..p..o.!u..r."v..q..o..p..o.#w. t.5.....-..U..&z.H...........1.
.... .....A..O..`..b..[.....\..0..e..C..(}.)}.~..'{.$x.%y.K..F..2...s.
>..=../..6..4..<..*..E.....,...q.7.........s....;...........h...
..r..)[email protected]..{..&z. t.7..^.....Y...n..t.9.. ....
.(|..q.'{.V.....%x.N..J.....G..B.....X..R..S...r.......?..=..:..4..3..
I..1../..,........l........x.....u..Q..n........z........F............
......................................................................
......................................................................
............................................................z.........
.................!.......,....h.&........H......*\......#J.H.....3j...
... C..8....(S.\[email protected].*].....P.J.JU%..X.j.
.....`...K....h..].....p...K....x............L...... ^......#..A.....3
k.......C..M.....S.^......c..M.....s.................. _.......K.N....
..k...........O......._.........O..............ZG....h...&....6....F(.
..Vh...f....v... .(..$.h..(....,....0.(#.-.h..8....<....@.)..D.i..H
&...L6...PF)..TVi..Xf...\v...`.)..d.i..h....l....E. ..t.i..x....|.....
.*....j...&....6....F*...Vj...f....v.....z....j...............*....j..
............ ....z...&....6....F ...Vk...f....v..... ....k............
.. ....k..............,....l...'....7....G,...Wl...g.n%.w... .,..$.l..
(....,....0.,..4.l..8....<[email protected]'...L7...PG-..TWm..Xg.

<<< skipped >>>

GET /images/thank-you-logo.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:20:00 GMT
Server: Apache/2.2.27
Last-Modified: Fri, 16 Mar 2012 10:56:08 GMT
ETag: "512a-4bb5a0e49a200"
Accept-Ranges: bytes
Content-Length: 20778
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: image/gif
GIF89a0.U.....f.r........l.....a..[...../@Lf........ ....bI..C.....1..
.....vU...................K............x.......7......................
...........=......................."..x...............................
....}.. .........................,...............7....q.........&....T
.....8..........................%...G..........^.........V.....)......
.................................. ...w..g.......b......P..........8..
....J....................:.......................[..Z........f.......4
....................................(....................D..M.........
..........6}..j.....-....................1.....M........m.......Y.....
...................$..|..............S..o....u.....M......t...........
[email protected].......... ...............F...../..=y.....
....C;.....!.......,....0.U........H......*\.0...$"[email protected]...$.
. ..... .|....Y..U.Y.....r....'[email protected]..!....1&L...k.z[
.D.....*?N..Rb...T.)..E../....../.$J.......3|..(.......I...re~.3k...r.
..!?n...i..Rk..z....>|..d.]._....i..f.J..B......n... W.Z.R.*#j.S...
`..hQ.D....J.....n..Y!..Y-..L..EI)#%..xec.o.eP.E......%....6....:x....
....y.R~...AJ...SL4...N>.5.xB}..RNe..uQ]5AV..0.Y.-.U...e.Z......l.B
..}...*.%.`..F.l.........h.x..g..i..gvf...y..b....k8....~...n....p..u\
rQ..\W.E'.UQa...L)5.w..E^y<.g"M....J..t_~ 5..F6d......P....*....z`.
.b..GW...I(.."K/.W.z....x/*...M.c]U.b.c.`}.\.@........\[email protected]....
..6Xa.....>x.%h.m........`.FZ.q..Z.v..gmz..[o..&......r......U[.u.n
..wEUj)P.iz.{1y.i.'...H......VT....-..D?8a..........H...jK/.(.L...

<<< skipped >>>

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 263
Connection: Keep-Alive
Cache-Control: no-cache

{"event_type":"SPidentifier", "environment":"",  "machine_ID":"HOBCTMHJRTJGD8Y1M4RW8ILGSWFTKX5IX/EAFIKGEAD MYIWJKOIXSWGHN8FWICHX0NAMR4ZBCORZD7UDJJKEG", "result": "success", "failure_reason": "clean_machine", "SP_version": "", "carrier_ID": "", "carrier_type": ""}
HTTP/1.1 202 Accepted
Date: Mon, 30 Jun 2014 05:20:21 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive


GET /getip.php HTTP/1.1
User-Agent: PowerISO(v5.1)
Accept: */*
Host: VVV.poweriso.com
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Date: Mon, 30 Jun 2014 05:19:50 GMT
Server: Apache/2.2.27
Content-Length: 207
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /ge
tip.php was not found on this server.</p>.</body></html
>...


GET /ga.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 01:16:59 GMT
Expires: Mon, 30 Jun 2014 13:16:59 GMT
Last-Modified: Tue, 17 Jun 2014 01:05:58 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15810
Age: 14580
Cache-Control: public, max-age=43200
Alternate-Protocol: 80:quic
...........}kW.:..w~....c...pk..f..-mii..%...e9..q.........$[NB.s.Y...
......h43v..Pd.d.z..|..y ."........(..a.B........1..Tf..K.L2....~...ep
...&y....MS...t9.....&..2... .Q.N.(o....8..q..L.!...a..0...$.pX..N&..a
. ..zB:l.8c9.p.....;l..x.$c.]BP\.....B...&..*pz.H.~......g...Ap..!....
K......V;l.H.....V.a.....s.$p....5.39...a.a7P'9.b.[H>N.$..A..... ..
^..;h.h...2l_......w9..d.@.`...N.....|....%.d.%........{.....&.A.I..:.
...F.;..c..{P*..~..JzP.Kl...F..y.U8(&.......}[email protected]. u.Y...!..R
.h.F..`./>5...*{P..(..:A.}..v.} ..u...k......w\..d....he.q..U.u..yE
..J.Re.....Y.2!.J.a..i^R....p..LG4.d.6U..........E..%..5.kz<....[..
!2o.tV.V.....|..p7o..?N&..].o>.|...../..a.\...vL3].._....q.....C.].
JG..\.[9...hp....w.Y^1..>..`..Q..!w0.U..}x.;^.......w.I............
....R..aQ2R..<..%....A%|.E...j...L..j..\.\.D.<.g....^Y)...L.*D..
......2....-..%F.T..j..,F...C.....m_.$..2..2.g...B.{.....\c......*5..c
..J.{@...Q.....j..........E..Z...#>.....>...g{...t.....i1..Yk..@
m..v.Cf..)..7.....(.......$\.S.......>......a..r..N. ........o;>
...A..>...U...J'.....X....B.q..E....()..3. .... A".uss.;.......W...
..k-..zF.\`Qp?........\d..a..A.1....5......Z.H...M"tf.GM. .X[.YU...T..
_.lH......n@=1.5N....?Z...V>&."..Q$.....&.sS..Kq....].UySz=..3..$."
....".'.Iar\Y.WVt\....;[email protected])2!..xD7...T..Di.
v.RC`.m.8.\....J....h..uss.....p..)..O3.W....5....k...y.`^ ....&1..f".
.D.w.}.;D:d.F....p#... ......d...T..iU7n.;-hh..T..^P....U.....>...T
..m.^..fM....>..>d..Q..!....P1......7L...[.........;.>_W.

<<< skipped >>>

GET /__utm.gif?utmwv=5.5.3&utms=1&utmn=320095788&utmhn=VVV.poweriso.com&utmcs=windows-1252&utmsr=1024x768&utmvp=1004x615&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=11.6 r602&utmdt=Thank you for installing PowerISO!&utmhid=1155959389&utmr=-&utmp=/thankyou.htm&utmht=1404105600036&utmac=UA-26195659-1&utmcc=__utma=12986422.1178804117.1404105600.1404105600.1404105600.1;+__utmz=12986422.1404105600.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=q~ HTTP/1.1

Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.google-analytics.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Pragma: no-cache
Expires: Wed, 19 Apr 2000 11:43:00 GMT
Last-Modified: Wed, 21 Jan 2004 19:51:30 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Date: Fri, 20 Jun 2014 03:06:21 GMT
Server: Golfe2
Content-Length: 35
Age: 872019
Cache-Control: private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Alternate-Protocol: 80:quic
GIF89a.............,...........D..;..


GET /images/thank-you-bg1.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:20:00 GMT
Server: Apache/2.2.27
Last-Modified: Fri, 16 Mar 2012 13:24:43 GMT
ETag: "41d-4bb5c21a9bcc0"
Accept-Ranges: bytes
Content-Length: 1053
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/gif
GIF89a..............p..o..o.....q..p..r...."v..o.#w.!u..o.R......../..
F..G..J..'{.$x....%y.9..b..&z....{.....?.. t....1...n.0..H..B.....7..\
..... ........7.................;...t..s.8.....x.....r........O..:..^.
.......E..)~.5.. ...q./..,..&z.......-..[..V..A.....K..M..)}.(|..s.(}.
h..3..,..`.. [email protected]..............=..~.....X.....>..e.....4...
..S..U..Y...........I.....*............q.C..=..%x....n..Q..u..1.....4.
.l.....2.....'{.<..................................................
......................................................................
......................................................................
......................................................................
......................................................................
.................!.......,............I,X0.......8 ....|. @.....]B4h.@
.....dX.a.. X...s...-Nz`.........1d$...84......5 .D9.....&.T.B...A....
.F...A.l`..P ..tx8......v............f...R.D.....=..4A..B.;s:[email protected]
c&..s...B..M.....S.^......c..M.....s...........N...... _.......K.N....
..k..= .;
....



GET /images/blank.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:20:00 GMT
Server: Apache/2.2.27
Last-Modified: Thu, 22 Mar 2012 04:07:32 GMT
ETag: "2e-4bbcd0c116900"
Accept-Ranges: bytes
Content-Length: 46
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: image/gif
GIF89a.............!.......,.................;....



GET /images/check.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.poweriso.com/thankyou.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.poweriso.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 05:20:00 GMT
Server: Apache/2.2.27
Last-Modified: Fri, 16 Mar 2012 12:31:29 GMT
ETag: "410-4bb5b63492a40"
Accept-Ranges: bytes
Content-Length: 1040
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: image/gif
GIF89a......................s.[q.1...r.[.............................Y
|.>x.Y{.6..G{.Z..Yu.^w._v.[.....y..Es.Z..O..L.....N...........A..U.
.S......r.Y..B...r.Xs.E..Rv.9..=...t.Z..Nt.W.....K..i..p.....V..f..T..
....t.Vp.4..9x.`..}v.Z.....a.....Lt.0..Q..Sx.3v.R.....b..o..x}.V..}..X
..[.....f..D..Y..U..W...s.W..Gt.8...v.Y..`..K..s........Z..o..up.0o./.
.X..Nr./..?..B.........p.2w.\.....zv.?......y.=q.F..R......u.1z.>u.
4r.J..O..E........Lo..................................................
......................................................................
......................................................................
......................................................................
......................................................................
.................!.......,...............H......*\.P!.....T......$.$.F
E...4.t0%..-.jd.....=-.`..q..@DP.."2...flH(..a.....l.C..0o6 A.aG.6x.4.
..G.9^..I.... !.....E.@\.(.....'{...3cI.<...A ....Zx`@........)4.L.
[email protected]!.F.......... ^.......".1..!..:..)...L.......\.......;.
.


GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.conduit-services.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Last-Modified: Mon, 30 Jun 2014 08:19:50 GMT
Accept-Ranges: bytes
ETag: "f1bee9ba81a83e5496295efa26529c47"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 1115264
Cache-Control: private, max-age=900
Expires: Mon, 30 Jun 2014 05:34:50 GMT
Date: Mon, 30 Jun 2014 05:19:50 GMT
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7
.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7..........
[email protected]............@.
................................h.....................................
..............0...........`... .......................................
.....................................................text....g.......h
.................. ..`.rdata...............l..............@[email protected]...
[email protected]................................
...rsrc...0...........................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
...G..H.P.u..u..u...|[email protected][email protected].....@
..}[email protected]... M..........M........E...FQ.....NU..M
.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected][email protected][email protected] [email protected]..
...@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S..
...t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.

<<< skipped >>>
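Three things in the captures above matter more than the "thank you" page traffic: the NSIS inetc plugin's User-Agent that fires the ET POLICY rule in the IDS verdict, SPIdentifierImpl.exe being fetched over cleartext HTTP (an MZ body, no Content-Type, from an Akamai-fronted host) and then executed by the installer, and the POST to sp-installer.conduit-data.com that sends a machine_ID as a JSON body while declaring it as form data. The Python below is an added example, not part of the report or of Lavasoft's tooling: it parses raw HTTP exchanges and emits those three findings. The exchanges embedded in it are constructed and shortened from the captures; the machine_ID value is a placeholder.

```python
import json


def parse_http_message(raw):
    """Split a raw HTTP request or response into (start line, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_exchange(request_raw, response_raw, scheme="http"):
    """Return (kind, detail) findings for one request/response pair.
    scheme defaults to http because the capture above is plaintext."""
    req_line, req_h, req_body = parse_http_message(request_raw)
    _, resp_h, resp_body = parse_http_message(response_raw)
    method, target, _ = req_line.split(" ", 2)
    url = f"{scheme}://{req_h.get('host', '?')}{target}"
    findings = []

    # 1. Same condition as the ET POLICY rule in the IDS verdict: the NSIS
    #    inetc plugin's User-Agent, i.e. an installer fetching something itself.
    ua = req_h.get("user-agent", "")
    if ua.startswith("NSIS_Inetc"):
        findings.append(("POLICY", f"NSIS inetc download {method} {url} (User-Agent '{ua}')"))

    # 2. A PE image in the response body. Over cleartext HTTP anyone on the
    #    path can substitute it, and the installer runs what it receives.
    if resp_body.startswith(b"MZ"):
        ctype = resp_h.get("content-type", "<none>")
        findings.append(("EXE_DOWNLOAD",
                         f"PE image from {url} over {scheme} (Content-Type {ctype})"))

    # 3. JSON telemetry in a POST: report every non-empty *_ID field, and note
    #    when the body is JSON although the declared type says otherwise.
    if method == "POST":
        declared = req_h.get("content-type", "<none>")
        try:
            doc = json.loads(req_body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            doc = None
        if isinstance(doc, dict):
            ids = [k for k in doc if k.lower().endswith("_id") and doc[k]]
            if ids:
                note = "" if "json" in declared else f", body is JSON but declared as {declared}"
                findings.append(("TELEMETRY", f"POST {url} sends identifiers {ids}{note}"))
    return findings


def triage(exchanges):
    """Run inspect_exchange over a list of (request, response) pairs."""
    return [f for req, resp in exchanges for f in inspect_exchange(req, resp)]


# Constructed exchanges, shortened from the captures in the report; the
# machine_ID value is a placeholder, not the one the sample sent.
EXE_REQUEST = (b"GET /spidentifier/SPIdentifierImpl.exe HTTP/1.1\r\n"
               b"User-Agent: NSIS_Inetc (Mozilla)\r\n"
               b"Host: sp-storage.conduit-services.com\r\n"
               b"Connection: Keep-Alive\r\n\r\n")
EXE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.5\r\n"
                b"Content-Length: 1115264\r\n\r\n"
                b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode")
TELEMETRY_REQUEST = (b"POST / HTTP/1.1\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\n"
                     b"User-Agent: NSIS_Inetc (Mozilla)\r\n"
                     b"Host: sp-installer.conduit-data.com\r\n\r\n"
                     b'{"event_type":"SPidentifier","machine_ID":"PLACEHOLDER-ID",'
                     b'"result":"success","failure_reason":"clean_machine","carrier_ID":""}')
TELEMETRY_RESPONSE = b"HTTP/1.1 202 Accepted\r\nContent-Length: 0\r\n\r\n"
PAGE_REQUEST = (b"GET /thankyou.htm HTTP/1.1\r\n"
                b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
                b"Host: www.poweriso.com\r\n\r\n")
PAGE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><title>Thank you for installing PowerISO!</title></html>")

if __name__ == "__main__":
    for kind, detail in triage([(EXE_REQUEST, EXE_RESPONSE),
                                (TELEMETRY_REQUEST, TELEMETRY_RESPONSE),
                                (PAGE_REQUEST, PAGE_RESPONSE)]):
        print(f"[{kind}] {detail}")
```

The browser-style request to www.poweriso.com produces no finding, which is the point of the User-Agent distinction: the same host names appear in ordinary post-install traffic, so the rule keys on the installer's own HTTP client, not on the destination.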

The Trojan connects to the servers at the following location(s):

Strings from Dumps

PWRISOVM.EXE_388:

.Rich
.text
`.rdata
@.data
.rsrc
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
CCmdTarget
COMCTL32.DLL
CNotSupportedException
user32.dll
gdi32.dll
kernel32.dll
advapi32.dll
RegCreateKeyExW
shell32.dll
ShellExecuteExW
RegOpenKeyExW
RegDeleteKeyW
comdlg32.dll
winspool.drv
SetWindowsHookExW
RegOpenKeyW
msvfw32.dll
sensapi.dll
oledlg.dll
oleacc.dll
secur32.dll
avicap32.dll
winmm.dll
rasapi32.dll
mpr.dll
version.dll
unicows.dll
security.dll
ntdll.dll
GetWindowsDirectoryA
GetCPInfo
KERNEL32.dll
EnumWindows
UnhookWindowsHookEx
GetKeyState
USER32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
SetWindowsHookExA
unicows.dll not found!
.PAVCObject@@
.PAVCException@@
.PAVCSimpleException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
zcÁ
windows
KERNEL32.DLL
D*.umim
888g*  X(((P...RBBB`ccc
www.|||a
commctrl_DragListMsg
MSWHEEL_ROLLMSG
\\.\SCDEmuDev%d
Drive %d
The drive letter [%C:] is already in use. PowerISO will use [%C:] for this drive.
\\.\%c:
\Device\SCDEmu\SCDEmuCd%u
\\.\ :
%s (Error Code = %x, %x)
\\.\SCDEmuDev0
PowerISO Virtual Drive requires Windows 2000/XP or above operating systems.
Drive [%c:]
%d Drives
Unmount Drive [%c:]
Mount Image to Drive [%c:]
mount "%s" %C:
-ii1 -vunmount %d
PWRISOVM.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\%C\DefaultIcon
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\%C
\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\%C\DefaultIcon
Software\Microsoft\Windows\CurrentVersion\Run\
\Lang\*.lng
\PowerISO.chm::/Overview.htm
-evt %s
%s\PowerISO.exe -ii1 -hwnd %s
PE_xx
%s (%s)
*.isz
*.uif
*.bif
*.dmg
*.vcd
*.fcd
*.pxi
*.ncd
*.nrg
*.pdi
*.cif
*.cdi
*.img
*.lcd
*.bwi;*.b5i
*.ashdisc
*.mdf;*.mds
*.bin;*.cue
*.daa
*.iso
*.iso;*.daa;*.bin;*.cue;*.mdf;*.mds;*.ashdisc;*.bwi;*.b5i;*.lcd;*.img;*.cdi;*.cif;*.p01;*.pdi;*.nrg;*.ncd;*.pxi;*.gi;*.fcd;*.vcd;*.c2d;*.dmg;*.bif;*.uif;*.isz
\PowerISO.exe
http://www.poweriso.com
http://www.poweriso.com/order.htm
PowerISO.exe
http://www.winarchiver.com
%Program Files%\PowerISO\PWRISOVM.EXE
5, 9, 0, 0
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
#Unable to load mail system support.

iexplore.exe_1936:

%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nsjA.exe:440
    %original file name%.exe:1088
    regsvr32.exe:176
    regsvr32.exe:884
    PWRISOVM.EXE:388
    Setup.exe:432
    SPIdentifier.exe:224
    nss6.tmp.exe:1256

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\inetc.dll (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxC.tmp\SPtool.dll (49229 bytes)
    %Program Files%\SearchProtect\Main\rep\SystemRepository.dat (590 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (758 bytes)
    %Program Files%\Common Files\Setup.exe (43956 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iwdqkkj (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (47161 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO Virtual Drive Manager.lnk (1 bytes)
    %Program Files%\PowerISO\Readme.txt (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\PowerISO\Uninstall PowerISO.lnk (1 bytes)
    %Program Files%\PowerISO\PowerISO.chm (15536 bytes)
    %Program Files%\PowerISO\Lang\Slovak.lng (1856 bytes)
    %Program Files%\PowerISO\License.txt (3 bytes)
    %Program Files%\PowerISO\Lang\Urdu(Pakistan).lng (1856 bytes)
    %Program Files%\PowerISO\Lang\Lithuanian.lng (1552 bytes)
    %Documents and Settings%\All Users\Desktop\PowerISO.lnk (682 bytes)
    %Program Files%\PowerISO\Lang\TradChinese.lng (784 bytes)
    %Program Files%\PowerISO\Lang\Norsk.lng (1552 bytes)
    %Program Files%\PowerISO\Lang\italian.lng (1552 bytes)
    %Program Files%\PowerISO\Lang\Ukrainian.lng (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (288986 bytes)
    %Program Files%\PowerISO\libFLAC.dll (5520 bytes)
    %Program Files%\PowerISO\PowerISO.exe (85410 bytes)
    %Program Files%\PowerISO\Lang\Malay.lng (1856 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO Help.lnk (1 bytes)
    %Program Files%\PowerISO\Lang\Indonesian.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\Swedish.lng (1856 bytes)
    %Program Files%\PowerISO\lame_enc.dll (9320 bytes)
    %Program Files%\PowerISO\Lang\Japanese.lng (784 bytes)
    %Program Files%\PowerISO\Lang\Hungarian.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\Vietnamese.lng (1552 bytes)
    %Program Files%\PowerISO\Lang\czech.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\Greek.lng (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\System.dll (11 bytes)
    %Program Files%\PowerISO\Lang\Slovenian.lng (784 bytes)
    %Program Files%\PowerISO\Lang\German.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\SimpChinese.lng (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss6.tmp.exe (85410 bytes)
    %Program Files%\PowerISO\Lang\Bosnian.lng (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\InstOpt.dll (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sp-downloader.exe (2392 bytes)
    %Program Files%\PowerISO\Lang\Thai.lng (1552 bytes)
    %System%\drivers\scdemu.sys (3616 bytes)
    %Program Files%\PowerISO\Lang\Korean.lng (1552 bytes)
    %Program Files%\PowerISO\PWRISOSH.DLL (6360 bytes)
    %Program Files%\PowerISO\piso.exe (11 bytes)
    %Program Files%\PowerISO\PWRISOVM.EXE (12024 bytes)
    %Program Files%\PowerISO\Lang\Farsi.lng (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SPIdentifier.exe (1856 bytes)
    %Program Files%\PowerISO\uninstall.exe (2571 bytes)
    %Program Files%\PowerISO\Lang\Portuguese(Brazil).lng (1856 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\PowerISO\PowerISO.lnk (1 bytes)
    %Program Files%\PowerISO\Lang\Dutch.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\danish.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\Russian.lng (784 bytes)
    %Program Files%\PowerISO\Lang\Spanish.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\french.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\Armenian.lng (1552 bytes)
    %Program Files%\PowerISO\History.txt (7 bytes)
    %Program Files%\PowerISO\Lang\Azerbaijani.lng (1552 bytes)
    %Program Files%\PowerISO\Lang\Belarusian.lng (1856 bytes)
    %Program Files%\PowerISO\MACDll.dll (6584 bytes)
    %Program Files%\PowerISO\Lang\Serbian(cyrl).lng (1552 bytes)
    %Program Files%\PowerISO\Lang\Arabic.lng (1552 bytes)
    %Program Files%\PowerISO\Lang\Bulgarian.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\Polish.lng (1552 bytes)
    %Program Files%\PowerISO\Lang\croatian.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\kazakh.lng (1856 bytes)
    %Program Files%\PowerISO\Lang\Turkish.lng (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\SPIdentifierImpl[1].exe (64797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst9.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjA.exe (64797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp (2820 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PowerISO_Setup.txt (2 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PWRISOVM.EXE" = "%Program Files%\PowerISO\PWRISOVM.EXE -startup"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
