Trojan.Win32.IEDummy_d9ab9d8eb2

by malwarelabrobot on January 15th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Win32.IEDummy.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: d9ab9d8eb2d22a3f7c963ad85820e3e8
SHA1: 51498939c35de888b276b7d9d8c50f0a2b743982
SHA256: 973dd8be122f30dc55dee68ab3181de4e4300978c7378c5dfb27cf51f336d67f
SSDeep: 12288:Of/FKd0qjZnE72HITZuge0t UEwuLKTmjiKCg246npx rP:OHLq9nE72HITfe0TEwGWKCg2QP
Size: 710634 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-07 10:46:10
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

4e5d8.tmp:1648
%original file name%.exe:452
%original file name%.exe:1480
4e80a.exe:1324
Reader_sl.exe:1064
wuauclt.exe:344
regsvr32.exe:368
jusched.exe:1056

The Trojan injects its code into the following process(es):

iexplore.exe:1796

File activity

The process 4e5d8.tmp:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4e80a.exe (1613 bytes)
C:\%original file name%.exe (1649 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\4e5d8.tmp (4545 bytes)

The process %original file name%.exe:1480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Favorites\¿¬°á\¼­Ä¡¹ÙÀ̹Ì.url (95 bytes)
%Documents and Settings%\%current user%\Favorites\¼­Ä¡¹ÙÀÌ¹Ì - ³»°¡ ¸¸µé¾î°¡´Â °Ë»öÇü ºí·Î±×.url (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\alive[1].htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\searchbyme[1].ico (158104 bytes)
%Documents and Settings%\%current user%\Desktop\¼­Ä¡¹ÙÀ̹Ì.url (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\lua[1].htm (23957 bytes)
%WinDir%\searchbyme.ico (158104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\cnf[1].htm (5068 bytes)

The process 4e80a.exe:1324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings% (4 bytes)
C:\ (4 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (18 bytes)
%System%\version.dll (58 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Ut2DbehHu.dll (119 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\post[1].htm (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
%System%\config\SOFTWARE.LOG (12486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FA7B8U8a.dll (119 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
%System%\drivers\00b60331.sys (72 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\drivers (32 bytes)
%WinDir% (192 bytes)
%System%\drivers\7c1d36b7.sys (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\desktop.ini (67 bytes)
%Program Files%\Java\jre6\bin (196 bytes)
%System%\vorsion.dll (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (8657 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Program Files%\Wireshark (16 bytes)
C:\$Directory (1736 bytes)
%System%\wbem (1152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\desktop.ini (67 bytes)
%Program Files%\Wireshark\snmp\mibs (32 bytes)
%System%\kerogod.dll (9606 bytes)
%System%\config\software (5467 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\desktop.ini (67 bytes)
%Documents and Settings%\%current user% (4 bytes)
%System% (8840 bytes)
%Documents and Settings%\%current user%\Cookies (8 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%System%\drivers\7c1d36b7.sys (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\post[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

The process wuauclt.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process iexplore.exe:1796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\R95x72[2].png (1986 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\txt_todaypost[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\btn_bf[1].gif (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\default_img7[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\bg_footer[1].gif (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\ad_ico[1].gif (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\R95x72[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\btn_nx[1].gif (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\R95x72[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\logo[1].gif (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\20140114b_12_1_351[1].jpg (21957 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\default_img12[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\txt_gallery[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\bg_header1[1].gif (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\txt_hottag[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\default_img8[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\C2O3ODK0MTATQ0JGNEMZNUITMC05NJAUANBN[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\logo2[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\btn_more[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\R95x72[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\search[1].htm (5579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\search[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\jquery[1].js (38896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\main[1].css (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\external[1] (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\txt_footer2_1[1].gif (667 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\txt_footer4[1].gif (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\txt_footer3[1].gif (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\tab_bg[1].jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\search[1].css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\sub[1].css (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\hotblog_bg[1].gif (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\blog.candyfind[1].htm (542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\default_img14[1].jpg (964 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)

The process jusched.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

Registry activity

The process 4e5d8.tmp:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4e5d8.tmp,"

The process %original file name%.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 CD FB CE F9 AE CF A1 B2 AE C9 AA 1B 80 FC 80"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\BTIcon]
"sidebar_loaddate" = "1-14"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\BTIcon]
"ext" = "A25BD2DA31FC4EB545CA0A57C0378AE69534BA358E28D49EF84D0F3A0FC9B57808681CF36A54C4236E4280942B2394A76D46CC50BD0E6C810E156D81273B5F13EA5457624C068F950D2A2F61EDD50D3440F5B4F1F590F51783548CB0D6584C89BD32FF9ED99C08379FFAB98C91FB82C482C0404069369CEEA4F0AB1F05E1651DAAE13177C9ABDD7A27792DFBF8B9C7209D9527999891A6E66B28A7F68FA532FB9FA8004CADF8486F1B6BF55A451CEF4F696683FD5906AFD0DA6E2BC618FD06F4E6FFCF6368089C7E437CFF3532E7CE76652991A1843F4F0A8DA6807EBCFF18F7AAD7A622C4D7A3EFED035E158E079679B075D5644CF1DA835C3D419DC41454D212846B7E2761BFB7F2C4873995CDC05876F956B2A8D5F681B9AAB77D37309C93F75577AFD44BEB548E0DFF9E315A069A6A6B900D28D06D442BC18CFFDB45B1CB856C5318B43D584FF3011477D32B396DA9DD3EA2E8E7F8F5B12CCC18747E0DA30F389F3A57E20094E327BC2065B8D71777DB924C6A0DAE7ECD21C10757B3809A5B0BC78860E8DC596118988410D4498BA6F8116376DA1C71EEB69BF83FF7265CE8569B5D8628CC2A108C2E2E7502CA4873F03CB7BB3CB9543A76F98B4F18CAE31591C6E0435F7102720B722C7360B33A1F3CA339A2DA51AA5FD63CEA6A36B360F3E584D4F1562953"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 4e80a.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4e5d8.tmp, , \??\%System%\He7u, \??\%System%\He7u"

[HKCR\CLSID\HOOK_ID]
"name" = "4e80a.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 62 60 E5 F5 4F A4 C6 69 25 67 EB 37 7C 7C CF"

[HKCR\CLSID\SYS_DLL]
"name" = "Ut2DbehHu.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process iexplore.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\iexplore]
"Time" = "DE 07 01 00 02 00 0E 00 05 00 33 00 22 00 D8 03"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Type" = "4"
"Count" = "10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links]
"Order" = "08 00 00 00 02 00 00 00 00 02 00 00 01 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014011420140115]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Type" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU]
"MRUListEx" = "01 00 00 00 00 00 00 00 03 00 00 00 02 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU]
"NodeSlots" = "02 02 02 02 02 02 02 02 02 02"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Internet Explorer\Toolbar]
"Locked" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014011420140115]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore]
"Time" = "DE 07 01 00 02 00 0E 00 05 00 33 00 23 00 42 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014011420140115]
"CachePrefix" = ":2014011420140115:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Count" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\iexplore]
"Type" = "3"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Window_Placement" = "2C 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014011420140115]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore]
"Time" = "DE 07 01 00 02 00 0E 00 05 00 33 00 23 00 42 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\iexplore]
"Count" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 72 A8 D4 51 96 11 08 A2 63 3E AE BD 46 26 69"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014011420140115]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014011420140115\"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\IEHelper.IEHlprObj\CurVer]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\0\win32]
"(Default)" = "%System%\kerogod.dll"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\ProgID]
"(Default)" = "IEHelper.IEHlprObj.1"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}]
"(Default)" = "IEHlprObj Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\IEHelper.IEHlprObj]
"(Default)" = "IEHlprObj Class"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\InprocServer32]
"(Default)" = "%System%\kerogod.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCR\IEHelper.IEHlprObj\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKCR\IEHelper.IEHlprObj.1]
"(Default)" = "IEHlprObj Class"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\IEHelper.IEHlprObj.1\CLSID]
"(Default)" = "{DAF9F01C-30F0-4A52-AF52-E236961977F4}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 27 53 31 A8 5E 7E BF 3F FB 50 57 CA C8 71 83"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}]
"(Default)" = "IIEHlprObj"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKCR\TypeLib\{D42047D9-38C2-4FD1-8337-F69C8F835A30}\1.0]
"(Default)" = "IEHelper 1.0 Type Library"

[HKCR\Interface\{C0BEBABF-1785-4075-8C4D-8FEE7833D3CD}\TypeLib]
"(Default)" = "{D42047D9-38C2-4FD1-8337-F69C8F835A30}"

[HKCR\CLSID\{DAF9F01C-30F0-4A52-AF52-E236961977F4}\VersionIndependentProgID]
"(Default)" = "IEHelper.IEHlprObj"

Network activity (URLs)

URL IP
hxxp://lb1.www.ms.akadns.net/
hxxp://m.batangicon.net/alive.php?client= 218.149.84.44
hxxp://m.batangicon.net/config.php?client=
hxxp://m.batangicon.net/cls.php?client=
hxxp://c.batangicon.net/log_progress.php?client=&action=load&target=1 211.110.214.22
hxxp://m.batangicon.net/ext.php?client=
hxxp://m.batangicon.net/fdwn/icon/searchbyme.ico
hxxp://m.batangicon.net/lua.php
hxxp://m.batangicon.net/inf_c.php?k=19
hxxp://m.batangicon.net/inf_d.php?k=19
www.microsoft.com 1.103.192.54


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\00b60331.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

The Trojan installs the following kernel-mode hooks:

ZwCreateFile

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    4e5d8.tmp:1648
    %original file name%.exe:452
    %original file name%.exe:1480
    4e80a.exe:1324
    wuauclt.exe:344
    regsvr32.exe:368

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\4e80a.exe (1613 bytes)
    C:\%original file name%.exe (1649 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4e5d8.tmp (4545 bytes)
    %Documents and Settings%\%current user%\Favorites\¿¬°á\¼­Ä¡¹ÙÀ̹Ì.url (95 bytes)
    %Documents and Settings%\%current user%\Favorites\¼­Ä¡¹ÙÀÌ¹Ì - ³»°¡ ¸¸µé¾î°¡´Â °Ë»öÇü ºí·Î±×.url (95 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\alive[1].htm (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\searchbyme[1].ico (158104 bytes)
    %Documents and Settings%\%current user%\Desktop\¼­Ä¡¹ÙÀ̹Ì.url (95 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\lua[1].htm (23957 bytes)
    %WinDir%\searchbyme.ico (158104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\cnf[1].htm (5068 bytes)
    %System%\wbem\Logs (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\D1.zip (18 bytes)
    %System%\version.dll (58 bytes)
    %WinDir%\WinSxS (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Ut2DbehHu.dll (119 bytes)
    %WinDir%\AppPatch (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\post[1].htm (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\B1.zip (19 bytes)
    %System%\config\SOFTWARE.LOG (12486 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FA7B8U8a.dll (119 bytes)
    %WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\A1.zip (19 bytes)
    %System%\drivers\00b60331.sys (72 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    %System%\drivers\7c1d36b7.sys (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\desktop.ini (67 bytes)
    %Program Files%\Java\jre6\bin (196 bytes)
    %System%\vorsion.dll (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ahnmove.bat (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
    %WinDir%\SoftwareDistribution (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\C1.zip (18 bytes)
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (8657 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
    %Program Files%\Wireshark (16 bytes)
    C:\$Directory (1736 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\desktop.ini (67 bytes)
    %Program Files%\Wireshark\snmp\mibs (32 bytes)
    %System%\kerogod.dll (9606 bytes)
    %System%\config\software (5467 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies (8 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\R95x72[2].png (1986 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\txt_todaypost[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\btn_bf[1].gif (328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\default_img7[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\bg_footer[1].gif (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\ad_ico[1].gif (866 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\R95x72[1].png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\btn_nx[1].gif (330 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\R95x72[1].png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\logo[1].gif (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\20140114b_12_1_351[1].jpg (21957 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\default_img12[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\txt_gallery[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\bg_header1[1].gif (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\txt_hottag[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\default_img8[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\C2O3ODK0MTATQ0JGNEMZNUITMC05NJAUANBN[1].jpg (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\logo2[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\btn_more[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\R95x72[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\search[1].htm (5579 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\search[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\jquery[1].js (38896 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\main[1].css (1417 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\external[1] (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C25GY98O\txt_footer2_1[1].gif (667 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\txt_footer4[1].gif (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\txt_footer3[1].gif (466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\tab_bg[1].jpg (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\search[1].css (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8N4TA9KX\sub[1].css (961 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\hotblog_bg[1].gif (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IRQZI34P\blog.candyfind[1].htm (542 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CH4CALPG\default_img14[1].jpg (964 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now