Trojan.Win32.Swrort.3_2b140f9d8c

by malwarelabrobot on December 25th, 2015 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 2b140f9d8cd365bf8522a5118d0b06ef
SHA1: 500604921e29e49301d1971a684e38791997b52f
SHA256: dd09ed45b658c0e639bb45198d9e9793797ac90a0203b35c323490ee476879c7
SSDeep: 1536:6pgpHzb9dZVX9fHMvG0D3XJcMsA84TbE/ rN5hsak32SDO:4gXdZt9P6D3XJcMle r9/SDO
Size: 57392 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

zcengine.exe:1284
zcengine.exe:1208
zcengine.exe:684
sc.exe:536
sc.exe:1632
poz.exe:2584
SchTasks.exe:2660
%original file name%.exe:944
setupfs_1123.exe:1940
zengine.exe:2036
zengine.exe:1968

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process zcengine.exe:1284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zcengine.log (434 bytes)

The process zcengine.exe:1208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\zcengine.log (83902 bytes)
%WinDir%\Temp\CertsIE.dat (12284 bytes)
%System%\zcengineOff.ini (784 bytes)
%System%\zcengine.ini (872 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\CertsIE.dat (0 bytes)

The process zcengine.exe:684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zcengine.log (759 bytes)

The process %original file name%.exe:944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I9SFMNGD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\setupfs_1123.exe (332214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01M9AVQ1\setupfs_4435[1].exe (332214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JMRO554\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\UAC.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01M9AVQ1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SVMBSZ6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ns3.tmp (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj1.tmp (0 bytes)
C:\setupfs_1123.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ns3.tmp (0 bytes)

The process setupfs_1123.exe:1940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\QuickSearch\zcinstaller.exe (5896 bytes)
%Program Files%\QuickSearch\uninstall.exe (1793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsE.tmp (6 bytes)
%Program Files%\QuickSearch\AZDLL64.exe (3704 bytes)
%Program Files%\QuickSearch\zcengine.dll (9984 bytes)
%Program Files%\QuickSearch\zcwfp64.sys (1552 bytes)
%Program Files%\QuickSearch\spw3016.exe (1856 bytes)
%Program Files%\QuickSearch\slite.exe (16288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\GetVersion.dll (6 bytes)
%Program Files%\QuickSearch\nssutil3.dll (5064 bytes)
%Program Files%\QuickSearch\ssl3.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns8.tmp (6 bytes)
%Program Files%\QuickSearch\out.txt (52 bytes)
%Program Files%\QuickSearch\libnspr4.dll (11048 bytes)
C:\END (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsC.tmp (6 bytes)
%Program Files%\QuickSearch\libplds4.dll (1552 bytes)
%Program Files%\QuickSearch\softokn3.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\inetc.dll (784 bytes)
%Program Files%\QuickSearch\poz.exe (4080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\pwgen.dll (784 bytes)
%Program Files%\QuickSearch\zcengine64.dll (11728 bytes)
%Program Files%\QuickSearch\zengine64.exe (9664 bytes)
%Program Files%\QuickSearch\zcwfp.sys (1552 bytes)
%Program Files%\QuickSearch\zengine.ini (116 bytes)
%Program Files%\QuickSearch\nssckbi.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsD.tmp (6 bytes)
%Program Files%\QuickSearch\zcengine.tlb (1856 bytes)
%Program Files%\QuickSearch\zengine.exe (17395 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsExec.dll (6 bytes)
%Program Files%\QuickSearch\freebl3.dll (11152 bytes)
%Program Files%\QuickSearch\smime3.dll (5064 bytes)
%Program Files%\QuickSearch\AZDLL64.dll (5184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (235157 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsA.tmp (6 bytes)
%Program Files%\QuickSearch\libplc4.dll (1552 bytes)
%Program Files%\QuickSearch\zcenginecert.dll (6056 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I9SFMNGD\ext[1].htm (2 bytes)
%Program Files%\QuickSearch\sqlite3.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns9.tmp (6 bytes)
%Program Files%\QuickSearch\nss3.dll (29256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsB.tmp (6 bytes)
%Program Files%\QuickSearch\zcengine.exe (72529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\System.dll (11 bytes)
%Program Files%\QuickSearch\nssdbm3.dll (6360 bytes)
%Program Files%\QuickSearch\AZDLL.dll (3744 bytes)

The Trojan deletes the following file(s):

%Program Files%\QuickSearch\0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns8.tmp (0 bytes)
%Program Files%\QuickSearch\poz.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\pwgen.dll (0 bytes)
%Program Files%\QuickSearch\out.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\GetVersion.dll (0 bytes)

The process zengine.exe:2036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lengine.ini.log (895 bytes)

The process zengine.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\zcengine.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lengine.ini.log (11803 bytes)

Registry activity

The process zcengine.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 AE F5 45 0D A5 CB 8C 66 38 B8 4E FA CA 4C 21"

The process zcengine.exe:1208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 90 B3 E6 8E 9A 26 02 B4 D6 06 4B 42 4F A5 6F"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6A6D0BE08DB130A0C56954B3C6E49ABC012AD569]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 6A 6D 0B E0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"6A6D0BE08DB130A0C56954B3C6E49ABC012AD569"

The process zcengine.exe:684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\zcengineLib.DataTable.1\CLSID]
"(Default)" = "{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}"

[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"

[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"

[HKCR\zcengineLib.DataTableFields.1]
"(Default)" = "DataTableFields Class"

[HKCR\Interface\{83E07061-02D1-41EC-8751-BB176B823C38}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\Interface\{3F8D3B31-AEB8-4ED7-8B05-5556068D6B54}]
"(Default)" = "IReadOnlyManager"

[HKCR\Interface\{3F8D3B31-AEB8-4ED7-8B05-5556068D6B54}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\zcengineLib.ReadOnlyManager\CurVer]
"(Default)" = "zcengineLib.ReadOnlyManager.1"

[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}]
"(Default)" = "DataTable Class"

[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\zcengine]
"(Default)" = "service"

[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"LocalService" = "zcengine"

[HKCR\Interface\{F7971E81-FC71-4659-8CCE-C903576E0924}]
"(Default)" = "IDataTable"

[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"kp1" = "0"

[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}]
"(Default)" = "DataTableFields Class"

[HKCR\zcengineLib.ReadOnlyManager.1]
"(Default)" = "ReadOnlyManager Class"

[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\Interface\{A471A4AA-5C18-429F-81BF-6C760941DB74}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{F2FB003D-07C7-4E4D-80E3-00B49468A6F4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\zcengineLib.LSPLogic\CLSID]
"(Default)" = "{4D4D0357-0376-4656-A040-65AC089E84A2}"

[HKCR\Interface\{6ED1EF08-DFF4-4252-8986-691D06C54131}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\zcengineLib.LSPLogic\CurVer]
"(Default)" = "zcengineLib.LSPLogic.1"

[HKCR\Interface\{F7971E81-FC71-4659-8CCE-C903576E0924}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{029AF757-A988-4BDD-A744-A4C7BCEBB011}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}]
"(Default)" = "DataContainer Class"

[HKCR\Interface\{074DCA49-F6A1-417F-B79E-D5E3ADC30330}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\Interface\{F2FB003D-07C7-4E4D-80E3-00B49468A6F4}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{024BF4C8-B53D-45B9-957F-D3BA9655FF39}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\Interface\{9F0948E7-227A-4F1B-9849-2D8912F185A7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\zcengineLib.LSPLogic]
"(Default)" = "LSPLogic Class"

[HKCR\Interface\{389562C4-59D9-40C4-966E-28DA91725FFE}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}\ProgID]
"(Default)" = "zcengineLib.DataTableFields.1"

[HKCR\Interface\{389562C4-59D9-40C4-966E-28DA91725FFE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{074DCA49-F6A1-417F-B79E-D5E3ADC30330}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C0A7C2B3-86D6-42AF-8221-79C9E4AD50BA}\TypeLib]
"Version" = "1.0"

[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"ServiceParameters" = "-Service"

[HKCR\Interface\{F2FB003D-07C7-4E4D-80E3-00B49468A6F4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{074DCA49-F6A1-417F-B79E-D5E3ADC30330}\TypeLib]
"Version" = "1.0"

[HKCR\zcengineLib.WFPController.1\CLSID]
"(Default)" = "{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}"

[HKCR\zcengineLib.WFPController]
"(Default)" = "WFPController Class"

[HKCR\zcengineLib.WFPController.1]
"(Default)" = "WFPController Class"

[HKCR\CLSID\{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"
"(Default)" = "DataTableHolder Class"

[HKCR\Interface\{6ED1EF08-DFF4-4252-8986-691D06C54131}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}\ProgID]
"(Default)" = "zcengineLib.DataContainer.1"

[HKCR\Interface\{00E3D575-A24C-4BBC-A708-BCDB8BBCA6C7}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\TypeLib\{029AF757-A988-4BDD-A744-A4C7BCEBB011}\1.0\HELPDIR]
"(Default)" = "%Program Files%\QuickSearch"

[HKCR\zcengineLib.DataContainer.1\CLSID]
"(Default)" = "{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}"

[HKCR\zcengineLib.DataController\CurVer]
"(Default)" = "zcengineLib.DataController.1"

[HKCR\zcengineLib.DataContainer]
"(Default)" = "DataContainer Class"

[HKCR\Interface\{83E07061-02D1-41EC-8751-BB176B823C38}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}\VersionIndependentProgID]
"(Default)" = "zcengineLib.DataController"

[HKCR\Interface\{3323765B-5B83-4406-841E-473DBA4B8F29}]
"(Default)" = "IParentalControl"

[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"

[HKCR\Interface\{9F0948E7-227A-4F1B-9849-2D8912F185A7}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"

[HKCR\zcengineLib.ReadOnlyManager]
"(Default)" = "ReadOnlyManager Class"

[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}\VersionIndependentProgID]
"(Default)" = "zcengineLib.DataContainer"

[HKCR\CLSID\{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"

[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\zcengineLib.DataTableHolder\CurVer]
"(Default)" = "zcengineLib.DataTableHolder.1"

[HKCR\zcengineLib.LSPLogic.1\CLSID]
"(Default)" = "{4D4D0357-0376-4656-A040-65AC089E84A2}"

[HKCR\Interface\{389562C4-59D9-40C4-966E-28DA91725FFE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{9F0948E7-227A-4F1B-9849-2D8912F185A7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6ED1EF08-DFF4-4252-8986-691D06C54131}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{074DCA49-F6A1-417F-B79E-D5E3ADC30330}]
"(Default)" = "IParentalControlController"

[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"

[HKCR\Interface\{024BF4C8-B53D-45B9-957F-D3BA9655FF39}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\Interface\{A471A4AA-5C18-429F-81BF-6C760941DB74}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}\ProgID]
"(Default)" = "zcengineLib.DataTableHolder.1"

[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"

[HKCR\Interface\{00E3D575-A24C-4BBC-A708-BCDB8BBCA6C7}]
"(Default)" = "IDataStatistics"

[HKCR\Interface\{F7971E81-FC71-4659-8CCE-C903576E0924}\TypeLib]
"Version" = "1.0"

[HKCR\zcengineLib.ReadOnlyManager\CLSID]
"(Default)" = "{F1BC674D-15D8-46C5-AC51-12AB16D67616}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 72 5F 2A 23 46 C2 F6 E8 A6 41 79 16 3D 5A DF"

[HKCR\Interface\{C0A7C2B3-86D6-42AF-8221-79C9E4AD50BA}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\Interface\{F7971E81-FC71-4659-8CCE-C903576E0924}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}]
"(Default)" = "LSPLogic Class"

[HKCR\AppID\zcengine.EXE]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"

[HKCR\zcengineLib.DataTable.1]
"(Default)" = "DataTable Class"

[HKCR\zcengineLib.DataContainer\CLSID]
"(Default)" = "{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}"

[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}\ProgID]
"(Default)" = "zcengineLib.LSPLogic.1"

[HKCR\Interface\{C0A7C2B3-86D6-42AF-8221-79C9E4AD50BA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{00E3D575-A24C-4BBC-A708-BCDB8BBCA6C7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3F8D3B31-AEB8-4ED7-8B05-5556068D6B54}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C0A7C2B3-86D6-42AF-8221-79C9E4AD50BA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\zcengineLib.DataTableFields]
"(Default)" = "DataTableFields Class"

[HKCR\zcengineLib.DataController]
"(Default)" = "DataController Class"

[HKCR\Interface\{389562C4-59D9-40C4-966E-28DA91725FFE}]
"(Default)" = "IDataTableFields"

[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"

[HKCR\Interface\{00E3D575-A24C-4BBC-A708-BCDB8BBCA6C7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\zcengineLib.DataTableHolder\CLSID]
"(Default)" = "{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}"

[HKCR\Interface\{3323765B-5B83-4406-841E-473DBA4B8F29}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{3323765B-5B83-4406-841E-473DBA4B8F29}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"

[HKCR\zcengineLib.ReadOnlyManager.1\CLSID]
"(Default)" = "{F1BC674D-15D8-46C5-AC51-12AB16D67616}"

[HKCR\Interface\{3323765B-5B83-4406-841E-473DBA4B8F29}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}\ProgID]
"(Default)" = "zcengineLib.ReadOnlyManager.1"

[HKCR\Interface\{6ED1EF08-DFF4-4252-8986-691D06C54131}]
"(Default)" = "IWatchDog"

[HKCR\zcengineLib.WFPController\CLSID]
"(Default)" = "{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}"

[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\zcengineLib.DataController.1\CLSID]
"(Default)" = "{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}"

[HKCR\Interface\{F7971E81-FC71-4659-8CCE-C903576E0924}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\zcengineLib.DataContainer.1]
"(Default)" = "DataContainer Class"

[HKCR\Interface\{C0A7C2B3-86D6-42AF-8221-79C9E4AD50BA}]
"(Default)" = "IDataContainer"

[HKCR\Interface\{3F8D3B31-AEB8-4ED7-8B05-5556068D6B54}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"InstallingUser" = "eABwADkAXABhAGQAbQAAAA=="

[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"

[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"

[HKCR\Interface\{024BF4C8-B53D-45B9-957F-D3BA9655FF39}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}]
"(Default)" = "WFPController Class"

[HKCR\Interface\{00E3D575-A24C-4BBC-A708-BCDB8BBCA6C7}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{83E07061-02D1-41EC-8751-BB176B823C38}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\zcengineLib.DataTableHolder.1\CLSID]
"(Default)" = "{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}"

[HKCR\zcengineLib.DataTableFields.1\CLSID]
"(Default)" = "{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}"

[HKCR\CLSID\{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}\VersionIndependentProgID]
"(Default)" = "zcengineLib.DataTableHolder"

[HKCR\TypeLib\{029AF757-A988-4BDD-A744-A4C7BCEBB011}\1.0]
"(Default)" = "acengine 1.0 Type Library"

[HKCR\CLSID\{9ECCDEFC-1C26-4BB3-B6DF-252672D9FFFA}\LocalServer32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.exe"

[HKCR\zcengineLib.DataTableFields\CurVer]
"(Default)" = "zcengineLib.DataTableFields.1"

[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}\ProgID]
"(Default)" = "zcengineLib.DataController.1"

[HKCR\Interface\{074DCA49-F6A1-417F-B79E-D5E3ADC30330}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"

[HKCR\Interface\{A471A4AA-5C18-429F-81BF-6C760941DB74}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\zcengineLib.DataTable\CurVer]
"(Default)" = "zcengineLib.DataTable.1"

[HKCR\zcengineLib.LSPLogic.1]
"(Default)" = "LSPLogic Class"

[HKCR\zcengineLib.DataTable\CLSID]
"(Default)" = "{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}"

[HKCR\zcengineLib.DataTableFields\CLSID]
"(Default)" = "{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}"

[HKCR\Interface\{024BF4C8-B53D-45B9-957F-D3BA9655FF39}]
"(Default)" = "ISSHController"

[HKCR\Interface\{6ED1EF08-DFF4-4252-8986-691D06C54131}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{024BF4C8-B53D-45B9-957F-D3BA9655FF39}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"

[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}\ProgID]
"(Default)" = "zcengineLib.WFPController.1"

[HKCR\CLSID\{3A8E009B-E66D-4016-87CF-EC57FA9A4BC1}\VersionIndependentProgID]
"(Default)" = "zcengineLib.WFPController"

[HKCR\Interface\{A471A4AA-5C18-429F-81BF-6C760941DB74}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4D4D0357-0376-4656-A040-65AC089E84A2}\VersionIndependentProgID]
"(Default)" = "zcengineLib.LSPLogic"

[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}]
"(Default)" = "DataController Class"

[HKCR\Interface\{F2FB003D-07C7-4E4D-80E3-00B49468A6F4}]
"(Default)" = "IWFPController"

[HKCR\Interface\{9F0948E7-227A-4F1B-9849-2D8912F185A7}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}\ProgID]
"(Default)" = "zcengineLib.DataTable.1"

[HKCR\Interface\{3323765B-5B83-4406-841E-473DBA4B8F29}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"(Default)" = "zcengine"

[HKCR\zcengineLib.DataContainer\CurVer]
"(Default)" = "zcengineLib.DataContainer.1"

[HKCR\zcengineLib.DataTableHolder]
"(Default)" = "DataTableHolder Class"

[HKCR\CLSID\{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\TypeLib\{029AF757-A988-4BDD-A744-A4C7BCEBB011}\1.0\0\win32]
"(Default)" = "%Program Files%\QuickSearch\zcengine.tlb"

[HKCR\Interface\{389562C4-59D9-40C4-966E-28DA91725FFE}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\zcengineLib.DataController\CLSID]
"(Default)" = "{89E46EA6-2F87-4D79-8FFA-8B264F93F54A}"

[HKCR\Interface\{3F8D3B31-AEB8-4ED7-8B05-5556068D6B54}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{F2FB003D-07C7-4E4D-80E3-00B49468A6F4}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\zcengineLib.DataTable]
"(Default)" = "DataTable Class"

[HKCR\zcengineLib.DataTableHolder.1]
"(Default)" = "DataTableHolder Class"

[HKCR\Interface\{83E07061-02D1-41EC-8751-BB176B823C38}]
"(Default)" = "IDataController"

[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}]
"AppID" = "{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}"

[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}]
"(Default)" = "ReadOnlyManager Class"

[HKCR\zcengineLib.DataController.1]
"(Default)" = "DataController Class"

[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\Interface\{83E07061-02D1-41EC-8751-BB176B823C38}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{34EBA76A-E745-4B18-96C9-2B8E2BA8B246}\TypeLib]
"(Default)" = "{029AF757-A988-4BDD-A744-A4C7BCEBB011}"

[HKCR\Interface\{9F0948E7-227A-4F1B-9849-2D8912F185A7}]
"(Default)" = "ILSPLogic"

[HKCR\Interface\{A471A4AA-5C18-429F-81BF-6C760941DB74}]
"(Default)" = "IDataTableHolder"

[HKCR\zcengineLib.WFPController\CurVer]
"(Default)" = "zcengineLib.WFPController.1"

[HKCR\CLSID\{F811C371-1DC7-4E2F-8676-D96B85BE4AF1}\VersionIndependentProgID]
"(Default)" = "zcengineLib.DataTable"

[HKCR\CLSID\{F1BC674D-15D8-46C5-AC51-12AB16D67616}\VersionIndependentProgID]
"(Default)" = "zcengineLib.ReadOnlyManager"

[HKCR\CLSID\{6D5AF218-5F7E-40E0-B49D-54FFAFE2001A}\VersionIndependentProgID]
"(Default)" = "zcengineLib.DataTableFields"

The Trojan deletes the following value(s) in system registry:

[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"KomodiaParameters1"

[HKLM\System\CurrentControlSet\Services\zcengine]
"NoCom"

[HKCR\AppID\{9F2949D6-977B-4B61-B513-0C2EE52C2B4F}]
"LocalService"

The process sc.exe:536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 04 82 B7 92 63 72 C6 41 24 8E 6A 3F 4B A8 75"

The process sc.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 45 47 BC DE 32 84 8E FB 3F 1E E5 FC 79 BE B6"

The process poz.exe:2584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 7E C3 76 49 73 55 48 04 75 5A D8 1A 20 8B 77"

The process SchTasks.exe:2660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 E9 A0 99 A4 C8 B0 66 DE A3 AB C4 68 A9 81 FF"

The process %original file name%.exe:944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 5E B5 93 5A 0B 89 BE 37 1D 3E 1E 66 D4 90 B2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots, and which are not otherwise assigned to a zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process setupfs_1123.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\QuickSearch\Components]
"Main" = "1"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp\nsProcess.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\QuickSearch]
"ver" = "3.0.1.6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\QuickSearch]
"Path" = "%Program Files%\QuickSearch"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\QuickSearch]
"affid" = "1123"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 14 18 EC A8 35 42 F0 AA AD 94 1B D9 C0 05 77"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\QuickSearch]
"UID" = "75ED9567AA584C8EA8EA3CAD7C47AB03"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all local web nodes with no dots in their name that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process zengine.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 31 90 BE D7 17 48 A3 88 C4 CD 54 6A C5 49 D4"

The process zengine.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA B4 90 46 CB 76 80 2E D4 D2 4C 4A D6 96 05 14"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Num_Catalog_Entries" = "14"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "12"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
"PackedCatalogItem" = "43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1021"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000C]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000B]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000E]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\0000000D]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]

Dropped PE files

MD5 File path
05450face243b3a7472407b999b03a72 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw6.tmp\nsProcess.dll
227edfeeac94d640320bab9ba86c0196 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\01M9AVQ1\setupfs_4435[1].exe
f4ce39b055fd011a17f71d09baef2ef8 c:\Program Files\QuickSearch\AZDLL.dll
cff77090b485bb16093678614b578820 c:\Program Files\QuickSearch\AZDLL64.dll
f32ab5cb40ff403b0576ffc9cae61caf c:\Program Files\QuickSearch\AZDLL64.exe
87ec6937769621f29736e4358077c8cd c:\Program Files\QuickSearch\freebl3.dll
74485152d7f2c06fe413f48c7da4ff33 c:\Program Files\QuickSearch\libnspr4.dll
08bacf2967fd8ea468c69f6e8d31b914 c:\Program Files\QuickSearch\libplc4.dll
56c1c79274ef5728b1f50986a5a8f22e c:\Program Files\QuickSearch\libplds4.dll
9721a913f9a997a62c532d72ed3e7b8d c:\Program Files\QuickSearch\nss3.dll
ba406d87af2f892c1b59628899fbcb10 c:\Program Files\QuickSearch\nssckbi.dll
56c619b8135d1fbe8386800020fe7696 c:\Program Files\QuickSearch\nssdbm3.dll
08b59a1793e8cd6fb085271650f8b5d0 c:\Program Files\QuickSearch\nssutil3.dll
8d03b10f0dced524a88a3ff4b370f50d c:\Program Files\QuickSearch\slite.exe
88f553be556ae62c59b3a3fbea81987e c:\Program Files\QuickSearch\smime3.dll
5ecb1c6033d08a9277df748f6272d6a2 c:\Program Files\QuickSearch\softokn3.dll
6cba9fe251b78db6ae8c46f851244141 c:\Program Files\QuickSearch\spw3016.exe
18a54a743d683a0dc40c65155d108608 c:\Program Files\QuickSearch\sqlite3.dll
bf203215a99a7b24f0481003e91ffa65 c:\Program Files\QuickSearch\ssl3.dll
8de2f3879c867dbfde7780d5b849c223 c:\Program Files\QuickSearch\uninstall.exe
1894e3fb9c90fa3a238076f28839eadd c:\Program Files\QuickSearch\zcengine.dll
7bf0de4c88daf2dbbb99d26cba6e0042 c:\Program Files\QuickSearch\zcengine.exe
f539a593f3a793b659f84236b7ac14c7 c:\Program Files\QuickSearch\zcengine64.dll
f10d05a6264e55443a96b311f2da003d c:\Program Files\QuickSearch\zcenginecert.dll
a187767d9b561e9864ebd0faec8e1eac c:\Program Files\QuickSearch\zcinstaller.exe
04dfc579947f4b98944d0c117bed393f c:\Program Files\QuickSearch\zcwfp.sys
69dc57b6a37a50328c8980cc5021d7dc c:\Program Files\QuickSearch\zcwfp64.sys
39adb8287d5ca0ae1059b9665624af43 c:\Program Files\QuickSearch\zengine.exe
dd45f06354ebd07fda123cf0c880e91e c:\Program Files\QuickSearch\zengine64.exe
1894e3fb9c90fa3a238076f28839eadd c:\WINDOWS\system32\zcengine.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 40960 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 233472 2528 2560 3.12457 af5f0ea142ea650416afc03d4547aebc

Dropped from:

3117f416905582f23f49d25c1be8c5a6

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 23

URLs

URL IP
hxxp://www.flowsurf.net/setupfs_1123.exe 82.165.149.116
hxxp://www.flowsurf.net/setupfs_4435.exe 82.165.149.116
hxxp://www.kljlkjasdasdlmkmmk23443.com/s.php?i=a344e2cc15dfd82af6579b66c543039d&a=1 46.101.48.130


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE Possible Windows executable sent when remote host claims to send html content

Traffic

GET /setupfs_1123.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.flowsurf.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 24 Dec 2015 06:44:30 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: hXXp://VVV.flowsurf.net/setupfs_4435.exe
<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..



GET /setupfs_4435.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.flowsurf.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 24 Dec 2015 06:44:30 GMT
Content-Type: application/octet-stream
Content-Length: 5355188
Last-Modified: Mon, 07 Dec 2015 20:54:29 GMT
Connection: keep-alive
ETag: "5665f205-51b6b4"
Accept-Ranges: bytes

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

zcengine.exe_1208:

.text
`.rdata
@.data
.idata
.rsrc
@.reloc
l.dlf
xSSSh
FTPjKS
FtPj;S
C.PjRV
03319CCE-99CA-442D-B70F-1BB522848CE0
B74DEAEF-B834-486D-86EE-BB151FC7A989
F4C04932-3E63-4f27-BDDD-BB22870A181A
GetProcessWindowStation
operator
portuguese-brazilian
c:\dev\OutSourcing\KinnerLake\Spoofer\PCProxyWin\Release\PCProxyWin.pdb
%Program Files%\QuickSearch\zcengine.exe
KERNEL32.dll
GetProcessHeap
GetCPInfo
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
!4.42474
= =<=@=`=
mscoree.dll
KERNEL32.DLL
ADVAPI32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
zcengine.exe
3.0.0.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    zcengine.exe:1284
    zcengine.exe:1208
    zcengine.exe:684
    sc.exe:536
    sc.exe:1632
    poz.exe:2584
    SchTasks.exe:2660
    %original file name%.exe:944
    setupfs_1123.exe:1940
    zengine.exe:2036
    zengine.exe:1968

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\zcengine.log (434 bytes)
    %WinDir%\Temp\zcengine.log (83902 bytes)
    %WinDir%\Temp\CertsIE.dat (12284 bytes)
    %System%\zcengineOff.ini (784 bytes)
    %System%\zcengine.ini (872 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I9SFMNGD\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\setupfs_1123.exe (332214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01M9AVQ1\setupfs_4435[1].exe (332214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JMRO554\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\UAC.dll (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01M9AVQ1\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SVMBSZ6F\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\ns3.tmp (6 bytes)
    %Program Files%\QuickSearch\zcinstaller.exe (5896 bytes)
    %Program Files%\QuickSearch\uninstall.exe (1793 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsE.tmp (6 bytes)
    %Program Files%\QuickSearch\AZDLL64.exe (3704 bytes)
    %Program Files%\QuickSearch\zcengine.dll (9984 bytes)
    %Program Files%\QuickSearch\zcwfp64.sys (1552 bytes)
    %Program Files%\QuickSearch\spw3016.exe (1856 bytes)
    %Program Files%\QuickSearch\slite.exe (16288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\GetVersion.dll (6 bytes)
    %Program Files%\QuickSearch\nssutil3.dll (5064 bytes)
    %Program Files%\QuickSearch\ssl3.dll (8184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns7.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns8.tmp (6 bytes)
    %Program Files%\QuickSearch\out.txt (52 bytes)
    %Program Files%\QuickSearch\libnspr4.dll (11048 bytes)
    C:\END (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsC.tmp (6 bytes)
    %Program Files%\QuickSearch\libplds4.dll (1552 bytes)
    %Program Files%\QuickSearch\softokn3.dll (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\inetc.dll (784 bytes)
    %Program Files%\QuickSearch\poz.exe (4080 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\pwgen.dll (784 bytes)
    %Program Files%\QuickSearch\zcengine64.dll (11728 bytes)
    %Program Files%\QuickSearch\zengine64.exe (9664 bytes)
    %Program Files%\QuickSearch\zcwfp.sys (1552 bytes)
    %Program Files%\QuickSearch\zengine.ini (116 bytes)
    %Program Files%\QuickSearch\nssckbi.dll (14184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsD.tmp (6 bytes)
    %Program Files%\QuickSearch\zcengine.tlb (1856 bytes)
    %Program Files%\QuickSearch\zengine.exe (17395 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsExec.dll (6 bytes)
    %Program Files%\QuickSearch\freebl3.dll (11152 bytes)
    %Program Files%\QuickSearch\smime3.dll (5064 bytes)
    %Program Files%\QuickSearch\AZDLL64.dll (5184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (235157 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsProcess.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsA.tmp (6 bytes)
    %Program Files%\QuickSearch\libplc4.dll (1552 bytes)
    %Program Files%\QuickSearch\zcenginecert.dll (6056 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I9SFMNGD\ext[1].htm (2 bytes)
    %Program Files%\QuickSearch\sqlite3.dll (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\ns9.tmp (6 bytes)
    %Program Files%\QuickSearch\nss3.dll (29256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\nsB.tmp (6 bytes)
    %Program Files%\QuickSearch\zcengine.exe (72529 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp\System.dll (11 bytes)
    %Program Files%\QuickSearch\nssdbm3.dll (6360 bytes)
    %Program Files%\QuickSearch\AZDLL.dll (3744 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lengine.ini.log (895 bytes)
    %System%\zcengine.dll (1281 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
