ZeroAccess_0412d082bf

by malwarelabrobot on December 24th, 2015 in Malware Descriptions.

Susp_Dropper (Kaspersky), ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0412d082bf67dcce374758bfd571fd4b
SHA1: d2ee614a21d08579e29c46bdffbb8b28e7c6cc2a
SHA256: 66ea8a2f64296054579939c22bf82ae2dd31e7b18c172401d23f8b464c7f57f0
SSDeep: 49152:Ji0bIMuJRKsBFzl44J1uC0dTO1Psqe/VIgU:kFJosBFzRJ5
Size: 2555904 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-12-01 00:27:07
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

AdobeARMHelper.exe:1612
AdobeARM.exe:396
%original file name%.exe:1328

The Trojan injects its code into the following process(es):

lWEUMcgA.exe:2016
UOYUAYsk.exe:600
uyoUsggM.exe:700

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process AdobeARMHelper.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.log (503 bytes)

The process AdobeARM.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ArmUI.ini (185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.log (1065 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ArmUI.ini (0 bytes)

The process uyoUsggM.exe:700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\YuogIoUc\xssa.exe (16191 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (16582 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Zcgy.exe (16395 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (22336 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\IYMa.exe (16407 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vEIK.exe (16371 bytes)
%Documents and Settings%\%current user%\YuogIoUc\FoUM.exe (16379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ooom.exe (16448 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LkkC.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WMUM.exe (14755 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SgAU.exe (16730 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (15278 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XMkq.exe (15954 bytes)
%Documents and Settings%\%current user%\YuogIoUc\mAso.exe (46067 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ooYS.exe (17396 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZUgu.exe (16354 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SoUQ.exe (16379 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (45817 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TckQ.exe (16436 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dwMs.exe (16330 bytes)
%Documents and Settings%\%current user%\YuogIoUc\PAgu.exe (17145 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gQIu.exe (15332 bytes)
%Documents and Settings%\%current user%\YuogIoUc\loou.exe (16383 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (15278 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XwEy.exe (16428 bytes)
C:\totalcmd\TCUNINST.EXE.exe (15506 bytes)
C:\totalcmd\TcUsbRun.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WQQC.exe (23365 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gQgA.exe (16399 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MYsw.exe (15344 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kYAS.exe (16424 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sAwS.exe (14726 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VkEQ.exe (16366 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\yIQI.exe (15938 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (15278 bytes)
C:\totalcmd\TCMDX32.EXE.exe (15799 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sMQw.exe (16746 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iAEs.exe (15035 bytes)
%Documents and Settings%\%current user%\YuogIoUc\CYMo.exe (18411 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Qgoe.exe (16763 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kIwY.exe (16061 bytes)
%Documents and Settings%\%current user%\YuogIoUc\NMcG.exe (16048 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qswo.exe (16430 bytes)
%Documents and Settings%\%current user%\YuogIoUc\pkAi.exe (16387 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BcMG.exe (16420 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (16582 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BEAw.exe (16330 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iQQC.exe (18379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zAAY.exe (16383 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HsYG.exe (15982 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (15799 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\EgMy.exe (16407 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jcwa.exe (18354 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jcgI.exe (16444 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wYUC.exe (16730 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MwEM.exe (16015 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (15506 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Dkoy.exe (15828 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Jgwg.exe (16403 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JsoQ.exe (20152 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (15278 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dsIw.exe (16391 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (15799 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SQwk.exe (16379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eUgg.exe (17196 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JYIQ.exe (16379 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qwIk.exe (16350 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UwEc.exe (17359 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Dgco.exe (16925 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (16158 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RIsI.exe (36846 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nsMS.exe (14554 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sEkA.exe (16081 bytes)
%Documents and Settings%\%current user%\YuogIoUc\foYI.exe (14742 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HoEu.exe (17130 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BMAO.exe (15974 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (17627 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (20504 bytes)
%Documents and Settings%\All Users\KAYc.txt (55978 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kwwY.exe (15950 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vsYS.exe (15496 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (15506 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (15506 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\YuogIoUc\xssa.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Zcgy.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\IYMa.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vEIK.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\FoUM.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ooom.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\LkkC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WMUM.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SgAU.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\wYUC.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\mAso.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ooYS.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\ZUgu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SoUQ.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\NMcG.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dwMs.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\PAgu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gQIu.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XwEy.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\WQQC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\gQgA.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MYsw.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kYAS.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sAwS.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\VkEQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\yIQI.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\MwEM.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\TckQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sMQw.exe (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iAEs.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\CYMo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Qgoe.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qswo.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\pkAi.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BcMG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BEAw.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\iQQC.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\zAAY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\sEkA.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Dkoy.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\EgMy.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jcwa.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\loou.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\vsYS.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\XMkq.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HsYG.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Jgwg.exe (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JsoQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\dsIw.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\SQwk.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\eUgg.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\JYIQ.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\qwIk.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\UwEc.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\RIsI.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\nsMS.exe (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\HoEu.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\BMAO.exe (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kwwY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\jcgI.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\Dgco.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\kIwY.exe (0 bytes)
%Documents and Settings%\%current user%\YuogIoUc\foYI.exe (0 bytes)

The process %original file name%.exe:1328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe (14803 bytes)
%Documents and Settings%\All Users\NSIsgYEw\lWEUMcgA.exe (14803 bytes)
%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe (14803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AdobeARMHelper.exe (1634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dWscgEwY.bat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dWscgEwY.bat (0 bytes)

Registry activity

The process AdobeARMHelper.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B F7 25 BB 2A D8 2A ED B4 55 E7 27 21 04 BF FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Adobe\Adobe ARM\1.0\ARM]
"iCanExit" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Adobe\Adobe ARM\1.0\ARM]
"iCanExit"

The process AdobeARM.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 E4 54 1C 0C 30 C2 B2 A1 F8 7B 2E E7 C0 C0 59"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Adobe\Adobe ARM\1.0\ARM]
"iLastSvcSuccess"

[HKCU\Software\Adobe\Adobe ARM\1.0\ARM]
"iNotify"

The process lWEUMcgA.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 BC 61 80 4E 31 F4 E0 30 DA 93 90 63 61 E2 01"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"

The process UOYUAYsk.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 03 CE 55 94 EE 54 0C 54 8B D2 7B 0F ED 0A 0F"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"

The process uyoUsggM.exe:700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 84 10 4A CB 43 3F 95 3B 9B 40 A0 7A B9 09 C6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"

The process %original file name%.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 82 BB 80 50 8D E4 DA 16 18 F5 3C A2 21 B6 22"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe,"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"

Dropped PE files


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address (RVA, decimal)  Virtual Size (bytes)  Raw Size (bytes)  Entropy (bits/byte)  Section MD5
.text   4096                            1114112               1114112           5.19191              6ce628eeb2d5e2f25764d12b6e2f6600
.rdata  1118208                         8192                  10240             0.143865             049a9ea5d87c84662715ac687aebb74a
.data   1126400                         1425408               1425408           4.08022              00329234eb7678fa576d9b0dbb1e464f
.rsrc   2551808                         4608                  4608              3.32253              80dfbd00c9dcb8f55b3a54b44887762f
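As an added example (not part of the Lavasoft output), the following Python computes the Entropy column under its usual definition, byte-level Shannon entropy in bits per byte, and runs the kind of size and entropy checks a triage script would apply to the four sections above; the 7.0 and 1.0 thresholds are assumptions of this example. No section here reaches a high-entropy threshold (the largest is .text at 5.19), so an entropy rule on its own would not flag this binary; what stands out is .rdata, near-constant at 0.14 bits per byte with a raw size larger than its virtual size.

```python
"""Byte-level Shannon entropy and the section checks behind the table above.
Added example, not the analysis system's code; the 7.0/1.0 thresholds are assumptions."""
import math
from collections import Counter

# The four sections from the table above: (name, virtual address, virtual size,
# raw size, entropy). Values are the report's; only the checks below are added.
SECTIONS = [
    (".text", 4096, 1114112, 1114112, 5.19191),
    (".rdata", 1118208, 8192, 10240, 0.143865),
    (".data", 1126400, 1425408, 1425408, 4.08022),
    (".rsrc", 2551808, 4608, 4608, 3.32253),
]
HIGH_ENTROPY = 7.0  # assumed: compressed/encrypted data sits near 8 bits per byte
LOW_ENTROPY = 1.0   # assumed: near-constant bytes, typically zero padding

def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    total = len(data)
    s = -sum(c / total * math.log2(c / total) for c in Counter(data).values())
    return s if s else 0.0  # avoid returning -0.0 for a single-valued buffer

def section_flags(vsize, rawsize, entropy):
    """What a triage script would remark on for one section, as a list of strings."""
    flags = []
    if entropy >= HIGH_ENTROPY:
        flags.append("high entropy: packed or encrypted content")
    if entropy <= LOW_ENTROPY and rawsize:
        flags.append("near-constant bytes: mostly padding")
    if rawsize > vsize:
        flags.append("raw size exceeds virtual size: file bytes not mapped")
    if vsize > rawsize:
        flags.append("virtual size exceeds raw size: loader zero-fills the remainder")
    return flags

def flagged_sections(sections=SECTIONS):
    """Map section name -> flags, omitting sections with nothing to report."""
    return {name: f for name, _, vs, rs, e in sections if (f := section_flags(vs, rs, e))}

if __name__ == "__main__":
    for name, flags in flagged_sections().items():
        print(name, flags)
    # Constructed buffers standing in for section bodies (not the sample's bytes):
    print("zero-filled:", shannon_entropy(b"\x00" * 4096))
    print("uniform:", shannon_entropy(bytes(range(256)) * 16))
```

Run it as-is to see which of the four sections draws a remark; to verify a real section, read its raw bytes from the file at the section's raw offset and pass them to shannon_entropy().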

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://google.com/ 173.194.71.139


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    AdobeARMHelper.exe:1612
    AdobeARM.exe:396
    %original file name%.exe:1328

    Also end any process running from the dropped copies that steps 4 and 5 register for autorun (uyoUsggM.exe, UOYUAYsk.exe) and from lWEUMcgA.exe; process IDs differ from system to system.

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan (names ending in a doubled extension such as .bmp.exe or .EXE.exe are executables planted next to legitimate files of the same base name; the originals are not listed here and should be kept):

    %Documents and Settings%\%current user%\Local Settings\Temp\AdobeARM.log (503 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ArmUI.ini (185 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\xssa.exe (16191 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (16582 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\Zcgy.exe (16395 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (22336 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\IYMa.exe (16407 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\vEIK.exe (16371 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\FoUM.exe (16379 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\ooom.exe (16448 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\LkkC.exe (16350 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\WMUM.exe (14755 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\SgAU.exe (16730 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (15278 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (15799 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\XMkq.exe (15954 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\mAso.exe (46067 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\ooYS.exe (17396 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\ZUgu.exe (16354 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\SoUQ.exe (16379 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (45817 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\TckQ.exe (16436 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (15799 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\dwMs.exe (16330 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\PAgu.exe (17145 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\gQIu.exe (15332 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\loou.exe (16383 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (15799 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (15506 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (15278 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (16158 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\XwEy.exe (16428 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (15506 bytes)
    C:\totalcmd\TcUsbRun.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\WQQC.exe (23365 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\gQgA.exe (16399 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\MYsw.exe (15344 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\kYAS.exe (16424 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\sAwS.exe (14726 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\VkEQ.exe (16366 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\yIQI.exe (15938 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (15278 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (15799 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\sMQw.exe (16746 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\iAEs.exe (15035 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\CYMo.exe (18411 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\Qgoe.exe (16763 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\kIwY.exe (16061 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\NMcG.exe (16048 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\qswo.exe (16430 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\pkAi.exe (16387 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\BcMG.exe (16420 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (15506 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (15506 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (16582 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\BEAw.exe (16330 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\iQQC.exe (18379 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\zAAY.exe (16383 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (15799 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\HsYG.exe (15982 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (15506 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (15799 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\EgMy.exe (16407 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\jcwa.exe (18354 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\jcgI.exe (16444 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\wYUC.exe (16730 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\MwEM.exe (16015 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\Dkoy.exe (15828 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\Jgwg.exe (16403 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\JsoQ.exe (20152 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (15278 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\dsIw.exe (16391 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (15799 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\SQwk.exe (16379 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\eUgg.exe (17196 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\JYIQ.exe (16379 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\qwIk.exe (16350 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\UwEc.exe (17359 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\Dgco.exe (16925 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (16158 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\RIsI.exe (36846 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\nsMS.exe (14554 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\sEkA.exe (16081 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\foYI.exe (14742 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\HoEu.exe (17130 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\BMAO.exe (15974 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (17627 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (20504 bytes)
    %Documents and Settings%\All Users\KAYc.txt (55978 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\kwwY.exe (15950 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\vsYS.exe (15496 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (15506 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (15506 bytes)
    %Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe (14803 bytes)
    %Documents and Settings%\All Users\NSIsgYEw\lWEUMcgA.exe (14803 bytes)
    %Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe (14803 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AdobeARMHelper.exe (1634 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dWscgEwY.bat (4 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UOYUAYsk.exe" = "%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "uyoUsggM.exe" = "%Documents and Settings%\%current user%\YuogIoUc\uyoUsggM.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\AUUoUgAI\UOYUAYsk.exe,"

    Restore the value to "%System%\userinit.exe," (the default) with nothing else in the list. Edit the value rather than deleting it: without a UserInit entry Winlogon does not start the user's shell at the next logon.

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
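As an added example that is not part of the Lavasoft report, the following Python script checks a host against the indicators in steps 3 to 5 above: a subset of the dropped-file MD5s, the doubled-extension naming, the two Run values and the UserInit value. The scan roots, the 16 MiB file-size cap and the sample data in run_demo() are this example's own assumptions. Run it as Administrator on the affected machine; a hit confirms something to remove, an empty result does not prove the rest of the system clean.

```python
"""Host check for the persistence and dropped-file indicators listed above.
Added example, not Lavasoft's tooling: hashes, names and registry locations come
from the removal steps; scan roots, size cap and run_demo() data are assumptions."""
import hashlib
import ntpath
import os
import re

# MD5s copied from the dropped-file list above (a subset of the report's hashes).
KNOWN_MD5 = {"7d9d4b8991ab32f2b8dbe80a9eb55bab",   # NSIsgYEw\lWEUMcgA.exe
             "88f161f0976b37f3ff0edf9fffc93837",   # Temp\AdobeARMHelper.exe
             "d31a08baf3d00ba5ff327b7104d61a47",   # YuogIoUc\uyoUsggM.exe
             "eff7a5517bcaf9f1b31dbead37dfc5ea"}   # totalcmd\TOTALCMD.EXE.exe
# Binaries named in the Run keys and the UserInit value above (lower-cased).
PERSISTENCE_NAMES = {"uyousggm.exe", "uoyuaysk.exe", "lweumcga.exe"}
# Doubled extensions from the file list (psbwlogo.gif.exe, TOTALCMD.EXE.exe ...).
DOUBLE_EXT = re.compile(r"\.(gif|png|bmp|jpg|wma|pem|exe)\.exe$", re.IGNORECASE)
RUN_KEYS = (("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
            ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"))
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SCAN_ROOTS = (r"%ALLUSERSPROFILE%", r"%USERPROFILE%", r"C:\totalcmd", r"C:\Perl")
MAX_FILE = 16 * 1024 * 1024  # assumed cap; every dropped file above is under 60 KB

def is_double_extension(path):
    return DOUBLE_EXT.search(ntpath.basename(path)) is not None

def userinit_is_clean(value):
    """Comma-separated program list; clean = exactly one entry, system32\\userinit.exe."""
    entries = [p.strip().strip('"') for p in value.split(",") if p.strip()]
    if len(entries) != 1:
        return False
    directory, name = ntpath.split(entries[0])
    return name.lower() == "userinit.exe" and directory.lower().endswith("\\system32")

def suspicious_run_values(values):
    """values: {value name: command}; flag entries pointing at the dropped binaries."""
    return {name: cmd for name, cmd in values.items()
            if ntpath.basename(cmd.strip('"')).lower() in PERSISTENCE_NAMES
            or name.lower() in PERSISTENCE_NAMES}

def classify_file(path, data):
    """Reasons a file matches this report; an empty list means no indicator hit."""
    checks = ((hashlib.md5(data).hexdigest() in KNOWN_MD5, "md5 listed in report"),
              (is_double_extension(path), "doubled extension"),
              (ntpath.basename(path).lower() in PERSISTENCE_NAMES, "persistence binary name"))
    return [reason for hit, reason in checks if hit]

def assess(run_values_by_hive, userinit_value, files):
    """Pure check over {hive: {name: cmd}}, the UserInit string and (path, bytes) pairs."""
    return {"run": {h: suspicious_run_values(v) for h, v in run_values_by_hive.items()},
            "userinit_clean": userinit_is_clean(userinit_value),
            "files": {p: r for p, d in files if (r := classify_file(p, d))}}

def run_demo():
    """Constructed data shaped like steps 3 to 5 above; the bytes are not the real dropper."""
    runs = {"HKLM": {"UOYUAYsk.exe": r"C:\Documents and Settings\All Users\AUUoUgAI\UOYUAYsk.exe"},
            "HKCU": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}}
    userinit = (r"C:\WINDOWS\system32\userinit.exe,"
                r"C:\Documents and Settings\All Users\AUUoUgAI\UOYUAYsk.exe,")
    files = [(r"C:\totalcmd\TOTALCMD.EXE.exe", b"MZ" + b"\x90" * 64),
             (r"C:\totalcmd\TOTALCMD.EXE", b"MZ" + b"\x00" * 64)]
    return assess(runs, userinit, files)

def read_run_values(hive, subkey):
    """Enumerate one Run key on a live Windows host (winreg exists only there)."""
    import winreg
    out, index = {}, 0
    try:
        with winreg.OpenKey(hive, subkey) as key:
            while True:
                name, data, _ = winreg.EnumValue(key, index)
                out[name] = str(data)
                index += 1
    except OSError:  # key absent, or EnumValue ran off the end of the value list
        pass
    return out

def iter_files(roots):
    for root in roots:
        for directory, _, names in os.walk(os.path.expandvars(root)):
            for name in names:
                path = os.path.join(directory, name)
                try:
                    if os.path.getsize(path) <= MAX_FILE:
                        with open(path, "rb") as handle:
                            yield path, handle.read()
                except OSError:
                    continue

def scan_live():
    """Windows only: read the live registry and SCAN_ROOTS, then assess()."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    runs = {label: read_run_values(hives[label], sub) for label, sub in RUN_KEYS}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
        userinit = str(winreg.QueryValueEx(key, "UserInit")[0])
    return assess(runs, userinit, iter_files(SCAN_ROOTS))

if __name__ == "__main__":
    print(scan_live() if os.name == "nt" else run_demo())
```

On the 32-bit Windows XP host the report describes there is no WOW64 redirection, so the two Run keys above are the only ones to read; on a 64-bit host add the Wow6432Node variants. The checks are kept as pure functions so the same logic can be run offline over registry exports and a file copy collected from the machine.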
