Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 08575283f07432e26b260d64cc625090
SHA1: 70ddd1df57f47630328b4d9f029e1f5c78986706
SHA256: b531ee46014cd48be20bdcf477d18f01fb322fb766628a9875b9553fbcd37abc
SSDeep: 6144:te34pDRKRJ tyY2wstYDuUUjHPTDX kbIc0z:fE4tyftBSXz
Size: 264977 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
FlashPlayerUpdateService.exe:468
7z.exe:1452
okozodesktop.exe:2016
vcredist_x86.exe:376
mscorsvw.exe:1912
%original file name%.exe:588
OkozoDesktopInstaller.exe:596
install_flash_player.exe:1656
preinstaller.exe:1160
preinstaller.exe:1064
Setup.exe:1352
The Trojan injects its code into the following process(es):
okozodesktop.exe:464
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process FlashPlayerUpdateService.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\Adobe Flash Player Updater.job (830 bytes)
The process 7z.exe:1452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\Starry Night\Starry Night.swf (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\struct.xml (240 bytes)
The process okozodesktop.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-lines-ps3-125x125.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\vzO464.d (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\BGg464.d (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\light-speed-125x125.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\tRS464.d (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-spider-125x125.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-fish-125x125.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\tree-frog-125x125.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\dfl464.d (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\lm-white-125x125.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-dog-125x125.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\ycW464.d (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\AB-Multi-125x125.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\falling-leaves-125x125.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\live-fish-125x125.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Yys464.d (1682 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\server_struct.xml (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\xGg464.d (1382 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\glow-clock-bp-125x125.png (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\aem464.d (1772 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\fKw464.d (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\NlY464.d (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\ml-rainbow-125x125.png (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\3d-digital-clock-125x125.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\version.xml (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-background-red-125x125.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\interactive-ants-125x125.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\pqc464.d (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\iVe464.d (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\mm-grey-125x125.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\pink-speakers-125x125.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\mTs464.d (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-background-pb-125x125.png (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\ifX464.d (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\vcr464.d (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\aBowman-hamster-125x125.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\yVR464.d (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-turtles-125x125.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\logs\okozo-desktop-20140803-041052.464 (1644 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Dqn464.d (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\xCs464.d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\wxu464.d (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\currentwallpapers.ini (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\fnf464.d (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\PER464.d (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\joystick-car-125x125.png (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-penguins-125x125.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\nPR464.d (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\interactive-flies-125x125.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\world-sunlight-map-v2-125x125.png (10 bytes)
%Documents and Settings%\All Users\Application Data\boost_interprocess\20140803032607.187000\okozo_desktop_message_queue (2144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\PJk464.d (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Uhg464.d (16 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\currentwallpapers.ini.qHp464 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\version.xml (0 bytes)
The process okozodesktop.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\boost_interprocess\20140803032607.187000\okozo_desktop_message_queue (2144 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\local_struct.xml (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\logs\okozo-desktop-20140803-041052.2016 (1206 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\166\Starry Night.aesswf (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\Starry Night\Starry Night.aesswf (676 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\166\Starry Night.aesswf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\166 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\Starry Night\Starry Night.swf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\struct.xml (0 bytes)
The process vcredist_x86.exe:376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\327de45119f65652f4eba1 (4 bytes)
C:\327de45119f65652f4eba1\1031\SetupResources.dll (680 bytes)
C:\327de45119f65652f4eba1\SetupEngine.dll (12353 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate8.ico (894 bytes)
C:\327de45119f65652f4eba1\1041\eula.rtf (119 bytes)
C:\327de45119f65652f4eba1\Graphics\SysReqMet.ico (1 bytes)
C:\327de45119f65652f4eba1\1049\eula.rtf (471 bytes)
C:\327de45119f65652f4eba1\1042\eula.rtf (907 bytes)
C:\327de45119f65652f4eba1\1036\eula.rtf (8 bytes)
C:\327de45119f65652f4eba1\1028\LocalizedData.xml (514 bytes)
C:\327de45119f65652f4eba1\1031\eula.rtf (10 bytes)
C:\327de45119f65652f4eba1\header.bmp (7 bytes)
C:\327de45119f65652f4eba1\vc_red.cab (61610 bytes)
C:\327de45119f65652f4eba1\sqmapi.dll (2385 bytes)
C:\327de45119f65652f4eba1\1033\SetupResources.dll (16 bytes)
C:\327de45119f65652f4eba1\1040\SetupResources.dll (537 bytes)
C:\327de45119f65652f4eba1\2052\LocalizedData.xml (164 bytes)
C:\327de45119f65652f4eba1\watermark.bmp (6023 bytes)
C:\327de45119f65652f4eba1\1033\LocalizedData.xml (1591 bytes)
C:\327de45119f65652f4eba1\1042\SetupResources.dll (14 bytes)
C:\327de45119f65652f4eba1\vc_red.msi (2653 bytes)
C:\327de45119f65652f4eba1\DisplayIcon.ico (1877 bytes)
C:\327de45119f65652f4eba1\Graphics (4 bytes)
C:\327de45119f65652f4eba1\SetupUi.dll (4564 bytes)
C:\327de45119f65652f4eba1\$shtdwn$.req (788 bytes)
C:\327de45119f65652f4eba1\1049\SetupResources.dll (17 bytes)
C:\327de45119f65652f4eba1\1028\SetupResources.dll (396 bytes)
C:\327de45119f65652f4eba1\3082\eula.rtf (389 bytes)
C:\327de45119f65652f4eba1\1036\SetupResources.dll (736 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate5.ico (894 bytes)
C:\327de45119f65652f4eba1\1028\eula.rtf (16 bytes)
C:\327de45119f65652f4eba1\1040\eula.rtf (9 bytes)
C:\327de45119f65652f4eba1\UiInfo.xml (2006 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate2.ico (894 bytes)
C:\327de45119f65652f4eba1\2052\eula.rtf (16 bytes)
C:\327de45119f65652f4eba1\DHtmlHeader.html (16 bytes)
C:\327de45119f65652f4eba1\Graphics\Save.ico (79 bytes)
C:\327de45119f65652f4eba1\ParameterInfo.xml (200 bytes)
C:\327de45119f65652f4eba1\1031\LocalizedData.xml (199 bytes)
C:\327de45119f65652f4eba1\2052\SetupResources.dll (33 bytes)
C:\327de45119f65652f4eba1\3082\LocalizedData.xml (541 bytes)
C:\327de45119f65652f4eba1\1033\eula.rtf (7 bytes)
C:\327de45119f65652f4eba1\Strings.xml (14 bytes)
C:\327de45119f65652f4eba1\Graphics\Print.ico (1 bytes)
C:\327de45119f65652f4eba1\1040\LocalizedData.xml (568 bytes)
C:\327de45119f65652f4eba1\Setup.exe (932 bytes)
C:\327de45119f65652f4eba1\Graphics\Setup.ico (728 bytes)
C:\327de45119f65652f4eba1\Graphics\stop.ico (10 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate3.ico (894 bytes)
C:\327de45119f65652f4eba1\1036\LocalizedData.xml (255 bytes)
C:\327de45119f65652f4eba1\1041\LocalizedData.xml (670 bytes)
C:\327de45119f65652f4eba1\SetupUi.xsd (556 bytes)
C:\327de45119f65652f4eba1\1049\LocalizedData.xml (139 bytes)
C:\327de45119f65652f4eba1\Graphics\SysReqNotMet.ico (1 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate4.ico (894 bytes)
C:\327de45119f65652f4eba1\Graphics\warn.ico (10 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate7.ico (894 bytes)
C:\327de45119f65652f4eba1\1041\SetupResources.dll (15 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate1.ico (894 bytes)
C:\327de45119f65652f4eba1\1042\LocalizedData.xml (102 bytes)
C:\327de45119f65652f4eba1\3082\SetupResources.dll (41 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate6.ico (894 bytes)
C:\327de45119f65652f4eba1\SplashScreen.bmp (1049 bytes)
The Trojan deletes the following file(s):
C:\327de45119f65652f4eba1 (0 bytes)
C:\327de45119f65652f4eba1\1031\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\SetupEngine.dll (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate8.ico (0 bytes)
C:\327de45119f65652f4eba1\1041\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1033 (0 bytes)
C:\327de45119f65652f4eba1\2052 (0 bytes)
C:\327de45119f65652f4eba1\1031 (0 bytes)
C:\327de45119f65652f4eba1\1049\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1042\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1036\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\Graphics\SysReqMet.ico (0 bytes)
C:\327de45119f65652f4eba1\1031\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1028 (0 bytes)
C:\327de45119f65652f4eba1\header.bmp (0 bytes)
C:\327de45119f65652f4eba1\3082\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\sqmapi.dll (0 bytes)
C:\327de45119f65652f4eba1\1033\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\watermark.bmp (0 bytes)
C:\327de45119f65652f4eba1\1028\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Setup.ico (0 bytes)
C:\327de45119f65652f4eba1\1041\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate4.ico (0 bytes)
C:\_663500_ (0 bytes)
C:\327de45119f65652f4eba1\Setup.exe (0 bytes)
C:\327de45119f65652f4eba1\1042\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\vc_red.msi (0 bytes)
C:\327de45119f65652f4eba1\DisplayIcon.ico (0 bytes)
C:\327de45119f65652f4eba1\Graphics (0 bytes)
C:\327de45119f65652f4eba1\Strings.xml (0 bytes)
C:\327de45119f65652f4eba1\1049\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\3082\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1036\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate5.ico (0 bytes)
C:\327de45119f65652f4eba1\3082 (0 bytes)
C:\327de45119f65652f4eba1\1028\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1040\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\UiInfo.xml (0 bytes)
C:\327de45119f65652f4eba1\1040\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\1031\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\1036 (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Print.ico (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Save.ico (0 bytes)
C:\327de45119f65652f4eba1\ParameterInfo.xml (0 bytes)
C:\327de45119f65652f4eba1\2052\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\2052\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\vc_red.cab (0 bytes)
C:\327de45119f65652f4eba1\1033\eula.rtf (0 bytes)
C:\327de45119f65652f4eba1\1040\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\DHtmlHeader.html (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate2.ico (0 bytes)
C:\327de45119f65652f4eba1\SetupUi.dll (0 bytes)
C:\327de45119f65652f4eba1\2052\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\Graphics\stop.ico (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate3.ico (0 bytes)
C:\327de45119f65652f4eba1\1036\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\1028\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\SetupUi.xsd (0 bytes)
C:\327de45119f65652f4eba1\1049\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\Graphics\SysReqNotMet.ico (0 bytes)
C:\327de45119f65652f4eba1\1033\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\Graphics\warn.ico (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate7.ico (0 bytes)
C:\327de45119f65652f4eba1\1042 (0 bytes)
C:\327de45119f65652f4eba1\1040 (0 bytes)
C:\327de45119f65652f4eba1\1041\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\1049 (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate1.ico (0 bytes)
C:\327de45119f65652f4eba1\1041 (0 bytes)
C:\327de45119f65652f4eba1\1042\LocalizedData.xml (0 bytes)
C:\327de45119f65652f4eba1\3082\SetupResources.dll (0 bytes)
C:\327de45119f65652f4eba1\Graphics\Rotate6.ico (0 bytes)
C:\327de45119f65652f4eba1\SplashScreen.bmp (0 bytes)
The process %original file name%.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ip.xml (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\version.xml (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OkozoDesktopInstaller.exe (821835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tick.bmp (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp.okozo (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\country.xml (227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cross.bmp (630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\XML.dll (2005 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ip.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\version.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OkozoDesktopInstaller.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\temp.okozo (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\country.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\XML.dll (0 bytes)
The process OkozoDesktopInstaller.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\close.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\preinstaller.exe (5494 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\libglog.dll (3631 bytes)
%Documents and Settings%\%current user%\Desktop\Okozo Desktop.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Close Okozo Desktop.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\desk3DHook.dll (20685 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\server_struct.xml (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtWebKit4.dll (275351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\D3DX9_43.dll (50358 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtCore4.dll (50901 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.dll (28789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\server_struct[1].xml (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtGui4.dll (180886 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtNetwork4.dll (24858 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtXml4.dll (11311 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\crypter.dll (2800 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\Uninstall.exe (1334 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\iistaskpanel.dll (14083 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Okozo Desktop.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#Security\FlashPlayerTrust\okozodesktop.cfg (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe (3941 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktop.exe (24420 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\Okozo Intro\Okozo Intro.aesswf (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.exe (3688 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Uninstall Okozo Desktop.lnk (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\System.dll (0 bytes)
The process install_flash_player.exe:1656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\Macromed\Flash\FlashInstall.log (2 bytes)
%System%\Macromed\Flash\flashplayer.xpt (856 bytes)
%System%\FlashPlayerApp.exe (3772 bytes)
%System%\Macromed\Flash\plugin.vch (7972 bytes)
%System%\Macromed\Flash\FlashPlayerUpdateService.exe (262 bytes)
%System%\FlashPlayerCPLApp.cpl (71 bytes)
%System%\Macromed\Flash\NPSWF32_14_0_0_145.dll (126514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C3D5EAD4-A6E1-4DC3-BF9F-454636F414EB}\fpb.tmp (1793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{04C4385B-F9C4-48F6-B083-944072D1B708}\fpb.tmp (3924 bytes)
%System%\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe (3924 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{04C4385B-F9C4-48F6-B083-944072D1B708} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C3D5EAD4-A6E1-4DC3-BF9F-454636F414EB} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{C3D5EAD4-A6E1-4DC3-BF9F-454636F414EB}\fpb.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{04C4385B-F9C4-48F6-B083-944072D1B708}\fpb.tmp (0 bytes)
The process preinstaller.exe:1160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8D.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8D.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb8C.tmp (0 bytes)
The process preinstaller.exe:1064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\install_flash_player[1].exe (1232953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcredist_x86.exe (323259 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\UAC.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install_flash_player.exe (1232953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vcredist_x86[1].exe (323259 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg82.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\UAC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\System.dll (0 bytes)
The process Setup.exe:1352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup_20140803 (1172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Microsoft Visual C 2010 x86 Redistributable Setup_20140803_041032030.html (136546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Microsoft Visual C 2010 x86 Redistributable Setup_20140803_041032030-MSI_vc_red.msi.txt (152863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI88.tmp.html (26876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI85.tmp.html (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Setup_20140803_041031452.html (52962 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\HFI84.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI86.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI87.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI88.tmp.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI85.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HFI88.tmp (0 bytes)
Registry activity
The process FlashPlayerUpdateService.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 EC E0 0D 6F C6 92 C8 1B 9A B8 D9 0A 0F E3 D5"
[HKLM\SOFTWARE\Macromedia\FlashPlayer]
"LastUpdateCheck" = "Type: REG_QWORD, Length: 8"
"UpdateAttempts" = "0"
"CheckFrequency" = "1"
The process 7z.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C A9 8B 9F 22 AE 4E EB F9 C9 82 F7 2C 37 D4 EF"
The process okozodesktop.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 FD DE A8 90 BB 72 2D 52 A3 B1 11 E8 73 C3 A7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "okozodesktop.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process okozodesktop.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 1D 8A 98 98 5C DC 02 46 45 5E DB 1A 4A 7D 95"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "okozodesktop.exe"
The process vcredist_x86.exe:376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 2B 62 84 D3 77 39 43 6C F5 01 4D 6C 5A 39 2A"
The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"
The process %original file name%.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 E9 A0 2C D7 42 80 00 B5 0E B0 43 DB 8D 03 CA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk7F.tmp\XML.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop]
"okozodesktoplauncher.exe" = "okozodesktoplauncher"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process OkozoDesktopInstaller.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd1\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe wallpapers"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Classes\Directory\Background\shell\OkozoContext]
"ExtendedSubCommandsKey" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Classes\Okozo.Wall\shell]
"(Default)" = "open"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd2]
"MUIVerb" = "Exit"
[HKCU\Software\Classes\.okozo]
"(Default)" = "Okozo.Wall"
[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd1]
"Icon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\OkozoApp]
"AppGUID" = "{2290B09B-D2C9-C147-8E50-0C01669D41AD}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Okozo]
"Start Menu Folder" = "Okozo Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"NoRepair" = "1"
[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd2]
"Icon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe,5"
[HKCU\Software\Classes\Directory\Background\shell\OkozoContext]
"Icon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe,0"
"MUIVerb" = "Okozo Desktop"
[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd2\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe exit"
[HKCU\Software\Classes\Directory\Background\shell\OkozoContext]
"Position" = "bottom"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Classes\.okozo\Okozo.Wall\ShellNew]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"Publisher" = "Okozo"
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"DisplayVersion" = "3.0.2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 7E 94 73 4A F1 DE 9E FC 6B 06 49 1C 19 72 9A"
[HKCU\Software\Classes\Okozo.Wall\shell\open\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Classes\Okozo.Wall\shell\open]
"(Default)" = "&Open"
[HKCU\Software\Classes\DesktopBackground\OkozoContextMenus\shell\cmd1]
"MUIVerb" = "Wallpapers"
[HKCU\Software\Classes\.okozo]
"Progid" = "Okozo.Wall"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"Launchee" = "okozodesktop.exe"
"EstimatedSize" = "30962"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OkozoInstaller]
"DisplayName" = "Okozo Desktop"
"Launcher" = "okozodesktoplauncher.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\Directory\Background\shell\OkozoContext\command]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Classes\Okozo.Wall\DefaultIcon]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe,0"
The Trojan modifies IE settings for security zones to map all local web-nodes without dots that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Okozo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process install_flash_player.exe:1656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin]
"Version" = "14.0.0.145"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Description" = "Adobe® Flash® Player 14.0.0.145 Plugin"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerPlugin_14_0_0_145.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"ProductName" = "Adobe® Flash® Player 14.0.0.145 Plugin"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"vendor" = "Adobe Systems Incorporated"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"EstimatedSize" = "6144"
[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"XPTPath" = "%System%\Macromed\Flash\flashplayer.xpt"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"NoRepair" = "1"
[HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin]
"PlayerPath" = "%System%\Macromed\Flash\NPSWF32_14_0_0_145.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"URLInfoAbout" = "http://www.adobe.com"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_145_Plugin.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"RequiresIESysFile" = "4.70.0.1155"
"DisplayName" = "Adobe Flash Player 14 Plugin"
[HKCU\Software\Macromedia\FlashPlayer]
"FlashPlayerVersion" = "14.0.0.145~installVector=1"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "install_flash_player.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"DisplayIcon" = "%System%\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe"
[HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin]
"UninstallerPath" = "%System%\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe"
[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Version" = "14.0.0.145"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"HelpLink" = "http://www.adobe.com/go/flashplayer_support/"
"Publisher" = "Adobe Systems Incorporated"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 35 B5 CD 46 65 77 7F 3F BB 95 40 A9 C1 46 AE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"UninstallString" = "%System%\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe -maintain plugin"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_14_0_0_145_pepper.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\MozillaPlugins\@adobe.com/FlashPlayer]
"Path" = "%System%\Macromed\Flash\NPSWF32_14_0_0_145.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"DisplayVersion" = "14.0.0.145"
"NoModify" = "1"
"URLUpdateInfo" = "http://www.adobe.com/go/getflashplayer/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\{2CA4F306-B280-4ab2-B5E1-1DFA3583F046}\%System%]
"FlashPlayerCPLApp.cpl" = "10"
[HKLM\SOFTWARE\Macromedia\FlashPlayerPluginReleaseType]
"Release" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"VersionMajor" = "14"
[HKLM\SOFTWARE\Macromedia\FlashPlayerPlugin]
"isScriptDebugger" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]
"VersionMinor" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Macromedia\FlashPlayer]
"ConflictingProcs"
"RerunInUIMode"
The process preinstaller.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 B8 05 19 D4 46 9C 10 FB CA 96 F6 8A 5E 44 BE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process preinstaller.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE F5 28 2F C2 24 F4 B5 DF 7A AF 17 85 83 9A 90"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes without dots that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Setup.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 26 74 7C 6A EA 41 FD C7 2C D2 CB 82 27 B5 1B"
Dropped PE files
MD5 | File path |
---|---|
04ad4b80880b32c94be8d0886482c774 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.dll |
a51d90f2f9394f5ea0a3acae3bd2b219 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.exe |
86e39e9161c3d930d93822f1563c280d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\D3DX9_43.dll |
d61b9b5358e9fc3b22b4bce083aace92 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\QtCore4.dll |
7a2829da1f1f4112d984a13bc71b95f5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\QtGui4.dll |
91ecdb5de396a4a61cd1bbb974a8b00f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\QtNetwork4.dll |
c9d99a6276c39cbb3c4ce53a6b82dc61 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\QtWebKit4.dll |
aedf5459d4f0caa8600a6c6f80886927 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\QtXml4.dll |
99bcba3b01c9c4eb1710d65f95f57391 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\Uninstall.exe |
5bf5e85ff3133b887f68b8aca05f9686 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\crypter.dll |
515bf9c52032c51c187e202ef4a96485 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\desk3DHook.dll |
45b961a4e06118cf6752d02af46d52e7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\iistaskpanel.dll |
298c6bf1f7b7f6ea8a71a40efd8b1b35 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\libglog.dll |
05447e2379a4e99c045bc81bea396a99 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktop.exe |
6b3d35910ae5a3afb4bfdf807a3ea536 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe |
81fe82a562bc47c0c80d4ea44162a916 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Okozo\Okozo Desktop\preinstaller.exe |
668931e57a0d0a3c10225442d2672653 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\install_flash_player.exe |
42df1fbaa87567adf2b4050805a1a545 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk7F.tmp\XML.dll |
cede02d7af62449a2c38c49abecc0cd3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\vcredist_x86.exe |
668931e57a0d0a3c10225442d2672653 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\install_flash_player[1].exe |
cede02d7af62449a2c38c49abecc0cd3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vcredist_x86[1].exe |
1fc6060e2b7da45e4e9fb7f3e75adc0a | c:\Program Files\Common Files\Microsoft Shared\VC\msdia100.dll |
c8bc9a2dc599f1a52dc6b42fdd47b01e | c:\WINDOWS\system32\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe |
4390ccd3790f8d9c427c0c29590c62d7 | c:\WINDOWS\system32\Macromed\Flash\NPSWF32_14_0_0_145.dll |
00d2c06a552f782c1f16acf77db765a5 | c:\WINDOWS\system32\atl100.dll |
a807596cb3cb377a1a687c9734d67a37 | c:\WINDOWS\system32\mfc100.dll |
f7e75862299194c1b9103f7742ea7b25 | c:\WINDOWS\system32\mfc100chs.dll |
8280a96d8b44abbfe8a22f19eaf9ec0d | c:\WINDOWS\system32\mfc100cht.dll |
4af4b6e8a4d185b75122773562d25975 | c:\WINDOWS\system32\mfc100deu.dll |
f908fe45f8fe9e0d4cbe65f9ff5df6da | c:\WINDOWS\system32\mfc100enu.dll |
9328256796efad2ac9632fd9a76eed95 | c:\WINDOWS\system32\mfc100esn.dll |
ecaf994dbdde7409a4c2270cda8177a6 | c:\WINDOWS\system32\mfc100fra.dll |
d460f47453e2e186a981e1eb0dc7f6c9 | c:\WINDOWS\system32\mfc100ita.dll |
bf7b39a609b1c84a888158bbe6cadc3b | c:\WINDOWS\system32\mfc100jpn.dll |
17f28e88c2006eb6447fb31f25d7d937 | c:\WINDOWS\system32\mfc100kor.dll |
e25790e6e0612b621c8ea80206036672 | c:\WINDOWS\system32\mfc100rus.dll |
f32077df74efd435a1dcdf415e189df1 | c:\WINDOWS\system32\mfc100u.dll |
dfae4207ce3f2b3b88dabc6a7c73c450 | c:\WINDOWS\system32\mfcm100.dll |
0b6c9e162b102f7b819e61a80257ca92 | c:\WINDOWS\system32\mfcm100u.dll |
e3c817f7fe44cc870ecdbcbc3ea36132 | c:\WINDOWS\system32\msvcp100.dll |
bf38660a9125935658cfa3e53fdc7d65 | c:\WINDOWS\system32\msvcr100.dll |
a7e63d69f1d55a3662907ecd48b345ca | c:\WINDOWS\system32\vcomp100.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 237568 | 120912 | 121344 | 5.16132 | 8d7ba821362fd8e0bf9a56e9c6f17766 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 7
Network Activity
URLs
URL | IP |
---|---|
hxxp://a74.dscg10.akamai.net/version.xml | |
hxxp://okozo.com/wp-content/plugins/download-monitor/download.php?id=290 | |
hxxp://a74.dscg10.akamai.net/okozodesktop-3.0.2-x86.exe | |
hxxp://a74.dscg10.akamai.net/server_struct.xml | |
hxxp://a74.dscg10.akamai.net/vcredist_x86.exe | |
hxxp://a1363.g.akamai.net/pki/crl/products/tspca.crl | |
hxxp://e891.p.akamaiedge.net/pub/flashplayer/current/support/install_flash_player.exe | |
hxxp://checkip.dyndns.com/ | |
hxxp://api.ipinfodb.com/v3/ip-country/?key=82bb81cf4feda76515b25af41fbfd382a120c83c48d47e3b19d8ceb4a65e5642&format=xml&ip="%local server IP%" | |
hxxp://okozo.com/updates/software/installation.html?utm_source=okozodesktop-3.0.2&utm_medium=okozodesktop&utm_campaign=0 | |
hxxp://www-google-analytics.l.google.com/ga.js | |
hxxp://a82.dscg10.akamai.net/3d-digital-clock-125x125.png | |
hxxp://a82.dscg10.akamai.net/AB-Multi-125x125.png | |
hxxp://a82.dscg10.akamai.net/abstract-background-pb-125x125.png | |
hxxp://a82.dscg10.akamai.net/abstract-background-red-125x125.png | |
hxxp://a82.dscg10.akamai.net/abowman-dog-125x125.png | |
hxxp://a82.dscg10.akamai.net/abowman-fish-125x125.png | |
hxxp://a82.dscg10.akamai.net/aBowman-hamster-125x125.png | |
hxxp://a82.dscg10.akamai.net/abowman-penguins-125x125.png | |
hxxp://a82.dscg10.akamai.net/abowman-spider-125x125.png | |
hxxp://a82.dscg10.akamai.net/tree-frog-125x125.png | |
hxxp://a82.dscg10.akamai.net/abstract-lines-ps3-125x125.png | |
hxxp://a82.dscg10.akamai.net/falling-leaves-125x125.png | |
hxxp://a82.dscg10.akamai.net/glow-clock-bp-125x125.png | |
hxxp://a82.dscg10.akamai.net/interactive-ants-125x125.png | |
hxxp://a82.dscg10.akamai.net/interactive-flies-125x125.png | |
hxxp://a82.dscg10.akamai.net/joystick-car-125x125.png | |
hxxp://a82.dscg10.akamai.net/lm-white-125x125.png | |
hxxp://a82.dscg10.akamai.net/light-speed-125x125.png | |
hxxp://a82.dscg10.akamai.net/live-fish-125x125.png | |
hxxp://a82.dscg10.akamai.net/mm-grey-125x125.png | |
hxxp://a82.dscg10.akamai.net/ml-rainbow-125x125.png | |
hxxp://a82.dscg10.akamai.net/pink-speakers-125x125.png | |
hxxp://a82.dscg10.akamai.net/world-sunlight-map-v2-125x125.png | |
hxxp://a82.dscg10.akamai.net/abowman-turtles-125x125.png | |
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.3&utms=1&utmn=2046495618&utmhn=okozo.com&utmcs=ISO-8859-1&utmsr=1024x768&utmvp=640x480&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=14.0 r0&utmhid=1905301063&utmr=-&utmp=/updates/software/installation.html?utm_source=okozodesktop-3.0.2&utm_medium=okozodesktop&utm_campaign=0&utmht=1407028256140&utmac=UA-20094791-1&utmcc=__utma=149491368.505603269.1407028256.1407028256.1407028256.1;+__utmz=149491368.1407028256.1.1.utmcsr=okozodesktop-3.0.2|utmccn=0|utmcmd=okozodesktop;&utmu=q~ | |
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.5.3&utms=2&utmn=1764794223&utmhn=okozo.com&utmt=event&utme=5(Install*Wallpapers*InstallCore)&utmcs=ISO-8859-1&utmsr=1024x768&utmvp=640x480&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=14.0 r0&utmhid=1905301063&utmr=-&utmp=/updates/software/installation.html?utm_source=okozodesktop-3.0.2&utm_medium=okozodesktop&utm_campaign=0&utmht=1407028256150&utmac=UA-20094791-1&utmcc=__utma=149491368.505603269.1407028256.1407028256.1407028256.1;+__utmz=149491368.1407028256.1.1.utmcsr=okozodesktop-3.0.2|utmccn=0|utmcmd=okozodesktop;&utmu=6~ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
H;X5W]s.YSok.rSejf@z[Yr2XxX3}Tx~h-*Q9M!37H$GYW^5</pre><pre>wallpaperinstaller.cpp</pre><pre>Animation id is not a number in struct.xml</pre><pre>Animation name is empty in struct.xml</pre><pre>Could not read the installed animation data from struct.xml</pre><pre>struct.xml</pre><pre>Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag</pre><pre>boost thread: trying joining itself</pre><pre>crypter.dll</pre><pre>?keyPressEvent@iisIconLabel@@MAEXPAVQKeyEvent@@@Z</pre><pre>iistaskpanel.dll</pre><pre>??0QNetworkRequest@@QAE@ABVQUrl@@@Z</pre><pre>?metaData@QNetworkDiskCache@@UAE?AVQNetworkCacheMetaData@@ABVQUrl@@@Z</pre><pre>?data@QNetworkDiskCache@@UAEPAVQIODevice@@ABVQUrl@@@Z</pre><pre>?remove@QNetworkDiskCache@@UAE_NABVQUrl@@@Z</pre><pre>?url@QNetworkReply@@QBE?AVQUrl@@XZ</pre><pre>QtNetwork4.dll</pre><pre>?load@QWebView@@QAEXABVQUrl@@@Z</pre><pre>?setAttribute@QWebSettings@@QAEXW4WebAttribute@1@_N@Z</pre><pre>?settings@QWebView@@QBEPAVQWebSettings@@XZ</pre><pre>??0QWebView@@QAE@PAVQWidget@@@Z</pre><pre>?metaObject@QWebView@@UBEPBUQMetaObject@@XZ</pre><pre>?qt_metacast@QWebView@@UAEPAXPBD@Z</pre><pre>?qt_metacall@QWebView@@UAEHW4Call@QMetaObject@@HPAPAX@Z</pre><pre>?event@QWebView@@UAE_NPAVQEvent@@@Z</pre><pre>?sizeHint@QWebView@@UBE?AVQSize@@XZ</pre><pre>?mousePressEvent@QWebView@@MAEXPAVQMouseEvent@@@Z</pre><pre>?mouseReleaseEvent@QWebView@@MAEXPAVQMouseEvent@@@Z</pre><pre>?mouseDoubleClickEvent@QWebView@@MAEXPAVQMouseEvent@@@Z</pre><pre>?mouseMoveEvent@QWebView@@MAEXPAVQMouseEvent@@@Z</pre><pre>?wheelEvent@QWebView@@MAEXPAVQWheelEvent@@@Z</pre><pre>?keyPressEvent@QWebView@@MAEXPAVQKeyEvent@@@Z</pre><pre>?keyReleaseEvent@QWebView@@MAEXPAVQKeyEvent@@@Z</pre><pre>?focusInEvent@QWebView@@MAEXPAVQFocusEvent@@@Z</pre><pre>?focusOutEvent@QWebView@@MAEXPAVQFocusEvent@@@Z</pre><pre>?paintEvent@QWebView@@MAEXPAVQPaintEvent@@@Z</pre><pre>?resizeEvent@QWebView@@MAEXPAVQResizeEvent@@@Z</pre><pre>?contextMenuEvent@QWebView@@MAEXPAVQContextMenuEvent@@@Z</pre><pre>?dragEnterEven
t@QWebView@@MAEXPAVQDragEnterEvent@@@Z</pre><pre>?dragMoveEvent@QWebView@@MAEXPAVQDragMoveEvent@@@Z</pre><pre>?dragLeaveEvent@QWebView@@MAEXPAVQDragLeaveEvent@@@Z</pre><pre>?dropEvent@QWebView@@MAEXPAVQDropEvent@@@Z</pre><pre>?changeEvent@QWebView@@MAEXPAVQEvent@@@Z</pre><pre>?inputMethodEvent@QWebView@@MAEXPAVQInputMethodEvent@@@Z</pre><pre>?inputMethodQuery@QWebView@@UBE?AVQVariant@@W4InputMethodQuery@Qt@@@Z</pre><pre>?focusNextPrevChild@QWebView@@MAE_N_N@Z</pre><pre>?createWindow@QWebView@@MAEPAV1@W4WebWindowType@QWebPage@@@Z</pre><pre>??1QWebView@@UAE@XZ</pre><pre>?networkAccessManager@QWebPage@@QBEPAVQNetworkAccessManager@@XZ</pre><pre>?page@QWebView@@QBEPAVQWebPage@@XZ</pre><pre>QtWebKit4.dll</pre><pre>;?winEvent@QWidget@@MAE_NPAUtagMSG@@PAJ@Z</pre><pre>?keyPressEvent@QPushButton@@MAEXPAVQKeyEvent@@@Z</pre><pre>?keyReleaseEvent@QAbstractButton@@MAEXPAVQKeyEvent@@@Z</pre><pre>?keyPressEvent@QLabel@@MAEXPAVQKeyEvent@@@Z</pre><pre>?keyReleaseEvent@QWidget@@MAEXPAVQKeyEvent@@@Z</pre><pre>?keyPressEvent@QComboBox@@MAEXPAVQKeyEvent@@@Z</pre><pre>?keyReleaseEvent@QComboBox@@MAEXPAVQKeyEvent@@@Z</pre><pre>?keyPressEvent@QWidget@@MAEXPAVQKeyEvent@@@Z</pre><pre>?keyPressEvent@QLineEdit@@MAEXPAVQKeyEvent@@@Z</pre><pre>?exec@QApplication@@SAHXZ</pre><pre>!?openUrl@QDesktopServices@@SA_NABVQUrl@@@Z</pre><pre>?keyPressEvent@QAbstractScrollArea@@MAEXPAVQKeyEvent@@@Z</pre><pre>2;?viewportEvent@QAbstractScrollArea@@MAE_NPAVQEvent@@@Z</pre><pre>j1?setWindowState@QWidget@@QAEXV?$QFlags@W4WindowState@Qt@@@@@Z</pre><pre>??1QKeySequence@@QAE@XZ</pre><pre>?addAction@QMenu@@QAEPAVQAction@@ABVQString@@PBVQObject@@PBDABVQKeySequence@@@Z</pre><pre>??0QKeySequence@@QAE@W4StandardKey@0@@Z</pre><pre>?keyPressEvent@QMenu@@MAEXPAVQKeyEvent@@@Z</pre><pre>?keyPressEvent@QAbstractButton@@MAEXPAVQKeyEvent@@@Z</pre><pre>?keyPressEvent@QDialog@@MAEXPAVQKeyEvent@@@Z</pre><pre>??0QPen@@QAE@ABVQBrush@@NW4PenStyle@Qt@@W4PenCapStyle@3@W4PenJoinStyle@3@@Z</pre><pre>QtGui4.dll</pre><pre>?winEventFilter@Q
CoreApplication@@UAE_NPAUtagMSG@@PAJ@Z</pre><pre>??1QUrl@@QAE@XZ</pre><pre>??0QUrl@@QAE@ABVQString@@@Z</pre><pre>?toString@QUrl@@QBE?AVQString@@V?$QFlags@W4FormattingOption@QUrl@@@@@Z</pre><pre>?hasShrunk@QHashData@@QAEXXZ</pre><pre>?setUrl@QUrl@@QAEXABVQString@@@Z</pre><pre>?resolved@QUrl@@QBE?AV1@ABV1@@Z</pre><pre>?toUrl@QVariant@@QBE?AVQUrl@@XZ</pre><pre>?toEncoded@QUrl@@QBE?AVQByteArray@@V?$QFlags@W4FormattingOption@QUrl@@@@@Z</pre><pre>?QStringList_join@QtPrivate@@YA?AVQString@@PBVQStringList@@ABV2@@Z</pre><pre>?windowsVersion@QSysInfo@@SA?AW4WinVersion@1@XZ</pre><pre>?path@QUrl@@QBE?AVQString@@XZ</pre><pre>??0QUrl@@QAE@ABV0@@Z</pre><pre>?childKeys@QSettings@@QBE?AVQStringList@@XZ</pre><pre>QtCore4.dll</pre><pre>desk3DHook.dll</pre><pre>libglog.dll</pre><pre>GetProcessHeap</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExW</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteExW</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>MSVCP100.dll</pre><pre>MSVCR100.dll</pre><pre>_amsg_exit</pre><pre>_acmdln</pre><pre>_crt_debugger_hook</pre><pre>.?AUwindows_bootstamp@ipcdetail@interprocess@boost@@</pre><pre>.?AVQWebView@@</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></pre><pre><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" publicKeyToken="6595b64144ccf1df" language="*" processorArchitecture="*"></assemblyIdentity></pre><pre>6i6D6_6p6</pre><pre>:":(:/:@:[:</pre><pre>7 8:8@8{8</pre><pre>6 6$6(6,6064686<6><pre>? ?$?(?,?0?4?8?<?php</pre><pre>0 0$0(0,0004080<0@0</pre><pre>? 
?$?(?,?0?4?</pre><pre>2 2$2(2,20242</pre><pre>> >(>0>8></pre><pre>=$=,=8=\=|=</pre><pre>Win32_OperatingSystem</pre><pre>http://www.paratype.ru</pre><pre>%&%6%F%V%</pre><pre>#$%&'()* ,-./0123456789:;<=</pre><pre>%-%-%-%-</pre><pre>*" #($,$</pre><pre>''-''- -('/'' '''')-</pre><pre>*,-,-,-&*</pre><pre>,-,-,-,-</pre><pre>Okozo_Logo.png</pre><pre>gsettingsicon.png</pre><pre>helpbutton.png</pre><pre>PT_Sans.ttf</pre><pre>monitorbutton.png</pre><pre>'searchbuttonicon.png</pre><pre>mainwindowicon.png</pre><pre>styles.qss</pre><pre>'heart.png</pre><pre>tick.png</pre><pre>okozo_small_logo.png</pre><pre>settingsbutton.png</pre><pre>Gsortbybutton.png</pre><pre>eLocal\{ADBB3568-7F3C-11E1-B580-840D4824019C}</pre></div><div class="blog_tab" id="tab3"><p><strong class="font_20"><span style="font-size:medium;">Remove it with Ad-Aware</span></strong></p><ol><li>Click (<a href="http://lavasoft.com/thankyou.php?internal=true&inter=encyclopedia"><span style="color: #0000ff;">here</span></a>) to download and install Ad-Aware Free Antivirus.</li><li>Update the definition files.</li><li>Run a full scan of your computer.</li></ol><p><strong class="font_20"><span style="font-size:medium;">Manual removal*</span></strong></p><ol><li>Terminate malicious process(es) (<a href="http://www.lavasoft.com/mylavasoft/malware-removal-support/blog/how-to-end-a-process-with-the-task-manager"><span style="color: #0000ff;">How to End a Process With the Task Manager</span></a>):<p style="padding-left: 30px; font-size: x-small; color: #ff0000;">FlashPlayerUpdateService.exe:468<br>7z.exe:1452<br>okozodesktop.exe:2016<br>vcredist_x86.exe:376<br>mscorsvw.exe:1912<br>%original file name%.exe:588<br>OkozoDesktopInstaller.exe:596<br>install_flash_player.exe:1656<br>preinstaller.exe:1160<br>preinstaller.exe:1064<br>Setup.exe:1352<br></p></li><li>Delete the original Trojan file.<br></li><li>Delete or disinfect the following files created/modified by the Trojan:<p style="padding-left: 30px; font-size: x-small; color: 
#ff0000;">%WinDir%\Tasks\Adobe Flash Player Updater.job (830 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\Starry Night\Starry Night.swf (13 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\struct.xml (240 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-lines-ps3-125x125.png (4 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\vzO464.d (11 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\BGg464.d (3 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\light-speed-125x125.png (2 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\tRS464.d (10 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-spider-125x125.png (4 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-fish-125x125.png (5 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\tree-frog-125x125.png (6 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\dfl464.d (296 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\lm-white-125x125.png (7 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-dog-125x125.png (6 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\ycW464.d (8 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo 
Desktop\images\AB-Multi-125x125.png (25 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\falling-leaves-125x125.png (9 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\live-fish-125x125.png (13 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Yys464.d (1682 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\server_struct.xml (95 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\xGg464.d (1382 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\glow-clock-bp-125x125.png (10 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\aem464.d (1772 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\fKw464.d (4 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\NlY464.d (6 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\ml-rainbow-125x125.png (37 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\3d-digital-clock-125x125.png (4 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\version.xml (256 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-background-red-125x125.png (15 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\interactive-ants-125x125.png (9 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\pqc464.d (5 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application 
Data\cache\prepared\iVe464.d (11 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\mm-grey-125x125.png (2 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\pink-speakers-125x125.png (7 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\mTs464.d (3 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abstract-background-pb-125x125.png (38 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\ifX464.d (5 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\vcr464.d (5 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\aBowman-hamster-125x125.png (8 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\yVR464.d (14 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-turtles-125x125.png (5 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\logs\okozo-desktop-20140803-041052.464 (1644 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Dqn464.d (6 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\xCs464.d (9 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\wxu464.d (5 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\currentwallpapers.ini (16 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\fnf464.d (9 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\PER464.d (10 
bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\joystick-car-125x125.png (23 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\abowman-penguins-125x125.png (2 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\nPR464.d (2 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\interactive-flies-125x125.png (9 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\images\world-sunlight-map-v2-125x125.png (10 bytes)<br>%Documents and Settings%\All Users\Application Data\boost_interprocess\20140803032607.187000\okozo_desktop_message_queue (2144 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\PJk464.d (8 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\cache\prepared\Uhg464.d (16 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\local_struct.xml (707 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\logs\okozo-desktop-20140803-041052.2016 (1206 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\166\Starry Night.aesswf (13 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\Okozo\{c56081c1-8a07-4c1e-a477-5386c901b706}\Animations\Starry Night\Starry Night.aesswf (676 bytes)<br>C:\327de45119f65652f4eba1 (4 bytes)<br>C:\327de45119f65652f4eba1\1031\SetupResources.dll (680 bytes)<br>C:\327de45119f65652f4eba1\SetupEngine.dll (12353 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Rotate8.ico (894 bytes)<br>C:\327de45119f65652f4eba1\1041\eula.rtf (119 bytes)<br>C:\327de45119f65652f4eba1\Graphics\SysReqMet.ico (1 
bytes)<br>C:\327de45119f65652f4eba1\1049\eula.rtf (471 bytes)<br>C:\327de45119f65652f4eba1\1042\eula.rtf (907 bytes)<br>C:\327de45119f65652f4eba1\1036\eula.rtf (8 bytes)<br>C:\327de45119f65652f4eba1\1028\LocalizedData.xml (514 bytes)<br>C:\327de45119f65652f4eba1\1031\eula.rtf (10 bytes)<br>C:\327de45119f65652f4eba1\header.bmp (7 bytes)<br>C:\327de45119f65652f4eba1\vc_red.cab (61610 bytes)<br>C:\327de45119f65652f4eba1\sqmapi.dll (2385 bytes)<br>C:\327de45119f65652f4eba1\1033\SetupResources.dll (16 bytes)<br>C:\327de45119f65652f4eba1\1040\SetupResources.dll (537 bytes)<br>C:\327de45119f65652f4eba1\2052\LocalizedData.xml (164 bytes)<br>C:\327de45119f65652f4eba1\watermark.bmp (6023 bytes)<br>C:\327de45119f65652f4eba1\1033\LocalizedData.xml (1591 bytes)<br>C:\327de45119f65652f4eba1\1042\SetupResources.dll (14 bytes)<br>C:\327de45119f65652f4eba1\vc_red.msi (2653 bytes)<br>C:\327de45119f65652f4eba1\DisplayIcon.ico (1877 bytes)<br>C:\327de45119f65652f4eba1\SetupUi.dll (4564 bytes)<br>C:\327de45119f65652f4eba1\$shtdwn$.req (788 bytes)<br>C:\327de45119f65652f4eba1\1049\SetupResources.dll (17 bytes)<br>C:\327de45119f65652f4eba1\1028\SetupResources.dll (396 bytes)<br>C:\327de45119f65652f4eba1\3082\eula.rtf (389 bytes)<br>C:\327de45119f65652f4eba1\1036\SetupResources.dll (736 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Rotate5.ico (894 bytes)<br>C:\327de45119f65652f4eba1\1028\eula.rtf (16 bytes)<br>C:\327de45119f65652f4eba1\1040\eula.rtf (9 bytes)<br>C:\327de45119f65652f4eba1\UiInfo.xml (2006 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Rotate2.ico (894 bytes)<br>C:\327de45119f65652f4eba1\2052\eula.rtf (16 bytes)<br>C:\327de45119f65652f4eba1\DHtmlHeader.html (16 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Save.ico (79 bytes)<br>C:\327de45119f65652f4eba1\ParameterInfo.xml (200 bytes)<br>C:\327de45119f65652f4eba1\1031\LocalizedData.xml (199 bytes)<br>C:\327de45119f65652f4eba1\2052\SetupResources.dll (33 bytes)<br>C:\327de45119f65652f4eba1\3082\LocalizedData.xml (541 
bytes)<br>C:\327de45119f65652f4eba1\1033\eula.rtf (7 bytes)<br>C:\327de45119f65652f4eba1\Strings.xml (14 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Print.ico (1 bytes)<br>C:\327de45119f65652f4eba1\1040\LocalizedData.xml (568 bytes)<br>C:\327de45119f65652f4eba1\Setup.exe (932 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Setup.ico (728 bytes)<br>C:\327de45119f65652f4eba1\Graphics\stop.ico (10 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Rotate3.ico (894 bytes)<br>C:\327de45119f65652f4eba1\1036\LocalizedData.xml (255 bytes)<br>C:\327de45119f65652f4eba1\1041\LocalizedData.xml (670 bytes)<br>C:\327de45119f65652f4eba1\SetupUi.xsd (556 bytes)<br>C:\327de45119f65652f4eba1\1049\LocalizedData.xml (139 bytes)<br>C:\327de45119f65652f4eba1\Graphics\SysReqNotMet.ico (1 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Rotate4.ico (894 bytes)<br>C:\327de45119f65652f4eba1\Graphics\warn.ico (10 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Rotate7.ico (894 bytes)<br>C:\327de45119f65652f4eba1\1041\SetupResources.dll (15 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Rotate1.ico (894 bytes)<br>C:\327de45119f65652f4eba1\1042\LocalizedData.xml (102 bytes)<br>C:\327de45119f65652f4eba1\3082\SetupResources.dll (41 bytes)<br>C:\327de45119f65652f4eba1\Graphics\Rotate6.ico (894 bytes)<br>C:\327de45119f65652f4eba1\SplashScreen.bmp (1049 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\ip.xml (105 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\NSISdl.dll (14 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\version.xml (256 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\OkozoDesktopInstaller.exe (821835 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\Tick.bmp (774 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\temp.okozo (14 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\country.xml (227 bytes)<br>%Documents and Settings%\%current 
user%\Local Settings\Temp\Cross.bmp (630 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\System.dll (11 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsk7F.tmp\XML.dll (2005 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\close.ico (15 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\preinstaller.exe (5494 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\libglog.dll (3631 bytes)<br>%Documents and Settings%\%current user%\Desktop\Okozo Desktop.lnk (1 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\System.dll (11 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)<br>%Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Close Okozo Desktop.lnk (2 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\desk3DHook.dll (20685 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtWebKit4.dll (275351 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsr81.tmp\inetc.dll (20 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\D3DX9_43.dll (50358 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtCore4.dll (50901 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.dll (28789 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\server_struct[1].xml (6984 bytes)<br>%Documents and 
Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtGui4.dll (180886 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtNetwork4.dll (24858 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\QtXml4.dll (11311 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\crypter.dll (2800 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\Uninstall.exe (1334 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\iistaskpanel.dll (14083 bytes)<br>%Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Okozo Desktop.lnk (1 bytes)<br>%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#Security\FlashPlayerTrust\okozodesktop.cfg (80 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe (3941 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktop.exe (24420 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Animations\Okozo Intro\Okozo Intro.aesswf (2104 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\7z\7z.exe (3688 bytes)<br>%Documents and Settings%\%current user%\Start Menu\Programs\Okozo Desktop\Uninstall Okozo Desktop.lnk (1 bytes)<br>%System%\Macromed\Flash\FlashInstall.log (2 bytes)<br>%System%\Macromed\Flash\flashplayer.xpt (856 bytes)<br>%System%\FlashPlayerApp.exe (3772 bytes)<br>%System%\Macromed\Flash\plugin.vch (7972 bytes)<br>%System%\Macromed\Flash\FlashPlayerUpdateService.exe (262 bytes)<br>%System%\FlashPlayerCPLApp.cpl (71 bytes)<br>%System%\Macromed\Flash\NPSWF32_14_0_0_145.dll (126514 bytes)<br>%Documents and 
Settings%\%current user%\Local Settings\Temp\{C3D5EAD4-A6E1-4DC3-BF9F-454636F414EB}\fpb.tmp (1793 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\{04C4385B-F9C4-48F6-B083-944072D1B708}\fpb.tmp (3924 bytes)<br>%System%\Macromed\Flash\FlashUtil32_14_0_0_145_Plugin.exe (3924 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsr8D.tmp\System.dll (11 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\install_flash_player[1].exe (1232953 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\System.dll (11 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\vcredist_x86.exe (323259 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\UAC.dll (13 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\install_flash_player.exe (1232953 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\nsl83.tmp\inetc.dll (20 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vcredist_x86[1].exe (323259 bytes)<br>%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)<br>%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)<br>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup_20140803 (1172 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\Microsoft Visual C 2010 x86 Redistributable Setup_20140803_041032030.html (136546 bytes)<br>%Documents and Settings%\%current user%\Local 
Settings\Temp\Microsoft Visual C 2010 x86 Redistributable Setup_20140803_041032030-MSI_vc_red.msi.txt (152863 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\HFI88.tmp.html (26876 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\HFI85.tmp.html (22 bytes)<br>%Documents and Settings%\%current user%\Local Settings\Temp\Setup_20140803_041031452.html (52962 bytes)</p></li><li>Delete the following value(s) in the autorun key (<a href="http://www.lavasoft.com/mylavasoft/malware-removal-support/blog/how-to-work-with-the-system-registry"><span style="color: #0000ff;">How to Work with System Registry</span></a>):<p style="padding-left: 30px; font-size: x-small; color: #ff0000;">[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]<br>"Okozo" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Okozo\Okozo Desktop\okozodesktoplauncher.exe"</p></li><li>Clean the Temporary Internet Files folder, which may contain infected files (<a href="http://www.lavasoft.com/mylavasoft/malware-removal-support/blog/how-to-clean-the-temporary-internet-files-folder"><span style="color: #0000ff;">How to clean Temporary Internet Files folder</span></a>).<br></li><li>Reboot the computer.<br></li></ol>*Manual removal may cause unexpected system behaviour and should be performed at your own risk.</div></div>