Skip to main content

Backdoor.Win32.PcClient_51af40e6f7


Trojan-Dropper.Win32.Sysn.ycg (Kaspersky), Backdoor.Win32.PcClient.FD, Trojan.Win32.Swrort.3.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 51af40e6f7e68dd62f9ca474831f010d

SHA1: 8b94c6a043e4ef3adc4a4c2df345fe6267479bcf

SHA256: 4db73c8742ef2f8ba15cbe2e835b90d4c6e90d0a196bf739f6ce77f43ac23d62

SSDeep: 24576:z8ydwqiycH2hmaDpurWf2kePZhzt2fdUVy/Pkhlz jqK0zp9dZwTSs7IwTiU/iAv:pSyc2or9zhhzt9IXkhAO9dZQSeI6/D

Size: 1535488 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2013-02-17 09:00:50

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

rundll32.exe:1756
%original file name%.exe:1568

The Backdoor injects its code into the following process(es):

Setup.exe:504

File activity

The process Setup.exe:504 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (338 bytes)
%Documents and Settings%\%current user%\Application Data\BitTorrent\settings.dat.new (69 bytes)
%Documents and Settings%\%current user%\Application Data\BitTorrent\toolbar.benc.new (65 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\dll_optimizerpro[1].jpg (2409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt9.tmp.new (66 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BunndleOfferManager.dll (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\offers[1].json (2888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\BitTorrent\toolbar_offer.benc (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Bunndle\Bunndle.log (1989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt1.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Bunndle\BunndleOfferManager-B70F552C-5BCA-4F12-B55A-E90B05EFF175.dll (25104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\i_temp.temp (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\impression[1].png (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\impression[1].png (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt8.tmp.new (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\idlimage.temp (292 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\offconfig.temp (2135 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab2.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ADKAppsOfferManager.dll (102 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\9d1627c087e30ee6fe8c9cce3c77e841_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (109 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt1.tmp.27534.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt9.tmp.27587.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\impression[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\idlimage.temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\offers[1].json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\i_temp.temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\impression[1].png (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\offconfig.temp (0 bytes)

The process %original file name%.exe:1568 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PROTEG~1.EXE (8211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Setup.exe (17426 bytes)

Registry activity

The process Setup.exe:504 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCR\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "8862592471"

[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\1]
"(Default)" = "131473"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus]
"(Default)" = "0"

[HKCR\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib]
"(Default)" = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"

[HKCR\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\BunndleOfferManager.dll"

[HKCR\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\VersionIndependentProgID]
"(Default)" = "Bunndle.BunndleOfferManager"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\BitTorrent\BitTorrent]
"OfferAccepted" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\TypeLib]
"(Default)" = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"

[HKCR\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}]
"(Default)" = "IInstallScriptHelper"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Bunndle.BunndleOfferManager]
"(Default)" = "BunndleOfferManager Class"

[HKCR\Bunndle.BunndleOfferManager.1]
"(Default)" = "BunndleOfferManager Class"

[HKCR\Bunndle.BunndleOfferManager.1\CLSID]
"(Default)" = "{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}"

[HKCU\Software\BitTorrent\BitTorrent]
"OfferProvider" = ""

[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\InprocServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\BunndleOfferManager.dll"

[HKCR\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}]
"(Default)" = "IBunndleOfferManager2"

[HKCR\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}]
"AppId" = "{2C9E6EB4-45BD-4855-A0C2-4614D4C49DBA}"

[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}]
"(Default)" = "BunndleOfferManager Class"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 12 84 EE 4D A9 BC 54 77 C9 78 FF 0A 82 9E 45"

[HKCR\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib]
"(Default)" = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 63 66 4B 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCR\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib]
"(Default)" = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}]
"(Default)" = "IBunndleOfferManager"

[HKCR\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0]
"(Default)" = "BunndleOfferManager 1.0 Type Library"

[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\ProgID]
"(Default)" = "Bunndle.BunndleOfferManager.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\BitTorrent\BitTorrent]
"OfferViaCAU" = "0"

[HKCU\Software\BitTorrent\BitTorrent]
"OfferName" = ""

[HKCR\Bunndle.BunndleOfferManager\CurVer]
"(Default)" = "Bunndle.BunndleOfferManager.1"

[HKCR\Bunndle.BunndleOfferManager\CLSID]
"(Default)" = "{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}"

[HKCR\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"

The process rundll32.exe:1756 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 9C A3 78 9A EF 0A C7 7B 01 BB 0E 31 BD 8A 2C"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 91 DE 06 25"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"

The process %original file name%.exe:1568 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE B2 48 7C FF 48 A3 E8 18 98 26 87 6F DB 2C 7A"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

Network activity (URLs)

URL IP
hxxp://67.215.246.204/updatestats.php?cl=BitTorrent&v=251884864&h=NvuqiU4fXS7mHeKm&k=&ip=2&dns=31&con=31&dl=484&dlurl=http://ll.download3.utorrent.com/offers/bt-conduit-20130311.bmp&svp=4&pid=504&sz=66022&bin=bmp


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    rundll32.exe:1756
    %original file name%.exe:1568

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (338 bytes)
    %Documents and Settings%\%current user%\Application Data\BitTorrent\settings.dat.new (69 bytes)
    %Documents and Settings%\%current user%\Application Data\BitTorrent\toolbar.benc.new (65 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\dll_optimizerpro[1].jpg (2409 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\utt9.tmp.new (66 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BunndleOfferManager.dll (136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\offers[1].json (2888 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Application Data\BitTorrent\toolbar_offer.benc (4 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Bunndle\Bunndle.log (1989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\utt1.tmp.new (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Bunndle\BunndleOfferManager-B70F552C-5BCA-4F12-B55A-E90B05EFF175.dll (25104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\i_temp.temp (218 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\impression[1].png (109 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\impression[1].png (109 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\utt8.tmp.new (65 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar3.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\idlimage.temp (292 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (169 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\offconfig.temp (2135 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab2.tmp (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ADKAppsOfferManager.dll (102 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\9d1627c087e30ee6fe8c9cce3c77e841_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (109 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PROTEG~1.EXE (8211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Setup.exe (17426 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps