Trojan-Dropper.Win32.Sysn.ycg (Kaspersky), Backdoor.Win32.PcClient.FD, Trojan.Win32.Swrort.3.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 51af40e6f7e68dd62f9ca474831f010d
SHA1: 8b94c6a043e4ef3adc4a4c2df345fe6267479bcf
SHA256: 4db73c8742ef2f8ba15cbe2e835b90d4c6e90d0a196bf739f6ce77f43ac23d62
SSDeep: 24576:z8ydwqiycH2hmaDpurWf2kePZhzt2fdUVy/Pkhlz jqK0zp9dZwTSs7IwTiU/iAv:pSyc2or9zhhzt9IXkhAO9dZQSeI6/D
Size: 1535488 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-02-17 09:00:50
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
rundll32.exe:1756
%original file name%.exe:1568
The Backdoor injects its code into the following process(es):
Setup.exe:504
File activity
The process Setup.exe:504 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (338 bytes)
%Documents and Settings%\%current user%\Application Data\BitTorrent\settings.dat.new (69 bytes)
%Documents and Settings%\%current user%\Application Data\BitTorrent\toolbar.benc.new (65 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\dll_optimizerpro[1].jpg (2409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt9.tmp.new (66 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BunndleOfferManager.dll (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\offers[1].json (2888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\BitTorrent\toolbar_offer.benc (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Bunndle\Bunndle.log (1989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt1.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Bunndle\BunndleOfferManager-B70F552C-5BCA-4F12-B55A-E90B05EFF175.dll (25104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\i_temp.temp (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\impression[1].png (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\impression[1].png (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt8.tmp.new (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\idlimage.temp (292 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\offconfig.temp (2135 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab2.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ADKAppsOfferManager.dll (102 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\9d1627c087e30ee6fe8c9cce3c77e841_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (109 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt1.tmp.27534.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt9.tmp.27587.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\impression[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\idlimage.temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\offers[1].json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\i_temp.temp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\impression[1].png (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\offconfig.temp (0 bytes)
The process %original file name%.exe:1568 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PROTEG~1.EXE (8211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Setup.exe (17426 bytes)
Registry activity
The process Setup.exe:504 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCR\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "8862592471"
[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus\1]
"(Default)" = "131473"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\MiscStatus]
"(Default)" = "0"
[HKCR\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib]
"(Default)" = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"
[HKCR\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\BunndleOfferManager.dll"
[HKCR\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\VersionIndependentProgID]
"(Default)" = "Bunndle.BunndleOfferManager"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\BitTorrent\BitTorrent]
"OfferAccepted" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\TypeLib]
"(Default)" = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"
[HKCR\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}]
"(Default)" = "IInstallScriptHelper"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\Bunndle.BunndleOfferManager]
"(Default)" = "BunndleOfferManager Class"
[HKCR\Bunndle.BunndleOfferManager.1]
"(Default)" = "BunndleOfferManager Class"
[HKCR\Bunndle.BunndleOfferManager.1\CLSID]
"(Default)" = "{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}"
[HKCU\Software\BitTorrent\BitTorrent]
"OfferProvider" = ""
[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\InprocServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\BunndleOfferManager.dll"
[HKCR\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}]
"(Default)" = "IBunndleOfferManager2"
[HKCR\Interface\{4C47163B-0755-4FBD-B805-F446558A34BB}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}]
"AppId" = "{2C9E6EB4-45BD-4855-A0C2-4614D4C49DBA}"
[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}]
"(Default)" = "BunndleOfferManager Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 12 84 EE 4D A9 BC 54 77 C9 78 FF 0A 82 9E 45"
[HKCR\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\TypeLib]
"(Default)" = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 63 66 4B 08"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCR\Interface\{68A77467-3411-4C5A-BDCA-7B0233097FFB}\TypeLib]
"(Default)" = "{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}]
"(Default)" = "IBunndleOfferManager"
[HKCR\TypeLib\{BE75CD6E-0AC6-4D57-ACDD-48FD1ADB7711}\1.0]
"(Default)" = "BunndleOfferManager 1.0 Type Library"
[HKCR\CLSID\{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}\ProgID]
"(Default)" = "Bunndle.BunndleOfferManager.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\BitTorrent\BitTorrent]
"OfferViaCAU" = "0"
[HKCU\Software\BitTorrent\BitTorrent]
"OfferName" = ""
[HKCR\Bunndle.BunndleOfferManager\CurVer]
"(Default)" = "Bunndle.BunndleOfferManager.1"
[HKCR\Bunndle.BunndleOfferManager\CLSID]
"(Default)" = "{FA6DC595-39EE-45E6-BC91-1E4D385ABB11}"
[HKCR\Interface\{253B2114-DE9E-42A9-9C73-533E24FC788E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
The Backdoor modifies the IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"
The process rundll32.exe:1756 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 9C A3 78 9A EF 0A C7 7B 01 BB 0E 31 BD 8A 2C"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 91 DE 06 25"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"
The process %original file name%.exe:1568 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE B2 48 7C FF 48 A3 E8 18 98 26 87 6F DB 2C 7A"
To run itself automatically each time Windows is booted, the Backdoor adds the following value pointing to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://67.215.246.204/updatestats.php?cl=BitTorrent&v=251884864&h=NvuqiU4fXS7mHeKm&k=&ip=2&dns=31&con=31&dl=484&dlurl=http://ll.download3.utorrent.com/offers/bt-conduit-20130311.bmp&svp=4&pid=504&sz=66022&bin=bmp | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
rundll32.exe:1756
%original file name%.exe:1568
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[1].txt (338 bytes)
%Documents and Settings%\%current user%\Application Data\BitTorrent\settings.dat.new (69 bytes)
%Documents and Settings%\%current user%\Application Data\BitTorrent\toolbar.benc.new (65 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\dll_optimizerpro[1].jpg (2409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt9.tmp.new (66 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BunndleOfferManager.dll (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\offers[1].json (2888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\BitTorrent\toolbar_offer.benc (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Bunndle\Bunndle.log (1989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt1.tmp.new (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Bunndle\BunndleOfferManager-B70F552C-5BCA-4F12-B55A-E90B05EFF175.dll (25104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\i_temp.temp (218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\impression[1].png (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\impression[1].png (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\utt8.tmp.new (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar3.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\idlimage.temp (292 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@localhost[2].txt (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\offconfig.temp (2135 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab2.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ADKAppsOfferManager.dll (102 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\9d1627c087e30ee6fe8c9cce3c77e841_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PROTEG~1.EXE (8211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Setup.exe (17426 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.