Trojan-Downloader.Win32.Agent.hdnh (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-PSW.Win32.Zbot.4.FD, mzpefinder_pcap_file.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan-PSW, Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8aa2ac76201abef058b903decb580313
SHA1: 8f19ae3c1ee2561d64699d68120ad2a4fc105f6f
SHA256: d604b19bd91d7a1a28c84e62975543e1cdddec0c8e0ccae26815e9f5270a89f2
SSDeep: 384:UMp3HU08dJlM1jpj0Z3g 4tdmuJc1PbJK:UEHUblMVZ3kJK
Size: 20160 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: SummerSoft
Created at: 2013-09-03 16:59:47
Summary: Trojan-PSW. Trojan program intended for stealing users passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
8aa2ac76201abef058b903decb580313.exe:848
zfbttcb.exe:736
cietim.exe:1860
zvbvfndd.exe:340
The Trojan-PSW injects its code into the following process(es):
oKnUAf.exe:1616
File activity
The process oKnUAf.exe:1616 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[2].txt (301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (13 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@facebook[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\budbad[1].htm (213 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@area72aa[1].txt (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\precisionsolutionsky[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\golfpark-moossee[1].htm (1248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\boundbydesign[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (231 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@appelfarm[1].txt (223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\e-shuukyaku[1].htm (18 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\slcago[1].htm (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\momonophoto[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[2].txt (307 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\christybarry[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\home[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\spiti[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\timeturkey[1].htm (32 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@choice-select[1].txt (204 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (197 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[2].txt (344 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@re-wakefield.co[1].txt (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\brijindia[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\altonhousehotel[1].htm (38 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.patentauction[2].txt (342 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.servico-ind[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hpp-services[1].htm (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\churchclothes[1].htm (60 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.patentauction[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\mibsga[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\cath4choice[1].htm (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hostphd.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\easyformations[1].htm (19 bytes)
%Documents and Settings%\%current user%\qejacysgabom.exe (49 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (21092 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\floridadoubled[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\gjk.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\boundbydesign[1].htm (10 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\momonophoto[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\budbad[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\precisionsolutionsky[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\e-shuukyaku[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\christybarry[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\home[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\slcago[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\timeturkey[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\easyformations[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\spiti[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\brijindia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\churchclothes[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.patentauction[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\mibsga[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\cath4choice[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hostphd.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\floridadoubled[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\gjk.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hpp-services[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\boundbydesign[1].htm (0 bytes)
The process 8aa2ac76201abef058b903decb580313.exe:848 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zfbttcb.exe (20 bytes)
The process zfbttcb.exe:736 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\rhk[1].exe (1685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (52 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zvbvfndd.exe (1685 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)
The process cietim.exe:1860 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6096 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6268 bytes)
The process zvbvfndd.exe:340 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FHI9B2C.bat (179 bytes)
%Documents and Settings%\%current user%\Application Data\Anzuu\cietim.exe (2725 bytes)
Registry activity
The process oKnUAf.exe:1616 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"qejacysgabomzap" = "9C 74 4C 24 FB 47 1F F6 CE A6 7E 56 2E 79 51 29"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "35 99 71 49 21 6C 44 1C F3 CB A3 7B 53 2B 03 4E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 67 28 D4 68 7C 7D 5E 5A B4 69 00 4F B0 C1 A1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"qejacysgabom" = "%Documents and Settings%\%current user%\qejacysgabom.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process 8aa2ac76201abef058b903decb580313.exe:848 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F F9 A3 C4 CE 1C 33 76 0E CB 47 9A D0 95 57 B0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"zfbttcb.exe" = "zfbttcb"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The process zfbttcb.exe:736 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 E4 A8 18 AB B6 94 D6 AF 7A 67 6F 5C 14 1F 6F"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"zvbvfndd.exe" = "Substance Practicehad"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process cietim.exe:1860 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 92 A1 AF 9E 56 4D C7 9D 9F 0F B1 08 7E 8B F8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Byymyjitjemi]
"184bibd6" = "BeTh0UT/9HM="
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process zvbvfndd.exe:340 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 16 42 EE 0B A8 B5 27 69 6E 7B 62 62 55 BF DC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://www.solutics.ch/oKnUAf.exe | 88.198.26.38 |
| hxxp://precisionsolutionsky.com/ | 64.34.168.92 |
| hxxp://sullyfrance.com/ | 216.8.179.30 |
| hxxp://screaminpeach.com/ | 108.162.203.235 |
| hxxp://christybarry.com/ | 66.49.139.143 |
| hxxp://courtney.ca/ | 67.223.102.97 |
| hxxp://e-shuukyaku.com/ | 211.13.204.89 |
| hxxp://toddpipe.com/ | 173.247.243.173 |
| hxxp://jacksonsallamerican.com/ | 50.63.202.20 |
| hxxp://celebikalip.com.tr/ | 212.58.6.80 |
| hxxp://colourprint.nl/ | 91.233.105.63 |
| hxxp://stepnet.de/ | 91.250.116.6 |
| hxxp://mandi-man.com/ | 210.172.144.61 |
| hxxp://dbcomponents.com/ | 66.147.244.241 |
| hxxp://macgregor.co.kr/ | 112.175.11.240 |
| hxxp://sarahdavid.com/ | 69.167.173.15 |
| hxxp://brijindia.com/ | 67.18.185.98 |
| hxxp://ezmedi.com/ | 218.150.78.243 |
| hxxp://sarahdavid.com/index.html | |
| hxxp://www.choice-select.com/ | |
| hxxp://austriansurfing.at/ | 85.13.136.86 |
| hxxp://gjk.com.pl/ | 193.239.44.106 |
| hxxp://hifuken.com/ | 49.212.198.76 |
| hxxp://tss.org/ | 209.200.238.15 |
| hxxp://bethisraelcenter.org/ | 204.213.246.4 |
| hxxp://freepatentauction.com/ | 213.186.33.4 |
| hxxp://wkhk.net/ | 203.189.104.242 |
| hxxp://brookfarm.com.au/ | 116.251.204.207 |
| hxxp://iaiglobal.or.id/ | 49.50.8.93 |
| hxxp://arquiteturadigital.com/ | 208.113.187.143 |
| hxxp://churchclothes.com/ | 97.74.42.79 |
| hxxp://hostphd.com.br/ | 162.211.86.65 |
| hxxp://timeturkey.com/ | 174.123.154.194 |
| hxxp://eurasia.it/ | 54.229.116.65 |
| hxxp://gamblingonlinemagazine.com/ | 198.1.90.242 |
| hxxp://hpp-services.com/ | 69.27.112.3 |
| hxxp://iaiglobal.or.id/v02 | |
| hxxp://fraser-high.school.nz/ | 210.48.67.144 |
| hxxp://servico-ind.com/ | 85.159.56.120 |
| hxxp://arckepesajandek.hu/ | 5.56.32.1 |
| hxxp://mastergrp-spb.ru/ | 188.127.245.103 |
| hxxp://servico-ind.com/index.asp | |
| hxxp://iaiglobal.or.id/v02/ | |
| hxxp://wsipowerontheweb.com/ | 173.245.60.194 |
| hxxp://boundbydesign.com/ | 64.13.250.94 |
| hxxp://d4drmedia.com/ | 208.70.247.105 |
| hxxp://area72aa.org/ | 199.19.85.86 |
| hxxp://appelfarm.org/ | 108.162.206.115 |
| hxxp://schiedel.it/ | 217.145.99.26 |
| hxxp://spiti.org/ | 212.67.194.161 |
| hxxp://xing-group.com/ | 59.106.167.61 |
| hxxp://egao.net/ | 121.83.133.146 |
| hxxp://steelpennygames.com/ | 54.227.239.237 |
| hxxp://korta-sa.com/ | 91.200.116.10 |
| hxxp://impex.com.pl/ | 188.252.27.130 |
| hxxp://kvadratoff.ru/ | 188.93.212.32 |
| hxxp://slcago.org/ | 97.74.80.192 |
| hxxp://pcpeds.com/ | 216.122.144.146 |
| hxxp://budbad.com/ | 144.76.86.115 |
| hxxp://paintball.be/ | 213.186.33.19 |
| hxxp://vanguardpkg.com/ | 184.168.201.1 |
| hxxp://ans-service.com/ | 67.227.252.139 |
| hxxp://golfpark-moossee.ch/ | 80.74.142.135 |
| hxxp://midwestga.com/ | 108.175.148.57 |
| hxxp://xuanxiao.com/ | 116.251.205.115 |
| hxxp://mibsga.com/ | |
| hxxp://adultlivechat.us/ | 74.119.145.130 |
| hxxp://tutuji-saitama.com/ | 124.108.33.192 |
| hxxp://cath4choice.org/ | 76.12.228.8 |
| hxxp://agence-des-druides.com/ | 91.121.36.162 |
| hxxp://aethora.com/ | 67.207.143.253 |
| hxxp://coopsupermarkt.nl/ | 213.247.43.95 |
| hxxp://easyformations.net/ | 88.208.216.219 |
| hxxp://doctsf.com/ | 213.186.33.17 |
| hxxp://momonophoto.com/ | 203.189.105.136 |
| hxxp://solutioncorp.com/ | 66.111.53.120 |
| hxxp://sgprinting.ca/ | 184.107.236.2 |
| hxxp://acmepacificrepairs.com/ | 69.198.129.78 |
| hxxp://childscope.com/ | 173.203.121.238 |
| altonhousehotel.com | 78.129.226.106 |
| championsisters.com | 50.116.66.142 |
| jointpower-log.com | 61.172.246.56 |
| hoodriver.org | 205.186.183.163 |
| www.patentauction.com | 213.186.33.4 |
| www.iaiglobal.or.id | 49.50.8.93 |
| chocolatecovers.com | 127.0.0.1 |
| www.hpp-services.com | 69.27.112.3 |
| bukaschool.cz | 93.185.102.124 |
| link-list-uk.com | 91.109.14.224 |
| in1.smtp.messagingengine.com | 66.111.4.70 |
| tollefsondesign.com | 192.168.0.1 |
| domusretreat.com | 50.57.31.161 |
| floridadoubled.com | 64.59.81.104 |
| ibcd.com.br | 192.168.0.1 |
| heritageplaceky.com | 199.34.229.100 |
| menolinx.com | 103.8.127.205 |
| sd-jida.com.tw | 220.130.45.139 |
| mxs.mail.ru | 94.100.176.20 |
| tenpole.com | 127.0.0.1 |
| norakuroya.com | 175.45.136.72 |
| www.screaminpeach.com | 108.162.204.235 |
| smtp.mail.yahoo.com | 98.138.105.21 |
| itre.org | 199.7.108.125 |
| menyayu.com | 62.109.28.222 |
| choice-select.com | 176.74.176.179 |
| www.servico-ind.com | 85.159.56.120 |
| bgfleming.com | 208.36.53.135 |
| gmail-smtp-in.l.google.com | 74.125.142.27 |
| floresta.org | 209.114.38.138 |
| ondaon.com.br | 206.222.17.3 |
| www.childscope.com | 173.203.121.238 |
| perc.ca | 69.89.31.118 |
| 1-dream.net | 210.172.144.247 |
| alt4.gmail-smtp-in.l.google.com | 173.194.65.27 |
| fnadisplay.com | 94.23.0.52 |
| rivhsa.org | 69.61.104.168 |
| osouji-school.com | 211.13.204.89 |
| netify.de | 87.106.66.125 |
| lois-jewellery.com | 213.165.89.8 |
| upsilon89.com | 62.193.227.35 |
| nadalada.net | 216.99.222.235 |
| sanwaseiki.com | 182.48.49.38 |
| singtech.com.sg | 103.9.101.151 |
| greenshore.com | 68.169.60.245 |
| www.wkhk.net | 203.189.104.242 |
| islandsticker.com | 216.117.162.218 |
| nazcapictures.com | 69.0.211.58 |
| mekapro.ch | 213.239.199.42 |
| womanshealthchoice.com | 46.30.8.183 |
| oceanpowermarine.com.au | 202.87.24.152 |
| winnstone.com | 174.121.8.8 |
| stageup.net | 115.146.8.231 |
| www.golfpark-moossee.ch | 80.74.142.135 |
| www.facebook.com | 31.13.65.1 |
| www.gamblingonlinemagazine.com | 198.1.90.242 |
| www.mibsga.com | 173.201.232.241 |
| fitedi.com.br | 187.45.210.124 |
| santilli-law.com | 173.199.169.56 |
| re-wakefield.co.uk | 108.162.193.186 |
| bredainternet.nl | 127.0.0.1 |
| trenpalau.com | 217.149.1.49 |
| nd-evenementiel.com | 79.98.23.30 |
| temsanmakina.com | 85.153.48.91 |
| www.sarahdavid.com | 69.167.173.15 |
| mail7.digitalwaves.co.nz | 127.0.0.1 |
| entegre.com.tr | 31.207.87.45 |
| didonatospa.com | 217.64.194.122 |
| smtp.live.com | 65.55.96.11 |
| theautospas.com | 216.70.109.220 |
| www.momonophoto.com | 203.189.105.136 |
| nichedictionary.com | Unresolvable |
| xn--22c6bfh8abch1g1b0ap6a9vxa.com | Unresolvable |
| x-cellcommunications.de | Unresolvable |
| audio-direkt.net | Unresolvable |
| toutenmeuse.com | Unresolvable |
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
8aa2ac76201abef058b903decb580313.exe:848
zfbttcb.exe:736
cietim.exe:1860
zvbvfndd.exe:340 - Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[2].txt (301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\index[1].htm (13 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@facebook[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\budbad[1].htm (213 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@area72aa[1].txt (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\precisionsolutionsky[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\golfpark-moossee[1].htm (1248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\boundbydesign[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (231 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@appelfarm[1].txt (223 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\e-shuukyaku[1].htm (18 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wsipowerontheweb[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\slcago[1].htm (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\momonophoto[1].htm (19 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[2].txt (307 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\christybarry[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\home[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\spiti[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\timeturkey[1].htm (32 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@choice-select[1].txt (204 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (197 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[2].txt (344 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (881 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@re-wakefield.co[1].txt (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\brijindia[1].htm (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\altonhousehotel[1].htm (38 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.patentauction[2].txt (342 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.servico-ind[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hpp-services[1].htm (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\churchclothes[1].htm (60 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.patentauction[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\mibsga[1].htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\cath4choice[1].htm (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\hostphd.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\easyformations[1].htm (19 bytes)
%Documents and Settings%\%current user%\qejacysgabom.exe (49 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (21092 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\floridadoubled[1].htm (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\gjk.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\boundbydesign[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zfbttcb.exe (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\rhk[1].exe (1685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (52 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zvbvfndd.exe (1685 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FHI9B2C.bat (179 bytes)
%Documents and Settings%\%current user%\Application Data\Anzuu\cietim.exe (2725 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"qejacysgabom" = "%Documents and Settings%\%current user%\qejacysgabom.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.