HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Kryptik.ake (v) (VIPRE), Trojan-PWS.Win32.Zbot!IK (Emsisoft), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ebbc5b822f1a708680efc412873ed7a7
SHA1: da15c6c2ab874351bfe40e051f80fbc25173c4cb
SHA256: 755ac5d9aae0d7ca904020c59082468d03c64a283d99893ea539a52ed7125a32
SSDeep: 6144:x XL1/BuzrDXP3PHBfP3HLp3PHYrBZkC8sdDYrVbX4srR8Ipg8u0DS5gioqXCq2m:x 715uzrD/3PHBfP3HLp3PH0BZIbXdrC
Size: 303616 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2003-11-14 01:15:40
Summary: Trojan-PSW. Trojan program intended for stealing users passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
ebbc5b822f1a708680efc412873ed7a7.exe:1464
ntvdm.exe:864
xaybdy.exe:668
The Trojan-PSW injects its code into the following process(es):
Eva.exe:1744
File activity
The process ebbc5b822f1a708680efc412873ed7a7.exe:1464 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Hyjij\xaybdy.exe (1728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWK9F.bat (171 bytes)
The process ntvdm.exe:864 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\Default User\Local Settings (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%WinDir%\Temp (960 bytes)
%WinDir%\WinSxS (12 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\Installer (196 bytes)
C:\Perl\lib\CPAN (8 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
C:\Perl\html\faq (4 bytes)
C:\Perl\lib\Encode (4 bytes)
%WinDir%\Help (248 bytes)
C:\Perl\lib\Devel (4 bytes)
%WinDir%\security (4 bytes)
C:\Perl\lib\ActiveState (4 bytes)
%Program Files%\Opera (4 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
%WinDir% (672 bytes)
%Documents and Settings%\%current user%\Application Data (4 bytes)
C:\Perl\lib\CORE (196 bytes)
%Program Files%\Movie Maker (4 bytes)
C:\Perl\lib\B (4 bytes)
C:\Perl\lib\ExtUtils (8 bytes)
%Program Files%\Windows NT (4 bytes)
%System% (9744 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
C:\Perl\lib\Class (4 bytes)
C:\Perl\eg\PerlEx (4 bytes)
C:\Perl\lib\auto (16 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
C:\Perl\html\lib (49 bytes)
%WinDir%\msagent (4 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (1052 bytes)
%WinDir%\Web (4 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%Program Files%\Wireshark (196 bytes)
%WinDir%\assembly (4 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
C:\Perl\lib\CPANPLUS (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%WinDir%\ime (4 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
C:\Perl\lib\DBI (4 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%Program Files%\Common Files (4 bytes)
%Documents and Settings%\%current user%\Cookies (288 bytes)
C:\Perl\lib\DBD (4 bytes)
The Trojan-PSW deletes the following file(s):
%WinDir%\Temp\scs1.tmp (0 bytes)
%WinDir%\Temp\scs2.tmp (0 bytes)
The process xaybdy.exe:668 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6656 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6308 bytes)
The process Eva.exe:1744 makes changes in a file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\shtandvare[1].htm (206 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wp[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@3dup[1].txt (207 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4240 bytes)
%Documents and Settings%\%current user%\hutybgutxyrh.exe (40 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@directtv[1].txt (190 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@grar[1].txt (132 bytes)
Registry activity
The process ebbc5b822f1a708680efc412873ed7a7.exe:1464 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 F3 00 9B F0 C9 82 CA A5 32 1C D9 B9 F1 76 BD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process xaybdy.exe:668 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 47 3E 6D B9 B9 1F 85 2B 26 C6 19 62 B2 C1 6F"
[HKCU\Software\Microsoft\Alobeqetajy]
"1ajj1a10" = "Q FDEOMCtfMBBdy0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process Eva.exe:1744 makes changes in a system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"hutybgutxyrhzap" = "8E 66 3E 16 ED C5 9D 75 4D 25 FC D4 AC 84 5C 34"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "E3 48 20 F7 CF A7 7F 57 2F 07 DE B6 8E 66 3E 16"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 65 18 81 AA C8 60 DC 90 5F 62 FB 0F 16 6F 8D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
To automatically run itself each time Windows is booted, the Trojan-PSW adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"hutybgutxyrh" = "%Documents and Settings%\%current user%\hutybgutxyrh.exe"
The Trojan-PSW modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
Network activity (URLs)
| URL | IP | Country |
| hxxp://iwvsales.com/bc.exe | 63.143.39.130 | |
| hxxp://markphaneuf.com/Eva.exe | 216.22.26.55 | |
| hxxp://grar.com/ | 65.183.178.29 | |
| hxxp://ncable.net.au/ | 203.208.88.59 | |
| hxxp://blackplanet.com/?ptrxcz_PWcjry5CJPWdksz6DJQXelt06DKRYf | 70.42.66.70 | |
| hxxp://hawaiiantel.net/?ptrxcz_t07ELSZfmu18FMTZgov29GNTahpw3A | 64.8.70.102 | |
| hxxp://24.com/ | 41.86.110.143 | |
| hxxp://blackplanet.com/?ptrxcz_FMTahpv3AHOUbiqx4BIPVcjry5CJPW | ||
| hxxp://waupacafoundry.com/ | 71.13.131.168 | |
| hxxp://merck.com/?ptrxcz_kt07ELSZgou18FMTahov29GNUbipw3 | 155.91.16.2 | |
| hxxp://dreamwiz.com/?ptrxcz_QXdksz6DKRXelt07ELSYfmu18FMTZg | 61.111.244.129 | |
| hxxp://yahoo.co.jp/ | 203.216.243.240 | |
| hxxp://bumbleandbumble.com/?ptrxcz_KSZgmu28FMTahpv29GNUahpw3AHNUb | 170.224.105.243 | |
| hxxp://unison.ie/?ptrxcz_Wdksz6DJQXelt07DKRYfmu07ELSZgm | 217.78.15.211 | |
| hxxp://3dup.com/?ptrxcz_QYflt18FLSZgov29FMTahpw39GNUbi | 108.162.196.42 | |
| hxxp://williams.edu/?ptrxcz_elt18FMTZgov29GNUbiqx3AHOVcjry | 137.165.6.26 | |
| hxxp://grandecom.net/ | 66.90.130.6 | |
| hxxp://talktalk.net/ | 193.118.251.141 | |
| hxxp://brettlarson.com/?ptrxcz_rz7ELRYfmu18ELSZgov18FMTahov29 | 50.62.243.1 | |
| hxxp://clds.net/?ptrxcz_hpw4BHOVcjry5CJQXeksz6DKRYfmu1 | 208.47.185.65 | |
| hxxp://csrlink.net/?ptrxcz_RZfmu28FMTahpw29GNUbipw3AHOVci | 207.69.200.195 | |
| hxxp://collegeclub.com/ | 66.150.124.66 | |
| hxxp://stargate.net/?ptrxcz_pw4BHOVcjry5BIPWdksz5CJQXeltz6 | 209.166.171.92 | |
| hxxp://mail.com/ | 213.165.66.221 | |
| hxxp://cytanet.com.cy/ | 195.14.130.176 | |
| hxxp://mail.unomaha.edu/ | 137.48.1.6 | |
| hxxp://stargate.net/ | ||
| hxxp://micron.net/?ptrxcz_NYju5FQakv6GQblw7Zgov29FMTahpw | 137.201.240.85 | |
| hxxp://citigroup.com/?ptrxcz_u29GNUbiqx4AHOVcjry5CJPWdksz6D | 192.193.219.58 | |
| hxxp://shtandvare.com/ | 37.59.37.160 | |
| hxxp://lyuchta.org/ | 178.79.190.156 | |
| hxxp://lineone.net/?ptrxcz_sz7DKRYfmu18ELSZgov28FMTahpv29 | 212.74.99.30 | |
| hxxp://directtv.com/ | 147.21.176.14 | |
| hxxp://jrihealth.org/ | 208.73.210.29 | |
| hxxp://flemingc.on.ca/?ptrxcz_4CJQXelt07DKRYfmu18ELSZgov29FM | 192.197.148.244 | |
| hxxp://bluewin.ch/?ptrxcz_AHOVcjry5CJQXdksz6DKRXelt07ELR | 195.186.196.33 | |
| hxxp://markbrent.com/?ptrxcz_19GNUbipw3AHOUbiqx4BHOVcjrx4BI | 50.63.127.1 | |
| hxxp://number1.net/ | 208.73.211.199 | |
| hxxp://blackplanet.com/ | ||
| hxxp://vaxxine.com/ | 209.159.189.4 | |
| hxxp://lansdownecollege.com/ | 109.203.126.209 | |
| hxxp://markbrent.com/ | ||
| hxxp://ul.ie/?ptrxcz_3AIOVcjry5CJPWdksz6DKQXelt07EL | 188.40.16.174 | |
| hxxp://start.no/?ptrxcz_3BJPWdksz6DKQXelt07ELRYfmu18FM | 195.159.73.120 | |
| hxxp://waupacafoundry.com/?ptrxcz_08FMTahov29GNUahpw3AHNUbiqx4AH | ||
| floodcity.net | 64.186.80.70 | |
| npower.com | 85.8.204.208 | |
| nifty.com | 210.131.4.217 | |
| pba.com | 216.145.1.21 | |
| linuxmail.org | 50.22.218.215 | |
| rcn.com | 208.59.90.35 | |
| ethansalwen.com | 69.163.163.63 | |
| wp.pl | 212.77.100.101 | |
| terra.es | 208.84.244.10 | |
| uakron.edu | 130.101.217.69 | |
| in1.smtp.messagingengine.com | 66.111.4.72 | |
| cocmast.net | 108.175.168.94 | |
| naver.com | 220.95.233.172 | |
| worldonline.co.uk | 212.74.99.30 | |
| primusonline.com.au | 211.27.226.8 | |
| optonline.net | 66.54.17.31 | |
| netsync.net | 65.98.89.218 | |
| ninemsn.com.au | 202.58.48.1 | |
| mxs.mail.ru | 94.100.176.20 | |
| marchmail.com | 50.22.218.215 | |
| pchome.com.tw | 210.59.230.60 | |
| starpower.net | 207.172.157.181 | |
| idealcollectables.com | 208.106.129.24 | |
| gmail-smtp-in.l.google.com | 173.194.76.27 | |
| mail.earthlink.net | 209.86.93.206 | |
| alt4.gmail-smtp-in.l.google.com | 173.194.69.26 | |
| teknett.com | 70.34.34.93 | |
| robvivian.com | 184.168.221.54 | |
| popstar.com | 67.228.2.139 | |
| wildmail.com | 217.70.184.38 | |
| avinalarf.co.uk | 173.245.61.168 | |
| dr.com | 204.74.99.100 | |
| briansmail.com | 127.0.0.1 | |
| youtube.com | 74.125.226.197 | |
| dicksmail.com | 127.0.0.1 | |
| findlay.edu | 206.244.84.38 | |
| intelnet.net.gt | 200.6.192.206 | |
| vodafone.com | 195.232.194.11 | |
| indosat.com | 202.152.161.193 | |
| shmais.com | 141.101.127.102 | |
| uplink.net | 207.69.200.195 | |
| boardermail.com | 50.22.218.215 | |
| backpacker.com | 107.22.234.56 | |
| mail7.digitalwaves.co.nz | 127.0.0.1 | |
| birds.com | 173.203.60.104 | |
| the-wild-west.com | 1.2.3.4 |
Rootkit activity
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ebbc5b822f1a708680efc412873ed7a7.exe:1464
ntvdm.exe:864
xaybdy.exe:668 - Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Application Data\Hyjij\xaybdy.exe (1728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWK9F.bat (171 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%Program Files%\Windows Media Player (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%WinDir%\Temp (960 bytes)
%WinDir%\WinSxS (12 bytes)
%Program Files%\Internet Explorer (4 bytes)
%WinDir%\Installer (196 bytes)
C:\Perl\lib\CPAN (8 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
C:\Perl\html\faq (4 bytes)
C:\Perl\lib\Encode (4 bytes)
%WinDir%\Help (248 bytes)
C:\Perl\lib\Devel (4 bytes)
%WinDir%\security (4 bytes)
C:\Perl\lib\ActiveState (4 bytes)
%Program Files%\Opera (4 bytes)
%WinDir%\Microsoft.NET (4 bytes)
%WinDir%\REGISTRATION (4 bytes)
C:\Perl\lib\CORE (196 bytes)
%Program Files%\Movie Maker (4 bytes)
C:\Perl\lib\B (4 bytes)
C:\Perl\lib\ExtUtils (8 bytes)
%Program Files%\Windows NT (4 bytes)
%System% (9744 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
C:\Perl\lib\Class (4 bytes)
C:\Perl\eg\PerlEx (4 bytes)
C:\Perl\lib\auto (16 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
C:\Perl\html\lib (49 bytes)
%WinDir%\msagent (4 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\test.pml (1052 bytes)
%WinDir%\Web (4 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%Program Files%\Wireshark (196 bytes)
%WinDir%\assembly (4 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
C:\Perl\lib\CPANPLUS (4 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%WinDir%\ime (4 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
C:\Perl\lib\DBI (4 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%Program Files%\Common Files (4 bytes)
%Documents and Settings%\%current user%\Cookies (288 bytes)
C:\Perl\lib\DBD (4 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6656 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\shtandvare[1].htm (206 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wp[1].txt (214 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@3dup[1].txt (207 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4240 bytes)
%Documents and Settings%\%current user%\hutybgutxyrh.exe (40 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@directtv[1].txt (190 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@grar[1].txt (132 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"hutybgutxyrh" = "%Documents and Settings%\%current user%\hutybgutxyrh.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.