by malwarelabrobot on March 7th, 2014 in Malware Descriptions.

Trojan.Rincux.AW (BitDefender), DDoS:Win32/Nitol.A (Microsoft), Trojan.Win32.MicroFake.pgu (Kaspersky), Trojan.Win32.Nitol.b (v) (VIPRE), Trojan.Inject1.247 (DrWeb), Trojan.Rincux.AW (B) (Emsisoft), Artemis!F7A09F3251B0 (McAfee), Trojan.Win32.MicroFake (Ikarus), Trojan.Rincux.AW (FSecure), Downloader.Generic12.VDR (AVG), Win32:Malware-gen (Avast), PE_VIRUX.R (TrendMicro), DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Technical Details
Removal Recommendations

MD5: f7a09f3251b01fe135667af3b73bdc52
SHA1: bb103f63f1c8ad480899c1a422d0e5370a686565
SHA256: ad28f76bd242f11229ff79562e44f92f5b4a4d03220166c8ca22f2676c600f78
SSDeep: 3072:fl0M2hwxyHdlDap78fw/Fh4jsCsm8N3vtWqucSvO/msxfaTMLGQ3Y:flt4wxyHdlmhOwth4A3IcSvOHp3Y
Size: 155648 bytes
File type: DLL
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-07-18 17:52:28
Analyzed on: WindowsXP SP3 32-bit


Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).


No specific payload has been found.

Process activity

The Trojan creates the following process(es):


The Trojan injects its code into the following process(es):
No processes have been created.

File activity

The process regsvr32.exe:596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (147 bytes)

The process hrl1.tmp:1536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\qusoue.exe (673 bytes)

Registry activity

The process regsvr32.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

"Seed" = "A3 69 5E 6A 35 BE FF 95 A3 51 14 33 BA 53 0C 80"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below: www.Brenz.pl

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):


  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (147 bytes)
    %System%\qusoue.exe (673 bytes)

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): localhost
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now