
Gen.Variant.Graftor.153738_911bb18446

by malwarelabrobot on March 18th, 2017 in Malware Descriptions.

Gen:Variant.Graftor.153738 (B) (Emsisoft), Gen:Variant.Graftor.153738 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 911bb184460388ebad4c018604b0e486
SHA1: 7996b131d84cbb4369f1ac944c97c6c1da54f13a
SHA256: 668ad53056947e1457bdd1cce2cf033f2c90e90cbceb3adc6429cdaaa74b042b
SSDeep: 24576:hOYjPd9rheo 7a0oJTZaqdiXSp0c02uFG6dAk3CMDPFt:hndOHuTTZaqdwk0c05HGi7
Size: 1581056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-11-11 06:45:07
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords. The family names above are generic: Trojan.Win32.FlyStudio / TrojanFlyStudio is how several engines label binaries built with Easy Programming Language (EPL, 易语言), the Chinese RAD toolchain whose site (eyuyan.com) appears in the VersionInfo comment below, and Trojan-PSW / MSNPassword are class labels rather than a description of what was observed. What the strings recovered from the process dump (below) do show is consistent with a keylogging, credential-stealing tool: RegisterHotKey/UnregisterHotKey, SetWindowsHookExA/UnhookWindowsHookEx and GetKeyState imports, an embedded WebBrowser control, WinINet HTTP functions, SMTP header format strings (From:, To:, Subject:, Reply-To:), WinExec and ShellExecuteA, and a list of third-party installer URLs. None of that activity (keystroke capture, mail exfiltration, downloading or running other executables) was triggered during this run.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1792 (this is the sample's own process; no injection into any other process was observed in this run)

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\error[1].htm (801 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logo[1].gif (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017031720170318\index.dat (16 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101020161017 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016102820161029 (0 bytes)

Registry activity

The process %original file name%.exe:1792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

Most of the entries below are side effects of the HTTP requests shown under Traffic rather than deliberate configuration: Windows creates the HKLM\SOFTWARE\Microsoft\Tracing\<program name>_RASAPI32 and _RASMANCS keys itself for any process that loads the RAS/WinINet stack (the program name is the sample's MD5 because the sandbox renamed the file), and the Internet Settings\5.0\Cache, ZoneMap and CpMRU values are WinINet/Internet Explorer bookkeeping. The Tracing keys are still worth collecting: they name the executable and survive deletion of the file, so they are evidence that it ran. No Run/RunOnce, service or other autostart entry was written.

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017031720170318]
"CachePrefix" = ":2017031720170318:"
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017031720170318"

[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017031720170318]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017031720170318]
"CacheRepair" = "0"
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

[HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32]
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101020161017]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016102820161029]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
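Separating this kind of Windows bookkeeping from writes that matter is most of the work when reading a sandbox registry log. The following is an added example (not code from the report or the sandbox) that buckets registry writes, using (key, value name, data) triples constructed from the section above plus one invented Run entry so that the persistence bucket is exercised; the prefix lists and bucket names are this example's assumptions. It also pulls program names back out of the Tracing key names, which is how those keys get used as execution evidence in forensics.

```python
import re
from collections import Counter

# (key, value name, data) triples constructed from the Registry activity section
# above, plus one made-up Run entry to show what a real persistence write looks like.
SAMPLE_EVENTS = [
    (r"HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASMANCS", "MaxFileSize", "1048576"),
    (r"HKLM\SOFTWARE\Microsoft\Tracing\911bb184460388ebad4c018604b0e486_RASAPI32", "EnableFileTracing", "0"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017031720170318", "CachePrefix", ":2017031720170318:"),
    (r"HKCU\Software\Microsoft\Internet Explorer\International\CpMRU", "Enable", "1"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "AutoDetect", "1"),
    (r"HKCU\Software\Microsoft\Multimedia\DrawDib", "vga.drv 1276x846x32(BGR 0)", "31,31,31,31"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings", "ProxyEnable", "0"),
    # constructed, not from the report:
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "SkinUpdate", r"C:\Users\x\AppData\Roaming\svc.exe"),
]

# Windows writes these keys itself whenever a process uses RAS/WinINet; the key name
# embeds the executable's file name, so they double as evidence of execution.
TRACING_KEY = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Tracing\\(?P<exe>.+)_(?:RASAPI32|RASMANCS)$", re.I)

# Prefix lists are this example's assumptions; extend them for your own environment.
PERSISTENCE_PREFIXES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SYSTEM\CurrentControlSet\Services",
)
OS_NOISE_PREFIXES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",
    r"HKCU\Software\Microsoft\Internet Explorer\International\CpMRU",
    r"HKCU\Software\Microsoft\Multimedia\DrawDib",
)
PROXY_VALUES = {"proxyenable", "proxyserver", "proxyoverride", "autoconfigurl"}


def _starts_with_any(key, prefixes):
    k = key.lower()
    return any(k.startswith(p.lower()) for p in prefixes)


def classify(key, name, data=None):
    """Bucket one registry write for triage."""
    if TRACING_KEY.match(key):
        return "execution-evidence"
    if _starts_with_any(key, PERSISTENCE_PREFIXES):
        return "persistence"
    # proxy/PAC changes under Internet Settings deserve a look: they can redirect traffic
    if key.lower().endswith(r"\internet settings") and name.lower() in PROXY_VALUES:
        return "proxy-config"
    if _starts_with_any(key, OS_NOISE_PREFIXES):
        return "os-noise"
    return "review"


def executed_program_names(events):
    """File names of programs that left RAS tracing keys behind (these survive file deletion)."""
    names = set()
    for key, _, _ in events:
        m = TRACING_KEY.match(key)
        if m:
            names.add(m.group("exe"))
    return sorted(names)


def triage(events):
    """Counts per bucket plus the events that deserve a human look."""
    buckets = Counter()
    notable = []
    for key, name, data in events:
        bucket = classify(key, name, data)
        buckets[bucket] += 1
        if bucket in ("persistence", "proxy-config", "review"):
            notable.append((bucket, key, name, data))
    return buckets, notable


if __name__ == "__main__":
    counts, notable = triage(SAMPLE_EVENTS)
    print("executed:", executed_program_names(SAMPLE_EVENTS))
    print(dict(counts))
    for item in notable:
        print(*item, sep=" | ")
```

On the events above, only the proxy write and the invented Run entry land in the notable list; everything the report actually recorded is either Windows noise or the execution-evidence Tracing key, which is the point of the caveat.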

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912 c:\SkinH_EL.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ????(????) v1.1
Product Version: 1.1.10.6
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.10.6
File Description: ???????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 531499 532480 4.53705 f60170d00c60fb69792a366f576f91e7
.rdata 536576 950624 954368 5.39818 e19103ae201afbd3748829c49313511e
.data 1490944 247498 65536 3.54406 f1966f08d09d59e61d6375a7e6db6976
.rsrc 1740800 22804 24576 3.73558 a249c7f547ae594640bbce1523b84375
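The report says "Entropy: Packed" and PEiD matches UPolyX and Armadillo, yet the per-section entropies above (4.5 to 5.4 bits per byte) are what ordinary compiled code and data look like, not compressed or encrypted content, and the only size anomaly is a .data section whose virtual size exceeds its raw size, which is normally just uninitialised globals. The following added example (not code from the report or the sandbox) applies the usual packer heuristics to the section table; the thresholds are this example's assumptions, and the UPX-style table is constructed for contrast. The UPX0/UPX1 names that do appear on this page are in the 0x10001000 memory region dumped further down, which looks like a loaded DLL image rather than the main executable.

```python
import math
from collections import Counter

# Section table copied from the report above (virtual size, raw size and the entropy
# figure the sandbox reported); nothing here is recomputed from the binary itself.
REPORTED_SECTIONS = [
    {"name": ".text",  "vsize": 531499, "rsize": 532480, "entropy": 4.53705},
    {"name": ".rdata", "vsize": 950624, "rsize": 954368, "entropy": 5.39818},
    {"name": ".data",  "vsize": 247498, "rsize": 65536,  "entropy": 3.54406},
    {"name": ".rsrc",  "vsize": 22804,  "rsize": 24576,  "entropy": 3.73558},
]

# Constructed, not from the report: a UPX-style layout for contrast.
UPX_STYLE_SECTIONS = [
    {"name": "UPX0", "vsize": 0x30000, "rsize": 0,      "entropy": 0.0},
    {"name": "UPX1", "vsize": 0x9000,  "rsize": 0x9000, "entropy": 7.9},
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(sections, high_entropy=7.0, size_gap=2.0):
    """Return (section, reason, strength) triples for sections that look packed.

    Thresholds are this example's assumptions, not the sandbox's rules:
      * entropy >= high_entropy  -> compressed or encrypted content (strong)
      * raw size == 0            -> filled in at run time, the typical unpack target (strong)
      * vsize/rsize >= size_gap  -> mostly zero on disk; for .data this is usually just
                                    uninitialised globals, so it only counts as weak
    """
    hits = []
    for s in sections:
        if s["entropy"] >= high_entropy:
            hits.append((s["name"], "high entropy", "strong"))
        if s["rsize"] == 0:
            hits.append((s["name"], "zero raw size", "strong"))
        elif s["vsize"] / s["rsize"] >= size_gap:
            ratio = s["vsize"] / s["rsize"]
            strength = "weak" if s["name"] == ".data" else "strong"
            hits.append((s["name"], f"virtual size {ratio:.1f}x raw size", strength))
    return hits


def looks_packed(sections) -> bool:
    """True only when at least one strong indicator is present."""
    return any(strength == "strong" for _, _, strength in packer_indicators(sections))


if __name__ == "__main__":
    # Entropy reference points: zeros, plain ASCII text, and a uniform byte distribution.
    print("zeros   ", round(shannon_entropy(b"\x00" * 4096), 3))
    print("ascii   ", round(shannon_entropy(b"The quick brown fox jumps over the lazy dog. " * 100), 3))
    print("uniform ", round(shannon_entropy(bytes(range(256)) * 16), 3))
    for label, table in (("reported", REPORTED_SECTIONS), ("upx-style", UPX_STYLE_SECTIONS)):
        print(label, looks_packed(table), packer_indicators(table))
```

Run against the reported table the only hit is the weak .data size gap, so by these heuristics the main executable is not packed; a signature scanner's "Armadillo" or "UPolyX" match on its own is not evidence either way.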

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://im2.n.shifen.com/ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4
hxxp://im2.n.shifen.com/search/error.html
hxxp://im2.n.shifen.com/search/img/logo.gif
hxxp://im.baidu.com/search/img/logo.gif 123.125.114.169
hxxp://hi.baidu.com/ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4 123.125.114.169
hxxp://im.baidu.com/search/error.html 123.125.114.169

The first URL is an item page on hi.baidu.com (Baidu Space, Baidu's blog service, closed in 2015). It is requested twice: once with the User-Agent hard-coded in the binary and once, apparently through the embedded WebBrowser control, with the host's own Internet Explorer User-Agent and Accept-Language headers. The server answers 302 to a generic error page, whose logo the browser control then fetches. Fetching a blog post to read a C2 address or configuration out of it is a common dead-drop pattern, and with the page gone the sample never got past this step, so the behaviour recorded in this report is probably incomplete. The process dump also contains URLs that were not contacted: hXXp://VVV.huoyan.tv/api.php, hXXp://yunbofang.400gb.com/, and a set of installer downloads (QXDownloader, QYDownloader, 5see, wowo, lingxiu and others) whose file names all end in 11497 and whose paths include tuiguang ("promotion") and partner_new, which reads as an affiliate ID for pay-per-install bundling.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

The alert fires on the User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", which is hard-coded in the binary (it appears verbatim in the process dump) and claims Windows 2000 while the traffic came from a Windows 7 host. A User-Agent that does not match the sending OS is a cheap network indicator for this sample.
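The alert above keys on nothing more than the User-Agent string, and the same check is easy to run over a capture yourself. Below is an added example (not code from the report or from the ET ruleset) that parses a text dump of HTTP requests, built here from the requests in the Traffic section, and flags any User-Agent whose claimed Windows NT version is out of support or does not match the NT version of the host that sent it. The list of unsupported versions and the 6.1 host default are this example's assumptions, and it generalises the page's single NT 5.0 case to the sibling versions ET also carries rules for.

```python
import re

# Request header blocks constructed from the Traffic section of this report
# (sample input for the example; the real capture also carries the responses).
SAMPLE_REQUESTS = """\
GET /ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: hi.baidu.com
Cache-Control: no-cache

GET /search/error.html HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2)
Host: im.baidu.com
Connection: Keep-Alive

GET /search/img/logo.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: im.baidu.com
Cache-Control: no-cache
"""

# Windows NT versions that were out of support by the time of this report (2017).
# The page's alert covers NT 5.0 only; the others are this example's generalisation.
UNSUPPORTED_NT = {"4.0": "Windows NT 4.0", "5.0": "Windows 2000",
                  "5.1": "Windows XP", "5.2": "Windows Server 2003"}
NT_VERSION = re.compile(r"Windows NT (\d+\.\d+)")


def parse_requests(text):
    """Split a text dump of HTTP requests into dicts of request line plus lower-cased headers."""
    requests = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        method, path, version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"method": method, "path": path, "version": version, "headers": headers})
    return requests


def flag_user_agents(requests, host_nt="6.1"):
    """Return (host, path, user-agent, reason) for requests whose UA claims an NT version
    that is unsupported or that differs from the OS the traffic actually came from.

    host_nt is the NT version of the analysis host (Windows 7 = 6.1 for this report).
    """
    hits = []
    for r in requests:
        ua = r["headers"].get("user-agent", "")
        m = NT_VERSION.search(ua)
        if not m:
            continue
        claimed = m.group(1)
        reasons = []
        if claimed in UNSUPPORTED_NT:
            reasons.append(f"claims unsupported {UNSUPPORTED_NT[claimed]}")
        if claimed != host_nt:
            reasons.append(f"does not match host NT {host_nt}")
        if reasons:
            hits.append((r["headers"].get("host", ""), r["path"], ua, "; ".join(reasons)))
    return hits


def hosts_contacted(requests):
    """Distinct Host header values, for the IOC list."""
    return sorted({r["headers"].get("host", "") for r in requests})


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_REQUESTS)
    print("hosts:", hosts_contacted(reqs))
    for host, path, ua, reason in flag_user_agents(reqs):
        print(f"{host}{path}\n  UA: {ua}\n  {reason}")
```

The two requests carrying the binary's hard-coded User-Agent are flagged for both reasons; the one sent with the host's own Internet Explorer string passes, which is exactly the split between the sample's own HTTP code and the embedded browser control seen in the Traffic section.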

Traffic

GET /ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: hi.baidu.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Date: Thu, 16 Mar 2017 23:30:25 GMT
Server: Apache
Location: hXXp://im.baidu.com/search/error.html
Content-Length: 221
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://im.baidu.com/search/error.html">here</a>.</p>
</body></html>


GET /ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: hi.baidu.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Thu, 16 Mar 2017 23:30:22 GMT
Server: Apache
Location: hXXp://im.baidu.com/search/error.html
Content-Length: 221
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://im.baidu.com/search/error.html">here</a>.</p>
</body></html>


GET /search/error.html HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: im.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 16 Mar 2017 23:30:26 GMT
Server: Apache
Last-Modified: Mon, 07 Dec 2015 10:58:52 GMT
ETag: "a92"
Accept-Ranges: bytes
Content-Length: 2706
Connection: Keep-Alive
Content-Type: text/html
(runs of dots below are gb2312 characters the sandbox did not render)
<html>
<head>
<title>....--..............</title>
<META http-equiv=content-type content="text/html; charset=gb2312">
<META content="MSHTML 6.00.2462.0" name=GENERATOR></HEAD>
</head>
<style type="text/css">
.p1 {FONT-SIZE: 14px; LINE-HEIGHT: 24px; FONT-FAMILY: "...."}
.f12 {FONT-SIZE: 12px; LINE-HEIGHT: 20px}
.p2 {FONT-SIZE: 14px; LINE-HEIGHT: 24px; color: #333333}
</style>
<body text=#000000 vLink=#0033cc aLink=#800080 link=#0033cc bgColor=#ffffff topMargin=0>
<center>
<table width=650 border=0 align="center">
 <tr height=60>
  <td width=139 valign="top" height="66"><a href="hXXps://VVV.baidu.com"><img src="img/logo.gif" border="0"></a></td>
  <td valign="bottom" width="100%">
   <table width="100%" border="0" cellpadding="0" cellspacing="0">
    <tr bgcolor="#e5ecf9">
     <td height="24"> <b class="p1">..............</b></td>
     <td height="24" class="p2">
      <div align="right"><a href="hXXps://VVV.baidu.com">........</a>  </div>
     </td>
    </tr>
    <tr>
     <td height="20" class="p2" colspan="2"></td>
    </tr>
   </table></td>
 </tr>
</table>
<br>
<table width=650 border=0 align="center" cellpadding=8 cellspacing=0>
 <tr>
  <td align=center><div align="left"

<<< skipped >>>

GET /search/error.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: im.baidu.com
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 16 Mar 2017 23:30:25 GMT
Server: Apache
Last-Modified: Mon, 07 Dec 2015 10:58:51 GMT
ETag: "a92"
Accept-Ranges: bytes
Content-Length: 2706
Connection: Keep-Alive
Content-Type: text/html
(runs of dots below are gb2312 characters the sandbox did not render)
<html>
<head>
<title>....--..............</title>
<META http-equiv=content-type content="text/html; charset=gb2312">
<META content="MSHTML 6.00.2462.0" name=GENERATOR></HEAD>
</head>
<style type="text/css">
.p1 {FONT-SIZE: 14px; LINE-HEIGHT: 24px; FONT-FAMILY: "...."}
.f12 {FONT-SIZE: 12px; LINE-HEIGHT: 20px}
.p2 {FONT-SIZE: 14px; LINE-HEIGHT: 24px; color: #333333}
</style>
<body text=#000000 vLink=#0033cc aLink=#800080 link=#0033cc bgColor=#ffffff topMargin=0>
<center>
<table width=650 border=0 align="center">
 <tr height=60>
  <td width=139 valign="top" height="66"><a href="hXXps://VVV.baidu.com"><img src="img/logo.gif" border="0"></a></td>
  <td valign="bottom" width="100%">
   <table width="100%" border="0" cellpadding="0" cellspacing="0">
    <tr bgcolor="#e5ecf9">
     <td height="24"> <b class="p1">..............</b></td>
     <td height="24" class="p2">
      <div align="right"><a href="hXXps://VVV.baidu.com">........</a>  </div>
     </td>
    </tr>
    <tr>
     <td height="20" class="p2" colspan="2"></td>
    </tr>
   </table></td>
 </tr>
</table>
<br>
<table width=650 border=0 align="center" cellpadding=8 cellspacing=0>
 <tr>
  <td align=center><div align="left"

<<< skipped >>>

GET /search/img/logo.gif HTTP/1.1
Accept: */*
Referer: hXXp://im.baidu.com/search/error.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: im.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 16 Mar 2017 23:30:26 GMT
Server: Apache
Last-Modified: Mon, 08 Sep 2008 08:16:39 GMT
ETag: "671"
Accept-Ranges: bytes
Content-Length: 1649
Connection: Keep-Alive
Content-Type: image/gif
(GIF89a image, 1649 bytes of binary body not shown)

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

Strings from dumps

%original file name%.exe_1792:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
Bv.SCv=kAv
SkinH_EL.dll
kernel32.dll
user32.dll
UnregisterHotKey
RegisterHotKey
EnumWindows
SetWindowsHookExA
WebBrowser
hXXp://VVV.huoyan.tv/api.php#!u=
hXXp://yunbofang.400gb.com/
hXXp://hi.baidu.com/ehzbwvfkfbbcfid/item/48866a1867ae7b29d0d66dc4
fJ.WM_
CX%xm
Õ6m*
n.BjCw
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
.WE= T!N
#?%s(C(
u.Jck~
zx/%FN[
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY 
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}<
({?.cQm
.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh
.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
b\SkinH_EL.dll
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
hXXp://down.qixiu98.com:83/QXDownloader_1999_11497.exe
hXXp://down.qiyue98.net:83/tuiguang/QYDownloader_1991_5511497.exe
hXXp://VVV.iphone5tuan.com/ffdy_110_11497.exe
hXXp://d.7wgame.com/5see/5see_ta05_11497.exe
hXXp://software.wowo98.com.cn/partner_new/wowo_21_11497_pure.exe
hXXp://1413535245.huajianzhanlan.com/ndl.aspx?uid=9095&sid=11497&tid=3
A@hXXp://down2.videospeedy.com/5126setup_74_11497.exe
hXXp://software.lingxiu98.com.cn/partner_new/lingxiu_37_11497.exe
VVV.baidu.com
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
RASAPI32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%d%d%d
rundll32.exe shell32.dll,
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
VVV.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
(*.*)
1.1.10.6
(hXXp://VVV.eyuyan.com)

%original file name%.exe_1792_rwx_10001000_00039000:

(RWX region at 0x10001000, 0x39000 bytes. The UPX0/UPX1/.reloc section names and the \skinh.she string in this dump point to the loaded image of the dropped SkinH_EL.dll, a UPX-packed UI skinning library, rather than to the main executable; 0x10000000 is the default image base for DLLs.)

L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
%fm$'N
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): the sample spawned no child processes, so end its own process (%original file name%.exe, PID 1792 in the analysis run) if it is still running.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\error[1].htm (801 bytes)
    C:\SkinH_EL.dll (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\logo[1].gif (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017031720170318\index.dat (16 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
