Trojan-PSW.Win32.Zbot.4_3ac689ccd6

by malwarelabrobot on September 26th, 2013 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan-PSW.Win32.Zbot.4.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 3ac689ccd696a796dc3baf37677c80d2
SHA1: 744a3acea41768925a613002ead2d9860937906c
SHA256: ff0061d72ff7f6ba2858e2c6e2e5f6a5b751e506cee44f3d9fdcfba29d68f818
SSDeep: 6144:Xe8tgWdcbBWt/TFXxTluk5kYcG8uOoZ9G8xDsaWfwqAZ uAWJYN4x:AWdcbBQFXxTlhkfG8K9GyDs7wzsu9YN
Size: 310272 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2006-04-18 12:18:53


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan-PSW creates the following process(es):

3ac689ccd696a796dc3baf37677c80d2.exe:444
afreyc.exe:1320

The Trojan-PSW injects its code into the following process(es):

sl243.exe:368

File activity

The process sl243.exe:368 makes changes to the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\bocr[1].htm (14 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\09UF8HUN\solutioncorp[1].htm (1991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\automa[1].htm (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\ricated[1].htm (255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\09UF8HUN\altonhousehotel[1].htm (687 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[2].txt (310 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXMNG9M7\photoclubs[1].htm (418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\robertmcintyre.com[1].htm (26 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (749 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@re-wakefield.co[1].txt (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXMNG9M7\structives[1].htm (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXMNG9M7\gjk.com[1].htm (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\hinnenwiese[1].htm (27 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@empordalia[1].txt (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\trenpalau[1].htm (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@robertmcintyre.com[2].txt (374 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@empordalia[2].txt (326 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@4pipp[1].txt (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXMNG9M7\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\thedonaldsongroup[1].htm (9 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (1102 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (325 bytes)
%Documents and Settings%\%current user%\dulbalongals.exe (48 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\shipeliteexpress[1].htm (16 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@chocolatecovers[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@robertmcintyre.com[1].txt (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\easygen[1].htm (13 bytes)

The Trojan-PSW deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\bocr[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\easygen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXMNG9M7\structives[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\hinnenwiese[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@empordalia[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\automa[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\ricated[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\trenpalau[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXMNG9M7\gjk.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@robertmcintyre.com[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\robertmcintyre.com[1].htm (0 bytes)

The process 3ac689ccd696a796dc3baf37677c80d2.exe:444 makes changes to the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HOMF68.bat (172 bytes)
%Documents and Settings%\%current user%\Application Data\Ojce\afreyc.exe (1735 bytes)

The process afreyc.exe:1320 makes changes to the file system.
The Trojan-PSW creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT.LOG (7080 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5660 bytes)

Registry activity

The process sl243.exe:368 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"3092446134" = "DD 07 09 00 03 00 19 00 0B 00 08 00 1D 00 58 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"dulbalongalszap" = "F3 58 30 08 DF B7 8F DA B2 8A 62 3A 12 E9 C1 99"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"AppManagement" = "E5 4A 22 F9 D1 A9 81 CC A4 7C 54 2C 04 DB B3 FE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 3D D8 5A F7 A7 FC 72 CE 53 98 12 A5 58 F4 32"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-PSW modifies the IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-PSW modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To run itself automatically each time Windows boots, the Trojan-PSW adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dulbalongals" = "%Documents and Settings%\%current user%\dulbalongals.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-PSW modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-PSW deletes the following value(s) from the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process 3ac689ccd696a796dc3baf37677c80d2.exe:444 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 B2 65 93 9B E7 55 68 23 89 5B 08 12 17 B7 52"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process afreyc.exe:1320 makes changes to the system registry.
The Trojan-PSW creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 89 F1 94 D8 DA C9 00 FA E6 CA 8F D9 DB 0E 07"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Niewinucamji]
"2a299953" = "69 92 36 C4 86 56 DE 93 56 6D 4B E6 50 E0 15 31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Network activity (URLs)

URL / host                                  IP address
hxxp://ftp.brickwallmgmt.com/sl243.exe 64.78.30.79
hxxp://screaminpeach.com/ 108.162.203.235
hxxp://solutioncorp.com/ 66.111.53.120
hxxp://mastergrp-spb.ru/ 188.127.245.119
hxxp://golfpark-moossee.ch/ 199.83.130.50
hxxp://chocolatecovers.com/ 190.93.240.98
hxxp://automa.it/ 62.149.203.92
hxxp://goodvaluecenter.com/ 108.162.202.140
hxxp://nuritech.com/ 210.183.236.113
hxxp://brookfarm.com.au/ 116.251.204.207
hxxp://fraser-high.school.nz/ 210.48.67.144
hxxp://pixemia.com/ 91.146.97.34
hxxp://mattiussiecologia.com/ 62.149.232.215
hxxp://bocr.cz/ 217.198.115.41
hxxp://austriansurfing.at/ 85.13.136.86
hxxp://bocr.cz/bocr
hxxp://d4drmedia.com/ 208.70.247.105
hxxp://4pipp.com/ 141.101.116.69
hxxp://bocr.cz/bocr/
hxxp://ricated.com/ 144.76.86.115
hxxp://easygen.com/ 212.84.79.16
hxxp://re-wakefield.co.uk/ 141.101.116.86
hxxp://robertmcintyre.com.au/ 199.73.58.66
hxxp://tessera.co.jp/ 202.212.212.209
hxxp://telenavis.com/ 80.245.173.163
hxxp://thedonaldsongroup.com/ 64.120.153.69
hxxp://hinnenwiese.de/ 178.254.62.133
hxxp://kamaruka.vic.edu.au/ 64.37.52.162
hxxp://digpro.se/ 89.221.250.12
hxxp://fabianonline.de/ 88.198.7.211
hxxp://empordalia.com/ 87.98.231.3
hxxp://yamamoto-sr.com/ 211.13.204.89
hxxp://fruitspot.co.za/ 41.203.18.186
hxxp://shipeliteexpress.com/ 67.59.133.211
hxxp://stepnet.de/ 91.250.116.6
hxxp://biurimex.pl/ 89.161.181.123
hxxp://tavdi.com/ 65.98.59.242
hxxp://padstow.com/ 62.233.107.131
hxxp://youjoomla.com/ 69.65.11.200
hxxp://upsilon89.com/ 151.236.48.69
hxxp://gjk.com.pl/ 193.239.44.106
hxxp://sigmametalsinc.com/ 208.113.149.173
hxxp://thesergery.com/ 202.47.95.44
hxxp://www.sigmaaero.com/ 208.113.225.142
hxxp://structives.org/ 70.32.113.95
hxxp://agence-des-druides.com/ 91.121.36.162
hxxp://buzzkillmedia.com/ 173.201.140.128
hxxp://sspackaginggroup.com/ 182.50.130.117
hxxp://perc.ca/ 69.89.31.118
hxxp://pbna.com/ 93.186.180.72
hxxp://leadershipforum.us/ 66.39.30.185
hxxp://kafrit.com/ 62.219.2.230
hxxp://theautospas.com/ 70.32.102.108
hxxp://photoclubs.com/ 209.50.251.101
hxxp://rea-soft.ru/ 185.12.94.222
hxxp://graceweb.net/ 208.97.174.44
hxxp://ctr4process.org/ 184.105.139.141
hxxp://altonhousehotel.com/ 5.159.228.226
chilledweb.com 198.57.227.105
cairoglass.com 198.1.71.63
mylee.com 198.1.110.144
aciuba.com.br 189.44.227.243
in1.smtp.messagingengine.com 66.111.4.73
www.photoclubs.com 209.50.251.101
celebikalip.com.tr 212.58.6.80
camping-perigord.com 91.121.52.174
combine.or.id 202.162.33.14
vitalur.by 178.124.130.199
workingforums.com 184.107.173.242
asrr.com.au 182.160.157.154
mxs.mail.ru 94.100.176.20
ssb.be 85.24.159.4
orion-networks.net 127.0.0.1
tenpole.com 127.0.0.1
www.screaminpeach.com 108.162.204.235
smtp.mail.yahoo.com 98.138.105.21
imagerestoration.com 199.85.212.214
ilance.net 69.72.172.93
terregada.net 178.33.11.128
areafor.com 185.2.130.31
gmail-smtp-in.l.google.com 74.125.142.27
intema-plastics.com 198.20.255.146
alt4.gmail-smtp-in.l.google.com 74.125.136.27
playtime.co.uk 91.109.15.117
trianglepc.org 192.185.20.96
arckepesajandek.hu 127.0.0.1
metrorealtorspc.com 174.143.44.46
hakkouhanbai.com 112.78.112.186
ko-minka.com 211.13.204.46
acmepacificrepairs.com 69.198.129.78
konishi-hp.com 122.219.254.148
shbrazil.com 50.23.134.43
lordproteus.org.ua 144.76.122.154
sarahdavid.com 67.225.229.185
parksandco.com 173.237.137.195
istanbullines.com 212.58.23.83
interimmarketing.nl 212.78.187.184
ism-z.com 49.212.57.56
hartmultimedia.com 196.209.216.192
a-print.net 124.217.198.105
www.solutioncorp.com 66.111.53.120
avisloans.com 72.232.240.218
rkcontrols.com 192.145.234.158
aofkampus.com 46.235.9.48
doctsf.com 213.186.33.17
os.com.ua 194.33.15.3
tpms.pl 195.242.92.3
allthelink.com 216.224.169.126
isle-karnataka.org 127.0.0.1
internationalmarble.com 206.212.241.226
trenpalau.com 217.149.1.49
ozarkimaging.com 50.63.202.32
mail7.digitalwaves.co.nz 127.0.0.1
smtp.live.com 65.55.96.11
kotobuki1965.com Unresolvable
debtrescueusa.com Unresolvable
mfha.org.uk Unresolvable


Rootkit activity

The Trojan-PSW installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan-PSW installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan-PSW installs the following user-mode hooks in Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan-PSW installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    3ac689ccd696a796dc3baf37677c80d2.exe:444
    afreyc.exe:1320

  3. Delete the original Trojan-PSW file.
  4. Delete or disinfect the following files created/modified by the Trojan-PSW:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\bocr[1].htm (14 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (233 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\09UF8HUN\solutioncorp[1].htm (1991 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\automa[1].htm (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\ricated[1].htm (255 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\09UF8HUN\altonhousehotel[1].htm (687 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@doctsf[2].txt (310 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@goodvaluecenter[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXMNG9M7\photoclubs[1].htm (418 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\robertmcintyre.com[1].htm (26 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (749 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@re-wakefield.co[1].txt (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXMNG9M7\structives[1].htm (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXMNG9M7\gjk.com[1].htm (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\hinnenwiese[1].htm (27 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@empordalia[1].txt (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\trenpalau[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@robertmcintyre.com[2].txt (374 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@empordalia[2].txt (326 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@4pipp[1].txt (217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WXMNG9M7\fraser-high.school[1].htm (759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\thedonaldsongroup[1].htm (9 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[1].txt (1102 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@shipeliteexpress[2].txt (325 bytes)
    %Documents and Settings%\%current user%\dulbalongals.exe (48 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (14456 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CDAF05A7\shipeliteexpress[1].htm (16 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@chocolatecovers[1].txt (237 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@robertmcintyre.com[1].txt (217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KTITGX01\easygen[1].htm (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HOMF68.bat (172 bytes)
    %Documents and Settings%\%current user%\Application Data\Ojce\afreyc.exe (1735 bytes)
    %Documents and Settings%\%current user%\NTUSER.DAT.LOG (7080 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "dulbalongals" = "%Documents and Settings%\%current user%\dulbalongals.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.