Tracking down malware infection | Joachim De Zutter
Infected Computer #1

Infected machine was located in Bulgaria.

Anti-debugger techniques were used.

Fake antivirus installer malware:
C:\Documents and Settings\User\Local Settings\Temp\packupdate107_2121[1].exe
Identification (AVG): @EID_Id_trj|%name%=PSW.Ldpinch.ACWB|%idn%=0b28da4728866000|
Filesize: 220160
MD5: 3708ad30afcc667fba0ef52a2ba6bf04
SHA1: 9865b42a446be5f513ff97217408c855a64e3203
SHA256: 588679bf437f5237d5a489df3698666631f5d9fddd39f9adcb52c4e26d61c9fd

C:\Documents and Settings\User\winuteka.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039459.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BKFR|%idn%=0b367dd99d353000|
Filesize: 118827
MD5: a1172cda513cad657ea89e7773c21c1f
SHA1: 89d0303c880419f152bdd8758822e26fc80202c0
SHA256: aa2b3c5b54725c10324b9af3cc52b12081bf4cf7238595fb941fed2b28611bc2
Tries to establish a TCP connection on port 80 with 91.195.118.56 (totalin.reverse.net)

C:\Documents and Settings\User\Local Settings\Temp\5it30wn3d.exe
C:\Documents and Settings\User\5it30wn3d.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039442.exe
Identification (AVG): @EID_Id_trj|%name%=Dropper.Generic2.PYF|%idn%=0b2ad9f76674e000|
Filesize: 53803
MD5: 4e2b14c1278ee7ea88e4ce999509299c
SHA1: 3f5ba0242a272c2a8781676a89621662c13e5f25
SHA256: 7fa18228c30c0b711d00b5a22e7dedbeee3c30c238d4bd2d6975e507c311e662
Tries to establish a TCP connection on port 80 with 91.195.118.56 (totalin.reverse.net)

C:\Documents and Settings\User\fanny3a.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039445.exe
Identification (AVG): @EID_Id_trj|%name%=Dropper.Generic2.GXN|%idn%=0b2ad9f76674e000|
Filesize: 184364
MD5: 230619b40629fe00ac146ec7c259c731
SHA1: f61bcce49f11d7a6ad61890d99b084e868164330
SHA256: e8d439adfc61e09c46df8ae573beedec7fae1b15db7be7744a05ec8aa989ce88
Tries to establish a TCP connection on port 80 with 91.195.118.56 (totalin.reverse.net)

C:\Documents and Settings\User\kakotitomeni.exe
C:\Documents and Settings\User\kba93a.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039447.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039448.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BOVG|%idn%=0b367dd99d353000|
Filesize: 151597
MD5: 576f31a803cf44b92d0b15b83b530cd2
SHA1: b8256bcf55495a58a20be3f01ef65b5654538914
SHA256: 1e69ac015fa198f39506d647527ee1f6f5e0d63fe77804e6b1effdfddf670aea
Tries to establish a TCP connection on port 80 with 91.195.118.56 (totalin.reverse.net)

C:\Documents and Settings\User\reg3n.exe
C:\Documents and Settings\User\rr4asti.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039454.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039455.exe
Identification (AVG): @EID_Id_pgm|%name%=Dialer.TFH|%idn%=065cd9c85991d000|
Filesize: 200748
MD5: 61151bafab368ec9038e60bb29fa779f
SHA1: b3d5cd6afb884d964bc2a7217edc5918a2e68a5a
SHA256: 4ffaabc7d8a01403368e15fe67d0359df86452e53c02219a75f16d360615c8e2
Tries to establish a TCP connection on port 80 with 91.195.118.56 (totalin.reverse.net)
http://www.utrace.de/?query=91.195.118.56
Totalin Communication Systems VOF, Zoetermeer (The Netherlands)

C:\Documents and Settings\User\Local Settings\Temp\Al5.exe
C:\Documents and Settings\User\Local Settings\Temp\Al8.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.UBH|%idn%=0ad999c6a7c0f000|
Filesize: 236544
MD5: 53c99b0859da079a03877ce942aceb9d
SHA1: 5cc2b5411c65640f35c8ff11385c2f82a9bc4351
SHA256: d18b06971c988f44f34f523e493f33bfe4a2bba8f31196c9b09c0f2841a2b70f
The 16 bytes at 0x3927a start with 02 62 02 f7 ...
When the 16 bytes at 0x3927a are set to 00 the checksums of the file are:
MD5: 3071f129c3ff7aba025408629a677dc5
SHA1: 77eb43729d9f7d6d4dd4ac92e53b47133cbf86ca
SHA256: ad66095944521cbb7c62500c9fd7170ef6a4ff3dbbe4f3f177ec86081aeca65e
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 195584
MD5: a8f1c9488e8e90bcd509c69fb85e21b8
SHA1: b5d35698c52c8af61392134dcee665f9b8917289
SHA256: 666e8b2c790245cc01418224a8d22ef8d45c6bd5961ab343e6ebbebb08c9b922
The file differs at every creation in its last 32 bytes, e.g.:
2C BE 00 00 80 at 0x2FBF7
...
The checksums of the first 195552 bytes of the file are:
MD5: 57b772f234f5521071a6dc2743e607ce
SHA1: 34f159889e1ee143ccc13ea81fa40f0008f9883a
SHA256: 2695dd10f849ad0de302838209a775342d65a2961af4e5f22efee8c8b831b3a6
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 5b51dff7f5995ca2dad699e45a002d20
SHA1: 80902e1520fff7b7e088eaa61c1696d6f8de6054
SHA256: d692a04199b8604c4b7b9ad90a0da857a95a838cb4b7c5dc6c30df9674378d94
Installs the service SSHNAS to be executed automatically at Windows startup
Uses rundll32.exe to execute code from sshnas21.dll
Every 15 minutes, a DNS request was made for yourgot.com, which resolved to 208.73.210.29, and an HTTP POST carrying base64-encoded data was sent to TCP port 80 of 208.73.210.29.
http://www.utrace.de/?query=208.73.210.29
Provider: Oversee.net
Region: Los Angeles (United States)

The service performs DNS queries for safarel.com and soilness.com every 15 minutes.
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...
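The comparison done by hand above (zeroing the 16 varying bytes at 0x3927a, or hashing sshnas21.dll without its 32 varying tail bytes, to get one checksum per family) as an added Python example; this is not code from the original notes, and every sample byte string in it is constructed rather than taken from the real files (only the sizes and offsets come from the notes):

```python
"""Normalized checksums for polymorphic samples.

Added example, not part of the original analysis. The SHeur3.UBH droppers
differ only in 16 bytes at offset 0x3927a, and sshnas21.dll differs only in
its last 32 bytes, so zeroing the varying region (or hashing only the stable
prefix) yields one checksum per family that can be matched on other hosts.
All sample bytes below are constructed; they are not the real files.
"""
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Checksums:
    md5: str
    sha1: str
    sha256: str


def checksums(data: bytes) -> Checksums:
    """MD5/SHA1/SHA256 of data, in the form the notes list them."""
    return Checksums(
        hashlib.md5(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    )


def zero_region(data: bytes, offset: int, length: int) -> bytes:
    """Copy of data with bytes [offset, offset+length) replaced by 0x00.

    A region that is not fully inside the file is rejected: clamping it
    silently would let unrelated files collide on the normalized hash.
    """
    if offset < 0 or length < 0 or offset + length > len(data):
        raise ValueError(f"region {offset:#x}+{length} outside {len(data)}-byte file")
    return data[:offset] + b"\x00" * length + data[offset + length:]


def normalized_checksums(data: bytes, offset: int, length: int) -> Checksums:
    """Checksums of the file with the varying region zeroed
    (the 'set to 00' values in the notes)."""
    return checksums(zero_region(data, offset, length))


def prefix_checksums(data: bytes, n: int) -> Checksums:
    """Checksums of the first n bytes (the 'first 195552 bytes' values)."""
    if n > len(data):
        raise ValueError("prefix longer than file")
    return checksums(data[:n])


def same_family(a: bytes, b: bytes, offset: int, length: int) -> bool:
    """True when a and b have equal size and are byte-identical outside
    [offset, offset+length), as all variants of one family in the notes are."""
    if len(a) != len(b):
        return False
    return normalized_checksums(a, offset, length) == normalized_checksums(b, offset, length)


# Sizes and offsets from the notes; the blobs themselves are constructed.
DROPPER_SIZE, DROPPER_OFFSET, DROPPER_LEN = 236544, 0x3927A, 16
DLL_SIZE, DLL_TAIL_LEN = 195584, 32


def constructed_variants(size: int, offset: int, length: int, seed: int = 7):
    """Two constructed blobs that differ only in `length` bytes at `offset`."""
    rng = random.Random(seed)
    base = bytes(rng.getrandbits(8) for _ in range(size))
    patch_a = bytes(rng.getrandbits(8) for _ in range(length))
    patch_b = bytes(x ^ 0xFF for x in patch_a)  # differs in every byte
    a = base[:offset] + patch_a + base[offset + length:]
    b = base[:offset] + patch_b + base[offset + length:]
    return a, b


if __name__ == "__main__":
    a, b = constructed_variants(DROPPER_SIZE, DROPPER_OFFSET, DROPPER_LEN)
    print("raw MD5s differ:", checksums(a).md5 != checksums(b).md5)
    print("normalized MD5 :", normalized_checksums(a, DROPPER_OFFSET, DROPPER_LEN).md5)
    c, d = constructed_variants(DLL_SIZE, DLL_SIZE - DLL_TAIL_LEN, DLL_TAIL_LEN)
    stable = DLL_SIZE - DLL_TAIL_LEN
    print("prefix SHA256 equal:", prefix_checksums(c, stable) == prefix_checksums(d, stable))
```

Running it on real samples means reading each file in binary mode and passing the bytes to `same_family` or `normalized_checksums` with the offset and length the analysis established for that family.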

C:\Documents and Settings\User\Local Settings\Temp\Al9.exe
C:\Documents and Settings\User\Local Settings\Temp\Amd.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.UBH|%idn%=0ad999c6a7c0f000|
Filesize: 236544
MD5: 05b6e28e49741c58315d28ad8b819c71
SHA1: b2d026a8d3122594192a3d1a1066c21b2ae0f4d1
SHA256: 3083f1e54ffcf91e52c6634717c783e2a5108e70fc34b8dac89057d5b468ef8e
The 16 bytes at 0x3927a start with ba 3f 6e 16 ...
When the 16 bytes at 0x3927a are set to 00 the checksums of the file are:
MD5: 3071f129c3ff7aba025408629a677dc5
SHA1: 77eb43729d9f7d6d4dd4ac92e53b47133cbf86ca
SHA256: ad66095944521cbb7c62500c9fd7170ef6a4ff3dbbe4f3f177ec86081aeca65e

C:\Documents and Settings\User\Local Settings\Temp\Amg.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.UBH|%idn%=0ad999c6a7c0f000|
Filesize: 236544
MD5: 70d29e728a1cddaab90202b4de6f7dd5
SHA1: 4320aea68cef954a4c6ac3455208be7ec4c74067
SHA256: 137e3722306da0ca51ffac7883af5cabbfb979ce0e231840877fbd2aafaa92d8
The 16 bytes at 0x3927a start with 93 12 00 d7 ...
When the 16 bytes at 0x3927a are set to 00 the checksums of the file are:
MD5: 3071f129c3ff7aba025408629a677dc5
SHA1: 77eb43729d9f7d6d4dd4ac92e53b47133cbf86ca
SHA256: ad66095944521cbb7c62500c9fd7170ef6a4ff3dbbe4f3f177ec86081aeca65e

C:\Documents and Settings\User\Local Settings\Temp\Aml.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.UBH|%idn%=0ad999c6a7c0f000|
Filesize: 236544
MD5: 02e42df4df7bb365a0082a86168198c6
SHA1: 2d7e9d70a14145fd8477e9d52328745af83a8b80
SHA256: 195450bc71a3a41ef5c6038e0d4c94fcf8eed266ceb3762970f79f7cf498044d
The 16 bytes at 0x3927a start with bd 37 74 5b ...
When the 16 bytes at 0x3927a are set to 00 the checksums of the file are:
MD5: 3071f129c3ff7aba025408629a677dc5
SHA1: 77eb43729d9f7d6d4dd4ac92e53b47133cbf86ca
SHA256: ad66095944521cbb7c62500c9fd7170ef6a4ff3dbbe4f3f177ec86081aeca65e

C:\Documents and Settings\User\Local Settings\Temp\Amq.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.UBH|%idn%=0ad999c6a7c0f000|
Filesize: 236544
MD5: d16e97d81c7dc8435ef9a3467f9d2f07
SHA1: 099f605097531defa9bdf44017bfbf0f5f4dabe1
SHA256: 17d3f56fa1fb305b8989a8776ece880523de74d581385abaaabcd9913a9dc62d
The 16 bytes at 0x3927a start with a5 76 72 28 ...
When the 16 bytes at 0x3927a are set to 00 the checksums of the file are:
MD5: 3071f129c3ff7aba025408629a677dc5
SHA1: 77eb43729d9f7d6d4dd4ac92e53b47133cbf86ca
SHA256: ad66095944521cbb7c62500c9fd7170ef6a4ff3dbbe4f3f177ec86081aeca65e

C:\Documents and Settings\User\Local Settings\Temp\A2b.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: b28de56406791edd5e73498d10554024
SHA1: 4de5152b2a5d3427ac754e2b0ce4dc07bb8c1bea
SHA256: cd304a290472580fe4df4e40379ffb6110825f1baa98bfd8c9e7e5e3f1ee76c5
The 16 bytes at 0x4968 start with c5 c7 cc ee ...
When the 16 bytes at 0x4968 are set to 00 the checksums of the file are:
MD5: e45d5743030438c5e21a70249dc5a712
SHA1: aa9e4f98c165eda46a1b87313d7b97748896cdf1
SHA256: 58e808957467169e076600b2df3646444628d724bd71ea3df599509679c73c71
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
Performed an HTTP POST on TCP port 80 of 67.210.170.173 (67.210.170.173.static.tel-ott.com)
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
http://www.utrace.de/?query=67.210.170.173
Network Defence Intelligence Inc.
Provider: Telecom Ottawa Limited
Region: Ottawa (Canada)

C:\Documents and Settings\User\Local Settings\Temp\Az1.exe
C:\Documents and Settings\User\Local Settings\Temp\Az4.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: a5f3b3bd416b3ed9063d90ed3c96b7a2
SHA1: 002efbac29849363e3dcb44cca62bdd656abed58
SHA256: 4a0f7b89ebce8fe8762c17449246efa30e33ab1336b1c19b4e663363d5e6a926
The 16 bytes at 0x4968 start with 5b a3 43 6b ...
When the 16 bytes at 0x4968 are set to 00 the checksums of the file are:
MD5: e45d5743030438c5e21a70249dc5a712
SHA1: aa9e4f98c165eda46a1b87313d7b97748896cdf1
SHA256: 58e808957467169e076600b2df3646444628d724bd71ea3df599509679c73c71
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Az1.exe/Az4.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Az5.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: b479e7a1f03322bb45e86672d6029d80
SHA1: 1a89493787d3a285c37a0c6879f25a54288fe1fc
SHA256: f6a645e04b6b00be465f20f436f32f08f4a102080f4dd0603e8f3c80f8d5c008
The 16 bytes at 0x4968 start with 7b 96 ea 22 ...
When the 16 bytes at 0x4968 are set to 00 the checksums of the file are:
MD5: e45d5743030438c5e21a70249dc5a712
SHA1: aa9e4f98c165eda46a1b87313d7b97748896cdf1
SHA256: 58e808957467169e076600b2df3646444628d724bd71ea3df599509679c73c71
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Az5.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Az9.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: cbf0d33db846de316dd6427b8738654e
SHA1: 8285fcf037af80efd943511aa4e4a1ec936e50c9
SHA256: d0d6c2d9d67c1c0f3738cae101d91a2275eebd9c43b3c0ee84bb218d19637cfd
The 16 bytes at 0x4968 start with d5 eb 8e d3 ...
When the 16 bytes at 0x4968 are set to 00 the checksums of the file are:
MD5: e45d5743030438c5e21a70249dc5a712
SHA1: aa9e4f98c165eda46a1b87313d7b97748896cdf1
SHA256: 58e808957467169e076600b2df3646444628d724bd71ea3df599509679c73c71
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Az9.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Azz.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 55703ec1875b93be8c181aa68701c04b
SHA1: d1d37d1a2046eb9b0bec60620a3bdf6c0439baf3
SHA256: d9fdc7ae32fdc3b0418b1bc4fcd90209b5206bf87f6b927a0cf7d218a6d39e43
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Azz.exe]"

C:\Documents and Settings\User\Local Settings\Temp\A20.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.AAIQ|%idn%=0ad999c6a7c0f000|
Filesize: 169472
MD5: b267a05c3afbce9014db6159a11c76f6
SHA1: d14bfaf81ed7b421ec566fdc750bba4ec345c955
SHA256: 463a28cf5801987f3c6bf576b1d49d7784477108ceec37ea8b0fbdccd5224e7f
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...

C:\Documents and Settings\User\Local Settings\Temp\A3k.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BZY|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: e732bc40c48c452a14f012323267845b
SHA1: 4d5c1ed0da7228d8206634d3c592d7c73ab79c05
SHA256: ca40cc1a7d74171ba676b928a9e07cd87949e371f2a461054be651b43feece5c
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of A3k.exe]"

C:\Documents and Settings\User\sdak3a.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039456.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BUOA|%idn%=0b1cd9f766755000|
Filesize: 55297
MD5: 514bf9c1ea5276510189afb3217225e1
SHA1: 1520005644654a42ca3b876569096a0b77787370
SHA256: f0272a7b88accffc9a228b12027553e0ba4dffe97f166eddbb87266d03568f4b
Description: TruSurroundXT Module
Company: SRS Labs, Inc.
File Version: 2.2.7.0
Internal Name: ComTruSurroundXT
Language: English (United States)
Legal Trademarks: TruSurroundXT, Focus, TruBass, Dialog Clarity
Original File name: ComTruSurroundXT.DLL
Copyright: Copyright 2002 SRS Labs, Inc. All Rights Reserved
Threatexpert.com states:
"There was a registered attempt to establish connection with the remote host. The connection details are:

Remote Host Port Number
95.211.98.246 80"
http://www.threatexpert.com/report.aspx?md5=514bf9c1ea5276510189afb3217225e1

http://www.utrace.de/?query=95.211.98.246
LeaseWeb B.V., Amsterdam (The Netherlands)

E:\Irvin\Kershner\Lullabies.exe
C:\Irvin\Kershner\Lullabies.exe
C:\Documents and Settings\User\djaskdja.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP340\A0039419.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039444.exe
Identification (AVG): @EID_Id_vir|%name%=Worm/Generic.BKVJ|%idn%=0bf67dd99da80000|
Filesize: 397312
MD5: ebb879a32cb253ecfb6ec5fbb2815e2c
SHA1: 2da672c147539febf233eb5a38141f7bad83e750
SHA256: 7dd288889dda02e830c0881ac9769e4e3bfed8f5e8cbbffe2cf72f74738d8c6a
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Contains emulator anti-debugger checks: the process terminates if the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum\0
indicates that the disk label contains, for example, "QEMU"
Copies itself to C:\Irvin\Kershner\Lullabies.exe
Creates the file: C:\Irvin\Kershner\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AE7AY1-A4G2-Z78D2-DS4X1S-4W1X3B}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AE7AY1-A4G2-Z78D2-DS4X1S-4W1X3B}]
StubPath = "c:\Irvin\Kershner\Lullabies.exe"
Performs DNS queries for:
43u8mw.dvrdns.org
metalica.selfip.com
dadsadsa.dynalias.com

C:\Documents and Settings\User\Local Settings\Temp\erase_me298396.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me294228.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me698889.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me049678.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CLVC|%idn%=0b367dd99d353000|
Filesize: 106497
MD5: 6b883dc24672f307b19a4185ad225086
SHA1: a7f91ae4b9edcc9398a044245a4b51641b2c2c17
SHA256: ec65ff9de93a5058407dd397d3dc1cc77b79a5a6c2e27194593e714ac908f47d
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Copies itself to C:\trazim_previse\od_ovih\rima.exe
Creates the file: C:\trazim_previse\od_ovih\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5T6S7-G3D24-VC3YAW-I4F2S-6AGS4}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5T6S7-G3D24-VC3YAW-I4F2S-6AGS4}]
StubPath = "c:\trazim_previse\od_ovih\rima.exe"
Contains base64-encoded data that holds a PE header, DLL function names
and the following (IRC) strings:
"\" : ", 0x03, "8,1", 0x02, 0x03, "8Coded ", 0x03, "4By ", 0x03, "8VirUs..", 0x00
";A very ancient and powerful vampire, he serves as the Hellsing Organization's most powerful operative and vampire expert and its trump card."
Performs DNS queries for:
acc7w3lv3.dvrdns.org
acc51x.blogdns.org
acc313v3n.dynalias.com

C:\Documents and Settings\User\Local Settings\Temp\erase_me344685.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me206310.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me488678.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me773862.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me785069.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me878998.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me916786.exe
C:\Documents and Settings\User\67k45m3.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039439.exe
Identification (AVG): @EID_Id_trj|%name%=Generic18.SRX|%idn%=0b367dd99d354000|
Filesize: 233473
MD5: c261ae888af274d39a2b5d00014a24d1
SHA1: 2759981ad940bc1b929c7071d4ac0927b9be3cf7
SHA256: 4460e505d4507994930e593ad6a1e2e616d05e600a0c069e7fff010a7aad27c3
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Contains emulator anti-debugger checks: the process terminates if the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum\0
indicates that the disk label contains, for example, "QEMU"
Copies itself to C:\trazim_previse\od_ovih\SxK.exe
Creates the file: C:\trazim_previse\od_ovih\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4JAMH-43MKA-8MMWAY-61PLA-2KANG0}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4JAMH-43MKA-8MMWAY-61PLA-2KANG0}]
StubPath = "c:\trazim_previse\od_ovih\SxK.exe"
Contains base64-encoded data that holds a PE header, DLL function names
and the following (IRC) strings:
"\" : ", 0x03, "8,1", 0x02, 0x03, "8Coded ", 0x03, "4By ", 0x03, "8VirUs..", 0x00
";Apres la mort de sa femme, Denethor devient sombre, froid et détaché de sa famille, alors que la relation entre ses deux fils s'épanouit."
Performs DNS queries for:
acc7w3lv3.dvrdns.org
accf0ur.merseine.nu
acc313v3n.dynalias.com

C:\Documents and Settings\User\986lfk4.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039440.exe
Identification (AVG): @EID_Id_trj|%name%=Generic18.NAT|%idn%=0b367dd99d354000|
Filesize: 380928
MD5: 3b5f1474113e2865bb6add9966050cc2
SHA1: 0869d729ce2a39e15e303b0afb426de5e928c806
SHA256: eb0781d00f116dddd1fb7ff9cd282bbe1d732e2cfaac9f950a4726e128a2b27f
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Copies itself to c:\ma_e\ti_si_smece\norah.exe
Creates the file: c:\ma_e\ti_si_smece\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6A2LU-E4DN3-64S2G-3VH85-2P0SC}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6A2LU-E4DN3-64S2G-3VH85-2P0SC}]
StubPath = "c:\ma_e\ti_si_smece\norah.exe"
Performs DNS queries for:
acc7w3lv3.dvrdns.org
acctf0urt33n.blogdns.org
acc313v3n.dynalias.com

C:\Documents and Settings\User\ajspat1.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039441.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me057714.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me291182.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me341392.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me899645.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me931958.exe
Identification (AVG): @EID_Id_trj|%name%=Dropper.Generic2.QIX|%idn%=0b2ad9f76674e000|
Filesize: 163841
MD5: 76c8f05de8853cee2fbd2bb3c99ba56f
SHA1: 5f2b3cf0b20572a4c332417d5ecf153ccc7169ea
SHA256: 47a2eb68dac66198fa3634a5c62c4ef6404758e1ddd06dd674c07b07ee89344b
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Copies itself to c:\moja_cura\je_najbolja\Pranjic.exe
Creates the file: c:\moja_cura\je_najbolja\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C5WNJ1Z0-DF0L-IYRP-LXME-JDF0OLOF9R}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C5WNJ1Z0-DF0L-IYRP-LXME-JDF0OLOF9R}]
StubPath = "c:\moja_cura\je_najbolja\Pranjic.exe"
Contains base64-encoded data that holds a PE header, DLL function names
and the following (IRC) strings:
"\" : ", 0x03, "8,1", 0x02, 0x03, "8Coded ", 0x03, "4By ", 0x03, "8VirUs..", 0x00
";am su bile dve krave...jedna je bila corava....hahahahahhahahhahhaahahha"
Performs DNS queries for:
accf0ur1.merseine.nu
acc7w3lv31.dvrdns.org
acc313v3n1.dynalias.com

C:\Documents and Settings\User\m0mak.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039449.exe
Identification (AVG): @EID_Id_trj|%name%=Dropper.Generic2.IXV|%idn%=0b2ad9f76674e000|
Filesize: 126977
MD5: b1b36ac70253c295cedc965eac2380bb
SHA1: 3c65d1839a38fc00328d2cfcb32e3c73d412f55e
SHA256: 8294603245117368a22dea0e3d719dc0d1862e25619ecae4ab5011d9bbbf2316
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Copies itself to c:\fish\ville\nao4ja.exe
Creates the file: c:\fish\ville\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7MPEKAD-841A3-3MAJ5-Z2LGK-MWL3Y}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7MPEKAD-841A3-3MAJ5-Z2LGK-MWL3Y}]
StubPath = "c:\fish\ville\nao4ja.exe"
Contains base64-encoded data that holds a PE header, DLL function names
and the following (IRC) strings:
"\" : ", 0x03, "8,1", 0x02, 0x03, "8Coded ", 0x03, "4By ", 0x03, "8VirUs..", 0x00
";Jason X  (2002) marked Kane Hodder's last performance as Jason as of 2009."
Performs DNS queries for:
acc7w3lv3.dvrdns.org
accn1n3.kicks-ass.net
acc313v3n.dynalias.com

C:\Documents and Settings\User\Local Settings\Temp\erase_me398126.exe
C:\Documents and Settings\User\Local Settings\Temp\erase_me785613.exe
C:\Documents and Settings\User\MrZiMSKoLuiStreS.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039450.exe
Identification (AVG): @EID_Id_trj|%name%=Dropper.Generic2.SBS|%idn%=0b2ad9f76674e000|
Filesize: 151552
MD5: 35429cf87e48fff8b8e8c48615964497
SHA1: 17e8a40ef079c0d14c9b2bf9f0ae2e3e6c03f41a
SHA256: 9a55e74881a74aecfc3331b915eb21928e28cd8797b0de0c8f32cc90d0719765
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Contains emulator anti-debugger checks: the process terminates if the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum\0
indicates that the disk label contains, for example, "QEMU"
Copies itself to c:\boli_me\palac\TzK.exe
Creates the file: c:\boli_me\palac\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9L6ME-5454E-4EDXE-4E7SQ-9KJHI}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9L6ME-5454E-4EDXE-4E7SQ-9KJHI}]
StubPath = "c:\boli_me\palac\TzK.exe"
Performs DNS queries for:
accf0ur.merseine.nu

C:\Documents and Settings\User\norveska.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039451.exe
Identification (AVG): @EID_Id_vir|%name%=Worm/Generic.BGRX|%idn%=0bf67dd99da80000|
Filesize: 172033
MD5: 6d5a8cf2b5446305d26f104ff97a9bc1
SHA1: c66a203cf61cda5e84d8874ac221f18a2046101c
SHA256: 19905e0eff9550e8a374f80619c79514cbc0b6e2ad0a8b3df19877140bbdb768
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Copies itself to c:\tko_je\to_rekao\j3k5any.exe
Creates the file: c:\boli_me\palac\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4JAJF9SA-N7KSN-3NSP5-8MEAK-6MSKWA}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4JAJF9SA-N7KSN-3NSP5-8MEAK-6MSKWA}]
StubPath = "c:\tko_je\to_rekao\j3k5any.exe"
Performs DNS queries for:
accn1n3.office-on-the.net
acc313v3n.dynalias.com

C:\Documents and Settings\User\p4wqkda.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039452.exe
Identification (AVG): @EID_Id_trj|%name%=Generic18.ANSJ|%idn%=0b367dd99d354000|
Filesize: 180224
MD5: 7d1920370e4f219b3f19dd19d78d5126
SHA1: 3f6d5f7be1a12cd4708c43d088a6eba54dfa2620
SHA256: 4edeff7d23e88af1d406ab02526f514ea96c1326a3ab044a5658b573b8bd7e62
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Contains emulator anti-debugger checks: the process terminates if the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum\0
indicates that the disk label contains, for example, "QEMU"
Copies itself to c:\obala_je_stvarno\puna_smeca\SwineFlu.exe
Creates the file: c:\obala_je_stvarno\puna_smeca\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1D35A-V1A5Y6-1Y2A-X4AX3-HGF4D}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1D35A-V1A5Y6-1Y2A-X4AX3-HGF4D}]
StubPath = "c:\obala_je_stvarno\puna_smeca\SwineFlu.exe"
Performs DNS queries for:
acc7hr33.game-server.cc

C:\Documents and Settings\User\reg5n.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039453.exe
Identification (AVG): @EID_Id_vir|%name%=Worm/VB.BCAD|%idn%=0bf6b9a000000000|
Filesize: 69633
MD5: da470f922d948fde0624c7acc5016463
SHA1: 0867764510ac4c70cda02554c7261f6f40f3c78c
SHA256: 0b216a8340b7bac5caca2c01bfdd6306b567c8708012d99610dcc491f7f625cb
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Contains emulator anti-debugger checks: the process terminates if the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum\0
indicates that the disk label contains, for example, "QEMU"
Copies itself to c:\ne_smijem\stati\t1kv1c3.exe
Creates the file: c:\ne_smijem\stati\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9F8HB0-E6WQ7A-S4IGS-3RAB12-O5UT7F}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9F8HB0-E6WQ7A-S4IGS-3RAB12-O5UT7F}]
StubPath = "c:\ne_smijem\stati\t1kv1c3.exe"
Performs DNS queries for:
accn1n3.isa-geek.com

C:\Documents and Settings\User\wiseka.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039458.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.UZU|%idn%=0b366eac68b00000|
Filesize: 110593
MD5: 12c4cf8d8043b75f4397d69872f7ccec
SHA1: 9845dce767764862f630c7b87c503b476df7b69a
SHA256: 373109d8d1ee57d7fe500b3549ddd42355978aab782ae130b7a52c4eb048ed4d
Appears to be programmed in Microsoft Visual Basic (MSVBVM60.DLL)
Contains emulator anti-debugger checks: the process terminates if the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum\0
indicates that the disk label contains, for example, "QEMU"
Copies itself to c:\tata\govori\kojikuki.exe
Creates the file: c:\tata\govori\DesKTop.ini (file attribute hidden)
Filesize: 62
MD5: 7457a5df1ff47c957acf1fa000d7d9ad
SHA1: 69d2bba827fd4de0169419a0fda280252b348514
Containing:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
New registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{LYKXYNAJY-LAK4-MAK3-5KAM-2Y5D4AW42}]
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{LYKXYNAJY-LAK4-MAK3-5KAM-2Y5D4AW42}]
StubPath = "c:\tata\govori\kojikuki.exe"
Performs DNS queries for:
accf0ur.is-a-chef.com
acc316h7.dnsalias.org
acc73n.homeip.net
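Every one of the Visual Basic worms above drops the same hidden 62-byte DesKTop.ini next to its copy, and the CLSID it declares, {645FF040-5081-101B-9F08-00AA002F954E}, is the Recycle Bin class identifier, so Explorer renders the drop folder as a Recycle Bin instead of listing the executable in it. The scanner below is an added Python example (not code from the original notes) that walks a tree and reports folders disguised this way together with the executables they hold; the list of legitimately recycle-bin-named directories and the demo directory layout are constructed assumptions.

```python
"""Find folders disguised with a Recycle Bin desktop.ini.

Added example, not part of the original analysis. The dropped DesKTop.ini
files above all declare CLSID={645FF040-5081-101B-9F08-00AA002F954E} in
[.ShellClassInfo]; that is the Recycle Bin class id, so the drop folder is
shown as a Recycle Bin and its contents are hidden from a casual look.
"""
import configparser
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
# Assumption: directory names that legitimately carry the Recycle Bin CLSID.
LEGIT_RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd"}


@dataclass
class Finding:
    folder: str
    ini_path: str
    executables: List[str] = field(default_factory=list)


def shellclass_clsid(ini_path: str) -> Optional[str]:
    """Return the [.ShellClassInfo] CLSID declared in a desktop.ini, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(ini_path, "r", encoding="utf-8", errors="replace") as fh:
            parser.read_file(fh)
    except (OSError, configparser.Error):
        return None
    # configparser lower-cases option names but keeps section names as written.
    for section in parser.sections():
        if section.lower() == ".shellclassinfo" and parser.has_option(section, "clsid"):
            return parser.get(section, "clsid").strip().upper()
    return None


def is_legit_recycle_dir(folder: str) -> bool:
    return os.path.basename(folder).lower() in LEGIT_RECYCLE_DIRS


def scan(root: str) -> List[Finding]:
    """Report folders whose desktop.ini (any letter case, as in 'DesKTop.ini')
    claims the Recycle Bin CLSID outside the real recycle-bin directories."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            ini_path = os.path.join(dirpath, name)
            if shellclass_clsid(ini_path) != RECYCLE_BIN_CLSID:
                continue
            if is_legit_recycle_dir(dirpath):
                continue
            execs = sorted(f for f in files
                           if os.path.splitext(f)[1].lower() in EXEC_EXTENSIONS)
            findings.append(Finding(dirpath, ini_path, execs))
    return findings


def build_constructed_tree(root: str) -> None:
    """Constructed layout modelled on the notes; the binaries are dummies."""
    # 62 bytes, matching the file size the notes give for DesKTop.ini.
    ini = b"[.ShellClassInfo]\nCLSID=" + RECYCLE_BIN_CLSID.encode()
    drop = os.path.join(root, "Irvin", "Kershner")
    os.makedirs(drop)
    with open(os.path.join(drop, "DesKTop.ini"), "wb") as fh:
        fh.write(ini)
    with open(os.path.join(drop, "Lullabies.exe"), "wb") as fh:
        fh.write(b"MZ")
    legit = os.path.join(root, "RECYCLER")          # genuine XP recycle bin name
    os.makedirs(legit)
    with open(os.path.join(legit, "desktop.ini"), "wb") as fh:
        fh.write(ini)
    benign = os.path.join(root, "Music")            # ordinary customised folder
    os.makedirs(benign)
    with open(os.path.join(benign, "desktop.ini"), "wb") as fh:
        fh.write(b"[.ShellClassInfo]\nIconResource=shell32.dll,1\n")


def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        assert os.path.getsize(os.path.join(root, "Irvin", "Kershner", "DesKTop.ini")) == 62
        return scan(root)


if __name__ == "__main__":
    for f in demo():
        print(f"disguised folder: {f.folder}  executables: {f.executables}")
```

On a suspect host the same `scan` would be pointed at each drive root; the hidden attribute on the .ini and the Active Setup StubPath pointing into the flagged folder are the corroborating signs the notes list.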

C:\Documents and Settings\User\stotka.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039457.exe
Identification (AVG): @EID_Id_trj|%name%=Dropper.Generic2.MFC|%idn%=0b2ad9f76674e000|
Filesize: 135169
MD5: 0c93fe89c214b4c05f7d3fcf641cb3d0
SHA1: 26b3f8b325a65b1540105f4ffc9b46efadee0b2c
SHA256: 98c0d2d1c248a2cb6763ed5292aa92b3559443344f57b1f8f4e0c2e8f0c30c9f
Copies itself to \Documents and Settings\%USERNAME%\svchost.exe
New registry values:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Msn Update 1.6" = "\Documents and Settings\" ... "\svchost.exe"

C:\Documents and Settings\User\Local Settings\Temp\Anb.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASKC|%idn%=0b3665f766b0e000|
Filesize: 236032
MD5: 3568c9be35203ae0da23f79a1d4aa45e
SHA1: 4c003e9cf30ee4a7677c334ae0b2cc5e1bdad556
SHA256: dd664fe0cc979fad257f948279b349a84b6c8767337c52736448e02966db198d
Creates the file C:\Documents and Settings\User\Local Settings\Temp\sshnas21.dll
Identification (AVG): @EID_Id_trj|%name%=Generic17.BJGL|%idn%=0b367dd99d353000|
Filesize: 193024
MD5: c137d32967d52ebed014c3334386e5d7
SHA1: f8b4fef678c83793f0703e227d1b8cc1ef1a1a44
SHA256: ed0740fa4de93b91c8639ed1b3da5615702f6b00f78d509263667932a1b52628
Installs the service SSHNAS to be executed automatically
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...
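
The persistence mechanisms recorded for these samples (an svchost-hosted service with a foreign ServiceDll, an Active Setup StubPath under a made-up GUID, Run values pointing into a user profile) can be triaged from a registry listing. The script below is an added example, not the author's tooling; it parses the key/value notation used in this write-up (plain string values of a .reg export parse the same way), and the svchost baseline DLL set and the Run target paths in the sample are constructed.

```python
"""Triage a registry listing for the persistence patterns recorded above:
an svchost-hosted service whose ServiceDll is outside a clean baseline
(SSHNAS), an Active Setup component with a malformed GUID or a StubPath
outside Windows, and Run values launching from a profile or Temp directory."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (rule, registry key, detail)
Listing = Dict[str, Dict[str, str]]

# ServiceDlls per svchost group on a clean reference install: a constructed
# baseline for this example; build yours from a known-good machine.
SVCHOST_BASELINE = {"netsvcs": {"browser.dll", "cryptsvc.dll", "schedsvc.dll", "wuauserv.dll"}}
WINDOWS_PREFIXES = ("%systemroot%", "c:\\windows", "%programfiles%", "c:\\program files")
PROFILE_MARKERS = ("\\documents and settings\\", "\\temp\\")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"?([^"=]+?)"?\s*=\s*(.*?)\s*$')  # Name = "v"  or  "Name"="v"


def parse_listing(text: str) -> Listing:
    """Map each [key] header to its values; unquote strings, undouble .reg backslashes."""
    keys: Listing = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, value = val.group(1), val.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def service_findings(keys: Listing) -> List[Finding]:
    """Flag svchost-hosted services whose ServiceDll is not in the group's baseline."""
    out: List[Finding] = []
    for key, values in keys.items():
        parts = key.split("\\")  # the service key sits directly under ...\Services
        image = values.get("ImagePath", "").lower()
        if len(parts) < 2 or parts[-2].lower() != "services" or "svchost.exe" not in image or " -k " not in image:
            continue
        rest = image.split(" -k ", 1)[1].split()
        group = rest[0] if rest else ""
        dll = keys.get(key + "\\Parameters", {}).get("ServiceDll", "")
        if dll.rsplit("\\", 1)[-1].lower() not in SVCHOST_BASELINE.get(group, set()):
            out.append(("svchost-hosted ServiceDll not in baseline", key, dll or "<no ServiceDll>"))
    return out


def active_setup_findings(keys: Listing) -> List[Finding]:
    """Flag Installed Components entries with a fake GUID or a StubPath outside Windows."""
    out: List[Finding] = []
    for key, values in keys.items():
        parent, _, comp = key.rpartition("\\")
        stub = values.get("StubPath", "")
        if not parent.lower().endswith("active setup\\installed components") or not stub:
            continue
        if not GUID_RE.match(comp):
            out.append(("Active Setup component name is not a well-formed GUID", key, comp))
        if not stub.lower().startswith(WINDOWS_PREFIXES):
            out.append(("Active Setup StubPath outside Windows/Program Files", key, stub))
    return out


def run_key_findings(keys: Listing) -> List[Finding]:
    """Flag Run values launching from a profile/Temp path or an svchost.exe outside system32."""
    out: List[Finding] = []
    for key, values in keys.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, target in values.items():
            low = target.lower()
            if any(marker in low for marker in PROFILE_MARKERS):
                out.append(("Run value launches from a profile or Temp directory", key, f"{name} = {target}"))
            if "svchost.exe" in low and "\\system32\\" not in low:
                out.append(("Run value launches an svchost.exe outside system32", key, f"{name} = {target}"))
    return out


def triage(text: str) -> List[Finding]:
    keys = parse_listing(text)
    return service_findings(keys) + active_setup_findings(keys) + run_key_findings(keys)


# Constructed listing: the SSHNAS and Active Setup values mirror this write-up,
# the Schedule service is a clean control, the Run target paths are placeholders.
SAMPLE_LISTING = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
Start = 0x00000002 (2)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
ServiceDll = "%SystemRoot%\system32\schedsvc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{LYKXYNAJY-LAK4-MAK3-5KAM-2Y5D4AW42}]
StubPath = "c:\tata\govori\kojikuki.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Msn Update 1.6" = "C:\Documents and Settings\User\svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "C:\Documents and Settings\User\Local Settings\Temp\Amu.exe"
"""

if __name__ == "__main__":
    for rule, key, detail in triage(SAMPLE_LISTING):
        print(f"{rule}\n    {key}\n    {detail}")
```

Run it against a listing exported from the suspect machine; the Schedule entry shows that a genuine netsvcs service with a baseline DLL produces no finding.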

%WINDIR%\system32\sshnas21.dll
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039496.dll
Identification (AVG): @EID_Id_trj|%name%=Generic17.BJGL|%idn%=0b367dd99d353000|
Filesize: 193024
MD5: 204faf1372b34c0df3ac183e216f5265
SHA1: 3f5128628845e5519827f5435b0fb1b78fa77ccf
SHA256: e45d7ae43a29ee01db03d26916a1ea4fa1f01e9d7dec2679d891b094624fff90

C:\Documents and Settings\User\Local Settings\Temp\Am1.exe
C:\Documents and Settings\User\Local Settings\Temp\Amz.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPFD|%idn%=0b367dd99d353000|
Filesize: 263680
MD5: 1d257224217b3b85a88c2a5a72b70cd9
SHA1: 1d14333cdf31099bb4e142cd741cee5bdf2aa875
SHA256: 5bd673741019e57d6d52a2bcf99192d57a67afbabc25447bc0637e0ea6aeee08
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 207872
MD5: fa18fe3155a75e7976a26d16b2a2aa8f
SHA1: dd0ce056eace0551aeea03c3995baf3884dafb9f
SHA256: 677bb97e5d51c28a94568f7567eea0d1427dc20bd6c18901759f0e8e2f2a6071
Installs the service SSHNAS to be executed automatically at Windows startup
The service performs DNS queries for ceonter.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\Am3.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPFD|%idn%=0b367dd99d353000|
Filesize: 263680
MD5: e7fb6b58c738c8c3397db708f1eed868
SHA1: c9f9684c5b2c17fcd877a7db65459d37b008937d
SHA256: 96bece9da686cf329953a953a815d934f372893fcf8a09f044859eadfda65692

C:\Documents and Settings\User\Local Settings\Temp\Am8.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPFD|%idn%=0b367dd99d353000|
Filesize: 263680
MD5: c3bd3ca7df2226998f2a1064e93f3024
SHA1: 271b3be5edf266df45e227897a8d5f32d4d8d24d
SHA256: 44d62331a128225de8aaac4b92864c73e051e77fc8cadc892300deef9f76230b

C:\Documents and Settings\User\Local Settings\Temp\Amt.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPFD|%idn%=0b367dd99d353000|
Filesize: 263680
MD5: feb8b52bf2054d6120e9cda4c37ed5c4
SHA1: a07277c517b31128260546be1f9beb4ea03d5f60
SHA256: 3b9d02922ff247b1dbf56ee2fdac65736ea6611e13940051aa4b6e99cff933b2

C:\Documents and Settings\User\Local Settings\Temp\Amw.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPFD|%idn%=0b367dd99d353000|
Filesize: 263680
MD5: eb560e9d47627fb0c6d5cd1dd1094a27
SHA1: bc09d455ade75b95db690c9f7548dc72d417649d
SHA256: d06b37f5d208ff6e26e1ba0f876781dfdeba212a199ac8533cfb27004fb2262a

C:\Documents and Settings\User\Local Settings\Temp\Az0.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 9176e08d60961485bf5f64d39ef43db3
SHA1: 7dc91e303385abf68e4737f323b5a92ee30a08ed
SHA256: cec0ae41deff78a293f583711d02a5aabed439b6e70ec03598925b99f49bb29e
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 218112
MD5: 4181371554ae3886a8a24ef46b470b66
SHA1: a9a83924888db484af2c45fbebae4b88cb19fbe3
SHA256: 8941efb35970303eae4b15f776eae26d9387f14faedcdde3d06d466787030276
Installs the service SSHNAS to be executed automatically at Windows startup
The service performs DNS queries for ceonter.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\Azy.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 9176e08d60961485bf5f64d39ef43db3
SHA1: 7dc91e303385abf68e4737f323b5a92ee30a08ed
SHA256: cec0ae41deff78a293f583711d02a5aabed439b6e70ec03598925b99f49bb29e
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 218112
MD5: edc48e180501646242e6ca03fe5916fa
SHA1: a437c6b60f67808f3ce90138cbf632cc4239c550
SHA256: 05cac71cbfc10fb55db81d08b10e221d18c4ed380c59ccfc9041867a15b27e3b
Installs the service SSHNAS to be executed automatically at Windows startup
The service performs DNS queries for ceonter.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\Az2.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 5acb6db2a98d539278c2242005bf5b66
SHA1: 6ea2d1bd5d16076154bf325a789771aee3ff5654
SHA256: b6627ef7a7559a83c72b74d4a2af35a148a68d952f27eea9ee2c7e7fc4e05f50
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 218112
MD5: 706ee751aa3e730234bfbccf7b920e9e
SHA1: 033c2ea08193800b2c6e8797a51c0edc085058ad
SHA256: ac54f92052dfd36fbbffc965c403305cc3f1034f66dcbc530b8b510b9449c8f0
Installs the service SSHNAS to be executed automatically at Windows startup
The service performs DNS queries for ceonter.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\Az6.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: bb5fb33e57e641acf2c7b83f3a7b635c
SHA1: 83eb956b8e16cda0216cf49059687b5003415162
SHA256: c438765ef82123202162e15e6063a41b0c6fc00cf54a44d87f6731eff8206b3e
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 218112
MD5: 73fc56699b5a98cea0dde6d6518e76c3
SHA1: cae77162cf9078b8bfd43bc330c940a42612917e
SHA256: d00657b7fb5bd668718d8cb31887cdaef5e8cff04c8178249f91075ac0acadae
Installs the service SSHNAS to be executed automatically at Windows startup
The service performs DNS queries for ceonter.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\Az7.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 10e0779e27d56f2bc2cd1817bfefaf36
SHA1: 7fae7eb2ff2ea89a838801850d501ad2e4cc8003
SHA256: f53be651e95fcb3aaaadfe0a4328690f7009ad6332a0382eb6be55066441e428
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 218112
MD5: bbe658f403734146fc702112c1ba20cd
SHA1: 3747500c7f7d6688b3e5a988853723a6913f96a8
SHA256: 492fd95f033aaabbb7be02dcb827afc8e6c2ad83f0aca175f1ad007a1b437737
Installs the service SSHNAS to be executed automatically at Windows startup
The service performs DNS queries for ceonter.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\A2c.exe
C:\Documents and Settings\User\Local Settings\Temp\A2e.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: b3b46a49f4181a67d4ff33fe64138028
SHA1: e219f4e3cffbd9f47a0afe6a663c22e581975e94
SHA256: 3bfc93f1678da3f43d6449c4486b55840f05077330a9b2916603f2925c1e3470

C:\Documents and Settings\User\Local Settings\Temp\Av9.exe
C:\Documents and Settings\User\Local Settings\Temp\Awc.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: 4f55c61725edd9ebe1516a09180ba950
SHA1: bbe1abd4f7c8f0cc6f2fce6d4a72c55e9d76e8d2
SHA256: a5119ab67d05609c01fbd68221e4bf61d88ec4421b292a17a9a8292e2f313748
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 218112
MD5: 5caa0a10875357db30c5e33c4023b0cd
SHA1: 7c444513039db3b9fbae3d0241f0f879e3e22410
SHA256: d7d78cf39dac664b694e1c742b8e4ea6926c17c6fa06063285eb5b75432f67fc
Installs the service SSHNAS to be executed automatically at Windows startup
The service performs DNS queries for ceonter.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\Aw7.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: 230f78e673d7f9e00b7cd987f74f2671
SHA1: 66bd8055f028550b076a92e281ae03334eae0d16
SHA256: 1d249d99ef6fbaa0e4150691563d1f2f27ef3953a45aa06a70d526d53e324c24

C:\Documents and Settings\User\Local Settings\Temp\Awj.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: 6eb930954e0292faf9b340cab909742a
SHA1: e661728cd18e21256e6da59ec5f5e3e848b24131
SHA256: 941decf7475b09bbc2884bd40633231227b539ff07f202f8065e450fe3d21f12

C:\Documents and Settings\User\Local Settings\Temp\Awq.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: d07f00bbbc2ac20c38eaad231bb23ae3
SHA1: 01a0fadd0f5588427e7d74aeee618de8987abfc2
SHA256: 319166f0142533a74cbc7f731b9c602777e1911a56a4d9c4aa685ad2663ef497

C:\Documents and Settings\User\Local Settings\Temp\Awt.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: cb5dd8edf45797e85b4d9c658b62d311
SHA1: 69d0424b3d6a17e218615b0a241b05661807296c
SHA256: 80ff0ae6a4381235d2a03c3702a217e663c74fdbcadb4682e4860cef75b67296

C:\Documents and Settings\User\Local Settings\Temp\Awz.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: 3b7ba356f97aaea6e7ae3eb27f41bc28
SHA1: 2230286bc63d6b816de63d092e75591d7aedb050
SHA256: 56f0db77194098c199ff85da16c75e383ff8516b40d324e5cf27349f38033765

C:\Documents and Settings\User\Local Settings\Temp\Ax5.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: 48c09b9187fa3efb11ea0b379a5303ad
SHA1: f621394eaf7dddbe47f105460258ebd0e9a8f4b9
SHA256: 8f6bd34fd790c3461d3b2bd9bcd73c2fbc9c954ebc92f38a53335acc1f851a91

C:\Documents and Settings\User\Local Settings\Temp\Ax8.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: 849b55d46e38800b4dee1b7dd27146e0
SHA1: 1f8151e3f77517d1d17e0ef3c13fbb274736088e
SHA256: adba99080bb674c13d30db3c3caa70cd2d7d59e0b4d5a2a530af0ab8c5fc06df

C:\Documents and Settings\User\Local Settings\Temp\Axa.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: d761ace5cee11f6d759bd43b6a01def7
SHA1: ebb33b1fa362088e2be8dc7380c972282afb1ef1
SHA256: 5d8dad0a151884c61d3a35d8b279618769506eb0f6d1b079885c67165766c059

C:\Documents and Settings\User\Local Settings\Temp\Axj.exe
C:\Documents and Settings\User\Local Settings\Temp\Axn.exe
C:\Documents and Settings\User\Local Settings\Temp\Axp.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: 2b941433e369b2482aedb6585cf4e777
SHA1: 6d29fa8779aa228b371b982e3cab0852f4241765
SHA256: 3e402bd5452338a89743be0818e379bed4f2a5f0f3e00d46122efdf509374858

C:\Documents and Settings\User\Local Settings\Temp\Ayl.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: 51ff0afed41901507a04067b6675086c
SHA1: b3fabc73678f953eb4c4234d5f31296e9dd7d0ed
SHA256: 6c503c6103023c842dec3705db1f6cd3d608615757347f92561fbd43c2bc9829

C:\Documents and Settings\User\Local Settings\Temp\Ay3.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: 664e5ff46b94184fff999cf3fe83c08d
SHA1: 71a3aecc02acd96d02e74115eebf6b34dc8ae503
SHA256: defe5343653f6aed197352fe9812c53aee58bf474a3281de71e63365e415d74e

C:\Documents and Settings\User\Local Settings\Temp\Ayd.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: 8afbba2073202fbd1f0e2440416226bd
SHA1: fc42375e1f85649442f6296ceb806e724dd98732
SHA256: 51d2ec7b69ef563bdf6e0cffe492cb711aeb0ccebd4cf5a3999a7f885a5374aa

C:\Documents and Settings\User\Local Settings\Temp\Axe.exe
C:\Documents and Settings\User\Local Settings\Temp\Axf.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 280576
MD5: cbcc77bd6e95755d9c35748761ed7978
SHA1: bbea8331a14449a216d1bd2644fd3e078ee16e64
SHA256: 21e2fc58fd80fce94305b97f63f10cfee36e743f319b50a0950d825b09abd6e1

C:\Documents and Settings\User\Local Settings\Temp\Axk.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPZ|%idn%=0ad999c6a7c0f000|
Filesize: 57344
MD5: 8235ab2557c0c48707f38f18c2d82907
SHA1: 21af41d18dd65cd95c29a386a13c1c127e52538d
SHA256: d10b255a676fb401dd66d6163279a43017c97e03473ca695603cede0dcc94085
(file appears to be incomplete)

C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039446.exe
C:\Documents and Settings\User\gfsa3.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BQI|%idn%=0b367998dd66e000|
Filesize: 99938
MD5: 9b3e2295e41143d6f2af36bd64b89432
SHA1: 1dfb7ed72c4a08632e2ff0467b2a200f17ac5654
SHA256: b1c36191c49c373c64f40ec07053ee1d6d0687a9a293de9835a4aeb761283ff7
(not a valid Windows executable)

C:\Documents and Settings\User\Local Settings\Temp\Azc.exe
C:\Documents and Settings\User\Local Settings\Temp\Azf.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTR|%idn%=0ad999c6a7c0f000|
Filesize: 266752
MD5: 192fd102a9d6f114594eb5385a53a256
SHA1: e33b911537df915b9cd5ca5bfcf34da26cd5e976
SHA256: 50e5b2809dd28fdf363075c3fdfe85e8c53f828ccce623a30df76bdfd6619242
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 220160
MD5: 9110d30171eab7dda07fe7280614634c
SHA1: df7be60cbdccdfcb95c8d4be9d71ecb9a5d54a13
SHA256: 023f61657b0f400e5d7c8c49c3283b422312b8b3d4b423550a4ca2562a355bdb
Installs the service SSHNAS to be executed automatically at Windows startup
The service performs DNS queries for ceonter.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\Azh.exe
C:\Documents and Settings\User\Local Settings\Temp\Azj.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTR|%idn%=0ad999c6a7c0f000|
Filesize: 266752
MD5: a6a944ad409a245b4668724f3b642b54
SHA1: de499d3271bef101e6857b049d414d823a557afc
SHA256: 68ee09d613c42d28439c240218519e9c7c4a1cd5fe90cc21344803c3ba98b6af

C:\Documents and Settings\User\Local Settings\Temp\Azo.exe
C:\Documents and Settings\User\Local Settings\Temp\Azp.exe
C:\Documents and Settings\User\Local Settings\Temp\Azr.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTR|%idn%=0ad999c6a7c0f000|
Filesize: 266752
MD5: 16d9e9295167e220cf9fa51b189d8d3f
SHA1: 9d7dadabcbbcece08fd339d8b64bc6e5120aa2be
SHA256: a42a005e13688e1b9edbf5cce77a855ebf96c5ae1e36aabb6c99072c4c5e37ca

C:\Documents and Settings\User\Local Settings\Temp\Azv.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTR|%idn%=0ad999c6a7c0f000|
Filesize: 266752
MD5: d6a74c494d2f38475508ad60ce314f8a
SHA1: d4cdede4b5fc5daab9b1cffc0d8a0a69c85b02cb
SHA256: 6ade9f083c8c197a180dfa043134a6bf18d743fc0b03328efc125f8abd0c6b04

C:\Documents and Settings\User\Local Settings\Temp\A21.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CNQN|%idn%=0b367dd99d353000|
Filesize: 225792
MD5: 7b368eb1d087e18c1f02a81406d6e510
SHA1: e0ad74a0e4d59e94727fa8c7cfd9c5791eaa6ff1
SHA256: 6ac0619c1bdfd7a2005fd1241de4042566785a65e00ad7446b4c66777a3fc0f2
The executable icon looks like the 7-zip logo ('7z')
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 166400
MD5: 885add9538bdd11d73668e59eaf336a3
SHA1: 413682563ab38aa256e98bdbe6d0cb9bc5bce03a
SHA256: 87edb8e58ceb0af8cc12b0bb78631d4262bccbf013b93426e48d54727988c4c8
Installs the service SSHNAS to be executed automatically at Windows startup
The SSHNAS service performs DNS queries for cuert.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\A2y.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.AAIS|%idn%=0ad999c6a7c0f000|
Filesize: 265216
MD5: 46f52e9a7b18c71f3a6a5acbffa7aee5
SHA1: d4842f0c8c5bc0cb6e9bfd90a6ae54f0816f932c
SHA256: da9337cd1f9f7c9fb0fffc6eb5d1b0216182a251441887cb4aa173273bd31740
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 217088
MD5: e769ff9e930b8c9e6b752b9d1bdb4c67
SHA1: e304f9b13e2a561e64af2d8f8efc92740c73d556
SHA256: 94fb296db818996d0f7f4c97fb46e95ef7af5902a6b59917e3f8f01b922d42b6
Installs the service SSHNAS to be executed automatically at Windows startup
The service performs DNS queries for cuert.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\A26.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ABEV|%idn%=0ad999c6a7c0f000|
Filesize: 303616
MD5: 195788e9acb8caac578e67c398d8ed45
SHA1: 3854b1125e49fb202ecd95229bf7cf3416d14d73
SHA256: 8ccaa675e797c7a05a68806f685993aa4cda77405a1f4b03f92fc9125eadf5c3
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 223744
MD5: ab240a35f453f87c8320d6433f5c0b0c
SHA1: f694bb35868ccb5654aeb95f94f3d5ad5ed6d3c2
SHA256: b6ebc01cf3ab826cedfc1a7a6b1e0fa80d18c88f54d9c2783052759df7b2aed0
Installs the service SSHNAS to be executed automatically at Windows startup
The SSHNAS service performs DNS queries for cuert.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\A2a.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 8986086842ad9de07105e1762b7c82af
SHA1: 97e4fa3453588a7fbfc00ce30ab78de4bb31e7c9
SHA256: 3f3b9794a54e16757ddbc4d8c54a52279c5bac06fcd4f0e6227ed96a38c7510a
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 218112
MD5: c97a760ab601c92e8adddaae7f5cfd5a
SHA1: 33047da39962458c8763dd39dafdbc086927afce
SHA256: dabbe1442cf814e2c405948c1044daf110602f2b9a649ac5bd34ef0551dcbc3a
Installs the service SSHNAS to be executed automatically at Windows startup
The SSHNAS service performs DNS queries for ceonter.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\An1.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BXBT|%idn%=0b367dd99d353000|
Filesize: 261632
MD5: c3dcedfc14603bb2de8ebf90404d92dc
SHA1: d8e453dad065a0bad6c8c723e5dedf41546aeb1d
SHA256: 3e3544450f25bbecdc95ddaad9f92d1f9dda8108cbc88e5e33559eb2f5985ac3
Creates the file %WINDIR%\system32\sshnas21.dll
Filesize: 210944
MD5: f244f3825e0ef06d3baeeffcf9b5fc51
SHA1: d9d9ddcdc9c49ea1d8c11a0a7e805ad04b5acd99
SHA256: 0f6bf82f79f737ebee54cb7faee4e93cf9eb0c884598197cc7b4f18e17122d65
Installs the service SSHNAS to be executed automatically at Windows startup
The SSHNAS service performs DNS queries for ceonter.com, msdip.com (every 15 minutes)
New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
DisplayName = "SSHNAS"
ErrorControl = 0x00000000 (0)
ImagePath = "%SystemRoot%\system32\svchost.exe -k netsvcs"
ObjectName = "LocalSystem"
Start = 0x00000002 (2)
Type = 0x00000020 (32)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
Security = ...

C:\Documents and Settings\User\Local Settings\Temp\Amu.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPEO|%idn%=0b367dd99d353000|
Filesize: 168960
MD5: d609a71854643fab65f6b063b23ae1f7
SHA1: ec561400bea51eb1e4fbeb05752d79c6b3a1aff2
SHA256: dde13f2b8659cd7b9e51b00e270667cf8d166e1fc5c9ddb6183fa8eee0e0e520
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Amu.exe]"

C:\Documents and Settings\User\Local Settings\Temp\A25.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ABES|%idn%=0ad999c6a7c0f000|
Filesize: 181760
MD5: 3bbea1497f7f39688564a591b91aa08b
SHA1: e5acd7936d33f0d6562246a1090a5a0a59ac90c1
SHA256: 0de5238632a651c01899586912554661847d54555a92ea33436fa2edcf92d9b6
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of A25.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Ay9.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTS|%idn%=0ad999c6a7c0f000|
Filesize: 171008
MD5: 7d58b00484f4ab11d900f4f8003883cc
SHA1: f1906116e1acf45ccddd4695fc7932a4eea84d7d
SHA256: 8de9a5ca08b3b8e50987b111483998224c79d740739eb6c317dd310d10b323e7
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Ay9.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Azb.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTS|%idn%=0ad999c6a7c0f000|
Filesize: 171008
MD5: 79d1d721949f919b159c1d0e97cd027c
SHA1: f913aade74caa1e72a7b1c2bfec4594ff8cf44b8
SHA256: ebbad21df75d3df6e3ac97673bdf091091e535996a215ed5de2aeba267431ac0

C:\Documents and Settings\User\Local Settings\Temp\Aze.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTS|%idn%=0ad999c6a7c0f000|
Filesize: 171008
MD5: e5b0cc18e774bd68c60ec67d79f1612a
SHA1: 4cdc0ee51c14c2e8226d66caac058aae19fbbbe0
SHA256: 3d734bcfcac656a7fc410026a206aea1c9bbef06470f123efb168283c63484c2

C:\Documents and Settings\User\Local Settings\Temp\Azg.exe
C:\Documents and Settings\User\Local Settings\Temp\Azk.exe
C:\Documents and Settings\User\Local Settings\Temp\Azm.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTS|%idn%=0ad999c6a7c0f000|
Filesize: 171008
MD5: 636bc90513ccb91734d9e59fa85a8742
SHA1: 999ba460dd041edd7af5b10c1928cb435e6f2618
SHA256: 62f7fdd2d19374641b118039daf1be20645bc65eb20180f986c8e341c6dd44b0

C:\Documents and Settings\User\Local Settings\Temp\Azn.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTS|%idn%=0ad999c6a7c0f000|
Filesize: 171008
MD5: e50c1237df5edf1de90ead77e787b90f
SHA1: 31fb8257874e80ad22696ec94469caa39b05898c
SHA256: ce1be8f2a717d4402cf4ca23476b18860ef234e6e648078904b6dcba6b1dce3c

C:\Documents and Settings\User\Local Settings\Temp\Azs.exe
C:\Documents and Settings\User\Local Settings\Temp\Azu.exe
C:\Documents and Settings\User\Local Settings\Temp\Azx.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTS|%idn%=0ad999c6a7c0f000|
Filesize: 171008
MD5: f085e4c41a5f7df85f7559260f6b45fa
SHA1: dc6464afebdc8bddbdff0dbba9c283cf07492fda
SHA256: fc68453caa1c602a4bf5cd7affdf6bf04c2f220ce63af59f2400f28bd9f04e0b

C:\Documents and Settings\User\Local Settings\Temp\Aw1.exe
C:\Documents and Settings\User\Local Settings\Temp\Aw5.exe
C:\Documents and Settings\User\Local Settings\Temp\Aw6.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: c485ea7e1f6e60f94547a01cbb3cccb8
SHA1: 215db782673f8ecbcc1bd0a448b58ebd760729f9
SHA256: 3433916ebf0a119024b6e0eba983bc5faf5a7ddf2c7cda0ac658d0a04a0ee0ec

C:\Documents and Settings\User\Local Settings\Temp\Aw9.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 68a895a155a382233d4752a18b724d79
SHA1: 867138fa0046f94e73e5fce271ec7faaea37c09d
SHA256: cb532211896c6c7d444d700cc7851ed2aaf04aee1aeb5f8cc79ec4077c130ac0

C:\Documents and Settings\User\Local Settings\Temp\Awb.exe
C:\Documents and Settings\User\Local Settings\Temp\Awf.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 5973ba7e2c132bf76638f8d36a67e896
SHA1: cdda6ff0f1b17ac335c257823e8ad6b2cfff5761
SHA256: 4329cb23197af27ba4555d7d88bc133e73e26464858189bdbeab810033a0186e

C:\Documents and Settings\User\Local Settings\Temp\Awh.exe
C:\Documents and Settings\User\Local Settings\Temp\Awi.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 75fb93539f9371930266cbb4ba53b20d
SHA1: 47b2da7a0c0468b74b2bd42c0d86f1b813a10c8d
SHA256: 6664249014282ef2082d70e205400604dd2115904da6e4d3cff35782903b80d2

C:\Documents and Settings\User\Local Settings\Temp\Awl.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 0b355a95628300ea681147075dcaece5
SHA1: e459ccde335d70f9b0b31b33211a310957b01947
SHA256: f9769a4c1c7e0015c29eeb533bdd8bc76ddf7b8f13f06114653d7097a020eaa9

C:\Documents and Settings\User\Local Settings\Temp\Awn.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: ddffed3b5f39fbf3cf1403b2be2bfadf
SHA1: 28dc00d55ae5f88515cf55a670ca1a488c689c0b
SHA256: 3d87d3174e3c45154912e827140fef5d11a569c3c556eebee05f970f106ac73d

C:\Documents and Settings\User\Local Settings\Temp\Awp.exe
C:\Documents and Settings\User\Local Settings\Temp\Aws.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: e2e8572ded81be9d1aa7995d8c351f81
SHA1: 15044762df2a227847d9babc10edd07c0f6a66cf
SHA256: dc02793920e1e93281dfb7eae896eeeee6c90bea6eaed3c564a6d709b4b8beeb

C:\Documents and Settings\User\Local Settings\Temp\Awu.exe
C:\Documents and Settings\User\Local Settings\Temp\Aww.exe
C:\Documents and Settings\User\Local Settings\Temp\Awv.exe
C:\Documents and Settings\User\Local Settings\Temp\Awy.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 0c712f145198a8aa7a6b052fa8f6adaf
SHA1: 0cbad28459d4d2cf1a255c87984ba3d72acb395b
SHA256: 23007d9b5b9de1a5b52df7ef64227ad4fcfeb2562d1e7f797fe8f280f737d5a7

C:\Documents and Settings\User\Local Settings\Temp\Ax0.exe
C:\Documents and Settings\User\Local Settings\Temp\Ax2.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 4a8c81b4b2260391a04b80baba90ba5e
SHA1: be19028e87ae99ac558067c20fd3fc1960cbc1a6
SHA256: 67659901fd8c1ffbe437ba8d4390b57e9bbf009c7ae32a765543af0d95634b7e

C:\Documents and Settings\User\Local Settings\Temp\Ax4.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 87b1dbd168961aa9f367cf47fdc62988
SHA1: 736f5a11a2008896d10049344594e8fabda7d54a
SHA256: 6efb1227c252d3ab6354f28a7aa3689c2dbf87860a2cb10b42741c90a067b20c

C:\Documents and Settings\User\Local Settings\Temp\Ax7.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 3d0242bead59c0e411da0fa48d560dc8
SHA1: 97a983e79e23778577ca925c31dca900d300e511
SHA256: a050ff24a952f6959f6c1bccb4bdf0307233d321af676f2ae83e1433db9c617c

C:\Documents and Settings\User\Local Settings\Temp\Axd.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 7d0a244d1b482bc2ade6249e6f38dccd
SHA1: 5bac5f80efa0267e0916537708ac8d70f57a0729
SHA256: b277d44bbcaf99667701db4c205660adda263256848ba82091ae3ce8d5e7051b

C:\Documents and Settings\User\Local Settings\Temp\Axc.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: e25e0ce26fa9147330f35cb1002f461d
SHA1: 640d08b6b3ddc8722778595e61d764b28b28d37d
SHA256: 6b932151d0e580a40993758cb40b84166ad57f09778ec0519def74f6e055074c

C:\Documents and Settings\User\Local Settings\Temp\Axh.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: c7fd6eb933b42ff22d06e53984b9f3f5
SHA1: aa1826d37bab9228b6d7469106db81e37f955dfe
SHA256: 48d405af569f510fe0c4f8d33d5e9913d141f7c8fb7dc6215ccd68cf9c271e17

C:\Documents and Settings\User\Local Settings\Temp\Axl.exe
C:\Documents and Settings\User\Local Settings\Temp\Axm.exe
C:\Documents and Settings\User\Local Settings\Temp\Axo.exe
C:\Documents and Settings\User\Local Settings\Temp\Axs.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: b8d7b5a3eee00cc5ab1da4525425a556
SHA1: ef511c878c09ab8807382c5e89dec0dbadd6ffd1
SHA256: 84690f3b61efe7da6df95f96eada9a605053bab0b29dfa979aa5bfdcd3c38de0

C:\Documents and Settings\User\Local Settings\Temp\Axt.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 54d2896179966a13f4faa1bc73284fe8
SHA1: 0dd47e84e774ba3c2ccbb0dd47fcf563f19fb76c
SHA256: 9e34556b380a213ee47b037ceefc32b77fe6fc12478dbf36923fe1d3464306b6

C:\Documents and Settings\User\Local Settings\Temp\Axw.exe
C:\Documents and Settings\User\Local Settings\Temp\Axv.exe
C:\Documents and Settings\User\Local Settings\Temp\Axy.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: c806961cb1d8b43cbe1df13eedc1039c
SHA1: ee8fd861e61d13c1ad32e048df3e3a08facba028
SHA256: c113fa1ff0917a258aa00fa6ffff8ee1653c6a805f550fa957683279a0e8f3ea

C:\Documents and Settings\User\Local Settings\Temp\Ay1.exe
C:\Documents and Settings\User\Local Settings\Temp\Ay2.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayz.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 2fe6e5e992e6add810c4ebf11f67ca19
SHA1: 2577a1c2c55abb675002ba409bba1e79d506fd9e
SHA256: 19c5006518eedda2e60989af9e69905cbb5555d6aa6f872cd576ff51ed0b2b03

C:\Documents and Settings\User\Local Settings\Temp\Ay5.exe
C:\Documents and Settings\User\Local Settings\Temp\Ay6.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 7acb91210a4593477d3ae25ccdd2c6eb
SHA1: 5d8d59f03a932cd1306cd3f6c0f8f328a10ea47c
SHA256: a7d0dae8bbc77e937a72ef35587674c74d0579137de8cd74757e4e98a2055ee1

C:\Documents and Settings\User\Local Settings\Temp\Aya.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayc.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 7075e82514e5bdbcf08c339bc3f8186b
SHA1: 8eadd811dabb107f7b16bdf5db0201c2db981520
SHA256: d2c4a5f1c1c1f7ea88bc49be6e22256a6dc13555f7210c43ca29a8c02a6f57b7

C:\Documents and Settings\User\Local Settings\Temp\Ayg.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayh.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayi.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 34ee2b4d290baeac072d066484c85eb9
SHA1: 9882c2b173318e915bc0c18c58a76fba33b1dc41
SHA256: d98051313f9fa5139308b316451c829dcba9e3e2e7880fcda4cc074aa897855d

C:\Documents and Settings\User\Local Settings\Temp\Ayk.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 38f0f631c6557f35bbb0b6188ffd7148
SHA1: ebd8c6db3034605a985486ebca9dfe601c110787
SHA256: 8961d4f8448e8d5e5f249cf8ae785411a2443d02fa382ead0a6c1ba112e44a0c

C:\Documents and Settings\User\Local Settings\Temp\Ayn.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 5ff04f8d606da3f001761a71d2e3452c
SHA1: dc050d9289e80facd2a43d48a6afc8c293981521
SHA256: 5f634b0411a79f705c21ce4b7c1f024615573fc6077f94029a365ad53b37ecba

C:\Documents and Settings\User\Local Settings\Temp\Ayq.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayr.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayt.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayv.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: 6cb01f858f0cd82a3e273ccdfa93bfa2
SHA1: fa7472e6a80a202511eb9d7401b2d55606cf86b2
SHA256: 883a50d6fab16a35aefd5f10c2deb80458bfea2a8461b70af7280fe84a8e84c8

C:\Documents and Settings\User\Local Settings\Temp\Ayw.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayy.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XPM|%idn%=0ad999c6a7c0f000|
Filesize: 184320
MD5: be6193aec5cf1d9c4b40158eb77c08c2
SHA1: dddfce8291a5691670adfd597a4f111509f95d1d
SHA256: 15900f35f4921a4edd6324ca8756ee87aed0d1a2ed48ca280a8b913d0541a1c1

C:\Documents and Settings\User\Local Settings\Temp\Ana.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASJR|%idn%=0b3665f766b0e000|
Filesize: 159744
MD5: c0f627d01cd3a0d18cae01f18b0d81ef
SHA1: f4528ec4c3f5fff75fed82ba100fbd9a849df34f
SHA256: cd7c903e8bf28cb68d609d03ee365ae58c76af6f30f835639b5b3fa1819824a6
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Ana.exe]"

C:\Documents and Settings\User\Local Settings\Temp\A2h.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ATYF|%idn%=0b3665f766b0e000|
Filesize: 181248
MD5: 1c1ffc8a952edd47b3fdcb2eadde6e2f
SHA1: 37ff54011754595d1cd585b22ac6bf0a1fb664c1
SHA256: 0240f8e888dd10996becdb192e5bc13b588f413345ad983e6d513bcfda94405d
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of A2h.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Ap2.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WRN|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: 6e82385db6d26baa83759207b18af131
SHA1: a2ddeaed0e1f5cf0a62b0748cc67606f56b86cae
SHA256: 1608f65baae1a7aa64fefba9bb7a44a1df242829ad6b726ce93ec2ab2b96d6f1
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4af4 start with 2f 11 31 a5 ...
When the 16 bytes at 0x4af4 are set to 00 the checksums of the file are:
MD5: 9b52123e7df4885c1571fc42d73574d8
SHA1: 988993ad46c6070e46e38782a570d101e86a6b5c
SHA256: f024d5a43f5d407454efeed7f1618f9c364f43a475ff121219b268629f842c06
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Ap2.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Ap4.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WRN|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: a26bbe4816fad8ed0aa1e8c4520befbe
SHA1: 46ebf622286e3e1561f5ca936c2e2a081604b69c
SHA256: fc6e43ad99ccb866a9fa6a4ae8fdff0d1c24c01f8a50d7ee3cb56feaa9aefa95
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4af4 start with 90 e5 6a 5f ...
When the 16 bytes at 0x4af4 are set to 00 the checksums of the file are:
MD5: 9b52123e7df4885c1571fc42d73574d8
SHA1: 988993ad46c6070e46e38782a570d101e86a6b5c
SHA256: f024d5a43f5d407454efeed7f1618f9c364f43a475ff121219b268629f842c06
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Ap4.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Ap6.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WRN|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: 9e99c5d7a4f01749cc4ce8f124d0be13
SHA1: 4e0146e51afb46b886eed0df9042b7698baf91be
SHA256: 7802d14b777981cbfbd72a0c0b9df37e782120d26d8fbc4f1ed14dd08a4a29b4
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4af4 start with 82 2e 6d 00 ...
When the 16 bytes at 0x4af4 are set to 00 the checksums of the file are:
MD5: 9b52123e7df4885c1571fc42d73574d8
SHA1: 988993ad46c6070e46e38782a570d101e86a6b5c
SHA256: f024d5a43f5d407454efeed7f1618f9c364f43a475ff121219b268629f842c06
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Ap6.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Ap9.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WRN|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: 2d5b2598a622b7777b205dd50ba61c00
SHA1: be317d770a5c13c9a1150d35e8823c9069895adc
SHA256: 17ac5ef168aba6809300582e354375fb0b365ac8b13002aab92ac914407f60ae
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4af4 start with 06 d9 5f b2 ...
When the 16 bytes at 0x4af4 are set to 00 the checksums of the file are:
MD5: 9b52123e7df4885c1571fc42d73574d8
SHA1: 988993ad46c6070e46e38782a570d101e86a6b5c
SHA256: f024d5a43f5d407454efeed7f1618f9c364f43a475ff121219b268629f842c06
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Ap9.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Aqb.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WRN|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: 2d62237181046764e893fd2052fa517c
SHA1: 403f1a4c88d02787df5cf3515ca908f56b1fe46f
SHA256: 792131246f062ef213398ffdd5f41bb955f70e0eccf97e2b25b7d54bdc123c19
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4af4 start with c4 14 ee e2 ...
When the 16 bytes at 0x4af4 are set to 00 the checksums of the file are:
MD5: 9b52123e7df4885c1571fc42d73574d8
SHA1: 988993ad46c6070e46e38782a570d101e86a6b5c
SHA256: f024d5a43f5d407454efeed7f1618f9c364f43a475ff121219b268629f842c06
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Aqb.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Apw.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WDZ|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: e3e863a95915f2ece5f350534e03f876
SHA1: c98bf95a88197dbc31d956ffa22dd9abc854703a
SHA256: ce81596ac1e9f165f186574036ce8280de7c9a4695b17bbc30888f24c76569c2
The 16 bytes at 0x48e2 start with 16 8b 3f 52 ...
When the 16 bytes at 0x48e2 are set to 00 the checksums of the file are:
MD5: 2515cde2465364889f2909d1da75e958
SHA1: 1a18ddd984665606120fe089f788baa7f4005499
SHA256: 641a4fda030734d4d5895a903b1bf3528c67659e7e5f3a027aaa8bb0729bb2c4
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Apw.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Apz.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WDZ|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: 7d5e99277d64747f78dd3e5bb6ec7fd5
SHA1: 7f0374ad3f9a5b3e8df4b37379c60cf471e07345
SHA256: ce65e7874853801ab3685163caadac4943d77eb9ba44df7d3d3bcf0c4aad2eb3
The 16 bytes at 0x48e2 start with f7 8b 3b 47 ...
When the 16 bytes at 0x48e2 are set to 00 the checksums of the file are:
MD5: 2515cde2465364889f2909d1da75e958
SHA1: 1a18ddd984665606120fe089f788baa7f4005499
SHA256: 641a4fda030734d4d5895a903b1bf3528c67659e7e5f3a027aaa8bb0729bb2c4
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Apz.exe]"

C:\Documents and Settings\User\Local Settings\Temp\At8.exe
C:\Documents and Settings\User\Local Settings\Temp\At9.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 230166d5288097de07537e180beeda00
SHA1: 0c92f6a42a35d9ab7095bef2ab24f8b129c399b7
SHA256: 05580221ca755844d8da3663ea1e650af1c58acb22b8ad01571a3f7e65af407d
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with c7 5f 95 8d ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of At8.exe/At9.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Ata.exe
C:\Documents and Settings\User\Local Settings\Temp\Atc.exe
C:\Documents and Settings\User\Local Settings\Temp\Ate.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 6b93f278ba8359dd18d311da2e9806d7
SHA1: ac9131b607fed61c3eeea47a3bd2909fa548f471
SHA256: 4a59b8584a5cf302a7d8e81e055d847ae735d79bb9245b1b8e524f9797747127
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with b8 bc 61 02 ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Ata.exe/Atc.exe/Ate.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Atg.exe
C:\Documents and Settings\User\Local Settings\Temp\Atj.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: ebea2d5f882213a4cc42d085a149f0cc
SHA1: ec0dd430545060786bce5807da1c8e737097a25f
SHA256: 77797e3d296359014f486298c1d8bd9e523889587cf0ba2f64e2f9c9b38f8504
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 3c f0 bd 72 ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Atg.exe/Atj.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Atl.exe
C:\Documents and Settings\User\Local Settings\Temp\Atn.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: ddf032bd9cd644dda8319cac40bdec11
SHA1: 08e81a16060fea8f81805d1e03080ebbda38150a
SHA256: 34a8f78b9b934de53093f43597941d65df803f30fc055b3298ea8986aae1bd02
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 18 7e b5 fe ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Atl.exe/Atn.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Ato.exe
C:\Documents and Settings\User\Local Settings\Temp\Atr.exe
C:\Documents and Settings\User\Local Settings\Temp\Att.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 43a9fb56f47e9cc72ea3d11b9abcab14
SHA1: e3410d2ba3d226209c8a4a8dd6d6501b8377bea7
SHA256: bb4dc5052006d4f04c4388da69530e351217f35fb7065be33453e0d2cbae6bfa
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 6d f2 6d 6e ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Ato.exe/Atr.exe/Att.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Atu.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 6cf47238b446b3df02a928602182ce55
SHA1: 138f21ea92ba54ea9da9e2ea48b55ed737f5278f
SHA256: 8746d874dcf0e5e1d3dcda8c5d3fd84274a04b38a217bbf2bdc2b51a7ed385d0
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 31 eb 5f 5d ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Atu.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Atx.exe
C:\Documents and Settings\User\Local Settings\Temp\Atw.exe
C:\Documents and Settings\User\Local Settings\Temp\Aty.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: ef5f1473f62e398de7ff7661d56298a3
SHA1: f314599fe683c8df62293f5a58cd05426d8074c1
SHA256: 07aecae52a7d6d3f4c50290c1edb9ad8005dc659a5c3b2fc548719ee61459f5d
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 7c dd 47 3d ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Atx.exe/Atw.exe/Aty.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Atz.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 943083077d6ab0ceae5885cf98b7715e
SHA1: 9364455b28a2eaa7f183831880a4ba3878573407
SHA256: 1f265b5edea833a4c6016450104d420e9ba6bc6dbd7d92d14b5879c79d35b66e
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 18 31 5b 36 ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Atz.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Au0.exe
C:\Documents and Settings\User\Local Settings\Temp\Auw.exe
C:\Documents and Settings\User\Local Settings\Temp\Auy.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: ee67935cc5f33283e9fa73e5a06fecd4
SHA1: 94cc0e5dc310c66e2238af35884cd2b6eb858a4a
SHA256: 25e90c96a7f8c08253921d137d81faa24ab593089f6f1de45dfb264545908d28
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with bb 38 26 ae ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Au0.exe/Auw.exe/Auy.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Au1.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: af147c926799ba9534e933e8dcab4d67
SHA1: 4b8555a3de47d357e6769e102898a85556b3f99f
SHA256: e2e32a317e24d757a2b1202bd904a187775163f451cf060b5439799a6c1f31f4
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 66 1a 8a 16 ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Au1.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Au4.exe
C:\Documents and Settings\User\Local Settings\Temp\Au6.exe
C:\Documents and Settings\User\Local Settings\Temp\Au8.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: aa9ddcb6df573647107d1e1a9ce0d03b
SHA1: 50c529fffbad189a12e00e7f06f61f5fec90ac07
SHA256: 3041394be40dcd337aa87d584c17b0c528402e03732a63067241df897aaebcd6
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with d4 02 79 fe ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Au4.exe/Au6.exe/Au8.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Au9.exe
C:\Documents and Settings\User\Local Settings\Temp\Ava.exe
C:\Documents and Settings\User\Local Settings\Temp\Avb.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 3af66d08d0e880f49e3a56f50a97c31d
SHA1: 792dc195662ce6b6c44b5f42ab264b8239ddf218
SHA256: f73741b2be9b7a4dc76fa5b7125d043b50c6f5a61da38fc4974aa55c3c53eda4
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with d4 02 79 fe ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Au9.exe/Ava.exe/Avb.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Aub.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: b007abc9f85f8b0f230fefd2f2606493
SHA1: 65a1a9439ab1514ec5211d1e3a17511019805f5f
SHA256: 5c90196cfb92ce1e97b6fa2450a67fe886f498c200cacec244a062fb92efbd31
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with e2 98 29 fd ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Aub.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Auc.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: a8d46afb63558ad99c69c190ea34a157
SHA1: 79d7dd9fbf984c0915ee517737d450b48fdabe43
SHA256: 0e45874782904d9d723f4e60f177147d63b8b1193754309719a4bf398d8217d6
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 16 f1 f9 16 ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Auc.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Auf.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 3d854f353a48bcc6bf83934b8e3f0a41
SHA1: b60769dbb1bbfbb4105501aa08ca82cd84fd0ac0
SHA256: a880c46a14875f081542030ba25654f06bab648828db621f3f30e737d0c3bd5e
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 32 6b c9 c8 ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Auf.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Auj.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 6595abd437420529e0a303f322547c57
SHA1: 8b0fa95eec81383cebf118311e71bade6aba8e50
SHA256: 2738c5dab674ad2e64354589bc6b617333c409e2cd8b03983181f7b46dc73112
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 42 a5 9c 1e ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Auj.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Auk.exe
C:\Documents and Settings\User\Local Settings\Temp\Aum.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 80c1825953fe20555ecc3f5990e1ea96
SHA1: 4b188a760df2c04c130459417b2517fa4026af65
SHA256: 45f36206dab076433f79898c439354affc07bb7c3075aa97ac0c68c63528bfde
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 85 5c 76 32 ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Auk.exe/Aum.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Aup.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: e5b61c0eefdc5eb3195e730afe46d9e4
SHA1: e44cca39006259657023c579b3b4d35e7d4f8066
SHA256: a5767e0ebf0388c263fd32e686d4ffa848d51a83f89f6c08184e4780e6123655
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with f9 4c ff e4 ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Aup.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Aur.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 6e9a3b229a3813bd0866033ae29ba3c7
SHA1: 1c49800982e129ce9a2b1df200540736b3425d15
SHA256: e4f4ea0478e99316d633a9412bdc6d870e6e5386c53867dc1299e786e923fc1e
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 3d c2 1e b4 ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Aur.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Aut.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 370867e61ac24d61066b32bbe6563b53
SHA1: ca545f60723eca146a0b761e116dd750c1f803be
SHA256: a4d88dbbd69c7e21a414b45a28809bd23887a2a66d86483add210bfb78887864
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with b0 25 22 ae ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Aut.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Av0.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 96b4e283dd6140a3745dd3eb84e3022f
SHA1: 6ac7d293b122b06b48897a444c976c661c2c1bb7
SHA256: b77c568b4c788a25748dcfbbe7536306ea57dcea7099780e947192aca4124d04
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 4a 9e 9e 9a ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Av0.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Av4.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 582b72253524fa2766ed91acc57005ce
SHA1: b357fa802ea973ac5d927a23d5be79de75daf998
SHA256: 9a12a086bca8015ba85927c29cab79b6546cfec1818210d2be263bb488c981cb
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with f4 88 0f ac ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Av4.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Av8.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 35c957d9c73368b11761bff945966ac1
SHA1: 5c9925b8c44ac1eec87d1ce5a16016e3b9785844
SHA256: 18ada800ad1f29c5a6b80e8a79a1eb7ca9c3e63e3e0ecbf8485b19d1f84609f8
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 6c 05 05 8b ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Av8.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Avd.exe
C:\Documents and Settings\User\Local Settings\Temp\Ave.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: a69bf41f0599f23cc7262159960bad5f
SHA1: 043ac9210aa4d9a065b5c2a3a4c77009f28ecc9a
SHA256: 90e820a21c6a37545376b6ce06d8138a78b74a2dacae9887129d87367146b11c
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with d1 b6 f2 eb ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Avd.exe/Ave.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Avg.exe
C:\Documents and Settings\User\Local Settings\Temp\Avh.exe
C:\Documents and Settings\User\Local Settings\Temp\Avj.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: a7088f852ab6edf2c7de4c9f23583848
SHA1: b1fd4ec3d324976f67e003d559353114de786f86
SHA256: 6146661b0f7fe5f2c412022e79a4563511d85a0a19d46fc3bf86bc73b1c5dd84
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 5b e7 59 9a ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Avg.exe/Avh.exe/Avj.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Avk.exe
C:\Documents and Settings\User\Local Settings\Temp\Avl.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 05dceefe7447ebd7f36141dc49011d87
SHA1: 3af077b1d52d0566538fc231a158152f621e707a
SHA256: 3c33636a56b3ecc3ff7076a38efe0656daecab2bae1da2aba14e4bd4feb706ba
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 5d ff 0d bd ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Avk.exe/Avl.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Avn.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: e3eba7e10f46e6a18e4f61d518524b29
SHA1: 1002daa1498a07922f2a8a4425e3a6408283558d
SHA256: 209f3cb473738cfed790daa3a5fd4b0200dce47c7a9489390d8bdf1527698bc7
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with cc 34 a1 6c ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Avn.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Avq.exe
C:\Documents and Settings\User\Local Settings\Temp\Avr.exe
C:\Documents and Settings\User\Local Settings\Temp\Avs.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 9f8d89591c78e0cb656371d54fa2e3ff
SHA1: 130f74f3bc4461763aa3a8cecd7b3b06a26d7ff1
SHA256: 9a7c036fa29b908db57e0dbbe659c23e65c737298815a9694a7f56dfc42175d1
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with 05 33 49 1e ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Avq.exe/Avr.exe/Avs.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Avv.exe
C:\Documents and Settings\User\Local Settings\Temp\Avw.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: ddbf94a3c74ebbb6ec992e60181fae99
SHA1: 2b0cc2e7d0d95a69efa186fc036140a2ec48a58c
SHA256: d41afea461fdf3ab5f98d758df10bc715e83c1da483279cba132f5da397f3433
Appears to be programmed in Microsoft C (MSVCRT.DLL)
The 16 bytes at 0x4948 start with cd 23 6e aa ...
When the 16 bytes at 0x4948 are set to 00 the checksums of the file are:
MD5: 5260fbd5c94232fcc4d6e69517cf2a86
SHA1: da987a5e36b46403a036647febecf4cff209294a
SHA256: f705c338c5f9e16a9b25a761e65f5a97332025cc78e4b7f5e959c28e887d4a73
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
QxyT = ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Avv.exe/Avw.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Al0.exe
C:\Documents and Settings\User\Local Settings\Temp\Aly.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TWT|%idn%=0ad999c6a7c0f000|
Filesize: 158720
MD5: 2e8633e0530cb03784ecab4d79e274e5
SHA1: d8961957776543d47c4b2160ab133587be94cb54
SHA256: bfb6dce3410e4a79150a3cdc897dd1022172c03d426db9b84332ffd9ebfb4236
The 16 bytes at 0x260b2 start with ed 3e c7 b5 ...
When the 16 bytes at 0x260b2 are set to 00 the checksums of the file are:
MD5: 1ba95a1db72dbdab78bf2cdf391cae5d
SHA1: c15b2597221e8b57199512e9ef5ef38db8e2d091
SHA256: c9eec5bbd5a78d01ac7ffd4161a97769c3b5dbb2d6c798ee37844d25812be4e0
Modifies the file: %WINDIR%\Tasks\{66BA574B-1E11-49B8-909C-8CC9E0E8E015}.job (hidden) to schedule execution of itself (every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\YVIBBBHA8C
New registry values:
[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
YVIBBBHA8C = "[location of Al0.exe/Aly.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Al3.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TWT|%idn%=0ad999c6a7c0f000|
Filesize: 158720
MD5: 29629e035a8bbbee445901685352e6f9
SHA1: c72f7dcdf133fb3412c294b6f127db4a0d11b543
SHA256: 0421dd78c3a5890515156a82d5476b6f535a0beeb694067801c9364eed485e5d
The 16 bytes at 0x260b2 start with 92 8d 99 a8 ...
When the 16 bytes at 0x260b2 are set to 00 the checksums of the file are:
MD5: 1ba95a1db72dbdab78bf2cdf391cae5d
SHA1: c15b2597221e8b57199512e9ef5ef38db8e2d091
SHA256: c9eec5bbd5a78d01ac7ffd4161a97769c3b5dbb2d6c798ee37844d25812be4e0
Modifies the file: %WINDIR%\Tasks\{66BA574B-1E11-49B8-909C-8CC9E0E8E015}.job (hidden) to schedule execution of itself (every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\YVIBBBHA8C
New registry values:
[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
YVIBBBHA8C = "[location of Al3.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Al4.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TWT|%idn%=0ad999c6a7c0f000|
Filesize: 158720
MD5: 00d8c8834b1211b2acae3c0981c7814e
SHA1: 32223e245fb3bdda42d742b00eb07406b9ff13c6
SHA256: 2f549eb988e0b68bb2a0aaf615c4e8fc67c41ad1101e0bc6e2dace66b6d9c391
The 16 bytes at 0x260b2 start with 79 2e ab 1f ...
When the 16 bytes at 0x260b2 are set to 00 the checksums of the file are:
MD5: 1ba95a1db72dbdab78bf2cdf391cae5d
SHA1: c15b2597221e8b57199512e9ef5ef38db8e2d091
SHA256: c9eec5bbd5a78d01ac7ffd4161a97769c3b5dbb2d6c798ee37844d25812be4e0
Modifies the file: %WINDIR%\Tasks\{66BA574B-1E11-49B8-909C-8CC9E0E8E015}.job (hidden) to schedule execution of itself (every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\YVIBBBHA8C
New registry values:
[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
YVIBBBHA8C = "[location of Al4.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Al7.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TWT|%idn%=0ad999c6a7c0f000|
Filesize: 158720
MD5: 988cc6545c42cb91bb7d21bdaea07b51
SHA1: 46f8b56aea97fa552d8f274dfa12323dfcc19573
SHA256: b9fee7058d85133236c34b9da0585a38cb716413ea3d1ef216be803506082413
The 16 bytes at 0x260b2 start with 02 62 02 f7 ...
When the 16 bytes at 0x260b2 are set to 00 the checksums of the file are:
MD5: 1ba95a1db72dbdab78bf2cdf391cae5d
SHA1: c15b2597221e8b57199512e9ef5ef38db8e2d091
SHA256: c9eec5bbd5a78d01ac7ffd4161a97769c3b5dbb2d6c798ee37844d25812be4e0
Modifies the file: %WINDIR%\Tasks\{66BA574B-1E11-49B8-909C-8CC9E0E8E015}.job (hidden) to schedule execution of itself (every hour)
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\YVIBBBHA8C
New registry values:
[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
YVIBBBHA8C = "[location of Al7.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Alw.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TWT|%idn%=0ad999c6a7c0f000|
Filesize: 158720
MD5: 943b1d3d5d6e0a14169cb256dbe1dd0c
SHA1: 2ae9c2012fa7df34793ff9803f1e75d0f4f4b457
SHA256: 03ce1ccc001f63bdb8e0572971e090bb80b8525459c0e65e49426f01cd4a2d21
New registry key: HKEY_CURRENT_USER\Software\YVIBBBHA8C
New registry values:
[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
YVIBBBHA8C = "[location of Alw.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Ama.exe
C:\Documents and Settings\User\Local Settings\Temp\Amc.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TWT|%idn%=0ad999c6a7c0f000|
Filesize: 158720
MD5: 4d93c75aa1468cb465b3e620e0257712
SHA1: aee137c4b3982e0f795c203e8e89aa024fc4cf96
SHA256: cd9a468b775a6b240387e93fae9b02d744fecba82766a5c8acbe9ec17fc52ac7

C:\Documents and Settings\User\Local Settings\Temp\Amf.exe
C:\Documents and Settings\User\Local Settings\Temp\Amh.exe
C:\Documents and Settings\User\Local Settings\Temp\Ami.exe
C:\Documents and Settings\User\Local Settings\Temp\Amk.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TWT|%idn%=0ad999c6a7c0f000|
Filesize: 158720
MD5: 16b5e038ed93fefbf861357ad3ea9fb8
SHA1: f11e63e27b033407a6d1c43999b3b2e314df5b4f
SHA256: 775e3ebf761b62b35df1c6299c3993524d2634f57d1e578aa9c45f718dabeb5d

C:\Documents and Settings\User\Local Settings\Temp\Amn.exe
C:\Documents and Settings\User\Local Settings\Temp\Amp.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TWT|%idn%=0ad999c6a7c0f000|
Filesize: 158720
MD5: 69d3dee823a5c7b28ac1bdd418dd4142
SHA1: e72bb3ca2889741172d17ce2b583cf603508fb97
SHA256: a9d85c41f695df630ed7bfa977323a625f95d87885930d2caf2b5a95ba1e71b8

C:\Documents and Settings\User\Local Settings\Temp\Ams.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TWT|%idn%=0ad999c6a7c0f000|
Filesize: 158720
MD5: 9054a33ac22994f2e78c7c7b57be8a5f
SHA1: d0a050ca164fd64f5edf96a2f472116ef5d42e46
SHA256: 31162b212c9400e7da5a90a16fbaf897b54a6fca40b43756d7bca21ce6468a53

C:\Documents and Settings\User\Local Settings\Temp\A3j.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP340\A0039422.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.CDFM|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: 7996cbedaff620c5e24e1a5f97e52b4c
SHA1: 5739f5e31f407aabf0a49a674186f697a25b1eda
SHA256: 4025e355d67bbea3bd8a1dc0eb6a1170433b2ffbfdbda040fcc9782982df5ed0
Copied itself to: C:\WINDOWS\Adujo2.exe (filename varies)
New registry key: HKEY_CURRENT_USER\Software\V71IQL7HI7

C:\Documents and Settings\User\Local Settings\Temp\A3h.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039460.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BXN|%idn%=0b367998dd66e000|
Filesize: 178176
MD5: 4fc102474d5130618d7c8018a37a876e
SHA1: 1513bbb92cf813d33fa159b0fb5ff695808a214c
SHA256: 7f7181e05b97529d9178d33214b7d923a3fd6d31eabe0bf23102de3a4356dc5d
Copied itself to: %WINDIR%\Adujo1.exe (filename varies)
New registry key: HKEY_CURRENT_USER\Software\V71IQL7HI7

C:\Documents and Settings\User\Local Settings\Temp\A22.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039482.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CNQQ|%idn%=0b367dd99d353000|
Filesize: 123904
MD5: 0d8214a5171e89d2ef793ca333f8dd8f
SHA1: a78dc2dbbf98d74615806f77eba9ea82fd4684c3
SHA256: ddc5638377c4858eef40699582869923854e759c4d11f83cd5c2c56f857687c5
Copied itself to: %WINDIR%\Adujou.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)

C:\Documents and Settings\User\Local Settings\Temp\A3f.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039461.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.CBGQ|%idn%=0b1cd9f766755000|
Filesize: 176128
MD5: cae1211acf867a69c8eb0f9a61b2c8ab
SHA1: 21f4815194e242eac3228210af0ebb1b74df2dad
SHA256: ae80f046d66222d3fe076a7a44b4cc06513c5f76b7f60770a0f55fa74848fe0f
Copied itself to: %WINDIR%\Adujo0.exe (filename varies)
Modifies the file: C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself

C:\Documents and Settings\User\Local Settings\Temp\Al2.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039462.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BSUA|%idn%=0b1cd9f766755000|
Filesize: 162304
MD5: 06dccfd22a420e4d9363c34ca6e1dc8b
SHA1: 7155d748d4215cab844fb3c4dc158c1d655074e4
SHA256: e2184b8a7b0a293ca2ad2ad79aef29d0bb7a31a121418abd358d91242d66e7fa
Copied itself to: %WINDIR%\Adujoa.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\A29.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039485.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.CABM|%idn%=0b1cd9f766755000|
Filesize: 201728
MD5: 35af945835ac6d7c05bfd1f5bbcca47f
SHA1: 904ff6fd454cf032eb917a15eb0a2b309f17522b
SHA256: d666e07570168410a8714ff7adac72c35f4aee23148b439a727ec33c665ad820
Copied itself to: %WINDIR%\Adujox.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\A2z.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039480.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BZJC|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: e153964004e881804f2c51921b355141
SHA1: b8bb4c73226783b72203a7adf8080c9f5cae3447
SHA256: 2634540a4ae09cf913db0162ae636d93712d36780010bc396bc96c8ff7244175
Copied itself to: %WINDIR%\Adujot.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\A3a.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.CABT|%idn%=0b1cd9f766755000|
Filesize: 184832
MD5: f2751de680af59d0fe9addf2a406f3b4
SHA1: 828f7b99f564764d081bd29ada03e39c699ab26f
SHA256: dbe56d360731d4719fd9ce8247a5f6f7b3d3becabd1e520022a407816292ea08

C:\Documents and Settings\User\Local Settings\Temp\A3b.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039486.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.CAMT|%idn%=0b1cd9f766755000|
Filesize: 167936
MD5: 8c5f94ca0901bd46fe17778894075d6a
SHA1: 7873013b8181614e9bf44ffba45006a1ac4553ea
SHA256: 5790e67f425990e72524a1b2405494eac2d7144c9c357f61931cad71824b283e
Copied itself to: %WINDIR%\Adujoy.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\A3d.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039487.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.CBGQ|%idn%=0b1cd9f766755000|
Filesize: 176128
MD5: b4ddbaa20242a72d341ffeb6b2dcbc23
SHA1: a7e7a951bb71252ad7d5ff5b8b43dca1aa6c8d70
SHA256: b297c0215d4028c563a6603bdde544453bd903c882f5212b18daaaab731330e7
Copied itself to: %WINDIR%\Adujoz.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\Amr.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039463.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BKDN|%idn%=0b367dd99d353000|
Filesize: 160256
MD5: 2e1f0482b28cae03be5567d3c164b77a
SHA1: b0f222f3be156d25d11070b46fd8add705e16421
SHA256: fae905d06fe29d35ea868d957560d82605e9d8d71a7dd2c67b48bb726ee2108b
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ay4.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CCMX|%idn%=0b367dd99d353000|
Filesize: 174080
MD5: 181188420fb6e79940f4f6da4ea2abcc
SHA1: 8f9c193aa00ce5a87bde393cb0cd9fa02bf1e6fe
SHA256: ba4de85913d09fd7be9b7bbecc4117e9cd6ba2d7daed6ef504e11085ad75585e
Copied itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
QZAIB7KITK = "[location of executable copied under %WINDIR%\]"

C:\Documents and Settings\User\Local Settings\Temp\Ay8.exe
C:\Documents and Settings\User\Local Settings\Temp\Aza.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CCMX|%idn%=0b367dd99d353000|
Filesize: 174080
MD5: c62b6faf63a48a1b49b29def0cc3f1ba
SHA1: cef1ed95e5ae06a3671722c6409bf20468b93de1
SHA256: 262a06e02c119e71ae262d685cfa7b289df57bee2fb67f6579ec0269673b33f5

C:\Documents and Settings\User\Local Settings\Temp\Azd.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CCMX|%idn%=0b367dd99d353000|
Filesize: 174080
MD5: 41b872f4f587cbe2cbcfa58c9937bec1
SHA1: bd3bf715c1ec35e82d901e0d50b141f2a57629f6
SHA256: 90725693ab02136f49d5396a52234830cbc76bcbcbd6c2a12972cfa8db05990e

C:\Documents and Settings\User\Local Settings\Temp\Azi.exe
C:\Documents and Settings\User\Local Settings\Temp\Azl.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CCMX|%idn%=0b367dd99d353000|
Filesize: 174080
MD5: 7814c18bd62e7a33557adde89ffd1fcb
SHA1: c202e612ab3aef2fb49e387a0bab73c5497e2650
SHA256: a341c3a25053072c816636b4187adc656cfead43e4395cb1050284110d0bf312

C:\Documents and Settings\User\Local Settings\Temp\Azq.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CCMX|%idn%=0b367dd99d353000|
Filesize: 174080
MD5: 2683417ca40f9af9b532a524311dc69c
SHA1: abdc5bcc23848d0809e48620131dff941d977332
SHA256: ae27d5f9187128ff5fa16e5774ec069ead47d29ab2e03cc5a8d809a18e49c3f6

C:\Documents and Settings\User\Local Settings\Temp\Azt.exe
C:\Documents and Settings\User\Local Settings\Temp\Azw.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039476.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CCMX|%idn%=0b367dd99d353000|
Filesize: 174080
MD5: a1a43e4dc2b1d82ecfba0e12c15aab45
SHA1: de1896e5dd566c476eec684e2e033fa3901e695f
SHA256: 008098e0a9be0022660af4aaec3b2d049398f7d60083ee1e074e7f46e16c3041
Copied itself to: %WINDIR%\Adujoo.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\Aq1.exe
C:\Documents and Settings\User\Local Settings\Temp\Aq4.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqy.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: ac007fb058d01d1a1aceb3470625ead7
SHA1: 6c5f21d186ed89628c202902c697269b8cca3cbf
SHA256: 49d8a4ee18352d6d0035f37c6c72ea60f2251a6b79d747f1f32486b6460ff9a0
The 16 bytes at 0x489B start with 6c 2d c0 48 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK
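
The records for the FakeAV.BPP samples give two sets of checksums: those of the file as found, and those after the 16 varying bytes at 0x489B are overwritten with 00. Every sample collapses to the same second set, which is how files with different on-disk hashes are recognised as one build. The Python below is an added example (not the page's own tooling) that implements that normalization and clusters files by the resulting SHA256; the offset and window length come from the records, while the sample files, their salt windows and the helper names are constructed here for illustration.

```python
import hashlib

# Offset and length of the per-sample varying window, as given in the records above.
SALT_OFFSET = 0x489B
SALT_LENGTH = 16


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of a byte string as lowercase hex (the records' first set)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def zero_salt(data: bytes, offset: int = SALT_OFFSET, length: int = SALT_LENGTH) -> bytes:
    """Copy of data with `length` bytes at `offset` set to 0x00.

    Refuses windows that do not fit inside the file, so a truncated or
    unrelated file is never silently hashed unchanged and mis-clustered.
    """
    if offset < 0 or offset + length > len(data):
        raise ValueError(
            f"window 0x{offset:X}+{length} does not fit in {len(data)}-byte file"
        )
    return data[:offset] + b"\x00" * length + data[offset + length:]


def normalized_hashes(data: bytes, offset: int = SALT_OFFSET, length: int = SALT_LENGTH) -> dict:
    """Hashes after the salt window is zeroed (the records' second set of checksums)."""
    return file_hashes(zero_salt(data, offset, length))


def salt_window(data: bytes, offset: int = SALT_OFFSET, length: int = SALT_LENGTH) -> str:
    """The varying bytes rendered as 'xx xx ...', the notation used in the records."""
    return " ".join(f"{b:02x}" for b in data[offset:offset + length])


def cluster_by_normalized_sha256(samples: dict) -> dict:
    """Group {name: bytes} by normalized SHA256. Files too short for the window
    go into an 'unnormalizable' bucket instead of polluting a real cluster."""
    clusters: dict = {}
    for name, data in samples.items():
        try:
            key = normalized_hashes(data)["sha256"]
        except ValueError:
            key = "unnormalizable"
        clusters.setdefault(key, []).append(name)
    return clusters


# Constructed stand-ins for the 174592-byte samples (hypothetical content, not the
# real files): one shared body with a different 16-byte window spliced in at 0x489B.
def build_sample(salt: bytes, size: int = 174592) -> bytes:
    assert len(salt) == SALT_LENGTH
    body = bytes((i * 31 + 7) & 0xFF for i in range(size))
    return body[:SALT_OFFSET] + salt + body[SALT_OFFSET + SALT_LENGTH:]


SAMPLES = {
    "variant_a": build_sample(bytes(range(0x00, 0x10))),
    "variant_b": build_sample(bytes(range(0x10, 0x20))),
    "variant_a_copy": build_sample(bytes(range(0x00, 0x10))),   # same salt as variant_a
    "truncated": build_sample(bytes(range(0x00, 0x10)))[:0x1000],  # window lies past EOF
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        try:
            print(name, salt_window(data), normalized_hashes(data)["sha256"])
        except ValueError as exc:
            print(name, "skipped:", exc)
    print(cluster_by_normalized_sha256(SAMPLES))
```

Run against real files, `variant_a` and `variant_b` play the role of two samples with distinct on-disk hashes that share the zeroed-window hashes, and `variant_a_copy` the role of two dropped files that are byte-identical (as the records show for several pairs). The length check in `zero_salt` matters in practice: a file that is not this build will usually be a different size, and hashing it unchanged would make it look like a unique cluster rather than an error.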

C:\Documents and Settings\User\Local Settings\Temp\Aqe.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: df4e77ebd394499b019c642f230b863a
SHA1: 2725cc43b6463da0159cb3e7f2f80d058cf3b691
SHA256: 10b70d20345a0964eb3726aae86132f6d80f08f93440af587bbbed9c11ca2c4b
The 16 bytes at 0x489B start with 80 7d f3 c1 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aqg.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqk.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 6ff85c7966c0dff54995b6a0a3baf260
SHA1: d6753c7eee00bebf87f4ac41388b49f7172d35b5
SHA256: 59a9367ae309cab1bf382d2a453fb1acb32165d81c4babfdaaf694f7643a3ea5
The 16 bytes at 0x489B start with 03 70 4a 24 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aqm.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqr.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 8fd898c16558bd3a7edf34f5fe3125db
SHA1: 3147796d75654d5c659a401b85bc9422ed0342a2
SHA256: f36fac6a63c542d3f57542afd63326c5a1caed5fcca6b511484b549b6493cabf
The 16 bytes at 0x489B start with a0 64 59 88 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aqu.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqw.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 6063ac2007d925a1e989d6e0534faffc
SHA1: 875b86cba1a47da4647be5e38dc1cca536ebf738
SHA256: 5507f5ab4ed752bfd3d966a17243d78557921424c34b2514dcab56b67486bed8
The 16 bytes at 0x489B start with 44 99 4d ab ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ar3.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: f35d09d9110308e5c42c5462d1aa9d81
SHA1: d27692ea82743c8a441fd42a5caed55a410e3239
SHA256: 71ad552809eae42c1a31eee59085c7d5648fb7326746d61dcb25f0d3b981ec0d
The 16 bytes at 0x489B start with 84 f9 66 d8 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ar5.exe
C:\Documents and Settings\User\Local Settings\Temp\Ar7.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: b556a3e92f114299c2ea627fa89fb7a7
SHA1: dcbc126a1049b149f5927a99be9966ee2f75d024
SHA256: 516ee9f6e68fde02fffdb55a3d3465ddd60fbdca5d1e9131e5859bda619789b6
The 16 bytes at 0x489B start with 22 f2 0a 44 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Are.exe
C:\Documents and Settings\User\Local Settings\Temp\Aq9.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 7bcedfe95416faddde4145957a961366
SHA1: 99c6402c547ab8cdbe6eebd16442c6b7ea9e362b
SHA256: 5a7bc1512df77b93da68a18618b09a93757e17ed5ef6014b8a2a4e03ae528846
The 16 bytes at 0x489B start with 31 2b 27 97 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ari.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: a10563582e29c4132d1b7a7b345167cb
SHA1: 02f9b1afd88a964d4dfa89fa624794837452d41d
SHA256: 7d1c53c7119fa1309234345d8e107cb214e2313cdadeb89854925b719e1cd7af
The 16 bytes at 0x489B start with da 07 2b 34 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Arl.exe
C:\Documents and Settings\User\Local Settings\Temp\Arm.exe
C:\Documents and Settings\User\Local Settings\Temp\Arq.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 1c9cd922cd0da9f241266636bd850cb1
SHA1: 15684729c4c44da8f9da0693bffc13d40e4419df
SHA256: 9a5b91cbc38c6ab25e21ab85498ca5c9499ac070c2b6b4317c5284e3abf8d4ed
The 16 bytes at 0x489B start with 7b 98 8e 51 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Art.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 4ba2dfbcd4e745d7accab017e7c857d9
SHA1: c82685d98cf798d2f16af0ac8096bd29ffe5475f
SHA256: 37abb3802d6648f6b3c3eb3b18bef0b03d7ca31360dc78179b4fa46262d5bc9e
The 16 bytes at 0x489B start with 19 42 76 07 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ary.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: f35d09d9110308e5c42c5462d1aa9d81
SHA1: d27692ea82743c8a441fd42a5caed55a410e3239
SHA256: 71ad552809eae42c1a31eee59085c7d5648fb7326746d61dcb25f0d3b981ec0d
The 16 bytes at 0x489B start with 84 f9 66 d8 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\As0.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 5c214f6afb441e9afde78c5fccd5bb25
SHA1: c5b04383db6c797d1a3da07f1551e3d003b0140f
SHA256: dbaa5f9f3d56703360a5d24b3b75b2413bbf4affc0b5c7832bd2fa1226c65ab4
The 16 bytes at 0x489B start with 05 74 62 26 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\As5.exe
C:\Documents and Settings\User\Local Settings\Temp\As7.exe
C:\Documents and Settings\User\Local Settings\Temp\As8.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 98057780cc93e41cca8023ed1868f1b7
SHA1: e6ade907300b8d52356e24a6c47185e43b4d55ab
SHA256: 6869af762ae5650a08e7be12cc45c9285ff76b95d44357d7d8a4ca5b1723ae57
The 16 bytes at 0x489B start with b9 ba 69 09 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Asb.exe
C:\Documents and Settings\User\Local Settings\Temp\Ase.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: ecb3f9dfde33f4fd1f51d11ab7890a72
SHA1: 21410bc6937a35b280885d152b051433f3bd3da9
SHA256: 8274fb0504d9687e4adf4d8beeb427f60755748504eac8d556157f418dbe52f1
The 16 bytes at 0x489B start with cd 6f ee 28 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Asg.exe
C:\Documents and Settings\User\Local Settings\Temp\Asl.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: ba939dbb44b0ecdcef963473408a93ab
SHA1: 1f73b65dd6892b7bdf330034dc7fa107e291e818
SHA256: 577c3c6850a8c9961a96e776f8f9c44f22f2e6b044d95b8a1dc8040345d65c20
The 16 bytes at 0x489B start with ec a9 d3 64 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aso.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: cf1f470a851e4d16af79b522efea410c
SHA1: 16c5d2cdc0ad23698547dedbd5a1fdd94545b5aa
SHA256: 70f386b3553867653bb903e5184990b183d8d0397424c8081ab615d9ed34eda1
The 16 bytes at 0x489B start with a8 4c 0c 9f ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Asr.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 9a125190adef8f0e3c2d82c50b1704aa
SHA1: d093aa2c74927c93bfff2e354dcae607d74464fe
SHA256: a5df808272efef161fcc87d8b7f0077a3fc1ae83cbc083892b584260d4f44066
The 16 bytes at 0x489B start with 84 db 2e 75 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Asx.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: d9a1e09f8a6cccfb7f54a12f5671802c
SHA1: 3caf9fc8d8ce02d66f5dc4e458d4326779656c6f
SHA256: ca4e3318d13d02bf1ffd10b49c2227c5fd91c33750909873c8d4002bdf682f33
The 16 bytes at 0x489B start with 20 35 fd 72 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Asz.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 5c214f6afb441e9afde78c5fccd5bb25
SHA1: c5b04383db6c797d1a3da07f1551e3d003b0140f
SHA256: dbaa5f9f3d56703360a5d24b3b75b2413bbf4affc0b5c7832bd2fa1226c65ab4
The 16 bytes at 0x489B start with 05 74 62 26 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\At1.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 07c09d842713c1ee381d33431d079be6
SHA1: a1ef17f4aad18064f9dd6007f947a4e3b09703c3
SHA256: 5666283776d612d0bd83a12039ce51023a83faa5e1679cdcdc69708e978479d1
The 16 bytes at 0x489B start with 80 cf 32 ad ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\At7.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 9ca6bdbff9d01a8bea4497fdbbb22ecb
SHA1: 93626806875a70798e0556c4fdd7d2aa5c06e71d
SHA256: 71142b5be4dd79fc4f69fd5f67f1e378c8e2289befd4ecac3844730fec45c56c
The 16 bytes at 0x489B start with c7 5f 95 8d ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Atb.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: b4cb0490ae1323442f47e70eeaa41b95
SHA1: c40116fef4b5388c3f62922a9b82dc315f4a232a
SHA256: e81732a70bdeb1631ce57b735cc4048d8fee817a43c5296bc9577711624d4821
The 16 bytes at 0x489B start with b8 bc 61 02 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Atf.exe
C:\Documents and Settings\User\Local Settings\Temp\Ati.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: c29820f24e1b63a8955df59563a2b5c6
SHA1: c3e6b14ddd360c03f8841f8e7feadea47e9ad16d
SHA256: d2a0c9490221b34c4f26e2d0ce6d1694b2741b83729950dc235b59d82ecbd712
The 16 bytes at 0x489B start with 3c f0 bd 72 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Atk.exe
C:\Documents and Settings\User\Local Settings\Temp\Atm.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: e755c234bd579fc1b6aa36457299aea3
SHA1: 9ed76565d37d46f0e2b3a8699f73d18df76f786d
SHA256: a75661c6af71fa8cf33ae6e6dad545abae854df5b4305edcaafbf0455ebe84df
The 16 bytes at 0x489B start with 18 7e b5 fe ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujob.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Atv.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 45cadb25d6a433cff3bcc5addcc77fe8
SHA1: 2ff498cd639ed0af2de82d0322ee8c46c73e9176
SHA256: fcb9f2de835adaa09cf89845c606d6ac93f6564de853494ae672e5a8b734ade9
The 16 bytes at 0x489B start with cd 38 3c c3 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Au3.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 8b0b58d826adb11c2347d17e68510b30
SHA1: 6f1b79861bb562d8d08813d5a284088f53f1d977
SHA256: 7433565d31797478ad78a53370bdf431a18876fbf708e448ed243f6f168116fd
The 16 bytes at 0x489B start with 66 1a 8a 16 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aul.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: a23fdc736ff319f00303def397767a54
SHA1: 259a65ac21641dd8e02b51fbac4f9fef5be4f836
SHA256: cfc64d8b1e848de37bff171fd533a957e067737b2b2680414508ed5a0ddefa64
The 16 bytes at 0x489B start with 85 5c 76 32 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Auo.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 496d0242efeda05b9dad7fadfed347fd
SHA1: 6e8fc146a6f7e34e1310c0bd8829e21651e1897e
SHA256: afc358e6d0a7591b81fce32eb528e029a948a94499f210188e98a62e7e1e26cc
The 16 bytes at 0x489B start with f9 4f cf e4 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aui.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 8cfcc77109dc2fec2d2352cf1179077c
SHA1: e89e0d8d8d41b21163e12658ba9b208e1c0f0b7b
SHA256: 232a680c30abdfbccff05581ee2a5c1a0db16d76d5f8763d3c7be9b35aaf9d95
The 16 bytes at 0x489B start with 42 a5 9c 1e ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Auq.exe
C:\Documents and Settings\User\Local Settings\Temp\Aus.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: a26a0c11f2927495afc2a5a89fa246a6
SHA1: a1ba79c21f47e60378b95832fb287b019aa06e54
SHA256: 838c62ef0be3ce778e48724f046c3115f2cd27726f5a90113c42934089a6063c
The 16 bytes at 0x489B start with 3d c2 1e b4 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Auu.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: a47dce17e131753265093b602942444d
SHA1: 32a6c1335d375acd8113a8c5f5e3f67269e0b637
SHA256: 5ba188cc46f892b74306f1ea175bb94e91622b46cd2a37c081738232824d3e96
The 16 bytes at 0x489B start with b0 25 22 ae ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Auz.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: af7505a43ec2cf10797f36abf25a3ceb
SHA1: 6d2bfb92e2af845a6cb814caf8ce59383c8e5c46
SHA256: cebcc29514703ed1e41fca899c4438d22375facf65155bda137e8537abf261bc
The 16 bytes at 0x489B start with bb 38 26 ae ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Av1.exe
C:\Documents and Settings\User\Local Settings\Temp\Avy.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: f952e8d6f3793aa6c9958bd8b0418db8
SHA1: 21d3fcef3c9a62dd21531226842ce6da36e5197c
SHA256: 739be12169c977e2e00ba4833e9ca1c950063e2a761a4b1f48efd3ba36c88a73
The 16 bytes at 0x489B start with 4a 9e 9e 9a ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Av3.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 258a1e3a6fc9b4c05a7bfad1a55f59a2
SHA1: d6fa41c2fd4f0dd0d2f8a33b9577b8b7c4d1bd1f
SHA256: 7569baf63b4ad5d87d78d3a3e015213dc813de84d42627deb16140d0f96775a9
The 16 bytes at 0x489B start with f4 88 0f ac ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Av5.exe
C:\Documents and Settings\User\Local Settings\Temp\Av7.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039474.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 138e52b9b8a25124629600c1dd53009e
SHA1: 77b670f81678f41931069325679592f8e947ebff
SHA256: 3c29d59d835a469a4fb8ee612f7121c42085bef9f9cd6641b19031f42dea9e16
The 16 bytes at 0x489B start with 6c 05 05 8b ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copied itself to: %WINDIR%\Adujom.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Avc.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 0595cfa1ab88de54c985436a911c2819
SHA1: 45a8d6479da6487bb296bda4b78d95fe2fff6d93
SHA256: fa50a86039f525f691a7ed85c72fc1b057481cd4bde9b2a59eb498adb0a48cd5
The 16 bytes at 0x489B start with d1 b6 f2 eb ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Avm.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: b799d85b1e5dfa1fa0f43b198e1a8ee9
SHA1: 9551ed9baac451491ef8bd4700ecedb910b3853e
SHA256: 30faed80772a6b6ea77883508e963fcbbc1806f2cc30d502f369f8097ade45e7
The 16 bytes at 0x489B start with cc 34 a1 6c ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Avp.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 0c739d79b7f31a268e81a0767cfd7660
SHA1: 7c756b531ed2d11e09bc808c747cb8ce1a69e122
SHA256: 39570229ef0abd38a8757352b0076d2ceca0478b0c5ca0c7cc273484c47d0819
The 16 bytes at 0x489B start with 05 33 49 1e ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Avu.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 589702142d9e35f5dda82f248644fd67
SHA1: 033473045b3fc2165145c11f6fad4c2aaee663d7
SHA256: 5a8e230d8292222638d42924100100cb98d5aa8c3c730b8917b15032e3cfc0be
The 16 bytes at 0x489B start with cd 23 6e aa ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aqc.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039473.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 1f861aebe9cf43356b83127094c583bc
SHA1: 5dfdc92cb32cb8970bf6a5b3c3de9d8ce7140c6b
SHA256: 7fc98de469e07dec3bd20332bcc76d820ad5a3bf5f2b8e9b679004165160aa19
The 16 bytes at 0x489B start with 11 8b ab 48 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aua.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: cdc452327cc4208961207435fac23659
SHA1: 39248839bb7a7639b82eefe75baf0cc349f0f0dd
SHA256: 53a29babc61edf5f15aea23fab4f4aa5a0a4ff83a7ddf66a43a1b0493df889ff
The 16 bytes at 0x489B start with e2 98 29 fd ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Au5.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 0ffd69fb2f40a98b1001680f79dd32bc
SHA1: f14486f4cd7ff5606c539d176d0ecc7a39295cd1
SHA256: 9e7e387ac0316deea1f251e3e219135ae29c8380477d6ff74c954915b8965625
The 16 bytes at 0x489B start with 27 12 d7 92 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Atq.exe
C:\Documents and Settings\User\Local Settings\Temp\Ats.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: 5552170ed39f79728bd88bfbfd45f336
SHA1: 7893defa593d4a1423ea610ac33e70a8a3237ed8
SHA256: 8937c3bb9d85a44b353af0f35f1e1e221cc1f1cb3ccb1f644691a65f15ec6875
The 16 bytes at 0x489B start with 6d f2 6d 6e ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aue.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: f74696a7cc70869c4e2bafb99535cb9e
SHA1: 1d1f6dfe4390034270a9b5e295ad1664ae10c025
SHA256: 8926635aaa2ce2e6882e1552a37ebf5db8775e4b3afe5a3be49a11f864fd16ed
The 16 bytes at 0x489B start with 16 f1 f9 16 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Auh.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BPP|%idn%=0b367998dd66e000|
Filesize: 174592
MD5: ba4e4f8d01f0477d0ff2b553400fc6dc
SHA1: 12f411ff9842f8761af386e4ea245f1e1a3f3181
SHA256: 78927e9d5631c36160fce9a75066f7a0b1db76a8b6c19aed729ab5f2966e9c5a
The 16 bytes at 0x489B start with 32 6b c9 c8 ...
When the 16 bytes at 0x489B are set to 00 the checksums of the file are:
MD5: 7c40e700cb69323aef8c8ff9f402ae01
SHA1: fd6387f675730dc308438da98cc41aaf2b77fa9a
SHA256: 1941e199484833d6142d1a6c4f63d94686ef7edd28f813c59f159678d5af8f7e
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aw0.exe
C:\Documents and Settings\User\Local Settings\Temp\Aw2.exe
C:\Documents and Settings\User\Local Settings\Temp\Aw3.exe
C:\Documents and Settings\User\Local Settings\Temp\Aw4.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: cb399a2b95f62f3eb40ec572140cefc6
SHA1: e91dfce2d1ddf67fa4f5bb3d3b0a28025e7101bb
SHA256: 80ddc257a7f5f3024b8b8ab46ef8bc52e96ccc9ec6467e882dd6ac479ee01cf8
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with ff 7e a1 92 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aw8.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 6abe029823ec70f0076bc5aeeae51c36
SHA1: 9b12aabc6ef6c7fc40ca0a9503a82fa740f72fba
SHA256: 3835343ae8c57d5b731147a109af9e50b0d9f9e376bbf465b116db2a9ee7ab8f
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 2f 40 6a 6f ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Awa.exe
C:\Documents and Settings\User\Local Settings\Temp\Awd.exe
C:\Documents and Settings\User\Local Settings\Temp\Awe.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: f08c2aa845fc080dbc89cbf4f11b21ea
SHA1: c580e469d2b65c836e7b2b863bf7e0c407a3df2b
SHA256: edbe9aefeabfee37e74c7488fe31871456f0b7f6a0a2b5f35ac9248ae87c8a5f
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 15 22 e7 dd ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Awg.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: febe97991fe1e3a408ceb25279afce24
SHA1: 4d56f423e8fcc5b3ffebeeccda6ed42c613e3840
SHA256: 2870b0f8714013455a4987b8f9551f991fd81f3d6f108b6d202fb928bcc08cdb
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with f9 df 86 0d ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Awk.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 31b23c0315f8be04e07e2fd00f174b26
SHA1: 57a917b4fc0b673c1a0c08baf5a7b8037a5799cd
SHA256: ca737b9aa73447ea960bb7586b8b7cc9fb33d70f5e7dcd9279651db6114a6869
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with ed 31 f6 5c ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Awm.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 833e509918bbb7d63292bba4b56e8a1d
SHA1: e82c985ccded13117062f803005093d0112e52a1
SHA256: 00a917d0644f1c039ed3e33e3e7f3fed78900652ca7787caf210a040198efd21
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with ae 34 5a ca ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Awo.exe
C:\Documents and Settings\User\Local Settings\Temp\Awr.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 7fabc01893d533c0037456a9745e2fcf
SHA1: d9dc5c00874e3e783a2337adee4b3456e68fbe06
SHA256: 6eaf492bd010c60a5fcd64b08ccc237803a41ccca92d488bcd8ed009b5fa99c0
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 2c 8d 3c a3 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Awx.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: fabb3def7b3666bc98cebba164b6c92a
SHA1: 4031cfc81545efe19b11356054a8af27f9620c41
SHA256: 6323dc47d3ae396da002681296827a52146d8b164e8799f5bd3b8c78b5e17c5b
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with f9 26 49 6f ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ax1.exe
C:\Documents and Settings\User\Local Settings\Temp\Ax3.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 3538e5496094d942a68a96d4d68a1964
SHA1: 2e6508ac4a7073cd0d1a5ec280905efb06823f5b
SHA256: 1bc4746076c77aa54fff7aaf845b9290d471711cb73f662c89267e130f03c131
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 9f 7d db 2b ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ax6.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 63fcd7181a7f9206bf3224a5471af2bf
SHA1: b5444bd17017742350533ab794b08737f18083fa
SHA256: c932efe22413216b246057cd343c4dd6e57fa40c09705e78ca886b9805c834ce
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 1b f7 67 fb ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ax9.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayb.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: d1279eedcbb7d85f1c7b9b201066368e
SHA1: 62d0013c501abfeddfd6047df9db1838365ac31a
SHA256: 054d8f0705a53c8bb5bb375734da4f2346fcd76e0eeda161350d629138b5e8b5
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 3e 2a 57 e8 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Axb.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: db3f9ea2b6d893f3f9fdf6a026edc177
SHA1: 27dd792923353bd9c55afce30a27ac575cd1019b
SHA256: fc4b1e8e8bbd507a1d5ebd7a11e3a5ce939518213699be5cc93282ebc66a1bb5
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 69 ee 53 a9 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Axi.exe
C:\Documents and Settings\User\Local Settings\Temp\Axq.exe
C:\Documents and Settings\User\Local Settings\Temp\Axr.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: cc4f8291f08071227e848a5c047b4d52
SHA1: a5ed4f60f81e3350318ffcd4fa224a9271eddd0b
SHA256: 5f4159dbc40aba448dca129722859feb00a53c140a1be49f9e3bc23cee7719aa
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 60 56 1d 39 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Axg.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 53d93e74118f9d7eb18248d1c2730b1e
SHA1: ba3ae87a7e01f43f2f5ac9c5d9f095f8503fab5b
SHA256: 44faf5bf03d4b18064926115f8f250754cf49ba3f02c91f13232a4c604a29113
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 57 9a 0c 58 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ayj.exe
C:\Documents and Settings\User\Local Settings\Temp\Aym.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: de1db83639e3fd0ea355567ad5370933
SHA1: b86a35fda6aa790717a6c91b5136d5d45c4f1947
SHA256: 049fee3240f60d61f407d4bf0eaea201f3e0ecc3def4bc12b00410e4d3eebf12
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 89 83 a7 57 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Axx.exe
C:\Documents and Settings\User\Local Settings\Temp\Axz.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: a5ebf5353423e514599439b8bded177e
SHA1: aa246e9c347ef15b2337d5d3c28d2b5b21cb98db
SHA256: a1fca6c54b809ce07427f0d2446d7bfdda1d80aecde7fb96fe95e72b4809113d
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 1c 44 85 60 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ay0.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 9fd72b42f02ecf1d77517aa7b9a1ec19
SHA1: a9fc41c401e02604fc49829de66612ac8b3b1925
SHA256: 9b548b31d4850d5a69d85b724c5272a43088b83a96aab7900b82b89b6eeb3662
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 73 7f cd 28 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aye.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayf.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 949148311a7ba5f9e7111652b22d258d
SHA1: 9df6a5a9d2c32a3d6b0892097bfc484d3f7cc34c
SHA256: 01779e93b4bab336a529f11a5f908cfd101bfed3098dcd07e39eb226811e9d24
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 12 a3 27 51 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ays.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayu.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 11b38fd0aca0b2b4e6f390c8ad1700c7
SHA1: f21106d596ca3d1f96982240c8b854144ecd261a
SHA256: bd42db3495978179c9470529fa2055d96bd87ea0461e1ab544295c3d2cf3fdd6
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 30 79 29 47 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ayo.exe
C:\Documents and Settings\User\Local Settings\Temp\Ayp.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 301453adf942fc49a2423c1cc5eb4252
SHA1: 789e70e7d8e24e2b94457099604931d350ee0ac4
SHA256: 9cf3dc9ce3d0cc04f4f74265156d6daa6f1204d491e36366b55994242a9264b2
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with b4 46 37 4a ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Axu.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 4f683301851531feaf26fd4f2edd2a3f
SHA1: f72978cb4c1a1c9caf271c3263e747d82f1fd119
SHA256: 74cd0fa697a785e42d177bf8767013adc96b50278ac300eb5156d80b762951e0
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with 63 0a 30 b9 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ayx.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BXJH|%idn%=0b1cd9f766755000|
Filesize: 184320
MD5: 2aa879efbc0c4787b6f64929c460954d
SHA1: 44d2506a2f0ca526a35c1bdd609710f250eb0463
SHA256: d33d86a192dff2c3ee4b86c31463d80c91ab9f6f13759761e8074a693f82f5cf
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
The 16 bytes at 0x4B21 start with be 4b 15 b5 ...
When the 16 bytes at 0x4B21 are set to 00 the checksums of the file are:
MD5: 0c37cad3e954cbff90727359fe8e885d
SHA1: ef85c252c444dad1b277a2f8a6bd59bea33c4d6a
SHA256: 0bfa067a19214fdcd8cbbc193e36e46fd13cf7da98a86f968062c322fbc5d729
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job to schedule execution of itself (every hour)
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aob.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: 6f21043dd2ee623b22b215b3a68e202e
SHA1: f5e232e2533582ddf8b30880fbf6f855d208c77d
SHA256: 0c55827f54726d664f1506716f128aff0e6d51014b85dc59e2604fd7245a840f

C:\Documents and Settings\User\Local Settings\Temp\Aod.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: 93fcdd2e13282d0ae5bb8f7f95342d33
SHA1: 4372de4b5890c4fec5f512a721a5f54467451adb
SHA256: 3d2015a2a8b829301683d06e24f5f242a977645b5e6e51573deb08397680a47a

C:\Documents and Settings\User\Local Settings\Temp\Aof.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: 6963d040dbe481d8705b2010e71f341c
SHA1: fa5a1326ead45ea4ad66f55080640e46c763b82c
SHA256: 60e660bf0f3fa9106a948f49bd13a7182ff3d6a346d177f7f07c6efd7204fc81

C:\Documents and Settings\User\Local Settings\Temp\Aoi.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: 4df0cecee055292df502dbac4feadcb9
SHA1: 9ab722e60bb8c0243192a9488846e06da1c9e30b
SHA256: 2c00d649f3a1283a98b50f83b121a0bea6eb8c0649143240cc0e00566e429818

C:\Documents and Settings\User\Local Settings\Temp\Aok.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: 91fb6975b747c67c4d2665210e687db0
SHA1: 4dde5dbdff59572920f30ab571f3a21f44cca217
SHA256: 6dca4317f35613acc1acd389c6b9a5465b4f1cb655dfcb4d29f02d4df6c73ff8

C:\Documents and Settings\User\Local Settings\Temp\An2.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: 9b7d97d33453111b431018bae00466ee
SHA1: 7fdf5f318f758193b8c37b5171ca0c847c70035a
SHA256: 0060e4338625b33ca238c3c45523303c13d9061db4292d55a1a9c579d4fabd41

C:\Documents and Settings\User\Local Settings\Temp\An5.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: a7e2afddfb9aa67b4f1e7eedad3ce775
SHA1: 7c1790881dac189ce60339af50ac2ee039710740
SHA256: cb6777b3e32be95503aa77382b334a1dbc4b38e5472fa916d7279dddddad21d0

C:\Documents and Settings\User\Local Settings\Temp\An8.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: 12132674d5aba4adcc15a435cd8e3c9f
SHA1: 1f945c7058159b5e226e0692a9c2cc9ad0a88349
SHA256: 8a60b0322b18b433afff9d5c5b4f80475b230a37c324607cb8cbb53a97ab9fd1

C:\Documents and Settings\User\Local Settings\Temp\Anv.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: ca315e2229bff1169d9f053c379522ba
SHA1: a2fa1f0f217bbb747eef389e8504a58d37bed70b
SHA256: 3c425e2eee4bc86af13bf6333399644179363f269e7bf913707d00a99a3c1df4

C:\Documents and Settings\User\Local Settings\Temp\Anx.exe
C:\Documents and Settings\User\Local Settings\Temp\Anz.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: 0c5f1c6aecfaf7cd5eee8b1dea43bdc9
SHA1: b6c3fcbdd0e8d61edd732450e8b98617c2a4f926
SHA256: 5309535a9de115fda61f7226cfd50fb4892576edb880e447b2b3a828d7e0d894

C:\Documents and Settings\User\Local Settings\Temp\Ao2.exe
C:\Documents and Settings\User\Local Settings\Temp\Aow.exe
C:\Documents and Settings\User\Local Settings\Temp\Aoz.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWGF|%idn%=0b1cd9f766755000|
Filesize: 173568
MD5: 3066238f0e43937a6c0a0f6ccc509aa1
SHA1: f849f9d203942112f6a345209258efd80bc8061f
SHA256: 3313be1be03aed0d48a5a80e5c6853dda6cfd2cd6e33c1a74fed550146957816
The 16 bytes at 0x520B start with 5e e0 3b 53 ...
When the 16 bytes at 0x520B are set to 00 the checksums of the file are:
MD5: 848992c38a72fd8370f0169cebc0fb52
SHA1: 55599df8667eff975c0258a93f91576ae71d172c
SHA256: 3e90a0331fca2494cbb764b247eed144005a28b01d629dff8d9b52411f5169f9
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Ao2.exe/Aow.exe/Aoz.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Ao5.exe
C:\Documents and Settings\User\Local Settings\Temp\Ao8.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWGF|%idn%=0b1cd9f766755000|
Filesize: 173568
MD5: 4205b36c95b0e94b9a8c2326445b3cd0
SHA1: aa625af7b1133a0e28b409ed46702b92253a55bb
SHA256: 82c6b98ad84f9fa51c5416d3b07020643fa3f900f2eaef51ec9800574c72e3f0
The 16 bytes at 0x520B start with ff e0 8d d6 ...
When the 16 bytes at 0x520B are set to 00 the checksums of the file are:
MD5: 848992c38a72fd8370f0169cebc0fb52
SHA1: 55599df8667eff975c0258a93f91576ae71d172c
SHA256: 3e90a0331fca2494cbb764b247eed144005a28b01d629dff8d9b52411f5169f9
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Ao5.exe/Ao8.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Aos.exe
C:\Documents and Settings\User\Local Settings\Temp\Aou.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWGF|%idn%=0b1cd9f766755000|
Filesize: 173568
MD5: c4f8a42117fdd3355468f9bbf6e83f8b
SHA1: 9f9b153e7b4b7952cfab8086865e68ccb4a0da71
SHA256: ccaa5234b26fb9cf38b7e714c4fe5cdee488bbe67d6c864e585883d3a2d47171
The 16 bytes at 0x520B start with b0 14 19 30 ...
When the 16 bytes at 0x520B are set to 00 the checksums of the file are:
MD5: 848992c38a72fd8370f0169cebc0fb52
SHA1: 55599df8667eff975c0258a93f91576ae71d172c
SHA256: 3e90a0331fca2494cbb764b247eed144005a28b01d629dff8d9b52411f5169f9
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Aos.exe/Aou.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Apb.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWGF|%idn%=0b1cd9f766755000|
Filesize: 173568
MD5: a53890089f30a1556eedc8396da9ba22
SHA1: 47e7017211a86ce64534183647c6a0f61f033384
SHA256: 2a22957a493f8deb4cf16341b5db7f95d6a8f7e3ae32a7d80b4a089af22f8137
The 16 bytes at 0x520B start with ff 98 7f fe ...
When the 16 bytes at 0x520B are set to 00 the checksums of the file are:
MD5: 848992c38a72fd8370f0169cebc0fb52
SHA1: 55599df8667eff975c0258a93f91576ae71d172c
SHA256: 3e90a0331fca2494cbb764b247eed144005a28b01d629dff8d9b52411f5169f9
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of Apb.exe]"

C:\Documents and Settings\User\Local Settings\Temp\Ape.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWGF|%idn%=0b1cd9f766755000|
Filesize: 173568
MD5: cae0492c678e2e57508938dce1e0a164
SHA1: 7333b50e030f31967e6150b9b6602d497e8a013b
SHA256: 3ca8801536c6cc7cee03b7bb2bd12e9f84273e38d63f51973cb5953d4a1e177f

C:\Documents and Settings\User\Local Settings\Temp\Aph.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWGF|%idn%=0b1cd9f766755000|
Filesize: 173568
MD5: d2cbaa7559598e414b007e76a9dd905e
SHA1: 79c4d1ec77cca154c6b9de5922d7f64ec1e062c0
SHA256: 55f46a5733b26637cebba4c6e03153097c9bd6494cf3be491a04da137eaf7bc4

C:\Documents and Settings\User\Local Settings\Temp\Apj.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWGF|%idn%=0b1cd9f766755000|
Filesize: 173568
MD5: 6b35b7d69a30c45f7416a54f6595acf2
SHA1: cd347c1be756d7dff21409b69b68cb789e174cf7
SHA256: bf9f5cd401edf73749a5f50c81a38e718bdddcc93813d449e360d1efbce8e4bc

C:\Documents and Settings\User\Local Settings\Temp\Am5.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039467.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPEM|%idn%=0b367dd99d353000|
Filesize: 171008
MD5: da423acebe8e549080192c53c5f9218b
SHA1: 6e67e9953ebb3e1993a4362ad1865c3ceb68e983
SHA256: 761e5c61beb12a71af9be4baee5969d1ce2b61543fe03fb561b36761c8070f62
Copied itself to: %WINDIR%\Adujoe.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\A2l.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CGCS|%idn%=0b367dd99d353000|
Filesize: 190464
MD5: 6d78b5adb1967189c5d41b05ed3f7f32
SHA1: d9079a2c6117eb90a2cb46210688debbec277ea6
SHA256: 52a677017795923d9a25802e94c15826124d7e100df6cca6a0e825631ae5ddfe
Copies itself to: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Api.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039468.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VLM|%idn%=0b366eac68b00000|
Filesize: 173056
MD5: 4236962b31121e16d0c51ea174be0de4
SHA1: 51a7cc9612a86306ccd6ca0712803b563d3a7543
SHA256: 96bd48315092d40b3bb6c2eeff09b0ddc8c4e6072a3d7d288fac3f3821f5dc97
Copied itself to: %WINDIR%\Adujoh.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\A2t.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039478.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.YH|%idn%=0b366eaa2c34c000|
Filesize: 180224
MD5: ca79bf6f1c8bedaec6b0883fe66320ec
SHA1: da2a93144d2ed6687141c999495b2f29106bd795
SHA256: 582e2c6bd1d1f7c061698a88070cb36f581089242f2c871c4251bade1c767421
Copied itself to: C:\WINDOWS\Adujor.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\A24.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039483.exe
Identification (AVG): @EID_Id_trj|%name%=Generic18.ZE|%idn%=0b367dd99d354000|
Filesize: 182272
MD5: f4fb4fb6d13a89bac92cbab4e31bf983
SHA1: 56ad5e1d5e3eefc00996dab88814676f94274577
SHA256: b60020b67607dfd7b8eef9caa23605ea776e7531e0e38f839006dee724fc9460
Copied itself to: %WINDIR%\Adujov.exe (filename varies)

C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039469.exe
C:\Documents and Settings\User\Local Settings\Temp\Aom.exe
Identification (AVG): @EID_Id_trj|%name%=Downloader.Generic9.BWDX|%idn%=0b1cd9f766755000|
Filesize: 171008
MD5: 29088cac716f6a5457d1c96e92e0f973
SHA1: 9a6db443b0832e41612132e5ebb591504d38d5e8
SHA256: ef9c0e1c11a81ae1ef0b9cddd1be363d2efa46f5191b9776307ba81f63da37c5
Copied itself to: %WINDIR%\Adujog.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself

C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039470.exe
C:\Documents and Settings\User\Local Settings\Temp\Apy.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BOH|%idn%=0b367998dd66e000|
Filesize: 178688
MD5: 9bd2c30f2c836b27171eba332d05657c
SHA1: 015f9d54c8e9bfe3f3e9be70d45ce96bb6182600
SHA256: ed03bde3348e8053725a046da275bd1477a00737a9211bd6e78d69ec677890f1
Copied itself to: %WINDIR%\Adujoi.exe (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself

C:\Documents and Settings\User\Local Settings\Temp\Ane.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BMA|%idn%=0b367998dd66e000|
Filesize: 165888
MD5: 7288d682dc3cf5f1393797518c81d735
SHA1: 799ebffd5f49579d12f31a97c054982dff1b37e5
SHA256: ae010c5bf3c1129968cb17a46d49f1e38b0dfacfc1112c2237082b2a3640920b
The 16 bytes at 0x27726 start with 0d 78 6d e7 ...
When the 16 bytes at 0x27726 are set to 00 the checksums of the file are:
MD5: 6c6fab275cbed87dde67b5a5a887b5f1
SHA1: cd95703a9f9b8bed5f5f89716457ba32090c576b
SHA256: fe7550479595529357639efec75791b3d01318a915832a044c20751a18f7ebcb
Copies itself to %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Ang.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BMA|%idn%=0b367998dd66e000|
Filesize: 165888
MD5: c35db8b830f25e67eaa61d0a6039fd80
SHA1: c2e6a38b0efbc19bfdd31fc289c59b60e9de3161
SHA256: b861430f31b106e1d5be83f220fecdccb324767e81b16fd37e96b2eacf0c24a2
The 16 bytes at 0x27726 start with ac 73 05 99 ...
When the 16 bytes at 0x27726 are set to 00 the checksums of the file are:
MD5: 6c6fab275cbed87dde67b5a5a887b5f1
SHA1: cd95703a9f9b8bed5f5f89716457ba32090c576b
SHA256: fe7550479595529357639efec75791b3d01318a915832a044c20751a18f7ebcb
Copies itself to %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Anj.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BMA|%idn%=0b367998dd66e000|
Filesize: 165888
MD5: 7d51cedf8a7c246abd99023517f76395
SHA1: 9c7ce416a271c72ed3a4d41ae006f829e33c7161
SHA256: cb5559233c8506bd0e9dca917d0d73b76f1a4eca5f8841571e3679a39c2628fb
The 16 bytes at 0x27726 start with 26 1f ca 37 ...
When the 16 bytes at 0x27726 are set to 00 the checksums of the file are:
MD5: 6c6fab275cbed87dde67b5a5a887b5f1
SHA1: cd95703a9f9b8bed5f5f89716457ba32090c576b
SHA256: fe7550479595529357639efec75791b3d01318a915832a044c20751a18f7ebcb
Copies itself to %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Anm.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BMA|%idn%=0b367998dd66e000|
Filesize: 165888
MD5: a777c1d0ac46bffe387ca284c3b83e33
SHA1: 5cc54ad2b41487100d1f432a151644742f0959dd
SHA256: 25628ce84fb01f4567b52f7f979eebedc03c498fb27401ffb27b0f4221536d9c
The 16 bytes at 0x27726 start with ac 87 57 df ...
When the 16 bytes at 0x27726 are set to 00 the checksums of the file are:
MD5: 6c6fab275cbed87dde67b5a5a887b5f1
SHA1: cd95703a9f9b8bed5f5f89716457ba32090c576b
SHA256: fe7550479595529357639efec75791b3d01318a915832a044c20751a18f7ebcb
Copies itself to %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039472.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039475.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039479.exe
C:\Documents and Settings\User\Local Settings\Temp\Anp.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BMA|%idn%=0b367998dd66e000|
Filesize: 165888
MD5: e9912115f06d1a93fa92caca8e73ce5d
SHA1: b6bb2b956eeb1ac2595332dd6457ce7b481e12af
SHA256: 057dc5c9557383ab9f45e108ced4a551b67079c5d8ee6c838c70ebb12866bb1f
The 16 bytes at 0x27726 start with a9 a4 84 d1 ...
When the 16 bytes at 0x27726 are set to 00 the checksums of the file are:
MD5: 6c6fab275cbed87dde67b5a5a887b5f1
SHA1: cd95703a9f9b8bed5f5f89716457ba32090c576b
SHA256: fe7550479595529357639efec75791b3d01318a915832a044c20751a18f7ebcb
Copied itself to %WINDIR%\Adujoq.exe, %WINDIR%\Adujon.exe, %WINDIR%\Adujok.exe, ... (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
Uses all idle CPU cycles so that the CPU usage increases to 100%
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK

C:\Documents and Settings\User\Local Settings\Temp\Aqa.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039471.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VQV|%idn%=0b366eac68b00000|
Filesize: 183808
MD5: 5a1f0d2be7b7df9be1847436f01e3d2d
SHA1: 502d201248b89da42f0a22da1f17d0426d522f2b
SHA256: abd40c45b3c05041a792a2286b04ae5135da7ad2a63e06aeb5193cdd57ae6dab
Copied itself to: %WINDIR%\Adujoj.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\A2w.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039481.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.YH|%idn%=0b366eaa2c34c000|
Filesize: 180224
MD5: 7c61599c8195c111b60306523e15aaf8
SHA1: a91422c86b81674b26715ad9e05bcaa7689e4e3d
SHA256: 6cc2b6425590433fde3f48585b3e8e9648cc621521f3690cf033ab528d1e7008
Copied itself to: %WINDIR%\Adujos.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\A27.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039484.exe
Identification (AVG): @EID_Id_trj|%name%=Generic18.ZE|%idn%=0b367dd99d354000|
Filesize: 182272
MD5: 3fbcde09beafd67a4d1db226fb0afdb5
SHA1: e4213e0d5e934203cb9cd2fafa6f46c5d4a21efc
SHA256: 96f9bb5ff6fb213e895b3179e9da0abdb7df539f7a250a7fd2a3cc93fb0e7752
Copied itself to: %WINDIR%\Adujow.exe (filename varies)

C:\Documents and Settings\User\Local Settings\Temp\A02.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: 4bdf94119299aff047f51d004b0f3bca
SHA1: dff800cb342eb1805036e71a6a4c7c9b8f68404b
SHA256: 18e79a496e685279c2c97107b04e9799807e398d88b214f31990bd4339dfa0a5
The 16 bytes at 0x4928 start with d6 d3 99 1b ...
When the 16 bytes at 0x4928 are set to 00 the checksums of the file are:
MD5: a1814e26dc2b8eadecf2c8a3faccaf5c
SHA1: 9ecb6b930916fa225d4bb2df6cbe5198339a44ed
SHA256: 13505f76dbcc6ffb5a689af9ef5297f5f46bf19f0ed8a15bb4ae825623b7fcfb
Copies itself under: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK
New registry values:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
QZAIB7KITK = "[location of A02.exe]"

C:\Documents and Settings\User\Local Settings\Temp\A0z.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: 271dacff97b3a610174c86ba292d8f94
SHA1: a955f96a04a8357f5f423c95fd21d6d4303f3e36
SHA256: 83691ef026f6132a5170a76fa426b074274e8b9b40340820e88bf1189647b34e
The 16 bytes at 0x4928 start with ea a5 4f a3 ...
When the 16 bytes at 0x4928 are set to 00 the checksums of the file are:
MD5: a1814e26dc2b8eadecf2c8a3faccaf5c
SHA1: 9ecb6b930916fa225d4bb2df6cbe5198339a44ed
SHA256: 13505f76dbcc6ffb5a689af9ef5297f5f46bf19f0ed8a15bb4ae825623b7fcfb
Copies itself under: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK
New registry values:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
QZAIB7KITK = "[location of A0z.exe]"

C:\Documents and Settings\User\Local Settings\Temp\A16.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: c8bfe8c10603d16a1d38acc7cd6da0cc
SHA1: 42a45dbd9f48a2e0e1a4852290d8a47683e0589d
SHA256: 90a586d9a5fece0cf3c67f25ff7b606b4a3b71bc6b198a66210be9d67f6e7575
The 16 bytes at 0x4928 start with a8 a9 9e c8 ...
When the 16 bytes at 0x4928 are set to 00 the checksums of the file are:
MD5: a1814e26dc2b8eadecf2c8a3faccaf5c
SHA1: 9ecb6b930916fa225d4bb2df6cbe5198339a44ed
SHA256: 13505f76dbcc6ffb5a689af9ef5297f5f46bf19f0ed8a15bb4ae825623b7fcfb
Copies itself under: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK
New registry values:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
QZAIB7KITK = "[location of A16.exe]"

C:\Documents and Settings\User\Local Settings\Temp\A1e.exe
C:\Documents and Settings\User\Local Settings\Temp\A1g.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: 5b34b816c4e95acc59d9bd815589e83b
SHA1: af90f02a2289d31c2524354880efa87cc25b2f17
SHA256: 17a9561d77a8fdb2a83e3b4a9a9d26f5586b8578dbb1d45281022546f443e1e9
The 16 bytes at 0x4928 start with fd ea b9 7b ...
When the 16 bytes at 0x4928 are set to 00 the checksums of the file are:
MD5: a1814e26dc2b8eadecf2c8a3faccaf5c
SHA1: 9ecb6b930916fa225d4bb2df6cbe5198339a44ed
SHA256: 13505f76dbcc6ffb5a689af9ef5297f5f46bf19f0ed8a15bb4ae825623b7fcfb
Copies itself under: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK
New registry values:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
QZAIB7KITK = "[location of A1e.exe/A1g.exe]"

C:\Documents and Settings\User\Local Settings\Temp\A1k.exe
C:\Documents and Settings\User\Local Settings\Temp\A1n.exe
C:\Documents and Settings\User\Local Settings\Temp\A1p.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: 6164dca3d6444235c97424e657f1bd21
SHA1: 345cf336752da96e0e3056bec4b281b54792ced1
SHA256: c8307eddef145e8b68d0d091dd764db4f7c24f3e06d2710a78c6db38ff311473
The 16 bytes at 0x4928 start with 3c b3 b5 a0 ...
When the 16 bytes at 0x4928 are set to 00 the checksums of the file are:
MD5: a1814e26dc2b8eadecf2c8a3faccaf5c
SHA1: 9ecb6b930916fa225d4bb2df6cbe5198339a44ed
SHA256: 13505f76dbcc6ffb5a689af9ef5297f5f46bf19f0ed8a15bb4ae825623b7fcfb
Copies itself under: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK
New registry values:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
QZAIB7KITK = "[location of A1k.exe/A1n.exe/A1p.exe]"

C:\Documents and Settings\User\Local Settings\Temp\A04.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: 07125e1cce4f9f3d6a681dd1f0d652eb
SHA1: 0c753e04b6fed27ff65130c6e3fa67fe7a385182
SHA256: eb6854b40819e8759f40ba9c862644ae2d1f6b131214efd3aac5caa8423e3634
The 16 bytes at 0x4928 start with ed 8d ab b3 ...
When the 16 bytes at 0x4928 are set to 00 the checksums of the file are:
MD5: a1814e26dc2b8eadecf2c8a3faccaf5c
SHA1: 9ecb6b930916fa225d4bb2df6cbe5198339a44ed
SHA256: 13505f76dbcc6ffb5a689af9ef5297f5f46bf19f0ed8a15bb4ae825623b7fcfb
Copies itself under: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK
New registry values:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
QZAIB7KITK = "[location of A04.exe]"

C:\Documents and Settings\User\Local Settings\Temp\A08.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: caf658217ce69f5c546bbd744b7fc9c7
SHA1: b460db98ad2252005154ea6cf77ee852c612f962
SHA256: deb1c33d0542fdccef42ecdbfb74e8f01e47080dbda206b61a217ae84cd75141
The 16 bytes at 0x4928 start with a7 f5 53 f3 ...
When the 16 bytes at 0x4928 are set to 00 the checksums of the file are:
MD5: a1814e26dc2b8eadecf2c8a3faccaf5c
SHA1: 9ecb6b930916fa225d4bb2df6cbe5198339a44ed
SHA256: 13505f76dbcc6ffb5a689af9ef5297f5f46bf19f0ed8a15bb4ae825623b7fcfb
Copies itself under: %WINDIR%\ (filename varies)
Modifies the file: %WINDIR%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (hidden) to schedule execution of itself
New registry key: HKEY_CURRENT_USER\Software\QZAIB7KITK
New registry values:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
QZAIB7KITK = "[location of A08.exe]"

C:\Documents and Settings\User\Local Settings\Temp\A0b.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: e3b4172b27ece21e7002036f9a61d57b
SHA1: 101aa2e2eed93d4d8b0871561a91bfa1428efcd1
SHA256: 4f355561993547dba0812ad1492509e309d5c1bd1ba0b04447ac98c5ac5d2564

C:\Documents and Settings\User\Local Settings\Temp\A0f.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: 1c463c082147b4e4a326daa0a8cf44f0
SHA1: 2ef05d36641f5e219de7dfd0b2a8152b6d441228
SHA256: 8b61049bd2664a6ce9273293f3a5c8cdc47cc9d372be29b89047bafdf66203d7

C:\Documents and Settings\User\Local Settings\Temp\A0j.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: 174caf2e2c384b89e0eda64b91fdaae9
SHA1: 9737a6d6244dbbf7b2eade867d8a5432122c31f7
SHA256: fa665b484e783364c7eb1227ea061b8e3a93c4926f8320442d0996c600c09ee6

C:\Documents and Settings\User\Local Settings\Temp\A0n.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: 8a48ebfbfb878cde283a483265ba8897
SHA1: bb789f8b068977d24e2a1f7e366676c8c580798c
SHA256: 70e43b5443c1266a92ff4512a04d467c334813d23ebc39ce8c04e4af3ee6f2a1

C:\Documents and Settings\User\Local Settings\Temp\A0r.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: 78b62c2ccdfd8205f352279e229184f6
SHA1: 41c0abafa20b41cb16bc703714f1d349fff1847a
SHA256: e62f29d08658bec40d823c53b2a4519f3f58a84c7c95eae7f0fc0ecb4611eaef

C:\Documents and Settings\User\Local Settings\Temp\A0v.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: e0be5be1c45b83b2253a177b09fb840d
SHA1: 657092ed37bc9ae178760c92cbf5c87b2af7bae8
SHA256: bf99430d158760d06a2206983d43f40e0bc0e9c7b9cf1da1e27c16bc8fcbd290

C:\Documents and Settings\User\Local Settings\Temp\A1w.exe
C:\Documents and Settings\User\Local Settings\Temp\A1z.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: ddbeba29e96bf7680077dc141dff9e2f
SHA1: 1bb1764f68b23f20e04bae6672cf20bd82787346
SHA256: 34438eac72fd88813882789233bf42919301ac9f30909e8c1fc7e8b4a441ca99

C:\Documents and Settings\User\Local Settings\Temp\A2d.exe
C:\WINDOWS\Adujop.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039477.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: f574c6217b7ebf46c8435b5b7385d9c4
SHA1: 4c82c4753e1083c41281294bf3f556ef9126383d
SHA256: e5b0b0738112414bfc756085efb434b8b54d7c497ddd597177b12462c2c86f94

C:\Documents and Settings\User\Local Settings\Temp\Az3.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: aac30993e41df245f042cdaac022187d
SHA1: e958d07bf2a303cd7e8e618e50c45449ad9bc063
SHA256: 102cb1b77c720e32f5665751c06597146ece5959247624b0007cff46342549ab

C:\Documents and Settings\User\Local Settings\Temp\Az8.exe
Identification (AVG): @EID_Id_trj|%name%=Cryptic.UC|%idn%=0b366eaa2c6d4000|
Filesize: 189952
MD5: a6ed5173e08057cbd9608a7f3aea57ba
SHA1: 08286b448011e0a4e7bc4a40d9775e679d7b21e6
SHA256: 40a87a27fd2f0fe799f2e29fd7e9aafa0123eccf6f261b04f23e3b452a9120b0

C:\Documents and Settings\User\Local Settings\Temp\A00.exe
C:\Documents and Settings\User\Local Settings\Temp\A03.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 0ad02912c1d01685184ec974b5a51f14
SHA1: 3c080341ccec02c78a6c211840f9720a211feee4
SHA256: 538b3d440a132c938a010666f38d1f1191f696cfd98774ce2308eaaf8f354c34
Appears to be programmed in Microsoft Visual C++ (MSVCP60.DLL)
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of executable]"

C:\Documents and Settings\User\Local Settings\Temp\An0.exe
C:\Documents and Settings\User\Local Settings\Temp\Any.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: c55ce912dc20493ac367d03dc094ecc8
SHA1: ac1494bfb6245e8dcb787694ac113a21a58f6bfb
SHA256: 891d4b241cb5d7d1412e8a784a4f79c5917845f1a1836b905758e571c9ce07cf
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
M5T8QL3YW3 = "[location of executable]"

C:\Documents and Settings\User\Local Settings\Temp\A23.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.AAWJ|%idn%=0ad999c6a7c0f000|
Filesize: 122368
MD5: 50aa6f7bf20b31f4158ca7e1021579e6
SHA1: 1d46b93da92d497a3cbee6196babaae8c1019aac
SHA256: 7c3e45f3308c1411f6832e5e27be16768695fe9206ed7eff4a679119fa955ef7
Modifies the file: %WINDIR%\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (hidden) to schedule execution of itself (executed every hour)
New registry key: HKEY_CURRENT_USER\Software\M5T8QL3YW3
New registry values:
[HKEY_CURRENT_USER\Software\M5T8QL3YW3]
...

C:\WINDOWS\unt4716.dll
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039497.dll
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YJQ|%idn%=0ad999c6a7c0f000|
Filesize: 57345
MD5: 80473db7365afee300deff73f207e513
SHA1: e152edd15e6de5abe4d4999b2f5fcb0b4ad9dcc1
SHA256: 821e4469ff3135735eb364237176f02eae68b821be59d88d43ff2f511f875b00

C:\Documents and Settings\User\Local Settings\Temp\rr4asti.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YJQ|%idn%=0ad999c6a7c0f000|
Filesize: 57345
MD5: 09cfdf0b02c07826310d083b4548d2ad
SHA1: 25b8a62913f15820c8c6cd8cab1ad6468d42dec3
SHA256: 4a3413f13f501c02e20c35254508c4418aa88e3cbc3e372412b124ee68aed918

C:\Documents and Settings\User\Local Settings\Temp\Aud.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: bc3290a6e75ec65cf354cca83a4e517f
SHA1: 97c8ab0702c7f41b05a4c5752aaf4e67a933984c
SHA256: 28c2206b14f2bf320f6a3e93af24f31a8c60ab97caadf26157fedeb4ac0e8489
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The file differs at every creation in its last 32 bytes, e.g.:
2C BE 00 00 4B at 0x343E2
2C BE 00 00 77 at 0x343E4
2C BE 00 00 F8 at 0x343E5
2C BE 00 00 F5 at 0x343E7
2C BE 00 00 79 at 0x343E9
2C BE 00 00 DA at 0x343EA
2C BE 00 00 D0 at 0x343F2
2C BE 00 00 64 at 0x343F2
2C BE 00 00 9A at 0x343F6
2C BE 00 00 E5 at 0x343F7
2C BE 00 00 50 at 0x343F8
...
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"
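The "set to 00" and "first N bytes" checksums used throughout this listing can be reproduced with the following script, an added example that is not part of the original analysis; all sample bytes in it are constructed, and only the offsets and lengths (0x520B and 16 bytes, the trailing 32 bytes, the 213984-byte prefix) are taken from the listing.

```python
"""Normalized ("masked") checksums for polymorphic droppers.

Added example; not code from the original analysis. It reproduces the
procedure the listing applies by hand: hash a sample after setting a byte
range to 00 (the 16 bytes at a fixed offset, or the trailing 32 bytes), or
hash only a fixed-length prefix, so that rebuilt variants which differ only
in a per-build random field collapse to one stable fingerprint that can be
used to cluster them. All sample bytes below are constructed; only the
offsets (0x520B, 16 bytes; trailing 32 bytes; 213984-byte prefix) come from
the listing.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

HASH_NAMES = ("md5", "sha1", "sha256")


def digests(data: bytes) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 hex digests of a byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}


def mask_ranges(data: bytes, ranges: Iterable[Tuple[int, int]]) -> bytes:
    """Copy of data with every (offset, length) range overwritten with 0x00.

    A negative offset counts from the end, so (-32, 32) masks the last 32
    bytes. A range that does not fit inside the file raises ValueError: that
    normally means the sample is not built from the same body as the family
    the offset was derived for, and silently masking it would hide that.
    """
    buf = bytearray(data)
    for offset, length in ranges:
        start = offset if offset >= 0 else len(buf) + offset
        if start < 0 or length < 0 or start + length > len(buf):
            raise ValueError(
                f"range {offset:#x}+{length} outside a {len(buf)}-byte file")
        buf[start:start + length] = bytes(length)
    return bytes(buf)


def masked_digests(data: bytes, ranges: Iterable[Tuple[int, int]]) -> Dict[str, str]:
    """Digests after masking: the 'set to 00' checksums in the listing."""
    return digests(mask_ranges(data, list(ranges)))


def prefix_digests(data: bytes, length: int) -> Dict[str, str]:
    """Digests of the first `length` bytes only (the 213984-byte variant)."""
    return digests(data[:length])


def cluster_by_masked_sha256(samples: Dict[str, bytes],
                             ranges: Iterable[Tuple[int, int]]) -> Dict[str, List[str]]:
    """Group sample names by masked SHA256; samples the mask cannot be
    applied to are collected under the key 'unmaskable'."""
    groups: Dict[str, List[str]] = {}
    ranges = list(ranges)
    for name, data in samples.items():
        try:
            key = masked_digests(data, ranges)["sha256"]
        except ValueError:
            key = "unmaskable"
        groups.setdefault(key, []).append(name)
    return groups


# ---- constructed stand-ins for the samples in the listing ----------------
def with_field(base: bytes, offset: int, field: bytes) -> bytes:
    """Base body with a per-build field written at offset (constructed)."""
    return base[:offset] + field + base[offset + len(field):]


DROPPER_BODY = bytes(range(256)) * 0x60          # 24576 bytes, covers 0x520B+16
TAG_OFFSET, TAG_LEN = 0x520B, 16
DROPPERS = {
    "variant_a": with_field(DROPPER_BODY, TAG_OFFSET, bytes.fromhex("5ee03b53") + b"\x11" * 12),
    "variant_b": with_field(DROPPER_BODY, TAG_OFFSET, bytes.fromhex("ffe08dd6") + b"\x22" * 12),
    "variant_c": with_field(DROPPER_BODY, TAG_OFFSET, bytes.fromhex("b0141930") + b"\x33" * 12),
    "unrelated": with_field(DROPPER_BODY, 0x100, b"\x44" * 16),   # differs outside the mask
    "truncated": DROPPER_BODY[:0x1000],                            # too short for the mask
}

DLL_BODY = bytes(range(256)) * 836                # 214016 bytes, same size as sshnas21.dll
DLLS = {
    "drop_1": with_field(DLL_BODY, len(DLL_BODY) - 32, bytes.fromhex("2cbe00004b") + b"\x01" * 27),
    "drop_2": with_field(DLL_BODY, len(DLL_BODY) - 32, bytes.fromhex("2cbe000077") + b"\x02" * 27),
}

if __name__ == "__main__":
    for key, names in cluster_by_masked_sha256(DROPPERS, [(TAG_OFFSET, TAG_LEN)]).items():
        print(key[:16], names)
    print(prefix_digests(DLLS["drop_1"], 213984)["md5"],
          masked_digests(DLLS["drop_1"], [(-32, 32)])["md5"])
```

On real files, read each sample with `open(path, "rb").read()` and feed the bytes to `cluster_by_masked_sha256`; the masked SHA256 is the value to compare against the "set to 00" checksums in the listing.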

C:\Documents and Settings\User\Local Settings\Temp\Au7.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: d213b873042b40274ebf936bb0e53262
SHA1: 45eab8ef5322a690e75f6580c3a75bcfb40e3ed8
SHA256: e2c6cb8147735fbd21861ceec0ba581381639510842af9fcff60e8155a217bfd
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Aug.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 78f17e8d416649c0f68bd081bda35784
SHA1: c231804cc2e72938648aef7fb048f0cca7b9feb5
SHA256: 7c3ac9689cb9b7f4596051af0de08d1fe6bf44bcc3c189d90af5dc15d0d83bee
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Aun.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 1cc25ee72206cc16eeb83e126c4fdda5
SHA1: b6c21ec8dce35d54793dd6cc96717e782a3b0a00
SHA256: 37008e53434ca43c21a98dc3d7be665c91a85ae082aaabcbe522dde623d97b0b
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Auv.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: cdaf0d2137b43611ac7a857761bc8b8b
SHA1: f2d4a01e23355f472054f5ad7980c6a33f4db7c1
SHA256: 6125e1f6f00647f36b206f231fc6150eb547afb4d720f40de2bd4c4c86e77e56
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Av2.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 2d93dbe98afedcc621be17887f1b2c3d
SHA1: 79d1960fa14bff296e75fc5ddf036dcf248a428a
SHA256: 3dce7181931865597739a87b4ead5ecbce16378577ca5cbaa23cf140399acc32
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Av6.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 5152cef93f6fd7743068e755f212a6b6
SHA1: b12431e8027fbcc3d7232e6ec5df197241d9c4ff
SHA256: c653a4992537020825a33c6796aa0c491d2fedd3b1c15ecb7239e4b94a81f544
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Avf.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: fa18d2b1ac7fcd53a0de31c4c159b0b2
SHA1: 2633122eff06b6ae7e83b7a2d747e537afa2e3c5
SHA256: 0abb3ce3dbd47c307ddbae6975e694d39253446b865b428ebdf162efd5cfd050
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Avi.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 12e41f77e3d36e3c224d1c3fff728fcf
SHA1: 705f5b7713cc299f67e96fd6b39dfbb51c377256
SHA256: cb3f78835c4eeacd6b76fd002caf2a9e44b81da47e00aeade7f93f6936e33ae6
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Avo.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: eff7973c3b2c80d1d6b719d8b4203002
SHA1: a524c32ee0cfb89e37f2c0393fa19bd10531fbed
SHA256: 15715712fc83494a6551142618c58a3bc15214a91fa7e21bab229b14c8806dc7
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Avt.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 6490b3a0073a92b5a0116c0da0bb9452
SHA1: 55a5fc2ce77b43faa8fa8f23f114f6aec6832189
SHA256: b5a746dff85b8b5e7e38ad562649e73b9a7090d35f29429e9279eefa1a93912c
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Avx.exe
C:\Documents and Settings\User\Local Settings\Temp\Avz.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 32208e2a920ac30f620f1994b6c1392a
SHA1: f3831d94088b38c2f5dd41f9a85a6a7faf8c337d
SHA256: 25aa1ffcbcd9b4cf94f99b59ff99323be24d63a6068011d5c3994feed780f36c
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 214016
The checksums of the first 213984 bytes of the file are:
MD5: 7ff0c7baf9644e7eecc6324b49dc2c50
SHA1: 05be3296d3aa1ec20f70a33924853779fd27e792
SHA256: 1019d25b431e9222ee323c9cec02dc5299561001aaa1b2e6d122f9f3b19e544a
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: 1a159b29622fa33347bd80f04d028e86
SHA1: f35793cf81f6a2ae29265a2934121e08b8eb6582
SHA256: bf3ceac9e7e7093a95e3a395db93eb36872a58773c4775384278912bbaec7273
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Aq0.exe
C:\Documents and Settings\User\Local Settings\Temp\Aq3.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: fe5757ed11b498fbb85a9e5d52e9b6ed
SHA1: f844934ae20495b3f90732fb10ec769a6a60e88c
SHA256: 31519c753b5f7d8d4a77e1f0f5be55535834c397d786c2161ba3dc19bbb14cd5

C:\Documents and Settings\User\Local Settings\Temp\Aqi.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: bcf5aa78b8c12ada27680697d7dde1b2
SHA1: bae29e91951473ebeede41498c9a5050744f89d5
SHA256: cde0764c5d6cb5d38ef9a5d0061127d1c9ec57fe380eff8a69208f42b916ceb6

C:\Documents and Settings\User\Local Settings\Temp\Aql.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: ff48c36dc6493009d75a38512b7da6e2
SHA1: 973e222f73220430d3bf53b38ee192f4c9050df1
SHA256: 0d4ef62106784720047c89619c4069b300c8332513ca838439f4033685ebc293

C:\Documents and Settings\User\Local Settings\Temp\Aqt.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 5a336a500bd21573bff359968a6233ff
SHA1: 9f3e17221f95a2c51ac57d311ea21ee6fcc31a35
SHA256: 469a46d9fa3288d76314fd1b9946e426a733f72ece37ac00e4a47f808128c374

C:\Documents and Settings\User\Local Settings\Temp\Ar0.exe
C:\Documents and Settings\User\Local Settings\Temp\Ar1.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 0f406db2245b87936e73ec7175e5e815
SHA1: 07e61a647b0ce3df4535b549265e45f3b32cc9e6
SHA256: fd258bbdb050a9370084d5319aee63772c722f4c45249c493249b192b3470777

C:\Documents and Settings\User\Local Settings\Temp\Ark.exe
C:\Documents and Settings\User\Local Settings\Temp\Arp.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 26309527a669528c399a77b39c3e6d4c
SHA1: aadf221260ef8ba629037ecb71d6a4dfba5206d3
SHA256: 0aca6bbb04c9a9bd3c4c91af4fcb6c07e0ab9749a881a1b78906df696c48d2dc

C:\Documents and Settings\User\Local Settings\Temp\Ars.exe
C:\Documents and Settings\User\Local Settings\Temp\Arv.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: ae0111cc452d550712a330bd3dde0b9d
SHA1: 9994522f64d670d0995ec49309ad79c7f36da770
SHA256: af8e6b527f208ddb7ec86748ce02a7cf5282a216920916ec379bf94cd29885bb

C:\Documents and Settings\User\Local Settings\Temp\Asa.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: b5c99a9ae0f7e01fa7579606ed93d4db
SHA1: a78c9104f38ee45a2b5e7cdd24f8b473d9c0e983
SHA256: aa7d33e7173dbbde5e9694341ec3a786de65249cf1eb88a6a7d5d6e468e304c0

C:\Documents and Settings\User\Local Settings\Temp\Asd.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: b5c99a9ae0f7e01fa7579606ed93d4db
SHA1: a78c9104f38ee45a2b5e7cdd24f8b473d9c0e983
SHA256: aa7d33e7173dbbde5e9694341ec3a786de65249cf1eb88a6a7d5d6e468e304c0

C:\Documents and Settings\User\Local Settings\Temp\Ask.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 4eb4b39227e04f4512c1235a79f8bc44
SHA1: 1af1e95ae39c4a20e5163aea99c8882d601631d4
SHA256: a19a4df3d0867e889fae0156c3e221d984ed72275e240617cb9fe7f182359fe0

C:\Documents and Settings\User\Local Settings\Temp\Asn.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: a071be1e12d783627633bf970755125b
SHA1: 6399e18abd29cd0348117eccb1f67cfcaa012e16
SHA256: 43b50c8fd637f993bfca5f1ea326352c009a21a9137c28399cb176b1fbb233d8

C:\Documents and Settings\User\Local Settings\Temp\Asq.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 31c757bbda848368a8cf6e93342775ee
SHA1: 0556588a2aee8577c8799fe94bcf80149584deed
SHA256: 0e9b4beb7e724b93fb7882cb67b9ce32b78f1ef0ba564595867b2f116b75be28

C:\Documents and Settings\User\Local Settings\Temp\Asw.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: a3b396f4bb24a3d56ad0ec6ea192d8a7
SHA1: efaee3cff0975645f35c46493b2e933f02d5e20e
SHA256: 36e737e54b710a768b1e8e8db88b44e1e8c023d7ec98deaaa04813413f4d2f8f

C:\Documents and Settings\User\Local Settings\Temp\Atd.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: ebe9b3b26d7b668bfce7ceb172c1e401
SHA1: 2b57598550f6c20cdc09d6e4a311b2fb85eabe5a
SHA256: 492234fd30edf65184e29b7ae5bd087453d45e70ed133cbca3085e4ec7bf9962

C:\Documents and Settings\User\Local Settings\Temp\Ath.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 19d3251dbe5999456262f469c5d5855c
SHA1: 73be8eb708bc7f3b63c4d7a87bf258efe00cab30
SHA256: 7b7d3913a7bdc218c08d448de3af7b0ccd3719a2fae4fa31a6f4594179d991f8

C:\Documents and Settings\User\Local Settings\Temp\Atp.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: 3766cbf3cdf2f89e2f48999cd325daf5
SHA1: 7a3c29de48f2b475a6becb91e0dfc36547f8b586
SHA256: 396fa3d216bfaa7172338f48e4a00c8d4735ad449c4c3ed641fce37974dbb2f5

C:\Documents and Settings\User\Local Settings\Temp\Au2.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBE|%idn%=0ad999c6a7c0f000|
Filesize: 266240
MD5: a0580361713b08d52e9708d684fe063f
SHA1: df4589b34f86dcb5c5e9fe2186c6d0b3ff8af8fe
SHA256: 4af08f10bc1ad29c473db4377670e2ddbd213ef03099c8df77d91dae26f44e58

C:\Documents and Settings\User\Local Settings\Temp\Ao0.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: e41e4767770fb1a3e75c35ced9e09157
SHA1: 1e2312551a07cfdc7248b96e6653fd1a331b99a2
SHA256: fafa785affe11d6780932a7ec73d77db2f41c2b6ad6972b2a30558ad1b68cf9f
The 16 bytes at 0x508a start with 5e e0 3b 53 ...
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227
Creates the file C:\WINDOWS\system32\sshnas21.dll
Filesize: 218624
The file differs at every creation in the last 32 bytes, e.g.:
2C BE 00 00 75 at 0x355e7
...
The checksums of the first 218592 bytes of the file are:
MD5: b594dc4ae32c4c8151d28a648d054cac
SHA1: 46f495547a54c562ea6530aab3a62815395d9afd
SHA256: d4b87a9bbc50caa51c5fdbd99216d803145217917e555eafe2e5912010c29454
The checksums of the entire file with the last 32 bytes set to 00 are:
MD5: e9109fff5c67a9acd84dfbb0ece82f41
SHA1: 7e339f783d0c137595a573c221af39e26a93ed8f
SHA256: cab03f9b990e04e616c9ca35fa094e55e6b3afdf1412ff961233c15caa707ed7
May cause the error message: RUNDLL - An exception occurred while trying to run "C:\WINDOWS\system32\sshnas21.dll,BackupReadW"

New registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
New registry values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
ServiceDll = "C:\WINDOWS\system32\sshnas21.dll"

C:\Documents and Settings\User\Local Settings\Temp\Ao3.exe
C:\Documents and Settings\User\Local Settings\Temp\Ao6.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: 23aa31b4dcad1b6738ee20eda217c93c
SHA1: 2208baed4cc83e7d357f5ac0166437eed4b9960b
SHA256: 1f66469ac87a4ee3ebf793de9e5a6ce0910440227c01e3c5c6d0b1f0a0d883dc
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Ao9.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: 1fdcecce56e055d77176a29f5994e760
SHA1: c0b4c5a2c9f4617546db1de44abf2f41661a7b91
SHA256: e9211f282eb11995f1b083d657c59e38cd7e29c9cd9962da06aa8ab985d2c32f
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Aop.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: c2afa5ae69992b31cbc6c357b5e940e9
SHA1: e0a9b35512ad9cfe8f655aeff9d8b7edec8bbb7b
SHA256: 9acc3af422f1a49758adc26619458e39ef5fcf2d708cd42c2903f21446bd46fc
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Aor.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: c2afa5ae69992b31cbc6c357b5e940e9
SHA1: e0a9b35512ad9cfe8f655aeff9d8b7edec8bbb7b
SHA256: 9acc3af422f1a49758adc26619458e39ef5fcf2d708cd42c2903f21446bd46fc
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Aox.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: e41e4767770fb1a3e75c35ced9e09157
SHA1: 1e2312551a07cfdc7248b96e6653fd1a331b99a2
SHA256: fafa785affe11d6780932a7ec73d77db2f41c2b6ad6972b2a30558ad1b68cf9f
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Apc.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: ba63c6e14721237f43c4cfef056a2866
SHA1: 3b7730f007e28cfc6032516b8465d2064ee29cfb
SHA256: de847ec69c73b75b90e339cbb4fb51968cddc096a8766290df0bea30e35d350a
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Apf.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: 3b386134e043dad2994db6a7cab7eff7
SHA1: 52c4b7c26439131595b0adc6e6c44d14c6ad5349
SHA256: 39df5024001cbbf4e5cef27e47a9f1ffa096a2010184a93c995ae188ba54899b
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Apk.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: 3dfdb930f7a5804c9c8b4b7c315ba8e6
SHA1: 7f3ccb897bd124af689c83bdb45475c0b6b377af
SHA256: 42c8091c99a0e878b804312ad03297bee5c10d0dcb38a230420ff15398264f98
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Apn.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: a15a64354e0f096350d33caeb6ae83f9
SHA1: 843cf6e12debb14e609e54a1bf3a192a0f3e4523
SHA256: 395e437ff7d414f779d6722d5e3cf0c72f177e1d451a12dcf4628a28d2706c3e
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Apq.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: e0811854b9285f0cbff5b018f8d29b92
SHA1: 44ba276532f1817888f2fa3f2ad7849d969bf705
SHA256: 130be504e733252ef31bee8a76f7f7ae043580ab4e4d782f88062a19e7895bcf
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Apt.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: f8a5b6d20357a1e78bed19b89831301f
SHA1: 8174f207ac980a5195ff0ee3016ba1a82a716a76
SHA256: cf6f87887a04f06e00bf94fe8aa02b29a82200235c900ffdafa1c8e3a3ebc17e
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Apv.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: 54290ac72dcfaf7555367a689eac5db2
SHA1: 2b944ff4cc851b0351930dbf13024efde77df6e5
SHA256: 9b8e9b3123453f3c0c57f74d54b0903f1789b657248be567767668633c47d757
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Apx.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WBT|%idn%=0ad999c6a7c0f000|
Filesize: 263168
MD5: 32bf80d41bf26ce3757c4df96cc7683b
SHA1: 6c21fffad785d1a5b09203f7fb995bad8aaaafbd
SHA256: 98d4e227db3601ec0b75ae34722866da8fd4aa5d6885f112f740e18a3b930435
When the 16 bytes at 0x508a are set to 00 the checksums of the file are:
MD5: 5ef36d0314143e3e47255ce8997852ed
SHA1: cb3a854597fb2f522b9e6d147756ff1d6c6f66a6
SHA256: 45452d9908069a996ed2b8fce6e555a88dce8c0e5271ea16a23e449fdd7a6227

C:\Documents and Settings\User\Local Settings\Temp\Ay7.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XTR|%idn%=0ad999c6a7c0f000|
Filesize: 81920
MD5: c5df53ff3dd60c03e4e2d1ac8f06bc60
SHA1: 4ab0326603e85ae86c0cac2b5feac88ba48271c3
SHA256: 243316cb8c074e74ace46b5600c591f07c5d7c641c3002d2f225126d3ab3853b
(invalid executable, file appears to be incomplete)

C:\Documents and Settings\User\Local Settings\Temp\A01.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: b7262535fb67cfca664263143e83d286
SHA1: 5f30a9f55357175cfbe36f912f0690aedfec462d
SHA256: 4359ce44c806ac34efdc79cf38b3fa8b693fd6d96e976cdba1f55b449e2aa715

C:\Documents and Settings\User\Local Settings\Temp\A06.exe
C:\Documents and Settings\User\Local Settings\Temp\A09.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: f9c85695a6611ab6da3d06ac48c2237a
SHA1: 518d6c147f8279007080e9f217ce02aff768e644
SHA256: c4312578f2b88f5952c2f73e40e467c4751c72541daa329f9004b604f9e3a7b0

C:\Documents and Settings\User\Local Settings\Temp\A05.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 4313b0335123cf0c03eb46418754cd0a
SHA1: 1bd82c6612695b4258fff3d8f05a62d23ca682dd
SHA256: 88479975f1ee3756274f9c4a92126ac64c62c6592c4f797b6ff169538ce6a8f1

C:\Documents and Settings\User\Local Settings\Temp\A07.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 061049a8dc191982187747b4c9acaa98
SHA1: 3442d929bd09cd0be5bc85262270f47c03b5c388
SHA256: 6d006b0a101db0809241b704e25dbaa0672b1b3ed593aa02eed397f293136077

C:\Documents and Settings\User\Local Settings\Temp\A0a.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: b4149f1d5b27fd71a0c90e4a89b5b005
SHA1: 47e8de9bd01c481bffa27903ac155af07af34d2b
SHA256: d8c68a04b5d7014ce62382c0a00122d95fd5f083e047100675686324cafc67fd

C:\Documents and Settings\User\Local Settings\Temp\A0c.exe
C:\Documents and Settings\User\Local Settings\Temp\A0d.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 1cc155a7ae749427d1e71b2cfa1104fb
SHA1: 7e68f3ba0c4127321b25020830b4929ee055b062
SHA256: 20b3265bb633db4d844fc6cdfba864d969c36b6cdc86ad9335ffb6a684e11215

C:\Documents and Settings\User\Local Settings\Temp\A0e.exe
C:\Documents and Settings\User\Local Settings\Temp\A0h.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: af55d08beb7d0566207d5c4578d996f6
SHA1: 16083b904157796b8b4e67138d6b12ef499e8488
SHA256: 416a59e6754946d9aaa974d14cd5f8a2badf2304aad9a95091dd21d129f7eb09

C:\Documents and Settings\User\Local Settings\Temp\A0g.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: ab99c2ae53130d11426ef958d9faf6a7
SHA1: b957e631fdb4c93ee99b6278a7a0c8ece3287325
SHA256: 9e3fea81760046995913ce98865e20540c54dff49fc8b64523489b0ddbd3da19

C:\Documents and Settings\User\Local Settings\Temp\A0i.exe
C:\Documents and Settings\User\Local Settings\Temp\A0k.exe
C:\Documents and Settings\User\Local Settings\Temp\A0m.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: cd9ca2b3c651a51730dd16d251d1101d
SHA1: 2ffe72a1de7fc1a345413344997fb0fb1c47ba39
SHA256: dd560860c516adc1807e573a11e5f566dabac4e0d44fcfdf51d3dd0fe7814945

C:\Documents and Settings\User\Local Settings\Temp\A0l.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: cdecf69b2b0cc3c127799aacfed4fe39
SHA1: 8c54785eb5afe40b31a8e386b0aae42a6ac3d83f
SHA256: 38721ead6a99f40531b0dab5e97d7dac980a5af9a302de3b0ce3cc0af5800071

C:\Documents and Settings\User\Local Settings\Temp\A0o.exe
C:\Documents and Settings\User\Local Settings\Temp\A0p.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 7d83583c9ed8ec0abf7e8ef14d919e72
SHA1: a9fbb3aedbed192cc0795069075c837724e0890b
SHA256: 3a6d46be6fc12e9e25fb078c1b7ae6035fa401b50f6ec18ee082b46ec844aa75

C:\Documents and Settings\User\Local Settings\Temp\A0q.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 4a2cb12c5a95ea28aad368eb6f75da52
SHA1: 9b10fb40d3793b0a489dc96857206b9ffb3eff23
SHA256: 46f7cdd307e906f0dbba68595ac96bb9165e5e3bc09797201484f35568c6adbf

C:\Documents and Settings\User\Local Settings\Temp\A0t.exe
C:\Documents and Settings\User\Local Settings\Temp\A0u.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: ff6e9be6b28854f55d43da3f85b5e483
SHA1: bf4b19177a2c1aa5a4515767a6d364d074e9b8b3
SHA256: 9301475892f5fce285b6ab21a46e80c8e49ce99c6da3eb7fe37070779b7e6235

C:\Documents and Settings\User\Local Settings\Temp\A0s.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: c776afb075a09f52032a1f0019dae43a
SHA1: 23459ce37fe37af6ccff74af80d587ae63b64fed
SHA256: 10c0d66488c7bfcc9f35e1ed4c6648c543d370e7f1fbc84c011b3982f4e31810

C:\Documents and Settings\User\Local Settings\Temp\A0x.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: b8d483eb040d13c4c86b511ac6ef9560
SHA1: 19e7cf457d1749edc664e991312f4bb8b582d518
SHA256: b033bf31945353cabfae29f712e2e0028828f437655970378e3f65210a51455c

C:\Documents and Settings\User\Local Settings\Temp\A0w.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: aeb23c078aa9719cdaa4f92bb953228e
SHA1: 19a868c2aed8c3c0dc2a1b02394391bcf2f9a33d
SHA256: 88d6f782b808709a334abc0e6bdbea49427efb055e0ad9fc219967e2a03f630a

C:\Documents and Settings\User\Local Settings\Temp\A0y.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 5bac0a2c59f78ca0ce6a2cdc9c2b6948
SHA1: 549981865368bb4c9f55766c910e87cae27e5c79
SHA256: 7fec13951e77e87b2600ed4f3bdf7971c3180ba0f70b3ced92915232d710f961

C:\Documents and Settings\User\Local Settings\Temp\A11.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 9223ab840edc3a8b766d5ad565eba6ef
SHA1: 6d41dda5b7f1aa3f405aae148d368e71901d87e0
SHA256: 51560eb0f1b681c540247c1f25c00da30dc3728d33316561c45cc7e7d2a08e68

C:\Documents and Settings\User\Local Settings\Temp\A10.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: e8124e9309535496bebcaec420df9e37
SHA1: a0437e76f86c53b6d309790aba3be8daa29bd8a9
SHA256: 3249da8c83cff0f1280ace4efa0d1c30317bb445d06a99b630fd1bea646ee46e

C:\Documents and Settings\User\Local Settings\Temp\A12.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 3ecaea8f45b25cc90ec75996b9985a2b
SHA1: 2831289e71d6bbe0fab09190797a3bc27338f570
SHA256: 277496db72bca7f80311a37623ecd5ad36972f1e703b8074b31a408e94461f69

C:\Documents and Settings\User\Local Settings\Temp\A13.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 4b31f61554005c9fef3d956a16664236
SHA1: 15000edc1cd72d7d68a894b6f87f171a27905cd6
SHA256: 613529ec80693ec22251b55f5dc1a2bf9e4c6fc9a8ec6280046aa25494150db5

C:\Documents and Settings\User\Local Settings\Temp\A14.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 2087a9be584d18107eceb1ccf7f1ed06
SHA1: 94e3400164c66489927fd9539426391a0649f46c
SHA256: 5ce35bfdb4fcb00e336476a822dc3498387648d4c3a9f4809a96ca7d00da5523

C:\Documents and Settings\User\Local Settings\Temp\A15.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 87f8390e0977fbfe9b9e0845d88abb3f
SHA1: 15d893a1c0a3a7abee676bf836151dc89d348da0
SHA256: 6145a03dbf1001d3ec8985f97f2974a067870ddd6c9f2fd2200819b74efd80aa

C:\Documents and Settings\User\Local Settings\Temp\A17.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 9cc19fa45c6cbf99ad92114339dd120c
SHA1: fe54ccf332210ddbf465e46415473e448f9dcf1d
SHA256: e8eeb7da58b326a3674402bf7b4dbe04076db7976ee51327ca26a2541fe8117b

C:\Documents and Settings\User\Local Settings\Temp\A18.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 4c386b417d37fed299ca583aaa5a3d72
SHA1: 3d7f9f289ea9f34e79cc05396c80e4ae7769eeaa
SHA256: 89bccd92ffbbbb0ffb8d1b1a99648937d36c2f75177f2cd32a9a09e3abb9dfd9

C:\Documents and Settings\User\Local Settings\Temp\A19.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: befc0910103baa16d5ec10273f502025
SHA1: c83c40acb1ecf987afbeee1b785fc60017ad93a3
SHA256: a0a6aaa26487e3f157c81b967c18d3bd0fb7ef9abfca75b0464a30c8792cac78

C:\Documents and Settings\User\Local Settings\Temp\A1a.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 2b433c6fb591c72dabb543beb6467fb5
SHA1: b4c5e156d7610a288065c68b8c194b9e9197b613
SHA256: 94e3b100c01135e511edd611b3617cf363953d5390b9f919503607a479d3e02f

C:\Documents and Settings\User\Local Settings\Temp\A1d.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: c2bfd8cfa4c5f4c5502919361180f18d
SHA1: 28b9cb893f9be5ad0df1d29568c645e9aa400b89
SHA256: 206899ea28c6abb923875bf20c51e327a2fabe45e4145bc5843dacee5e95f4c6

C:\Documents and Settings\User\Local Settings\Temp\A1b.exe
C:\Documents and Settings\User\Local Settings\Temp\A1c.exe
C:\Documents and Settings\User\Local Settings\Temp\A1f.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: fe78c18d2bbdd5d62e84c457bde7c57f
SHA1: 5ebf0e1c33fdf9985d00547bf2eb5049cb2f9f87
SHA256: 6b78e6384cd69ed4565566ce6c66d81a1d88d58ab2be4d4feaed2263a3a7db8f

C:\Documents and Settings\User\Local Settings\Temp\A1h.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 62fc6b18787d3480a5decbda767782b0
SHA1: cdf40518e69a9f5422631f94055aaefe76507aba
SHA256: 64094056c388437e89af0f37fbce50bc674d239aaa3eb7a89c3b78eb510c0bfb

C:\Documents and Settings\User\Local Settings\Temp\A1i.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 7da93290ef0b5dee589f181a5cf1624b
SHA1: 3ccbd95f36e006ddb90d91d3cf3ea6d40f72f399
SHA256: a36fd74bfa282e113d2ded89056d7a11d23caeccc43d9e932027d1f5ec6eff4b

C:\Documents and Settings\User\Local Settings\Temp\A1j.exe
C:\Documents and Settings\User\Local Settings\Temp\A1m.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 541e2ecd4ed3603b63195652bebdda83
SHA1: ac552c65065dc364ce09757fae399353adefd832
SHA256: f1a79ea64956cc3a50f9b0f4f9ccd43652cebf3d1f945ba1282d79f56f5451d2

C:\Documents and Settings\User\Local Settings\Temp\A1l.exe
C:\Documents and Settings\User\Local Settings\Temp\A1o.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 7ab116365142b5f7cd3b773804b7201e
SHA1: 2fd29447b32c6ce7b867fe9435f84fc397e9bf37
SHA256: 0e7946aeb2b9e8dbbc017719dd749b17b0e793ba1696cfc84b109a48fff86664

C:\Documents and Settings\User\Local Settings\Temp\A1q.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: f55e3fd0fc4c7195e1f82a09d53469d8
SHA1: 0cb9935db9544c16672206a950328e7473da0068
SHA256: 2bbc10ef567bce3cc4626eabbf8dcd2425b56969c7a739cf1d1068eb25d89b50

C:\Documents and Settings\User\Local Settings\Temp\A1r.exe
C:\Documents and Settings\User\Local Settings\Temp\A1s.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: d1ed083245d2167d733360ef6d893d9c
SHA1: 9abdb3586633b557900de82170f96bc67a8026c3
SHA256: ea100a51295f0d43ddd6e5462b2f27b276078f46a457d39c97ba86f09e1ab50c

C:\Documents and Settings\User\Local Settings\Temp\A1t.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 5bd53be3cf57d4dcff4416f1253dfd54
SHA1: 9be267de237e5de47bff3e97b6f343a5392213c8
SHA256: ed1c446e96cb20f851a11f676f6664430961e8b0f3081a1ceff64c3d01d82cee

C:\Documents and Settings\User\Local Settings\Temp\A1v.exe
C:\Documents and Settings\User\Local Settings\Temp\A1y.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCB|%idn%=0ad999c6a7c0f000|
Filesize: 269824
MD5: 1a73a22a2234779180225974c39390de
SHA1: 3b732de9bba4a04fda918a5ef6af264098a06197
SHA256: b0651a0eefd575750b254a7126a293a237c8ed7a9bdc5e07a51aae7bf3ba827b

C:\Documents and Settings\User\Local Settings\Temp\A1u.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: f84249b95f2a1ca4ce2100793edb014b
SHA1: e08485a65e26261eb3e3ea0cfc545d419935c619
SHA256: a91bcb9cafad5db6e51209132b134aada970120c9c96b80518747a176da49e02

C:\Documents and Settings\User\Local Settings\Temp\A1x.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 98a2d27b2d1966bb7cd1489714293efc
SHA1: e47ae6a29f58ed5efe4aa169e15b28f55d9075b3
SHA256: 3051d0a569ba8aaa2ed8bde241c310e854e1f48a820e467efab5291f6e5a3bc9

C:\Documents and Settings\User\Local Settings\Temp\A28.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ABES|%idn%=0ad999c6a7c0f000|
Filesize: 181760
MD5: 4a9f4d973c8e66ef15623179c3e42f27
SHA1: 44a8350528bc3611c6b570b62ee7b293f60f2796
SHA256: 0411de8fbb2b795d4cec1025aa7979c2b957156c3df943dc31f5efbcb49f1a6b

C:\Documents and Settings\User\Local Settings\Temp\A2f.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: b28de56406791edd5e73498d10554024
SHA1: 4de5152b2a5d3427ac754e2b0ce4dc07bb8c1bea
SHA256: cd304a290472580fe4df4e40379ffb6110825f1baa98bfd8c9e7e5e3f1ee76c5

C:\Documents and Settings\User\Local Settings\Temp\A2g.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YCF|%idn%=0ad999c6a7c0f000|
Filesize: 191488
MD5: 034acd18c5e82679ad9ea6a13b1b67b7
SHA1: 65844bf9c8439a12ed1b0f6466c7b3caf9bebec8
SHA256: 87cce4699a3f5fe4cb6d629550217376b3eef5833cb604b65f769eb0080a9f8e

C:\Documents and Settings\User\Local Settings\Temp\A2j.exe
C:\Documents and Settings\User\Local Settings\Temp\A2m.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YTD|%idn%=0ad999c6a7c0f000|
Filesize: 183296
MD5: 6b9b74759f11fd99f6327b11a9a49626
SHA1: 8481832345a24e0a4a584ae045792314ed44aef0
SHA256: 149e2d4af909c96940f73ddad08e977b624b03a2704ed90b9fe3ec1788800754

C:\Documents and Settings\User\Local Settings\Temp\A2i.exe
C:\Documents and Settings\User\Local Settings\Temp\A2k.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YTS|%idn%=0ad999c6a7c0f000|
Filesize: 276992
MD5: da001bb21971e66209d8d5c0d9493fb7
SHA1: b9497ac787d0e2577c8e56820ec4aea7e64da137
SHA256: cf0d6d50c2dbd5d83760b95ed71ae1e6681d947f0b9f46d64b506a3eb61090a8

C:\Documents and Settings\User\Local Settings\Temp\A2n.exe
C:\Documents and Settings\User\Local Settings\Temp\A2q.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YTS|%idn%=0ad999c6a7c0f000|
Filesize: 276992
MD5: bc4cebdb0503bfc3f815abc20e22be8f
SHA1: a624ebf4ea98d28011cd18798bca6f608579ed51
SHA256: 4a87eea6ec82e48ec44f9d462ab23c30d4578473ddeb2c5c61348f24cd19a2c5

C:\Documents and Settings\User\Local Settings\Temp\A2o.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.CGCS|%idn%=0b367dd99d353000|
Filesize: 190464
MD5: e2b316fa4e0a3c79906dfb4a3e01511a
SHA1: bb5e33e6b8c68dc4f0bca445a4078cea67f750eb
SHA256: 92927fde652b946c1771bf0c48a82718b20e5875ae729b7d2f6149c85942c1f5

C:\Documents and Settings\User\Local Settings\Temp\A2p.exe
C:\Documents and Settings\User\Local Settings\Temp\A2r.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.YTD|%idn%=0ad999c6a7c0f000|
Filesize: 183296
MD5: 63a6d435f21a446fd5fc9f001fdef498
SHA1: e874d87059918a0bae95bdb634acbedb82bd5e4e
SHA256: bbd62fdc97a3af59e644e11864d65f3532ca9c0dc4054b3ce81903394feb2b0d

C:\Documents and Settings\User\Local Settings\Temp\A2u.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ZXO|%idn%=0ad999c6a7c0f000|
Filesize: 178176
MD5: bf78c30dda0906a4e6b6cf42672d3a35
SHA1: e453a5293c5e6f98da08b8633ea2a51358891365
SHA256: 9e7ca131da5a321c61dd28503c3569e8c437963929cfd9535c3490624c88c6b9

C:\Documents and Settings\User\Local Settings\Temp\A2s.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ZXC|%idn%=0ad999c6a7c0f000|
Filesize: 273920
MD5: c966c0c45af8a34b1a81e5e797a9e1eb
SHA1: 8d4acb05548b8d9d4d3a6787a6ba0d9aeca96cfe
SHA256: b45d8c2ccdec38cc3c97ad1999c13c3c44ad9ad2fcf5db0b59c619537e0bbb58

C:\Documents and Settings\User\Local Settings\Temp\A2v.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ZXC|%idn%=0ad999c6a7c0f000|
Filesize: 273920
MD5: aa373abd9075c7f2b44dbcd131a2b861
SHA1: 8bb9e5548860e8db7ed87646881adf7bdfaa833d
SHA256: 6361dd22e25d4de12374b8439b7ed93d2fb24e1e0f793b0df8e34240b036b50a

C:\Documents and Settings\User\Local Settings\Temp\A2x.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ZXO|%idn%=0ad999c6a7c0f000|
Filesize: 178176
MD5: b0423b58291f0c3852add3bf85c6d7ba
SHA1: fafcbcd37df533f85e407da7013f266516b96135
SHA256: bc716d28e1d1dfec7d36536e358eb6a3526973213524dc2192d6117c6ebb57d8

C:\Documents and Settings\User\Local Settings\Temp\A3c.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ACBH|%idn%=0ad999c6a7c0f000|
Filesize: 173568
MD5: 253ae2fab99a33e889cd21eee47a682a
SHA1: 72ee176fcc3be7bb434c93ae7d77fe61dd8654d8
SHA256: 8cf2d13e7ba7f65ee2c5a9e4a9ac83ecbf4890ffccb1ebd65fdede1c209a0311

C:\Documents and Settings\User\Local Settings\Temp\A3e.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ACWP|%idn%=0ad999c6a7c0f000|
Filesize: 175104
MD5: bb61ceb467c1b84c53009725334c1e12
SHA1: 10216e60be8e08b4dc22fc3e14651b417643f459
SHA256: f1b8f90c988de36785236a14e8b4ef14952187f71e585710ba42389e5ce4d12a

C:\Documents and Settings\User\Local Settings\Temp\A3g.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ACWP|%idn%=0ad999c6a7c0f000|
Filesize: 175104
MD5: edbcc409a67ae234a59efd94c253b4c3
SHA1: 7088bfedbead40eced34ba07651eb9563377e3db
SHA256: 3e095f2330dd8c762d6859dba9d28aba84da5abb7b7a7f55d0eb8842ab6a7db7

C:\Documents and Settings\User\Local Settings\Temp\A3i.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.ADOR|%idn%=0ad999c6a7c0f000|
Filesize: 164864
MD5: 0b7edf6ddaf73bc26a0a9b855b38da2b
SHA1: 74dbd939c151b7cf486b4e1574f4b1ce9d0edb94
SHA256: b7f56a691517290572b3cc55247435b176d35b1e7f3fb649fd3900a4c8ed7416

C:\Documents and Settings\User\Local Settings\Temp\Al1.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TXZ|%idn%=0ad999c6a7c0f000|
Filesize: 231424
MD5: 537c50d7e5f4f35d2b2f2bfb3193a050
SHA1: 8f6e89406ea0bf45018ee1c8176d76450c913a2f
SHA256: 70412112b7e83b222739a1881d6bafdc017801e0adf6a22fa8f98dbd3471cbf6

C:\Documents and Settings\User\Local Settings\Temp\Al6.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BKDN|%idn%=0b367dd99d353000|
Filesize: 160256
MD5: eda6dab80caf527edf8cafb12c4b63b8
SHA1: 362641fe84238aaae73c460343393dddb163ea99
SHA256: 063ba830519c14db743d3a51abad1bff4366d10dbed179410168950b70234bed

C:\Documents and Settings\User\Local Settings\Temp\Alv.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TXZ|%idn%=0ad999c6a7c0f000|
Filesize: 231424
MD5: 7e6827327df7533aff73bed0cbe58f21
SHA1: 90b64d0c80324377a6adf4278c9d757d941789aa
SHA256: 03ec2e232a4a06b22ca2b794d2e2fa90db558d2a67b0e39d9bb0a7ac4e1fcbee

C:\Documents and Settings\User\Local Settings\Temp\Alx.exe
C:\Documents and Settings\User\Local Settings\Temp\Alz.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.TXZ|%idn%=0ad999c6a7c0f000|
Filesize: 231424
MD5: e5d65e1d21fff176b93398229c483c3c
SHA1: 8479a89da7a834dfb647e4b7ec37206d527b0771
SHA256: 10ad8e32fcc984d87cc7bb8bce114503664c3028d9a0713e25391662bad72141

C:\Documents and Settings\User\Local Settings\Temp\Am0.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPEO|%idn%=0b367dd99d353000|
Filesize: 168960
MD5: 08b5db2141325ef80d02ac725002e82d
SHA1: ba09abb8e8bd4a9f3bf23067eb34c45265c401d2
SHA256: 7edf9601d08853e3ebccb2fc2c867dea6b51b044824f80f50cf8ca412aa9f60e

C:\Documents and Settings\User\Local Settings\Temp\Am2.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPEO|%idn%=0b367dd99d353000|
Filesize: 168960
MD5: 9f03df162957482d7a5c28bd5283c8c3
SHA1: af742da7cf7c6c7b124149c42575e6cd3e4addf4
SHA256: 15189954b0345802a9c383161f260b37be8d1e9484c8eea9e8578e703c253888

C:\Documents and Settings\User\Local Settings\Temp\Am4.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPEO|%idn%=0b367dd99d353000|
Filesize: 168960
MD5: f41cf204ab27d2fd934d9679d0023487
SHA1: 06f24ea76300d5e121f98d56107d8253b04ce8fc
SHA256: ce5d6c0e5f5e593e273abb950ffdca9ec9233fbada05c79df4a041f17a670d30

C:\Documents and Settings\User\Local Settings\Temp\Am6.exe
C:\Documents and Settings\User\Local Settings\Temp\Am7.exe
C:\Documents and Settings\User\Local Settings\Temp\Am9.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPEO|%idn%=0b367dd99d353000|
Filesize: 168960
MD5: f77dc4d0fa1fa5903cc7e3bb78dabe3d
SHA1: dd8ff71dca834ee71cf5431cf28e66481a91e41b
SHA256: bb17686a4988271b3d5a67335f9aaa9c99aeb88318a20e6d3775ef0b4177a5d6

C:\Documents and Settings\User\Local Settings\Temp\Amb.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BKDN|%idn%=0b367dd99d353000|
Filesize: 160256
MD5: 5baa4582cd652be23b889879f3c5f84f
SHA1: ec8b52e5276fb9416a6211d078e5a00b8904e568
SHA256: 81c68733dfd259148cb6e809023d102ea06dec37b4dfcea83b285945e0ba47d6

C:\Documents and Settings\User\Local Settings\Temp\Ame.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BKDN|%idn%=0b367dd99d353000|
Filesize: 160256
MD5: 6f03eaa1cf320f819e17dcbfea24d299
SHA1: f449072bbeec224d3107862b3db1d2f86c3b5e13
SHA256: cd49c46152b0e025f22bc5da340ef4901baf6ccaafb1674931a8ee002ed87a91

C:\Documents and Settings\User\Local Settings\Temp\Amj.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BKDN|%idn%=0b367dd99d353000|
Filesize: 160256
MD5: 6f03eaa1cf320f819e17dcbfea24d299
SHA1: f449072bbeec224d3107862b3db1d2f86c3b5e13
SHA256: cd49c46152b0e025f22bc5da340ef4901baf6ccaafb1674931a8ee002ed87a91

C:\Documents and Settings\User\Local Settings\Temp\Amm.exe
C:\Documents and Settings\User\Local Settings\Temp\Amo.exe
C:\WINDOWS\Adujod.exe
C:\WINDOWS\Adujoc.exe
C:\WINDOWS\Adujof.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039464.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039465.exe
C:\System Volume Information\_restore{EB8183BB-2F84-4875-A05D-B060126045B1}\RP341\A0039466.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BKDN|%idn%=0b367dd99d353000|
Filesize: 160256
MD5: 6883edcca08d7e9d7ddfcddd3b9de642
SHA1: bbc4c09f965d3600ce12a3c6d173dbf19f1497d8
SHA256: 59862462b631127401f130df01d0c956681948dde31c4fa3b9c87458d6554bfa

C:\Documents and Settings\User\Local Settings\Temp\Amv.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPEO|%idn%=0b367dd99d353000|
Filesize: 168960
MD5: d609a71854643fab65f6b063b23ae1f7
SHA1: ec561400bea51eb1e4fbeb05752d79c6b3a1aff2
SHA256: dde13f2b8659cd7b9e51b00e270667cf8d166e1fc5c9ddb6183fa8eee0e0e520

C:\Documents and Settings\User\Local Settings\Temp\Amx.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPEO|%idn%=0b367dd99d353000|
Filesize: 168960
MD5: b4700d25a44ed09b9488a6f6caac1ca6
SHA1: 3d36f18ccf648648afe77681d8a531f15c47a47e
SHA256: 93fb22efc066ae740e22d3e2f646234a989ec28f0ddb207a44f033a4c0f7283b

C:\Documents and Settings\User\Local Settings\Temp\Amy.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BPEO|%idn%=0b367dd99d353000|
Filesize: 168960
MD5: b9d4d455e8035b4b048c2413c8eee64e
SHA1: 85dc5baa319a19c385e57211330f33ce8b78639a
SHA256: bdcfe2f02a16af493b00b2883d53fe72cb4d1ea42594a0c30a219f24625bc8fc

C:\Documents and Settings\User\Local Settings\Temp\An3.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: 44413eb5f2d37ade23fe130483c1b355
SHA1: 40f82e88eb9dde4179f333f79578a3f75dfaf655
SHA256: a2a02869d17adab29f78965de721fd27094419a84603f5ad8cbc95981b35aadb

C:\Documents and Settings\User\Local Settings\Temp\An4.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BXBT|%idn%=0b367dd99d353000|
Filesize: 261632
MD5: 2a63fdd51925d91d6062ce1f90ee3270
SHA1: d8927e8790bd0b50578c7bb2ac19f38f02ac7586
SHA256: 6261200366c2f3a7b2d5e070f5940bbf74cbb1f5ef5832ae0d7872ffab9769f9

C:\Documents and Settings\User\Local Settings\Temp\An7.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BXBT|%idn%=0b367dd99d353000|
Filesize: 261632
MD5: 036e356cf52d91ff8c8aa9b509333ce9
SHA1: 322233e1734749bbce6d887a34ed6b4e1a3493bf
SHA256: 851e62b6f2be721cdb690028d838896d40ab8afbc04aeb7726f7fa2eade2f61c

C:\Documents and Settings\User\Local Settings\Temp\An6.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: 885e8219aea8bb03b4c74e366eca6b2f
SHA1: bd1f03cd09cb3fbd21e5f8a96273cec8263988a4
SHA256: babc32e417555b2587ec2cd14cc46d64d59c704b302f7683826a5275f84030b0

C:\Documents and Settings\User\Local Settings\Temp\An9.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: a880349998e6ed3c47151ced3042f43e
SHA1: 68d0b0326620e72ad1a07fb079174ccb2958450b
SHA256: 34095405982a32b899a193b54b2140d303e9c9bfe308d3fd5dc39282cf7f89fc

C:\Documents and Settings\User\Local Settings\Temp\And.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASKC|%idn%=0b3665f766b0e000|
Filesize: 236032
MD5: 1d3c7b595e6924c59bba834e558a04ff
SHA1: 895287ba10dc6f2813a531f0a714c7072ae54cdb
SHA256: f76f77fc0316f8b04860589710ba132989e74e5bc18f2afa8b1051ef4d94173e

C:\Documents and Settings\User\Local Settings\Temp\Anc.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASJR|%idn%=0b3665f766b0e000|
Filesize: 159744
MD5: 198e1ea65597c2e5f7d60d37264fcc4f
SHA1: e854e06d88ba2ebe637128c5365f6acc719c54ca
SHA256: b05a2a13d38a8e531b357bd6521abb2d2a1f183c22096da9a00735c4de99cb64

C:\Documents and Settings\User\Local Settings\Temp\Anf.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASJR|%idn%=0b3665f766b0e000|
Filesize: 159744
MD5: 75c9b140e6335181fe6fbb2d344968dd
SHA1: 9c517af9b127638caa98e6a303a6b1c9eb4bac8a
SHA256: 927e15c6b140ab26ee5da4add9d4cedd371b7cc63b51534ebe14be15e0e5a859

C:\Documents and Settings\User\Local Settings\Temp\Anh.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASJR|%idn%=0b3665f766b0e000|
Filesize: 159744
MD5: 6158d51916d8225770ba29fdf2c1af87
SHA1: 9df5e48de5780ee87305a36e0e1b6658dc852814
SHA256: 556317491a90cf853aefa5f92b1b37db8fdf46a1d6a202226a149f9bed4df6c8

C:\Documents and Settings\User\Local Settings\Temp\Ani.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASKC|%idn%=0b3665f766b0e000|
Filesize: 236032
MD5: 7b2e6367f507536e4deaa82c4aaabb6e
SHA1: 9fcdfa36ba97cf3c394e7f8936afc30e12ee3dfb
SHA256: 37762b102550bf201c50c9f3af3bf89d843c7c821d628e23f55780ec4a464ea6

C:\Documents and Settings\User\Local Settings\Temp\Ank.exe
C:\Documents and Settings\User\Local Settings\Temp\Anl.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASJR|%idn%=0b3665f766b0e000|
Filesize: 159744
MD5: 1f42c50584d94f85e7c0922a7ff01954
SHA1: c58c5f7484229ec138c47ce5eb6a93d3ea53b16d
SHA256: cfa2742d6cae0e66863419fa4674716ea872e5684faed47630e8a64152b3a967

C:\Documents and Settings\User\Local Settings\Temp\Ann.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASJR|%idn%=0b3665f766b0e000|
Filesize: 159744
MD5: 93def397852a1a165e02423ff6cbeb22
SHA1: 4b9171f735388d6bb278afd0417ad61d14e4bea3
SHA256: 7a9d34d36d0726aa229ea6ebb29d93c9a53ad4a6032eb155c3fa1befd781fdc3

C:\Documents and Settings\User\Local Settings\Temp\Anq.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASJR|%idn%=0b3665f766b0e000|
Filesize: 159744
MD5: b9476855c643a284b22ef55e9370e5b7
SHA1: d95a1b82881d0bcea2a2f654708a66f6a7c48089
SHA256: 89f99db25ecfb0870bc33424b179f521b1f42eaa7800a528cf05ebc0c618eb3d

C:\Documents and Settings\User\Local Settings\Temp\Ano.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASKC|%idn%=0b3665f766b0e000|
Filesize: 236032
MD5: a4dafa0eb0f185678ebce3a66b95a4ad
SHA1: 74712cf85229b9f92674200a3c298492eea82c13
SHA256: cf987bc9a7d0fc5818113827f7a810846d28942a7421726f826688ddcf704694

C:\Documents and Settings\User\Local Settings\Temp\Anr.exe
C:\Documents and Settings\User\Local Settings\Temp\Ant.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASKC|%idn%=0b3665f766b0e000|
Filesize: 236032
MD5: d80d1ac6ad9a764e1b3bc64828de12e6
SHA1: b66fb545176380fd68f8d878bccdd37e7bbb33fd
SHA256: bed9100077b0b05917bf25b98e435fc5ceceecfbc1946e5682d52c89fe8b2256

C:\Documents and Settings\User\Local Settings\Temp\Ans.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASJR|%idn%=0b3665f766b0e000|
Filesize: 159744
MD5: a82787898ac53f4e2e4db7dcfc4fd31b
SHA1: ec85989b3413892c39a3c5e5fff0633bc610c00f
SHA256: 982a11480ebab463ba70704ce790dea5967bd1d2c18e14c54ab060154cffd6dd

C:\Documents and Settings\User\Local Settings\Temp\Anu.exe
Identification (AVG): @EID_Id_trj|%name%=Agent2.ASJR|%idn%=0b3665f766b0e000|
Filesize: 159744
MD5: d9a8d04280c2684a70be3453163c63bc
SHA1: c0c2e4da116bd9f8f9491d6a0b5d18cdc3a874e2
SHA256: 00512f4132e78dbeb97522b4d81fcbc6658fcc9f154d27ae1a01374bbdb034ae

C:\Documents and Settings\User\Local Settings\Temp\Anw.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: ffcca4e414b3d973d0572da92d3e79bf
SHA1: 89ac221d6eab38a2afd5cefbc013333f4e6a6dc6
SHA256: 04d2b48770cf231b4278ad658632effbd55897c71bc1f5adc18f3c3d93a56053

C:\Documents and Settings\User\Local Settings\Temp\Ao1.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VLM|%idn%=0b366eac68b00000|
Filesize: 173056
MD5: 500e8c878acd0525c40c67005a2d1cd6
SHA1: c56ec9acd0fdaf9ddbb6fdb830beee36faeb29ad
SHA256: 5e942db260035987408851f52e9dee3fc411cb2dabfea957b8d2899a03847700

C:\Documents and Settings\User\Local Settings\Temp\Ao4.exe
C:\Documents and Settings\User\Local Settings\Temp\Ao7.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VLM|%idn%=0b366eac68b00000|
Filesize: 173056
MD5: 38c94f23cba053c7257abd346f8b52eb
SHA1: bb2e67f97a001d5d024e9a8c33d4fb8377fcd568
SHA256: 0e71d99d6567a76f7f648dc840d5ff125a3071ec2bdff73b4061a8364a1d7364

C:\Documents and Settings\User\Local Settings\Temp\Aoa.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BXBT|%idn%=0b367dd99d353000|
Filesize: 261632
MD5: 9769c0ca763e1e934e18dff3a57e291f
SHA1: cb5eebc499f6063807f1e6cad8139b1d72cdd6c2
SHA256: ccf3fac81c9a97f3c9f5beba58b4a6e91fc24bead5ab0219e884925e5c45b497

C:\Documents and Settings\User\Local Settings\Temp\Aoc.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: e6dd404488938a1cc43293fbe7793416
SHA1: 7248d4899b0baa04424ba9dd340db73eb36b8f77
SHA256: 5806225ba0915d8839d83cb9c8030b47519ce4c86d7f120464d70abb7a6962cd

C:\Documents and Settings\User\Local Settings\Temp\Aoe.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: 8f29bb57076e075dd16e8960dcdfb801
SHA1: d684778b8f06082c84c48d0763d5d0c0315fed0e
SHA256: 208a42a454b248f53c75e94f6f975317e11fecbb59ad19a8709a2e4b4b17900f

C:\Documents and Settings\User\Local Settings\Temp\Aog.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: 4c05f9752e8e7e70f8d4cffad76fdd97
SHA1: 6d59831688131e3153c5f05979c1aef9b187d471
SHA256: 0f3b88d8e96320ce4c6a19672c1cd86c43da3b3bbeb882ab8d20911510fe235d

C:\Documents and Settings\User\Local Settings\Temp\Aoh.exe
Identification (AVG): @EID_Id_trj|%name%=Generic17.BXBT|%idn%=0b367dd99d353000|
Filesize: 261632
MD5: b9438c572883b6af838990a45dc3351b
SHA1: bf8f0b0dc17983ecd3b8b6985b7ed0c5c6ff96f7
SHA256: d9bde49d159267eac5953879a475bb9ab5657c7e52beb32761e509c6887096e2

C:\Documents and Settings\User\Local Settings\Temp\Aoj.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: 41ee75531c830882bcadc13001c73648
SHA1: b397027fa56838406dd756b307ba0db77e12bc17
SHA256: bcd1efef4b0f95b9d3b33be35df8b88eee3f00bfc88a4e2b2770e61bd72a895d

C:\Documents and Settings\User\Local Settings\Temp\Aol.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: 13c8a97e10be049ca3718bc27af3ea4c
SHA1: 5db6841621cac56c11487e6a3b62548f76737d46
SHA256: 98c085d1f676180091bca5e03467a79c37c5dc331b93c1f715a00a19edadf308

C:\Documents and Settings\User\Local Settings\Temp\Aon.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: 5065f500fccbd8744b554da21f652848
SHA1: 7a9da6bc8a30d67e9823432ace1ea867d157232a
SHA256: 2715c310c742ba575cfa8ac89703f921678854f93c6357f49475ffcc79010c5f

C:\Documents and Settings\User\Local Settings\Temp\Aoo.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.VZD|%idn%=0ad999c6a7c0f000|
Filesize: 168448
MD5: a860e8b982b9dec4f47f2d2d7aca78b1
SHA1: b53adeaf1e735f06985cb681f9e910f22cb024c8
SHA256: 48f8f11f482e76075a041902d1c5eb45d53e02f5e264875e21517302f72d0fae

C:\Documents and Settings\User\Local Settings\Temp\Aoq.exe
C:\Documents and Settings\User\Local Settings\Temp\Aot.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VLM|%idn%=0b366eac68b00000|
Filesize: 173056
MD5: f66d94d1dd29ea92516db1f7d2090426
SHA1: ee641854b883bad439b53b2bb239bdf51495ceb4
SHA256: bcc48043196db8feee6867e0b724ff9851996c3d7b57c8e83d003263082229f4

C:\Documents and Settings\User\Local Settings\Temp\Aov.exe
C:\Documents and Settings\User\Local Settings\Temp\Aoy.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VLM|%idn%=0b366eac68b00000|
Filesize: 173056
MD5: 500e8c878acd0525c40c67005a2d1cd6
SHA1: c56ec9acd0fdaf9ddbb6fdb830beee36faeb29ad
SHA256: 5e942db260035987408851f52e9dee3fc411cb2dabfea957b8d2899a03847700

C:\Documents and Settings\User\Local Settings\Temp\Ap0.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WRM|%idn%=0ad999c6a7c0f000|
Filesize: 263680
MD5: 5673b1d101ba9716052329450f5820a7
SHA1: ddf38fb4a912ba8f48b916b7d6893a4997be383c
SHA256: 5caa6344cc0a46c5a8f6643437a8603bea8a816e3446778c0673597677ea5102

C:\Documents and Settings\User\Local Settings\Temp\Ap1.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VQV|%idn%=0b366eac68b00000|
Filesize: 183808
MD5: df223edf0f8200bce2644e02014aa95f
SHA1: 194ffb7ba93b78e7cd1886ce2ff4cd5cb4973e72
SHA256: 7526279780b8d8698e66415507c017216033eddd33af70e8aa53ddb8ee6af33b

C:\Documents and Settings\User\Local Settings\Temp\Ap3.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VQV|%idn%=0b366eac68b00000|
Filesize: 183808
MD5: 95605862c7d149214aabf973dbb776b5
SHA1: b5f3277e3bdfab46274b415e7093b00e94d5f597
SHA256: 6c3aa2ccbe2bd2ae1ece65820b1066fbf9c4ab6fb5468bdde21c4ad053dfda79

C:\Documents and Settings\User\Local Settings\Temp\Ap5.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VQV|%idn%=0b366eac68b00000|
Filesize: 183808
MD5: 12b00f4e6e90b14d23f59598eecafd33
SHA1: 0c3a8ad3bb7faef206749f9d0a8caaa1fa6c454b
SHA256: e4ab7363cd42d44511b05dd4fa29a8cc01f9a72b0c27d470e31d3c4030d374ba

C:\Documents and Settings\User\Local Settings\Temp\Ap7.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WRM|%idn%=0ad999c6a7c0f000|
Filesize: 263680
MD5: e2d2ec1caa97e80a311e4d68c3fff4ca
SHA1: 04144f24b7697d713717642ffb9a0cd7eb96a46e
SHA256: 39d04282eb22ea988801fa53144c3f14cac821093b3a53343afff0dd94c84441

C:\Documents and Settings\User\Local Settings\Temp\Ap8.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VQV|%idn%=0b366eac68b00000|
Filesize: 183808
MD5: 4b52a42f973d19f0d2a74e3c45934b17
SHA1: bcf01f7e975e817aab2ab5939f763e9c502a1797
SHA256: 679ef826b29ab56012460d77b844f1ee76db5d6872cdce6f8a4bd364a41c6a15

C:\Documents and Settings\User\Local Settings\Temp\Apa.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VLM|%idn%=0b366eac68b00000|
Filesize: 173056
MD5: 8af340407fd2ed4007acb232f2496eb1
SHA1: 0168f06b43f2cfb9247846ab95aea1b2066d932c
SHA256: 4ca6a5aebd5fc2548f6da015dc99e8714b220eb89a59dde32ccfe104d8db9e84

C:\Documents and Settings\User\Local Settings\Temp\Apd.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VLM|%idn%=0b366eac68b00000|
Filesize: 173056
MD5: 552843fd081733166a750a1a99dfd190
SHA1: 640f1a509e702eb8aaced79c124fbf411acebc1f
SHA256: 48c1419191b131e91d4f0b8cfeaea2c512c5974a39debacb4a0852a6af4ac726

C:\Documents and Settings\User\Local Settings\Temp\Apg.exe
Identification (AVG): @EID_Id_trj|%name%=Crypt.VLM|%idn%=0b366eac68b00000|
Filesize: 173056
MD5: 9a3f455389f925a40a61dc0acb7d34c6
SHA1: c3df8d270df5f6763711366278b83f53b3b1c6e6
SHA256: 648f58b6f7fd9419fb946fb623207a7a307578caa12188193647251ac88def63

C:\Documents and Settings\User\Local Settings\Temp\Apl.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BOH|%idn%=0b367998dd66e000|
Filesize: 178688
MD5: 5ca373a3717ad4719a666794ad79e98c
SHA1: 3c1aaa99bab5a2827e78c2dbb8a62437e1da22db
SHA256: 62782c36980c11aa296f1980a3bebf852e8d08b68b9acc50991363249a75927c

C:\Documents and Settings\User\Local Settings\Temp\Apm.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WDZ|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: 8576c87cf2a17c72b8b2056ebc9e6db3
SHA1: e7a391e3bc8ee75ddfd5d20b86de65958162d13a
SHA256: 315ba0d16f9a046e87036bcaec7947a266bab43a59c06bafd62f6c2801a4cabe

C:\Documents and Settings\User\Local Settings\Temp\Apo.exe
Identification (AVG): @EID_Id_trj|%name%=FakeAV.BOH|%idn%=0b367998dd66e000|
Filesize: 178688
MD5: 4a99798b33a735a19fe45054e5b8c2bc
SHA1: d74b4527349a002701059e112dde1a9f22616f84
SHA256: d79377613d4823b533989a5cf0e96834463384245d12cc0b4b88b170dddee5af

C:\Documents and Settings\User\Local Settings\Temp\App.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WDZ|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: ce0edb1d6d39b687bd23561c58de4eb7
SHA1: 064d25e73f7e002635f5096bba3723fe3aea07a5
SHA256: 9bd024728e582abf30e1ce7dac144994e8cbb3172a15353bb3e567aaaffe8b53

C:\Documents and Settings\User\Local Settings\Temp\Apr.exe
C:\Documents and Settings\User\Local Settings\Temp\Aps.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WDZ|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: 51e11f96df7ab4c0c18faf17f89ef113
SHA1: ffeb3985b92582aaeaf08f9b4a1532bef3e3ebba
SHA256: c0f720584fb15ec8f18dab11634b6e674dad5532cca66a9cc4f7afb267c1188b

C:\Documents and Settings\User\Local Settings\Temp\Apu.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.WDZ|%idn%=0ad999c6a7c0f000|
Filesize: 169984
MD5: 6837ce786232aebf67dc317610797ff8
SHA1: a56b0636480002aef44e459be72de1255ee496a8
SHA256: fc2567fe97c1bce353ced35dc12e8d3bd8311fc00c8a30f6ebedea36d3c8ec47

C:\Documents and Settings\User\Local Settings\Temp\Aq2.exe
C:\Documents and Settings\User\Local Settings\Temp\Aq5.exe
C:\Documents and Settings\User\Local Settings\Temp\Aq6.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqz.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: ee6a3eae3def2e7d916245195730e6fa
SHA1: 11435e6d4dcedad93a8db3e06d467759bb4e6618
SHA256: 2043835de9780cd83d887cb16d128643b144709328194ae8815772cf2e2fff9b

C:\Documents and Settings\User\Local Settings\Temp\Aq7.exe
C:\Documents and Settings\User\Local Settings\Temp\Aq8.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: ac95ded998b425ee944f95d35bd08131
SHA1: fdeac9c2f36338b45dae5a1e0e1d0ecb12ee3340
SHA256: 8dbea48ec58f9cc73ec8640385351223736dcc47d6586b49da0ed6cd6a6197d3

C:\Documents and Settings\User\Local Settings\Temp\Aqd.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 3b13ee574c7a9289ee2a0ba5e5aeaee1
SHA1: c3f4feeff32b39273c5ec07b3e68e365750e461d
SHA256: 047513760af024645c16b3c25861283d3581232270b2b9e69bf1287c4eff312a

C:\Documents and Settings\User\Local Settings\Temp\Aqf.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 0755d71597ad1812dda9717646bf6561
SHA1: 2dc4adeb3bfa141ca73d1602c4886659d2a285e0
SHA256: 8829c92c675b4e1883c5546596a874705cdd60ce11c8cc31397357d71d8b24ea

C:\Documents and Settings\User\Local Settings\Temp\Aqh.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqj.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: d9891ba998ae8770e1f3482274b0b538
SHA1: 958d3eb0e00aab82454961fbf041f6760e406c8a
SHA256: 8cd995b8808818780629748040d00cc1c11f66a07e4139d6986272fd959d7c77

C:\Documents and Settings\User\Local Settings\Temp\Aqn.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqo.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqq.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqp.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqs.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 959068938c53eada84c50a1f0512b606
SHA1: 00b61fb3dbda8c6c464cde2bd9fbb215650c8e53
SHA256: f5e7486d8040297e32d4e3e7cb8080334a6d59c38a5f31f5436073dc9a749434

C:\Documents and Settings\User\Local Settings\Temp\Aqv.exe
C:\Documents and Settings\User\Local Settings\Temp\Aqx.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 7749a1650099debd1c6b57a450b64303
SHA1: 174450d655baddf4b2bcdda289a734bcce8c5f0e
SHA256: d596601cf6c45bd5f1a8222fcbae64a012cd05a6a23685b1fb0a375d9db721de

C:\Documents and Settings\User\Local Settings\Temp\Ar2.exe
C:\Documents and Settings\User\Local Settings\Temp\Ar4.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 8683fb3629e832675a3516cb481a7bae
SHA1: d1ad5bbf8b00ed81470b677a964a39ee2601854b
SHA256: ac115b235e22a6a74e6e9498428eef2abe30f055244392a6accaa6df4256d7b8

C:\Documents and Settings\User\Local Settings\Temp\Ar6.exe
C:\Documents and Settings\User\Local Settings\Temp\Ar8.exe
C:\Documents and Settings\User\Local Settings\Temp\Ar9.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 11143139dd00371685268202548f0bb8
SHA1: 9733be14e71fe6a0efaea0dc2a80dabce34f4012
SHA256: cb4eafb7576ef18be0004571c97311b3a837b13ec5910029020f32c60aec6cc5

C:\Documents and Settings\User\Local Settings\Temp\Ara.exe
C:\Documents and Settings\User\Local Settings\Temp\Ard.exe
C:\Documents and Settings\User\Local Settings\Temp\Arb.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 50acb3afa301cf7f14ec5dd75e3f0e08
SHA1: 3e1f1f3ed10abdf420067ef50488b20da4ad6a9e
SHA256: c5b46eec200603be3a8915e9c3e68b44497956176ac0cf60505141ac181e3cf2

C:\Documents and Settings\User\Local Settings\Temp\Arf.exe
C:\Documents and Settings\User\Local Settings\Temp\Arg.exe
C:\Documents and Settings\User\Local Settings\Temp\Arh.exe
C:\Documents and Settings\User\Local Settings\Temp\Arj.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: cc3f4159bd79afbec8af3da574b66cca
SHA1: 060d4aac39847ce482240bbcbc48c7ba999f525f
SHA256: d823f404a7a9057d1e18095324f6f12b9b412d6dbbefd597f42b94150b4fbaef

C:\Documents and Settings\User\Local Settings\Temp\Arn.exe
C:\Documents and Settings\User\Local Settings\Temp\Aro.exe
C:\Documents and Settings\User\Local Settings\Temp\Arr.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 0a46323a0af2dc7100e7b281c72964d5
SHA1: b802c002646af069d41e9036d93df721256b3d40
SHA256: 444a1b43868d78e48e59f20f2dd3f5c997e748c9ac69a86deaf7a35e62435c51

C:\Documents and Settings\User\Local Settings\Temp\Aru.exe
C:\Documents and Settings\User\Local Settings\Temp\Arw.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: c9d3305a857d6e0032127f5c633eca86
SHA1: 5ad03e1775e17f44bfa92f287391c1cba6c08fe5
SHA256: e76e8d83b7b755435652820c2ba9195b98da4d000057e0280b8c6b0a6f471ee0

C:\Documents and Settings\User\Local Settings\Temp\Arx.exe
C:\Documents and Settings\User\Local Settings\Temp\Arz.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 8683fb3629e832675a3516cb481a7bae
SHA1: d1ad5bbf8b00ed81470b677a964a39ee2601854b
SHA256: ac115b235e22a6a74e6e9498428eef2abe30f055244392a6accaa6df4256d7b8

C:\Documents and Settings\User\Local Settings\Temp\As1.exe
C:\Documents and Settings\User\Local Settings\Temp\As2.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 7008fce2fbde6b4feea194e44f4b8a69
SHA1: 6d7526043e60fb73e3d1788584fe9f7310d07757
SHA256: a96703a3b60f32a260a796afdd7724921b9b19378a20c2e46afdaf9987c84b71

C:\Documents and Settings\User\Local Settings\Temp\As3.exe
C:\Documents and Settings\User\Local Settings\Temp\As4.exe
C:\Documents and Settings\User\Local Settings\Temp\As6.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: b16ab23b482e9ac17c1d9dae6cf73a2b
SHA1: 168369736bed04461d23238250d0e231a4679215
SHA256: ee8cee0d3542124621087a58af14b0de9c9a0bcff1ab5d1aaffee35a2f567f5b

C:\Documents and Settings\User\Local Settings\Temp\As9.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 6b93f278ba8359dd18d311da2e9806d7
SHA1: ac9131b607fed61c3eeea47a3bd2909fa548f471
SHA256: 4a59b8584a5cf302a7d8e81e055d847ae735d79bb9245b1b8e524f9797747127

C:\Documents and Settings\User\Local Settings\Temp\Asc.exe
C:\Documents and Settings\User\Local Settings\Temp\Asf.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: f9fd1f6c3a9ed40ba22c6e4512c5504b
SHA1: a0e12c8365877c27ab67fc400420a1666cc2aeb2
SHA256: 8dac28c2010f4422a7db398d511865b02f2e5f4790113776a0379843b18076b7

C:\Documents and Settings\User\Local Settings\Temp\Ash.exe
C:\Documents and Settings\User\Local Settings\Temp\Asi.exe
C:\Documents and Settings\User\Local Settings\Temp\Asj.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: f0a63344e38129222fde6329a42435c6
SHA1: b59e1a58eee721141fc68daec9206955a2cbc648
SHA256: 02af62d8be10063d5ac8405fec6a249383b475af8081a0adb3e6a90f375e0661

C:\Documents and Settings\User\Local Settings\Temp\Asm.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: f0a63344e38129222fde6329a42435c6
SHA1: b59e1a58eee721141fc68daec9206955a2cbc648
SHA256: 02af62d8be10063d5ac8405fec6a249383b475af8081a0adb3e6a90f375e0661

C:\Documents and Settings\User\Local Settings\Temp\Asp.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 81d869357007aa9c9167a7b27a5591c8
SHA1: 3287309e91b531471c7cab9d59917af60fb1d655
SHA256: 4fb7b759ab3803978d91289f8e3d9a000c950b742903dcdb7b03d4cb0dd1f86a

C:\Documents and Settings\User\Local Settings\Temp\Ass.exe
C:\Documents and Settings\User\Local Settings\Temp\Ast.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 4c425910c4327af998171e49fa3e3429
SHA1: 7bf68f8646d69a9cc276893b46df079fc7a4322b
SHA256: 94f4dc6be376bcddcfe093a957c085e3c082333221dc341915091d067c21fee1

C:\Documents and Settings\User\Local Settings\Temp\Asu.exe
C:\Documents and Settings\User\Local Settings\Temp\Asv.exe
C:\Documents and Settings\User\Local Settings\Temp\Asy.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: a17a349ffc12497447f3e358860ea538
SHA1: db6ab1bb55a4568b5cb01e0903bf5d00fca64474
SHA256: 0c6e7525d2b13bc78e8bf6247b2624683450149f5de904adc4be16db16a00532

C:\Documents and Settings\User\Local Settings\Temp\At0.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: 943083077d6ab0ceae5885cf98b7715e
SHA1: 9364455b28a2eaa7f183831880a4ba3878573407
SHA256: 1f265b5edea833a4c6016450104d420e9ba6bc6dbd7d92d14b5879c79d35b66e

C:\Documents and Settings\User\Local Settings\Temp\At2.exe
C:\Documents and Settings\User\Local Settings\Temp\At3.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: b6fe0c6f6d714a98ee12dcc9b3ff217d
SHA1: e2ecb0a7d6349eac63674eb3380baf221965c697
SHA256: 7f5368c84550262d17b69be621a3a88d216b70dd71ec59f705555a4edf8454ba

C:\Documents and Settings\User\Local Settings\Temp\At4.exe
C:\Documents and Settings\User\Local Settings\Temp\At5.exe
C:\Documents and Settings\User\Local Settings\Temp\At6.exe
Identification (AVG): @EID_Id_trj|%name%=SHeur3.XBR|%idn%=0ad999c6a7c0f000|
Filesize: 172544
MD5: b7ebae18ede40f536760dbe8060bf8c0
SHA1: f90102b8c4d2dd9b78b54626eeef59c422ff4365
SHA256: a92ba7d6b35cafaf904f100459274331239bbe3bebb4abc4e35465f428ad77dd

DNS queries were performed for:
hotcx.com
hotdf.com
allxt.com
rundseys.com

Infected 'Computer' #2: Execution Test (April 10th 2011, inside VM)

Fake antivirus installer malware:
C:\Documents and Settings\User\Local Settings\Temp\packupdate107_2121[1].exe
Identification (AVG): @EID_Id_trj|%name%=PSW.Ldpinch.ACWB|%idn%=0b28da4728866000|
Filesize: 220160
MD5: 3708ad30afcc667fba0ef52a2ba6bf04
SHA1: 9865b42a446be5f513ff97217408c855a64e3203
SHA256: 588679bf437f5237d5a489df3698666631f5d9fddd39f9adcb52c4e26d61c9fd
Copied itself to Documents and Settings/%USERNAME%/Local Settings/Temp/packupdate107_2121[1].exe

[Image: screenshot-mss-installer.png]

Installs fake antivirus program 'My Security Shield':

[Image: screenshot-mss.png]

During installation DNS queries were performed for:
update2.safe-your-pcnow.net
update1.best-pc-guardever.com

A TCP connection on port 80 was established with 173.244.223.32 (update1.best-pc-guardever.com)
(server up April 10th, 2011)

http://www.utrace.de/?query=173.244.223.32
Provider: Hosting Services
Region: Providence (United States)


A DNS query was performed for:
report.countdom.net

A TCP connection on port 80 was established with 209.222.8.102 (report.countdom.com)
(server up April 10th, 2011)

http://www.utrace.de/?query=209.222.8.102
Provider: Choopa.com
Organisation: KM_LTD
Region: Sayreville (United States)


A TCP connection on port 80 was established with 95.211.97.181
(server up April 10th, 2011)

http://www.utrace.de/?query=95.211.97.181
LeaseWeb B.V., Amsterdam (The Netherlands)

UDP packets were sent to port 137 of 95.211.97.181

DNS queries were performed for:
secure2.buytheshield.net
www5.my-security-shield.com
update1.required-software.com

A TCP connection on port 80 was attempted with 69.57.173.219 (update1.required-software.com)
(server down April 10th, 2011)

http://www.utrace.de/?query=69.57.173.219
Provider: FortressITX
Region: Clifton (United States)


DNS queries were performed for:
secure1.main-protecion.com
report.cleaner-soft.com
secure1.base-guardian.net
update1.firstpower-holder.com

A TCP connection on port 80 was established with 209.212.149.22 (update1.firstpower-holder.com)
(server up April 10th, 2011)

http://www.utrace.de/?query=209.212.149.22
Provider: Ecomdevel, LLC
Region: Arlington Heights (United States)


A TCP connection on port 80 was established with 95.211.99.111
(server up April 10th, 2011)

UDP packets were sent to port 137 of 95.211.99.111

A TCP connection on port 80 with Google was established; %WINDIR%/system32/drivers/etc/hosts was modified so that search engine queries were redirected to 95.211.99.111.
Filename: %WINDIR%/system32/drivers/etc/hosts
Filesize: 2690
MD5: 102228e189b87c4086917e7c3bffa955
SHA1: 92594f8779ebe8e279f8e136324a59a2c3468805
SHA256: dff4a066f50cbe140992130157b18a2ff53d6c429cba2ae3b71d8253e3923853

http://www.utrace.de/?query=95.211.99.111
LeaseWeb B.V., Amsterdam (The Netherlands)

When I connected to 95.211.99.111 I got this:
$ telnet 95.211.99.111 80
Trying 95.211.99.111...
Connected to 95.211.99.111.
Escape character is '^]'.
GET http://www.google.com HTTP/1.0

HTTP/1.1 302 Found
Server: nginx
Date: Tue, 12 Apr 2011 05:11:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Location: http://www.google.com/ncr
Cache-Control: private
Set-Cookie: PREF=ID=52b99a82be6f805b:FF=0:TM=1302585104:LM=1302585104:S=qBnWEQbO2vNbbW_i; expires=Thu, 11-Apr-2013 
05:11:44 GMT; path=/; domain=.google.com
Set-Cookie: 
NID=45=RYvc2d7UgRRRSaaabDV8Zzsf__totFxiJVcZgekifo2wt_UH8NNJi3aDOPNwS46xMiy1UYU6HQYGtnM91uWXMpnS41160cdohxZ9YkS7RNUya0K5KZ00MhVAcLXjtpqz; 
expires=Wed, 12-Oct-2011 05:11:44 GMT; path=/; domain=.google.com; HttpOnly
Content-Length: 218
X-XSS-Protection: 1; mode=block

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.nl/">here</A>.
</BODY></HTML>
Connection closed by foreign host.

$ telnet 95.211.99.111 80
Trying 95.211.99.111...
Connected to 95.211.99.111.
Escape character is '^]'.
GET http://www.altavista.com HTTP/1.0

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Apr 2011 05:16:29 GMT
Content-Type: text/html
Content-Length: 55
Last-Modified: Wed, 06 Apr 2011 15:32:27 GMT
Connection: close
Accept-Ranges: bytes

<html>
<h1>Service temporary unavaliable</h1>
</html>Connection closed by foreign host.
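
The hosts-file modification above is what made the redirect work: the proxy at 95.211.99.111 answers Google requests with a harmless-looking 302 while the user's searches pass through it. A defender can catch this class of tampering by parsing the hosts file and flagging any well-known search-engine name that resolves to a non-loopback address. The following is an added example, not code from the write-up; the hosts content it parses is constructed to mirror the behaviour described on the page (the real modified file is not reproduced), and the watch-list of domains is an assumption that a practitioner would extend.

```python
"""Flag hosts-file entries that redirect well-known search engines.

Added example; not part of the original write-up. SAMPLE_HOSTS is a
constructed stand-in for the modified hosts file described on the page.
"""
import ipaddress

# Names a clean hosts file has no reason to override (assumption: a
# defender's watch-list, extend as needed).
WATCHED_SUFFIXES = ("google.com", "google.nl", "bing.com",
                    "yahoo.com", "altavista.com")

# Loopback/blackhole targets are the normal, benign use of a hosts override.
LOOPBACK_OK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample, NOT the file from the infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
95.211.99.111   www.google.com
95.211.99.111   google.com
95.211.99.111   www.altavista.com
::1             localhost
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)          # skip malformed lines
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is, or is a subdomain of, a watched domain."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Return [(hostname, ip)] for watched names mapped off loopback."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_watched(name) and ip not in LOOPBACK_OK:
            hits.append((name, ip))
    return hits


def redirect_targets(text):
    """Distinct addresses the watched names are redirected to."""
    return sorted({ip for _, ip in suspicious_entries(text)})


if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip}")
    print("redirect targets:", redirect_targets(SAMPLE_HOSTS))
```

On a live Windows system the same functions can be pointed at `%WINDIR%\system32\drivers\etc\hosts`; a single address collecting several search-engine names, as in the sample, is the pattern seen on this infected machine.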

The file C:\Documents and Settings\All Users.*\Application Data\acc88d4\MSacc8_2121.exe was downloaded
(it was cached under C:\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files\Content.IE5\G1I301Q3\8f64d[1].exe)
Filesize: 2523648
MD5: a20e1c2292d5049a91f191660b3014db
SHA1: f7bd3a0930d9aac064d5738192aca4ebc93c79e5
SHA256: 62449ca86e02966defb254e98bafc5719ac57fb6e7ad4f66c69d6e407ca7b94a

*.lnk shortcut files were created in the user's Desktop/ and Start Menu/ folders and in the
/Documents and Settings/%USERNAME%/Application Data/Microsoft/Internet Explorer/Quick Launch/ folder.
New registry value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"My Security Shield" = "[location of MSAcc8_2121.exe]"

The file C:\Documents and Settings\All Users.*\Application Data\acc88d4\8325.mof was created.
Filesize: 334
MD5: e0825c7a2701e4e9ce5fb7b4c3036db7 
SHA1: d56880517353421a4c3246338577b4628f447455
SHA256: 5225da3d92ef8c4f817b3988560ed3da4d5e2a55055dad2295b5faeaba70af22

The file %ALLUSERSPROFILE%\Application Data\acc88d4\MSS.ico was created.
Filesize: 4286
MD5: 487f28b4c932c327def75368bf87ab56
SHA1: 60863404e8fd031397e60840d0cbf945c0331f00
SHA256: 5495b3a8eeb00f3e182200878658f0e063010c692dcd3e70c2245a99e7ee182d

The file %ALLUSERSPROFILE%\Application Data\acc88d4\MSSSys\vd952342.bd was received
Filesize: 12463
MD5: 5982cc5cb23907f32bba035b91e0cff4
SHA1: 100821a90737ff912df37f8baebe759b873ab5bc
SHA256: b5345badf68a13e2912d4b1503684ed7deb60164592a25e622d7ffcbb74af78f

The following files, which are meant to look like viruses,
were created under /Documents and Settings/%USERNAME%/Recent/

   56 2011-04-10 02:43 ANTIGEN.exe
   66 2011-04-10 02:34 ANTIGEN.sys
   68 2011-04-10 02:34 DBOLE.dll
   39 2011-04-10 02:34 delfile.exe
   46 2011-04-10 02:34 eb.sys
   26 2011-04-10 02:34 fan.drv
    9 2011-04-10 02:34 FS.exe
   51 2011-04-10 02:34 FW.sys
   65 2011-04-10 02:34 FW.tmp
   63 2011-04-10 02:34 gid.drv
   66 2011-04-10 02:34 gid.sys
   14 2011-04-10 02:34 grid.tmp
   69 2011-04-10 02:34 hymt.tmp
   61 2011-04-10 02:34 PE.dll
    4 2011-04-10 02:34 runddl.sys
    9 2011-04-10 02:34 SICKBOY.dll
   80 2011-04-10 02:34 snl2w.drv
   60 2011-04-10 02:34 std.exe

md5sum Recent/*
14e5b453eccfba98cae1b719a9051447 Documents and Settings/%USERNAME%/Recent/eb.sys
1818535b59066cc8385c619989d997d0 Documents and Settings/%USERNAME%/Recent/PE.dll
19aaf7b15dc6dc20036b1f0c56711f1b Documents and Settings/%USERNAME%/Recent/hymt.tmp
1b481adf24806427031b12e845c7c4fd Documents and Settings/%USERNAME%/Recent/snl2w.drv
22f6ac6585a4eb467df93878e42250dc Documents and Settings/%USERNAME%/Recent/FW.sys
30f5e30815883ea42348d3f6b4e79662 Documents and Settings/%USERNAME%/Recent/runddl.sys
3859b1ea757c440e22b1613aed5abc2e Documents and Settings/%USERNAME%/Recent/SICKBOY.dll
6198270fdedc03598422e5fab23013c8 Documents and Settings/%USERNAME%/Recent/DBOLE.dll
7817814ea10864244c5c8fcdb223c42f Documents and Settings/%USERNAME%/Recent/grid.tmp
92ff8c7bfcb414473b9876f2f58d49d9 Documents and Settings/%USERNAME%/Recent/ANTIGEN.sys
9646ce1b9e87538478abbd5138897943 Documents and Settings/%USERNAME%/Recent/ANTIGEN.exe
b6e4475695c81b44f2b9bd690e5a8ecb Documents and Settings/%USERNAME%/Recent/delfile.exe
bfcfa89dba45002ccba6473887d238ae Documents and Settings/%USERNAME%/Recent/fan.drv
bfd08e0b147cb552dca421ccf8eef0d5 Documents and Settings/%USERNAME%/Recent/FS.exe
d0976ddd501b823efe93fd0980a23a1c Documents and Settings/%USERNAME%/Recent/FW.tmp
df689c7a339624989d13860c3d4143ee Documents and Settings/%USERNAME%/Recent/gid.drv
f1d1f185f8a75cf0d9cf84beb7c48a7c Documents and Settings/%USERNAME%/Recent/gid.sys
fb518e011128cda5394304bef3f01205 Documents and Settings/%USERNAME%/Recent/std.exe

The following other changes in the filesystem were witnessed:

2dce22b4d4fc7a7350240d457e794757 WINDOWS/Prefetch/SVCHOST.EXE-3530F672.pf
2e37028c69e57c864b414f0dcb970e84 WINDOWS/Prefetch/MOFCOMP.EXE-01718E95.pf
30f2cecf4101cb54d8cf94a547ec1957 WINDOWS/Prefetch/PACKUPDATE107_2121[1].EXE-22A1E644.pf
3ec3254773cbc76a55ef1e23cb0a92e8 WINDOWS/Prefetch/CMD.EXE-087B4001.pf
60706cc383a0d6ffde80e2a3b8449d8e WINDOWS/Prefetch/NTOSBOOT-B00DFAAD.pf
812c72d8d2dd3f99e45dc5b58aa7b956 WINDOWS/Prefetch/NETSH.EXE-085CFFDE.pf
9b8124a163bfc840ea20cfb7f1274a2b WINDOWS/Prefetch/TASKKILL.EXE-0A8306E3.pf
b42c9995d766dc0a9910d64a73a5f512 WINDOWS/Prefetch/WMIPRVSE.EXE-28F301A9.pf
b89fc76403c2470cf3e1f346b5afcc3a WINDOWS/Prefetch/MSACC8_2121.EXE-06158117.pf

fbff585d46123b0526f59aaaacdaf554 Documents and Settings/%USERNAME%/Application Data/My Security Shield/Instructions.ini

Fake antivirus messages were witnessed:

[Image: screenshot-mss-fakeavmsg.png]

The fake antivirus program made it difficult to start the Windows Task Manager process (%WINDIR%\system32\taskmgr.exe).
To run the Task Manager anyway, the following command could be used after clicking Start - Run (the copy runs under a different image name, so the Image File Execution Options entry for taskmgr.exe does not apply to it):

cmd /c copy %windir%\system32\taskmgr.exe taskmgr.pif && taskmgr.pif

_avp32.exe, _avpcc.exe, _avpm.exe, ~1.exe, ~2.exe, a.exe, aAvgApi.exe, AAWTray.exe, About.exe, ackwin32.exe, Ad-Aware.exe, adaware.exe, advxdwin.exe, AdwarePrj.exe, agent.exe, agentsvr.exe, agentw.exe, alertsvc.exe, alevir.exe, alogserv.exe, AlphaAV, AlphaAV.exe, AluSchedulerSvc.exe, amon9x.exe, anti-trojan.exe, Anti-Virus Professional.exe, AntispywarXP2009.exe, antivirus.exe, AntivirusPlus, AntivirusPlus.exe, AntivirusPro_2010.exe, AntivirusXP, AntivirusXP.exe, antivirusxppro2009.exe, AntiVirus_Pro.exe, ants.exe, apimonitor.exe, aplica32.exe, apvxdwin.exe, arr.exe, Arrakis3.exe, ashAvast.exe, ashBug.exe, ashChest.exe, ashCnsnt.exe, ashDisp.exe, ashLogV.exe, ashMaiSv.exe, ashPopWz.exe, ashQuick.exe, ashServ.exe, ashSimp2.exe, ashSimpl.exe, ashSkPcc.exe, ashSkPck.exe, ashUpd.exe, ashWebSv.exe, aswChLic.exe, aswRegSvr.exe, aswRunDll.exe, aswUpdSv.exe, atcon.exe, atguard.exe, atro55en.exe, atupdater.exe, atwatch.exe, au.exe, aupdate.exe, auto-protect.nav80try.exe, autodown.exe, autotrace.exe, autoupdate.exe, av360.exe, avadmin.exe, AVCare.exe, avcenter.exe, avciman.exe, avconfig.exe, avconsol.exe, ave32.exe, AVENGINE.EXE, avgcc32.exe, avgchk.exe, avgcmgr.exe, avgcsrvx.exe, avgctrl.exe, avgdumpx.exe, avgemc.exe, avgiproxy.exe, avgnsx.exe, avgnt.exe, avgrsx.exe, avgscanx.exe, avgserv.exe, avgserv9.exe, avgsrmax.exe, avgtray.exe, avgui.exe, avgupd.exe, avgw.exe, avgwdsvc.exe, avkpop.exe, avkserv.exe, avkservice.exe, avkwctl9.exe, avltmain.exe, avmailc.exe, avmcdlg.exe, avnotify.exe, avnt.exe, avp32.exe, avpcc.exe, avpdos32.exe, avpm.exe, avptc32.exe, avpupd.exe, avsched32.exe, avsynmgr.exe, avupgsvc.exe, AVWEBGRD.EXE, avwin.exe, avwin95.exe, avwinnt.exe, avwsc.exe, avwupd.exe, avwupd32.exe, avwupsrv.exe, avxmonitor9x.exe, avxmonitornt.exe, avxquar.exe, b.exe, backweb.exe, bargains.exe, bdagent.exe, bdfvcl.exe, bdfvwiz.exe, BDInProcPatch.exe, bdmcon.exe, BDMsnScan.exe, bdreinit.exe, bdsubwiz.exe, BDSurvey.exe, bdtkexec.exe, bdwizreg.exe, bd_professional.exe, beagle.exe, 
belt.exe, bidef.exe, bidserver.exe, bipcp.exe, bipcpevalsetup.exe, bisp.exe, blackd.exe, blackice.exe, blink.exe, blss.exe, bootconf.exe, bootwarn.exe, borg2.exe, bpc.exe, brasil.exe, brastk.exe, brw.exe, bs120.exe, bspatch.exe, bundle.exe, bvt.exe, c.exe, cavscan.exe, ccapp.exe, ccevtmgr.exe, ccpxysvc.exe, ccSvcHst.exe, cdp.exe, cfd.exe, cfgwiz.exe, cfiadmin.exe, cfiaudit.exe, cfinet.exe, cfinet32.exe, cfp.exe, cfpconfg.exe, cfplogvw.exe, cfpupdat.exe, Cl.exe, claw95.exe, claw95cf.exe, clean.exe, cleaner.exe, cleaner3.exe, cleanIELow.exe, cleanpc.exe, click.exe, cmd32.exe, cmdagent.exe, cmesys.exe, cmgrdian.exe, cmon016.exe, connectionmonitor.exe, control, cpd.exe, cpf9x206.exe, cpfnt206.exe, crashrep.exe, csc.exe, cssconfg.exe, cssupdat.exe, cssurf.exe, ctrl.exe, cv.exe, cwnb181.exe, cwntdwmo.exe, d.exe, datemanager.exe, dcomx.exe, defalert.exe, defscangui.exe, defwatch.exe, deloeminfs.exe, deputy.exe, divx.exe, dllcache.exe, dllreg.exe, doors.exe, dop.exe, dpf.exe, dpfsetup.exe, dpps2.exe, driverctrl.exe, drwatson.exe, drweb32.exe, drwebupw.exe, dssagent.exe, dvp95.exe, dvp95_0.exe, ecengine.exe, efpeadm.exe, egui.exe, ekrn.exe, emsw.exe, ent.exe, esafe.exe, escanhnt.exe, escanv95.exe, espwatch.exe, ethereal.exe, etrustcipe.exe, evpn.exe, exantivirus-cnet.exe, exe.avxw.exe, expert.exe, explore.exe, f-agnt95.exe, f-prot.exe, f-prot95.exe, f-stopw.exe, fact.exe, fameh32.exe, fast.exe, fch32.exe, fih32.exe, findviru.exe, firewall.exe, fixcfg.exe, fixfp.exe, fnrb32.exe, fp-win.exe, fp-win_trial.exe, fprot.exe, frmwrk32.exe, frw.exe, fsaa.exe, fsav.exe, fsav32.exe, fsav530stbyb.exe, fsav530wtbyb.exe, fsav95.exe, fsgk32.exe, fsm32.exe, fsma32.exe, fsmb32.exe, gator.exe, gav.exe, gbmenu.exe, gbn976rl.exe, gbpoll.exe, generics.exe, gmt.exe, guard.exe, guarddog.exe, guardgui.exe, hacktracersetup.exe, hbinst.exe, hbsrv.exe, History.exe, homeav2010.exe, hotactio.exe, hotpatch.exe, htlog.exe, htpatch.exe, hwpe.exe, hxdl.exe, hxiul.exe, iamapp.exe, iamserv.exe, iamstats.exe, 
ibmasn.exe, ibmavsp.exe, icload95.exe, icloadnt.exe, icmon.exe, icsupp95.exe, icsuppnt.exe, Identity.exe, idle.exe, iedll.exe, iedriver.exe, IEShow.exe, iface.exe, ifw2000.exe, inetlnfo.exe, infus.exe, infwin.exe, init.exe, init32.exe , install.exe, install[1].exe, install[2].exe, install[3].exe, install[4].exe, install[5].exe, intdel.exe, intren.exe, iomon98.exe, istsvc.exe, jammer.exe, jdbgmrg.exe, jedi.exe, JsRcGen.exe, kavlite40eng.exe, kavpers40eng.exe, kavpf.exe, kazza.exe, keenvalue.exe, kerio-pf-213-en-win.exe, kerio-wrl-421-en-win.exe, kerio-wrp-421-en-win.exe, killprocesssetup161.exe, launcher.exe, ldnetmon.exe, ldpro.exe, ldpromenu.exe, ldscan.exe, licmgr.exe, livesrv.exe, lnetinfo.exe, loader.exe, localnet.exe, lockdown.exe, lockdown2000.exe, lookout.exe, lordpe.exe, lsetup.exe, luall.exe, luau.exe, lucomserver.exe, luinit.exe, luspt.exe, MalwareRemoval.exe, mapisvc32.exe, mcagent.exe, mcmnhdlr.exe, mcmscsvc.exe, mcnasvc.exe, mcproxy.exe, McSACore.exe, mcshell.exe, mcshield.exe, mcsysmon.exe, mctool.exe, mcupdate.exe, mcvsrte.exe, mcvsshld.exe, md.exe, mfin32.exe, mfw2en.exe, mfweng3.02d30.exe, mgavrtcl.exe, mgavrte.exe, mghtml.exe, mgui.exe, minilog.exe, mmod.exe, monitor.exe, moolive.exe, mostat.exe, mpfagent.exe, mpfservice.exe, MPFSrv.exe, mpftray.exe, mrflux.exe, mrt.exe, msa.exe, msapp.exe, MSASCui.exe, msbb.exe, msblast.exe, mscache.exe, msccn32.exe, mscman.exe, msconfig, msdm.exe, msdos.exe, msfwsvc.exe, msiexec16.exe, mslaugh.exe, msmgt.exe, MsMpEng.exe, msmsgri32.exe, msseces.exe, mssmmc32.exe, mssys.exe, msvxd.exe, mu0311ad.exe, mwatch.exe, n32scanw.exe, nav.exe, navap.navapsvc.exe, navapsvc.exe, navapw32.exe, navdx.exe, navlu32.exe, navnt.exe, navstub.exe, navw32.exe, navwnt.exe, nc2000.exe, ncinst4.exe, ndd32.exe, neomonitor.exe, neowatchlog.exe, netarmor.exe, netd32.exe, netinfo.exe, netmon.exe, netscanpro.exe, netspyhunter-1.2.exe, netutils.exe, nisserv.exe, nisum.exe, nmain.exe, nod32.exe, normist.exe, norton_internet_secu_3.0_407.exe, 
notstart.exe, npf40_tw_98_nt_me_2k.exe, npfmessenger.exe, nprotect.exe, npscheck.exe, npssvc.exe, nsched32.exe, nssys32.exe, nstask32.exe, nsupdate.exe, nt.exe, ntrtscan.exe, ntvdm.exe, ntxconfig.exe, nui.exe, nupgrade.exe, nvarch16.exe, nvc95.exe, nvsvc32.exe, nwinst4.exe, nwservice.exe, nwtool16.exe, OAcat.exe, OAhlp.exe, OAReg.exe, oasrv.exe, oaui.exe, oaview.exe, OcHealthMon.exe, ODSW.exe, ollydbg.exe, onsrvr.exe, optimize.exe, ostronet.exe, otfix.exe, outpost.exe, outpostinstall.exe, outpostproinstall.exe, ozn695m5.exe, padmin.exe, panixk.exe, patch.exe, pav.exe, pavcl.exe, PavFnSvr.exe, pavproxy.exe, pavprsrv.exe, pavsched.exe, pavsrv51.exe, pavw.exe, pc.exe, pccwin98.exe, pcfwallicon.exe, pcip10117_0.exe, pcscan.exe, pctsAuxs.exe, pctsGui.exe, pctsSvc.exe, pctsTray.exe, PC_Antispyware2010.exe, pdfndr.exe, pdsetup.exe, PerAvir.exe, periscope.exe, persfw.exe, personalguard, personalguard.exe, perswf.exe, pf2.exe, pfwadmin.exe, pgmonitr.exe, pingscan.exe, platin.exe, pop3trap.exe, poproxy.exe, popscan.exe, portdetective.exe, portmonitor.exe, powerscan.exe, ppinupdt.exe, pptbc.exe, ppvstop.exe, prizesurfer.exe, prmt.exe, prmvr.exe, procdump.exe, processmonitor.exe, procexplorerv1.0.exe, programauditor.exe, proport.exe, protector.exe, protectx.exe, PSANCU.exe, PSANHost.exe, PSANToManager.exe, PsCtrls.exe, PsImSvc.exe, PskSvc.exe, pspf.exe, PSUNMain.exe, purge.exe, qconsole.exe, qh.exe, qserver.exe, Quick Heal.exe, QuickHealCleaner.exe, rapapp.exe, rav7.exe, rav7win.exe, rav8win32eng.exe, ray.exe, rb32.exe, rcsync.exe, realmon.exe, reged.exe, regedt32.exe, rescue.exe, rescue32.exe, rrguard.exe, rscdwld.exe, rshell.exe, rtvscan.exe, rtvscn95.exe, rulaunch.exe, rwg, rwg.exe, SafetyKeeper.exe, safeweb.exe, sahagent.exe, Save.exe, SaveArmor.exe, SaveDefense.exe, SaveKeep.exe, savenow.exe, sbserv.exe, sc.exe, scam32.exe, scan32.exe, scan95.exe, scanpm.exe, scrscan.exe, seccenter.exe, Secure Veteran.exe, secureveteran.exe, Security Center.exe, SecurityFighter.exe, 
securitysoldier.exe, serv95.exe, setloadorder.exe, setupvameeval.exe, setup_flowprotector_us.exe, sgssfw32.exe, sh.exe, shellspyinstall.exe, shield.exe, shn.exe, showbehind.exe, signcheck.exe, smart.exe, smartprotector.exe, smc.exe, smrtdefp.exe, sms.exe, smss32.exe, snetcfg.exe, soap.exe, sofi.exe, SoftSafeness.exe, sperm.exe, spf.exe, sphinx.exe, spoler.exe, spoolcv.exe, spoolsv32.exe, spywarexpguard.exe, spyxx.exe, srexe.exe, srng.exe, ss3edit.exe, ssgrate.exe, ssg_4104.exe, st2.exe, start.exe, stcloader.exe, supftrl.exe, support.exe, supporter5.exe, svc.exe, svchostc.exe, svchosts.exe, svshost.exe, sweep95.exe, sweepnet.sweepsrv.sys.swnetsup.exe, symlcsvc.exe, symproxysvc.exe, symtray.exe, system.exe, system32.exe, sysupd.exe, tapinstall.exe, taskmgr.exe, taumon.exe, tbscan.exe, tc.exe, tca.exe, tcm.exe, tds-3.exe, tds2-98.exe, tds2-nt.exe, teekids.exe, tfak.exe, tfak5.exe, tgbob.exe, titanin.exe, titaninxp.exe, TPSrv.exe, trickler.exe, trjscan.exe, trjsetup.exe, trojantrap3.exe, TrustWarrior.exe, tsadbot.exe, tsc.exe, tvmd.exe, tvtmd.exe, uiscan.exe, undoboot.exe, updat.exe, upgrad.exe, upgrepl.exe, utpost.exe, vbcmserv.exe, vbcons.exe, vbust.exe, vbwin9x.exe, vbwinntw.exe, vcsetup.exe, vet32.exe, vet95.exe, vettray.exe, vfsetup.exe, vir-help.exe, virusmdpersonalfirewall.exe, VisthAux.exe, VisthLic.exe, VisthUpd.exe, vnlan300.exe, vnpc3000.exe, vpc32.exe, vpc42.exe, vpfw30s.exe, vptray.exe, vscan40.exe, vscenu6.02d30.exe, vsched.exe, vsecomr.exe, vshwin32.exe, vsisetup.exe, vsmain.exe, vsmon.exe, vsserv.exe, vsstat.exe, vswin9xe.exe, vswinntse.exe, vswinperse.exe, w32dsm89.exe, W3asbas.exe, w9x.exe, watchdog.exe, webdav.exe, WebProxy.exe, webscanx.exe, webtrap.exe, wfindv32.exe, whoswatchingme.exe, wimmun32.exe, win-bugsfix.exe, win32.exe, win32us.exe, winactive.exe, winav.exe, windll32.exe, window.exe, windows Police Pro.exe, windows.exe, wininetd.exe, wininitx.exe, winlogin.exe, winmain.exe, winppr32.exe, winrecon.exe, winservn.exe, winss.exe, winssk32.exe, 
winssnotify.exe, WinSSUI.exe, winstart.exe, winstart001.exe, wintsk32.exe, winupdate.exe, wkufind.exe, wnad.exe, wnt.exe, wradmin.exe, wrctrl.exe, wsbgate.exe, wscfxas.exe, wscfxav.exe, wscfxfw.exe, wsctool.exe, wupdater.exe, wupdt.exe, wyvernworksfirewall.exe, xpdeluxe.exe, xpf202en.exe, xp_antispyware.exe, zapro.exe, zapsetup3001.exe, zatutor.exe, zonalm2601.exe and zonealarm.exe do not execute properly because the fake antivirus program created registry values under:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
e.g.:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
Debugger = svchost.exe

msseces.exe, MSASCui.exe, avgscanx.exe, avgcfgex.exe, avgemc.exe, avgchsvx.exe, avgcmgr.exe, avgwdsvc.exe, ekrn.exe, egui.exe, avgnt.exe, avcenter.exe, avscan.exe, avgfrw.exe, avgui.exe and avgtray.exe could not be run from Windows Explorer because the fake antivirus program created registry values to impose restrictions under:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
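
Both mechanisms described above (the Image File Execution Options "Debugger" hijack and the Explorer DisallowRun policy) leave plain registry values that an analyst can pull from an offline hive export and review. The following is an added example, not code from the write-up: it parses the text format produced by regedit / `reg export` and reports IFEO entries whose Debugger is not a known debugger, plus the programs blocked by DisallowRun when that policy is switched on. The key paths are the real Windows locations the page names; the sample export, the allow-list of legitimate debuggers and the `myapp.exe` entry are constructed assumptions.

```python
"""Report IFEO Debugger hijacks and DisallowRun policies from a .reg export.

Added example; not code from the original write-up. SAMPLE_REG is a
constructed export mirroring the values the page describes.
"""
import re

IFEO_KEY = (r"hkey_local_machine\software\microsoft\windows nt"
            r"\currentversion\image file execution options")
POLICY_KEY = (r"hkey_current_user\software\microsoft\windows"
              r"\currentversion\policies\explorer")
DISALLOW_KEY = POLICY_KEY + r"\disallowrun"

# Debuggers that legitimately show up in IFEO on developer machines
# (assumption; tune for your environment).
KNOWN_DEBUGGERS = ("vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe")

# Constructed sample export, NOT taken from the infected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="msseces.exe"
"2"="avgui.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: raw_value_literal}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("val")
    return keys


def _unquote(val):
    """Turn a REG_SZ literal ("..." with \\ and \" escapes) into plain text."""
    if val.startswith('"') and val.endswith('"'):
        val = val[1:-1]
    return val.replace('\\"', '"').replace("\\\\", "\\")


def ifeo_hijacks(text):
    """[(image, debugger)] for IFEO entries pointing at a non-debugger."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.startswith(IFEO_KEY + "\\") or "Debugger" not in values:
            continue
        image = key.rsplit("\\", 1)[1]
        debugger = _unquote(values["Debugger"])
        exe = debugger.strip('"').rsplit("\\", 1)[-1].lower()
        if exe not in KNOWN_DEBUGGERS:
            hits.append((image, debugger))
    return hits


def disallowed_programs(text):
    """Programs blocked by Explorer's DisallowRun, if the policy is enabled."""
    keys = parse_reg(text)
    policy = keys.get(POLICY_KEY, {})
    if policy.get("DisallowRun", "").lower() != "dword:00000001":
        return []
    return sorted(_unquote(v).lower() for v in keys.get(DISALLOW_KEY, {}).values())


if __name__ == "__main__":
    for image, dbg in ifeo_hijacks(SAMPLE_REG):
        print(f"IFEO hijack: {image} -> {dbg}")
    print("DisallowRun:", disallowed_programs(SAMPLE_REG))
```

Note that `reg export` writes UTF-16LE with a byte-order mark, so read a real export with `open(path, encoding="utf-16")` before handing the text to these functions. The allow-list is what keeps a developer box's Just-In-Time debugger entry from showing up as a finding; an entry such as `Debugger = svchost.exe`, which is not a debugger at all, is exactly the pattern seen here.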

[Image: screenshot-restrictions.png]

"Restrictions - This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator."

The fake antivirus program displays nag screens to force the user to pay for activation:

[Image: screenshot-mss-activation.png]

Infected Computer #3 (April 16th 2011)

Infection occurred via a drive-by download.

An HTTP GET was performed for a PHP script on 178.86.2.83 (aleheir.xe.cx).

http://www.utrace.de/?query=178.86.2.83
Provider: Tehnologii Budushego LLC
Organisation: paramore - Paul Lukashenko




75.102.21.120 (www4.hardhn-checker.isgre.at)

http://www.utrace.de/?query=75.102.21.120
Provider: Server Central Network
Organisation: HostForWeb
Region: Chicago (United States)


The browser cache indicates that HTTP connections to 212.117.176.150 (www2.strongmastervpd.vv.cc) were established to download an executable file that the user never requested; it was found in the internet cache (4 times):
Filesize: 389120
MD5: f9099fd427286c9273e82fbffc2de102
SHA1: 4df14ae717608d8c2dca106e0c715344ce864624
SHA256: c356e80b6e86f0215cfa20b27054d2f262935631cd4a853209a97fc66b175f3a

On the 17th of April the file was detected by AVG after the virus database had been updated to version 271.1.1/3579.
The file was identified as Generic22.IMO.

http://www.utrace.de/?query=212.117.176.150
Provider: root SA

An HTML page containing obfuscated JavaScript code was found:

Filesize: 20553
MD5: 69d8a4ededead76efe23c0bb9cff1f20
SHA1: c22a385937bdf7419448a87248070ce747837efb
SHA256: d55aebf51a4fa467dd82913e29e628bd5fb09bd171550be282f5910ed4efeb24

The title of the above page is "System scanner".
The page contains an IFRAME tag that embeds an XHTML file, which uses the obfuscated JavaScript file mentioned below. It also contains the following filenames: "icon_sprite.jpg", "main_sprite.jpg", "fill_sprite.gif", "table_divider.gif" and "load.gif".

Additionally, a file containing obfuscated JavaScript code was found:

Filename: 1c12305b.js
Filesize: 89879
MD5: d2f508b50189b82fd54019ecca7f8a32
SHA1: 4a2e4d5bd6622e96b088edcfda8e71a84c98b50d
SHA256: a313dab42905c914f000b8f6f03f697883bfa72660b0bc520d18ef6aec77e786

Analyzing Obfuscated JavaScript With Snort and Razorback, Alex Kirk, H2HC 7th Edition, 27th of November 2010.

The following rogue image files were found:

Filename: main_sprite.jpg
Filesize: 23159
MD5: 8a0e9d24d531254d4b5013c3df91c109
SHA1: 0f16561ef9fdc275b7386a450e023e309e35fed7
SHA256: b88beb42423024758a167d93cbd033f8731ec6ffc90b9147f3b89ca467d903fe

Filename: table_divider.gif
Filesize: 12517
MD5: f68527c50cbcf6d352eb6ccd0c593241
SHA1: 41b4a12f2badfb5b232e56b26f4275d6948eadd0
SHA256: fb8dae540c823233d1b3ade72dbbe7c0a7afc95f108b411361df653e9dfb6ec2

Filename: load.gif
Filesize: 12839
MD5: e73b06a4988f1edb2a5b1c944dd3c09b
SHA1: 1b93798eb8fabd19b28d93389480df1bbf46a709
SHA256: 533dbf0a9eb7589fcad638a4c95a7222d12c7f037591a2d42c79e5ba552f3e0c

The HTML page and image files came from 174.127.83.148 (www1.unihen-save.0ze.net)

http://www.utrace.de/?query=174.127.83.148
Provider: Hosting Services
Region: Providence (United States)


When the executable is run inside a VM, a TCP connection is made with 173.244.196.7

http://www.utrace.de/?query=173.244.196.7
Provider: Hosting Services
Region: Providence (United States)


Also, a TCP connection is made with 209.222.8.102

http://www.utrace.de/?query=209.222.8.102
Provider: Choopa.com
Organisation: KM_LTD
Region: Sayreville (United States)