Removal tool for Troj/DwnLdr-ICI, Win32.Genome.aodo (windowsupdate.exe, updt.exe) Trojan
March 19, 2010 by admin
Filed under Removal Tips,Tools and Videos

Sample Submitted By diego
Severity Level : 6/10
Alias:
- Troj/DwnLdr-ICI [Sophos]
- Generic Downloader.x!clz [McAfee]
- Trojan-Downloader.Win32.Genome.aodo [Kaspersky Lab]
- NOT Detected [Microsoft]
C.exe (MD5 : 2922808b832f2268cfca78579e527640) – VirusTotal Report : (Click Here)
File System Modifications
The following files were created in the system:
- %systemdrive%\windowsupdate.exe
- %systemroot%\upadates
- %systemroot%\updt.exe
- %system%\drivers\avgbkill.sys
- %system%\drivers\avgbkill.sys.off
Note:
- %system% is a variable that refers to the System folder. By default, this is "C:\Windows\System" (Windows 95/98/Me), "C:\Winnt\System32" (Windows NT/2000), or "C:\Windows\System32" (Windows XP).
- ? = Random file name.
Memory Modifications
There were new processes created in the system:
| Process Name | Process Filename |
| --- | --- |
| windowsupdate.exe | %systemdrive%\windowsupdate.exe |
| updt.exe | %systemroot%\updt.exe |
The following Internet action was started (the retrieved bits are saved into the local file):
| URL to be downloaded | Filename for the downloaded bits |
| --- | --- |
| 62.149.238.105 (host105-238-149-62.serverdedicati.aruba.it) | windowsupdate.exe |
| 74.52.140.10 (server.server358.net) | - |
| 200-155-88-15.bradesco.com.br | - |
| 200.220.186.3 (www.linhadiretasantander.com.br) | - |
| 200.220.186.3 (www.portalsantander.com.br) | - |
Registry Modifications
The newly created or modified Registry keys and values are:
[HKEY_CURRENT_USER\updt]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\znyjnerf\\znyjnerf\\p.rkr"=hex:01,00,00,00,06,00,00,00,c0,8b,1e,f5,3e,c7,ca,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Windows\\updt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CARLHOS]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CARLHOS\0000]
"Service"="carlhos"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="biba"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CARLHOS\0000\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="carlhos"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\carlhos]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"="system32\\drivers\\avgbkill.sys"
"DisplayName"="biba"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\carlhos\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\carlhos\Enum]
"Count"=dword:00000001
"NextInstance"=dword:00000001
"INITSTARTFAILED"=dword:00000001
"0"="Root\\LEGACY_CARLHOS\\0000"

[HKEY_USERS\S-1-5-21-790525478-789336058-1708537768-500\updt]

[HKEY_USERS\S-1-5-21-790525478-789336058-1708537768-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\znyjnerf\\znyjnerf\\p.rkr"=hex:01,00,00,00,06,00,00,00,c0,8b,1e,f5,3e,c7,ca,01
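The UserAssist value above is the forensic trace of the sample being launched from the analyst's desktop: Explorer stores the value name ROT13-encoded and, on Windows XP, the data as a 16-byte record of session id, run counter and last-run FILETIME. The following Python script is an added example (not part of the original post or the removal tool) that decodes exactly that entry as copied from the report; the only assumption is the XP layout of the data, in which the stored counter begins at 5, so a stored value of 6 means one execution.

```python
import codecs
import struct
from datetime import datetime, timedelta

# UserAssist entry copied from the registry report above (data given as the
# comma-separated hex the .reg format uses). Explorer ROT13-encodes the name.
VALUE_NAME = r"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\znyjnerf\znyjnerf\p.rkr"
VALUE_DATA = "01,00,00,00,06,00,00,00,c0,8b,1e,f5,3e,c7,ca,01"

# Assumption: Windows XP UserAssist counters start at 5 rather than 0.
XP_COUNTER_BASE = 5


def decode_name(name: str) -> str:
    """Undo the ROT13 applied to UserAssist value names (letters only)."""
    return codecs.decode(name, "rot13")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a naive UTC datetime."""
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)


def parse_userassist(name: str, data_hex: str) -> dict:
    """Parse one XP-format UserAssist value: ROT13 name + <session, count, FILETIME> record."""
    raw = bytes.fromhex(data_hex.replace(",", ""))
    if len(raw) < 16:
        raise ValueError("UserAssist data too short for the XP 16-byte record")
    session, count, ft = struct.unpack("<IIQ", raw[:16])
    return {
        "name": decode_name(name),
        "session": session,
        "stored_count": count,
        "runs": max(count - XP_COUNTER_BASE, 0),
        "last_run_utc": filetime_to_datetime(ft),
    }


if __name__ == "__main__":
    entry = parse_userassist(VALUE_NAME, VALUE_DATA)
    for key, value in entry.items():
        print(f"{key}: {value}")
```

The decoded name reads UEME_RUNPATH followed by the path the sample was run from, and the FILETIME resolves to the day the report was published, which is a quick way to confirm that a UserAssist artifact belongs to the incident timeline rather than to an older execution.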
Removal Tools :
Download the Troj/DwnLdr-ICI, Win32.Genome.aodo Trojan removal tool provided by VirusExperts.org from Here.
%Temp%\cvasds1.dll
%Temp%\cvasds2.dll
Related posts:
- Removal tool for Win32.Genome.aocx (outlook.exe, brazilian.exe, sysinternals.exe) Trojan-Downloader
- Removal tool for Mal/FakeAV-CO, Downloader-CEW (Vvavia.exe, Vdl.exe, Vdk.exe, Vdj.exe) Malware
- Removal tool for Sus/Delf-J, Trojan.Heur.GZ.kGX@bKStsDeG (Foto_253.com, javahr.exe, javahr2.exe, javahu.exe) Trojan
- Removal tool for Oficla.H!dll, Win32.Fregee.av (reader_s.exe, file1.exe) Trojan
- Removal tool for Mal/FakeAV-BW, Generic FakeAlert!hr, Packed.Win32.Krap.an (winupdate.exe, exec.exe, ppal.exe, MSe5ad.exe) Malware