How to Prevent and Remove the Trojan-Downloader.Win32.Small.kva
| # | Filename(s) | File Size |
| 1 | c:\agtyjkj.bat | 114 bytes |
| 2 | %Profiles%\LocalService\Application Data\abpzlw.dat | 24 bytes |
| 3 | %AppData%\avdrn.dat | 4 bytes |
| 4 | %AppData%\svchost.exe | 183,296 bytes |
| 5 | %Temp%\24.tmp | 983,552 bytes |
| 6 | %Programs%\Startup\maswtjoy.exe; %ProgramFiles%\afvdsqre�kc��maswtjoy.exe\maswtjoy.exe | 67,464 bytes |
| 7 | %Programs%\Startup\sishzm32.exe | 30,208 bytes |
| 8 | c:\hotfix.exe | 581,632 bytes |
| 9 | %ProgramFiles%\Internet Explorer\dmlconf.dat | 16 bytes |
| 10 | %System%\qtplugin.exe | 565,248 bytes |
| 11 | %System%\wbem\Performance\WmiApRpl_new.ini | 924 bytes |
| 12 | %Windir%\Tasks\At1.job | 364 bytes |
| 13 | %Windir%\Temp\18.tmp | 0 bytes |
| 14 | %Windir%\Temp\1B.tmp | 64,000 bytes |
- Notes:
- %Profiles% is a variable that refers to the file system directory containing user profile folders. A typical path is C:\Documents and Settings.
- %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
- %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
- %Programs% is a variable that refers to the file system directory that contains the user's program groups. A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.
- %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
The following directory was created:
- %ProgramFiles%\afvdsqre�kc��maswtjoy.exe
b. Registry Modifications
The following Registry Keys were created:
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
- HKEY_CURRENT_USER\Software\UPD
The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- RegistryMonitor1 = "%System%\qtplugin.exe"
so that qtplugin.exe runs every time Windows starts
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
- RegistryMonitor2 = "37453768"
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
- svchost.exe = 0x000022B8
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international]
- acceptlanguage = "en-us"
- [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- maxhttpredirects = 0x000022B8
- enablehttp1_1 = 0x00000001
- ProxyEnable = 0x00000000
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
- WarnOnPost = 0x00000000
- WarnOnZoneCrossing = 0x00000000
- WarnOnPostRedirect = 0x00000000
- WarnonBadCertRecving = 0x00000000
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- svchost = "%AppData%\svchost.exe"
so that svchost.exe runs every time Windows starts
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
- Shell = "%AppData%\hotfix.exe"
so that hotfix.exe is started as the user's logon shell, in place of explorer.exe, every time the user logs on
- [HKEY_CURRENT_USER\Software\UPD]
- CHK = "D41D8CD98F00B204E9800998ECF8427E" (the MD5 of empty input)
c. Other details
Attempts to establish connections to the following remote hosts were recorded:
| Remote Host | Port Number |
| 74.125.227.16 | 80 |
| 91.217.162.174 | 80 |
| 91.217.249.50 | 80 |
| 91.220.62.30 | 443 |
The following URLs were then requested from those web servers:
- http://www.google.com/pack/download/Google_Updater?hl=ru&srchcb=on&forcesrch=on&hpdisp=on&hpcb=on&stub=on&ciNum=0&file=Google_Updater.exe
- http://topreerpot.com/inst.php?id=abs_18
- http://cn89212.com/stats/controller.php?action=bot&entity_list=&first=1&rnd=981633&uid=1&guid=1878910501
- http://cn89212.com/aaas/script.php?type=0&email=&hwinfo={8eca90c0-39b7-11db-855f-806d6172696f}
- http://cn89212.com/stats/controller.php?action=report&uid=1&guid=1878910501&rnd=123&entity=1291296066:unique_start;1291296236:unique_start;1291296324:unique_start;1291296453:unique_start;1291296586:unique_start;1291296654:unique_start
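The indicators above translate directly into a network hunt. The PowerShell below is an added example, not code from the original page or from Sax2: it checks web-proxy log lines against the hosts, server addresses and URL shapes listed in this section. The log line format, the sample lines and the regex pattern list are constructed for the example. The Google address and host are deliberately left out of the match list, because that request fetches a legitimate installer and would only produce noise on its own.

```powershell
# Added example, not code from the original page or from Sax2.
# Match web-proxy log lines against the network indicators listed above.

# Hosts and server addresses taken from the page. 74.125.227.16 / www.google.com
# (the Google Updater download) are omitted: legitimate traffic, noisy on its own.
$BeaconHosts = @('topreerpot.com', 'cn89212.com')
$BeaconAddrs = @('91.217.162.174', '91.217.249.50', '91.220.62.30')

# URL shapes distilled from the requests listed above (regexes matched against
# path + query, so a changed host name still fires).
$BeaconUrlPatterns = @(
    '^/inst\.php\?id=abs_',
    '^/stats/controller\.php\?action=(bot|report)&',
    '^/aaas/script\.php\?type=\d+&email='
)

function Find-SmallKvaBeacon {
    param([string[]]$LogLines)
    $hits = @()
    foreach ($line in $LogLines) {
        # Constructed log format: "<timestamp> <client-ip> <server-ip>:<port> <method> <url>"
        if ($line -notmatch '^(\S+)\s+(\S+)\s+([\d.]+):(\d+)\s+(\S+)\s+(\S+)$') { continue }
        $m = $Matches          # keep this match; later -match calls replace $Matches
        $time = $m[1]; $client = $m[2]; $server = $m[3]; $port = $m[4]; $method = $m[5]; $url = $m[6]

        $reasons = @()
        if ($BeaconAddrs -contains $server) { $reasons += "server ${server}:${port}" }

        # CONNECT lines carry "host:port" rather than a URL; only parse real URLs.
        $uri = $null
        if ([uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            if ($BeaconHosts -contains $uri.Host) { $reasons += "host $($uri.Host)" }
            foreach ($pat in $BeaconUrlPatterns) {
                if ($uri.PathAndQuery -match $pat) { $reasons += "url pattern $pat"; break }
            }
        }

        if ($reasons.Count -gt 0) {
            $hits += New-Object PSObject -Property @{
                Time = $time; Client = $client; Server = $server; Method = $method
                Reason = ($reasons -join '; ')
            }
        }
    }
    return $hits
}

# Constructed sample lines (not from the page); the last one is benign and must not match.
$SampleLog = @(
    '2010-12-02T14:01:06Z 10.0.0.12 91.217.162.174:80 GET http://topreerpot.com/inst.php?id=abs_18',
    '2010-12-02T14:01:09Z 10.0.0.12 91.217.249.50:80 GET http://cn89212.com/stats/controller.php?action=bot&entity_list=&first=1&rnd=981633&uid=1&guid=1878910501',
    '2010-12-02T14:01:10Z 10.0.0.12 91.220.62.30:443 CONNECT 91.220.62.30:443',
    '2010-12-02T14:02:41Z 10.0.0.37 93.184.216.34:80 GET http://www.example.com/index.html'
)
Find-SmallKvaBeacon $SampleLog | Format-Table Time, Client, Server, Method, Reason -AutoSize
```

The server-address check runs before URL parsing on purpose: the 443 connection to 91.220.62.30 shows up in a proxy log as a CONNECT with no URL, so it can only be caught by address. Matching the URL shapes on path and query rather than on the full URL keeps the rule useful if the downloader is re-pointed at a new host.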
3. How-to's
a. How to prevent Trojan-Downloader.Win32.Small.kva?
Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans it breaks the connection, protecting your network and business. The hosts and URLs listed above under Other details can also be blocked at a web proxy or firewall.
b. How to Remove the Trojan-Downloader.Win32.Small.kva Manually?
Step 1: Use Windows Task Manager to end the Trojan-Downloader.Win32.Small.kva processes
qtplugin.exe
hotfix.exe
Also end the svchost.exe instance that runs from %AppData% (the copy the Run value points to). The genuine svchost.exe lives in %System%, so check the image path before ending a svchost.exe process.
Step 2: Use Registry Editor to remove the Trojan-Downloader.Win32.Small.kva registry values
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international
HKEY_CURRENT_USER\Software\UPD
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
RegistryMonitor1 = "%System%\qtplugin.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
RegistryMonitor2 = "37453768"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION]
svchost.exe = 0x000022B8
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\international]
acceptlanguage = "en-us"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
maxhttpredirects = 0x000022B8
enablehttp1_1 = 0x00000001
ProxyEnable = 0x00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
WarnOnPost = 0x00000000
WarnOnZoneCrossing = 0x00000000
WarnOnPostRedirect = 0x00000000
WarnonBadCertRecving = 0x00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
svchost = "%AppData%\svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Shell = "%AppData%\hotfix.exe"
[HKEY_CURRENT_USER\Software\UPD]
CHK = "D41D8CD98F00B204E9800998ECF8427E"
Step 3: Detect and delete the other Trojan-Downloader.Win32.Small.kva files
c:\agtyjkj.bat
%Profiles%\LocalService\Application Data\abpzlw.dat
%AppData%\avdrn.dat
%AppData%\svchost.exe
%Temp%\24.tmp
%Programs%\Startup\maswtjoy.exe
%ProgramFiles%\afvdsqre�kc��maswtjoy.exe\maswtjoy.exe
%Programs%\Startup\sishzm32.exe
c:\hotfix.exe
%ProgramFiles%\Internet Explorer\dmlconf.dat
%System%\qtplugin.exe
%System%\wbem\Performance\WmiApRpl_new.ini
%Windir%\Tasks\At1.job
%Windir%\Temp\18.tmp
%Windir%\Temp\1B.tmp
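The three steps above can be scripted. The PowerShell below is an added example, not code from the original page or from Sax2: it expands the page's %Variable% paths with the mapping given in the notes under the file list, stops the running components by full image path, removes the registry values and the trojan's own key from Step 2, and deletes the files from Step 3. Run it from an elevated PowerShell prompt on the infected machine, first with -WhatIf to see what it would touch. Two assumptions are mine: %AppData%\hotfix.exe is checked as a file because the Winlogon Shell value points there while the file list says c:\hotfix.exe, and the %ProgramFiles% directory whose name the page renders with unprintable characters is located by its readable prefix afvdsqre.

```powershell
# Added example, not code from the original page or from Sax2. Scripts the
# manual removal steps above; run from an elevated PowerShell, with -WhatIf first.

# Mapping of the page's path variables, following the notes under the file list.
$PathVars = @{
    '%Profiles%'     = Split-Path -Parent $env:USERPROFILE   # C:\Documents and Settings on XP;
                                                            # on Vista+ LocalService lives under %windir%\ServiceProfiles
    '%AppData%'      = $env:APPDATA
    '%Temp%'         = $env:TEMP
    '%Programs%'     = [Environment]::GetFolderPath('Programs')
    '%ProgramFiles%' = $env:ProgramFiles
    '%System%'       = [Environment]::SystemDirectory
    '%Windir%'       = $env:windir
}
function Expand-PagePath([string]$Path) {
    foreach ($name in $PathVars.Keys) { $Path = $Path.Replace($name, $PathVars[$name]) }
    return $Path
}

# Files from Step 3. %AppData%\hotfix.exe is an assumption: the Winlogon Shell value
# points there while the file list says c:\hotfix.exe, so both are checked.
# At1.job is the scheduled task; deleting the file removes it ("at 1 /delete" does the same).
$Files = @(
    'c:\agtyjkj.bat', 'c:\hotfix.exe',
    '%Profiles%\LocalService\Application Data\abpzlw.dat',
    '%AppData%\avdrn.dat', '%AppData%\svchost.exe', '%AppData%\hotfix.exe',
    '%Temp%\24.tmp',
    '%Programs%\Startup\maswtjoy.exe', '%Programs%\Startup\sishzm32.exe',
    '%ProgramFiles%\Internet Explorer\dmlconf.dat',
    '%System%\qtplugin.exe', '%System%\wbem\Performance\WmiApRpl_new.ini',
    '%Windir%\Tasks\At1.job', '%Windir%\Temp\18.tmp', '%Windir%\Temp\1B.tmp'
) | ForEach-Object { Expand-PagePath $_ }

# Registry values from Step 2. HKEY_USERS has no drive by default, hence Registry::.
$HKU = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft'
$IS  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$RegValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';   Name = 'RegistryMonitor1' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'; Name = 'RegistryMonitor2' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';   Name = 'svchost' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Key = "$HKU\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION"; Name = 'svchost.exe' },
    @{ Key = "$HKU\Internet Explorer\international"; Name = 'acceptlanguage' },
    @{ Key = "$HKU\Windows\CurrentVersion\Internet Settings"; Name = 'maxhttpredirects' },
    @{ Key = "$HKU\Windows\CurrentVersion\Internet Settings"; Name = 'enablehttp1_1' },
    @{ Key = "$HKU\Windows\CurrentVersion\Internet Settings"; Name = 'ProxyEnable' },
    @{ Key = "HKCU:\$IS"; Name = 'WarnOnPost' },
    @{ Key = "HKCU:\$IS"; Name = 'WarnOnZoneCrossing' },
    @{ Key = "HKCU:\$IS"; Name = 'WarnOnPostRedirect' },
    @{ Key = "HKCU:\$IS"; Name = 'WarnonBadCertRecving' }
)

function Remove-SmallKva {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Step 1: stop running components. Match on the full image path so the genuine
    # %System%\svchost.exe is never touched, only the copy under %AppData%.
    $exePaths = $Files | Where-Object { $_ -like '*.exe' }
    foreach ($p in (Get-Process | Where-Object { $_.Path -and ($exePaths -contains $_.Path) })) {
        if ($PSCmdlet.ShouldProcess("$($p.Path) (PID $($p.Id))", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    # Step 2: registry values, then the trojan's own key. The emptied IE keys are left in place.
    foreach ($v in $RegValues) {
        if ((Test-Path $v.Key) -and (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue) -and
            $PSCmdlet.ShouldProcess("$($v.Key) -> $($v.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $v.Key -Name $v.Name
        }
    }
    if ((Test-Path 'HKCU:\Software\UPD') -and $PSCmdlet.ShouldProcess('HKCU:\Software\UPD', 'Remove-Item -Recurse')) {
        Remove-Item -Path 'HKCU:\Software\UPD' -Recurse
    }
    # Deleting the per-user Shell value makes Winlogon fall back to the machine-wide
    # one; make sure that still names explorer.exe before rebooting.
    $shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
    if ($shell -ne 'explorer.exe') { Write-Warning "HKLM Winlogon Shell is '$shell', expected explorer.exe" }

    # Step 3: files. -LiteralPath so nothing in a name is treated as a wildcard.
    foreach ($f in $Files) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Remove-Item')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
    # The %ProgramFiles% directory whose name the page shows with unprintable
    # characters: located by its readable prefix (assumption) and removed whole.
    $dirs = Get-ChildItem -LiteralPath $env:ProgramFiles -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'afvdsqre*' }
    foreach ($d in $dirs) {
        if ($PSCmdlet.ShouldProcess($d.FullName, 'Remove-Item -Recurse')) {
            Remove-Item -LiteralPath $d.FullName -Recurse -Force
        }
    }
}

Remove-SmallKva -WhatIf   # dry run; rerun without -WhatIf, then reboot and run again to confirm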
c. How to Remove these trojans Instantly?
Manual removal is a difficult process and is not recommended unless you are an expert in this field. Your best defense is therefore to download and install a reliable anti-malware program and scan your machine with it. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm to download Malwarebytes' Anti-Malware.
4. Appendix
For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm