Trojan Risk: icthis.exe Behavior Analysis

By gunnalagDesktop

Windows Prompts:

clip_image001

clip_image001[5]

 

Processes:

Running as administrator:

rmsink.exe, rundll32.exe(#2), googletalk.exe, DVDLAu~1.exe, dmremote.exe, cvpnd.exe, CnxDslTb.exe, Apoint.exe, ApntEx.exe, ISUSPM.exe

Local service: scardsvr.exe, wdfmgr.exe

 

Registry Keys Modified:

New Run keys:

HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun

+ C:Program FilesVideo Add-onicthis.exe

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun

+ C:Program FilesApointApoint.exe

HKCUSoftwareMicrosoftWindowsCurrentVersionRun

+ "C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe" –scheduler

 

Machine Level Run Keys:

C:>reg query HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun /s

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

Apoint REG_SZ C:Program FilesApointApoint.exe

DellTouch REG_SZ C:WINNTMMKeybd.exe

BluetoothAuthenticationAgent REG_SZ rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

ccApp REG_SZ "C:Program FilesCommon FilesSymantec SharedccApp.exe"

vptray REG_SZ C:PROGRA~1SYMANT~1VPTray.exe

QuickTime Task REG_SZ "C:PROGRA~1QUICKT~1qttask.exe" -atboottime

CnxDslTaskBar REG_SZ "C:Program FilesBIPAC-7000 ADSL USB ModemCnxDslTb.exe"

SigmatelSysTrayApp REG_SZ stsystra.exe

NvCplDaemon REG_SZ RUNDLL32.EXE C:WINNTsystem32NvCpl.dll,NvStartup

nwiz REG_SZ nwiz.exe /installquiet

NVHotkey REG_SZ rundll32.exe nvHotkey.dll,Start

NvMediaCenter REG_SZ RUNDLL32.EXE C:WINNTsystem32NvMcTray.dll,NvTaskbarInit

DVDLauncher REG_SZ "C:PROGRA~1CYBERL~1PowerDVDDVDLAU~1.EXE"

googletalk REG_SZ C:Program FilesGoogleGoogle Talkgoogletalk.exe /autostart

TkBellExe REG_SZ "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot

Adobe Reader Speed Launcher REG_SZ "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOptionalComponents

<NO NAME> REG_SZ

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOptionalComponentsIMAIL

Installed REG_SZ 1

<NO NAME> REG_SZ

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOptionalComponentsMAPI

Installed REG_SZ 1

NoChange REG_SZ 1

<NO NAME> REG_SZ

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOptionalComponentsMSFS

Installed REG_SZ 1

<NO NAME> REG_SZ

C:>

 

Windows User Logon Run Keys:

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserinit

+ C:WINNTsystem32userinit.exe

HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell

+ Explorer.exe

HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemShell

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnce

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunOnceEx

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun

+ C:Program FilesApointApoint.exe

+ C:WINNTMMKeybd.exe

+ rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

+ "C:Program FilesCommon FilesSymantec SharedccApp.exe"

+ C:PROGRA~1SYMANT~1VPTray.exe

+ "C:PROGRA~1QUICKT~1qttask.exe" -atboottime

+ "C:Program FilesBIPAC-7000 ADSL USB ModemCnxDslTb.exe"

+ "C:PROGRA~1CYBERL~1PowerDVDDVDLAU~1.EXE"

+ C:Program FilesGoogleGoogle Talkgoogletalk.exe /autostart

+ "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"

 

User Specific Run Key:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun

+ C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe

+ C:WINNTsystem32ctfmon.exe

+ "C:Program FilesCommon FilesInstallShieldUpdateServiceISUSPM.exe" -scheduler

 

Machine Services Run keys:

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunServices

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunServicesOnce

HKCUSoftwareMicrosoftWindowsCurrentVersionRunServices

HKCUSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce

 

Windows Startup programs:

C:Documents and SettingsAll UsersStart MenuProgramsStartup

+ Cadessa Helper.lnk -> C:Program FilesCadessaCadessaHelpercahelper.exe

+ Cisco Security Agent.lnk -> C:Program FilesCisco SystemsCSAgentbinokclient.exe

+ Local Logon Script.lnk -> C:Program Filesetclogon-local.bat

C:Documents and SettingsAdministratorStart MenuProgramsStartup

 

Delayed Shell Load Keys:

HKLMSOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad

+ PostBootReminder -> C:WINNTsystem32shell32.dll

+ CDBurn -> C:WINNTsystem32shell32.dll

+ WebCheck -> C:WINNTsystem32webcheck.dll

+ SysTray -> C:WINNTsystem32stobject.dll

HKCUSoftwareMicrosoftWindows NTCurrentVersionWindowsRun

HKCUSoftwareMicrosoftWindows NTCurrentVersionWindowsLoad

HKCUSoftwarePoliciesMicrosoftWindowsSystemScripts

HKLMSoftwarePoliciesMicrosoftWindowsSystemScripts

HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun

HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun

+ C:Program FilesVideo Add-onicthis.exe

HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnce

HKCUSoftwareMicrosoftWindowsCurrentVersionRunOnceEx

C:WINNTwin.ini

<

p>Task Scheduler

By gunnalag

You might also like:

Procedure to extend Windows System Partition with non-adjacent or non-contiguous unallocated Free space

FIX: Arrow Keys Navigation does NOT work in Excel

Fix: Microsoft Office Icons Missing or Replaced with Generic white icons

Leave a Reply

Your email address will not be published. Required fields are marked *