Backdoor.Win32.PcClient_561e1a8d76

by malwarelabrobot on October 3rd, 2013 in Malware Descriptions.

Susp_Dropper (Kaspersky), Trojan.Agent3!IK (Emsisoft), Backdoor.Win32.PcClient.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 561e1a8d7650f5dbe7b0ac5215a8429d
SHA1: 7987cc1c0fdd7dde66ba24fd07476c8892ae618b
SHA256: ac5ad2d158450b9d8f4500592effa151bf213a97de44ef1d203d4dbe503412d8
SSDeep: 24576:5wkTlvhSYtv4/037vbmv/eN/j7e/FeiPh/MMnMMMMM4NqsdHAEGYf:5phSYtjbbfVf4eiPh/MMnMMMMMyqW3f
Size: 914944 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-04-21 00:07:24


Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

9fe65d0f.exe:120
b3626cf5.exe:1700
2e777248.exe:1096
561e1a8d7650f5dbe7b0ac5215a8429d.exe:516
rundll32.exe:1656
20018060.exe:1344

The Backdoor injects its code into the following process(es):

spoolsv.exe:1436
rundll32.exe:492
ukfaLIXCpkTKHl.exe:240

File activity

The process 9fe65d0f.exe:120 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\ukfaLIXCpkTKHl.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q3SV8RA7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D8R47TVO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4VGDJ1T9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L630S0M\desktop.ini (67 bytes)

The process 2e777248.exe:1096 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)

The process 561e1a8d7650f5dbe7b0ac5215a8429d.exe:516 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\20018060.exe (12350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9fe65d0f.exe (42433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b3626cf5.exe (2205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2e777248.exe (15283 bytes)

The process spoolsv.exe:1436 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\Temp\3.tmp (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (4 bytes)

The Backdoor deletes the following file(s):

%WinDir%\Temp\3.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)

The process 20018060.exe:1344 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\ifidfox.dll (114 bytes)

Registry activity

The process 9fe65d0f.exe:120 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp, , \??\%WinDir%\TEMP\5.tmp, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\tmp6.tmp,"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data]
"ukfaLIXCpkTKHl.exe" = "WTR Loader"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures" = "no"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 D7 E0 49 C5 74 F1 C5 96 FD CF 9E 04 AC 6B E9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes" = "/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ukfaLIXCpkTKHl" = "%Documents and Settings%\All Users\Application Data\ukfaLIXCpkTKHl.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The Backdoor deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process b3626cf5.exe:1700 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C D9 1F 4B 5B E6 C0 FF 6A 75 34 D8 03 94 B6 78"

The process 2e777248.exe:1096 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 49 48 DF 21 F1 53 F3 E7 30 52 AF D2 39 B2 F8"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp,"

The process 561e1a8d7650f5dbe7b0ac5215a8429d.exe:516 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 B7 89 79 70 0C 5A 3E DB BF C7 6A 8C 3B D0 42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"9fe65d0f.exe" = "WTR Loader"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"2e777248.exe" = "2e777248"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"20018060.exe" = "Voxware MetaSound Audio Decoder"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"b3626cf5.exe" = "b3626cf5"

The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process spoolsv.exe:1436 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\System\CurrentControlSet\Control\Print\Providers\4195731056]
"Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\2.tmp"

[HKLM\System\CurrentControlSet\Services\682bda70]
"type" = "1"

[HKLM\System\CurrentControlSet\Control\Print\Providers]
"Order" = "LanMan Print Services, Internet Print Provider, 4195731056"

[HKLM\System\CurrentControlSet\Services\682bda70]
"imagepath" = "\??\%WinDir%\TEMP\3.tmp"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp, , \??\%WinDir%\TEMP\5.tmp,"

The Backdoor deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Control\Print\Providers\4195731056]
[HKLM\System\CurrentControlSet\Services\682bda70\Enum]
[HKLM\System\CurrentControlSet\Services\682bda70]

The process rundll32.exe:1656 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 94 9B B8 61 EF EB E7 AD 44 0C 38 71 29 86 E8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"

The process rundll32.exe:492 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 2D 6E C2 A2 D2 6E 33 2D D7 13 99 CD A3 FB 83"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "186"

To run itself automatically each time Windows boots, the Backdoor adds the following reference to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\ifidfox.dll,Startup"

The process 20018060.exe:1344 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 D3 06 2B 4C 32 3F 11 B2 8B 29 CE 8C 53 FB 8C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Ydapup" = "39 01 35 03 33 05 47 07 4B 09 38 0B 3B 0D 48 0F"

The process ukfaLIXCpkTKHl.exe:240 makes changes in the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE A8 21 A3 07 DA E7 B1 28 94 10 59 53 66 A6 69"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

Network activity (URLs)

URL IP
hxxp://000207dd102c.voonder.net/get2.php?c=HUXKCMMH&d=26606B6739343F343F2F676268307D3F2220232320242F3177757E4469747A2219151A4210121F150E5C434F1114191871720004720373060E0D0A0E0B040A7A70047001710077040B0C0B7F0F6B2C263E27372169646E617E31333F616F3B3D5404555A5143070305545B4D031E180A024C472C455329031B12474B4C4D4E49B4B4B2B7B2A3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919D88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F7F5F5F4FAF0F3FAFAEB8B8082 69.43.161.167
hxxp://ww2.000207dd102c.voonder.net/get2.php?c=HUXKCMMH&d=26606B6739343F343F2F676268307D3F2220232320242F3177757E4469747A2219151A4210121F150E5C434F1114191871720004720373060E0D0A0E0B040A7A70047001710077040B0C0B7F0F6B2C263E27372169646E617E31333F616F3B3D5404555A5143070305545B4D031E180A024C472C455329031B12474B4C4D4E49B4B4B2B7B2A3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AFB9C3CDCCD7FBC09B978EDE9C9F919D88C98D8094C1898490D4D6DDD6869AD4DADEB4A4FFF2F7F5F5F4FAF0F3FAFAEB8B8082 208.73.211.29
findadvertisem.org Unresolvable
searchmodern.org Unresolvable


Rootkit activity

Using the driver "UNKNOWN", the Backdoor controls the loading of executable images into memory by installing a load-image notify routine.

The Backdoor intercepts DriverStartIO in the miniport driver of the hard drive controller (ATAPI) to handle requests to its own files:

StartIo

Propagation


Remove it with Ad-Aware

  1. Click here to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    9fe65d0f.exe:120
    b3626cf5.exe:1700
    2e777248.exe:1096
    561e1a8d7650f5dbe7b0ac5215a8429d.exe:516
    rundll32.exe:1656
    20018060.exe:1344

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\All Users\Application Data\ukfaLIXCpkTKHl.exe (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q3SV8RA7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\D8R47TVO\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4VGDJ1T9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5L630S0M\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\20018060.exe (12350 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\9fe65d0f.exe (42433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\b3626cf5.exe (2205 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2e777248.exe (15283 bytes)
    %WinDir%\Temp\3.tmp (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (4 bytes)
    %WinDir%\ifidfox.dll (114 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "ukfaLIXCpkTKHl" = "%Documents and Settings%\All Users\Application Data\ukfaLIXCpkTKHl.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Ihoragiqinicim" = "rundll32.exe %WinDir%\ifidfox.dll,Startup"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.