MAY BE SMANSA WAS WONDERFUL PLACE TO US.SCR – Backdoor RBot removal

MAY BE SMANSA WAS WONDERFUL PLACE TO US.SCR size: 81633 bytes
MAY BE SMANSA WAS WONDERFUL PLACE TO US.SCR hash: B3AF9233527A309D0F2DA1D2DFFBA9C0

Created files:

C:\Penylethylamine.scr
%Program Files Common%\Aliciana.Alisa
%Program Files Common%\Emira.Emma
%Program Files%\Irma Triana.scr
%Program Files%\I_Miss_U_MyPrincess.scr
%Program Files%\May be Smansa was wonderful place to us.scr
%Program Files%\Your_Prince_Will_Be_Waiting_For_You.scr
C:\Renova.htt
%WinDir%\services.exe
%SysDir%\3IPA2.SMANSA.PKP.exe
C:\Xenova.scr
%AppData%\Mr_CF\Renova_Join_Mr_CoolFace.htt
%Desktop%\Message For My Princess.scr

Autostart registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Alumni_Smoensa_Pangkalpinang: Mr_CoolFaceDid You Miss Me… My PrincessThe Prince is Asking a QuestionIrma Trianainf4D2.tmp
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\My_Old_Class: 3IPA2.SMANSA.PKP.exeAlumni_Smoensa_Pangkalpinang\3IPA2.SMANSA.PKP.exeWindowsSecurityServ
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurityService: %WinDir%\services.exe2.SMANSA.PKP.exe2dffba9c0.EXE|X- |l?p????U???
HKCU\Control Panel\Desktop\SCRNSAVE.EXE: MR_COO~1.SCR

Detected by UnHackMe:

MAY BE SMANSA WAS WONDERFUL PLACE TO US.SCR
Default location: %PROGRAM FILES%\MAY BE SMANSA WAS WONDERFUL PLACE TO US.SCR

Dropper information:
MD5: b3af9233527a309d0f2da1d2dffba9c0
File size: 81633 bytes