ZNHUI.EXE – Trojan Delphi removal

ZNHUI.EXE size: 513613 bytes
ZNHUI.EXE hash: 3F65AC539DA6FAD84B7065096A5B7B26

Created files:

C:\BFFB.EXE
C:\Documents and Settings\AJGY.EXE
C:\Documents and Settings\NRTNR.EXE
C:\Documents and Settings\STRY.EXE
C:\filedebug
%Program Files%\RXSVQ.EXE
%Program Files%\ZNHUI.EXE
C:\System Volume Information\XALJKBY.EXE
C:\TLP.EXE
C:\TPQ.EXE

Autostart registry keys:

HKLM\Software\Classes\txtfile\shell\open\command : C:\Sandbox\HSWZDL.EXE %1
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XZKLLED.EXE: C:\Documents and Settings\NRTNR.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RBN.EXE: C:\..\RBN.EXE
HKLM\System\CurrentControlSet\Services\SXM.EXE\Type: 10010000
HKLM\System\CurrentControlSet\Services\SXM.EXE\Start: 02000000
HKLM\System\CurrentControlSet\Services\SXM.EXE\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\SXM.EXE\DisplayName: SXM.EXE
HKLM\System\CurrentControlSet\Services\SXM.EXE\ImagePath: C:\.\SXM.EXE
HKLM\System\CurrentControlSet\Services\TLP.EXE\Type: 10010000
HKLM\System\CurrentControlSet\Services\TLP.EXE\Start: 02000000
HKLM\System\CurrentControlSet\Services\TLP.EXE\ErrorControl: 01000000
HKLM\System\CurrentControlSet\Services\TLP.EXE\DisplayName: TLP.EXE
HKLM\System\CurrentControlSet\Services\TLP.EXE\ImagePath: C:\.\TLP.EXE

Detected by UnHackMe:

ZNHUI.EXE
Default location: %PROGRAM FILES%\ZNHUI.EXE

Dropper information:
MD5: d643783180507d96336abf90f1d1c250
File size: 513115 bytes