PM9.EXE – Backdoor Poison


PM9.EXE – Backdoor Poison removal

| File | MD5 | Virus Alias |
|---|---|---|
| PM9.EXE | dd4ce363f7e8b9558be0af583b77791f | Backdoor Poison |
| PM9.EXE | dd4ce363f7e8b9558be0af583b77791f | Trojan SuspiciousFile |

PM9.EXE size: 560128 bytes
PM9.EXE hash: DD4CE363F7E8B9558BE0AF583B77791F

Created files:

%Program Files%\VSpro\Helper64.exe
%Program Files%\VSpro\msstdfmt.dll
%Program Files%\VSpro\msvcp100.dll
%Program Files%\VSpro\msvcp100d.dll
%Program Files%\VSpro\msvcr100.dll
%Program Files%\VSpro\msvcr100d.dll
%Program Files%\VSpro\NovinSoft.exe
%Program Files%\VSpro\p
%Program Files%\VSpro\PM9.exe
%Program Files%\VSpro\Profiles\Default.ppx
%Program Files%\VSpro\Proxifier.exe
%Program Files%\VSpro\ProxyChecker.exe
%Program Files%\VSpro\PrxDrvPE.dll
%Program Files%\VSpro\PrxDrvPE64.dll
%Program Files%\VSpro\Settings.dll
%Program Files%\VSpro\tunnelplus.dll
%Program Files%\VSpro\vsproplus\4758cca.dll
%Program Files%\VSpro\vsproplus\aep.dll
%Program Files%\VSpro\vsproplus\atalla.dll
%Program Files%\VSpro\vsproplus\capi.dll
%Program Files%\VSpro\vsproplus\chil.dll
%Program Files%\VSpro\vsproplus\cswift.dll
%Program Files%\VSpro\vsproplus\gmp.dll
%Program Files%\VSpro\vsproplus\gost.dll
%Program Files%\VSpro\vsproplus\libeay32.dll
%Program Files%\VSpro\vsproplus\msvcr90.dll
%Program Files%\VSpro\vsproplus\nuron.dll
%Program Files%\VSpro\vsproplus\padlock.dll
%Program Files%\VSpro\vsproplus\ssleay32.dll
%Program Files%\VSpro\vsproplus\sureware.dll
%Program Files%\VSpro\vsproplus\ubsec.dll
%Program Files%\VSpro\vsproplus\vsproplus.exe
%Program Files%\VSpro\vsproplus\zlib1.dll
%Program Files%\VSpro\xmllite.dll
%SysDir%\msstdfmt.dll
%SysDir%\msvcp100.dll
%SysDir%\msvcp100d.dll
%SysDir%\msvcr100.dll
%SysDir%\msvcr100d.dll
%TEMP%\aiw2201295.EXE
%WinDir%\VSpro Uninstaller.exe

Autostart registry keys:

HKLM\System\CurrentControlSet\Services\RasMan\Parameters\ProhibitIpSec: 01000000

Detected by UnHackMe:

PM9.EXE
Default location: %PROGRAM FILES%\VSPRO\PM9.EXE

Dropper information:
MD5: 48ac4f53a4963739b40de4e2fde3ee63
File size: 7710048 bytes
