NS.EXE – Trojan Delf


NS.EXE – Trojan Delf removal

File     MD5                               Virus Alias
NS.EXE   8be01ed4466e3c1e9ccf0d49e50607b9  Trojan Delf
NS.EXE   8be01ed4466e3c1e9ccf0d49e50607b9  Trojan Agent

NS.EXE size: 4269837 bytes
NS.EXE hash: 8BE01ED4466E3C1E9CCF0D49E50607B9

Created files:

%TEMP%\IXP000.TMP\ns.exe
%TEMP%\RarSFX0\0001\shell.dos
%TEMP%\RarSFX0\12500852.ssp
%TEMP%\RarSFX0\BDE\bantam.dll
%TEMP%\RarSFX0\BDE\blw32.dll
%TEMP%\RarSFX0\BDE\ceeurope.btl
%TEMP%\RarSFX0\BDE\charset.cvb
%TEMP%\RarSFX0\BDE\europe.btl
%TEMP%\RarSFX0\BDE\idapi32.dll
%TEMP%\RarSFX0\BDE\idapinst.dll
%TEMP%\RarSFX0\BDE\idasci32.dll
%TEMP%\RarSFX0\BDE\iddbas32.dll
%TEMP%\RarSFX0\BDE\iddr32.dll
%TEMP%\RarSFX0\BDE\idr20009.dll
%TEMP%\RarSFX0\BDE\other.btl
%TEMP%\RarSFX0\BDE\usa.btl
%TEMP%\RarSFX0\hl.dll.cpt
%TEMP%\RarSFX0\IJL15.DLL
%TEMP%\RarSFX0\isnf2.dll
%TEMP%\RarSFX0\nspl.dll.cpt
%TEMP%\RarSFX0\options.bak
%TEMP%\RarSFX0\shr.dll
%TEMP%\RarSFX0\SpyConsoleSetup.exe
%TEMP%\RarSFX0\wpcap\4.0\npf.sys
%TEMP%\RarSFX0\wpcap\4.0\npptools.dll
%TEMP%\RarSFX0\wpcap\4.0\Packet.dll
%TEMP%\RarSFX0\wpcap\4.0\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\4.0\WanPacket.dll
%TEMP%\RarSFX0\wpcap\4.0\wpcap.dll
%TEMP%\RarSFX0\wpcap\4.1\npf.sys
%TEMP%\RarSFX0\wpcap\4.1\npptools.dll
%TEMP%\RarSFX0\wpcap\4.1\Packet.dll
%TEMP%\RarSFX0\wpcap\4.1\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\4.1\WanPacket.dll
%TEMP%\RarSFX0\wpcap\4.1\WinPcap_4_1_2.exe
%TEMP%\RarSFX0\wpcap\4.1\wpcap.dll
%TEMP%\RarSFX0\wpcap\npf.sys
%TEMP%\RarSFX0\wpcap\npptools.dll
%TEMP%\RarSFX0\wpcap\Packet.dll
%TEMP%\RarSFX0\wpcap\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\vista\npptools.dll
%TEMP%\RarSFX0\wpcap\vista\Packet.dll
%TEMP%\RarSFX0\wpcap\vista\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\vista\wpcap.dll
%TEMP%\RarSFX0\wpcap\WanPacket.dll
%TEMP%\RarSFX0\wpcap\wpcap.dll
%TEMP%\RarSFX0\wpcap\x64\npf.sys

Autostart registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0: rundll32.exe %WinDir%\System32\advpack.dll,DelNodeRunDLL32 "%TEMP%\IXP000.TMP\"

Detected by UnHackMe:

NS.EXE
Default location: %TEMP%\IXP000.TMP\NS.EXE

Dropper information:
MD5: 1ba4a741245f68d14691bfecf37280d0
File size: 4065280 bytes
