SHR.DLL – Trojan Agent removal

SHR.DLL size: 43008 bytes
SHR.DLL hash: FA88691492828B745E2324A7042D2B52

Created files:

%TEMP%\IXP000.TMP\ns.exe
%TEMP%\RarSFX0\0001\shell.dos
%TEMP%\RarSFX0\12500852.ssp
%TEMP%\RarSFX0\BDE\bantam.dll
%TEMP%\RarSFX0\BDE\blw32.dll
%TEMP%\RarSFX0\BDE\ceeurope.btl
%TEMP%\RarSFX0\BDE\charset.cvb
%TEMP%\RarSFX0\BDE\europe.btl
%TEMP%\RarSFX0\BDE\idapi32.dll
%TEMP%\RarSFX0\BDE\idapinst.dll
%TEMP%\RarSFX0\BDE\idasci32.dll
%TEMP%\RarSFX0\BDE\iddbas32.dll
%TEMP%\RarSFX0\BDE\iddr32.dll
%TEMP%\RarSFX0\BDE\idr20009.dll
%TEMP%\RarSFX0\BDE\other.btl
%TEMP%\RarSFX0\BDE\usa.btl
%TEMP%\RarSFX0\hl.dll.cpt
%TEMP%\RarSFX0\IJL15.DLL
%TEMP%\RarSFX0\isnf2.dll
%TEMP%\RarSFX0\nspl.dll.cpt
%TEMP%\RarSFX0\options.bak
%TEMP%\RarSFX0\shr.dll
%TEMP%\RarSFX0\SpyConsoleSetup.exe
%TEMP%\RarSFX0\wpcap\4.0\npf.sys
%TEMP%\RarSFX0\wpcap\4.0\npptools.dll
%TEMP%\RarSFX0\wpcap\4.0\Packet.dll
%TEMP%\RarSFX0\wpcap\4.0\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\4.0\WanPacket.dll
%TEMP%\RarSFX0\wpcap\4.0\wpcap.dll
%TEMP%\RarSFX0\wpcap\4.1\npf.sys
%TEMP%\RarSFX0\wpcap\4.1\npptools.dll
%TEMP%\RarSFX0\wpcap\4.1\Packet.dll
%TEMP%\RarSFX0\wpcap\4.1\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\4.1\WanPacket.dll
%TEMP%\RarSFX0\wpcap\4.1\WinPcap_4_1_2.exe
%TEMP%\RarSFX0\wpcap\4.1\wpcap.dll
%TEMP%\RarSFX0\wpcap\npf.sys
%TEMP%\RarSFX0\wpcap\npptools.dll
%TEMP%\RarSFX0\wpcap\Packet.dll
%TEMP%\RarSFX0\wpcap\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\vista\npptools.dll
%TEMP%\RarSFX0\wpcap\vista\Packet.dll
%TEMP%\RarSFX0\wpcap\vista\pthreadVC.dll
%TEMP%\RarSFX0\wpcap\vista\wpcap.dll
%TEMP%\RarSFX0\wpcap\WanPacket.dll
%TEMP%\RarSFX0\wpcap\wpcap.dll
%TEMP%\RarSFX0\wpcap\x64\npf.sys

Autostart registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0: rundll32.exe %WinDir%\System32\advpack.dll,DelNodeRunDLL32 “%TEMP%\IXP000.TMP\”

Detected by UnHackMe:

SHR.DLL
Default location: %TEMP%\RARSFX0\SHR.DLL

Dropper information:
MD5: 1ba4a741245f68d14691bfecf37280d0
File size: 4065280 bytes