TR/Autoit.QX - Removal Instruction
Summary:
Date discovered: Apr 20, 2018
Type: Malware
Impact: Medium
Reported Infections: Low
Operating System: Windows
VDF version: 7.14.53.162 (2018-04-20 16:05)
Description:
The prefix 'TR' denotes a trojan horse: malware that is able to spy on data, violate your privacy, or make unwanted modifications to the system. The 'Autoit' family name indicates a sample built as a compiled AutoIt script; the ESET alias listed below classifies this one as a downloader.
Details:
VDF: 7.14.53.162 (2018-04-20 16:05)
Network activity: no entries recorded on this page.
Processes: no entries recorded on this page.
Files
The following files are deleted:
%APPDATA%\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000000.db
The following drivers are loaded:
%WINDIR%\SysWOW64\ieframe.dll
%WINDIR%\winsxs\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms
%TEMPDIR%\%executed_sample%
%WINDIR%\Globalization\Sorting\sortdefault.nls
%APPDATA%\Local\Microsoft\Windows\Caches\cversions.1.db
%USERPATH%\Desktop\desktop.ini
%SYSDIR%\WindowsPowerShell\v1.0\powershell.exe
The following files are executed:
%WINDIR%\SysWOW64\ieframe.dll
%WINDIR%\winsxs\FileMaps\$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms
%TEMPDIR%\%executed_sample%
%WINDIR%\Globalization\Sorting\sortdefault.nls
%APPDATA%\Local\Microsoft\Windows\Caches\cversions.1.db
%USERPATH%\Desktop\desktop.ini
%SYSDIR%\WindowsPowerShell\v1.0\powershell.exe
Note: the "drivers loaded" and "files executed" lists above are identical, and only two entries in them are actually executable code: %TEMPDIR%\%executed_sample% (the sandbox placeholder for the analyzed sample itself, i.e. the sample runs from the temp directory) and powershell.exe. The remaining entries (ieframe.dll, sortdefault.nls, cversions.1.db, desktop.ini, the .cdf-ms file map) are system files the process loaded or read. The behaviour worth detecting is therefore an executable in %TEMP% spawning PowerShell.
Registry
The following registry entries are added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap ("ProxyBypass": "") ("IntranetName": "") ("UNCAsIntranet": "0x00000000") ("AutoDetect": "0x01000000")
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap ("ProxyBypass": "") ("IntranetName": "")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ("UNCAsIntranet": "0")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ("AutoDetect": "1")
The following registry entries are changed:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap ("ProxyBypass": "") ("IntranetName": "") ("UNCAsIntranet": "0x00000000") ("AutoDetect": "0x01000000")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ("UNCAsIntranet": "0")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ("AutoDetect": "1")
The values of the following registry keys are removed:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap ("ProxyBypass": "") ("IntranetName": "") ("UNCAsIntranet": "0x00000000") ("AutoDetect": "0x01000000")
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap ("ProxyBypass": "") ("IntranetName": "")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ("ProxyBypass": "")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ("IntranetName": "")
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ("ProxyBypass": "")
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ("IntranetName": "")
Note: the same ZoneMap keys appear under "added", "changed" and "removed" because the sandbox logged every write to them. ProxyBypass, IntranetName, UNCAsIntranet and AutoDetect are the default Internet Explorer security-zone settings that the WinINet/urlmon stack writes whenever a process initialises zone handling (ieframe.dll is in the load list above), so on their own they are weak indicators that any program using IE components can produce. "0x01000000" and "1" are the same DWORD value (the first is the raw little-endian byte rendering); likewise "0x00000000" and "0".
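The following host-triage script is an added example, not part of the Avira description or of any Avira tool. It checks a Windows host for the three kinds of artifact listed in the Files and Registry sections: the ZoneMap values, recently written executables in the user's temp directory (the sample runs from %TEMPDIR%), and PowerShell being launched by a parent that lives under a temp directory. It assumes an elevated PowerShell on Windows 10 / Server 2016 or later, that process-creation auditing (Security event 4688, with command-line logging) is enabled for the last check to return anything, and that a seven-day look-back window is appropriate; the window and the temp-path regex are illustrative choices, not values from the page.

```powershell
# Added triage example for the artifacts listed on this page (not Avira's code).
# Assumptions: elevated PowerShell, Windows 10/Server 2016+, Security event 4688
# auditing enabled (with "Include command line in process creation events").
# The 7-day window and the temp-directory regex are illustrative choices.

$cutoff = (Get-Date).AddDays(-7)

# 1. Report the ZoneMap values named in the Registry section.
#    These are IE security-zone defaults, so they are only useful for
#    correlation with the checks below, not as a stand-alone indicator.
$zoneMapPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)
$zoneMapValues = 'ProxyBypass', 'IntranetName', 'UNCAsIntranet', 'AutoDetect'

function Get-ZoneMapState {
    foreach ($path in $zoneMapPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $zoneMapValues) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -ne $prop) {
                [pscustomobject]@{ Key = $path; Name = $name; Value = $prop.Value }
            }
        }
    }
}

# 2. The sample runs from %TEMPDIR% (%TEMPDIR%\%executed_sample% above).
#    List PE files written to the user's temp directory inside the window.
function Get-RecentTempExecutables {
    Get-ChildItem -Path $env:TEMP -Recurse -File -Include *.exe, *.dll, *.scr `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, Length, LastWriteTime
}

# 3. The sample executes %SYSDIR%\WindowsPowerShell\v1.0\powershell.exe.
#    Find 4688 events where powershell.exe was started by a parent process
#    located under a Temp/Tmp directory.
function Get-PowerShellFromTemp {
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $cutoff }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $data['NewProcessName']
                Parent  = $data['ParentProcessName']   # present on Win10/2016+
                Cmd     = $data['CommandLine']         # needs command-line auditing
            }
        } |
        Where-Object {
            $_.Process -like '*\WindowsPowerShell\v1.0\powershell.exe' -and
            $_.Parent  -match '\\(Temp|Tmp)\\'
        }
}

'--- ZoneMap values (weak indicator, for correlation only) ---'
Get-ZoneMapState | Format-Table -AutoSize
'--- Executables written to %TEMP% since {0} ---' -f $cutoff
Get-RecentTempExecutables | Format-Table -AutoSize
'--- powershell.exe launched from a temp-directory parent ---'
Get-PowerShellFromTemp | Format-Table -AutoSize
```

A hit in the third list (PowerShell with a parent under a temp directory) is the finding that actually matters; the first list will be populated on almost any host and should only be used to confirm that the ZoneMap writes coincide in time with a suspicious temp-directory executable from the second list. If 4688 auditing is off, the third function returns nothing rather than failing, so an empty result is not a clean bill of health.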
Aliases
ESET: Win32/TrojanDownloader.Autoit.OGS trojan
G Data: AIT:Trojan.Autoit.DIJ