TrojanSpy:MSIL/Tzeebot

TrojanSpy:MSIL/Tzeebot is also detected as Trojan.Generic.12265287 and PSW.MSIL.AASA by other vendors.

Malware Analysis of TrojanSpy:MSIL/Tzeebot – MAINMODULE.DLL

Created files:

%Appdata%\Microsoft FxCop\4.tmd
%Appdata%\Microsoft FxCop\c4febf31-f8bd-g26b.tmp
%Appdata%\Microsoft FxCop\MainModule.dll
%Appdata%\Microsoft FxCop\netscp.exe
%Appdata%\setup1.exe

Registry keys written by the installer (reported by the sandbox as "autostart" keys). Note that the HKLM\Software\Classes\CLSID\...\InprocServer32 and LocalServer32 entries below are COM class registrations for Easy Resume Creator Pro (Sarm Software) and InstallShield components, the rbcfile\shell\open\command entry is a file-type association, and the Installer and Uninstall entries are installer metadata; none of these runs code at logon by itself. The only genuine autostart entry in the list is the last one, HKCU\...\Run\ComponentUpdate, which launches a shortcut (.lnk) from %Appdata%, so the real command line is hidden inside the shortcut's target:

HKLM\Software\Classes\CLSID\{01669F9A-747B-430C-A8E4-B7D3B865F4E9}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{0E08FAEF-2592-4476-A494-E31AFD19CBA5}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBOffice.dll”
HKLM\Software\Classes\CLSID\{13CB9CFD-ABEE-4ECF-A21D-57E414701143}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{1783EC2A-D86A-4361-85A6-D55133149CFD}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{19CF09CC-CD5F-4815-889B-BA8E5C1ABC5E}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{1A3CB5B2-3F76-46CB-B0B8-3AF53814BF0F}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{1D498C0D-B69C-4539-B2A0-4798131B4235}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{1E304293-5DA6-4243-8BD8-A703F31AA581}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\PolarSpellChecker.dll”
HKLM\Software\Classes\CLSID\{20CC71C2-76DA-4C49-AB25-BD998DA3A323}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{21646776-E8C3-40E7-A9AF-53646011A17D}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{2ADAE94C-D3E1-46EA-BC9B-6C37D3BBCC49}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{331134B3-A059-4ABD-8B3A-CDDA781E0A4C}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{346AB550-8464-4687-BBCE-001DED37AD8D}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{362F51B1-C678-4656-A630-2DE26655116C}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{413044F5-C5C6-4F22-9792-3B431150FBC0}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{45560446-C0A3-49E6-8983-34509E42F9BB}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{509DFEFD-EE7B-4646-B8D3-CC04B9D9C03A}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{51B5BAF4-677B-4D92-9886-39A8349416EA}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{5241BFB0-B960-4344-9366-B9DD0AA0BDFE}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{5300B31A-2CB7-4EB4-A03E-1C7F34F7AA31}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{53FFE7A9-237D-4289-8328-4164890D9F66}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{5885A92C-7AFE-4E6A-8F10-BD4E225FB8ED}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{5E767B6C-E3ED-40CA-8B04-6DC32F81713B}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{6080C7ED-45AF-4BC2-B3A8-BA4ADA910AF0}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{664FFC5A-5513-43A9-BC40-CFA4415F9974}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBLogic.dll”
HKLM\Software\Classes\CLSID\{67659F4B-F816-47E3-898E-02A0D0149AC9}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{68CF3EDB-77FD-4D3A-B928-F151961081DC}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{697DEABA-809C-49FC-ADD1-E9902D88360D}\LocalServer32\: “%Program Files Common%\InstallShield\Driver\8\Intel 32\IDriver2.exe”
HKLM\Software\Classes\CLSID\{69FE6499-8D9C-44CB-8FB6-444B118ACC8A}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{70DC0A9A-EC09-40BB-AA10-DD3E7492A7F4}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBLogic.dll”
HKLM\Software\Classes\CLSID\{72F88475-1EC7-445B-BBF3-994A97D40B37}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{74BBD178-A141-4AAB-B282-421E5058EA2B}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{7B6D5F5A-6CFA-46DC-96D5-815A7272A3E5}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{7C4D9AD4-CCCE-432A-BBF8-429D4A8E7C93}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{7CB4EB1C-860F-4A73-A6E2-7D0C278AC28B}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{8320BFF2-B676-481A-8BD9-2C342EEA7445}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{83289851-7916-4AE7-851F-F4772DB523A8}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{8697CB52-C3AC-4115-B8E6-C97DB4D15654}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{89472D62-762A-42D3-B9BC-18FC034E4981}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\XMLRocket.dll”
HKLM\Software\Classes\CLSID\{8A9C3341-81B3-4CD3-AA8B-44889168F6A6}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{8B1670C8-DC4A-4ED4-974B-81737A23826B}\LocalServer32\: “%Program Files Common%\InstallShield\Driver\8\Intel 32\IDriver.exe”
HKLM\Software\Classes\CLSID\{8DC65F84-C165-42CE-B53E-C8516237BDB0}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{9607A9CD-DA4B-43C3-877C-26CE6618F497}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{96B6A69C-49A5-41DE-BAC4-F06B556E137A}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{9C095C3F-18E3-4E4A-9D74-75B65E1B24E8}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{A1611385-DB7D-417B-ACA4-71260DD92336}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{A1726C4F-5238-4907-B312-A7D3369E084E}\InProcServer32\: “%Program Files Common%\InstallShield\Driver\8\Intel 32\objps8.dll”
HKLM\Software\Classes\CLSID\{A480CD6A-A079-4E37-8298-A0046EFB0077}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{A72C155E-7969-4C4B-858D-A92F14E3A52F}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{B11C5FBE-6983-48D3-B9AA-AA64A843BF8D}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{B1EBE828-1A7A-47C5-8486-0B412966A866}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{B2A37ADF-D777-49F2-AEB0-FBA632B8E226}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{B41EC7A4-D02D-4CB4-9278-7160279170BA}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{B84EDC85-8F87-4D92-A7DF-67AB94F2C528}\LocalServer32\: “%Program Files Common%\InstallShield\Driver\8\Intel 32\IDriver.exe”
HKLM\Software\Classes\CLSID\{BA7FC4A9-1424-4BF2-B3C0-C3641AF6F220}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{BCB61208-4B1E-47B0-AF60-872DDDD806D2}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{C1951CA8-EA36-4AB9-BFE8-83A8D34D8A27}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{C3200B2D-944C-49F3-8A04-64C6B5FA65E9}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{CF7CB142-2D1A-4294-AC7C-51D6C43C50FF}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{D252103D-9063-4369-A466-A69E3980BB7B}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{D6CD75DC-C360-4A93-9CE4-77B9BCB646D2}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{D85FB217-D929-4EBB-9A0D-81B4AFF5C382}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBLogic.dll”
HKLM\Software\Classes\CLSID\{E221F337-4CDC-4B78-8BAD-8C052F42CE1E}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{E4737814-0C6E-4066-B25A-63CFCB5BDD08}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{E4FE0FAB-D30E-42A6-80A2-607A89B6A72D}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{EAE03B42-D010-4261-9C01-6D2456C462BC}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{EE238DE9-FE77-4869-B9F4-ACD4BE0E0C3C}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{EE857AEB-6D53-4A09-AB26-595552D4BBD1}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll”
HKLM\Software\Classes\CLSID\{F4E4CFFC-D262-4064-AC55-3AB0B91C649D}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{F7256153-49C3-46F0-8B15-4A0E4D3B80FA}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCover.dll”
HKLM\Software\Classes\CLSID\{F9E7EC1D-7933-4EA0-8785-0CB82C87AF46}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{FC5F5A61-B28C-4E1C-9528-40B4B40A897B}\InprocServer32\: “%Program Files Common%\InstallShield\Driver\8\Intel 32\IScript8.dll”
HKLM\Software\Classes\CLSID\{FC6ECC97-95BD-4492-BC07-EDAF95C2FF2A}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{FF293715-AF03-45D1-A18D-E950533BA728}\InprocServer32\: “%Program Files%\Sarm Software\Easy Resume Creator Pro\RBFlow.dll”
HKLM\Software\Classes\CLSID\{FFD7B771-8ECA-45DE-A944-7B013C6C2DF5}\InprocServer32\: “%Program Files Common%\InstallShield\Driver\8\Intel 32\IUser8.dll”
HKLM\Software\Classes\rbcfile\shell\open\command\: "C:\PROGRA~1\SARMSO~1\EASYRE~1\Omega.exe "%1""
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\64DACD1006FFB87488BFA8711B21F935\InstallProperties\DisplayName: “Easy Resume Creator Pro”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{01DCAD46-FF60-478B-88FB-8A17B1129F53}\UninstallString: “%Program Files Common%\InstallShield\Driver\8\Intel 32\IDriver.exe /M{01DCAD46-FF60-478B-88FB-8A17B1129F53} ”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{01DCAD46-FF60-478B-88FB-8A17B1129F53}\DisplayName: “Easy Resume Creator Pro”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\DisplayName: “Easy Resume Creator Pro”
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ComponentUpdate: "%Appdata%\Microsoft\Google Component Update.lnk"

Detected by UnHackMe:

MAINMODULE.DLL
Default location: %APPDATA%\MICROSOFT FXCOP\MAINMODULE.DLL

Dropper hash (MD5): be741520f13a2bf8bc064a73e146bf08
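The listing above mixes one real persistence entry with dozens of COM registrations and installer metadata, and gives file names plus an MD5 to hunt for. The following offline triage helper is an added example written for this page, not UnHackMe's code: it sorts registry entries by what they can actually do at logon, flags the Run value that launches a .lnk out of %Appdata%, and checks observed files against the listed names and dropper hash. The registry lines in SAMPLE_DUMP are copied from the listing plus one hypothetical benign "ExampleAgent" Run value as a control; the file contents in SAMPLE_FILES are constructed placeholders, not the real sample.

```python
"""Offline triage of the TrojanSpy:MSIL/Tzeebot indicators (added example).

Feed it lines in the page's "KEY\\ValueName: "data"" format (e.g. reformatted
`reg export` output) and a {path: bytes} table of files found under %APPDATA%.
"""
import hashlib
import re

# Indicators transcribed from the listing above (lower-cased for matching).
DROPPED_FILES = {
    r"%appdata%\microsoft fxcop\4.tmd",
    r"%appdata%\microsoft fxcop\c4febf31-f8bd-g26b.tmp",
    r"%appdata%\microsoft fxcop\mainmodule.dll",
    r"%appdata%\microsoft fxcop\netscp.exe",
    r"%appdata%\setup1.exe",
}
DROPPER_MD5 = "be741520f13a2bf8bc064a73e146bf08"

# Keys whose values are launched at logon: the only real autostart hit on the page.
AUTOSTART_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\", re.I)
# COM class registrations name a server DLL/EXE but run nothing until a client
# instantiates the CLSID; these dominate the page's "autostart" list.
COM_SERVER_RE = re.compile(
    r"\\software\\classes\\clsid\\\{[0-9a-f-]+\}\\(inprocserver32|localserver32)\\", re.I)
FILE_ASSOC_RE = re.compile(r"\\shell\\open\\command\\", re.I)
INSTALL_META_RE = re.compile(r"\\(uninstall|installer)\\", re.I)

# 'HKCU\...\Run\Name: "data"'; a path ending in '\' is the key's (Default) value.
ENTRY_RE = re.compile(r'^(?P<path>[^:]+?):\s*"(?P<data>.*)"\s*$')


def parse_entry(line):
    """Return {'path', 'key', 'value', 'data'} for one listing line, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    path, data = m.group("path"), m.group("data")
    key, _, value_name = path.rpartition("\\")
    return {"path": path, "key": key, "value": value_name, "data": data}


def classify(path):
    """Bucket a registry path by what it can do, most dangerous first."""
    if AUTOSTART_RE.search(path):
        return "autostart"
    if COM_SERVER_RE.search(path):
        return "com_registration"
    if FILE_ASSOC_RE.search(path):
        return "file_association"
    if INSTALL_META_RE.search(path):
        return "install_metadata"
    return "other"


def autostart_findings(value_name, data):
    """Reasons a Run value deserves a look.  Tzeebot's entry launches a shortcut,
    so the Run data alone never shows the real command line."""
    target = data.strip().strip('"').lower()
    reasons = []
    if target.endswith(".lnk"):
        reasons.append("launches a shortcut; resolve the .lnk target")
    if target.startswith("%appdata%") or "\\appdata\\roaming\\" in target:
        reasons.append("target lives in the roaming profile, unusual for installed software")
    if value_name.lower() == "componentupdate":
        reasons.append("value name matches the Tzeebot listing")
    return reasons


def triage_registry(dump):
    """Group every parseable line of the dump by classify(); autostart entries
    additionally carry a 'reasons' list from autostart_findings()."""
    buckets = {k: [] for k in
               ("autostart", "com_registration", "file_association", "install_metadata", "other")}
    for line in dump.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        kind = classify(entry["path"])
        if kind == "autostart":
            entry["reasons"] = autostart_findings(entry["value"], entry["data"])
        buckets[kind].append(entry)
    return buckets


def md5_hex(content):
    return hashlib.md5(content).hexdigest()


def match_files(observed):
    """observed: {path: bytes}.  Returns (paths matching the dropped-file names,
    paths whose content hashes to the dropper MD5); the two lists are independent."""
    name_hits = [p for p in observed if p.lower() in DROPPED_FILES]
    hash_hits = [p for p, c in observed.items() if md5_hex(c) == DROPPER_MD5]
    return name_hits, hash_hits


# Constructed sample: four lines copied from the listing plus a hypothetical
# benign Run value (ExampleAgent) that must not be flagged.
SAMPLE_DUMP = r"""
HKLM\Software\Classes\CLSID\{01669F9A-747B-430C-A8E4-B7D3B865F4E9}\InprocServer32\: "%Program Files%\Sarm Software\Easy Resume Creator Pro\RBCore.dll"
HKLM\Software\Classes\rbcfile\shell\open\command\: "C:\PROGRA~1\SARMSO~1\EASYRE~1\Omega.exe "%1""
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{01DCAD46-FF60-478B-88FB-8A17B1129F53}\DisplayName: "Easy Resume Creator Pro"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ComponentUpdate: "%Appdata%\Microsoft\Google Component Update.lnk"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleAgent: "C:\Program Files\Example\agent.exe --tray"
"""
# Constructed placeholder contents; the real dropper bytes are not on the page.
SAMPLE_FILES = {
    r"%Appdata%\Microsoft FxCop\MainModule.dll": b"MZ\x90\x00 placeholder, not the real sample",
    r"%Appdata%\Microsoft\Google Component Update.lnk": b"L\x00\x00\x00 placeholder shortcut",
}

if __name__ == "__main__":
    buckets = triage_registry(SAMPLE_DUMP)
    for kind, entries in buckets.items():
        print(f"{kind}: {len(entries)}")
    for e in buckets["autostart"]:
        print(f"  Run\\{e['value']} -> {e['data']}  {e['reasons'] or 'no findings'}")
    print("file name hits:", match_files(SAMPLE_FILES)[0])
    print("dropper hash hits:", match_files(SAMPLE_FILES)[1])
```

On a live host the same logic applies to `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output and to MD5s of everything under %APPDATA%\Microsoft FxCop; the point of the bucketing is that removing the CLSID entries does nothing against persistence, while the single Run value and the shortcut it points to are what must go.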

Written by Malware Hunter.
