Gen.Variant.Midie.6956_603e485a42

by malwarelabrobot on May 27th, 2017 in Malware Descriptions.

Gen:Variant.Midie.6956 (BitDefender), Trojan:Win32/Toga!rfn (Microsoft), Trojan-Dropper.Win32.Sysn.bpvb (Kaspersky), Trojan-Dropper.Win32.Daws.awfy (v) (not malicious) (VIPRE), Trojan.Inject1.10883 (DrWeb), Gen:Variant.Midie.6956 (B) (Emsisoft), PWSZbot-FIB!603E485A4201 (McAfee), W32.Faedevour!inf (Symantec), Trojan-Spy.Agent (Ikarus), Gen:Variant.Midie.6956 (FSecure), SHeur4.ALPI (AVG), Win32:Malware-gen (Avast), PE_WINDEX.A (TrendMicro), Gen:Variant.Midie.6956 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Spy, Trojan, Malware


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 603e485a42013f7a70372855ed14e6dd
SHA1: ee12258d191d7d1705bfda9100d0ecd795d58f02
SHA256: abf0fc4457d29c9dbe5684f2e8915d298c11e47cd13dcb36bb52b5ecfe5bfc49
SSDeep: 49152:zsLi12DPGZWHmCDTzRZbTChxKCnFnQXBbrtgb/iQvu0UHOaRI:zsLi1MuZWHhZ6hxvWbrtUTrUHOGI
Size: 2481596 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Ivanov Ivan
Created at: 2012-03-05 10:37:55
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware onto the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wtmps.exe:1672
mscaps.exe:3104
@AE224E.tmp.exe:3432
launch.exe:3792
WdExt.exe:1472

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process wtmps.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\mscaps.exe (26272 bytes)

The process mscaps.exe:3104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3D5D.tmp (406 bytes)
C:\Windows\System32\wtime32.dll (27976 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wtmps.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3D5D.tmp (0 bytes)

The process @AE224E.tmp.exe:3432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Se29A0.tmp (1792 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\mydll.dll (1489 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm0.bat (127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm1.bat (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Sp299F.tmp (1396 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp29A1.tmp (907 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe (229958 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2847.tmp (432058 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Se29A0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Sp299F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2847.tmp (0 bytes)

The process launch.exe:3792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm0.bat (100 bytes)

The process WdExt.exe:1472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Common\Shared\dis.dll (10077 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Identities\"%CurrentUserName%"\arc.dll (103749 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm1.bat (124 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2DE4.tmp (26548 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wtmps.exe (31581 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2DA4.tmp (200332 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2DC4.tmp (48916 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E25.tmp (18508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Shared\Modules\fil.dll (10805 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Defender\launch.exe (18077 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Caches\Files\usd.dll (7933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E66.tmp (55476 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E14.tmp (28924 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E35.tmp (21164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\mydll.dll (26868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Repairs\sha.dll (7589 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E56.tmp (36444 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Addins\att.dll (18829 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\mydll.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2DE4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2DA4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E35.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E25.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2DC4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E66.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E14.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E56.tmp (0 bytes)

Registry activity

The process mscaps.exe:3104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{ef2b00e3-19da-4e78-b118-6b6451b719f2}]
"Locale" = "*"
"StubPath" = "C:\Windows\system32\mscaps.exe /s /n /i:U shell32.dll"
"Version" = "1,125,2406,1"
"ComponentID" = "DirectShow"

The process @AE224E.tmp.exe:3432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\@AE224E_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\@AE224E_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\@AE224E_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\@AE224E_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\@AE224E_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\@AE224E_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\@AE224E_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\@AE224E_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\@AE224E_RASMANCS]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process launch.exe:3792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender Extension" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Defender\launch.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WdExt.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
a2d6acb4299dce68763eb1aba4153a4d c:\%original file name%.exe
f1c9f4a1f92588aeb82be5d2d4c2c730 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Caches\Files\usd.dll
1fcc5b3ed6bc76d70cfa49d051e0dff6 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Common\Shared\dis.dll
daac1781c9d22f5743ade0cb41feaebf c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Defender\launch.exe
2d9df706d1857434fcaa014df70d1c66 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Identities\"%CurrentUserName%"\arc.dll
42830b2784354701293fcd863d01a53a c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
6a9461f260ebb2556b8ae1d0ba93858a c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Repairs\sha.dll
d0c9ada173da923efabb53d5a9b28d54 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Shared\Modules\fil.dll
fffa05401511ad2a89283c52d0c86472 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Addins\att.dll
78d3c8705f8baf7d34e6a6737d1cfa18 c:\Windows\System32\mscaps.exe
978888892a1ed13e94d2fcb832a2a6b5 c:\Windows\System32\wtime32.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ???
Product Name: ????????
Product Version: 3.0.1.55
Legal Copyright: Copyright (C) 2017 ??? All Rights Reserved
Legal Trademarks:
Original Filename: GpUpdate.exe
Internal Name: GpUpdate.exe
File Version: 3.0.1.55
File Description: ???????
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 2108 2560 3.76997 6dbb11cce72cc16b887018dd4c34d252
.rdata 8192 1478 1536 3.36814 838666d924e8b6e9dfc84f930bd16733
.data 12288 598016 512 0.377955 7d6dcdf3bcb22dca4957ddb77c1c8cbf
.rsrc 610304 16692 16896 2.9414 21a5a1fa5c3d5b86c14d2c57addeb448

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://static-download.dns.iqiyi.com/product/GpUpdate/GpUpdate.xml
hxxp://static-download.dns.iqiyi.com/product/GpUpdate/GeePlayerSetup_update_201703311759.exe
hxxp://dl.static.iqiyi.com/product/GpUpdate/GpUpdate.xml 106.120.177.210
hxxp://dl.static.iqiyi.com/product/GpUpdate/GeePlayerSetup_update_201703311759.exe 106.120.177.210
update.microsoft.com 134.170.58.222
a.gwas.perl.sh 151.80.13.35
windowsupdate.microsoft.com 65.55.138.120


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /product/GpUpdate/GpUpdate.xml HTTP/1.1
Host: dl.static.iqiyi.com
Accept-Encoding: gzip
Pragma: no-cache
Cache-Control: no-cache
Connection: close
Accept: */*


HTTP/1.1 200 OK
Server: QWS
Date: Fri, 26 May 2017 08:03:29 GMT
Content-Type: text/xml
Transfer-Encoding: chunked
Connection: close
Last-Modified: Fri, 05 May 2017 06:22:28 GMT
Expires: Fri, 26 May 2017 10:19:47 GMT
Cache-Control: max-age=10800
X-Cache: EXPIRED from 10.10.17.16
Content-Encoding: gzip
X-Cache: HIT from 106.120.177.210
586.............X.n.V.}.R.......q. .!.D...".H.3....c....>qiK.RRQ.P.
4.E.U.}@Tm...bO../t.{..L.Lh....C<.^g.....y...Ob?.\....Q.~.. ..of.m
"...Y... D.e0..k.b....u....T=.......'...}.*.K...f...l.;....CG... .....
....8z.....3z..'g.O........r8v.rLw*....>.?M....<j.....0...4..|..
C(..8J(#..y.?qO.x....*.).Up..o.CSe..?....(....a.D.).:8.....L..Rl.$.pR.
...@l.t....c..-[6.....E..Q.V.b..E..UN.U...B...Q..z.(..*k.p:.........J
6T..JK.[H4U.0...I.l.9.G{.kV.....$...z\...h..4....b".$..Z*.JH..%\V8....
..>Z....k..a.n..3.A.5I.....%..T.T.t.Ri&)qk|X..z.9.m.... =G.).P...p
.B....f......w*.R.`....e|.i..[..0.\~.q......e.[..~......x~6..P{...z...
.sivg..b(.....h~)5.m.T[|..h...........<1........o........:oF3......
7.?......iX......x...._...:.j. ...;W.....g[....j..@.[.....m,..* ./..R.
.....v...<....$~.C.0W[.r{.J.1M...0#3.....Sf$ ....n....P.d........d2
.:.l...8...=.XN.f....Q4.....3bW.-.#.`....s....)@.9.I.5..A.....VR...9..
.r.#.. (.7..Z.>A$.q.3..#.P..k.G..i..~6F.........srx.d.Z....\..1>
VA.......2.......S..x.....ln....{A..iWf..Z$.I.Oe`......I...].`.B..<
.A.%...-.%......KDG...B4....t.ZAu.......`....V#....v..j.[.L......pa...
.......,0.A....D....^0...U<;KkZ....L...7*.........s|n......l.?..`7.
.....D........B....H.S.QY..e......TMQ1$A..."...K.Q.E..$...J.BA.8h..!u8
..yV...N[.mR..`.6....o..R&7...g..yP.D............VA,.p..^.o..._&6..8..
..L|....i...........q.g...t_.M..Mx...w.#}.k.r..G.V....["<` ...!3...
m.t.....\..]x$.|..... ............q.....Ki.........T.....0..

<<< skipped >>>

GET /product/GpUpdate/GeePlayerSetup_update_201703311759.exe HTTP/1.1
Host: dl.static.iqiyi.com
Accept-Encoding: gzip
Pragma: no-cache
Cache-Control: no-cache
Connection: close
Accept: */*


HTTP/1.1 200 OK
Server: QWS
Date: Fri, 26 May 2017 08:03:30 GMT
Content-Type: application/octet-stream
Content-Length: 23887208
Connection: close
Last-Modified: Fri, 31 Mar 2017 10:00:18 GMT
Expires: Fri, 26 May 2017 08:43:29 GMT
Cache-Control: max-age=10800
X-Cache: HIT from 10.10.17.17
X-Cache: HIT from 106.120.177.210
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......G.....b...b.
..b.......b.......b...c...b.......b. 9....b.e8....b.e8....b.Rich..b...
..............PE..L...fO.X.................t...b...B...;............@.
..........................).....Uum...@...............................
............(.8...........XGl..6......................................
.....................................................text....s.......t
.................. ..`.rdata...*.......,...x..............@..@.data...
.#..........................@....ndata.... ...........................
...rsrc...8.....(.....................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
..............................................\.|$d.t/.|$dF.L$lu..I...
.bG..A.Q.t$l.t$l.t$l....@..a...SU.-..G.VW.D$,P.t$t....@..d$.....D$.P.t
$t....@..t$(.d$(..T$ .t$t.......ER..MV..... ...........MU..L$ .....EQ.
......|$t..MT..L$ ..........EP.......|$t.........D$.P.t$...h.@..D$(...
V.D$ PS....@.V..`.@..T$ .t$t....T$ ;...g....}X.th.u4..d.@....t$t..tUj.
S.D$$.....D$(......X.@..uXS..T.@..=\.@.VS..h ......D$ Pj.h.bG.S....@.V
S...t$t..`.@..D$,P.t$t....@._^]3.[..\...QSU.-..G.3.V......W.l$..}..tW3
.;5,.G.sK.=(.G..l$.........u...t..|...t..W.3.@.......#.;.u.F.. @..

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3416:

.text
`.rdata
@.data
.rsrc
@.reloc
SShh|
</tg<\tc<.ug
tL<%u@
TT T!"TT#$TTTT%&'TTT(T)*T TTT,-.TT/0123TTTTTT4TTTTTTT5TTTTTT6789:;TTTTTTTT<TTT=>?@ABCDTTTTETTTTFTTTTTTGTTHITTTTTJKTTTLLTTMTTTTTTTTTNTTOTPQRS
!"FFF#F$Fÿ&F'()FFFFFFFFFFFFF*FFFFFFFFFFFF FF,-FFFFFFFFFFF.F/FFFFFFFFFFFFFF01FF234FF56789FFFFFFFF:;FF<=>FF?FFFFF@ABFFFFFCFDFFFFFE
tX9.uT
t.Gj:W
xSSSh
FTPjKS
FtPj;S
C.PjRV
CreatePipe failed
Unable to parse FTP file list
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Issuer check against peer certificate failed
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: Accepting server connect has timed out
FTP: The server failed to connect to data port
FTP: weird server reply
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
URL using bad/illegal format or missing URL
Unsupported protocol
Winsock version not supported
Protocol family not supported
Address family not supported
Operation not supported
Socket is unsupported
Protocol is unsupported
Protocol option is unsupported
Unknown error %d (%#x)
.jpeg
.html
--%s--
couldn't open file "%s"
Content-Type: %s
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
Could not resolve %s: %s; %s
getaddrinfo() failed for %s:%d; %s
init_resolve_thread() failed for %s; %s
%s:%d
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
%5[^:]:%d:%5s
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
Protocol %s not supported or disabled in libcurl
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
<url> malformed
:]://%[^
[^:]:%[^
Re-using existing connection! (#%ld) with host %s
%s://%s
Connection #%ld to host %s left intact
operation aborted by callback
ioctl callback returned error %d
the ioctl callback returned %d
seek callback returned error %d
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Unrecognized content encoding type. libcurl understands `identity', `deflate' and `gzip' content encodings.
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
No URL set!
[^?&/:]://%c
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Issue another request to this URL: '%s'
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
23[^;
=]=I99[^;
%s%s%s
# Fatal libcurl error
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
WARNING: failed to save cookies in %s
[%s %s %s]
Send failure: %s
Recv failure: %s
Failed to set SO_KEEPALIVE on fd %d
bind failed with errno %d: %s
Local port: %hu
getsockname() failed with errno %d: %s
Bind to local port %hu failed, trying next
Couldn't bind to '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getpeername() failed with errno %d: %s
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Failed to connect to %s: %s
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Failed connect to %s:%ld; %s
Internal error removing splay node = %d
Internal error clearing splay node = %d
%d.%d.%d.%d
%s%s%s%s%s%s
Session: %s
%s %s RTSP/1.0
Range: %s
Referer: %s
Accept-Encoding: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Transport: %s
Transport:
Refusing to issue an RTSP request [%s] without a session ID.
Got RTSP Session ID Line [%s], but wanted ID [%s]
Unable to read the CSeq header: [%s]
SMTP
EHLO %s
HELO %s
No known auth mechanisms supported!
AUTH %s %s
LOGIN
AUTH %s
Got unexpected smtp-server response: %d
Remote access denied: %d
Access denied: %d
%s xxxxxxxxxxxxxxxx
smtp/
12345678
00000001
Authentication failed: %d
MAIL FROM:%s SIZE=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s
RCPT TO:<%s>
RCPT TO:%s
SMTPS not supported!
STARTTLS denied. %c
USER %s
PASS %s
Access denied. %c
%s %s
POP3S not supported!
%s LOGIN %s %s
%s STARTTLS
%s SELECT %s
%s FETCH 1 BODY[TEXT]
%s LOGOUT
IMAPS not supported!
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
invalid tsize -:%s:- value in OACK packet
%s (%ld)
blksize is smaller than min supported
%s (%d)
blksize is larger than max supported
%s (%d) %s (%d)
got option=(%s) value=(%s)
tftp_rx: internal error
Timeout waiting for block %d ACK. Retries = %d
Received unexpected DATA packet block %d, expecting block %d
tftp_tx: internal error, event: %i
tftp_tx: giving up waiting for block %d ack
Received ACK for block %d, expecting %d
bind() failed; %s
tftp_send_first: internal error
%s%c%s%c
TFTP finished
TFTP response timeout
Can't get the size of %s
Can't open %s for writing
Last-Modified: %s, d %s M d:d:d GMT
Couldn't open file %s
There are more than %d entries
LDAP remote: %s
LDAP local: ldap_simple_bind_s %s
LDAP local: Cannot connect to %s:%hu
LDAP local: trying to establish %s connection
LDAP local: %s
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
CLIENT libcurl 7.26.0
MATCH %s %s %s
DEFINE %s %s
insufficient winsock version to support telnet
WSAStartup failed (%d)
%s %d %d
%s %s %d
%s %s %s
%s IAC %d
%s IAC %s
Sending data failed (%d)
%d (unknown)
%s (unsupported)
%s IAC SB
Syntax error in telnet option: %s
Unknown telnet option %s
7[^= ]%*[ =]%5s
USER,%s
%c%c%c%c%s%c%c
%c%s%c%s
7[^,],7s
%c%c%c%c
FreeLibrary(wsock2) failed (%d)
WSACloseEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACreateEvent failed (%d)
failed to find WSAEnumNetworkEvents function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSACreateEvent function (%d)
failed to load WS2_32.DLL (%d)
WS2_32.DLL
PORT
FTP response aborted due to select/poll error: %d
FTP response timeout
Failure sending PORT command: %s
,%d,%d
Failure sending EPRT command: %s
%s |%d|%s|%hu|
bind() failed, we ran out of ports!
bind(port=%hu) failed: %s
bind(port=%hu) on non-local address failed: %s
socket failure: %s
failed to resolve the address provided to PORT: %s
getsockname() failed: %s
Connect data stream passively
PRET RETR %s
PRET STOR %s
PRET %s
REST %d
SIZE %s
STOR %s
APPE %s
Failed to do PORT
Got a d response code instead of the assumed 200
RETR %s
ftp server doesn't support SIZE
PBSZ %d
Access denied: d
ACCT %s
ACCT rejected by server: d
TYPE %c
Connecting to %s (%s) port %d
Failure sending QUIT command: %s
Uploading to a URL without a file name!
FTPS not supported!
Preparing for accepting server on data port
MDTM %s
Bad PASV/EPSV response: d
Can't resolve new host %s:%hu
Can't resolve proxy host %s:%hu
Skips %d.%d.%d.%d for data connection, uses %s instead
%d,%d,%d,%d,%d,%d
%c%c%c%u%c
ddd d:d:d GMT
dddddd
unsupported MDTM reply format
Failed FTP upload: 
RETR response: d
QUOT string not accepted: %s
Wildcard - "%s" skipped by user
Wildcard - START of "%s"
CWD %s
PRET command not accepted: d
Failed to MKD dir: d
MKD %s
QUOT command failed with d
Entry path is '%s'
PROT %c
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
Got a d ftp-server response when 220 was expected
server did not report OK, got %d
Failure sending ABOR command: %s
Remembering we are in dir "%s"
%sAuthorization: Basic %s
%s:%s
%s auth using %s with user '%s'
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
If-Unmodified-Since: %s
Last-Modified: %s
If-Modified-Since: %s
%s, d %s M d:d:d GMT
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
Failed sending HTTP request
%s%s=%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
PTF://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
PTF://
Host: %s%s%s:%hu
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
%s, TE
HTTP error before end of send, stop sending
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
RTSP/%d.%d =
HTTP =
HTTP/%d.%d =
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
SOCKS4%s request granted.
Failed to resolve "%s" for SOCKS4 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
User was rejected by the SOCKS5 server (%d %d).
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
Received HTTP code %d from proxy after CONNECT
HTTP/1.%d %d
CONNECT %s HTTP/%s
%s%s%s%s
Host: %s
%s%s%s:%hu
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
password
login
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
%s, algorithm="%s"
%s, opaque="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"
%s:%s:x:%s:%s:%s
%s:%.*s
%s:%s:%s
Error while processing content unencoding: %s
1.2.5
1.2.0.4
d:d
d:d:d
%c%c==
%c%c%c=
0123456789-
inflate 1.2.5 Copyright 1995-2010 Mark Adler
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
D:\GeePlayer\trunk\pub\bin\Publish\GpUpdate.pdb
VERSION.dll
WS2_32.dll
WLDAP32.dll
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeW
GetWindowsDirectoryW
GetProcessHeap
PeekNamedPipe
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteExW
SHFileOperationW
SHELL32.dll
ole32.dll
UrlCanonicalizeW
SHLWAPI.dll
IPHLPAPI.DLL
GetCPInfo
.?AVCCrtException@@
.?AV?$CAtlHttpClientT@VZEvtSyncSocket@ATL@@@ATL@@
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
4_5>6`6{7
5#6/676]6
= =$=(=,=0=4=8=
6%7s7}7
5 5$5(545
9 :$:(:,:0:
> >$>(>,>0>
? ?$?(?7?
5,585@5\5|5
; ;(;4;\;
< <$<(<,<
1620127iso_646.irv:19911351932windows-519320920001x-cp20001
1000932csshiftjis
1350221windows-502210712000cp12000
1028597iso_8859-70628605latin90501200utf160700154ptcp1541410010x-mac-romanian
1410001x-mac-japanese1200932cswindows31j
0601251cp12511201258windows-12580601125cp1125
1201257windows-12570601250cp12500601133cp1133
1201256windows-12561100932windows-31j
1000936csgb2312801201255windows-1255
1201254windows-1254
1052936hz-gb-23121201253windows-12531400949ks_c_5601_19871528599iso_8859-9:19890601201cp1201
0601200cp12001201252windows-1252
0810029x-mac-ce1201251windows-12511528598iso_8859-8:19880900949ks_c_56011110000csmacintosh
1201250windows-12501300932shifft_jis-ms
1528597csisolatingreek1100874windows-874
1100936windows-9360520127ascii
1100932windows-9321100437codepage437
0928596iso8859-60900154csptcp154
http-equiv
CrashReport.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\GeePlayer.exe
ppslog_%d-%d-%d
[GpUpdate.exe]
curl download%s
request:%s, response:%s
%s*%s
ok*%s*
update:%s**%s**%s**%s
parser xml failed:%s
hXXp://dl.static.iqiyi.com/product/GpUpdate/GpUpdateInfo.xml
hXXp://dl.static.iqiyi.com/product/GpUpdate/GpUpdateInfo_Debug.xml
GpUpdate.ini
WriteFile failed or none, error code: %d
request:%s,now close all
pipe thread normal exit
ReadFile failed or none, error code:%d
\\.\pipe\initiativeupdatepipe
GpUpdate.exe
Gpupdate.exe
printlog = %d
PPStream.ini
debug = %d, readlocalxml = %d
HKEY_CURRENT_USER$$$$Software\Microsoft\Windows\CurrentVersion\Imee\Address$$$$MacAddr
Testing.ini
copydata %s
\cube.dll
cube.dll
cube.dll
paramname:%s, paramvalue:%s, return code:%d
\libcurl.dll
\HCDNProxy.dll
id:%s
%s--%s,
id:%s, %s
GeePlayerIS.ini
HKEY_CURRENT_USER$$$$PPStream.FDS$$$$net
HKEY_CURRENT_USER$$$$PPStream.FDS$$$$province
HKEY_CURRENT_USER$$$$PPStream.FDS$$$$city
HKEY_CURRENT_USER$$$$PPStream.FDS$$$$country
HKEY_CURRENT_USER$$$$PPStream.FDS$$$$area
hXXp://update.ppstream.com.iqiyi.com
hXXp://update.pps.tv.iqiyi.com
hXXp://dl.static.iqiyi.com
usehttp
httplinkfull
httplink
CrashReport
geeplayer.ini
shXXp://msgp.71.am/p
xml url = %s,
[QyUpdate.exe]
strHttpLink = %s
[QyUpdate.exe]httplinkfull
%s,%s
AEE5851B-96A7-4F3A-8C04-D2CAE21C8003
notify GeePlayer.exe
write update info in GpUpdate.ini
run setup.exe now
qserr.dat
domain%d->%s
GpUpdatePrintLog.xml
product/GpUpdate/GpUpdate.xml
product/GpUpdate/GpUpdate_Debug.xml
GpUpdate.xml
GpUpdate_Debug.xml
Qylogger.dll
ppslog_%d-%d-%d.log
e\StringFileInfo\xx\%s
kernel32.dll
D\ClientID.dll
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_LOCAL_MACHINE
https
Content-Length: %d
Host: %s:%d
HTTP/1.1
move %s to %s %s
delete old file %s failed, errcode = %d
delete old file %s successed
*.old
IsRandomFire: ClientID[%s] dwRandom[%d] dwPercent[%d] dwSeed[%d]
CreateMultiDirectory %s %s
DeleteAndCheck %s %s
%s\%s
Rollback %s to %s %s
compare %s file md5 %s with md5 %s %s
%s still exist or %s not exist
move %s to %s failed
move %s to %s success
%s/bin/%s.zip
replace count %d success
replace: parse %s failed return
%s has no update.pre.xml return
%s/update.pre.xml
replace: path %s has not GpUpdate dir return
%s\GpUpdate
download file %s to file %s %s
download config file url %s
hXXp://dl.static.iqiyi.com/product/GpUpdate/upcfg.xml
UnZipOneFile %s to path %s failed return
%d times download %d file
Save Prepare xml %s failed
CheckAndDownloadModulesByList %d files need update, use time:%d
ParseUpdateModuleList %s failed
%s\bin
download xml %s to path %s failed
%s/update.xml
%s\update.xml
HKEY_LOCAL_MACHINE$$$$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\GeePlayer.exe$$$$
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
mscoree.dll
WUSER32.DLL
C:\Users\"%CurrentUserName%"\AppData\Roaming\IQIYI Video\GeePlayer
C:\%original file name%.exe
3.0.1.55


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wtmps.exe:1672
    mscaps.exe:3104
    @AE224E.tmp.exe:3432
    launch.exe:3792
    WdExt.exe:1472

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\mscaps.exe (26272 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\3D5D.tmp (406 bytes)
    C:\Windows\System32\wtime32.dll (27976 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Se29A0.tmp (1792 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\mydll.dll (1489 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm0.bat (127 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Temp\adm1.bat (192 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Sp299F.tmp (1396 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp29A1.tmp (907 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe (229958 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2847.tmp (432058 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Common\Shared\dis.dll (10077 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Identities\"%CurrentUserName%"\arc.dll (103749 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2DE4.tmp (26548 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\wtmps.exe (31581 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2DA4.tmp (200332 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2DC4.tmp (48916 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E25.tmp (18508 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Shared\Modules\fil.dll (10805 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Defender\launch.exe (18077 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Caches\Files\usd.dll (7933 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E66.tmp (55476 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E14.tmp (28924 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E35.tmp (21164 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Repairs\sha.dll (7589 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp2E56.tmp (36444 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Addins\att.dll (18829 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender Extension" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Defender\launch.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
