Gen.Variant.Strictor.121831_3d97790b1c
Gen:Variant.Strictor.121831 (B) (Emsisoft), Gen:Variant.Strictor.121831 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
This description was automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 3d97790b1cf6e75b267fc279aba46069
SHA1: ed0cec99a8101b93ec017a4889a77b2e959a88d4
SHA256: 7c5f68c1ef0ed1b3b029b57f162985c14a34decfec00fae210d1a46ffba908d2
SSDeep: 49152:7Nk/yvgAbrR7kPOwuOrjfG7BbePGOnArDTiB1XnSa:hkUgAtkPlXG7BqPqDTuZnSa
Size: 1976424 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: MediaGet LLC
Created at: 2017-02-08 16:14:18
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-PSW: a Trojan program intended for stealing users' passwords.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2928
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0GWTUJW6.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H2GS2F82.txt (301 bytes)
C:\UPDATA.dll (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\C4UNTEDQ.txt (447 bytes)
C:\PCOMM.DLL (82 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0GWTUJW6.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H2GS2F82.txt (0 bytes)
Registry activity
The process %original file name%.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\3d97790b1cf6e75b267fc279aba46069_RASMANCS]
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| bedfff9a8296392992a458d03ba69e08 | c:\PCOMM.DLL |
| 4c853c2dd8c43005149f20c7797a57ce | c:\UPDATA.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: JMD?????V2.9.6
Product Name: ???(JMD)?????
Product Version: 2.9.6.8
Legal Copyright: ??: ???????????????????,????????????????????,?????????????,?????????????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.9.6.8
File Description: ?????
Comments: JMD?????
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 4120576 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 4124672 | 1966080 | 1964544 | 5.50853 | 7babfebbe15004126f4bba2bd24b9a77 |
| .rsrc | 6090752 | 12288 | 9728 | 3.68427 | 1c335228c3040b8f25c61e1cb207824c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.a.shifen.com/ | |
| hxxp://www.baidu.com/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
User-Agent: test
Host: VVV.baidu.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 20 Feb 2017 12:12:57 GMT
Content-Type: text/html
Content-Length: 14613
Last-Modified: Thu, 16 Feb 2017 03:07:00 GMT
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=CB5A39094238AC99E3247ADA8B953CD6:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=CB5A39094238AC99E3247ADA8B953CD6; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1487592777; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Cache-control: no-cache
Accept-Ranges: bytes
The Trojan connects to the servers at the following location(s):
could not empty working set for process #%d
USAGE: empty.exe {pid | task-name}AdjustTokenPrivileges failed with %d
LookupPrivilegeValue failed with %d
OpenProcessToken failed with %d
empty.pdb
msvcrt.dll
ADVAPI32.dll
CloseWindowStation
SetProcessWindowStation
OpenWindowStationA
EnumWindowStationsA
ntdll.dll
OLEAUT32.dll
?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}\\.\COM
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};window.location.reload()
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}{557CF401-1A04-11D3-9A73-0000F81EF32E}{557CF402-1A04-11D3-9A73-0000F81EF32E}{557CF405-1A04-11D3-9A73-0000F81EF32E}{557CF406-1A04-11D3-9A73-0000F81EF32E}WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
2016:08:04 18:08:10
-6k}k
o.Sl@
.ou&j
r.umV
h.XhtR|
PfBCMd![p
.iKVy
.WcGV
LN->kEy
^u.wY'
)Y$}u.wR
mSgQ
<\*5Q.Uh
]EÞh`
1999-2003
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
CCmdTarget
MSH_SCROLL_LINES_MSG
MSWHEEL_ROLLMSG
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
VVV.dywt.com.cn
hXXp://VVV.baidu.com
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
code %d bits %d->%d
gen_codes: max_code %d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
%d%d%d
rundll32.exe shell32.dll,
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
c:\%original file name%.exe
GetWindowsDirectoryA
WinExec
GetProcessHeap
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
CreateDialogIndirectParamA
UnregisterHotKey
RegisterHotKey
EnumChildWindows
GetKeyState
InternetCrackUrlA
InternetCanonicalizeUrlA
%fpoj
i-%c/-Q
KERNEL32.DLL
mscoree.dll
*%$#"! '&):(91/638
2, 7, 0, 0
10080216
5.2.3790.0 built by: dnsrv_dev(v-smgum)
empty.exe
Windows
Operating System
5.2.3790.0
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0GWTUJW6.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\H2GS2F82.txt (301 bytes)
C:\UPDATA.dll (24 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\C4UNTEDQ.txt (447 bytes)
C:\PCOMM.DLL (82 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.