Gen.Variant.Zusy.196324_203d656650
Gen:Variant.Zusy.196324 (BitDefender), Trojan:Win32/Tonmye.gen!A (Microsoft), not-a-virus:HEUR:AdWare.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader21.64766 (DrWeb), Gen:Variant.Zusy.196324 (B) (Emsisoft), GenericRXAB-VB!203D656650E4 (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan.Win32.Tonmye (Ikarus), Gen:Variant.Zusy.196324 (FSecure), Atros3.BGDN (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R02LC0DEA17 (TrendMicro), Gen:Variant.Zusy.196324 (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Adware, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 203d656650e4678f8837c464d1d5ce14
SHA1: cec4efc632589300cdbe4fd11287a1aff7ccf01d
SHA256: 7502f9f2f2a89e68a553079be5767ba04cbe4ff1978ca7a5c030893c1ec8f01d
SSDeep: 49152:J/kWBrDcNtpq7ZdiFxoDaErqEjcySkY7qIaMvbdfV77CXvQ2WvzkUJIk6dA:xkWBrDIyZdiFxoeyFVour6bdf5mYPgAr
Size: 2615360 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2016-06-05 14:06:35
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1956
The Trojan injects its code into the following process(es):
生活助手.exe:2788
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ldsajdklsajdlkjsalkda (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ldsajdklsajdlkjsalkda.bat (785 bytes)
%Program Files%\LifeAide\生活助手.exe (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1616689266.exe (9 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\4721555083\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\4721555083\TemporaryFile\TemporaryFile (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\4721555083 (0 bytes)
The process 生活助手.exe:2788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ip138_com[1].htm (2162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ic[1].htm (219 bytes)
%Program Files%\LifeAide\LifeAide.ini (132 bytes)
Registry activity
The process %original file name%.exe:1956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\203d656650e4678f8837c464d1d5ce14_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\203d656650e4678f8837c464d1d5ce14_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\203d656650e4678f8837c464d1d5ce14_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\203d656650e4678f8837c464d1d5ce14_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\203d656650e4678f8837c464d1d5ce14_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\203d656650e4678f8837c464d1d5ce14_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\203d656650e4678f8837c464d1d5ce14_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\203d656650e4678f8837c464d1d5ce14_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\203d656650e4678f8837c464d1d5ce14_RASAPI32]
"MaxFileSize" = "1048576"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process 生活助手.exe:2788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\生活助手_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\生活助手_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\生活助手_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\生活助手_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\生活助手_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\生活助手_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\生活助手_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| dc0dad0a6916ab09261fa9724c2316bb | c:\Program Files\LifeAide\生活助手.exe |
| a2e75df4044dfea2e5d8d2c0a6b15be8 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\1616689266.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: LifeAide Install Setup
Product Version: 5.6.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.6.0.0
File Description: LifeAide Install Setup
Comments: LifeAide Install Setup
Language: Indonesian (Indonesia)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 875901 | 876032 | 4.49609 | 06cfadb814aa233cbeaf9df127594884 |
| .rdata | 880640 | 1637982 | 1638400 | 5.49244 | 96fcd383801be9ab8b12881acb3ac4b3 |
| .data | 2519040 | 146184 | 69632 | 3.93249 | 41fdb6314978e3b89059229bdf420601 |
| .rsrc | 2666496 | 29740 | 30208 | 2.98446 | fba9d458853a3acecf4f6357020c42e2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://yd.ecoma.ourwebpic.com/ | |
| hxxp://1212.ip138.com/ic.asp | |
| hxxp://tianqi.2345.com/t/tq_common_json/.json | |
| hxxp://hao.360.cn/?src=lm&ls=n6abbbb598c | |
| hxxp://www.ip138.com/ | |
| xz.hebchengjiu.com | |
| tb.hebchengjiu.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
Traffic
GET /t/tq_common_json/.json HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://tianqi.2345.com/t/tq_common_json/.json
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: tianqi.2345.com
Cache-Control: no-cache
HTTP/1.1 404 Not Found
Last-Modified: Tue, 30 Aug 2016 09:23:59 GMT
ETag: "4324-53b468a6249c0"
Accept-Ranges: bytes
Vary: Accept-Encoding
P3P: CP=CAO PSA OUR
Content-Type: text/html; charset=gbk
Transfer-Encoding: chunked
Date: Mon, 22 May 2017 04:11:09 GMT
Age: 0
Connection: keep-alive
x-hits: 0004324..<!DOCTYPE html>.<html>.<head>. <meta htt
p-equiv="Content-Type" content="text/html; charset=gbk" />. <me
ta content="IE=edge, chrome=1" http-equiv="X-UA-Compatible">. <
!--[if lt IE 7]><html class="ie6"><![endif]-->. <!-
-[if IE 7]><html class="ie7"><![endif]-->. <!--[if
IE 8]><html class="ie8"><![endif]-->. <!--[if gte I
E 9]><html class="ie9"><![endif]-->. <title>404
- 2345........</title>. <meta content="" name="description"&
gt;. <meta content="" name="keywords">. <link rel="shortcut
icon" href="/favicon.ico" type="image/x-icon" />. <link href="
/theme2/css/global2_v20160329150419.css" rel="stylesheet" type="text/c
ss">. <link href="/theme2/css/wea_404.css" rel="stylesheet" typ
e="text/css">. <script src="/js/jquery.js" type="text/javascrip
t"></script>. <script src="/js/common2_v20160830163921.js
" type="text/javascript"></script>. <script src="/js/city
SelectData.js" type="text/javascript"></script>. <script
src="/js/jquery-ui-autocomplete.custom.js" type="text/javascript">&
lt;/script>. <script defer="defer" id="defaultCity" type="text/
javascript"></script>. <script>. var pageType = 'loca
l';. </script>.</head>..<body id="header" onload="jump
(5);">. <div class="stretch-wrap">. <div class="stretc
h-bg"></div>. </div>.<!-- <script type="text<<< skipped >>>
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.ip138.com/
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.ip138.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 21 May 2017 10:18:38 GMT
Content-Length: 19584
Content-Type: text/html
Content-Location: hXXp://VVV.ip138.com/index.htm
Last-Modified: Wed, 03 May 2017 04:41:24 GMT
Accept-Ranges: bytes
ETag: "9adfa85c7c3d21:15fdd"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 64348
X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)
Connection: keep-alive<!DOCTYPE html>..<html>...<head>....<meta charset
="gb2312">....<meta name="mobile-agent" content="format=html5; u
rl=hXXp://m.ip138.com/">....<title>IP........--..............
.... | ............ | ............ | ........................</titl
e>....<meta name="keywords" content="ip,IP....,IP........,ip138"
/>....<meta name="description" content="ip,IP....,IP........,ip1
38"/>....<script type="text/javascript">.....<!--......if(
window.top!=window.self)window.top.location.href='hXXp://VVV.ip138.com
/';.....//-->....</script>....<style type="text/css">..
. ..html{color:#000;background:#FFF}body,div,dl,dt,dd,ul,ol,li,h1,h3,h
3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,t
h,td{margin:0;padding:0}table{border-collapse:collapse;border-spacing:
0}fieldset,img{border:0}address,caption,cite,code,dfn,em,strong,th,var
{font-style:normal;font-weight:normal}ol,ul{list-style:none}caption,th
{text-align:left}h1,h3,h3,h4,h5,h6{font-size:100%;}q:before,q:after{co
ntent:''}abbr,acronym{border:0;font-variant:normal}sup{vertical-align:
text-top}sub{vertical-align:text-bottom}input,textarea,select{font-fam
ily:inherit;font-size:inherit;font-weight:inherit;*font-size:100%}lege
nd{color:#000}.....html{height:100%;}.....body{height: 100%;font-size:
14px;}.....table{table-layout:fixed;border-collapse: collapse;border-
spacing: 0;margin: 0 auto;}.....input,button{font-family: Tahoma,Arial
, Helvetica,"Microsoft Yahei";}.....a{color: #1c5f82;text-decorati<<< skipped >>>
GET /?src=lm&ls=n6abbbb598c HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: hao.360.cn
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: nginx
Date: Mon, 22 May 2017 04:12:02 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 68
Connection: keep-alive
Location: hXXps://hao.360.cn/?src=lm&ls=n6abbbb598c
X-Powered-By: golang<a href="hXXps://hao.360.cn/?src=lm&ls=n6abbbb598c">Found<
;/a>.....
GET /ic.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://1212.ip138.com/ic.asp
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 1212.ip138.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 22 May 2017 04:16:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 219
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQTTARBQ=OIBEDJCBGDKJKBAFINHDOBCG; path=/
Cache-control: private<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P....[194.242.96.218] ............</center></body></htm
l>HTTP/1.1 200 OK..Date: Mon, 22 May 2017 04:16:41 GMT..Server: Mic
rosoft-IIS/6.0..X-Powered-By: ASP.NET..Content-Length: 219..Content-Ty
pe: text/html..Set-Cookie: ASPSESSIONIDQQTTARBQ=OIBEDJCBGDKJKBAFINHDOB
CG; path=/..Cache-control: private..<html>..<head>..<me
ta http-equiv="content-type" content="text/html; charset=gb2312">..
<title> ....IP.... </title>..</head>..<body style
="margin:0px"><center>....IP....[194.242.96.218] ............
</center></body></html>..
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t$(SSh
|$D.tm
~%UVW
u$SShe
Cv?lCv=kAv.SCv
shlwapi.dll
URLMON.DLL
shell32.dll
kernel32.dll
advapi32.dll
user32.dll
ole32.dll
WinINet.dll
wininet.dll
Advapi32.dll
ntdll.dll
NTDLL.DLL
psapi.dll
URLDownloadToFileA
ShellExecuteA
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
RegCreateKeyA
RegEnumKeyA
RegCloseKey
GetProcessHeap
RegOpenKeyA
InternetOpenUrlA
{15EB1853-EE4C-468f-BAA5-63D186FDB911}{A068799B-7551-46b9-8CA8-EEF8357AFEA4}-2}$j%fk
VOl|.Lx
NV.aL
H_9%x8
h:\O71
-pQ}w(PI
e.Zl^
n_%X^
}_.me
%f%JC
.jB8)/
J!%%f
%U-%!t
.LPxf
6U.NA
a>%x'
k4%%c
9W>.jU
F.Pa#
0.gR2
|#[}2 3&'
.viBbN
/=O%%S{7MSgv.
Au%f\
}..Vy0S1M3
533333333
Hj%dP
58*`$[0&
/4%Uz
.ES/j:
.jr;WwvF^4
|'%9u
o%d'9
CmdA2Q
_v=.bfjk
l>.Ei
}%uYI
=M<.nL
"þe
s.hf#
1<N.Gh
Q3.sw
.ehPJA<CZ
h.PBU8
.gJ=KRbG
{;.SdR-5id}
{Q%c#%X_]Y
^:p%X
k]%DR
%1%x.
@6-d}S
.Ey>qC
.Ck s
*&D%c
a?.VV
.zpjy
[I.pDR
!.fl{VR.DRm
`pj.Cip
bVH.YW9o
B..WW
M3.sM}<
%Uz[i45
(,%Cl
hH.aoX
B#.VT|
S<.Go
{/m)%flC%X1
3?Zh2.UU[
*e.aC7
9sG8%s#
5BU.rY
I;4.ns7
\.wTj
Y%S6;/
i%f=o
.WTL`
7 .cn
.djZ9/
}uRl
P2$!{$%dTaB.RLe
7S,.qND
.uj&Qh)
.jHI$%
h/e.SD"
'\.VQ
W %xI
%Co&;
-Xs}W
-Vm}N
.pO d
%UV N`
Ks.cB
i%.x
jN.Jfe
,& 60%7/
CrTg
h.cv2uv6u2
9BHU..UH
2~&.HU
IT.BTn
h h%C
fzp%x[
%D)Yk
~$*tL]
;).Ge
91&>=6=> >
.stMgi
aMsg
/-d.gNc
.8'2'> 9=5
%ucfov
q!.qF}
:_.UK
^T^Q%U
O%S&Vv"4
,.kitYtyt
$.eVr!!
t%SO?
j%F:wS
W.QoWH
O.dKst
pwEA)*%Xr
ud%UI
\r.Ve]/x&
/-*-)).JD
,oSF%D
%x;|o
q).Fy
pj.AX
>kk%X
]-Y)X%X#
q\%fr8
3;-35*-'%)/
;%sIldL
.mNmJh
zSql
;4&:*2"|
:Q.Av:%$
.jj{E.wmcU
SHELL32.dll
MSVCRT.dll
KERNEL32.dll
USER32.dll
program internal error number is %d.
@http=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
hXXps://
AHTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
Adodb.Stream
AA,C5,2C*.lnk
*.url
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
?#%X.y
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
USER32.DLL
operator
WinExec
GetKeyState
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegOpenKeyExA
ADVAPI32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
GetCPInfo
GetConsoleOutputCP
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
Shell32.dll
Mpr.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
%s%s%s
LOCK CMPXCHG8B may crash some processors when executed
Win95/98 may crash when VxD call is executed in user mode
Win95/98 may crash when NOT ESP is executed
Win95/98 may crash when NEG ESP is executed
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
<assemblyIdentity type="win32" name="xxx" version="1.0.0.0" />
<!-- Windows XP style common controls -->
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<!-- Windows feature settings -->
<windowsSettings xmlns:ws="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</windowsSettings>
<!-- Supported OS versions -->
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" /><!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" /><!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" /><!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />1.0.0.0
(hXXp://VVV.dywt.com.cn)
mscoree.dll
KERNEL32.DLL
5.6.0.0
生活助手.exe_2788:
.text
`.rdata
@.data
.rsrc
f9z.vk
GetProcessHeap
KERNEL32.dll
GdipSetStringFormatHotkeyPrefix
gdiplus.dll
MsgWaitForMultipleObjects
ExitWindowsEx
GetAsyncKeyState
USER32.dll
ole32.dll
OLEAUT32.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
GDI32.dll
ShellExecuteA
SHELL32.dll
WINMM.dll
IMM32.dll
SHLWAPI.dll
URLDownloadToFileA
urlmon.dll
MSVCRT.dll
@V.Dv
.UmKm
4v %u
oft.XMLDOMnY
\dwmapi.dll
A715A0-6587-11D0-924A_20AFC7/
Leave.CoIn@alize
number is %d.
:"%s"
..0`%X
KERNEL32.DLL
ADVAPI32.dll
ATL.DLL
exdui.dll
<!-- "@"
<!-- "@":1.
<!-- "#":
<Method Index="6" Name="crText" Type="@3#"/>
<Method Index="5" Name="crText" Type="@3#"/>
<Method Index="45" Name="PasswordChar" Type="@11#"/>
<Method Index="53" Name="crText" Type="@3#"/>
<Method Index="54" Name="crTextSel" Type="@3#"/>
<Method Index="14" Name="crText" Type="@3#"/>
t=.VMV
%%fnW
,7Z.in
k`%u"]
!! ! !!!!#
]'z%c
2r]i=.dl&@
.mokC6
%ue!U
.%"w.Om
fQ.iN
D%xc3f
}.KGcx
eYJ)%f
%%xm3
%ck6iMy
aV.JI~)
:l.CfZ'
CFTP
\)%U&
^[! 5871
s.QC?
r9g.Uj
pasSKK4
5.IDATx
.xGG'
cMdX
.OMN(m
E-.BC B
k%C~4
w%d,a
)Œa
:::.hmm
s.Rq6
.XbIy
y.ZW\
g.kh~_
%fhru4r
cRtW
At.tm.MN]O
.XpZSKK
cY.RF
hE5G
5-Z}z
=.Ui`
o!Øl
}e"%X
((%DQ(Y
;.iln^
].tRR
c23%-1}_
#n.Vn
viTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:20239c19-4804-2242-ad64-b88646a1eb40" xmpMM:DocumentID="xmp.did:E50907BCCEDF11E4AFA98F25D86EC42D" xmpMM:InstanceID="xmp.iid:E50907BBCEDF11E4AFA98F25D86EC42D" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:20239c19-4804-2242-ad64-b88646a1eb40" stRef:documentID="xmp.did:20239c19-4804-2242-ad64-b88646a1eb40"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>Y;
iTXtXML:com.adobe.xmp
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
<xmp:CreatorTool>Adobe Photoshop CC 2014 (Windows)</xmp:CreatorTool>
<xmpMM:InstanceID>xmp.iid:f2f7b4c6-dbb6-f049-b899-6686161143cd</xmpMM:InstanceID>
<xmpMM:DocumentID>xmp.did:4c773a9b-7260-7548-9e25-7cb4950b0350</xmpMM:DocumentID>
<xmpMM:OriginalDocumentID>xmp.did:4c773a9b-7260-7548-9e25-7cb4950b0350</xmpMM:OriginalDocumentID>
<stEvt:instanceID>xmp.iid:4c773a9b-7260-7548-9e25-7cb4950b0350</stEvt:instanceID>
<stEvt:softwareAgent>Adobe Photoshop CC 2014 (Windows)</stEvt:softwareAgent>
<stEvt:instanceID>xmp.iid:f2f7b4c6-dbb6-f049-b899-6686161143cd</stEvt:instanceID>
<xmpMM:InstanceID>xmp.iid:a376de18-c870-5a47-bf36-1f448caa6246</xmpMM:InstanceID>
<xmpMM:DocumentID>xmp.did:a376de18-c870-5a47-bf36-1f448caa6246</xmpMM:DocumentID>
<xmpMM:OriginalDocumentID>xmp.did:a376de18-c870-5a47-bf36-1f448caa6246</xmpMM:OriginalDocumentID>
<stEvt:instanceID>xmp.iid:a376de18-c870-5a47-bf36-1f448caa6246</stEvt:instanceID>
<xmp:CreatorTool>Adobe Photoshop CC 2015 (Windows)</xmp:CreatorTool>
<xmpMM:InstanceID>xmp.iid:7d33a592-9f08-b541-af88-e765345a753a</xmpMM:InstanceID>
<stEvt:instanceID>xmp.iid:7d33a592-9f08-b541-af88-e765345a753a</stEvt:instanceID>
<stEvt:softwareAgent>Adobe Photoshop CC 2015 (Windows)</stEvt:softwareAgent>
png\LifeAide.ini
%f%%f
7".Fv
>.OsM
r.vDO
hXXp://VVV.ip138.com/
http=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
hXXps://
AHTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
Adodb.Stream
\LifeAide.lnk
.json
hXXp://tianqi.2345.com/t/tq_common_json/
.shortWea
.tempLow
.tempHigh
","pinyin":"keyouqianqi","py":"k","id":"71248"},{"zhongwen":"!"*&0&9&5"4
$$'. 5 *
#!&)'3)1#$
"$')'*""
"& 0 9 :
)&6(;$= @
,'2624&-
('2;6:*-(#034=03"&
*#0/05**
\notepad.exe
\calc.exe
WinHttp.WinHttpRequest.5.1
hXXp://VVV.baidu.com/
wshom.ocx
WindowStyle
Hotkey
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
?kernel32.dll
Report
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}Microsoft.XMLDOM
themepassword
.objtype
SysShadow.HostWnd
SysShadow.SubWnd
SysShadow.Menu
var SY = now.getFullYear();
var SM = now.getMonth();
var SD = now.getDate();
.year .month .day .isLeap .yearCyl .dayCyl .monCyl
this.dayCyl = offset 40
this.monCyl = 14
this.monCyl = 12
this.monCyl -= 12
this.year = i
this.yearCyl = i-1864
this.isLeap = false
if(leap>0 && i==(leap 1) && this.isLeap==false)
{ --i; this.isLeap = true; temp = leapDays(this.year); }{ temp = monthDays(this.year, i); }if(this.isLeap==true && i==(leap 1)) this.isLeap = false
if(this.isLeap == false) this.monCyl
if(this.isLeap)
{ this.isLeap = false; }{ this.isLeap = true; --i; --this.monCyl;}if(offset<0){ offset = temp; --i; --this.monCyl; }this.month = i
this.day = offset 1
return(day[now.getDay()]);
default:s = nStr2[Math.floor(d/10)]; s = nStr1[d];
return(lDObj.year '
' cDay(lDObj.month,lDObj.day));
var tt = cyclical(lDObj.year-1900 36) '
' cyclical(lDObj.monCyl) '
' cyclical(lDObj.dayCyl ) '
' cDay(lDObj.month,lDObj.day);
var tt = cyclical(lDObj.year-1900 36);
return(lDObj.year);
return(lDObj.month);
return(lDObj.day);
var tt = cDay(lDObj.month,lDObj.day);
tmp1 = new Date((31556925974.7*(Y-1900) sTermInfo[M*2 1]*60000) Date.UTC(1900,0,6,2,5))
tmp2 = tmp1.getUTCDate()
tmp1 = new Date((31556925974.7*(Y-1900) sTermInfo[M*2]*60000) Date.UTC(1900,0,6,2,5))
tmp2= tmp1.getUTCDate()
(%S)%M%D %y-%mm-Ý
shell32.dll
GdiPlus.dll
Kernel32.dll
user32.dll
Ole32.dll
OleAut32.dll
WinINet.dll
wininet.dll
gdi32.dll
winmm.dll
imm32.dll
shlwapi.dll
URLMON.DLL
Wininet.dll
ntdll.dll
Gdi32.dll
User32.dll
RegisterHotKey
UnregisterHotKey
program internal error number is %d.
:"%s".
...4.887.887O44
;==.EIA!!$!$(4$
<assemblyIdentity type="win32" name="xxx" version="1.0.0.0" />
<!-- Windows XP style common controls -->
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<!-- Windows feature settings -->
<windowsSettings xmlns:ws="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</windowsSettings>
<!-- Supported OS versions -->
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" /><!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" /><!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" /><!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />1.0.15.507
3/'0788<4<34';0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\Voices\Tokens\VW Lily
# ?543*&
##;''/33///#; 73/ 8
;7/# 7 $,3 / 3
</D08FG9^I,JCR%DTMdFFNN^WOWg77/7G/G7
'$047(#.,
1.5.0.0
生活助手.exe_2788_rwx_00340000_00036000:
.rsrc
f9z.vk
@Microsoft.XMLDOM
dwmapi.dll
Riched20.dll
Riched32.dll
{00000000-0000-0000-C000-000000000046}{34A715A0-6587-11D0-924A-0020AFC7AC4D}kernel32.dll
ole32.dll
gdiplus.dll
GdiPlus.dll
gdi32.dll
user32.dll
Advapi32.dll
advapi32.dll
User32.dll
ntdll.dll
Ole32.dll
shell32.dll
atl.dll
program internal error number is %d.
:"%s"
:"%s".
GetProcessHeap
&..0`%X
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ADVAPI32.dll
ATL.DLL
GDI32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
exdui.dll
1.0.15.507
生活助手.exe_2788_rwx_01960000_00013000:
.text
`.rdata
@.data
.rsrc
@.reloc
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
<fd:%d>
%c%c%c%c%c%c%c%c%c%c
MSVCRT.dll
KERNEL32.dll
zlib1.dll
!"#$%&'()* ,-./012
DLL support by Alessandro Iacopetti & Gilles Vollant
iexplore.exe_3188:
.text
`.data
.rsrc
@.reloc
Bv.TBv
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
iexplore.exe_2616:
.text
`.data
.rsrc
@.reloc
Bv.TBv
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
iexplore.exe_3420:
explorer.exe_3060:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1956
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ldsajdklsajdlkjsalkda (32 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ldsajdklsajdlkjsalkda.bat (785 bytes)
%Program Files%\LifeAide\Éú»îÖúÊÖ.exe (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1616689266.exe (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ip138_com[1].htm (2162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ic[1].htm (219 bytes)
%Program Files%\LifeAide\LifeAide.ini (132 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.