Trojan-Banker.Win32.Brasil_e39e326b24

by malwarelabrobot on June 2nd, 2017 in Malware Descriptions.

not-a-virus:RiskTool.Win32.HideExec.bc (Kaspersky), Tool-CHP (McAfee), Trojan.Inject2 (Ikarus), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, VirTool, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: e39e326b24a15e970f6999b9d90e94bb
SHA1: 38de66aa458554258b8af72e90b9862673cc0f93
SHA256: 734600e93985130e69e2326bb3d93eb431b1b7fa9fdd4d94df95d75751a5035b
SSDeep: 393216:Hw5wf k0VOkvMLz5E8GtfViJI8FbYJjKLeKuJ/VtybRwjAikXFxCan6tKr:Q5wGGkELlPG5sjbYcglyV3ikf/nVr
Size: 20642559 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-08-14 22:15:49
Analyzed on: Windows7 SP1 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan-Banker's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan-Banker creates the following process(es):

%original file name%.exe:3436

The Trojan-Banker injects its code into the following process(es):

autorun.exe:3496

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3436 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp.cbp (785 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp.exe (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\autorun.inf (82 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CNic.exe (36 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\off_all_nic.cmd (198 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\install_2.bat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\el_path.txt (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp_private.h (606 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\Makefile (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp.dev (914 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\el (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\main.c (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\list_str_del (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\pre_x64.bat (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\Hotspot_Shield_logo.png (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\read_att_hss-update.cmd (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\install_1.bat (783 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\depatch_hosts.cmd.vbs.exe (3337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\logo.png (65 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\depatch_hosts.cmd (398 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\Makefile.win (912 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\start_services.bat (321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\pre.bat (100 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\del_el.bat (332 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\del_temp.bat (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\stop_services.bat (428 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp.layout (300 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\autorun.aru (905 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp_private.rc (779 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\del_tails.bat (398 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\HotspotShield-6.7.2.exe (9857 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\autorun.ico (1436 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\uninstalltool-3.5.1-portable.exe (7162 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\start_hss.bat (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp_private.res (888 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\hosts_patch.cmd (469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\on_all_nic.cmd (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\autorun.exe (43158 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\el_attib.cmd (641 bytes)

The Trojan-Banker deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_340316 (0 bytes)

Registry activity

The process %original file name%.exe:3436 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan-Banker deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
ffe0919faa55bee411173aa4f095ce2c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CNic.exe
1691a8b6e33eeb92d300e31dff6c827f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\HotspotShield-6.7.2.exe
828e50b880e077e5028592b90c47f0b3 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\autorun.exe
aea383d349b7d5ab52fe0b969849a545 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp.exe
7235a35830f32f96b0a17aa3fa3892bf c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\depatch_hosts.cmd.vbs.exe
14188495617d16f139174ed6d5b2fbef c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\uninstalltool-3.5.1-portable.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan-Banker's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             188392        188416    4.65119  2ae181684b1677561119f5765623448e
.rdata  192512           39376         39424     3.57169  0e0f6a60d8fa917a060c8ef7becc0888
.data   233472           129208        3072      2.28424  4e4aa728d9cced1622c2be27733e3fc5
.gfids  364544           240           512       1.47202  c923099e27bf0e45a5c402d935d0620b
.rsrc   368640           144412        144896    4.41128  c2122c241f4473b1c298b5296ef130c9
.reloc  516096           8076          8192      4.59547  d13d3f8a8adfe6861c49a01d81cf73ed


URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan-Banker connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3436

  2. Delete the original Trojan-Banker file.
  3. Delete or disinfect the following files created/modified by the Trojan-Banker:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp.cbp (785 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp.exe (7 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\autorun.inf (82 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\CNic.exe (36 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\off_all_nic.cmd (198 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\install_2.bat (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\el_path.txt (262 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp_private.h (606 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\Makefile (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp.dev (914 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\main.c (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\list_str_del (12 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\pre_x64.bat (98 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\Hotspot_Shield_logo.png (44 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\read_att_hss-update.cmd (288 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\install_1.bat (783 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\depatch_hosts.cmd.vbs.exe (3337 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\logo.png (65 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\Makefile.win (912 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\start_services.bat (321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\pre.bat (100 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\del_el.bat (332 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\del_temp.bat (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\stop_services.bat (428 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp.layout (300 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\autorun.aru (905 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp_private.rc (779 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\del_tails.bat (398 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\HotspotShield-6.7.2.exe (9857 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\autorun.ico (1436 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\uninstalltool-3.5.1-portable.exe (7162 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\start_hss.bat (102 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\chp_private.res (888 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\hosts_patch.cmd (469 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\on_all_nic.cmd (196 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\autorun.exe (43158 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\el_attib.cmd (641 bytes)

  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
