Trojan.NSIS.StartPage_5dacb36aaa

by malwarelabrobot on April 14th, 2017 in Malware Descriptions.

Trojan.Win32.Vobfus.aswk (Kaspersky), Artemis!6FF386BD2408 (McAfee), Trojan.Win32.Vobfus (Ikarus), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5dacb36aaaf6f99154625853a9381a64
SHA1: 4438f2d2859acc45041544329a463078cefcd113
SHA256: cd3bb7913c2f57f0f332e7dc9f7f2edbefe8688b3b2d11823f6ab9a85f6651fe
SSDeep: 49152:46S835UrdMFUNxPMkUKqVZN50HEFh6ZJ+0JHSgYGYGz4oz676Ur6:Fr+dMFUNx9s9/UlfYGYG1uvr6
Size: 2829514 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Uniblue Systems Limited
Created at: 2007-05-05 15:23:36
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

For context: the dropped s2exe.exe identifies itself in its memory strings as scratch2exe.exe, is built on the AAuto scripting runtime (ecranesoft.com) and instantiates the ShockwaveFlash.ShockwaveFlash control. Together with the dropped .sb project file and the request for the Scratch locale list, the recorded behaviour is consistent with a Scratch project packaged as a stand-alone executable by Scratch2EXE. That is context for the vendor detections listed in the header, not a clean bill: the sandbox observed no activity beyond the wrapper running its embedded project.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2444

The Trojan injects its code into the following process(es):

s2exe.exe:3768

s2exe.exe is the file the installer drops to %Temp%\scratch\ (see Dropped PE files below), and the installer's memory holds the command line used to start it with the Temp directory as its only argument. The entry therefore reflects the dropper launching its own dropped file rather than injection into a process that already existed.
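The process tree above (an installer in a user-writable location starting a freshly dropped executable out of %Temp%\scratch\ and passing it the Temp directory on the command line) is the pattern a detection engineer would want to catch. The following is an added example and not part of the report or any Lavasoft tooling: it scores process-creation events shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine). The events are constructed to mirror this report; the user name, the parent's path and the two benign events are assumptions made for the demonstration.

```python
"""Score process-creation events for "dropped EXE launched from Temp".

Added example, not part of the Lavasoft report. Events are dicts with the
Sysmon Event ID 1 fields used here; EVENTS is constructed, with the first
entry mirroring the report's process tree and the others invented as benign
contrast. TRUSTED_DIRS is an assumption about a standard Windows install."""
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Parents running from these directories are not treated as suspicious by themselves.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

EVENTS = [
    {   # mirrors the report: dropper in a user-writable path starts the dropped EXE
        "EventID": 1,
        "Image": r"C:\Users\alice\AppData\Local\Temp\scratch\s2exe.exe",
        "ParentImage": r"C:\Users\alice\Downloads\setup.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\scratch\s2exe.exe" '
                       r"C:\Users\alice\AppData\Local\Temp" + "\\",
    },
    {   # constructed benign event: service host start
        "EventID": 1,
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
    {   # constructed: user double-clicks a file sitting in Temp (noisy, below threshold)
        "EventID": 1,
        "Image": r"C:\Users\alice\AppData\Local\Temp\notes.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\notes.exe"',
    },
]


def is_trusted_location(image):
    """True when the image path starts with one of the trusted directories."""
    low = image.lower()
    return any(low.startswith(d) for d in TRUSTED_DIRS)


def split_command_line(cmdline):
    """Return (image_token, remaining_arguments), honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end != -1:
            return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, tail = cmdline.partition(" ")
    return head, tail.strip()


def score_event(ev):
    """Return (score, reasons). 2 points for running out of Temp, 1 for an
    untrusted parent, 1 for a Temp directory passed as an argument."""
    score, reasons = 0, []
    if TEMP_RE.search(ev["Image"]):
        score += 2
        reasons.append("image runs from a Temp directory")
    if not is_trusted_location(ev["ParentImage"]):
        score += 1
        reasons.append("parent is not in a trusted system or program directory")
    _, args = split_command_line(ev["CommandLine"])
    if TEMP_RE.search(args):
        score += 1
        reasons.append("a Temp directory is passed as an argument")
    return score, reasons


def detect(events, threshold=3):
    """Return the Event ID 1 records whose score reaches the threshold."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append(dict(ev, score=score, reasons=reasons))
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["Image"], hit["score"], "; ".join(hit["reasons"]))
```

The threshold is deliberately above "runs from Temp" alone, which fires on every self-extracting installer a user launches; it is the combination with an untrusted parent and the Temp path handed down as an argument that matches this report's tree. In the report itself the parent ran from the root of C:\, which the rule treats the same way as the Downloads path used here.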

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi3E87.tmp (96116 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe (31373 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ÂìÒϵ¼º½.sb (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\open.fnr (71670 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd3E67.tmp (0 bytes)

The process s2exe.exe:3768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 (1302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\crossdomain[1].htm (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar817F.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab816F.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\lang_list[1].txt (1977 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar817F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab816F.tmp (0 bytes)

Registry activity

The process s2exe.exe:3768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. Note that the Tracing\s2exe_RASAPI32 and Tracing\s2exe_RASMANCS keys are created by the RAS libraries for any process that loads them, and the Wpad, ZoneMap, Connections and MuiCache values are written by WinINet proxy auto-detection and by resource loading; none of the entries below is an autostart or other persistence location:

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "A0 2E B5 8F 68 B4 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASMANCS]
"EnableConsoleTracing" = "0"

"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "A0 2E B5 8F 68 B4 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASMANCS]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
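Every registry write in the section above belongs to one of a few well-known API side-effect families, and separating those from writes that matter is the first thing a triage analyst does with sandbox output. The following added example (not part of the report or any Lavasoft tooling) parses report-style registry blocks and sorts each write into a noise, review or suspicious tier. The SAMPLE_REPORT block is copied from the section above; the tiering rules and the Run-key block used to exercise the suspicious tier are constructed here.

```python
"""Tier the registry writes in a sandbox report: API side-effect noise,
entries worth a look, or autostart/persistence locations.

Added example, not part of the Lavasoft report. SAMPLE_REPORT is copied from
the report's registry section; CONSTRUCTED_PERSISTENCE is invented so the
suspicious tier is exercised; the tiering rules are the author's assumptions."""
import re

SAMPLE_REPORT = r'''
[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
'''

# Constructed, NOT from the report: a Run key, to show what the rules flag.
CONSTRUCTED_PERSISTENCE = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"updater" = "C:\Users\alice\AppData\Local\Temp\scratch\s2exe.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"(?:\s*=\s*"(.*)")?$')

# Keys that ordinary Windows APIs write for any process using them.
NOISE_RULES = [
    (re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Tracing\\[^\\]+_RAS(API32|MANCS)$", re.I),
     "RAS tracing keys created when rasapi32/rasman are first used"),
    (re.compile(r"\\Internet Settings\\Wpad(\\|$)", re.I),
     "WinHTTP/WinINet proxy auto-detection (WPAD) state"),
    (re.compile(r"\\Internet Settings\\ZoneMap$", re.I),
     "WinINet zone map refresh"),
    (re.compile(r"\\Internet Settings(\\Connections)?$", re.I),
     "WinINet connection settings refresh"),
    (re.compile(r"^HKCU\\Software\\Classes\\Local Settings\\MuiCache\\", re.I),
     "MUI cache populated when a module's resources are loaded"),
]
# Autostart and other persistence locations: never noise, whatever the value.
PERSISTENCE_RE = re.compile(
    r"\\(CurrentVersion\\Run(Once)?|CurrentVersion\\Winlogon|CurrentVersion\\Windows|"
    r"Image File Execution Options|CurrentControlSet\\Services)(\\|$)", re.I)
# Proxy values are a classic hijack target, so they get a human look even when
# the write merely disables the proxy, as in this report.
PROXY_VALUES = {"ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL"}


def parse_registry_section(text):
    """Return (key, value_name, data) for each value line under a [key] header.
    data is None when the report lists only the name (a deleted value)."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2)))
    return entries


def classify(key, name, data=None):
    """Return (tier, reason) for one registry write."""
    if PERSISTENCE_RE.search(key):
        return "suspicious", "autostart or persistence location"
    if name in PROXY_VALUES and key.lower().endswith("\\internet settings"):
        return "review", "proxy configuration touched; confirm it is not a hijack"
    for pattern, reason in NOISE_RULES:
        if pattern.search(key):
            return "noise", reason
    return "review", "uncategorized key"


def triage(text):
    """(key, name, tier, reason) for every write in a report-style block."""
    return [(k, n) + classify(k, n, d) for k, n, d in parse_registry_section(text)]


def tier_counts(text):
    counts = {"noise": 0, "review": 0, "suspicious": 0}
    for _, _, tier, _ in triage(text):
        counts[tier] += 1
    return counts


if __name__ == "__main__":
    for key, name, tier, reason in triage(SAMPLE_REPORT + CONSTRUCTED_PERSISTENCE):
        print(f"{tier:10} {key}\\{name}: {reason}")
```

Run over the report's own block the classifier leaves a single item for a human (ProxyEnable = 0) and everything else as noise; the constructed Run key shows what would have changed the verdict. The same parser handles the "deletes the following value(s)" blocks, whose lines carry a name and no data.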

Dropped PE files

MD5                               File path
6ff386bd2408b55841b9a6508a5f283c  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             22948         23040     4.47592  27548a140ee5871e901b5081d2ea223c
.rdata  28672            4474          4608      3.58713  69c5211e1a88679cc11fd273667a51c9
.data   36864            110552        1024      3.45044  7e7f788f7322d235e21ca51dab874511
.ndata  147456           32768         0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc   180224           11200         11264     1.97377  499ab3e3464bd66af2c29340e31b6499

This is the stock layout of an NSIS 2.x exehead: .ndata is the uninitialised data section (raw size 0, so its MD5 is that of empty input), and the five sections together account for about 40 KB of the 2,829,514-byte file. The rest is the compressed installer payload appended after the last section, which is why the file-level entropy reads "Packed" while every individual section has low entropy.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://b.sni.global.fastly.net/scratchr2/static/locale/lang_list.txt
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh/sBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o+tuynXIiEOLckvPvJE=
app.getsentry.com 108.168.254.125
cdn.scratch.mit.edu 151.101.2.33
dns.msftncsi.com 131.107.255.255
sentry.io 108.168.254.125
ocsp.digicert.com 93.184.220.29
teredo.ipv6.microsoft.com 157.56.106.189


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /scratchr2/static/locale/lang_list.txt HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: cdn.scratch.mit.edu
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Tue, 20 Dec 2016 17:18:05 GMT
ETag: W/"585967cd-47f"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Access-Control-Allow-Origin: *
Content-Encoding: gzip
Server: Scratch Web Server
Via: 1.1 varnish-v4
Via: 1.1 varnish
Fastly-Debug-Digest: 07587f68aefde9c4233441a5eb99ee5b23053d49c5198952df3e2f150fa7959b
Content-Length: 919
Accept-Ranges: bytes
Date: Thu, 13 Apr 2017 15:13:52 GMT
Via: 1.1 varnish
Age: 2031676
Connection: keep-alive
X-Served-By: cache-iad2150-IAD, cache-hhn1525-HHN
X-Cache: MISS, HIT, HIT
X-Cache-Hits: 0, 1, 1
X-Timer: S1492096433.955468,VS0,VE0
Vary: Accept-Encoding
..........MSQO.G.~._..0....4".U...ok.r...=.{kd..$M...F!.H(.b.B...4..x8
x..une0..ZD.....=.J.J3.|....7Kr.|..Z........Db...a......?..."..$n(....
.....dDh`....(..%.PP....?.....!G1y..&...-u.t...E.A..|....W....<..$"
<^....Y.."..x..HB]p.. B.0IF.....C.....{P...9,.i&..$...p......y.i...
s.iu.;.@....3e..8...$"...4 .N..j...'...x^....4~..I......a.&....D.K.&..
..\.o....8s...........K..n....^.{..Jo.W=-......x.z.<{zZ;[.~.l.<.
..2.#SY7.9S..TK.I.T.H.|.3..b_in.Q..)N.....o..Z.lc...e.....4...z.:S.3..
i.AN.8.E"..p.x..KZ...|..Z:.6p..I...^HQ.....<...F..N....,%5 .n.L....
...;...!.h...Y7..L..4..y...... .....R3.CSYN..'6I.i.DZ....s..3.o.sI..".
J....Ai~P.......W... 8NP.."9..&x.P.\..s...F.,/.o......... r8.J.gFC?...
....E.z.3../........C.zh....*Lq.<..,S.E2...7..Fr..DfT..8e2....a....
. 5&..o.8...*.Y"....f.{l...Y...8.K.P|.......J.....?.0....*`..q9"..V1;.
L.nv...`-.........\............#.$...I?^......}...]Hu.....f....?.K....
...|.8..i..z.................

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh/sBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o+tuynXIiEOLckvPvJE= HTTP/1.1
Cache-Control: max-age = 518191
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 06:43:19 GMT
If-None-Match: "57ff2d07-1d7"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: public, max-age=172800
Content-Type: application/ocsp-response
Date: Thu, 13 Apr 2017 15:13:53 GMT
Etag: "58ef6e45-1d7"
Expires: Thu, 20 Apr 2017 03:13:53 GMT
Last-Modified: Thu, 13 Apr 2017 12:25:41 GMT
Server: ECS (fcn/4196)
X-Cache: HIT
Content-Length: 471
0..........0..... .....0......0...0........P5V.L.f........=.U..2017041
2220000Z0s0q0I0... .........Q..2...}Q......b.U.....P5V.L.f........=.U.
.....n.u..C.rK.......20170412220000Z....20170419220000Z0...*.H........
......2F...C$f.c.I..n........;{.h....Yk...2.....\v...}...]q~~.....k...
M.....L...e%......8.e9.......... .a..@.....o....^.y_Y...#u.f..Q<...
.c....#.1.>8.q.mXf.`.ZC..jXv..:........6-.8.6...; ..H..FF.z.A.V.k3C
..u.<r7..y.o_d.X..<14!...w..^$.^.< ...<.....in.Y.....r:q6H

<<< skipped >>>

Strings from process memory dumps (the servers contacted are listed in the URLs section above):

%original file name%.exe_2444:

.text
`.rdata
@.data
.ndata
.rsrc
t%SPV
tDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
%s %s
... %d%%
verifying installer: %d%%
unpacking data: %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe" C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
s2exe.exe
cmdid
enumWindows
@default.main.aau
import
win.ui
win.subclass
com.flash
_CMDLINE
msgbox
scratch\open.fnr
by hXXp://hi.baidu.com/scratch
why error?please go hXXp://hi.baidu.com/scratch
@res\main.aau
open.fnr
?http
version="5.1.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
\AAuto\lib\winex\_.aau
EnumWindows
EnumChildWindows
-"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe" C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsd3E67.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.27</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>
yz.lhuo@gmail.com
0.0.0.5
.........................exe>
scratch2exe.exe
s2exe

s2exe.exe_3768:

.text
`.rdata
@.data
.rsrc
u.ht:H
?%uYG
xSSSh
FTPjKS
FtPj;S
C.PjRV
cmd.exe
Visual C++ CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
_CMDLINE
import preload;
com.each = function(obj) begin
if(type(obj)==type.function)obj=obj();
if(!com.IsObject(obj))error('
try{enumerator = com.GetEnumerator(obj);}catch(e){err=e}if(err)error(err,2);var function iterator( index ) {var value = owner.Next();return ( value ? index+1 : null ) , value ;}return iterator, enumerator, 0;end
There was not enough memory to complete the operation
Windows error
Unsupported feature required
%d.%d
com.dll
Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
com.getIUnknow() QueryInterface Failed!
-mapid %d
hh.exe
ID:0x%X: %s
pointer/*com.VARIANT*/
$Spp: AAuto v6.0 Copyright (C) ecranesoft.com $
$URL: VVV.ecranesoft.com $
File %s, Line %d
ExportConstants
ExportEnumerations
ole.host
expected: ::MSG struct
com.CreateEmbed
Invalid form.hwnd!
Union type not supported!
Record type not supported!
TKIND_MODULE and TKIND_MAX not supported!
Exception (%s)
IDispatch.Pointer
invalid object(com.IDispatch)
Property putref not supported.
Property puts with more than two parameters aren't supported.
showMsg
error: error during error handler execution.
load resource(%s/%s) failed!
bad argument:@%d '%s'
calling:'%s'
bad argument:@%d
expected:%s
got:%s
file:%s
line:#%d
invalid option:'%s'
%s.%s
attempt to use a closed object: %s:#%d ( type:'%s.%s')
stack overflow (%s)
name conflict for namespace '%s'
failed:%s
error:%s
field:'%s'
thread id:%d
thread error:%s
return %s
callback : _struct error '...%s'
Cannot load library '%s'.
%s._struct not found!
Invalid _struct{%s...},Expected a field name! [in]
field:%s
field:%s.%s
Invalid _struct: {...%s},Data Type Error(%c...key:%s) [out]
{ %s }
Invalid _struct{%s...},Expected a field name! [out]
Failed to get the size of the dynamic array!field(%s)
Cannot load remote library '%s'.
Cannot find remote function '%s' in the dll.
Cannot find function '%s' in the dll.
Declare Api:'%s'
Data type error: '...%s'
Struct size has more than %d
%s %s[%d]
invalid key to 'next'
Cann't modify a %s : '%s'
attempt to:%s
kind:%s
name:'%s'
type:%s
attempt to:compare two %s values
attempt to:compare %s with %s
file:%s:
join
^$*+?.:([\-{<%
invalid replacement value (a %s)
no function environment for tail call at level %d
in function '%s'
in function <%s:%d>
import-namespace conflict for global.%s
import
import ide;
importFile
import %s failed ! file not found
import %s failed !syntax error:
import %s failed :
import-namespace conflict for self.%s
%s: %p
io.FILE*
Invalid time:Invalid dayofweek(%d) outside valid range(0~6)
Invalid time:Invalid month(%d) outside valid range(1~12)
Invalid time:Invalid day(%d) outside valid range(1~31)
Invalid time:hour(%d) outside valid range(0~23)
Invalid time:minute (%d) outside valid range(0~59)
Invalid time:second(%d) outside valid range(0~59)
Invalid time:year(%d) outside valid range(1900~9999)
Invalid format directive(...%s)
thread.call() error
[%d]=
['%s']=
["%s"]=
%s'%s'
%s"%s"
%snull
%stopointer(0x%p)
io.file(closed)
io.file(%p)
standard %s file is closed
cdata( by raw.malloc() )
%s\%s
_exepath
_exedir
_exefile
char(%d)
near:...'%s'
byte:%s
$"%s"
%s: %s in precompiled chunk
expected:'%s'
main function has more than %d %s
function at line %d has more than %d %s
match for:'%s'
match line:%d
expected:keyword
%H:%M:%S
%m/%d/%y %H:%M:%S
%m/%d/%y
?#%X.y
%S#[k
KERNEL32.dll
USER32.dll
ole32.dll
SHDeleteKeyA
SHLWAPI.dll
GetProcessHeap
GetCPInfo
CreatePipe
SetViewportExtEx
SetViewportOrgEx
GDI32.dll
RegEnumKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
OLEAUT32.dll
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe
\AAuto\lib\com\flash\_.aau
fsys.localfile
util.metaProperty
com.flash.xml
ShockwaveFlash.ShockwaveFlash
\AAuto\lib\com\flash\xml.aau
string.xml
\AAuto\lib\com\picture.aau
com.picture
win.guid
win.ole
@lib\config.aau
fsys.config
\AAuto\lib\fsys\_.aau
fsys.path
SHFileOperation
SHFileOperationA
operation
fsys.shortpath()
joinpath
int hwnd;INT wFunc;string pFrom;string pTo;WORD fFlags;int fAnyOperationsAborted;pointer hNameMappings;string lpszProgressTitle
\AAuto\lib\fsys\config.aau
fsys.table
.table
\AAuto\lib\fsys\localfile.aau
\AAuto\lib\fsys\path.aau
Shlwapi.dll
[\/\:\*\?\"\<\>]
\AAuto\lib\fsys\table.aau
\AAuto\lib\gdi\_.aau
.LOGFONT
Gdi32.dll
int(ptr hdcDest,int xoriginDest,int yoriginDest,int wDest,int hDest,pointer hdcSrc,int xoriginSrc,int yoriginSrc,int wSrc,int hSrc,INT crTransparent)
ptr hdcSrc, struct ptSrc, INT crKey,struct blend, INT flags)
#X
#X
crKey
\AAuto\lib\preload\_.aau
User32.dll
Kernel32.dll
MsgWaitForMultipleObjects
EXCEPTION_FLT_DENORMAL_OPERAND
EXCEPTION_FLT_INVALID_OPERATIO
0xX
\.*(.+)(%\[\])$
\.*(.+)\.([^.]+)$
keys
hasMsg
msgWaitForMultipleObjects
\AAuto\lib\string\xml.aau
<%s%s?>%s
<%s%s>%s</%s>%s
<%s%s/>
(.*?)<@]]>@>
^\<\!\-\-.*?\-\-\>
\AAuto\lib\util\metaProperty.aau
\AAuto\lib\win\_.aau
int(addr hwnd,INT msg,ADDR wParam,addr lParam)
int(ptr lpPrevWndFunc,addr hwnd,INT Msg,ADDR wParam,addr lParam)
addr(addr hwnd,INT msg,ADDR wParam,addr lParam)
addr(int idThread,INT msg,ADDR wParam,addr lParam)
addr(addr hwnd,INT msg,ptr wParam,ptr lParam)
addr(addr hwnd,INT msg,int &wParam,int &lParam)
addr(addr hwnd,INT msg,ptr wParam,ptr lParam,INT flags,INT timeout,int & resultult)
GetAsyncKeyState
word(int vKey)
GetKeyState
word( int vKey)
int( addr hwnd,INT uCmd)
bool(addr hwnd,int cmd)
msgbox
msgboxTest
msgboxErr
msgboxTimeout
win.invoke()
INT(int hDlg,struct IpMsgc)
UxTheme.dll
%s[TID:%d]
msg_observer
\AAuto\lib\win\guid.aau
Rpcrt4
Rpcrt4.dll
Ole32.dll
\AAuto\lib\win\ole\_.aau
Oleaut32.dll
\AAuto\lib\win\subclass.aau
int(int hwnd, int msg, int wParam, int lParam)
\AAuto\lib\win\ui\_.aau
win.ui.background
RegisterHotKey
UnregisterHotKey
int(int hwnd,int crKey,BYTE bAlpha,INT dwFlags)
.win.ui.ctrl
reghotkey
unreghotkey
cmdTranslate
_hotkeys
\AAuto\lib\win\ui\background.aau
win.ui
@Publish\release.win.ui.ctrl.aau
win.ui.ctrl.common
win.ui.ctrl.metaProperty
win.ui.ctrl.button
win.ui.ctrl
win.ui.ctrl.custom
\AAuto\lib\win\ui\ctrl\button.aau
\AAuto\lib\win\ui\ctrl\common.aau
Comctl32.dll
\AAuto\lib\win\ui\ctrl\custom.aau
\AAuto\lib\win\ui\ctrl\metaProperty.aau
\AAuto\lib\winex\_.aau
EnumWindows
EnumChildWindows
enumWindows
cmdid
@default.main.aau
win.subclass
com.flash
scratch\open.fnr
by hXXp://hi.baidu.com/scratch
why error?please go hXXp://hi.baidu.com/scratch
@res\main.aau
open.fnr
?http
version="5.1.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Interface: %s
COM.FLASH
COM.FLASH.XML
COM.PICTURE
FSYS.CONFIG
FSYS.LOCALFILE
FSYS.PATH
FSYS.TABLE
STRING.XML
UTIL.METAPROPERTY
WIN.GUID
WIN.OLE
WIN.SUBCLASS
WIN.UI
WIN.UI.BACKGROUND
WIN.UI.CTRL
WIN.UI.CTRL.BUTTON
WIN.UI.CTRL.COMMON
WIN.UI.CTRL.CUSTOM
WIN.UI.CTRL.METAPROPERTY
/RES/MAIN.AAU
yz.lhuo@gmail.com
0.0.0.5
.........................exe>
scratch2exe.exe
s2exe
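The hashes in the header and the strings dumped above are the two handles a responder has for finding this sample elsewhere. The following added example (not part of the report or any Lavasoft tooling) scans a directory both ways: by the MD5/SHA1/SHA256 values the report lists for the dropper and the dropped s2exe.exe, and by a few strings taken from the dump section. The demo directory, its files and the extra hash added for them are constructed here; nothing below touches the real sample.

```python
"""Scan a directory for the indicators published in the report above.

Added example, not part of the Lavasoft report. REPORT_HASHES and
REPORT_STRINGS are copied from the report; demo() builds a constructed
directory with a stand-in file (not the sample) so the code runs offline."""
import hashlib
import os
import tempfile

# MD5, SHA1 and SHA256 of the dropper, and MD5 of the dropped s2exe.exe.
REPORT_HASHES = {
    "5dacb36aaaf6f99154625853a9381a64",
    "4438f2d2859acc45041544329a463078cefcd113",
    "cd3bb7913c2f57f0f332e7dc9f7f2edbefe8688b3b2d11823f6ab9a85f6651fe",
    "6ff386bd2408b55841b9a6508a5f283c",
}

# Strings from the dump section. The last two are AAuto-runtime strings shared
# by every AAuto-built program, which is why one hit alone is not a match.
REPORT_STRINGS = [
    b"scratch2exe.exe",
    b"hi.baidu.com/scratch",
    b"@res\\main.aau",
    b"ecranesoft.com",
]


def file_digests(path):
    """Return {md5, sha1, sha256} hex digests of a file, read in chunks."""
    hashes = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashes:
                h.update(chunk)
    return {h.hexdigest() for h in hashes}


def string_hits(path, needles):
    """Return the needles found in the file, compared case-insensitively."""
    with open(path, "rb") as fh:
        data = fh.read().lower()
    return [n.decode() for n in needles if n.lower() in data]


def scan_path(root, hash_iocs=REPORT_HASHES, string_iocs=REPORT_STRINGS, min_strings=2):
    """Map each matching file to its hash hits and string hits. A file matches
    on any hash, or on at least min_strings of the strings."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hashes = file_digests(path) & {h.lower() for h in hash_iocs}
            strings = string_hits(path, string_iocs)
            if hashes or len(strings) >= min_strings:
                findings[path] = {"hash": sorted(hashes), "strings": strings}
    return findings


def demo():
    """Build a constructed directory (not the real sample) and scan it.
    Returns findings keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        lookalike = os.path.join(root, "s2exe.exe")
        body = (b"MZ constructed stand-in, not the sample: scratch2exe.exe "
                b"by hXXp://hi.baidu.com/scratch @res\\main.aau")
        with open(lookalike, "wb") as fh:
            fh.write(body)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"build notes; mentions ecranesoft.com once and nothing else")
        # Add the stand-in's own MD5 so the hash path is exercised as well.
        iocs = REPORT_HASHES | {hashlib.md5(body).hexdigest()}
        found = scan_path(root, hash_iocs=iocs)
        return {os.path.basename(p): v for p, v in found.items()}


if __name__ == "__main__":
    for name, hit in demo().items():
        print(name, hit)
```

Hash matching finds only this exact dropper and this exact s2exe.exe; the string rule is what survives a rebuild of the installer with a different embedded project, at the cost of also matching other Scratch2EXE output, so treat a string-only hit as a lead to inspect rather than a verdict.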


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2444
    s2exe.exe:3768

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi3E87.tmp (96116 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe (31373 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ÂìÒϵ¼º½.sb (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\open.fnr (71670 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 (1302 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\crossdomain[1].htm (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar817F.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 (471 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab816F.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\lang_list[1].txt (1977 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
